Firewall Wizards (firewall-wizards) Mailing List

Palo Alto Networks

Tue, 2 Dec 2008 08:32:18 -0500

Posted by Cassell Damon Z. on Dec 2

Has anyone on the list had experience with firewalls from Palo Alto Networks? I am interested in real world experiences with these devices. Palo Alto is very new, so there is not much out there except marketing material.

You can contact me off-list if you'd prefer.

Thanks,

Damon Cassell
...

Re: Layer 3 Layer 7 integration

Tue, 2 Dec 2008 08:34:52 +0530

Posted by à aditya mukadam à on Dec 2

On Fri, Nov 28, 2008 at 8:53 PM, P OS
<research.questions.contact_at_googlemail.com> wrote:
> Hello All,
> We have a Netscreen firewall, but we are also open to other
> alternatives. I am wondering if the following is possible:
>
> - clients connect to our...

Re: Layer 3 Layer 7 integration

Sun, 30 Nov 2008 18:09:39 -0800

Posted by Lord Sporkton on Nov 30

I dont think i understand fully what you asking. It sounds like you
have some custom app that works in client server mode that hands out
IPs? and you want to inspect it? I think....

Its almost impossible to do app layer inspection on a custom protocol,
you would have to write you own...

Re: DMZ Routing Question

Sat, 29 Nov 2008 08:51:27 +0300

Posted by Farrukh Haroon on Nov 29

Considering the limited throughput on the firewalls as compared to a
SUP720......I would do all the advanced routing/PBR on the switch.

Regards

Farrukh Haroon
CCIE # 20184 (Security)

P.S. The ASA does not support PBR to date.

On Fri, Nov 28, 2008 at 1:07 AM, FW Mailinglist...

Re: asa 5520

Fri, 28 Nov 2008 12:25:54 +0530

Posted by à aditya mukadam à on Nov 28

In policy based NAT, you can define ACLs and then use that to perform
the required translations.

Thanks,
Aditya Govind Mukadam

On Thu, Nov 20, 2008 at 2:07 AM, Dave Love <dlove_at_verticalsystemsinc.net> wrote:
> I want to know if it is possible to have one global outside nat...

Layer 3 Layer 7 integration

Fri, 28 Nov 2008 15:23:24 +0000

Posted by P OS on Nov 28

Hello All,
We have a Netscreen firewall, but we are also open to other
alternatives. I am wondering if the following is possible:

- clients connect to our system using a custom protocol on top of TCP/IP

- a unique userId will be used to identify each user, as source ip...

DMZ Routing Question

Thu, 27 Nov 2008 14:07:29 -0800

Posted by FW Mailinglist on Nov 27

All,
I have searched the archives a bit, but haven't found what I am looking for.
I am implementing a new DMZ design and wanted to get back what the common
consensus is on routing. I am deploying a typical sandwich design - Outside
Firewall -> DMZ Networks <-Inside Firewall.

The...

Re: VPN NAT issue

Wed, 26 Nov 2008 23:41:29 -0800

Posted by Lord Sporkton on Nov 26

I have to this date, never needed an ACL to allow in VPN traffic on
the outside interface. In the case of ipsec(ive not dealt with pptp to
much) i dont even need an acl rule to allow the esp and udp 500
traffic in.

I can post working configs if anyone would care to discuss with me why
an acl...

pix to iptables conversion script?

Wed, 26 Nov 2008 10:17:09 -0800 (PST)

Posted by david_at_lang.hm on Nov 26

does anyone have a script that will convert a pix ruleset to iptables?

it's not _that_ hard to write one, but if someone has already done so...

David Lang

Re: asa 5520

Wed, 26 Nov 2008 15:38:48 -0200

Posted by Pedro Henrique Morsch Mazzoni on Nov 26

It is. See policy NAT.

Regards,
Pedro Mazzoni

2008/11/19 Dave Love <dlove_at_verticalsystemsinc.net>

> I want to know if it is possible to have one global outside nat address
> and use it to route traffic to two separate internal ips based on source
> address?
>
...

Re: Cisco ASA 8.0(3) with RSA SecurID

Wed, 26 Nov 2008 15:15:09 -0200

Posted by Pedro Henrique Morsch Mazzoni on Nov 26

Maybe you could try Cisco ACS to centralize your AAA. It´s not that good but
it has no substitute to all features it delivers.
Cisco ACS will pass authentication requestes to RSA and will deal with
authorization and accounting.

Regards,
Pedro Mazzoni

2008/11/26 Todd Simons...

Re: Windows dynamic ARP

Wed, 26 Nov 2008 16:51:30 +0000

Posted by Mike OConnor on Nov 26

:Does anyone know a way to turn OFF dynamic ARP on Windows? I'd like to
:set up a network where static ARP entries are the only way to
:communicate.

You might want to consider tweaking the StrictArpUpdate registry entry:
http://technet.microsoft.com/en-us/library/cc739819.aspx

...

Re: Cisco ASA IKE Initiator unable to find policy

Wed, 26 Nov 2008 09:49:09 -0800

Posted by Lord Sporkton on Nov 26

Is there anything special about these site to site tunnels? Aggressive
mode? or anything like that?

Do you have any further debug messages?

Lawrence

2008/11/12 Jens Brey <jens_at_chaos-co.de>:
> Dear all,
>
> i have the following problem. I have a ASA 5520 running 8.0.4....

Re: VPN NAT issue

Wed, 26 Nov 2008 09:46:21 -0800

Posted by Lord Sporkton on Nov 26

You want a NAT exemption on the IN2 interface
so like
nat (IN2) 0 access-list no-nat

where no-nat defines traffic from IN2 -> VPN_POOL

Lawrence

2008/11/12 Vladislav Antolik <vladislav.antolik_at_gmail.com>:
> Hello,
>
> I'm using Cisco PIX 515E with 8.0(3) image.
...

Re: Windows dynamic ARP

Wed, 26 Nov 2008 11:49:52 -0500

Posted by Darden Patrick S. on Nov 26

I don't think this will help. The Gratuitous ARP is sent out when the windows machine is first booting up--it is checking to see if it is duplicating anybody's IP address.

--p

-----Original Message-----
From: firewall-wizards-bounces_at_listserv.icsalabs.com
...