I have two PaloAlto 3020 in an active-passive cluster. PanOS 8.1.11 is installed on both. Everything works correctly: internal traffic, traffic from GP Client, vpn tunnels. GP clients connect, send HIPs, Palo receives these HIPs, traffic is passing through according to rules.
The problem is that when I updated one cluster node from version 8.1.11 to 8.1.12 (but checked 8.1.13, and 9.0.8 also) and switched the active node to this one, using newer software, traffic from the GP client is not passing through.
The GP client connects, sends HIPs, Palo receives these HIPs, but GP traffic does not pass. And there are no traffic logs from GP clients.
The update passed without errors and internal traffic works correctly. Everything except GP traffic.
Does anybody have suggestions what could be the problem?
Check for the user names listed in the logs (compare it with the ones from the working PAN). If the user name (format) is not different, then you need to adjust the authentication profile.
@JoergSchuetter - thank you for your reply. You were right. There is a problem with the format of the user names.
domain: acme.local - UPN: email@example.com
domain name (pre-win2000) is: Dom, so sAMAccountName format is: Dom\user
When the active node is the one with older software, in the HIP log we have the user name in sAMAccountName format - everything works fine.
When we switch the active node (to the one with newer software) and make a GP connection we have something like this: acme.local\user
And that's why traffic is not passing through the policy rules. So, as you say, we need to adjust the authentication profile.
I don't know how yet, but I hope it will work soon.
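An added example, not part of the original thread: a small Python check that compares user names exported from the logs of each cluster node and reports accounts whose logged format changed (for instance `Dom\user` becoming `acme.local\user`). The function names, the domain map and the sample name lists are constructed for illustration; only `Dom`, `acme.local` and `user` come from the thread.

```python
# Added example: detect user-name format drift between two firewall nodes.
# Input is a plain list of user names copied from each node's logs (constructed here).

# Assumption: NetBIOS (pre-Windows 2000) domain name -> DNS domain name, from the thread.
DOMAIN_MAP = {"dom": "acme.local"}


def classify(name):
    """Return (format, domain, user) for a user name as it appears in a log."""
    if "\\" in name:
        domain, user = name.split("\\", 1)
        fmt = "dns-domain\\user" if "." in domain else "netbios\\user"
        return fmt, domain.lower(), user.lower()
    if "@" in name:
        user, domain = name.rsplit("@", 1)
        return "upn", domain.lower(), user.lower()
    return "bare", "", name.lower()


def same_account(a, b, domain_map=DOMAIN_MAP):
    """True when two differently formatted names refer to the same directory account."""
    _, dom_a, user_a = classify(a)
    _, dom_b, user_b = classify(b)
    # Resolve NetBIOS names to their DNS domain before comparing.
    dom_a = domain_map.get(dom_a, dom_a)
    dom_b = domain_map.get(dom_b, dom_b)
    return user_a == user_b and dom_a == dom_b


def format_drift(old_node_names, new_node_names):
    """List accounts that both nodes logged, but in different name formats."""
    drift = []
    for new in new_node_names:
        for old in old_node_names:
            if same_account(old, new) and classify(old)[0] != classify(new)[0]:
                drift.append((old, new, classify(old)[0], classify(new)[0]))
    return drift


if __name__ == "__main__":
    # Constructed sample names; "alice" is hypothetical.
    old_node = ["Dom\\user", "Dom\\alice"]
    new_node = ["acme.local\\user", "acme.local\\alice"]
    for old, new, f_old, f_new in format_drift(old_node, new_node):
        print(f"{old} ({f_old}) -> {new} ({f_new}): user-based rules may no longer match")
```

Any row in the output means rules or group mappings written against the old format need to be checked against the name the newer node logs.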