This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About COlson

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
COlson
‎03-20-2024
since ‎05-10-2019
L2 Linker
User Activity
User Profile
Latest posts by COlson
View All
My Liked Posts
View All
Posts I Liked
View All
User Badges
Community Statistics
Member Since ‎05-10-2019 02:15 PM
Date Last Visited ‎03-20-2024 10:33 AM
Posts 25
Total Likes Received 2

Re: GlobalProtect HIP issues

by in GlobalProtect Discussions
‎06-22-2022 10:42 AM
‎06-22-2022 10:42 AM
Hello,    Turns out there's a key part of using HIP matching that should probably be mentioned first instead of buried deeper in articles; you need to have User-ID enabled on the zone.  Once that was enabled it worked fine.  ... View more

GlobalProtect HIP issues

by in GlobalProtect Discussions
‎06-08-2022 01:33 PM
‎06-08-2022 01:33 PM
Hello,    I am testing out using HIP match for certain traffic but I am running into an issue where traffic continues to be blocked.  I can see the HIP information in the log and firewalls has GP Gateway license.  Originally tried to use HIP for just Anti-Malware 'Is Installed' and has 'Real Time Protection' and the traffic never passed even though in the HIP log I can see both of these being good.  So then I just tried to use host information and host contains "Microsoft" (I am using a Windows 10 machine to test) and again traffic fails despite the HIP log showing the machine is Windows 10.  If I remove the HIP profile from the security policy, the traffic passes without issue.       I have now tested with different categories in the HIP object, testing different client machines to see if something was unusual but it doesn't matter, if the HIP Profile is in use, traffic is blocked.       Is anyone familiar with what might cause the HIP information to match but traffic still not pass as expected?     Thank you.  ... View more

Re: Site to Site VPN failing when IKEv2 and different PANOS

by in General Topics
‎04-23-2022 05:40 PM
‎04-23-2022 05:40 PM
Hi,  I could set it to IKEv2 only but the same problem arises; as soon as the the two firewalls are on different versions of PAN-OS, IKEv2 fails.  I would have thought that would be the use case for IKEv2 preferred but it doesn’t seem it.  ... View more

Site to Site VPN failing when IKEv2 and different PANOS

by in General Topics
‎04-13-2022 05:58 PM
‎04-13-2022 05:58 PM
Hello,    I’ve recently ran into an issue where I’m using IKEv2 preferred and the two firewalls are using different versions of PAN-OS. It will fail with “invalid sig.”. If both firewalls are the same PAN-OS version (this has been happening on 9.1.11-9.1-13h3… I don’t have any other versions to test), it works fine. But since I can’t update all firewalls at the same time, there are periods of time where they are different versions and that results in the tunnel dropping.  Additionally, as I’m using IKEv2 preferred, I assumed that when IKEv2 failed, it would use IKEv1 but that doesn’t seem to be the case.   Are both of these expected behaviors?  There must be something I am missing. Thanks.   ... View more

Debug Dataplane Help

by in General Topics
‎01-07-2022 11:24 AM
1 Kudo
‎01-07-2022 11:24 AM
1 Kudo
Hello,    I am trying to troubleshoot an error in a traffic log regarding cert decryption.  I have found an article from PA on it: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boONCAY but I am unable to reproduce the steps to help in troubleshooting.  The fourth bullet says 'Dataplane Debug shows the following..." and I would like to see a log just they show in the example but I'm not sure where that is.  The log features it references I'm familiar with for packet capture but packet capture doesn't look the example they provided.    Can someone point me in the right direction of how I can reproduce that screen?  Thanks.  ... View more

GlobalProtect iOS Certificate issue

by in GlobalProtect Discussions
‎12-07-2021 05:37 PM
‎12-07-2021 05:37 PM
Hello,     I’m in the middle of trying to make a gateway for iOS devices and I’m having an issue. I use MobileIron to push out the config and it uses an MI SCEP cert; I’ve added the MI SCEP CA to the PAN device and set it up as the auth profile. If I only do UN/PW I have no issue but as soon as I add cert requirement, the iPhone GP app has an error and if I check the PAN traffic log I see my phone IP traffic behind denied with a session end reason as “decrypt-cert-validation.”  Based on what I have been able to read, this might be due to a cert not being X509 compliant.   Can anyone help me understand what specifically is required in the cert or does anyone have any experience with this issue/config?    Thanks in advance.  ... View more

