GlobalProtect Discussions
GlobalProtect discussions offers topics about our network security for endpoints that protects your organization's mobile workforce. This area is dedicated to GlobalProtect discussions to help you answer questions.
About GlobalProtect Discussions
Welcome to the GlobalProtect discussion area! Here, you can engage in conversations about GlobalProtect, explore new insights, and stay updated on ongoing discussions. Check back regularly for the latest updates and community insights on GlobalProtect.

Discussions

Resolved! Using corporate wildcard certificate for Global Protect

To get up and running with GP I set things up with a locally generated root cert on the PAN and then generated a server cert tied to the root cert. The server certificate used the IP address of the outside interface as the Common Name. Then I created an SSL profile which pointed to the server certificate. Everything works well although it has...

Global Protect Client IP Range not able to get to internal resources

Hi All, I recently configured an HA pair of 3220s for Global Protect. I have the firewalls handing out IPs from the 192.168.124.0/22 network. The clients can connect and get the correct IPs but are not able to reach internal resources. This same IP range had been set up on a pair of 5250s and I believe I had everything set up for this to work on th...

Global Protect Failing to Work on Xfinity Networks with PopOS 20.04

Hi there, I'm hoping to get some troubleshooting advice by the experts here. I'm using GlobalProtect 5.2.4 with a Linux laptop running PopOS 20.04. At home I don't have issues connecting on a Verizon FIOS network, but when I visit family members (who all each have Xfinity) I haven't been able to get it all working. I can log in with the SSO GUI...

Global Protect - Internal Detect - WIFI/LAN

Hello, I am testing our rollout of mobile user VPN with pre-logon and always on. Currently we are on-prem with on-demand, so it's a complete change in user experience, but with one of our test users we found today when they are at home using they are using a device that displays company wifi so they connect to this and they are detected as internal whic...

GlobalProtect cert auth alternative

Hi all, We are using Cert authentication for identity check and make sure the device connected to GlobalProtect is a domain joined device. We are having issues with GlobalProtect Cert authentication when users are travelling and connecting to a captive portal, where some captive portals represent their cert to the FW portal (man in the middle). This ...

Globalprotect Azure MFA in PA-220

Hello all, I'm just new here and would like to know if Azure MFA will work in PA-220 firewall or is there any restrictions with the said firewall? We are looking to provide solution to enable Azure MFA when using GlobalProtect on a PA-220 firewall. Cheers, Mark

mrosales by L0 Member
  • 2249 Views
  • 1 replies
  • 0 Likes

easiest way to move users to 2nd gateway for maintenance on 1st

We have an Azure implementation of Palo Alto/GlobalProtect. We use an Azure LoadBalancer point to 2 Palo Alto firewalls for GP portal connectivity. Then based on the received config we send the user to the direct interface address of one of the 2 firewalls for gateway connectivity. No HA, no failover. What would be the easiest way to have users con...

GlobalProtect depends on ISP

Hello all, I have a problem that has no sense for me. A customer of us has problems with speed when they used his mobile phone as Personal Hotspot, all his employees uses same mobile phone model & ISP, and also same GlobalProtect version (5.2.2). When they're connected through their mobile phone & GP they have 35.4 Mb/s download but 0.0...

BigPalo by L4 Transporter
  • 2256 Views
  • 1 replies
  • 0 Likes

Lost Sign-In Options on Logon screen

Hi, I've logged onto my machine (logon screen shows GlobalProtect Status - Connected), using GlobalProtect 5.2.5 client with machine based authentication in a virtual machine. The certificate is present on the machine and everything appears to be working ok. If I then log off and go back to the logon screen, the Sign-in options have disappeared ...

borito78 by L0 Member
  • 2492 Views
  • 0 replies
  • 0 Likes

GP 5.2.4 upgrade

Dears, I am planning to upgrade the GlobalProtect version from 5.1.7 to 5.2.4. Do I need to push or reinstall SSL / TLS certificate when I am upgrading to GP 5.2.4? Also I am planning to push the GP software (*.msi files) from an SCCM server. May I know is this the best method. And any best practices available while pushing the GP client from ...

GlobalProtect Pre-Login with SAML + Azure MFA re-authentication issues

We currently have GlobalProtect deployed utilizing a combination of certificates (for pre-login) and SSO + SAML (to Azure AD) for user authentication. The SAML portion redirects the users to the Microsoft MFA portal for 6 digit authentication when they log in. This is working pretty much flawlessly. The issue comes into play when a use...

Global Protect gateway isolation based on LAN checks

Dear all, Please see the design below, the idea is testing against IPs 172.16.158.1 (IPs of VLAN 161) using path monitoring + static route. Can we add a path monitoring to an internal static route, that internal route monitoring reachability of 172.16.158.1 using as a source Interface a newly created loopback that we could associate with the ...


GP traffic black holing / redundancy

Dear all, One of my clients is currently facing the below issue: "We have faced some traffic black hole situations with Global Protect users when we are losing internal connectivity in a GP gateway. When firewall can no longer reach the LAN / internal connection because cable has been disconnected from TRUST interface or LAN, our WAN connectivit...


Found VAPT vulnerabilities points for SSLVPN URL.

We have done the VAPT on our environment and found the vulnerabilities for the SSLVPN URL which we use. We had mitigated the maximum points but five points are remaining. So need help on that. 1. Password sent in Clear Text - CWE-319. Some applications transmit passwords over unencrypted connections, making them vulnerable to interception. To ex...


Global Protect user-pre-logon from Windows domain login first time user

I'm having an issue finding an all inclusive document that can help me validate my GP portal and gw config to allow new users who receive a domain joined laptop be able to log into the domain on receipt of the laptop. Current gw is pre-login with on-demand. All laptops have machine cert installed from our domain. For purposes of the test I have a new ...
