About santonic

Ty for the info. ... View more

That's all normal. That doesn't indicate any errors. ... View more

TCP-FIN is a normal way to end a TCP session and doesn't indicate an error. Aged-out is as normal way for UDP session to end. But make sure packets are flowing in both way in this case, check sent/received packets count. ... View more

Absolutelly.  But i've had a scenario where the customer couldn't force all clients to use GP client yet it wanted the website to be seen by many. So we researched this CP idea from outside. But in the end they didn't implement it for above reasons. ... View more

If there aren't many users I'd always go with GP client. There you can set any authentication you want, as strict as you want. ... View more

PA could only allow traffic based on IP addresses, ports and user information. You can't make rules and allow traffic based on session cookies.    Another potential issue; for CP to work on outside interface you'll have to enable User-ID on the security zone for that interface. If you have WMI queries enabled UID agent will try to send queries to any public address that tries to authenticate. So make sure you either have this disabled or to have this traffic blocked. Otherwise you're leaking information about your network and domain.     ... View more

Definitelly a mistake. This would make firewall practically useless for VPNs. ... View more

    Got it working after posting, sorry.  ... View more

Whole networks have survived many years without (modern) firewalls and other security devices. But times and landscape are changing rapidly with many new threats emerging. So now we all agree that (NG)FW is a must. I'd say it will be similar with cloud adoption. ... View more

What about API and (dynamic) address groups?   On some server make a script that daily (hourly) gets a list of IP addresses, parses it and then adds them to the correct group via API on firewall. Minemeld would work too, but I'd say for this situation a simple script and few API calls are quicker solution. ... View more

Did you try only static route and only adding inbound NAT rule seperately? I'm curious what really was the original cause of issues. ... View more

@ebonjour wrote:     1. ==> There is a global timeout for global-protect process which is 25 seconds by default. It must be the same as or greater than the total time that any server profile allows for connection attempts. The total time in a server profile is the timeout value multiplied by the number of retries and the number of servers. For example, if a RADIUS server profile specifies a 3-second timeout, 3 retries, and 2 servers, the total time that the profile allows for connection attempts is 18 seconds (3 x 3 x 2).   This is just not acceptable when using two factor authentication. You can adjust via CLI with "set deviceconfig setting global-protect timeout  <range is 3-150 sec>", it is not in any GUI.   I also have no idea how this may work with multiple GP gateways... as the whole retry for that is insane.       This is useful info, thanks for sharing! I was wondering on one occasion why 2nd server in auth profile was never queried when 1st was't working. It was LDAP auth in my case but i'd say the logic is the same.     ... View more

I would definitelly first check logs (and make sure you log everything). If you can't find packet in logs then i would say PA isn't doing proxy ARP for static NAT rules. ... View more

Assuming you log everything; untill you don't see a packet arriving from their side it means they are not sending it correctly. You can also try sending traffic towards them. ... View more