Re: MS-Teams Update Security Policy Help

by in General Topics
‎01-14-2021 11:59 AM
‎01-14-2021 11:59 AM
@BPry , Thank you for the suggestion.  I have done this before but tend to see inconsistent/unexpected results. So, following your advice, I did this for the the statics.teams.cdn.office.net; created a Custom URL CAT, added it as a FDQN inside of that.  In the security policy, allowed the desired apps, ports, Destination ANY and that custom URL CAT.  The rule does work, Teams downloads but I also see the rule several times hitting IP addresses that don't reverse to the aforementioned FQDN.  Based on GeoDNS with Akamai though, you believe this is expected behavior? ... View more

MS-Teams Update Security Policy Help

by in General Topics
‎01-13-2021 12:34 PM
‎01-13-2021 12:34 PM
Hello all,    I'm trying to fine tune a security policy to allow MS-Teams to update; based on what I can see the logs, it seems to contact statics.teams.cdn.office.net for the update.  I have created a single policy with that destination as a FQDN, allowing the usual ports and applications.  However, the rule is never hit, it skips over it and hits a deny rule.  When I check the URL Filtering logs, it does indeed show that it hits statics.teams.cdn.office.net but the destination IP is completely different than any ping, nslookup, PAN resolve, etc... to that FQDN and I can't figure out why the IP doesn't match what returns for that FQDN.     Does anyone have any experience with something similar or even a better way that I might be able to allow Teams to update through the application itself?     Thank you.  ... View more

Re: DNS suffix not applying

by in GlobalProtect Discussions
‎12-10-2020 10:51 AM
‎12-10-2020 10:51 AM
Based on what you're showing, it would seem that GPO would indeed take a precedence; which makes the DNS suffix option not useful.  Although, I'm unable to find it anywhere in their documentation that confirms or denies that.  ... View more

Re: DNS suffix not applying

by in GlobalProtect Discussions
‎12-10-2020 08:16 AM
‎12-10-2020 08:16 AM
DomainA and DomainB DNS suffix are received via GPO. ... View more

Re: DNS suffix not applying

by in GlobalProtect Discussions
‎12-10-2020 06:33 AM
‎12-10-2020 06:33 AM
I had read that as well... but unfortunately, it doesn't seem to be adding the suffix.     It's not resolving properly.  So, my laptop is in domain A and receives DNS suffix for domain A and domain B.  GlobalProtect has a DNS suffix for domain C.  So when I connect to the GP gateway, I want to be able to resolve hostnames for domain C without FQDN but when I ping hostname, Wireshark shows DNS is trying hostname.domain A and hostname.domain B (which fails because the hostname is only in domain C) and then returns that the host can't be found.    ... View more

Re: DNS suffix not applying

by in GlobalProtect Discussions
‎12-10-2020 06:04 AM
‎12-10-2020 06:04 AM
When I do a ping hostname and look in wireshark, I see the DNS request to the proper DNS server but it uses the DNS suffix from the local machine (there are actually two and it tries both), not the DNS that should be applied via GlobalProtect.   ... View more

Re: DNS suffix not applying

by in GlobalProtect Discussions
‎12-10-2020 05:40 AM
‎12-10-2020 05:40 AM
Hi,    I have added the DNS suffix under Gateway-->Agent-->Network Services.  And I see the same thing in the log that you posted, the DNS suffix shows as being processed, but when that DNS suffix does not show up ipconfig or in the adapter settings for GlobalProtect and when I try and contact by hostname only FQDN works.  So it's as though the config for DNS suffix is processed but never actually applied as far as I can see. ... View more

DNS suffix not applying

by in GlobalProtect Discussions
‎12-08-2020 10:49 AM
‎12-08-2020 10:49 AM
Hello,     I have deployed a GlobalProtect gateway in an office that uses a different domain than our own.  To that end, I have added their dns suffix to the gateway but when I connect onto that gateway, the suffix is never appended.  I cannot access their domain resources unless I use FQDN.  In the logs, I see the config being sent and it does include the DNS suffix so I'm not sure why it won't be appended?     Thanks.  ... View more

Re: Service Route Help

by in General Topics
‎12-07-2020 07:11 AM
1 Kudo
‎12-07-2020 07:11 AM
1 Kudo
I was able to get this work but only by doing an override on the local PAN.  The settings are exactly the same as I used in Panorama but they only worked once I overrode the service route config.   Thanks.  ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎03-20-2024 10:33 AM
Latest Tags
No tags yet
Likes Given To
View All
Likes From
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks