Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

GlobalProtect, Working from Home, Prisma Access and Covid-19

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

GlobalProtect, Working from Home, Prisma Access and Covid-19

L7 Applicator

To all, 

Just wanted to post a message about the Hot Topic right now, which is Covid-19. 

With all of this going around, everybody's health and safely is the utmost concern. Keeping your hands clean, washing your hands (A LOT), using hand sanitizers, and stop touching your face (I see you doing it now).

 

One of the things that is happening all over the place is telecommuting. Just like being safe in the real world, a VPN is a necessity when doing your work online. Palo Alto Networks has a couple of products that can help keep you secure online, which are GlobalProtect and Prisma Access.

 

GlobalProtect is the built-in VPN solution for our Strata (firewall) suite.

Prisma Access is our globally distributed cloud service that can automatically scale when your need increases. 

One of the advantages of using Prisma Access is that you do not need to deploy any new hardware to expand your capacity.

 

For GlobalProtect, our sales staff is available is to help your need for more hardware capacity.

For Prisma Access, we are offering free accelerated deployment and on-boarding of remote users.

Also, for any existing Prisma Access customers, we will be giving additional capacity to address increased usage at no additional cost for 90 days.

 

This is meant as a reminder for everyone that we have products to keep you secure.

Please send an email if you have any questions about increasing capacity to the following address:

rapid-response@paloaltonetworks.com

 

More Information:

Palo Alto Networks CEO, Nikesh Arora has put out a blog about this subject here:

Securely Connect and Scale Remote Workforces

 

For a list of Configuration and Troubleshooting articles, please see the GlobalProtect Resource List here:

GlobalProtect Resource List on Configuring and Troubleshooting

 

For any questions about licensing, please review GlobalProtect License requirements here:

GlobalProtect Licensing

 

Please check my Blog about this with more information, links and even videos here:

GlobalProtect and Prisma Access during COVID-19

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!
43 REPLIES 43

Palo Alto Networks Guru

@raji_toor 

To answer your question about QoS and GlobalProtect.. Yes, you can.

 

Here is a link to a Learning Happy Hour that talks about Throttling with QoS

https://live.paloaltonetworks.com/t5/Learning-Happy-Hour-Articles/Throttle-Bandwidth-Hogs-Using-QoS-...

 

The only note that I can help add about GP and QoS is:

When an interface that is part of an existing QoS configuration is later configured to be part of a tunnel configuration (IPSec, GlobalProtect, etc.), the Palo Alto Networks device expects QoS to be applied to the tunnel traffic. Apply the default/custom QoS profile to the tunnel traffic.

 

I hope this helps.

 

 

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

Just wanted everyone to know that we have created a brand new area on the LIVEcommunity, it is the Covid-19 Response Center. 

It is hard to miss it once you are on the LIVEcommunity, just look at the top Navigation, and you will see "COVID-19 Response Center" or you can click here:

https://live.paloaltonetworks.com/t5/COVID-19-Response-Center/ct-p/COVID-19_Response_Center

 

We have worked hard to combine a lot of great resources to help answer your common GlobalProtect and Prisma Access questions.

 

Be sure to check it out if you haven't already.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

L0 Member

Hi Team,

Can we can achieve remote vpn load balancing while using global protect on palo alto....if yes,can we add firewalls in a cluster to increase support to increased users...how can we do this between firewalls are different sites

@sumitsingh14 

Please allow me to respond.. 
1. HA is for redundancy, not for adding capacity.

2. In a Single Gateway instance, there is no balancing of the GP traffic. As one client will connect to a gateway.

Taking that a step further, You can setup multiple gateways. When the client connects to the one portal and downloads the list of gateways, the client then connects to the gateway that responds the fastest. So sort of load balancing depending on load and response time.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

L3 Networker

@jdelio 

I appreciate what you guys are doing here, just took me a while to find it.

One issue that we are running into is that once we get connected with GP, our O365 apps like Outlook, will say there is no network connection if you try to use it right away. If you take your time to start Outlook there is no problem. So we tracked it down to MS NLA not checking the internet connection fast enough. What can we do to resolve this issue?

Thanks again for your team in this challenging time.


Bruce.

Learn at least one new thing every day.

@BruceBennett  Thanks for the kind words, we are really trying to help as many people as we can.

 

As far as the issue you are asking about.. I know that our support group has more info about similar issues, so for that I would recommend opening a support case and seeing if they can help.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

@jdelio Thanks for your response.

