Added FR ID 13046: Support gMSA Accounts for User-IP-Mappings
Description: Currently only standard Windows user accounts can be identified by the Palo Alto User-ID Agent. This capability should be extended to group managed service accounts, as more and more of them will be used in Windows environments. This way it remains possible to restrict access from servers to specific resources so that the installed software is able to communicate, but not an admin who might be able to log in to the specific server.
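To make the request concrete, here is an added example (not Palo Alto or User-ID Agent code) of the mapping step the post is asking for: reading Windows Security logon events (event 4624, with its real TargetUserName, TargetDomainName, IpAddress and LogonType fields) and producing user-to-IP mappings that keep service accounts instead of discarding them. The events below are constructed sample data; the account names, domain and IP addresses are assumptions for the demonstration. Because gMSAs and computer accounts both carry a trailing `$` in their SAM name, the example groups them as "service" and leaves the AD lookup that would separate them to the caller.

```python
"""Build user-to-IP mappings from Windows 4624 logon events, including gMSA logons.

Added example only; not Palo Alto User-ID Agent code. Field names follow the
Windows Security event 4624 schema; the sample events are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional

# Built-in principals Windows logs for its own activity; they never map to a person or a gMSA.
NOISE_ACCOUNTS = {"ANONYMOUS LOGON", "SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
# Source addresses that carry no usable network location (console logons, loopback).
LOCAL_SOURCES = {"-", "::1", "127.0.0.1"}


@dataclass(frozen=True)
class Mapping:
    user: str   # DOMAIN\name, the form a User-ID style mapping would publish
    ip: str
    kind: str   # "user" for a person, "service" for a '$' (gMSA or computer) account


def classify(sam_name: str, domain: str) -> Optional[str]:
    """Return the mapping kind for an account, or None if it should be ignored."""
    if sam_name.upper() in NOISE_ACCOUNTS or domain.upper() == "NT AUTHORITY":
        return None
    # gMSAs and computer accounts both end in '$'. Telling them apart needs an
    # AD lookup (objectClass msDS-GroupManagedServiceAccount), which this
    # example deliberately leaves to the caller.
    return "service" if sam_name.endswith("$") else "user"


def build_mappings(events: Iterable[dict]) -> list[tuple[str, str, str]]:
    """Deduplicated (user, ip, kind) tuples from successful logon events."""
    seen: set[Mapping] = set()
    for ev in events:
        if ev.get("EventID") != 4624:          # only successful logons
            continue
        ip = ev.get("IpAddress", "-")
        if ip in LOCAL_SOURCES:                # no network address to map
            continue
        kind = classify(ev["TargetUserName"], ev["TargetDomainName"])
        if kind is None:
            continue
        user = f"{ev['TargetDomainName']}\\{ev['TargetUserName']}"
        seen.add(Mapping(user, ip, kind))
    return sorted((m.user, m.ip, m.kind) for m in seen)


# Constructed sample events (assumed domain CORP, assumed gMSA svc-web$, assumed IPs).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice", "TargetDomainName": "CORP",
     "IpAddress": "10.0.1.25", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "svc-web$", "TargetDomainName": "CORP",
     "IpAddress": "10.0.2.10", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY",
     "IpAddress": "10.0.3.7", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "bob", "TargetDomainName": "CORP",
     "IpAddress": "-", "LogonType": 2},
    {"EventID": 4625, "TargetUserName": "mallory", "TargetDomainName": "CORP",
     "IpAddress": "10.0.9.9", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "alice", "TargetDomainName": "CORP",
     "IpAddress": "10.0.1.25", "LogonType": 3},
]

if __name__ == "__main__":
    for user, ip, kind in build_mappings(SAMPLE_EVENTS):
        print(f"{ip:<15} {user:<20} {kind}")
```

With the sample input the service logon from `svc-web$` survives alongside the interactive user, which is exactly what a policy restricting a server's software (but not an admin who logs in to it) would need.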
I have several feature requests for Palo Alto firewalls:
To create a new Feature Request you'll need to reach out to your SE to get them into the system. Once that's done and you have the FR numbers, post them here so people can add their votes to the FR.
It would be nice to be able to associate an address group object with an IPsec VPN tunnel Proxy ID. It can be tedious to add multiple local subnets/addresses to local subnets/addresses per line in the configuration. Maybe incorporate tagging as well. It would make it easier/quicker to set up the static routes for the remote subnets as well, with less chance of error (fat fingering) during the configuration.
I'll update this with the FR ID from my SE when I get it.
It would be awesome to harden Android GlobalProtect when it's in Always-On mode. Even though the admin can disable sign-out, GP can simply be killed by the Android OS, or a user can simply remove the app from the phone, or kill the VPN in the settings. Yes, you can try to configure it on MDM, but that means a different infrastructure, and, in most cases, MDM will not help for BYOD devices.
Look how it's been done on Check Point SandBlast, or Google Maps or any other navigation system. It can't be killed by the OS at any time or by another app. Or look how Kaspersky implemented their antivirus solution: there is no way to get it removed without knowing the password. So why is GP so weak then?
Another awesome feature would be if GP could detect from which Android app the traffic is being sourced. For example, if you watch YouTube and use the Google Play Store, you can't differentiate the traffic, because in both cases they're using QUIC. You can't decrypt QUIC, and disabling QUIC means Google Play will stop working, so how can we, for example, enable Google Play but disable watching YouTube videos using the YouTube app? Google Maps also uses QUIC.
Hello Palo Alto teams!
I would like to raise a feature request here for GlobalProtect:
Thanks to version 9.0, we're now able to have Global Protect DNS configuration assignment based on user group.
Unfortunately, it's a "hard setting" and it cannot change according to which gateway we push those settings from Panorama. Yet Panorama already has the capability of using "Variables" which change the setting according to which gateway we push the configuration to. Everything is already there to make it work; I'm sure it's not a lot of work.
We would like, as a new feature, the possibility to use Panorama variables on the GlobalProtect DNS assignment based on user group.
We have an ASPAC & EMEA GP gateway which share the same gateway settings, so our users can't get a local DNS according to which gateway they connect.