About Remo

Hi @Hammer88    It depends on the proofpoint product that you have. Actually you need at least one firewall with a wildfire subscription as you need the wildfire API key. But depending on the protection you requires you need a wildfire subscription for more/all your firewalls ... this depends on your current topology and security requirements. ... View more

Hi @AbdallaAbdelkhaliq    What you are asking for is possible. The problem here that GP does not ask for OTP isn't located on the firewall - it is a problem on your RSA server. When your RSA Radius server receives username and password (if the credentials are valid) it needs to reply with an Access-Challenge packet. This way GP would show the OTP prompt. Right now your RADIUS server sends back directly an access-accept packet so the firewall and GP see only a valid authentication without the need to ask for OTP. ... View more

@Sec101  Traffic will always match only one rule. Even if there could be multiple matches, the first rule that matches will be applied. Only adding the URL category directly into the rule is a matching criteria, not the URL profile. ... View more

Hi @Sec101    Could you maybe give an example with your actual rules and where the problem is you describe here? At least for me it's hard to understand what you are trying to do or where the problem of the not matching rules reside.   What I can say right now is only that an URL profile is not a matching criteria in security policy rules. If you want to force specific categories to be processed by a specific rule you need to add the (custom) category directly into the rule. But I assume this wasn't very helpful to you 😛 ... View more

@rj_raj  I have updated the third post in this topic with the open issues with the one described by you. In addition I have also created a case with a reference to yours. Thanks! ... View more

@rj_raj  I was able to reproduce the issue. Without entering any OTP GP gets stuck at "still working" as you mentionned. ... View more

I have added another low priority issue and also case numbers for the 3 issues that I have experienced so far with 5.0.2. I need to add here, the issues from me in the list I so far saw only once. Even if I tried, so far I was not able to reproduce them (which is good and bad at the same time) ... View more

@Mick_Ball wrote: The "enforce GlobalProtect" option boosted our service desk calls bt 45 million (approx) so we took it off. mainly because of issues with captive portal etc but we do prevent open browsing by the use of a proxy.pac config.   pretty much got this down to a fine art as we generally only get 1 or 2 calls per week regarding GP. most resolved as users not joining guest networks correctly but hardly ever due to a GP fault.   we also run a couple of pre and post VPN scripts but this is just to enforce a few proxy settings and ipconfig/flushdns  as this was not part of the early GP versions. @Mick_Ball you should give 5.0.2 a try. I have spent a lot of time together with Paloalto to report, solve and test fixes for issue you describe here. Of course 5.0.2 will not be bug-free, but right not it runs pretty good with enforce enabled. Captive portals are no longer a problem even with this option and in my setup we even have MFA with RADIUS configured which made the whole situation even more difficult. Anyway, if you do test it with 5.0.2 any maybe also with the enforce option, please write your feedback/issues to this post, where I try to collect informations about 5.0.2: https://live.paloaltonetworks.com/t5/General-Topics/Global-Protect-5-0-2-working-deployments-configurations-open/m-p/260183#M73745     ... View more

@Remo wrote: Keep in mind that this recommendation is a general one and does not take into account specific customer configurations, so testing the releases in your environments is still recommended prior to installing it in production. @reaper as I wrote 😉 Even a recommendation nobody should blindly follow ... View more

Whats the difference between recommended and preferred? From the description in the topic this sounds like recommended even if the word prederred is used... ... View more

Ho @hibagus    Only paloalto knows how this is done 😛 But I found something which may be useful for you: you cannot create an app to identify linux/windows pings, but you can create an app that checks the length of the ping payload. So maybe it works if you specify a length of 0 (<1) and allow only that. This way not the default pings are allowed but you could make sure that there is no data sent put of your network. ... View more

@hibagus  Unfortunately what you're asking for is not possible. The signatures you can create do not allow you to do a pattern match on icmp-payloads - the decoder probably only checks icmp type and code and nothing else. The only thing you can do so far is to create a feature request... ... View more

@rj_raj wrote: - My machine was docked - i put it sleep and then undocked it - At home I had to connect to the WiFi as my conneciton is manual - When connected to WiFi that is when i noticed it   I will have to to re-test and pay more close attention to what i did. I will update the post if i am able to reproduce it @rj_raj I have added this issue to the open issues list. Would be great if you can add more details or even better if you are able to reproduce it. ... View more