About Remo

You're right... there was a question 😛   I was thinking a lot about this possible problem. And so far I did not find a point that this configuration is less secure than using an authentication profile. You only have to make sure that the pre-logon user only has very limited access to the ressources needed at login time (AD, SCCM, Antivirus updates, ...). If you have a specific group where you put all your vpn users into it: You can improve this, at least a little, when you only give this vpn usergroup full internal access and after this rule create a deny all rule. This way if someone has a company computer (or at least a certificate from your PKI) and valid credentials (of someone not belonging to this vpn usergroup) ALL traffic will be blocked. But in this, kind of worst case, situation you have the same problem when you use the traditional authentication profile method. In such situations there are internal processes needed that when a user got his computer stolen, he needs to call your support department as soon as possible to start the processes for revoking the computercertificate and for resetting the user password. ... View more

FYI: The method with the javascript redirect works better than expected - no warning in chrome and firefox - and is really easy to implement. Simply go to www.facebook.com and you will be redirected to www.facebook.com/paloaltonetworks - or wherever you want do redirect your users to.   With javascript it is even possible to customize this even more: user opens facebook.com --> redirect to facebook/paloaltonetworks user opens bing.com --> redirect to google.com   with the user-id data you can even create user-based redirects (but keep in mind that the javascript can be viewed by everyone who gets to the response page) or ip network based redirects. Another case would be redirects based on (custom) url categories.   While you already have a lot of possibilities with the integrated response pages, such a redirect to your own webserver gives you even more possibilities - countless possibilities because there you don't have any space or whatever limitations because you do not have the full control over the webserver which runs on the firewall.   Definately something I have to add to my to do list 😉 ... View more

Hi @Mister.iks   I don't know if this is supported or what ever the official answer to this is. Maybe someone else here knows exactly or you always have the possibility to open a support case.   But there is also another way to solve such problems: The key is: do not use PAN credential provider at all   Like I described here: https://live.paloaltonetworks.com/t5/General-Topics/Global-Protect-quot-Single-Sign-on-quot-with-Windows-Hello-on/m-p/157569#M51667   Another way maybe is with Global Protect SAML login. But I cannot say something about this method. I still have this on my to do list ...   Regards, Remo ... View more

Hi @ansharma   I have no evidence that it is really this, but I assume this fix has now introduced other IKEv2 problems. After the upgrade to Version 8.0.3 we started seeing other IKEv2 problems, so far "only" with PFSense firewalls. As I have seen the problem happens at rekey time. So there was an existing tunnel, but when the other side tries to renogotiate everything PaloAlto cannot match the proposed phase 2 networks to the configured one, even the proposal and the configuration have exactly the same parameters. --> The tunnel ONLY comes up when the existing SA's are manually cleared.   Regards, Remo ... View more

Hi @Kali_89   http://lmgtfy.com/?q=configure+GP+client+to+logon+automatically+as+soon+as+Windows+starts   In addition to the upper url, there are a lot of ressources here and on the official PaloAlto Documentation website on how to configure what you want. The keyword is "pre-logon".   https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/globalprotect-quick-configs/always-on-vpn-configuration#id6c49390a-2ed7-4f95-8f58-31c7f71ce16b https://live.paloaltonetworks.com/t5/Configuration-Articles/Basic-GlobalProtect-Configuration-with-Pre-logon/ta-p/136131 Hope this helps.   Regards, Remo ... View more

Hi @dropboxintegration   In addition to @acc6d0b3610eec313831f7900fdbd235's questions, what url categories do you allow? Because dropbox also loads some third party content when you open the website ( https://urlscan.io/result/708a0d7a-6695-4d13-8618-c078dc4d7f94#summary ). It could be if some additional ressources are blocked that the site does nor work properly. (I see a similar behaviour when I connect to dropbox with local adblockers enabled).   Regards, Remo   PS: Do you really decrypt-encrypt-decrypt-encrypt-decrypt-encrypt (3 times tls decryption) all the encrypted sessions? ... View more

@BPry What exactly do you mean with the mentionned warning?   I shortly tried with a local html file (not as response page). At least there with chrome 59 and firefox 54 the redirect works without issues. Ok, the respone page is shortly visible, but this you can customize with a text like "redirecting in 3, 2, 1 ..." (or something which makes more sense 😛   I will try this shortly at the beginning of next week if it works the same way when actually presented by the firewall as response page ... View more

"PanV2CredProv" = {25CA8579-1BD8-469c-B9FC-6AC45A161C18} ... View more

@reaper It is not officially supported but ...   @adrianflux I see a chance to do this with javascript on the response page.   window.location.href could be used to get the current URL then with a switch-case function you could dynamically redirect different sources to the destinations you want window.location.replace("www.paloaltonetworks.com"; will then to the redirect trick only with that it will not be done completely. You will also need different security rules to make sure that only specific websites will present the response page while the one you redirect to need to be allowed without response page ...   for example: rule: allow www.facebook.com/paloaltonetworks rule: show response page for www.facebook.com ... View more

http://bfy.tw/CVEJ   😉   The upper link will lead to to another bug ID because your ID so far does not appear anywhere in existing release notes. If you have this bug ID from support because of an active case you probably want to ask the support engineer about the release of the fix. You could also reach out to your SE to ask for information. ... View more

If someone else thinks this would be a great future when it would be possible to schedule these "Change Monitor" reports as parts of the existing Custom Reports ... vote for FR 7484! ... View more

There is only 1 average value for all cores/dataplane-processors. --> 1 OID for MP CPU and 1 for DP CPU(s) ... View more

This sounds to me still like your drive encryption software needs its own credential provider for SSO. In windows 7 you also have the ability to wrap the GP credential provider around another credential provider. ... View more