What do I change in 'service route configuration' to use Kerberos for Global Protect?


L4 Transporter

Hello all,

I use Kerberos auth for Global Protect on PANOS-4.1.x.

Remote users fail auth for the GP connection; it shows 'invalid username'.

So I want to collect a PCAP on the Kerberos server and the PA device.

I know that the PA uses the mgmt interface to communicate with Kerberos.

I want to change the interface from mgmt in order to collect the PCAP.

What do I change in 'service route configuration'?

Thanks

Accepted Solutions

L5 Sessionator

The protocols that you can't select from the left side of Service Route Configuration should be controlled by the right side.

You can't choose the source port for Kerberos on the left side.

Regards,

Hello emr,

You have assisted with my question again.

Thank you for always helping me.

I have one more question.

If I install both sides (left and right) in service route configuration, does the device process the left side rather than the right side, or does it process the right side rather than the left side?

Regards,

According to my test result, if I configure both left and right for panupdates, it couldn't reach updates.paloaltonetworks.com.

I think you should not configure both.

Regards,

Dear Cheon,

Since you cannot choose a service or application for routes on the right side: it is for all traffic!

And it will overrule all settings set on the left.

Ex.: the DNS server and the Kerberos server are the same server

LEFT SIDE:

Service: DNS

Source Address: MGT

RIGHT SIDE:

Destination: IP of your Kerberos server

Source Address: IP of your internal interface

=> DNS traffic will NOT use the MGT interface, but hit the right side route rules and use your internal interface as source...

But I guess since it's going to the same server you would probably want to use the same source address, but you never know: something to keep in mind....

Regards,
