GlobalProtect, Working from Home, Prisma Access and Covid-19

L3 Networker

@jdelio 

I appreciate what you guys are doing here, just took me a while to find it.

One issue that we are running into is that once we get connected with GP, our O365 apps, like Outlook, will say there is no network connection if you try to use them right away. If you take your time to start Outlook there is no problem. So we tracked it down to MS NLA not checking the internet connection fast enough. What can we do to resolve this issue?

Thanks again for your team in this challenging time.


Bruce.

Learn at least one new thing every day.
Community Team Member

@BruceBennett  Thanks for the kind words, we are really trying to help as many people as we can.

 

As far as the issue you are asking about, I know that our support group has more info about similar issues, so for that I would recommend opening a support case and seeing if they can help.

Stay Secure,
Joe
End of line
L3 Networker

@jdelio Thanks for your response.

 

Unfortunately, we have "Premium Partner Support" and I cannot convince them that this needs to be pushed up to PAN Support. They are convinced this is a Microsoft issue. So we opened a case with Microsoft and they are sure it is not their problem. We are stuck between two stubborn support teams at this point. We will get there, just slower than we wanted.

 


Bruce.

Learn at least one new thing every day.
L2 Linker

Hi!

 

I enabled a trial license for the GlobalProtect gateway license and followed the link below to try to allow Zoom traffic to go out via the physical adapter in GlobalProtect client 5.1.0; PAN FW firmware is 8.1.12. It does seem to be working. Does it require a portal license in addition to the gateway subscription? If not, how to prove it is working? Our tracert zoom.us from the GP client (full tunnel mode) still goes out the tunnel (we did restart GP services/reboot the client Windows OS).

 

Any suggestion is appreciated

 

https://live.paloaltonetworks.com/t5/Prisma-Access-Articles/GlobalProtect-Implement-Split-Domain-and...

Community Team Member

@Daniel_Li 

If you have followed the document properly, then this should be working for you. 

If this isn't then I would recommend ensuring that your dynamic updates are up to date, as well as on a schedule to stay up to date.

 

If this isn't working after updates, then I suggest posting a new thread to the GlobalProtect discussion forum https://live.paloaltonetworks.com/t5/GlobalProtect-Discussions/bd-p/GlobalProtect_Discussions with more details, or opening a case with support (last resort because of how busy TAC is right now).

Stay Secure,
Joe
End of line
L2 Linker

Thank you Joe. Update is current. We have opened a ticket with TAC.

 

Daniel

L4 Transporter

Hi @BruceBennett  & @Daniel_Li  ,

 

I recently wrote the following document for split tunneling Office 365 applications, based on recommendations from Microsoft:

https://live.paloaltonetworks.com/t5/General-Articles/GlobalProtect-Optimizing-Office-365-Traffic/ta...

 

In case you still run into any issues with app- and domain-based split tunnel, the following document will help you troubleshoot:

https://live.paloaltonetworks.com/t5/General-Articles/Troubleshoot-Split-Domain-amp-Applications-and...

 

Feel free to open TAC case if you still encounter issues. 

 

Thanks,

Nehal

L3 Networker

Hi @nnaik 

Your articles are great! They will be very useful for our split tunnels.

 

I was also able to modify the PS a little and pull the ExpressRoute addresses too. That is something that I have needed to be able to do in the past, but was not able to find. (edit: I was wrong, I was not getting the ExpressRoute addresses, I will have to keep working on that.)

 

That only leaves my issue with MS Network Location Awareness. 

 

Again, thank you very much!

 


Bruce.

Learn at least one new thing every day.
L2 Linker

Thank you Nehal for the useful link for troubleshooting.

 

I tried netstat -anob on Windows 10. It does not display adapter info for connection which shows connection to Zoom IP exiting at physical adapter. Pcap will show the info.

 

C:\WINDOWS\system32>netstat -anob | findstr 52 (52.202 is zoom.us IP)
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1752
TCP GP IP.3:30390 52.202.62.232:443 CLOSE_WAIT 10596
TCP GP IP.3:31060 52.96.50.98:443 ESTABLISHED 2124
TCP GP IP.3:32232 52.96.50.130:443 ESTABLISHED 2124
TCP GP IP.3:32324 52.114.128.70:443 TIME_WAIT 0
TCP 127.0.0.1:1521 127.0.0.1:1522 ESTABLISHED 10436
TCP 127.0.0.1:1522 127.0.0.1:1521 ESTABLISHED 10436
TCP 192.168.0.17:3429 66.199.36.52:443 ESTABLISHED 7984
TCP 192.168.0.17:49420 52.177.166.224:443 ESTABLISHED 5080
TCP [::]:49666 [::]:0 LISTENING 1752
UDP 0.0.0.0:54908 *:* 2520
UDP 127.0.0.1:52597 *:* 2124
UDP [2607:fea8:329f:e653:e8b2:bccd:6d37:5242]:2177 *:* 2832
UDP [fd00:8494:8cd1:3322:e8b2:bccd:6d37:5242]:2177 *:* 2832
UDP [fe80::e8b2:bccd:6d37:5242%13]:1900 *:* 5988
UDP [fe80::e8b2:bccd:6d37:5242%13]:2177 *:* 2832
UDP [fe80::e8b2:bccd:6d37:5242%13]:59606 *:*

 

Daniel
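
Added example (not part of any post in this thread, and not Palo Alto Networks code): in netstat output the local address of a connection is the address of the adapter the socket is bound to, so mapping that address back to an adapter shows whether a session uses the tunnel or the physical NIC. The script below does that mapping for live connections, assuming Windows PowerShell with the built-in DnsClient, NetTCPIP and NetAdapter cmdlets; the `zoom.us` default is the hostname from the post above.

```powershell
# Added example: show which adapter each live TCP connection to a destination is bound to.
param(
    [string]$Destination = 'zoom.us'   # hostname from the post above; change as needed
)

# IPv4 addresses the name currently resolves to on this client.
$remoteIps = @(Resolve-DnsName -Name $Destination -Type A -ErrorAction Stop |
    Where-Object { $_.IPAddress } |
    ForEach-Object { $_.IPAddress })

# Local IPv4 address -> interface index, and interface index -> adapter object.
$indexByLocalIp = @{}
Get-NetIPAddress -AddressFamily IPv4 |
    ForEach-Object { $indexByLocalIp[$_.IPAddress] = $_.InterfaceIndex }
$adapterByIndex = @{}
Get-NetAdapter -IncludeHidden |
    ForEach-Object { $adapterByIndex[$_.ifIndex] = $_ }

# Report every TCP connection whose remote end is one of the resolved addresses.
$rows = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $remoteIps -contains $_.RemoteAddress } |
    ForEach-Object {
        $ifIndex = $indexByLocalIp[$_.LocalAddress]
        $adapter = if ($null -ne $ifIndex) { $adapterByIndex[$ifIndex] }
        $proc    = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Remote      = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
            Local       = $_.LocalAddress
            State       = $_.State
            Process     = $proc.ProcessName
            Adapter     = $adapter.Name                  # e.g. the Wi-Fi or VPN adapter name
            Description = $adapter.InterfaceDescription  # driver description of that adapter
        }
    }

if ($rows) { $rows | Format-Table -AutoSize }
else { "No TCP connections to $Destination ($($remoteIps -join ', ')) right now." }
```

Run it while the application has an active session; the name may resolve to a different address than the one the application connected to, in which case compare against the remote addresses the application actually holds.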

L4 Transporter

Hello @BruceBennett ,

 

Appreciate your feedback and glad that article helped.

 

Thanks,

Nehal
