Added FR ID 13046: Support gMSA Accounts for User-IP-Mappings
Description: Currently only standard Windows user accounts can be identified by the Palo Alto User-ID Agent. This capability should be extended to group managed service accounts, as more and more of them will be used in Windows environments. This way it remains possible to restrict access from servers to specific resources so that the installed software is able to communicate, but not an admin who might be able to log in to the specific server.
I have several feature requests for Palo Alto firewalls:
To create a new Feature Request you'll need to reach out to your SE to get them into the system. Once that's done and you have the FR numbers, post them here so people can add their votes to the FR.
It would be nice to be able to associate an address group object with an IPsec VPN tunnel Proxy ID. It can be tedious to add multiple local subnets/addresses to local subnets/addresses per line in the configuration. Maybe incorporate tagging as well. It would make it easier/quicker to set up the static routes for the remote subnets as well, with less chance of error (fat fingering) during the configuration.
I'll update this with the FR ID from my SE when I get it.
It would be awesome to harden Android GlobalProtect when it's in Always-On mode. Even though the admin can disable sign out, GP can be simply killed by the Android OS, or a user can simply remove the app from the phone, or kill the VPN in the settings. Yes, you can try to configure it on MDM, but it means a different infrastructure, and in most cases MDM will not help for BYOD devices.
Look how it's been done on Checkpoint Sandblast, or Google Maps or any other navigation system. It can't be killed by the OS at any time or by another app. Or look how Kaspersky implemented their antivirus solution. No way to get it removed without knowing the password. So why is GP so weak then?
Another awesome feature would be if GP could detect from which Android app the traffic is being sourced. For example, if you watch YouTube and use Google Play Store, you can't differentiate the traffic, because in both cases they're using QUIC. You can't decrypt QUIC, and disabling QUIC means you will make Google Play stop working, so how can we, for example, enable Google Play, but disable watching YouTube videos using the YouTube app? Or their Google Maps is also using QUIC.