About santonic

Hello. We're having problems with user mapping for GlobalProtect users. In this case there are 2 users connected to PA device, yet mapping isn't working for either of them: (IPs and names deleted from output) astec@fw1(active)> show global-protect-gateway current-user GlobalProtect Gateway: vpn.xyz.si (2 users) Tunnel Name          : vpn.xyz.si-N         Domain-User Name          : :user1         Computer                  :         Client                    : Microsoft Windows 7 Professional, 32-bit         Private IP                :         Public IP                 :         ESP                       : exist         SSL                       : none         Login Time                : Jan.18 14:16:52         Logout/Expiration         : Jan.19 14:16:52         TTL                       : 82156         Inactivity TTL            : 2956         Domain-User Name          : :user2         Computer                  :         Client                    : Microsoft Windows 7 Enterprise Edition Service Pack 1, 32-bit         Private IP                :         Public IP                 :         ESP                       : exist         SSL                       : none         Login Time                : Jan.18 14:32:23         Logout/Expiration         : Jan.19 14:32:23         TTL                       : 83088         Inactivity TTL            : 3949 astec@fw1(active)> astec@fw1(active)> show user ip-user-mapping all type GP IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s) --------------- ------ ------- -------------------------------- -------------- ------------- Total: 0 users astec@fw1(active)> We have "Enable User Identification" enabled on both security zones: the one from where GP connections are originating (internet) and the one which is used for GP tunnel (vpn-clients). Pan-OS version is 5.0.1, we're also using (agent-less) AD user mapping which is working fine. On the above output I notice that tunnel name is vpn.xyz.si-N while we're using tunnel interface tunnel.1 in our configuration. I can't find vpn.xyz.si-N tunnel listed under tunnel interfaces so I don't think it's associated with any security zone. Can you please help us resolving this issue? Can you provide some info where did this new tunnel vpn.xyz.si-N come from? Thanx! Best regards, Simon ... View more

hi! I was wondering if a PAN firewall performs Duplicate Address Detection (DAD) by sending ARP Request packets for IP addresses on an interface once it is connected to a switch? does it do it only for the primary address on an interface or does it do it for all the IP addresses that are configured as aliases on an interface? we have noticed that if we replace a malfunctioning firewall with an on-site spare unit, that has the exact same configuration but a different MAC address on the internet interface, we are unable to use all the addresses that are configured as aliases on that interface. once the ARP cache on the provider router times out (by default on a Cisco device it takes 4 hours) and the binding between MAC and IP addresses is refreshed, all the connectivity problems are resolved. cheers, Andrej ... View more

hi! I was wondering if public key signatures (RSA signatures, DSS signatures, ...) are supported for authentication in IPSec VPN with PAN and if there are any plans to implement it? cheers, Andrej ... View more

hi! I was wondering if anyone has any experience building distributed firewall clusters (geoclusters) using PAN firewalls? we would like to use them as perimeter firewalls on two geographically separated locations and build a logical data center that would span over both so that we would be able to move virtual servers from one location to the other without changing their IP addresses (thus we would need L2 connectivity between both sites). we are planning to run BGP on both firewalls so we would be able to use the PI address space and provide fault tolerance for inbound connections. any special design considerations? cheers, Andrej ... View more