About Remo

Hi @Jasoncull365   Yes, your certificate (the public key) needs to be signed by a public CA, GoDaddy in your case. If you're going to buy a wildcard cert then there is no need to add additional FQDN's to the cert as the wildcard cert will enable authenticated communication to *.companyname.com.au. As soon as you have the signed cert, you need to upload it and also the private key to your firewall. In addition to that you also need to upload the GoDaddy intermediate CA cert to the firewall (and if there are more intermediates between your wildcard cert and the root you also have to upload them). This way the firewall is able to build ther certificate path up to the root CA. In addition, uploading the intermediate CA certs, will tell the firewall which certificates need to be sent in the TLS handshake to a client. The sending of the additional certs to the client is needed that also it will be able to build the certificate path up to the root (the client normally only has the root CA cert in his trust store, but not the intermediate CA certs) and can verify the identity of your certificate - without this verification the clients will see a certificate warning in their browsers. Your wildcard cert then needs to be added to a SSL/TLS profilw, which you then could reference in the global protect gateway and portal configuration.   Hope this helps a little.   Regards, Remo ... View more

If you're adding all of them to an EDL you have a good reason to upgrade to PAN-OS 8. With the new features in the llg forwarding profile settings you could easy automate what you're now doing manually and the EDL. But this is a point where you have to be careful, because floods from spoofed IP addresses, could let you block IPs from legimate addresses. ... View more

Do you manage the existing 3020 completery with panorama or only specific settings? ... View more

@Raido_Rattameister Am I right that this only matters starting with the 5000 series and for example on a 5050 is you have more than 2 Gbps of IPsec traffic (-> more than half of the platform max IPsec throughput of 4 Gbps) and all this in one VPN connection ... View more

Ah ok, so only something to consider with the bigger PA series 😉 ... View more

@Raido_Rattameister Could you explain the point with the performance advantages with proxy IDs? ... View more

Yes, with route based VPN Proxy IDs aren't needed but if you do have one configured, there shouldn't be an SA in addition to the configured proxy ID. Of course route based with 0.0.0.0/0 is the best way to configure it, but thats, as I understood, not the point. And because of the described situation I assume @Carracido uses IKEv2 ... View more

@sharathshashidhar Does this config now work or did you create this after this topics discussion? Looks actually pretty good, I think ... View more

@Udineverisch Without more details about the logs and the configuration of the portal and the gateway it slowly gets difficult to suggest ways to solve the problem. If the portal/gateway has the same configuration for every client and does not manually block your computer, it has to be an issue on your computer, specially because your virtual box still works. Is there any difference on these 2? Special software, windows updates, ...? ... View more

Hi @Carracido   PAN-OS version? IKEv1 or v2?   So you already have one proxy ID configured and traffic is also flowing between subnets without proxy ID? Did you check the tunnel status and the IPSec SAs on the cli to see what phase 2 tunnel is established?   ... View more

... and about the packet capture: If you set the source to the IP from where your client is connecting and the destination to your portal IP, then you, in most cases, don't have to worry about performance problems. Simply set the filters as exact as possible, this wil also help you seeing the data you want to see and you then don't have to search in a big capture for that one connection ... View more

Hi @husetech   Yes, I read your post about the suggestion with the windows updates. I mean if this is the only difference between the clients then go ahead and remove the updates. Might be worth a try.  But I still can't get the "missing private key" error out of my mind and what this exactly has to do with the connection problem. Are there differences in the certificate store between the admin and non-admin users? ... View more

@husetech Because of the error you described when you connect with a non-admin user to the website, I think you have cert-authentication configured, even if it is accidentially. Could you share a screenshot of your portal configuration? ... View more