About OwenFuller

Very helpful. Thanks! ... View more

Check to see which certificate profile is listed under Templates > Network > GlobalProtect > Gateways > your-gateway > Authentication > Server Authentication Find this profile under Templates > Device > Certificate Management > SSL/TLS Service Profile and take note of which certificate is used. Find this certificate under Templates > Device > Certificate Management > Certificates Check that CN of the subject matches the gateway address specified in the portal configuration under Templates > Network > GlobalProtect > Portals > your-portal > Agent > your-agent-config > External (or Internal) > External Gateways Check that today's date does not fall outside the Not Valid Before/After dates (also check that system time on the GP client machine is correct. If everything looks good, try exporting your logs from the GlobalProtect client, and looking at PanGPS.log for clues. ... View more

It might be a viable idea with DNS... You can even bypass the DNS altogether and produce different blockpages on the webserver itself (diffirentiating users by the source IP) or use a load balancer/ADC for the same very purpose - to direct users to relevant page based on their IP address (= Zone)...  ... View more

I agree with @rmfalconer on the route metric issue. That's why I'm thinking ECMP with the symmetrical return option might be your best bet. I've not tried this with multiple VRs in the setup you have described. You could try it though, and if necessary, move all three ISPs to the same VR. ... View more

Assuming this diagram matches what you are trying to do, you'll want to apply a source NAT policy for the tunnel traffic on the remote firewall, so that their traffic appears to come from a network other than 192.168.1.0/24. If the servers on the local network don't need to know the individual client IP of the source traffic, a single address can be used for a many-to-1 source NAT policy policy. Otherwise, if the ability to discern individual source IPs is needed, several 1-to-1 source NATs will be needed (Palo Alto can do this as a pool). In this example I've used 192.168.2.1 (many-to-1) and 182.168.2.0/24 (1-to-1) for the Remote Site source NAT addressing. On the Local Firewall, you'll want to use a 1-to-1 destination NAT policy where the pool of 192.168.5.0/24 addresses translate to 192.168.1.0/24. You can find the details on how to configure these policies here: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat.html   ... View more

Its not completely solved with 5.1.4 or 5.1.6   We discoverd Questionsmarks instead of Chinese Chars in the Username Field after Upgrade from 5.0.3 to 5.1.6   See the post here https://live.paloaltonetworks.com/t5/globalprotect-discussions/again-modified-username-in-gp-client-after-update/m-p/355358#M483   ... View more

I found a reason why anyone might see this registry key change. If I create an agent configuration for prelogon with the pre-logon account, and connection method: pre-logon (Always on). (Quite confusing). And I create another agent configuration for users (any) with the connection method: user-logon (always on).   In this scenario, if you want to enable prelogon to always start, you need to add the registrykey prelogon=1. However I have confirmed when a user logs in, the agent configuration for users will change the registrykey prelogon to 0. ... View more

Hi Dustin - did you ever figure this out? Nick ... View more

Hello, Have you solved this issue with Jabber? I'm currently experiencing the same thing with some calls working fine over GP and then others just ring, but you can leave a voicemail, then other just don't work at all, then all the sudden they can talk. I did make some changes in config to get it to this point, but still not working great. Thanks ... View more

Good Day Blwallace   The only way to install GP with multiple portals is to add a reg key to inside the users hive I used this PS script to install the app using SCCM $Location = (Get-ChildItem -Path C:\Windows\ccmcache -Filter "GlobalProtect64.msi" -Recurse | Select -Last 1 -Property Directory).Directory Set-Location $Location & ".\GlobalProtect64.msi" /q PORTAL="XXX.XXX.XXX.XX" CONNECTMETHOD="on-demand" Start-Sleep -Seconds 15 $User = (Get-WmiObject -Class Win32_ComputerSystem).username $SID = (Get-WmiObject Win32_UserAccount -Filter "Name= '$($user.substring(3))' AND Domain= '$($user.substring(0,2))'").SID New-Item -Path "Registry::HKEY_USERS\$SID\Software\Palo Alto Networks\GlobalProtect\Settings" -Name 'xx.xx.xxx.xxx' -Force New-Item -Path "Registry::HKEY_USERS\$SID\Software\Palo Alto Networks\GlobalProtect\Settings" -Name 'xxx.xxx.xxx.xxx' -Force Start-Sleep -Seconds 10 Get-Service -Name PanGPS | Restart-Service -Force If you dont use SCCM you can skip line 1 and 2  Hope this works out for you Any comment or question please let me know Thanks Regards ... View more

Does the "forbidden" message look like a typical web browser error message, or a Palo Alto block message? Have you checked your logs for any blocks? ... View more

You might want to look at a product like TeamViewer for your purposes, which can allow you to access your home computer from your phone or another computer without needing to open up ports on your firewall. While it's not a Palo Alto solution, I think it fits your use case better. ... View more

to enable certificate authenication all you need to do is just to choose a certificate profile in Portal and/or Gateway - Authentication Tab, settings. and put the "Allow Authentication with User Credentials OR Client Certificate" to NO in Client Authentication entry. the Client Certificate should be installed on local user account. try reinstalling Globalprotect before testing these Config.     ... View more

Yes, the same for me. I just click on the link in the left-hand side bar though, and it takes me right to the details:  GlobalProtect App 5.2 Release Information ... View more

Hi @OwenFuller ,   Yeah , please try and let me know how it went . thanks, Ram ... View more