Just wanted to post a message about the Hot Topic right now, which is Covid-19.
With all of this going around, everybody's health and safety is the utmost concern. Keeping your hands clean, washing your hands (A LOT), using hand sanitizers, and stop touching your face (I see you doing it now).
One of the things that is happening all over the place is telecommuting. Just like being safe in the real world, a VPN is a necessity when doing your work online. Palo Alto Networks has a couple of products that can help keep you secure online, which are GlobalProtect and Prisma Access.
GlobalProtect is the built-in VPN solution for our Strata (firewall) suite.
Prisma Access is our globally distributed cloud service that can automatically scale when your need increases.
One of the advantages of using Prisma Access is that you do not need to deploy any new hardware to expand your capacity.
For GlobalProtect, our sales staff is available to help with your need for more hardware capacity.
For Prisma Access, we are offering free accelerated deployment and on-boarding of remote users.
Also, for any existing Prisma Access customers, we will be giving additional capacity to address increased usage at no additional cost for 90 days.
This is meant as a reminder for everyone that we have products to keep you secure.
Please send an email if you have any questions about increasing capacity to the following address:
Palo Alto Networks CEO Nikesh Arora has put out a blog about this subject here:
For a list of Configuration and Troubleshooting articles, please see the GlobalProtect Resource List here:
For any questions about licensing, please review GlobalProtect License requirements here:
Please check my Blog about this with more information, links and even videos here:
I appreciate what you guys are doing here, just took me a while to find it.
One issue that we are running into is that once we get connected with GP, our O365 apps, like Outlook, will say there is no network connection if you try to use them right away. If you take your time to start Outlook, there is no problem. So we tracked it down to MS NLA not checking the internet connection fast enough. What can we do to resolve this issue?
Thanks again for your team in this challenging time.
@BruceBennett Thanks for the kind words, we are really trying to help as many people as we can.
As far as the issue you are asking about, I know that our support group has more info about similar issues, so for that I would recommend opening a support case and seeing if they can help.
@jdelio Thanks for your response.
Unfortunately, we have "Premium Partner Support" and I cannot convince them that this needs to be pushed up to PAN Support. They are convinced this is a Microsoft issue. So we opened a case with Microsoft and they are sure it is not their problem. We are stuck between two stubborn support teams at this point. We will get there, just slower than we wanted.
I enabled a trial license for the GlobalProtect gateway and followed the link below to try to allow Zoom traffic to go out via the physical adapter in GlobalProtect client 5.1.0; PANFW firmware is 8.1.12. It does seem to be working. Does it require a portal license in addition to the gateway subscription? If not, how to prove it is working? Our tracert zoom.us from the GP client (full tunnel mode) still goes out the tunnel (we did restart GP services/reboot the client Windows OS).
Any suggestion is appreciated
If you have followed the document properly, then this should be working for you.
If it isn't, then I would recommend ensuring that your dynamic updates are up to date, as well as on a schedule to stay up to date.
If this isn't working after updates, then I suggest posting a new thread to the GlobalProtect discussion forum https://live.paloaltonetworks.com/t5/GlobalProtect-Discussions/bd-p/GlobalProtect_Discussions
with more details, or opening a case with support (last resort because of how busy TAC is right now.)
I recently wrote the following document for split tunneling Office 365 applications, based on recommendations from Microsoft:
In case you still run into any issues with app- and domain-based split tunnel, the following document will help you troubleshoot:
Feel free to open TAC case if you still encounter issues.
Your articles are great! They will be very useful for our split tunnels.
I was also able to modify the PS a little and pull the ExpressRoute addresses too. That is something that I have needed to be able to do in the past, but was not able to find. (edit: I was wrong, I was not getting the ExpressRoute addresses, I will have to keep working on that.)
That only leaves my issue with MS Network Location Awareness.
Again, thank you very much!
Thank you, Nehal, for the useful link for troubleshooting.
I tried netstat -anob on Windows 10. It does not display adapter info for the connection, which would show the connection to the Zoom IP exiting at the physical adapter. Pcap will show the info.
C:\WINDOWS\system32>netstat -anob | findstr 52 (52.202 is zoom.us IP)
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1752
TCP GP IP.3:30390 188.8.131.52:443 CLOSE_WAIT 10596
TCP GP IP.3:31060 184.108.40.206:443 ESTABLISHED 2124
TCP GP IP.3:32232 220.127.116.11:443 ESTABLISHED 2124
TCP GP IP.3:32324 18.104.22.168:443 TIME_WAIT 0
TCP 127.0.0.1:1521 127.0.0.1:1522 ESTABLISHED 10436
TCP 127.0.0.1:1522 127.0.0.1:1521 ESTABLISHED 10436
TCP 192.168.0.17:3429 22.214.171.124:443 ESTABLISHED 7984
TCP 192.168.0.17:49420 126.96.36.199:443 ESTABLISHED 5080
TCP [::]:49666 [::]:0 LISTENING 1752
UDP 0.0.0.0:54908 *:* 2520
UDP 127.0.0.1:52597 *:* 2124
UDP [2607:fea8:329f:e653:e8b2:bccd:6d37:5242]:2177 *:* 2832
UDP [fd00:8494:8cd1:3322:e8b2:bccd:6d37:5242]:2177 *:* 2832
UDP [fe80::e8b2:bccd:6d37:5242%13]:1900 *:* 5988
UDP [fe80::e8b2:bccd:6d37:5242%13]:2177 *:* 2832
UDP [fe80::e8b2:bccd:6d37:5242%13]:59606 *:*
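An added example, not part of any post in this thread: netstat prints no adapter name, but the local address of each connection belongs to exactly one adapter, so connections to the split-tunnel destinations can be sorted into tunnel and physical egress from that column. The sample lines, the adapter addresses (10.10.0.3 and 192.168.0.17) and the excluded network (203.0.113.0/24) are constructed placeholders; on a real client take the adapter addresses from ipconfig and the networks from the split-tunnel configuration.

```python
import ipaddress

# Constructed `netstat -ano` sample (placeholder addresses, not from the thread).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       1752
  TCP    10.10.0.3:30390        198.51.100.20:443      ESTABLISHED     2124
  TCP    10.10.0.3:31060        203.0.113.45:443       ESTABLISHED     2124
  TCP    192.168.0.17:3429      203.0.113.46:443       ESTABLISHED     7984
  TCP    127.0.0.1:1521         127.0.0.1:1522         ESTABLISHED     10436
  TCP    [::]:49666             [::]:0                 LISTENING       1752
  UDP    0.0.0.0:54908          *:*                                    2520
"""

# Assumed mapping of local IP -> adapter role (read from `ipconfig` in practice).
ADAPTERS = {"10.10.0.3": "tunnel", "192.168.0.17": "physical"}
# Assumed destinations that the split-tunnel policy should keep off the VPN.
EXCLUDED = [ipaddress.ip_network("203.0.113.0/24")]


def host_of(endpoint):
    """Return the host part of 'ip:port' or '[ipv6%zone]:port'."""
    host = endpoint.rpartition(":")[0]
    return host.strip("[]").split("%")[0]


def egress_report(netstat_text, adapters, excluded_nets):
    """List (remote_ip, adapter, pid, state) for TCP flows to excluded_nets."""
    rows = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have 5 columns; UDP rows have no state column and are skipped.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] == "LISTENING":
            continue
        _, local, remote, state, pid = fields
        try:
            dest = ipaddress.ip_address(host_of(remote))
        except ValueError:
            continue  # unparseable or redacted address
        if any(dest in net for net in excluded_nets):
            adapter = adapters.get(host_of(local), "unknown")
            rows.append((str(dest), adapter, int(pid), state))
    return rows


def still_tunnelled(rows):
    """Flows that should bypass the VPN but are sourced from the tunnel IP."""
    return [r for r in rows if r[1] == "tunnel"]


if __name__ == "__main__":
    for row in egress_report(SAMPLE_NETSTAT, ADAPTERS, EXCLUDED):
        print(row)
```

An empty result from `still_tunnelled` means every matching flow was sourced from a non-tunnel address; a packet capture on the physical adapter remains the confirming check.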