Network Admin Life - Building a Tunnel

COMMENTS • 27

  • @Arcadier 3 months ago +2

    NAT-T is a procedure which is able to recognize if there is a router using NAT on its connection all the way along the IPsec tunnel you established. So the needed packages are going to be encapsulated and UDP is going to be used. That's it in very short terms. It's a payload encapsulation overall.

    • @NetworkAdminLife 3 months ago

      Thanks for that. That's not how the Palo Alto support tech explained it. But he also said he has seen situations where NAT traversal just "doesn't work." Um... okay. God bless!

  • @212helpdesk 3 months ago

    Fun, I used to do some of this. That employer was big on selling Sonicwall. I never really understood it. Fortunately that wasn't why I was hired. Instead I primarily did onsite voip servers (back in the day) and switching (Adtran/ Cisco). Luv'd L3/ L2 switching and routing. Pretty cool watching you, thanks! Now I just rack/ stack & idrac monster EMC servers. I'm just a gorilla with some config on occasion.

    • @NetworkAdminLife 3 months ago

      Seems like at my last two jobs, they had just decommissioned a Sonicwall just before I hired in. So for years I've "almost had" Sonicwall experience. LoL! God bless!

  • @bryanb30 3 months ago

    4:57 That’s awesome 👍🏿

    • @NetworkAdminLife 3 months ago

      All I can say is, don't ever get old. God bless!

  • @captjack5169 3 months ago

    Anyone who is calling you stupid lacks humility and forgets they used to be noobs too. No one knows it all. Thank you for sharing the video.

  • @Mitchell7790 3 months ago +1

    Both CBC and GCM are pretty secure; however, GCM also provides authentication, which removes the need for an HMAC SHA hashing function. It is slightly faster compared to CBC because it can take advantage of hardware acceleration.
    If the hardware at both sides of the tunnel can support it and can make use of hardware-based acceleration, then definitely use GCM for best performance.

    • @NetworkAdminLife 3 months ago

      Okay, that may be why I was advised to use CBC. We don't know that the peer firewall has hardware acceleration. God bless!

  • @johng.1703 3 months ago +2

    CBC (Cipher Block Chaining) is encrypted but not authenticated, whereas GCM (Galois/Counter Mode) is encrypted and authenticated.
    And Cipher Block Chaining-Message Authentication Code (CCM) mode is an authenticated encryption algorithm designed to provide both authentication and confidentiality during data transfer.
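
The contrast the two comments above describe, as an added example in Go that is not from the video or from either commenter (standard library only; the keys, the 64-byte message and the single damaged bit are constructed demo values). It protects one message three ways: plain AES-CBC, AES-CBC with a separately keyed HMAC-SHA256 (the "HMAC SHA" an IPsec proposal pairs with CBC), and AES-GCM, then flips one bit of ciphertext in transit and records what the receiving side notices.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// must keeps the demo short: cipher setup and random reads cannot fail here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// cbcEncrypt: confidentiality only, layout iv||ct. Plaintexts are whole blocks, so no padding.
func cbcEncrypt(key, plaintext []byte) []byte {
	iv := make([]byte, aes.BlockSize)
	must(rand.Read(iv))
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(must(aes.NewCipher(key)), iv).CryptBlocks(out, plaintext)
	return append(iv, out...)
}

// cbcDecrypt cannot tell a modified ciphertext from a genuine one: every well-formed input decrypts to something.
func cbcDecrypt(key, data []byte) ([]byte, error) {
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext too short or misaligned")
	}
	out := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(must(aes.NewCipher(key)), data[:aes.BlockSize]).CryptBlocks(out, data[aes.BlockSize:])
	return out, nil
}

// cbcHmacSeal/Open: CBC plus HMAC-SHA256 (encrypt-then-MAC), the "aes-cbc + hmac-sha" pairing; layout iv||ct||tag.
func cbcHmacSeal(encKey, macKey, plaintext []byte) []byte {
	ct := cbcEncrypt(encKey, plaintext)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	return append(ct, mac.Sum(nil)...)
}

func cbcHmacOpen(encKey, macKey, data []byte) ([]byte, error) {
	if len(data) < sha256.Size {
		return nil, errors.New("message too short")
	}
	ct, tag := data[:len(data)-sha256.Size], data[len(data)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	if !hmac.Equal(mac.Sum(nil), tag) { // constant-time compare; verify before decrypting
		return nil, errors.New("integrity check failed")
	}
	return cbcDecrypt(encKey, ct)
}

// gcmSeal/Open: AES-GCM authenticates inside the mode itself, no separate integrity algorithm; layout nonce||ct||tag.
func gcmSeal(key, plaintext []byte) []byte {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...)
}

func gcmOpen(key, data []byte) ([]byte, error) {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(data) < aead.NonceSize() {
		return nil, errors.New("message too short")
	}
	return aead.Open(nil, data[:aead.NonceSize()], data[aead.NonceSize():], nil)
}

// flipBit returns a copy with one bit changed at offset, standing in for damage in transit.
func flipBit(data []byte, offset int) []byte {
	t := append([]byte{}, data...)
	t[offset] ^= 0x01
	return t
}

// tamperDemo protects one 64-byte message each way, damages the first ciphertext
// byte, and reports what the receiver noticed. Keys are constructed demo values.
func tamperDemo() (cbcRejected, cbcSilentlyWrong, cbcHmacRejected, gcmRejected bool) {
	encKey := bytes.Repeat([]byte{0x42}, 32)
	macKey := bytes.Repeat([]byte{0x24}, 32)
	msg := []byte("branch-office payload: invoice batch 0042, 64 bytes, no padding.")
	pt, err := cbcDecrypt(encKey, flipBit(cbcEncrypt(encKey, msg), aes.BlockSize)) // byte after the IV
	cbcRejected = err != nil
	cbcSilentlyWrong = err == nil && !bytes.Equal(pt, msg)
	_, err = cbcHmacOpen(encKey, macKey, flipBit(cbcHmacSeal(encKey, macKey, msg), aes.BlockSize))
	cbcHmacRejected = err != nil
	_, err = gcmOpen(encKey, flipBit(gcmSeal(encKey, msg), 12)) // byte after the 12-byte nonce
	gcmRejected = err != nil
	return
}

func main() {
	fmt.Println(tamperDemo())
}
```

Plain CBC hands the damaged message up as valid plaintext that simply differs from what was sent; CBC with HMAC and GCM both refuse it. That is why a crypto profile pairs CBC with an authentication algorithm but lets GCM stand on its own, and why "CBC with no integrity algorithm" is a misconfiguration rather than a performance choice.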

  • @Solkre82 3 months ago

    I had to learn GlobalProtect on the fly as well. Funny enough I left that job 3 months ago and where I'm at now it's not my job to touch firewall. Can't if I wanted to.

    • @NetworkAdminLife 3 months ago

      Yeah, funny how life works out sometimes. God bless!

  • @damronthumsuansano7900 3 months ago

    Wow. Thank you for the video.

  • @justinmiller7841 3 months ago

    What headset are you using?

  • @keithsauer3574 3 months ago

    I think the route interface shows up after you commit. It doesn’t exist yet. Commit, then it exists and you can use it in the route tables and commit again.
    We do this too, many tunnels to vendors. PA-3220s, PA-1420s and PA-460s.
    We also do this for site-to-site VPN over the internet and use OSPF with a higher cost. If the metro Ethernet is down, it fails over in a second to the cable modem VPN tunnel. BFD and OSPF make it magic… poor man's SD-WAN without paying for all the licenses!

    • @NetworkAdminLife 3 months ago

      Yeah, that's a PAN unit that's not connected to anything so it wasn't the greatest demo platform. But better than my production unit! God bless!

  • @OldePhart 3 months ago

    Isn't NAT traversal the ability to VPN from private IPs over the public internet? Like work-from-home folks have to do when their home IP is a 192 address? And I can relate to that mental block on a specific subject. I can learn everything around it, but that one topic just puts me to sleep. Subnetting is a good example. I can do it, but I can't sit through a class that teaches it.

    • @NetworkAdminLife 3 months ago

      As I now understand it, NAT-T just encapsulates the entire packet so that the address information in the source address and the data payload will match end to end. In the case of the data passing through an intermediate router that also does NAT, this can cause the source address and the source address in the message payload to not match, causing the data to be dropped. It's still confusing as all get out. I'm just pressing the "I believe" button for now. God bless!
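
The NAT traversal mechanics that @Arcadier's comment and the reply above describe, as an added example in Go that is not from the video or from any commenter. Native ESP is IP protocol 50 with no port numbers, so a NAT device has nothing to map it by; NAT-T solves this in two steps, both shown here with constructed values (RFC 5737 documentation addresses, a made-up SPI and packet bytes): IKEv2 detects a NAT by sending a SHA-1 digest of the SPIs, address and port it believes it is using (RFC 7296 section 2.23), which the receiver recomputes from the headers it actually saw; if they differ, ESP is carried inside UDP port 4500, with a four-byte zero "non-ESP marker" letting IKE share that port (RFC 3948).

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"net"
)

// natDetectionDigest builds the data of an IKEv2 NAT_DETECTION_SOURCE_IP /
// NAT_DETECTION_DESTINATION_IP notify (RFC 7296 section 2.23): SHA-1 over the
// initiator SPI, responder SPI, IP address and UDP port the sender believes it uses.
func natDetectionDigest(spiI, spiR uint64, ip net.IP, port uint16) []byte {
	h := sha1.New()
	var b [8]byte
	binary.BigEndian.PutUint64(b[:], spiI)
	h.Write(b[:])
	binary.BigEndian.PutUint64(b[:], spiR)
	h.Write(b[:])
	if v4 := ip.To4(); v4 != nil {
		h.Write(v4)
	} else {
		h.Write(ip.To16())
	}
	binary.BigEndian.PutUint16(b[:2], port)
	h.Write(b[:2])
	return h.Sum(nil)
}

// natInPath is the receiver's side: recompute the digest over the address and
// port actually seen in the IP/UDP headers. A mismatch means something between
// the peers rewrote them, and the peers switch ESP to UDP port 4500.
func natInPath(peerDigest []byte, spiI, spiR uint64, seenIP net.IP, seenPort uint16) bool {
	return !bytes.Equal(peerDigest, natDetectionDigest(spiI, spiR, seenIP, seenPort))
}

// UDP encapsulation (RFC 3948): on port 4500 an ESP packet is carried as-is, while
// an IKE message is prefixed with four zero bytes. This works because a real ESP
// SPI on the wire is never zero, so the first four bytes tell the two apart.
const nonESPMarkerLen = 4

func encapsulateESP(esp []byte) []byte { return append([]byte{}, esp...) }

func encapsulateIKE(ike []byte) []byte { return append(make([]byte, nonESPMarkerLen), ike...) }

// classifyUDP4500 tells a receiver whether a UDP/4500 payload is IKE or ESP.
func classifyUDP4500(payload []byte) string {
	if len(payload) < nonESPMarkerLen {
		return ""
	}
	if binary.BigEndian.Uint32(payload[:4]) == 0 {
		return "ike"
	}
	return "esp"
}

// natDetectionDemo runs the detection twice with constructed values: once with
// no NAT in the path, once where a NAT rewrote the source address and port.
func natDetectionDemo() (natSeenDirect, natSeenTranslated bool) {
	const spiI, spiR uint64 = 0x1122334455667788, 0 // responder SPI is still zero in IKE_SA_INIT
	inside := net.ParseIP("192.168.1.10")
	notify := natDetectionDigest(spiI, spiR, inside, 500) // what the initiator puts in its notify
	// No NAT: the responder sees the same source address and port the initiator used.
	natSeenDirect = natInPath(notify, spiI, spiR, inside, 500)
	// Behind a NAT: the source now reads as the NAT's public address and a mapped port.
	natSeenTranslated = natInPath(notify, spiI, spiR, net.ParseIP("203.0.113.5"), 61023)
	return
}

func main() {
	direct, translated := natDetectionDemo()
	fmt.Printf("NAT detected with no NAT in path: %v, with NAT in path: %v\n", direct, translated)
	esp := []byte{0x00, 0x00, 0x10, 0x01, 0x00, 0x00, 0x00, 0x01} // constructed ESP header: SPI 0x1001, seq 1
	fmt.Println(classifyUDP4500(encapsulateESP(esp)), classifyUDP4500(encapsulateIKE([]byte("IKE header"))))
}
```

Two practical consequences follow from this: a tunnel that has a NAT in the path needs UDP 4500 open in both directions in addition to UDP 500, and the addresses inside the IKE payload are expected to disagree with the outer headers when NAT is present, which is exactly what the digest comparison is for.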

  • @johng.1703 3 months ago

    You didn't set up an interface, you set it up on the loopback.

    • @NetworkAdminLife 3 months ago

      There are no connected network interfaces on the firewall. Using the loopback was just an expediency. God bless!

  • @xarop3e 3 months ago

    IT is learned from life, not courses.

    • @NetworkAdminLife 3 months ago

      Sounds like something Yoda would say. But true! God bless!