Traffic from GlobalProtect stop working after upgrade from 8.1.11

L1 Bithead


Hi,

I have two Palo Alto 3020s in an active-passive cluster. PAN-OS 8.1.11 is installed on both. Everything works correctly: internal traffic, traffic from the GP client, VPN tunnels. GP clients connect and send HIPs, the Palo receives these HIPs, and traffic passes through according to the rules.

The problem is that when I updated one cluster node from version 8.1.11 to 8.1.12 (but I checked 8.1.13 and 9.0.8 also) and switched the active node to this one, with the newer software, traffic from the GP client is not passing through.
The GP client connects and sends HIPs, the Palo receives these HIPs, but GP traffic does not pass. And there are no traffic logs from GP clients.

The update passed without errors and internal traffic works correctly. Everything except GP traffic.
Does anybody have suggestions what could be the problem?



Greetings
Jacek



Accepted Solutions
L1 Bithead

Hi guys,


Problem solved.

I had to change two things. First, as described in this article https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id/map-users-to-groups.html, I had to add Alternate Username 1: userPrincipalName (in my old settings this field was empty).

And secondly, I needed to change Authentication Profile.

Type: LDAP

Login Attribute: userPrincipalName

User domain: dom (lower case, pre-Win2000 format) (was domain.local)

Username Modifier: %USERINPUT% (was %USERINPUT%@%USERDOMAIN%)


Thank you for your help.

Greetings

Jacek


All Replies
L4 Transporter

Hello @Jacek_Loszewski

Check for the user names listed in the logs (compare it with the ones from the working PAN). If the user name (format) is not different, then you need to adjust the authentication profile.

L1 Bithead

@JoergSchuetter, thank you for your reply. You were right. There is a problem with the format of the user names.
domain: acme.local - UPN: user@acme.local

Domain name (pre-Win2000) is: Dom, so the sAMAccountName format is: Dom\user

When the active node is the one with older software, in the HIP log we have the user name in sAMAccountName format; everything works fine.
When we switch the active node (to the one with newer software) and make a GP connection, we have something like this: acme.local\user
And that's why traffic is not passing through the policy rules. So, as you say, we need to adjust the authentication profile.

I don't know how yet, but I hope it will work soon.

Greetings

Jacek

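The mismatch Jacek describes above (a rule written for Dom\user no longer matching a session logged as acme.local\user), as an added example that is not code from this thread or from Palo Alto Networks. It models the %USERINPUT%/%USERDOMAIN% expansion of a Username Modifier and a format-insensitive comparison a defender can run over logged names; the FQDN-to-NetBIOS map and the sample names are constructed.

```python
"""Added example, not from the thread or Palo Alto Networks.

Shows why "acme.local\\user" fails an exact match against "Dom\\user" although
both name the same account, and how to tell such format mismatches apart from
genuinely unknown users. The domain map and sample names are constructed.
"""

# Constructed: FQDN -> pre-Windows-2000 (NetBIOS) domain name, as in the thread
NETBIOS_BY_FQDN = {"acme.local": "dom"}


def apply_modifier(modifier, user_input, user_domain):
    """Expand the %USERINPUT% / %USERDOMAIN% variables used by the profiles in the thread."""
    return modifier.replace("%USERINPUT%", user_input).replace("%USERDOMAIN%", user_domain)


def canonical(username):
    """Reduce DOMAIN\\user, user@fqdn and fqdn\\user to lowercase netbios\\user."""
    if "@" in username:                      # UPN form: user@acme.local
        user, _, dom = username.rpartition("@")
    elif "\\" in username:                   # down-level form: Dom\user or acme.local\user
        dom, _, user = username.partition("\\")
    else:                                    # bare name without a domain part
        return username.lower()
    dom = dom.lower()
    return f"{NETBIOS_BY_FQDN.get(dom, dom)}\\{user.lower()}"


def strict_match(log_user, rule_user):
    """Exact string comparison: the behaviour that breaks after the upgrade."""
    return log_user == rule_user


def same_identity(log_user, rule_user):
    """Format-insensitive comparison used to diagnose a mismatch."""
    return canonical(log_user) == canonical(rule_user)


def format_mismatches(log_users, rule_users):
    """Logged names that match no rule literally but do match one identity.

    Such names point at the auth profile (login attribute / username modifier),
    not at unknown or unauthorised users.
    """
    out = []
    for lu in log_users:
        literal = any(strict_match(lu, ru) for ru in rule_users)
        identity = any(same_identity(lu, ru) for ru in rule_users)
        if identity and not literal:
            out.append(lu)
    return out
```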

L4 Transporter

Hello @Jacek_Loszewski

I have set the following on my authentication profile (Kerberos):

Realm: ACME.LOCAL (all in capital letters)

User Domain: dom (we have all in lower case, not sure if Dom would also work)

Username Modifier: %USERINPUT%@ACME.LOCAL


Joerg