 

Unfortunately, we have "Premium Partner Support" and I cannot convince them that this needs to be pushed up to PAN Support. They are convinced this is a Microsoft issue. So we opened a case with Microsoft and they are sure it is not their problem. We are stuck between two stubborn support teams at this point. We will get there, just slower than we wanted.

 


Bruce.

Learn at least one new thing every day.

L2 Linker

HI !

 

I enabled trial license for Global protect gateway license and follow the link below to try to allow zoom traffic go out via physical adapter in Global protect client 5.1.0 PANFW firmware is 8.1.12. It does seems to be working. Does it require portal license in additiona to gateway subscribtion. If now how to prove it is working. Our tracert  zoom.us from GP client (full tunnel mode) still goes out tunnel (we did restart gp services/reboot client window OS)

 

Any suggestion is appreciated

 

https://live.paloaltonetworks.com/t5/Prisma-Access-Articles/GlobalProtect-Implement-Split-Domain-and...

@Daniel_Li 

If you have followed the document properly, then this should be working for you. 

If this isn't then I would recommend ensuring that your dynamic updates are up to date, as well as on a schedule to stay up to date.

 

If this isn't working after updates, then I suggest posting a new thread to the GlobalProtect discussion forum https://live.paloaltonetworks.com/t5/GlobalProtect-Discussions/bd-p/GlobalProtect_Discussions

with more details, or opening a case with support (last resort because of how busy TAC is right now.)

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

Thank you Joe. Update is current. We have opened a ticket with TAC.

 

Daniel

Hi @BruceBennett  & @Daniel_Li  ,

 

I have recently wrote following document for split tunneling Office 365 applications based on recommendation with Microsoft:

https://live.paloaltonetworks.com/t5/General-Articles/GlobalProtect-Optimizing-Office-365-Traffic/ta...

 

In case you are still run into any issues with app and domain based split tunnel than following document will help you troubleshoot:

https://live.paloaltonetworks.com/t5/General-Articles/Troubleshoot-Split-Domain-amp-Applications-and...

 

Feel free to open TAC case if you still encounter issues. 

 

Thanks,

Nehal

Hi @nnaik 

Your articles are great! They will be very useful for our split tunnels.

 

I was also able to modify the PS a little and pull the ExpressRoute addresses too. That is something that I have needed to be able to do in the past, but was not able to find. (edit: I was wrong, I was not getting the ExpressRoute addresses, I will have to keep working on that.)

 

That only leaves my issue with MS Network Location Awareness. 

 

Again, thank you very much!

 


Bruce.

Learn at least one new thing every day.

Thank you Nehal for the useful link for troubleshoot.

 

I tried netstat -anob on window 10. It does not display adapter info for connection which shows connection to Zoom IP exiting at physical adapter. Pcap will show the info.

 

C:\WINDOWS\system32>netstat -anob | findstr 52 (52.202 is zoom.us IP)
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1752
TCP GP IP.3:30390 52.202.62.232:443 CLOSE_WAIT 10596
TCP GP IP.3:31060 52.96.50.98:443 ESTABLISHED 2124
TCP GP IP.3:32232 52.96.50.130:443 ESTABLISHED 2124
TCP GP IP.3:32324 52.114.128.70:443 TIME_WAIT 0
TCP 127.0.0.1:1521 127.0.0.1:1522 ESTABLISHED 10436
TCP 127.0.0.1:1522 127.0.0.1:1521 ESTABLISHED 10436
TCP 192.168.0.17:3429 66.199.36.52:443 ESTABLISHED 7984
TCP 192.168.0.17:49420 52.177.166.224:443 ESTABLISHED 5080
TCP [::]:49666 [::]:0 LISTENING 1752
UDP 0.0.0.0:54908 *:* 2520
UDP 127.0.0.1:52597 *:* 2124
UDP [2607:fea8:329f:e653:e8b2:bccd:6d37:5242]:2177 *:* 2832
UDP [fd00:8494:8cd1:3322:e8b2:bccd:6d37:5242]:2177 *:* 2832
UDP [fe80::e8b2:bccd:6d37:5242%13]:1900 *:* 5988
UDP [fe80::e8b2:bccd:6d37:5242%13]:2177 *:* 2832
UDP [fe80::e8b2:bccd:6d37:5242%13]:59606 *:*

 

Daniel

Hello @BruceBennett ,

 

Appreciate your feedback and glad that article helped.

 

Thanks,

Nehal

  • 43655 Views
  • 43 replies
  • 33 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!