topic Traffic from GlobalProtect stop working after upgrade from 8.1.11 in General Topics

Traffic from GlobalProtect stop working after upgrade from 8.1.11

Jacek_Loszewski — Fri, 26 Jun 2020 05:31:47 GMT

Hi,

I have two PaloAlto 3020 in an active-passive cluster. PanOS 8.1.11 is nstalled on both. Everything works correctly, internal traffic, traffic from GP Client, vpn tunnels. GP clinets connect, sends HIPs, Palo recieves this HIPs, traffic is passing trough according to rules.

The problem is that when I updated one cluster node from version 8.1.11 to 8.1.12 (but checked 8.1.13, add 9.0.8 also) and switch active node to this, using newer software, traffic from the GP client is not passing trough.
The GP client connects, sends HIPs, Palo recieves this HIPs, but GP traffic does not pass. And there are no traffic logs from GP clients.

The update passed without errors and internal traffic works correctly. Everything except GP traffic.
Does enybody have suggestions what coud be a problem?

Greetings
Jacek

Re: Traffic from GlobalProtect stop working after upgrade from 8.1.11

JoergSchuetter — Fri, 26 Jun 2020 10:50:59 GMT

Hello @Jacek_Loszewski

Check for the user names listed in the logs (compare it with the ones from the working PAN). If the user name (format) is not different, then you need to adjust the authentication profile.

Re: Traffic from GlobalProtect stop working after upgrade from 8.1.11

Jacek_Loszewski — Mon, 29 Jun 2020 07:54:47 GMT

@JoergSchuetter- thank you for your reply. You were right. There is a problem with format of the user names.
domain: acme.local - UPN: user@acme.local

domain name (pre-win200) is: Dom so sAMAccountName format is: Dom\user

When active node is the one with older software, in HIP log, we have user name in sAMAccountName format- everything working fine.
When we switch the active node (to the one with newer software) and make a GP connection we have something like this: acme.local\user
And thats why traffic in not passing trough the policy rules. So, as you say, we need adjust authentication profile.

I don't know how yet, but I hope it will work soon 🙂

Greetings

Jacek

Re: Traffic from GlobalProtect stop working after upgrade from 8.1.11

JoergSchuetter — Mon, 29 Jun 2020 09:49:10 GMT

Hello @Jacek_Loszewski

I have set the following on my authentication profile (Kerberos):

Realm: ACME.LOCAL (all in capital letters)

User Dmonain: dom (we have all in lower case, not sure if Dom would also work)

Username Modifier: %USERINPUT%@ACME.LOCAL

Joerg

Re: Traffic from GlobalProtect stop working after upgrade from 8.1.11

Jacek_Loszewski — Wed, 15 Jul 2020 08:11:37 GMT

Hi guys,

Problem solved.

I had to change two things. First, as described in this article https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id/map-users-to-groups.html, I had to add Alternate Username 1: userPrincipalName (in my old settings this field was empty).

And secondly, I needed to change Authentication Profile.

Type: LDAP

User domain: dom (lower case, pre-win 2000 format) (was domain.local)

Username Modifier: %USERINPUT% (was %USERINPUT%@%USERDOMAIN% )

Thank you for your help.

Greetings

Jacek