We have 1 PA-500 which we recently upgraded from 4.0.5 to 4.1.4.
On 4.0.5 we used the NetConnect client for several users without any problem.
Now that we have upgraded to 4.1.4, we need to use the GlobalConnect client.
So I downloaded and activated the 1.1.4 client.
I thought it should offer an upgrade when you connect with an old client, so I started my NetConnect client and tried to connect. It failed to connect.
So I upgraded the client manually and inserted my user/password and the portal.
Connection still fails with the error: Portal Error.
When I open the traffic log I see incoming connections from the Public IP.
Firstly, since you upgraded the code from 4.0.x to 4.1.5, GlobalProtect needs to be used, as it has replaced SSL VPN.
Second, you cannot connect via the old client (NetConnect).
While installing the new one, you will be prompted for the uninstall. Please do so.
Also, to check through your configuration in GlobalProtect, I would like you to go through the following document on the GlobalProtect configuration for users upgrading from NetConnect.
The Portal Error that you are getting is related to the certificates. Please validate the configuration/migration path from the above document.
The upgrade wasn't suggested because at that point the firewall was already upgraded to 4.1.4 (not 4.1.5, my mistake) and the VPN wasn't working properly.
I did some more tests and I can't figure out how I was ever connected, as the logs only report errors.
The main error is that it could not connect to the portal.
Will read the docs and keep you posted.
I haven't changed anything.
Right now I see errors coming in that the username or password is incorrect.
User is not in allowlist for <IP address>
Verified the username and password and they are correct.
Can't find anything about allowing users from a certain IP address.
The Authentication profile is set to allow users that are members of a certain Active Directory group.
When I try to use the GlobalConnect with a username that is not allowed, I will get the same error message.
Are you using LDAP to pull user groups? Getting the error "User is not in allowlist for <IP address>" indicates an issue with the LDAP configuration. Can you verify if you have your base DN and bind DN configured correctly?
We use RADIUS for the authentication from Active Directory.
If I start typing, it will find all AD groups, so RADIUS is working properly.
When I allow 'all' then I'm able to connect, but it failed to get past the discovering network.
Check "Network->Zones->Enable User Identification" - after my upgrade from 4.0.7 to 4.1.4 it was disabled by itself.
Maybe that will help. Regards...
User identification is still enabled.
But even if the authentication is working, it wouldn't get past the discover network part. Cannot figure out why, because nothing has been changed on the network.
What are the certificates you have in place for GlobalProtect? If you have a root cert, do you have it installed on your PC?