03-12-2020 03:17 PM - edited 03-19-2020 03:17 PM
To all,
Just wanted to post a message about the Hot Topic right now, which is Covid-19.
With all of this going around, everybody's health and safety is the utmost concern. Keeping your hands clean, washing your hands (A LOT), using hand sanitizers, and stop touching your face (I see you doing it now).
One of the things that is happening all over the place is telecommuting. Just like being safe in the real world, a VPN is a necessity when doing your work online. Palo Alto Networks has a couple of products that can help keep you secure online, which are GlobalProtect and Prisma Access.
GlobalProtect is the built-in VPN solution for our Strata (firewall) suite.
Prisma Access is our globally distributed cloud service that can automatically scale when your need increases.
One of the advantages of using Prisma Access is that you do not need to deploy any new hardware to expand your capacity.
For GlobalProtect, our sales staff is available to help with your need for more hardware capacity.
For Prisma Access, we are offering free accelerated deployment and on-boarding of remote users.
Also, for any existing Prisma Access customers, we will be giving additional capacity to address increased usage at no additional cost for 90 days.
This is meant as a reminder for everyone that we have products to keep you secure.
Please send an email if you have any questions about increasing capacity to the following address:
rapid-response@paloaltonetworks.com
More Information:
Palo Alto Networks CEO, Nikesh Arora has put out a blog about this subject here:
Securely Connect and Scale Remote Workforces
For a list of Configuration and Troubleshooting articles, please see the GlobalProtect Resource List here:
GlobalProtect Resource List on Configuring and Troubleshooting
For any questions about licensing, please review GlobalProtect License requirements here:
Please check my Blog about this with more information, links and even videos here:
GlobalProtect and Prisma Access during COVID-19
03-19-2020 12:05 PM
To answer your question about QoS and GlobalProtect.. Yes, you can.
Here is a link to a Learning Happy Hour that talks about Throttling with QoS
The only note that I can help add about GP and QoS is:
When an interface that is part of an existing QoS configuration is later configured to be part of a tunnel configuration (IPSec, GlobalProtect, etc.), the Palo Alto Networks device expects QoS to be applied to the tunnel traffic. Apply the default/custom QoS profile to the tunnel traffic.
I hope this helps.
03-23-2020 08:18 AM
Just wanted everyone to know that we have created a brand new area on the LIVEcommunity, it is the Covid-19 Response Center.
It is hard to miss it once you are on the LIVEcommunity, just look at the top Navigation, and you will see "COVID-19 Response Center" or you can click here:
https://live.paloaltonetworks.com/t5/COVID-19-Response-Center/ct-p/COVID-19_Response_Center
We have worked hard to combine a lot of great resources to help answer your common GlobalProtect and Prisma Access questions.
Be sure to check it out if you haven't already.
03-26-2020 05:01 AM
Hi Team,
Can we achieve remote VPN load balancing while using GlobalProtect on Palo Alto? If yes, can we add firewalls in a cluster to increase support for increased users? How can we do this between firewalls at different sites?
03-26-2020 09:57 AM
Please allow me to respond..
1. HA is for redundancy, not for adding capacity.
2. In a Single Gateway instance, there is no balancing of the GP traffic. As one client will connect to a gateway.
Taking that a step further, you can set up multiple gateways. When the client connects to the one portal and downloads the list of gateways, the client then connects to the gateway that responds the fastest. So sort of load balancing depending on load and response time.
03-27-2020 04:49 AM
I appreciate what you guys are doing here, just took me a while to find it.
One issue that we are running into is that once we get connected with GP, our O365 apps like Outlook, will say there is no network connection if you try to use it right away. If you take your time to start Outlook there is no problem. So we tracked it down to MS NLA not checking the internet connection fast enough. What can we do to resolve this issue?
Thanks again for your team in this challenging time.
04-01-2020 01:53 PM
@BruceBennett Thanks for the kind words, we are really trying to help as many people as we can.
As far as the issue you are asking about.. I know that our support group has more info about similar issues, so for that I would recommend opening a support case and seeing if they can help.
04-01-2020 02:53 PM
@jdelio Thanks for your response.
Unfortunately, we have "Premium Partner Support" and I cannot convince them that this needs to be pushed up to PAN Support. They are convinced this is a Microsoft issue. So we opened a case with Microsoft and they are sure it is not their problem. We are stuck between two stubborn support teams at this point. We will get there, just slower than we wanted.
04-05-2020 12:01 PM
Hi!
I enabled a trial license for the GlobalProtect gateway license and followed the link below to try to allow Zoom traffic to go out via the physical adapter in GlobalProtect client 5.1.0. PANFW firmware is 8.1.12. It does seem to be working. Does it require a portal license in addition to the gateway subscription? If not, how to prove it is working? Our tracert zoom.us from the GP client (full tunnel mode) still goes out the tunnel (we did restart GP services/reboot the client Windows OS).
Any suggestion is appreciated
04-06-2020 12:18 PM
If you have followed the document properly, then this should be working for you.
If this isn't then I would recommend ensuring that your dynamic updates are up to date, as well as on a schedule to stay up to date.
If this isn't working after updates, then I suggest posting a new thread to the GlobalProtect discussion forum https://live.paloaltonetworks.com/t5/GlobalProtect-Discussions/bd-p/GlobalProtect_Discussions
with more details, or opening a case with support (last resort because of how busy TAC is right now.)
04-06-2020 12:47 PM
Thank you Joe. Update is current. We have opened a ticket with TAC.
Daniel
04-06-2020 09:56 PM - edited 04-06-2020 09:59 PM
Hi @BruceBennett & @Daniel_Li ,
I have recently written the following document for split tunneling Office 365 applications based on recommendations from Microsoft:
In case you still run into any issues with app- and domain-based split tunnel, the following document will help you troubleshoot:
Feel free to open a TAC case if you still encounter issues.
Thanks,
Nehal
04-07-2020 06:12 AM - edited 04-07-2020 06:26 AM
Hi @nnaik
Your articles are great! They will be very useful for our split tunnels.
I was also able to modify the PS a little and pull the ExpressRoute addresses too. That is something that I have needed to be able to do in the past, but was not able to find. (edit: I was wrong, I was not getting the ExpressRoute addresses, I will have to keep working on that.)
That only leaves my issue with MS Network Location Awareness.
Again, thank you very much!
04-07-2020 09:43 AM
Thank you Nehal for the useful link for troubleshooting.
I tried netstat -anob on Windows 10. It does not display adapter info for a connection, which shows the connection to the Zoom IP exiting at the physical adapter. Pcap will show the info.
C:\WINDOWS\system32>netstat -anob | findstr 52 (52.202 is zoom.us IP)
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1752
TCP GP IP.3:30390 52.202.62.232:443 CLOSE_WAIT 10596
TCP GP IP.3:31060 52.96.50.98:443 ESTABLISHED 2124
TCP GP IP.3:32232 52.96.50.130:443 ESTABLISHED 2124
TCP GP IP.3:32324 52.114.128.70:443 TIME_WAIT 0
TCP 127.0.0.1:1521 127.0.0.1:1522 ESTABLISHED 10436
TCP 127.0.0.1:1522 127.0.0.1:1521 ESTABLISHED 10436
TCP 192.168.0.17:3429 66.199.36.52:443 ESTABLISHED 7984
TCP 192.168.0.17:49420 52.177.166.224:443 ESTABLISHED 5080
TCP [::]:49666 [::]:0 LISTENING 1752
UDP 0.0.0.0:54908 *:* 2520
UDP 127.0.0.1:52597 *:* 2124
UDP [2607:fea8:329f:e653:e8b2:bccd:6d37:5242]:2177 *:* 2832
UDP [fd00:8494:8cd1:3322:e8b2:bccd:6d37:5242]:2177 *:* 2832
UDP [fe80::e8b2:bccd:6d37:5242%13]:1900 *:* 5988
UDP [fe80::e8b2:bccd:6d37:5242%13]:2177 *:* 2832
UDP [fe80::e8b2:bccd:6d37:5242%13]:59606 *:*
Daniel
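Added example, not part of the original posts: netstat prints no adapter column, but the local address of each row belongs to exactly one adapter, so a small parser can label every connection and flag traffic to a split-tunnel exclusion that still leaves through the GlobalProtect adapter. The sample rows are constructed from the output above; 10.10.10.3 (standing in for the redacted GP address), the adapter names and the function names are assumptions.

```python
import ipaddress

# Constructed sample modelled on the netstat output in the post above.
# 10.10.10.3 stands in for the redacted GlobalProtect address (assumption).
SAMPLE = """\
  TCP    0.0.0.0:49666        0.0.0.0:0             LISTENING      1752
  TCP    10.10.10.3:30390     52.202.62.232:443     CLOSE_WAIT     10596
  TCP    10.10.10.3:31060     52.96.50.98:443       ESTABLISHED    2124
  TCP    192.168.0.17:49420   52.177.166.224:443    ESTABLISHED    5080
  TCP    [::]:49666           [::]:0                LISTENING      1752
  UDP    0.0.0.0:54908        *:*                                  2520
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr%zone]:port' into (address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]").split("%")[0]), int(port)

def parse_netstat(text):
    """Yield TCP rows that have a real remote peer (listeners are skipped)."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP":
            continue  # UDP rows, headers and the [process.exe] lines from -b
        (local, _), (remote, rport) = split_endpoint(f[1]), split_endpoint(f[2])
        if not remote.is_unspecified:
            yield {"local": local, "remote": remote, "rport": rport,
                   "state": f[3], "pid": int(f[4])}

def classify(text, adapters, excluded):
    """Tag each connection with the adapter owning its local address and
    whether its remote address falls in a split-tunnel exclusion prefix."""
    owner = {ipaddress.ip_address(ip): name for name, ip in adapters.items()}
    nets = [ipaddress.ip_network(n) for n in excluded]
    rows = []
    for conn in parse_netstat(text):
        conn["adapter"] = owner.get(conn["local"], "unknown")
        conn["excluded"] = any(conn["remote"] in n for n in nets)
        rows.append(conn)
    return rows

def still_tunnelled(rows, tunnel_adapter):
    """Connections to excluded destinations that still leave via the tunnel."""
    return [r for r in rows if r["excluded"] and r["adapter"] == tunnel_adapter]

if __name__ == "__main__":
    # Adapter addresses come from ipconfig; the names here are assumptions.
    adapters = {"GlobalProtect": "10.10.10.3", "Ethernet": "192.168.0.17"}
    rows = classify(SAMPLE, adapters, ["52.202.62.232/32"])
    for r in rows:
        print(r["adapter"], r["remote"], r["state"], r["pid"], r["excluded"])
    print("still tunnelled:", [str(r["remote"]) for r in still_tunnelled(rows, "GlobalProtect")])
```

Old CLOSE_WAIT or TIME_WAIT rows may predate a configuration change, so reconnect the client and open a fresh session before reading the result.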