This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

About raji_toor

Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
raji_toor
‎06-27-2025
since ‎02-10-2017
L4 Transporter
User Activity
User Profile
Latest posts by raji_toor
View All
My LIVEcommunity Articles Contributions
View All
User Badges
Community Statistics
Member Since ‎02-10-2017 09:47 AM
Date Last Visited ‎06-27-2025 07:23 AM
Posts 366
Total Likes Received 23

Asymmetry routing and NAT

by in Next-Generation Firewall Discussions
‎06-25-2025 03:39 PM
‎06-25-2025 03:39 PM
Attending a class about cloud security - AWS, Its mentioned that we can have 2 different subnets, SubnetA connected to internet gateway for ingress traffic and SubnetB connected to NAt gateway for egress traffic. An this should/have to be done how transit gateway routes play out, and is architectured as such to allow for traffic inspection with NVA's like palo to allow for inspection before traffic hits the actual server. Considering above a user connecting to internal webserver from outside, will get in through internet gateway(1.1.1.1), while the return traffic will be out through NAT gateway(2.2.2.2) creating asymmetrical traffic. We are told return traffic to user behind their firewall(3.3.3.3) will not be an issue, although return traffic for the same NAT session will be arriving from different IP(2.2.2.2) but was sent to (1.1.1.1). That is because traffic will be matched to the NAT session id and not to the actual ip addresses. How accurate is above statement, I am not able to test this in my environment. My understanding was NAT session and IP details all have to match for matching the session.       ... View more

Re: Loading firewall context in CLI

by in Panorama Discussions
‎05-28-2025 11:06 PM
‎05-28-2025 11:06 PM
@mshekh @matthew554  Direct access to access to firewalls is blocked for the most part and can only be reached in GUI vi loading firewall context. So cannot ssh to run those commands, hence was looking for a solution, and I sort of did, through developer tools user is now able to copy the run time stats information. ... View more

Loading firewall context in CLI

by in Panorama Discussions
‎05-22-2025 01:18 PM
‎05-22-2025 01:18 PM
Is there a way to load firewall context in Panorama CLI, similar to how we can load in GUI.    Or is there a way to export in excel runtime stats/routes in GUI from virtual router. ... View more

Re: Threat Logs: Countries with no IP

by in General Topics
‎04-20-2023 07:55 AM
‎04-20-2023 07:55 AM
Thanks @SutareMayur , Yes that was an oversight. Low level logs without packet capture were showing as expected and critical also stated showing IP address after disabling packet capture on vulnerability profile. ... View more

CIE(Cloud Identity Engine) Deactivated?

by in Next-Generation Firewall Discussions
‎04-11-2023 04:00 PM
‎04-11-2023 04:00 PM
Could not understand why the CIE account was deactivated. It was setup to sync with Azure AD and one on-prem DC. And atleast one firewall was configured to use it.    Is this caused by the 3 month certificates? Also are these certs meant to be renewed manually every 3 months? If so its very challenging to use CIE for on-prem infrastructure. Does anyone know better.   User-ID was not much in use on that firewall so went unnoticed as it was only for test.  Now we want to move forward but if this gets deactivated like that it can be an issue.         ... View more

Threat Logs: Countries with no IP

by in General Topics
‎03-31-2023 08:43 AM
‎03-31-2023 08:43 AM
So we have 'Use X-Forwarded-For HeaderEnabled for Security Policy' enabled, and are using it policies. The threat logs show the real Source Country but no address under X-Forwarded For IP Column. Although when exported to CSV many logs show the real address under XFF column. And many don't. Again checking in GUI although some logs show XFF in in packet capture(single packet enabled) it does not show in the logs.  Now because I cannot filter for XFF in threat logs, I can't use dynamic address groups to auto block these IPs   Logging need to be improved for 'Use X-Forwarded-For HeaderEnabled for Security Policy'  feature. We are on 10.1.8   ... View more

Re: XFF: For security Policy

by in General Topics
‎02-21-2023 08:58 AM
‎02-21-2023 08:58 AM
Thanks @nikoolayy1  Rewriting HTTP header on Application Gateway to remove port information made it work. ... View more

XFF: For security Policy

by in General Topics
‎02-17-2023 04:26 PM
‎02-17-2023 04:26 PM
Trying to implement this. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/identify-users-connected-through-a-proxy-server/use-xff-values-for-ip-based-security-policy-and-logging Azure Web Application Gateway is in the front, acting as proxy. I can see packet captures for port 80 x-forward for is included But i don't see xff in traffic logs, and matching the url accessed shows traffic from Azure Gateways internal backend IP and not from the original client IP in XFF. How ever I don't see IP under XFF traffic logs as source ip Also i tried adding source ip to be blocked to test, and could not get it to work ... View more

Re: Map IP Addresses to Users - Azure-AD Cloud Identity User ID

by in General Topics
‎02-10-2023 02:49 PM
1 Kudo
‎02-10-2023 02:49 PM
1 Kudo
@Metgatz I am assuming you are having remote users who have Azure AD joined systems. This is what I have been wanting in our environment, mapping external IP addresses authenticated to Azure AD. I don't think CIE does that. It just pulls the user/group information as this is the only scope that is given to the application in Azure.   Other method would be to use authentication policies but I am waiting for input from the community if exposing external interface for response pages to be exposed on the external interface is seen as an issue or not. I think threat would be of the same level as exposing Global Protect portal to publicly.   @TomYoung  What do you think of it ... View more

Re: No reports and unable to upload tech-support file

by in AIOps for NGFW Discussions
‎02-09-2023 07:25 AM
‎02-09-2023 07:25 AM
@lir Its no use, I can upload but nothing happens after that. You can check my previous screenshot it just stays like that and after hours when i login to check it shows as failed. On support portal however i had no issue uploading TSF and generating BPA ... View more

reverse proxy key 'abc.com' doesn't match certificate issued to 'abc.com'

by in General Topics
‎02-09-2023 06:21 AM
‎02-09-2023 06:21 AM
How do I find from the firewall which backend server is not matching the certificate/key here. Alert doesn't give much information. We have about 20 servers behind with inbound decryption. ... View more

Re: No reports and unable to upload tech-support file

by in AIOps for NGFW Discussions
‎02-07-2023 12:46 PM
‎02-07-2023 12:46 PM
@lir  Yes TSF is from firewall running version 10.1 I was checking it today again and file got uploaded but it doesn't go anywhere.. I tried twice, I was not able to immediately check, first attempt shows as failed. Second attempt appears as stuck from last 30 plus minutes.   I also noticed an error pops up sometimes when I click report, but it quickly disappears so could not make a note of it. something like 'There is an issue....' ... View more

No reports and unable to upload tech-support file

by in AIOps for NGFW Discussions
‎02-04-2023 12:56 PM
‎02-04-2023 12:56 PM
I setup a new free tenant for AIOPS, but i am unable to use the BPA tool to upload tech-support file, I have tried many times in last 24 hrs. Its just quickly spins out. Also does the free tier only provide DNS and wildfire information as report section is also all empty. ... View more

Re: Virtual router not getting attached

by in General Topics
‎02-03-2023 02:27 PM
1 Kudo
‎02-03-2023 02:27 PM
1 Kudo
Virtual router was overridden and forgotten causing the issue. ... View more

Virtual router not getting attached

by in General Topics
‎02-03-2023 11:19 AM
‎02-03-2023 11:19 AM
2 Azure VMs managed from same panorama template. Adding a loopback interface and IP but virtual router getting attached to only in 1 VM. They are not in HA and are separate firewalls.   It won't even let delete it on this firewall. getting message below ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎06-27-2025 07:23 AM
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks