
8 Replies

  • I don't use PA, but in general:

    • Give it a static IP (or DHCP reservation).
    • Allow ingress/egress on the ports REQUIRED to that defined IP
  • We connect our Pitney Bowes to an access point and then to the internet through the firewall.  The only thing I remember having to do was add an exception for DPI SSL.

    Do you know if your firewall is decrypting SSL traffic for inspection?

  • jcLAMBERT wrote:

    I don't use PA, but in general:

    • Give it a static IP (or DHCP reservation).
    • Allow ingress/egress on the ports REQUIRED to that defined IP

    It's very possible I don't know what I'm talking about, but should ingress be allowed?  With our Pitney Bowes device, I allow outgoing only.  It initiates all communication, so no incoming settings are necessary.

  • Seems as though an update or information from the server would need ingress, but really don't know. 

  • I don't know about the encryption but can try to find out. Here are a couple of lines from our log. Thanks!

    Domain Receive Time Serial # Type Threat/Content Type Config Version Generate Time Source address Destination address NAT Source IP NAT Destination IP Rule Source User Destination User Application Virtual System Source Zone Destination Zone Inbound Interface Outbound Interface Log Action Time Logged Session ID Repeat Count Source Port Destination Port NAT Source Port NAT Destination Port Flags IP Protocol Action Bytes Bytes Sent Bytes Received Packets Start Time Elapsed Time (sec) Category tpadding Sequence Number Action Flags Source Country Destination Country cpadding Packets Sent Packets Received Session End Reason DG Hierarchy Level 1 DG Hierarchy Level 2 DG Hierarchy Level 3 DG Hierarchy Level 4 Virtual System Name Device Name Action Source Source VM UUID Destination VM UUID Tunnel ID/IMSI Monitor Tag/IMEI Parent Session ID Parent Session Start Time Tunnel SCTP Association ID SCTP Chunks SCTP Chunks Sent SCTP Chunks Received UUID for rule HTTP/2 Connection link_change_count policy_id link_switches sdwan_cluster sdwan_device_type sdwan_cluster_type sdwan_site dynusergroup_name
    1 ######## 1.28E+10 TRAFFIC end 2305 ######## 192.168.10.99 199.231.44.30 70.62.20.74 199.231.44.30 PB-RULE ssl vsys1 Trusted Untrusted ethernet1/1 ethernet1/2 ######## 17711 1 53784 443 1671 443 0x40001b tcp allow 1793 925 868 15 ######## 121 allow-Allow All Filter IP 0 2E+09 0x0 192.168.0.0-192.168.255.255 United States 0 8 7 tcp-rst-from-server 0 0 0 0 PA-220 from-policy 0 0 N/A 0 0 0 0 2e59bbc2-6c13-4906-946b-d868e16035f5 0 0
    1 ######## 1.28E+10 TRAFFIC end 2305 ######## 192.168.10.99 3.5.9.193 70.62.20.74 3.5.9.193 PB-RULE ssl vsys1 Trusted Untrusted ethernet1/1 ethernet1/2 ######## 28242 1 47642 443 32541 443 0x40007a tcp allow 12875 4736 8139 42 ######## 8 allow-Allow All Filter IP 0 2E+09 0x0 192.168.0.0-192.168.255.255 United States 0 22 20 aged-out 0 0 0 0 PA-220 from-policy 0 0 N/A 0 0 0 0 2e59bbc2-6c13-4906-946b-d868e16035f5 0 0

  • Welcome to Spiceworks, spicehead-7wadi!

    At a former company I had issues allowing PB devices through PA firewalls.  Use Application IDs where possible; these make rules more secure.  Side note: export the logs to CSV, sterilize the data and post it that way.  Makes it easier to read.  Here is what I would do.

    1. As jcLAMBERT said, give it a static IP address.
    2. Create a rule with only that device as a source and set the service and application ID to any.  The PB has a few security features built in, reference: https://www.pitneybowes.com/us/support/article/000084561/networking-and-connectivity-frequently-aske... when doing setup.
    3. Send traffic from the PB device and watch the monitor.
      1. It should indicate the services used are
        1. TCP/UDP 53 - App ID: DNS
        2. TCP 80 & 443 - App IDs: web-browsing, SSL.
      2. If it shows the App IDs, lock it down with the service Application Default and App IDs web-browsing, SSL, and DNS.
      3. This should resolve it without resorting to ports only.  If there are still issues:
    4. Look in the Threat Logs to see if something is going awry with the traffic. 
    5. ich.ni.san and jcLAMBERT, there are no ingress ports needed.  The device should pull data down over the outbound SSL connection.
    6. As ich.ni.san said, check if you are doing SSL inspection/busting.
    7. As a last resort get PA support on the phone and get their help. 

    Palo Alto Networks has an Applipedia for finding the App ID based off ports; it is a great reference: https://applipedia.paloaltonetworks.com/.  Feel free to contact me if I can be of assistance.

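The discover-then-lock-down steps in the post above (open rule for the meter's IP, watch the traffic log, then restrict to App-ID with service application-default), as an added example that is not code from the thread or from Palo Alto Networks. It reads a CSV export of PAN-OS TRAFFIC logs, using a subset of the column names from the poster's header, summarises which App-IDs and destination ports one source host actually used, counts session end reasons, and renders the tightened rule. The CSV rows are constructed, not the poster's data; the `set rulebase security rules ...` syntax is an assumption to check against the CLI reference for your PAN-OS release.

```python
"""Tighten a 'source = the meter, app = any' discovery rule to App-ID.

Added example, not code from the thread or from Palo Alto Networks.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export (not the poster's rows), using a subset of the
# PAN-OS TRAFFIC log column names. 192.168.10.99 is the meter, as in the thread.
SAMPLE_CSV = """\
Type,Source address,Destination address,Rule,Application,IP Protocol,Destination Port,Action,Session End Reason
TRAFFIC,192.168.10.99,199.231.44.30,PB-RULE,ssl,tcp,443,allow,tcp-rst-from-server
TRAFFIC,192.168.10.99,3.5.9.193,PB-RULE,ssl,tcp,443,allow,aged-out
TRAFFIC,192.168.10.99,192.168.10.1,PB-RULE,dns,udp,53,allow,aged-out
TRAFFIC,192.168.10.99,199.231.44.30,PB-RULE,web-browsing,tcp,80,allow,tcp-fin
TRAFFIC,192.168.10.99,3.5.9.193,PB-RULE,incomplete,tcp,443,allow,aged-out
TRAFFIC,192.168.10.50,8.8.8.8,Allow All,dns,udp,53,allow,aged-out
"""

# App-ID values that mean "could not identify", not applications to allow by name.
NOT_REAL_APPS = {"incomplete", "insufficient-data", "not-applicable"}


def observed_apps(csv_text, source_ip, rule=None):
    """Map each App-ID seen from source_ip to a Counter of (proto, dport)."""
    seen = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Type"] != "TRAFFIC" or row["Source address"] != source_ip:
            continue
        if rule is not None and row["Rule"] != rule:
            continue
        key = (row["IP Protocol"], int(row["Destination Port"]))
        seen[row["Application"]][key] += 1
    return dict(seen)


def end_reasons(csv_text, source_ip):
    """Count Session End Reason values (aged-out, tcp-rst-from-server, ...) for source_ip."""
    reasons = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Type"] == "TRAFFIC" and row["Source address"] == source_ip:
            reasons[row["Session End Reason"]] += 1
    return reasons


def recommended_apps(apps):
    """App-IDs worth putting in the rule: drop the unidentified placeholders."""
    return sorted(a for a in apps if a not in NOT_REAL_APPS)


def set_command(rule, src_zone, dst_zone, source_ip, apps):
    """Render the tightened rule as a PAN-OS CLI 'set' line.

    The syntax here is assumed from memory; verify it against the CLI
    reference for your PAN-OS release before committing.
    """
    return (f"set rulebase security rules {rule} from {src_zone} to {dst_zone} "
            f"source {source_ip} destination any "
            f"application [ {' '.join(apps)} ] "
            f"service application-default action allow")


if __name__ == "__main__":
    meter = "192.168.10.99"
    apps = observed_apps(SAMPLE_CSV, meter, rule="PB-RULE")
    for app, ports in sorted(apps.items()):
        print(app, dict(ports))
    print(dict(end_reasons(SAMPLE_CSV, meter)))
    print(set_command("PB-RULE", "Trusted", "Untrusted", meter, recommended_apps(apps)))
```

On the constructed rows this yields `dns`, `ssl` and `web-browsing`, matching the App-IDs the post predicts, and discards the `incomplete` session on 443. If a real export shows little on 443 except `incomplete`, the meter's TLS handshakes are not completing, so the allow list is not the problem and the decryption exception and DNS questions raised elsewhere in the thread are the next things to check. `unknown-tcp`/`unknown-udp` are real App-IDs, but allowing them by name reopens the rule, so treat their appearance as something to investigate rather than add.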
  • As suggested, ingress rules would not be needed IF the PB unit itself is making the requests.  However, if you have things heavily locked down at the firewall, this may not be true.  However, most firewalls tend to allow all outbound traffic by default.

  • Thanks to everyone for your help. I had done most of those suggestions already and now not even sure if I needed to do all that. The PB engineer finally told me to set the DNS address outside of their "reserved" range, so I used the google DNS addresses and bingo - it worked! I've definitely learned a lot about our firewall though, and I'm sure I'll be back!

