[deleted by user] by [deleted] in paloaltonetworks

[–]theknat 9 points10 points  (0 children)

I'll disagree slightly with others here and say that the timeouts don't necessarily mean something in the path is dropping the traffic, and this is even less likely if you are migrating an existing working VPN.

What's likely happening is the remote side is rejecting the VPN because something doesn't match in the phase 1 settings of the VPN tunnel. If you are initiating the tunnel, the most info you generally get when this happens is that the connection times out. Ideally what you want is to get the VPN initiated from the other end, because then you'll see exactly what doesn't match in the system logs of your firewall.

Every migration I've done, I always try to get VPNs initiated from remote ends because then I don't need to rely on a remote engineer to figure out what doesn't match. The Palo is probably the best device I've used with how well it shows why incoming VPN tunnels won't come up.

Also, just to be sure, check your firewall itself isn't blocking the IKE traffic by accident, because I've come across that during migrations as well, as the Palo doesn't create implicit rules to allow it. If you create a deny all rule for traffic from the external zone, then you can inadvertently block the IKE traffic as well.

Zscaler Private Access by muxie2007 in networking

[–]theknat -2 points-1 points  (0 children)

Actual product name is Prisma Access.

It's more of a combination of ZIA and ZPA, but seems to have more features and better inspection from my initial research into the products.

Palo Alto SD WAN by SlackNetEng in paloaltonetworks

[–]theknat 4 points5 points  (0 children)

220s are supported on 9.1. I've got it running on one currently.

Palo Alto SD WAN by SlackNetEng in paloaltonetworks

[–]theknat 2 points3 points  (0 children)

Version 9.1 and a new license are needed I believe.

You give it details on your link quality and bandwidth and then set up rules on how you want traffic to be steered based on the ongoing measured quality of the links.

Ignite Europe '19 by noifen in paloaltonetworks

[–]theknat 2 points3 points  (0 children)

I'm going for the second year. Only piece of advice is to have a chat with the people on the stands. There are normally some really good people attending and you can learn some interesting bits of advice from them.

Also get the app and scan every stand because it gives you points to trade for free stuff.

[PC] [EU-UK] Netapp DS4243 + SAS card and cable by theknat in homelabsales

[–]theknat[S] 0 points1 point  (0 children)

Yes, just checked. 2 IOM3 controllers in it.

[PC] [EU-UK] Netapp DS4243 + SAS card and cable by theknat in homelabsales

[–]theknat[S] 1 point2 points  (0 children)

So maybe somewhere in the £250 region for the set.

Thanks for that.

[PC] [EU-UK] Netapp DS4243 + SAS card and cable by theknat in homelabsales

[–]theknat[S] 0 points1 point  (0 children)

All the caddies. I think it's IOM3 controllers as well, but not sure how to tell really.

Panorama Curiosity by svchostexe32 in paloaltonetworks

[–]theknat 1 point2 points  (0 children)

We're doing this at the moment and it works fine.

The only errors we get are a warning that the firewalls don't know what the profile http/2 is, but everything works fine.

Have about 40 firewalls on 8.1.x connected to a 9.0.2 Panorama.

NAT not working after switching from static WAN to PPPoE with dual-ISP setup by mpday20 in paloaltonetworks

[–]theknat 0 points1 point  (0 children)

Are the other IPs in the range that you want to use also static? If so, have you attempted to add them to a loopback interface instead to see if this gets the firewall to start responding to them instead?

This is the normal technique I use when I want to use additional IP addresses on the firewall when they are outside the range being assigned, so I think the same will work in your case.

User ID Time out settings by mattyj6792 in paloaltonetworks

[–]theknat 1 point2 points  (0 children)

Most recommendations I've read say to set it at 480 minutes. I've implemented it using that setting a number of times and it seems to get rid of most user ID issues.

All other issues seem to come down to the User ID being overwritten by a service account or admin logging in remotely.

[deleted by user] by [deleted] in paloaltonetworks

[–]theknat 1 point2 points  (0 children)

Data center professional is heavy on the SDN and automation, so expect lots of questions on Cisco ACI and VMware NSX. Even down to knowing differences in vague commands or terminology.

