About OwenFuller

@Rajendranahak I think the solution @RamprakashRT is probably the easiest.  My organization currently runs multiple portals (one has pre-logon, and the other doesn't) on different IP addresses to meet this need.  I will also throw out that starting in GlobalProtect 5.2, it is possible to do user logon to GlobalProtect before doing Windows logon.  Palo Alto was calling this Connect Before Logon (CBL) in the beta testing.  I'm not sure what your use case is for needing pre-logon.  If you're needing the ability for a machine to be connected in order to run GPOs or login scripts, then this might be a viable option that lets you get away from the pre-logon user.  From my own testing, the feature works well, but as 5.2 just went General Availability, I'm not sure whether the steps to configure it have made it into the documentation yet. ... View more

Yes, we have gotten ours up to A- by running the following commands on our firewalls in config mode (substitute your profile names as appropriate): set shared ssl-tls-service-profile GlobalProtect protocol-settings auth-algo-sha1 no set shared ssl-tls-service-profile GlobalProtect protocol-settings keyxchg-algo-rsa no Source:    https://www.reddit.com/r/paloaltonetworks/comments/hexquf/global_protect_and_cipher_suites/ ... View more

I might be misunderstanding what your issue is, but I'll give it a try.  In your portal configuration, do you have a anything configured under Authentication > Certificate Profile?  This will cause the portal to prompt you for a client certificate.  The certificate profile needs to be configured with the CA cert and key that signed your client certs in order to match it, and allow access to the portal.  If that's not what you're experiencing, please elaborate or provide screenshots. ... View more

You need to enable User-ID redistribution. https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/deploy-user-id-in-a-large-scale-network/redistribute-user-mappings-and-authentication-timestamps/configure-user-id-redistribution https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/panorama-overview/user-id-redistribution-using-panorama ... View more

If I'm understanding what you are trying to do, you are trying to connect from your office computer to your home computer with RDP?  Your home computer is likely not using a publicly routable IP address.  Instead, it's probably using an address reserved for use on private networks such as 192.168.x.x or 10.x.x.x.  You cannot find these on the Internet.  They are only for use on internal networks.  If this is the case, your router has a public IP address on the connection to your ISP, but hides all the private addresses on the inside using network address translation (NAT).  In order to access the computer inside your network, you would have to enable port-forwarding on the router.  The steps for doing this vary from one manufacturer to another, and if you are not very technical, you should probably have someone who is help you set this up.  Alternatively, you might consider a product like TeamViewer.  However, both of these are outside the scope of this forum.  You will not be able to use GlobalProtect to connect to your home network, unless you're running a Palo Alto firewall. ... View more

This should be possible. First, enable group mapping using the documentation @domari mentioned.  Make sure you add the included groups to the group mapping profile in distinguished name format (e.g. cn=groupe1,ou=myou,o=mydomain,o=local) in lower case.  I have seen them fail time and time again if you use uppercase letters, or enter them in mydomain\somename format.  Verify that your firewall is seeing the groups, and members using the steps here:  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVcCAK   In you have a client IP pool listed under your-GP-gateway > Agent > Client IP pool, then these IPs will apply to all gateway users.  You will need to delete this in order to enable separate pools for different groups. Under your-GP-gateway > Client Settings, create a config for Groupe1.  Under Source User, add Groupe1 once again using the distinguished name in lowercase (e.g. cn=groupe1,ou=myou,o=mydomain,o=local).  Go to the IP Pools tab, and add your pool for Groupe1 users.  Under Split Tunnel, add the included subnets you want to allow to be accessed over the VPN.  Configure any other settings in the client config you need.  Repeat the process for Groupe2 users. You will also need Security Policies which will allow access.  You can use the same groups for source users in those policies as well. ... View more

In my experience, policy optimizer is incredibly buggy, and the data isn't completely trustworthy.  This seems to be one of those bugs.  I was looking back on some internal notes from when I ran into this a few months ago.  I found something else that makes this even more odd.  When you run the clear policy-app-usage-data ruleuuid command in the firewall CLI, you get the error message, and the total apps displayed in the Apps Seen column doesn't change.  However, the detailed list of apps does seem to get flushed.  It's deceiving, but if you're trying to see which apps have hit the rule since it was last cleared, it still might be somewhat useful.  It's frustrating though. Before: Before clearing usage data   After: After clearing usage data ... View more

Have you tried uninstalling the client, rebooting, and re-installing?  I believe that was another solution that worked for us.  The problem only seemed to affect clients upgraded from 5.0, not clean installs. ... View more

I think the closest you will get is doing the cookies with the auto-reconnect option. I believe this should still work just fine. It’s not going to do quite what you want in terms of a specific message, but it should still pop up the GP window from the system tray as it tries to reestablish the connection. Beyond that, you might be right to go the feature request route.  ... View more

If you have a large number of rules, and want to save a lot of time over copying them individually in the GUI, it can be useful to export the list of rules from Panorma as a CSV and include the rule UUID column.  You can then use a text editor like Notepad++ to prepend clear policy-app-usage-data ruleuuid to each entry, and paste the whole thing into your firewall's CLI.  You'll want to run this command before pasting: set cli scripting-mode on   ... View more