Management Articles

Featured Article
This article has been deprecated; please follow this link instead: Transition From an Evaluation to a Paid License
bfrentz 09-19-2018 02:41 PM
Overview
The GlobalProtect Portal configuration allows the administrator to define whether the GlobalProtect user can "disable" the GlobalProtect agent on the local machine. From the WebGUI, go to Network > GlobalProtect > Portals > Client Configuration.

Symptom
If the option is set to "disabled," the user cannot use the "Disable" option within the GlobalProtect agent. This configuration works as intended on PC, Mac and Android platforms.

There is a restriction for this option on iOS devices (iPhone, iPad), which prevents it from working. This is the expected behavior and is due to a limitation on interacting with the operating system: the user can always disable the VPN connection from the global Settings menu, regardless of the GlobalProtect configuration.

In GlobalProtect version 2.2 and above there is one behavior change: the user can disconnect the VPN connection from the GlobalProtect client, but subsequent traffic will re-initiate the connection if the option above is set to "Disable." However, the user can still disable the VPN through the system settings.

Workaround
Create different proxy policies within .pac files that are pushed to users:
1. Create a URL hosting a .pac file, for example: http://
2. The <server_name> should resolve to a private IP within the corporate network (or when the client is connected to a GlobalProtect Gateway).
3. <server_name> should resolve to a public IP if the client is not within the corporate network (using public DNS servers, which are not pushed by the GlobalProtect Gateway).
4. Depending on the DNS resolution, the .pac file will be fetched from different servers and will provide a different configuration. The internally fetched .pac tells the client to forward all http(s) requests directly to the Internet; the externally fetched .pac forces the client to redirect all traffic to a page asking the user to enable the GlobalProtect VPN connection in order to have Internet access.

A proxy configuration can be pushed to the clients using an MDM solution. Note that this is a usability nudge rather than an enforcement control: a user who can change the device's proxy settings can bypass it.

owner: nmarkovic
nimark 09-18-2018 11:27 AM
Overview
GlobalProtect clients installed on Windows 7/8 machines. Following the install, there are multiple login tiles for the same user account. The issue is present regardless of whether the screen is locked, the account is logged off or the workstation is rebooted.

Issue
The issue was isolated to the workstation in question, which utilizes a Fingerprint Logon CP (Credential Provider). The end result in certain scenarios is duplicate SSO logon tiles, as seen above.

Resolution
Workarounds in this case are as follows:

Option 1
DISABLE the Fingerprint Logon CP, as the GP client will utilize its own built-in CP. The conflict is removed and the issue should no longer be present (though customers may wish to keep this functionality).

Option 2
DISABLE our Logon CP, which should still allow full functionality of the GP client while allowing the use of the third-party Fingerprint CP. The workaround requires issuing the following commands from an elevated command prompt:
1. Run: "c:\program files\Palo alto networks\globalprotect\PanGPUpdater.exe" -u
2. Restart the PC and verify whether duplicate login options are still present. If duplicate tiles are no longer present, proceed with step 3.
3. Run: "c:\program files\Palo alto networks\globalprotect\PanGPUpdater.exe" -c
4. Log off (or restart) and verify whether duplicate login options have returned.

The desktop should now be restored to the expected functionality without duplicate users.

Note: As of GP Client v1.2.x the previous utility (PanGPUpdater.exe) has been merged into the service process, hence the removal of this executable altogether. The workaround still stands but now references PanGPS.exe, i.e.:
1. Run: "c:\program files\Palo alto networks\globalprotect\PanGPS.exe" -u
2. Restart the PC and verify whether duplicate login options are still present. If duplicate tiles are no longer present, proceed with step 3.
3. Run: "c:\program files\Palo alto networks\globalprotect\PanGPS.exe" -c
4. Log off (or restart) and verify whether duplicate login options have returned.

owner: bryan
bryan 09-14-2018 12:21 PM
Issue
If GlobalProtect VPN is deployed in "on-demand" mode, remote GlobalProtect Agent clients can connect to the VPN network by right-clicking the GlobalProtect Agent icon in the taskbar and choosing the "Connect" option from the drop-down list, as shown in the following picture.

If the remote user changes the IP address in the Portal field of the GlobalProtect Agent, the "Connect" option in the drop-down list becomes inactive and cannot be used to connect to the VPN. Instead, the user needs to select "Open" to open the whole GlobalProtect Agent application and navigate to Settings in order to establish a connection.

Explanation
If the Portal's IP address in the GlobalProtect Agent is changed to a new one, the GlobalProtect Agent flushes the existing configuration, considering it obsolete since it was provided by the old Portal.

This means the agent resets the original "on-demand" mode and falls back to the default user-logon mode until a new configuration is downloaded. In user-logon mode, the "Connect" button is always greyed out until the GlobalProtect Agent connects; once the connection is established, the "Disable" button becomes active.
djoksimovic 09-14-2018 12:11 PM
Issue
A PCI compliance scan failed because the GlobalProtect IP address is not using a minimum version of TLS 1.2.

Cause
Running PAN-OS 6.1.4 and below, by default the GlobalProtect Agent connects using TLS 1.0.

Resolution
To resolve this, configure a minimum version of TLS to be used to secure the connection between the GlobalProtect agent and the firewall.

Steps
1. Go to Device > Certificate Management > SSL/TLS Service Profile and create a new profile with the minimum version set to TLSv1.2.
2. Go to the GlobalProtect configuration under Network > GlobalProtect.
3. Map the newly created SSL/TLS service profile to both the portal and the gateway configuration.
4. Commit the configuration.
5. Reconnect to GlobalProtect from the client machine.

Verify the change by re-running the scan or by attempting a TLS 1.0 handshake against the portal, which should now be refused. Any client that cannot negotiate TLS 1.2 will no longer be able to connect.
rchougale 09-07-2018 01:15 AM
Overview
When configuring a Palo Alto Networks Next-Generation Firewall, a certificate signed by a trusted public Certificate Authority (CA) may be desired on:
- Captive Portal ("CP") pages
- Response Pages
- GlobalProtect ("GP") Portal

Many public CAs use chained certificates, that is, certificates not signed by the Root CA itself but by one or more Intermediate CAs. These are usually owned and operated by the same CA, but give that CA flexibility and ease of revocation if a problem arises.

Steps
1. Requesting the certificate
Depending on which PAN-OS version is installed on the firewall, a private key and CSR may need to be generated with a third-party program such as OpenSSL. If using PAN-OS 5.0, refer to How to Generate a CSR (Certificate Signing Request) and Import the Signed Certificate.

2. Creating the combination certificate
When a certificate is not signed by the Root CA, the intermediate CAs should be sent to clients in case those clients do not already have the intermediate CAs in their trust store. To do that, create a combination certificate that consists of the signed certificate (CP, GP, and so on) followed by the intermediate CAs. The image below shows two, but the same process is valid for one intermediate CA or several.

To get each of these certificates:
a. Open the "Server Cert" file sent by the CA. In Windows, the certificate dialog box has three tabs: General, Details, and Certification Path.
b. Click Certification Path and click the certificate one step above the bottom.
c. Open that certificate, click the Details tab, then Copy To File. Save the file as a Base-64 encoded X.509 (.CER) formatted certificate.
d. Do the same for all certificates in the chain except the top (Root).
e. Open each certificate .CER file in a plain-text editor (such as Notepad).
f. Paste each certificate end-to-end, with the Server Cert on top and each signer below it.
g. Save the file as a .TXT or .CER file. Note: The name of the file cannot contain spaces, as this may cause the import to fail.

3. Importing the certificate
Take the combined certificate and import it on the firewall. In PAN-OS 5.0 and above, the private key is already on the firewall. Follow these steps to import the certificate: How to Generate a CSR and Import the Signed CA Certificate

Workaround
If you cannot generate a new CSR but still need to add the intermediate chain to the certificate already on the firewall, try these steps:
1. Export the current certificate from the firewall in PEM format with the private key included.
2. Open the exported file in a text editor.
3. Separate the certificate from the private key into two separate text files (being careful not to add any spaces).
4. Save the private key file and keep it aside.
5. Edit the certificate file so that the server certificate is at the top and the intermediate CA(s) are below it, as described above, and save the file.
6. Delete the certificate already on the firewall.
7. Import the private key together with the edited certificate.

Treat the exported private key as a secret: the export file is protected only by the passphrase chosen at export time, so delete it from the workstation once the import succeeds.

owner: gwesson
gwesson 08-30-2018 07:00 AM
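The ordering step in the chained-certificate article above (server certificate first, then each intermediate, root omitted) is easy to get wrong by hand. The following is an added example, not Palo Alto Networks code: it reads a PEM bundle in any order, links each certificate to its signer by comparing the raw DER issuer and subject Names (byte-identical in a correctly issued chain), and writes the combination certificate. The fake_cert helper and the names it produces are constructed test data with no signature; use the real CA-issued files in practice.

```python
"""Assemble the 'combination certificate': server certificate first, then each
intermediate in signing order, with the self-signed root left out.

Added example; not Palo Alto Networks code. Only the subject and issuer Names are
read from each certificate by walking the DER TLV structure.
"""
import base64
import re

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf: bytes, pos: int):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def subject_issuer(der: bytes):
    """Return (subject, issuer) as the raw contents of the two Name SEQUENCEs."""
    _, pos, _ = _tlv(der, 0)                  # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)                # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                           # optional [0] EXPLICIT version
        pos = end
    _, _, pos = _tlv(der, pos)                # serialNumber
    _, _, pos = _tlv(der, pos)                # signature AlgorithmIdentifier
    _, s, pos = _tlv(der, pos)                # issuer Name
    issuer = der[s:pos]
    _, _, pos = _tlv(der, pos)                # validity
    _, s, pos = _tlv(der, pos)                # subject Name
    return der[s:pos], issuer


def order_chain(pem_bundle: str):
    """DER certificates from the bundle ordered leaf -> intermediates; root omitted."""
    by_subject = {}
    for m in PEM_CERT.finditer(pem_bundle):
        der = base64.b64decode(re.sub(r"\s+", "", m.group(1)))
        subject, issuer = subject_issuer(der)
        by_subject[subject] = (der, issuer)   # assumes one certificate per subject (no cross-signs)
    issuers = {issuer for _, issuer in by_subject.values()}
    leaves = [s for s in by_subject if s not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one end-entity certificate, found {len(leaves)}")
    chain, subject = [], leaves[0]
    while subject in by_subject:
        der, issuer = by_subject[subject]
        if subject == issuer:                 # self-signed root: the client must already trust it
            break
        chain.append(der)
        subject = issuer
    return chain


def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def build_combination(pem_bundle: str) -> str:
    """Text to save (file name without spaces) and import on the firewall."""
    return "".join(to_pem(der) for der in order_chain(pem_bundle))


def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def fake_cert(subject_cn: str, issuer_cn: str) -> bytes:
    """Constructed test data: an unsigned certificate skeleton carrying only the
    fields subject_issuer() reads. Not a valid certificate."""
    def name(cn):  # Name ::= SEQUENCE OF SET OF (OID commonName, UTF8String)
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + name(issuer_cn) + _der(0x30, b"") + name(subject_cn))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
```

Feed build_combination the server certificate plus every CA file the issuer sent; the root, if present, is dropped and a bundle with zero or several end-entity certificates is rejected rather than silently reordered.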
GlobalProtect versions 2.1.1-25 and above

Issue
The GlobalProtect Agent fails to connect to the GlobalProtect portal when using the portal's FQDN. It generates the following error message:

(T8728) 02/13/15 13:58:55:137 Info (2184): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_SECURE_FAILURE, this=0000000001CE29A0)
(T8728) 02/13/15 13:58:55:137 Info (2197): winhttpObj, dwCertError is:
(T8728) 02/13/15 13:58:55:137 Info (2202): WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID

This issue is not seen when the portal's IP address is configured in the GlobalProtect Agent instead of the FQDN.

Explanation
The GlobalProtect Agent performs an additional check to protect the SSL connection with the portal by comparing the common name (CN) of the portal's certificate with the FQDN entered in the GlobalProtect Agent. The agent considers the portal's certificate invalid if the CN does not match the locally configured FQDN. The fix is to issue the portal certificate for the name users enter (and list it as a dNSName SAN), not to have users switch to the IP address, which simply bypasses the check.
djoksimovic 08-28-2018 10:36 AM
GlobalProtect agent collects vendor-specific data about the end-user security packages that are running on the computer (as compiled by the OPSWAT global partnership program) and reports this data to the GlobalProtect gateway for use in policy enforcement. Following are the third-party vendor products that GlobalProtect can detect using the specified OPSWAT SDK.   The attached pdf documents pertain to GlobalProtect version 4.0.x.
srajasekar 08-28-2018 10:30 AM
Symptoms
Accepting a cookie for authentication override fails and users must enter login credentials on the GlobalProtect gateway. This scenario applies if you are generating an authentication cookie on the portal and accepting it on the gateway, so that users are not prompted for gateway credentials until the cookie lifetime expires.

Diagnosis
System logs:
(description contains 'GlobalProtect gateway user authentication failed. Login from: X.X.X.X, Source region: 192.168.0.0-192.168.255.255, User name: , Client OS version: Microsoft Windows 7 Enterprise Edition Service Pack 1, 64-bit, Reason: Cannot decrypt cookie, Auth type: cookie.' )

The cookie is encrypted with the certificate configured on the portal; if the gateway is configured with a different certificate, it cannot decrypt the cookie and the override fails.

Solution
Make sure the same certificate that was used to encrypt the cookie on the portal is configured on the gateway to decrypt the cookie.
bdubey 07-31-2018 11:28 AM
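The system-log line quoted in the article above is the one signal that distinguishes this misconfiguration from ordinary bad-password failures. The script below is an added example (not Palo Alto Networks code) that parses that description format out of exported log text, groups failures by reason and authentication type, and attaches the check to perform; the four log lines are constructed samples, and the source addresses are documentation ranges.

```python
"""Triage GlobalProtect gateway authentication failures from system-log text.

Added example; the regular expression follows the description format quoted in
the article, and SAMPLE_LOGS are constructed lines.
"""
import re
from collections import Counter

AUTH_FAILED = re.compile(
    r"GlobalProtect gateway user authentication failed\. "
    r"Login from: (?P<src>[^,]+), Source region: (?P<region>[^,]+), "
    r"User name: (?P<user>[^,]*), Client OS version: (?P<os>.+?), "
    r"Reason: (?P<reason>[^,]+), Auth type: (?P<auth>[^.]+)\."
)

# Reason text -> what to check. 'Cannot decrypt cookie' is the signature of a
# portal/gateway certificate mismatch; a burst of them from many clients right
# after a certificate change points at the gateway still using the old one.
HINTS = {
    "Cannot decrypt cookie": "gateway certificate differs from the portal certificate that issued the cookie",
}

SAMPLE_LOGS = [  # constructed
    "GlobalProtect gateway user authentication failed. Login from: 203.0.113.7, Source region: 192.168.0.0-192.168.255.255, User name: , Client OS version: Microsoft Windows 7 Enterprise Edition Service Pack 1, 64-bit, Reason: Cannot decrypt cookie, Auth type: cookie.",
    "GlobalProtect gateway user authentication failed. Login from: 198.51.100.20, Source region: US, User name: jsmith, Client OS version: Microsoft Windows 10 Pro, 64-bit, Reason: Invalid username or password, Auth type: profile.",
    "GlobalProtect gateway user authentication failed. Login from: 203.0.113.9, Source region: 192.168.0.0-192.168.255.255, User name: , Client OS version: Apple Mac OS X 10.13.6, Reason: Cannot decrypt cookie, Auth type: cookie.",
    "GlobalProtect gateway user authentication succeeded. Login from: 203.0.113.7, User name: jsmith",
]


def parse_failures(lines):
    """One dict per line that matches the failure format; other lines are skipped."""
    return [m.groupdict() for m in (AUTH_FAILED.search(line) for line in lines) if m]


def triage(lines):
    """Count failures by (reason, auth type), most common first, with the hint for known reasons."""
    events = parse_failures(lines)
    counts = Counter((e["reason"], e["auth"]) for e in events)
    return [
        {
            "reason": reason,
            "auth": auth,
            "count": n,
            "sources": sorted({e["src"] for e in events if e["reason"] == reason}),
            "hint": HINTS.get(reason, "review the authentication profile and server logs"),
        }
        for (reason, auth), n in counts.most_common()
    ]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOGS):
        print(f"{row['count']:>3}  {row['reason']} ({row['auth']}): {row['hint']}  from {row['sources']}")
```

The Client OS field itself contains commas, which is why the OS group is a non-greedy match up to ", Reason:" rather than a simple comma-delimited field.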
Symptoms
After deploying GlobalProtect with pre-logon enabled, clients running the Blue Coat Unified Agent (bcua) experience intermittent connectivity issues. A continuous ping from the client to internal resources shows successful replies, but after 40-50 seconds the pings begin to time out. The connection is then re-established after a few minutes and the behavior loops.

Diagnosis
The bcua creates a tunnel to Symantec Web Security Service (WSS), which means GlobalProtect traffic is also tunneled. This causes the intermittent connectivity.

This can be verified by running a packet capture on the client machine.

A few other ways to verify this is the case:
- Check the client's public IP address; you can do this with a Google search for "what's my IP address".
- Verify whether this is the IP address from the client's ISP or whether it belongs to Symantec. I used arin[dot]net to verify. If you get a Symantec IP address, that is an indication that a tunnel has been created to Symantec.
- On the firewall, run the following commands as shown in the screenshot:

Solution
Symantec is aware of this issue and has provided a workaround in this link. Once the changes have been made, verify the IP seen by the firewall. This should be a non-Symantec IP and connectivity should now be stable.
zmacharia_PA 07-30-2018 11:11 AM
To download software: log in to the Support Portal and click the Software Download link.

To receive notifications when this document is updated, see Email Notifications for Subscribed Activities.

Version   Release Date
4.1.2     14-Jun-18
4.1.1     26-Apr-18
4.1.0     6-Mar-18
4.0.8     12-Apr-18
4.0.7     22-Feb-18
4.0.6     16-Jan-18
4.0.5     4-Dec-17
4.0.4     12-Oct-17
4.0.3     5-Sep-17
4.0.2     25-May-17
panagent 06-14-2018 01:43 PM
How to collect logs from the different GlobalProtect clients (Windows and Mac).
sraghunandan 05-30-2018 03:39 PM
The tunnel keepalive, used for checking whether the GlobalProtect Gateway is up, cannot be adjusted. The GlobalProtect client sends a keepalive every 10 seconds and, if there is no response from the Gateway for 50 seconds, the tunnel is torn down.

The timeout value set using the commands below is the timeout between the GlobalProtect client and the firewall's GlobalProtect Portal/Gateway web server:

> configure
# set deviceconfig setting global-protect timeout <3-150>
# set deviceconfig setting global-protect keepalive <3-150>
# commit
# exit

So changing these values will not affect the tunnel keepalives sent by the GlobalProtect client. This is a firewall setting, not a GlobalProtect client setting.
jputhenvel 05-09-2018 10:27 AM
Palo Alto Networks multi-factor authentication features starting from PAN-OS 8.0. It shows how to integrate with DUO Security, how to use MFA to authenticate a web application, and how to use MFA for a non-web application (requesting authentication through the GlobalProtect agent).
MarceloRey 05-09-2018 10:24 AM
Overview
This document is intended to provide a list of GlobalProtect CLI commands to help in troubleshooting sessions, users and statistics.

Details
Below is a list of the options currently available for "> show global-protect-gateway" (each gives specific information that will be valuable depending on what is being examined):

Command              Description
current-satellite    Show current GlobalProtect gateway satellites
current-user         Show current GlobalProtect gateway users
flow                 Show dataplane GlobalProtect gateway tunnel information
flow-site-to-site    Show dataplane GlobalProtect site-to-site gateway tunnel information
gateway              Show list of GlobalProtect gateway configuration
previous-satellite   Show previous GlobalProtect gateway satellites
previous-user        Show previous user session for GlobalProtect gateway users
statistics           Show statistics of current GlobalProtect gateway users

Examples
Below are some of the commands above and the output that can be expected:

> show global-protect-gateway flow
total tunnels configured:                                     1
filter - type GlobalProtect-Gateway, state any

total GlobalProtect-Gateway tunnel shown:                     1

id    name                  local-i/f         local-ip        tunnel-i/f
-----------------------------------------------------------------------------------------------
2     gp-gateway-N          ethernet1/3       10.30.6.26      tunnel.26

> show global-protect-gateway current-user
GlobalProtect Gateway: gp-gateway (1 users)
Tunnel Name          : gp-gateway-N
        Domain-User Name          : :test
        Computer                  : HOST17-WIN7-64
        Client                    : Microsoft Windows 7 Enterprise Edition Service Pack 1, 64-bit
        Private IP                : 172.16.148.1
        Public IP                 : 10.30.6.83
        ESP                       : removed
        SSL                       : exist
        Login Time                : Aug.12 17:12:34
        Logout/Expiration         : Sep.11 17:12:34
        TTL                       : 2591960
        Inactivity TTL            : 10760

> show global-protect-gateway gateway
GlobalProtect Gateway: gp-gateway (1 users)
Tunnel Type          : remote user tunnel
Tunnel Name          : gp-gateway-N
        Tunnel ID                 : 2
        Tunnel Interface          : tunnel.26
        Encap Interface           : ethernet1/3
        Inheritance From          :
        Local Address             : 10.30.6.26
        SSL Server Port           : 443
        IPSec Encap               : no
        HTTP Redirect             : no
        UDP Port                  : 4501
        Max Users                 : 0
        IP Pool Ranges            : 172.16.148.1 - 172.16.148.254;
        IP Pool index             : 0
        Next IP                   : 172.16.148.2
        DNS Servers               : 4.2.2.2
                                  : 0.0.0.0
        Access Routes             : 0.0.0.0/0;
        VSYS                      : vsys1 (id 1)
        SSL Server Cert           : iamportal
        Auth Profile              : local
        Client Cert Profile       :
        Lifetime                  : 2592000 seconds
        Idle Timeout              : 10800 seconds

owner: panagent
nrice 01-12-2018 04:01 AM
GlobalProtect does not need HTTPS enabled in an Interface Management Profile for the portal to function. It is recommended to review the Interface Management Profiles to ensure that no profile with HTTPS selected is applied to the loopback, physical interface or tunnel interface used by GlobalProtect.

By default, when the GlobalProtect portal is enabled it runs on port 443.

If an Interface Management Profile with HTTPS has been inadvertently applied to the loopback or the physical interface used by the GlobalProtect portal, the platform could potentially be vulnerable to the PAN-OS and Panorama Vulnerability on Management Interface (PAN-SA-2017-0027).

Note: The HTTPS management service enabled by an Interface Management Profile runs on port 4443 on such an interface (the portal keeps 443), so an external scan of the portal address on 4443 is a quick check for exposure.

See the following for additional resources:
- Resources to configure the GlobalProtect portal and gateway: How to Configure GlobalProtect
- PAN-OS Admin Guide for 8.0: Use Interface Management Profiles to Restrict Access
kevinclepalo 01-10-2018 01:19 AM
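Reviewing every Interface Management Profile by hand is error-prone on a firewall with many interfaces. The script below is an added example, not Palo Alto Networks code: it walks a configuration export and reports any interface that both carries a profile with HTTPS enabled and is the local address of a GlobalProtect portal or gateway. SAMPLE_CONFIG is a constructed fragment laid out like an exported PAN-OS configuration (profile definitions under network/profiles, attachments under the interface entries, portal and gateway local-address under vsys/global-protect); the element names are assumptions to verify against your own running-config export before relying on the result.

```python
"""Flag Interface Management Profiles that enable HTTPS on an interface GlobalProtect uses.

Added example; not Palo Alto Networks code. The XML is a constructed fragment in the
shape of a PAN-OS configuration export (element names are assumptions).
"""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
  <network>
    <profiles><interface-management-profile>
      <entry name="ping-only"><ping>yes</ping></entry>
      <entry name="mgmt-https"><https>yes</https><ssh>yes</ssh><ping>yes</ping></entry>
    </interface-management-profile></profiles>
    <interface>
      <ethernet>
        <entry name="ethernet1/1"><layer3><interface-management-profile>mgmt-https</interface-management-profile></layer3></entry>
        <entry name="ethernet1/2"><layer3><interface-management-profile>mgmt-https</interface-management-profile></layer3></entry>
      </ethernet>
      <loopback><units>
        <entry name="loopback.10"><interface-management-profile>ping-only</interface-management-profile></entry>
      </units></loopback>
    </interface>
  </network>
  <vsys><entry name="vsys1"><global-protect>
    <global-protect-portal><entry name="gp-portal">
      <portal-config><local-address><interface>ethernet1/1</interface></local-address></portal-config>
    </entry></global-protect-portal>
    <global-protect-gateway><entry name="gp-gateway">
      <local-address><interface>loopback.10</interface></local-address>
    </entry></global-protect-gateway>
  </global-protect></entry></vsys>
</entry></devices></config>"""


def https_profiles(root):
    """Names of management profiles that have HTTPS turned on."""
    return {e.get("name") for e in root.iterfind(".//profiles/interface-management-profile/entry")
            if (e.findtext("https") or "").strip() == "yes"}


def profile_attachments(root):
    """interface name -> management profile name, for every interface entry that carries one."""
    attached = {}
    for entry in root.iterfind(".//network/interface//entry"):
        prof = entry.find("layer3/interface-management-profile")   # ethernet / subinterface
        if prof is None:
            prof = entry.find("interface-management-profile")      # loopback and tunnel units
        if prof is not None and prof.text:
            attached[entry.get("name")] = prof.text.strip()
    return attached


def globalprotect_interfaces(root):
    """interface name -> list of 'portal <name>' / 'gateway <name>' that bind to it."""
    uses = {}
    for kind in ("portal", "gateway"):
        for e in root.iterfind(f".//global-protect-{kind}/entry"):
            iface = e.findtext(".//local-address/interface")
            if iface:
                uses.setdefault(iface.strip(), []).append(f"{kind} {e.get('name')}")
    return uses


def audit(config_xml: str):
    """Findings, one line per GlobalProtect interface whose profile enables HTTPS."""
    root = ET.fromstring(config_xml)
    risky = https_profiles(root)
    attached = profile_attachments(root)
    gp = globalprotect_interfaces(root)
    return [f"{iface}: profile '{attached[iface]}' enables HTTPS and the interface hosts {', '.join(uses)}"
            for iface, uses in sorted(gp.items()) if attached.get(iface) in risky]


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no GlobalProtect interface exposes management HTTPS"]:
        print(finding)
```

In the sample, ethernet1/2 also carries the HTTPS profile but hosts no portal or gateway, so it is not reported here; it still deserves a look if it is an untrusted-side interface.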
Issue
In the picture below (click to enlarge), the gateway and portal are using the same IP address but different certificates (Server1 and Server2). Because the IP is the same, the firewall will continue to use Server2 as the certificate: both services are served from the same address and port, so only one certificate can be presented there.

Resolution
If the portal's certificate needs to be changed, make sure the gateway is also changed and configured to use the same certificate as the portal.

owner: dburns
npare 12-19-2017 04:55 AM
Overview
Starting from PAN-OS 6.1, access to the GlobalProtect Portal login page can be disabled from a web browser. This option prevents public access to the portal login page and prevents unauthorized attempts to authenticate to the GlobalProtect Portal through it.
Note: This option does not affect GlobalProtect Agents' access to the portal. The agent's own login path to the portal therefore remains reachable; the setting reduces the browser-facing surface rather than removing authentication exposure altogether.

Steps
Follow these steps to disable the GlobalProtect portal login from a web browser:
1. In the WebGUI, go to Network > GlobalProtect > Portals > GlobalProtect Portal > Portal Configuration.
2. On the Portal Configuration tab, under Appearance, select 'Disable login page' (in PAN-OS 8.0, select 'Disable' from the drop-down options).

After this configuration is committed, the GlobalProtect portal page will instead return a '404 page not found' error message.

owner: hlim
HLim 12-04-2017 01:45 AM
Issue
When trying to connect GlobalProtect to the Palo Alto Networks firewall, it connects successfully to the portal but gives a certificate error when it tries to connect to the gateway. Older versions of the agent connect without issue.

Cause
This issue might be caused by a new check introduced in GlobalProtect version 2.1.0. The validation check makes sure that the gateway address configured in the GlobalProtect portal matches the CN of the certificate that the gateway is configured to use. This check was not implemented in older versions, so the issue was not encountered.
Note: When the gateway address is an FQDN and this FQDN is in the certificate, GlobalProtect Agent v2.1.0 and up produces the certificate error until the PTR record is created in DNS.

Resolution
1. Determine which certificate the gateway is configured to use and write it down.
2. Go to Device > Certificate Management > Certificates and write down the CN of the certificate identified in step 1.
3. Adjust the address of the gateway in the GlobalProtect portal client configuration to the CN copied in step 2.
4. Commit the changes and try to reconnect with the agent.

Note: If the gateway certificate includes a hostname (dNSName) in the Subject Alternative Name (SAN) attribute, it should also match the Common Name of the certificate, as indicated above.

Important! Before making this change, make sure the DNS servers used on the firewall are able to resolve the "GlobalProtect Portal" hostname to a public IP address and that there is also a PTR record to resolve the IP address back to the hostname. If it resolves to an internal IP address, this will make the portal inaccessible from the external interface.

owner: jwebb
jwebb 11-23-2017 02:39 AM
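Two of the articles above (the portal FQDN producing WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID, and the gateway address having to match the CN and any dNSName SAN) describe the same name check from two angles. The function below is an added example that reproduces that check as the articles describe it; it is not the GlobalProtect agent's code. The behaviour modelled: the configured name is compared with the certificate CN, a dNSName SAN must also agree when one is present, and an address entered as an IP is not subjected to the CN comparison. Wildcard handling (a single '*' as the whole leftmost label, RFC 6125 style) is an assumption about the agent, as is the pass-through for IP addresses, which modern TLS stacks would instead resolve against an iPAddress SAN.

```python
"""Name check applied when the agent is pointed at a portal or gateway by name.

Added example; not the GlobalProtect agent's code. Behaviour follows the two
articles; wildcard and IP handling are assumptions.
"""
import ipaddress

CN_INVALID = "WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID"


def name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match; '*' only as the entire leftmost label, matching one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[2:]
    if "*" in suffix or "." not in suffix:      # no nested wildcards, no '*.com'
        return False
    head, _, tail = host.partition(".")
    return bool(head) and tail == suffix


def _is_ip(address: str) -> bool:
    try:
        ipaddress.ip_address(address)
        return True
    except ValueError:
        return False


def check_certificate_name(configured: str, cn: str, san_dns=()):
    """configured: the portal address typed into the agent, or the gateway address
    set in the portal's client configuration. Returns (ok, reason)."""
    if _is_ip(configured):
        return True, "IP address configured: CN comparison not applied"
    if not name_matches(cn or "", configured):
        return False, f"{CN_INVALID}: certificate CN {cn!r} does not match {configured!r}"
    if san_dns and not any(name_matches(n, configured) for n in san_dns):
        return False, f"SAN dNSName {list(san_dns)!r} does not include {configured!r}"
    return True, "certificate name matches the configured address"


if __name__ == "__main__":
    # constructed sample: the gateway address in the portal config is 'gw.example.com',
    # but the certificate on the gateway was issued for 'vpn.example.com'
    print(check_certificate_name("gw.example.com", "vpn.example.com", ["vpn.example.com"]))
```

The resolution in the second article amounts to making the first argument equal to the CN; issuing the gateway certificate for the name actually configured (and listing it as a SAN) is the equivalent fix on the certificate side.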
Issue
When using a group in the "allow list" for the authentication profile that GlobalProtect uses, the login attempt fails with the following error: "Reason: User is not in allowlist"

However, the login works fine if the allow list is set to "all" in the authentication profile.

Resolution
1. Confirm that the group you are using is in the include list in a Group Mapping configuration under Device > User Identification > Group Mapping Settings.
2. Confirm that the group in question contains the user attempting to log in. Run the CLI command: show user group name <value>
   For example:
   > show user group name pantac\vpn-user
   short name:  pantac\vpn-user
   source type: ldap
   source:      Pantac2003
   [1     ] pantac\user1
   [2     ] pantac\admin1
   [3     ] pantac\administrator
   [4     ] pantac\user2
   [5     ] pantac\user4
3. Confirm that the LDAP server profile used for your Group Mapping and your GlobalProtect authentication profile contains the NetBIOS domain name (short name) in the domain field. Do not use the DNS name for the domain (domainname.com). In most cases this is the same profile. This can also be left blank in many cases. The LDAP server profile is under Device > Server Profiles > LDAP. In PAN-OS 7.0 and later, the domain setting was moved to Device > User Identification > Group Mapping Settings: User Domain. In PAN-OS 8.0 the User Domain can also be controlled in the Authentication Profile.
4. Confirm that the group name in the allow list of the GlobalProtect authentication profile is listed with the long name of the group. This value can be pasted from the output of the "show user group list" CLI command.

owner: jteestel
jteetsel 11-20-2017 05:04 AM
Yes, there is a limit on the number of Gateways that can be defined; refer to the following table:

Model                              Max # of External Gateways
PA-200, PA-220                     6
PA-500                             6
PA-820                             6
PA-850                             12
PA-2020, PA-2050                   11
PA-3020, PA-3050, PA-3060          11
PA-4020                            26
PA-4050                            131
PA-5020                            26
PA-5050, PA-5060                   131
PA-5220, PA-5250, PA-5260          131
PA-7050, PA-7080                   131
VM-50, VM-100, VM-200              6
VM-300, VM-1000-HV                 11
VM-500                             26
VM-700                             26

owner: ashaik
ashaikh 11-15-2017 12:31 PM
Overview
When the GlobalProtect client configuration is performed, use this information to verify that the correct Connection Method settings have been applied to the client and that the client has retrieved the latest configuration.

Details
User-Logon
The client configuration under the GlobalProtect Portal appears as in the first screenshot when the Connection Method is set to user-logon. Once the client is installed and connected, the options available under the File menu are as in the second screenshot: the 'Disconnect' option is grayed out and unavailable. In user-logon mode, the GlobalProtect client automatically establishes a connection after the user logs in to the host computer.

On-Demand
The client configuration under the GlobalProtect Portal appears as in the third screenshot when the Connection Method is set to on-demand. Once the client is installed and connected, the File menu shows the Disconnect option enabled, because in on-demand mode the user is required to explicitly initiate and end the connection.

owner: pvemuri
pvemuri 11-15-2017 12:30 PM
Symptoms
iOS devices present client SSL certificates only when they are verified. When a client certificate is used to connect to GlobalProtect, the device needs to have a verified certificate; otherwise you will not be able to connect. There can be instances where the same certificate works on a Mac, PC or Android device but not on iOS devices.

The issued certificate can be self-signed or from an internal/external CA. Regardless of the CA, the complete certificate chain must be made available on the iOS device.

Diagnosis
The first thing to check on such an issue is that the certificate profile on the iOS device is verified. You should see a green check mark stating the certificate is verified and the complete chain is present.
1. Navigate to Settings > General > Profiles.
2. The installed certificate will show a "Not Verified" status when selected (see the image below for reference).
3. Ensure you install the complete chain. The simplest way is to email the intermediate and root certificates to the device; these certificates do not require a private key and can be installed with only the public part. If you do not have an intermediate, you can skip it; just the root and the actual certificate should do.
4. Once you have the complete chain, the device will be able to verify the installed certificate and will present it to the GlobalProtect connection.

If running iOS 10.3 or later, follow this additional step to trust the newly installed certificate: https://support.apple.com/en-us/HT204477
If you want to turn on SSL trust for that certificate, go to Settings > General > About > Certificate Trust Settings. Under "Enable full trust for root certificates," turn on trust for the certificate.

Solution
Now that you have the correct certificate chain, GlobalProtect should be able to connect successfully.
Ensure that the identity certificate delivered to the device is in PKCS#12 format (.p12/.pfx), as this is the most suitable format. Because a PKCS#12 file carries the private key, protect it with a strong password and prefer delivery through an MDM over email where possible.
smalayappan 11-15-2017 12:27 PM
The number of entries in the GlobalProtect Client Settings configuration (Network > GlobalProtect > Gateways > Agent > Client Settings) is limited to 64.

Notice how the "OK" button is disabled once a 65th entry is added.

This limitation applies to every PAN-OS version on all of our appliances, including hardware and VMs.
SuperMario 11-09-2017 02:17 AM
Everything you need to know related to deploying, managing, and supporting Palo Alto Networks GlobalProtect.
ekampling 10-19-2017 02:58 AM
For PAN-OS 7.1 and prior: for all platforms the maximum number of Access Routes is limited to 100.

For PAN-OS 8.0: the upper limit for the number of Access Routes has been increased to 200.

For PAN-OS 8.0.2 and later: the upper limit for the number of Access Routes has been increased to 800 on Chromebook and 1,000 on all other endpoints (requires GlobalProtect app 4.0.2 or a later release).

owner: ashaikh
ashaikh 09-29-2017 09:46 AM
GlobalProtect agent collects vendor-specific data about the end-user security packages that are running on the computer (as compiled by the OPSWAT global partnership program) and reports this data to the GlobalProtect gateway for use in policy enforcement. Following are the third-party vendor products that GlobalProtect can detect using the specified OPSWAT SDK.   The attached pdf documents pertain to GlobalProtect version 3.1.x.   Additional Information OPSWAT Support Charts for GlobalProtect 4.0.x
srajasekar 08-08-2017 07:50 AM
The Palo Alto Networks network security platform requires access to a few specific services in order to perform Dynamic Updates and WildFire functions. When deployed behind existing firewalls or proxy servers, these external resources and services must be accessible from the management interface of the Palo Alto Networks platform. If the traffic flows traverse a Palo Alto Networks platform, the following applications may need to be included in the security rulebase: paloalto-updates, pan-db-cloud, paloalto-wildfire-cloud, and brightcloud.

Application, Threat and Anti-Virus database updates
- updates.paloaltonetworks.com:443
- staticupdates.paloaltonetworks.com:443

PAN-DB URL filtering seed updates and cloud lookups
- *.urlcloud.paloaltonetworks.com:443

Brightcloud URL filtering database updates
- database.brightcloud.com:80,443
- service.brightcloud.com:80

WildFire
- wildfire.paloaltonetworks.com:443
- *.wildfire.paloaltonetworks.com:443
- jp.wildfire.paloaltonetworks.com:443 (Japan)
- *.jp.wildfire.paloaltonetworks.com:443 (Japan)
- sg.wildfire.paloaltonetworks.com:443 (Singapore)
- *.sg.wildfire.paloaltonetworks.com:443 (Singapore)
- eu.wildfire.paloaltonetworks.com:443 (Europe)
- *.eu.wildfire.paloaltonetworks.com:443 (Europe)

GlobalProtect database updates
- c733.r33.cf1.rackcdn.com:80

Note: The updates.paloaltonetworks.com FQDN resolves to CDN-based IP addresses. If static IP addresses are required, staticupdates.paloaltonetworks.com may be used instead.

owner: rhagen
rhagen 06-13-2017 03:35 PM
Overview
This document explains how an IP address is assigned to a GlobalProtect client when two or more IP address pools are configured.

Details
The Palo Alto Networks firewall keeps a pointer to the pool from which the last successful IP address assignment was taken. The next client will get the next available IP from the pointer's pool.

For example, GlobalProtect pools:
192.168.10.0/24 > pool-1
172.16.10.0/24  > pool-2
*pointer > pool-1

1. The first GlobalProtect client comes in and requests an IP.
2. The firewall checks its pointer and reads that it has to offer an IP from pool-1 (192.168.10.0/24).
3. The client ACKs the IP and installs it in its GlobalProtect virtual adapter.
4. A new GlobalProtect client comes in (on its local LAN it has the IP 192.168.10.100 assigned on its NIC).
5. The client authenticates successfully and requests an IP.
6. The firewall checks its memory pointer, which is pointing to pool-1. It grabs the next available IP from pool-1 and offers it to the client.
7. The GlobalProtect client reads the IP, but it overlaps with the address on its physical NIC, so it declines the IP address.
8. The firewall receives the decline and moves its memory pointer to pool-2. The firewall offers the client a new IP from pool-2.
9. A third client comes in. Its physical IP is 192.168.1.15.
10. The firewall checks its pointer, which is pointing to pool-2.
11. The firewall gets the next available IP from pool-2 and offers it to the client.
12. This third client receives the IP, checks it, it does not overlap, installs it on its virtual adapter and ACKs the IP to the firewall.

See Also
How can IP Overlaps be Prevented with GlobalProtect

owner: parmas
parmas 05-10-2017 06:27 AM
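The pool-pointer behaviour in the article above is easier to reason about as a small simulation. The class below is an added example, not firewall code: the pointer stays on the pool that served the last accepted address, an offer inside the client's own LAN subnet is declined, and on a decline the pointer moves to the next pool. Returning a declined address to its pool and raising an error when every pool overlaps the client's LAN are assumptions made here; the test replays the three clients from the article.

```python
"""Simulate gateway IP-pool assignment with a 'last successful pool' pointer.

Added example (not firewall code); reproduces the walk-through in the article.
"""
import ipaddress
from collections import deque


class GatewayPools:
    def __init__(self, pools):
        self.pools = [ipaddress.ip_network(p) for p in pools]
        self.free = [deque(net.hosts()) for net in self.pools]   # usable addresses, lowest first
        self.pointer = 0                                        # pool of the last accepted assignment

    def assign(self, client_nic: str):
        """client_nic is the client's physical address with prefix, e.g. '192.168.10.100/24'.
        The client declines any offer inside that subnet because it would collide with its LAN."""
        local = ipaddress.ip_interface(client_nic).network
        for _ in range(len(self.pools)):              # at most one attempt per pool
            free = self.free[self.pointer]
            if free:
                offered = free.popleft()
                if offered not in local:
                    return offered                    # client ACKs and installs it on the virtual adapter
                free.appendleft(offered)              # declined: return it (assumption) and move on
            self.pointer = (self.pointer + 1) % len(self.pools)
        raise RuntimeError(f"no pool can offer {client_nic} an address outside its local subnet")

    def release(self, address):
        """Return an address to the pool it came from (client logout)."""
        for net, free in zip(self.pools, self.free):
            if address in net:
                free.append(address)
                return
        raise ValueError(f"{address} does not belong to any configured pool")


if __name__ == "__main__":
    gw = GatewayPools(["192.168.10.0/24", "172.16.10.0/24"])
    for nic in ("10.0.0.5/24", "192.168.10.100/24", "192.168.1.15/24"):
        print(f"client on {nic:<20} -> {gw.assign(nic)}   (point now at pool-{gw.pointer + 1})")
```

Because the pointer only moves on a decline, a single client whose LAN overlaps pool-1 shifts every later client onto pool-2, which is worth knowing when pool-2 is the smaller one.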