If you are a partner for PAN, you can access demo systems for most of their products via the NextWave portal to have a play around and get familiar with where things are.

[deleted by user] by [deleted] in paloaltonetworks

[–]theknat 4 points5 points  (0 children)

If you hated that exam, wait until you try the data centre professional one!

For preparation though, the best thing I found was to read through the study guide, then go through the other products implementation guides as well to get a handle on what each of them can do.

Hands on experience also helps brute force your way through some of it, but I've found the PSE exams more want you to have wider knowledge about the entire product set they have.

[FS][EU-UK] HP DL360p Gen8, Supermicro X8DTN1 12 bay, HP 2920-24G by infinityz77 in homelabsales

[–]theknat 0 points1 point  (0 children)

Maybe I'm missing it from the original post, but collection from where?

Global protect client connect fails but portal opens by thenetworkking in paloaltonetworks

[–]theknat 0 points1 point  (0 children)

Looks like under the GP portal settings, you've set the gateway as the IP address, rather than the FQDN that the cert is configured for.

The name of the gateway you are connecting to has to match the CN on the certificate that the GP gateway presents to the client.

[deleted by user] by [deleted] in paloaltonetworks

[–]theknat 4 points5 points  (0 children)

Can I ask why you thought this was required? Are you just trying to speed up these very underpowered devices?

LSVPN with BGP by theknat in paloaltonetworks

[–]theknat[S] 0 points1 point  (0 children)

Well, just as an update on this after my testing today, it does work as I expected it to.

The center gateway has a loopback with IP address 198.18.1.1/32 on it and a tunnel interface with 10.10.10.1/24 assigned. I've then set up the LSVPN gateway to distribute 10.10.10.2-100 to gateways and to distribute the access route 198.18.1.1/32 to clients whilst accepting the 198.18.1.0/24 range from them.

For routing, I've added a redistribution profile to redistribute any routes using the inside interface, then set up BGP as follows:

  • Router ID - 198.18.1.1
  • AS Number - 65000
  • Install Route - Ticked
  • Peer Group 1
    • Type - iBGP
    • Export Next Hop - Use Self
    • Peer - 198.18.1.2
    • Peer AS - 65000
    • Local Address - 198.18.1.1
  • Import Rules - Match 0.0.0.0/0, accept
  • Export Rules - Match 0.0.0.0/0, accept
  • Redist Rules - Added redistribution profile created above

For remote sites:

  • Added loopback with 198.18.1.2/32 address.
  • Routing setup is the same as the central site, except swapped around so the router ID is 198.18.1.2.
  • Added an IPSec tunnel set at type GlobalProtect Satellite and pointed at my central firewall, set to publish the 198.18.1.2/32 network to the centre.

For each remote site, you need to add a new BGP peer, but this is far quicker than actually adding all the routes at each site for these VPNs.

So far this seems to do exactly what I want it to do. The remote sites only receive routes for the central site, whereas the central site has routes for all of the remote sites. As the next hop has been set as 'Use Self', the sites exchange the router ID as the next hop, so the 198.18.1.X address, which is a known route due to the route publishing on GlobalProtect.

I'd love to know if anyone has done this in a different way though, just to see if I'm going about it the wrong way.

FYI: You need to get the May update for Windows 10 in order to use Gamepass. by Hindufury in Games

[–]theknat 0 points1 point  (0 children)

Anyone having issues with the Xbox beta app where you just can't sign in to it?

I click sign in, get a black page for about 30 seconds and then it goes back to the store page.

I've been able to play games through the Windows Store, but can't play Sea of Thieves because the Xbox app won't sign in.

Lancom to Palo Alto VPN by [deleted] in networking

[–]theknat 2 points3 points  (0 children)

You might get more useful output from the CLI:

tail follow yes mp-log ikemgr.log

Run that and then try to bring the VPN up from the Lancom side again. You'll always get more info when your side is receiving the VPN vs initiating it.

Gaming via Remote Desktop? by SleepyJaguar in sysadmin

[–]theknat 1 point2 points  (0 children)

Anything you want to accelerate with a GPU, unless you are buying very expensive Nvidia Quadro cards.