About Remo

Added two rare issues in 5.0.2 to the third post in this topic. ... View more

I will test the following configurations: Config 1 "Portal Client Config" { hip-collection { max-wait-time 20; collect-hip-data yes; } gateways { external { list { GATEWAY { fqdn GATEWAY; priority-rule { Any { priority 1; } } manual no; } } cutoff-time 5; } } authentication-override { generate-cookie no; } source-user any; os any; agent-ui { max-agent-user-overrides 0; agent-user-override-timeout 0; } internal-host-detection { ip-address INTERNAL-IP; hostname INTERNAL-FQDN; } gp-app-config { config { connect-method { value pre-logon; } refresh-config-interval { value 1; } agent-user-override { value allowed; } client-upgrade { value disabled; } use-sso { value yes; } logout-remove-sso { value yes; } krb-auth-fail-fallback { value yes; } retry-tunnel { value 1; } retry-timeout { value 1; } enforce-globalprotect { value yes; } captive-portal-exception-timeout { value 3600; } traffic-blocking-notification-delay { value 5; } display-traffic-blocking-notification-msg { value no; } traffic-blocking-notification-msg { value '<div style="font-family:'Helvetica Neue';"><h1 style="color:red;text-align:center; margin: 0; font-size: 30px;">Notice</h1><p style="margin: 0;font-size: 15px; line-height: 1.2em;">To access the network, you must first con nect to GlobalProtect.</p></div>'; } allow-traffic-blocking-notification-dismissal { value yes; } display-captive-portal-detection-msg { value yes; } captive-portal-detection-msg { value '<div style="font-family:'Verdana';"><h1 style="color:green; margin: 0; font-size: 16px;">Loginseite erkannt / Captive Portal Detected</h1><p style="margin: 0; font-size: 14px; line-height: 1.2em;">Bitte klicken Sie auf den Link, um sich anzumelden und Zugriff auf das Netzwerk zu erhalten: <a href="http://CAPTIVEPORTALREDIRECT">Klicken Sie hier</a><br/>Please click the link to login and to get access to the network: <a href="http://CAPTIVEPORTALREDIRECT">Click here</a></p></div>'; } captive-portal-notification-delay { value 5; } certificate-store-lookup { value machine; } scep-certificate-renewal-period { value 7; } retain-connection-smartcard-removal { value yes; } enable-advanced-view { value yes; } enable-do-not-display-this-welcome-page-again { value yes; } rediscover-network { value yes; } resubmit-host-info { value yes; } can-change-portal { value no; } can-continue-if-portal-cert-invalid { value no; } show-agent-icon { value yes; } user-switch-tunnel-rename-timeout { value 0; } pre-logon-tunnel-rename-timeout { value 0; } show-system-tray-notifications { value no; } max-internal-gateway-connection-attempts { value 0; } portal-timeout { value 30; } connect-timeout { value 60; } receive-timeout { value 30; } enforce-dns { value yes; } flush-dns { value no; } proxy-multiple-autodetect { value no; } use-proxy { value yes; } wsc-autodetect { value yes; } mfa-enabled { value no; } mfa-listening-port { value 4501; } mfa-notification-msg { value "You have attempted to access a protected resource that requires additional authentication. Proceed to authenticate at"; } ipv6-preferred { value yes; } init-panel { value no; } } } save-user-credentials 0; portal-2fa no; manual-only-gateway-2fa no; internal-gateway-2fa no; auto-discovery-external-gateway-2fa no; mdm-enrollment-port 443; }   Config 2 (on this gateway local network access is disabled) "Portal Client Config" { hip-collection { max-wait-time 20; collect-hip-data yes; } gateways { external { list { GATEWAY { fqdn GATEWAY; priority-rule { Any { priority 1; } } manual no; } } cutoff-time 5; } } authentication-override { generate-cookie no; } source-user any; os any; agent-ui { max-agent-user-overrides 0; agent-user-override-timeout 0; } internal-host-detection { ip-address INTERNAL-IP; hostname INTERNAL-FQDN; } gp-app-config { config { connect-method { value pre-logon; } refresh-config-interval { value 1; } agent-user-override { value disabled; } client-upgrade { value disabled; } use-sso { value yes; } logout-remove-sso { value yes; } krb-auth-fail-fallback { value yes; } retry-tunnel { value 30; } retry-timeout { value 5; } enforce-globalprotect { value yes; } captive-portal-exception-timeout { value 3600; } traffic-blocking-notification-delay { value 15; } display-traffic-blocking-notification-msg { value yes; } traffic-blocking-notification-msg { value '<div style="font-family:'Helvetica Neue';"><h1 style="color:red;text-align:center; margin: 0; font-size: 30px;">Notice</h1><p style="margin: 0;font-size: 15px; line-height: 1.2em;">To access the network, you must first con nect to GlobalProtect.</p></div>'; } allow-traffic-blocking-notification-dismissal { value yes; } display-captive-portal-detection-msg { value yes; } captive-portal-detection-msg { value '<div style="font-family:'Helvetica Neue';"><h1 style="color:red;text-align:center; margin: 0; font-size: 30px;">Captive Portal Detected</h1><p style="margin: 0; font-size: 15px; line-height: 1.2em;">GlobalProtect has tempo rarily permitted network access for you to connect to the Internet. Follow instructions from your internet provider.</p><p style="margin: 0; font-size: 15px; line-height: 1.2em;">If you let the connection time out, open GlobalProtect and click Connect to try again.</p></div>'; } certificate-store-lookup { value machine; } scep-certificate-renewal-period { value 7; } retain-connection-smartcard-removal { value yes; } enable-advanced-view { value yes; } enable-do-not-display-this-welcome-page-again { value yes; } rediscover-network { value yes; } resubmit-host-info { value yes; } can-change-portal { value no; } can-continue-if-portal-cert-invalid { value no; } show-agent-icon { value yes; } user-switch-tunnel-rename-timeout { value 0; } pre-logon-tunnel-rename-timeout { value -1; } show-system-tray-notifications { value no; } max-internal-gateway-connection-attempts { value 0; } portal-timeout { value 5; } connect-timeout { value 5; } receive-timeout { value 30; } enforce-dns { value yes; } flush-dns { value no; } proxy-multiple-autodetect { value no; } wsc-autodetect { value yes; } mfa-enabled { value no; } mfa-listening-port { value 4501; } mfa-notification-msg { value "You have attempted to access a protected resource that requires additional authentication. Proceed to authenticate at"; } ipv6-preferred { value no; } } } save-user-credentials 0; portal-2fa no; manual-only-gateway-2fa no; internal-gateway-2fa no; auto-discovery-external-gateway-2fa no; mdm-enrollment-port 443; }   ... View more

@rj_raj  Prior to entering sleep mode, where was your machine connected? in the internal/corporate network or were you already connected to your home wifi or another network? ... View more

@hibagus wrote: I wish I could just block all of ping. But sadly, I cannot. For what do you need the pings exactly? Maybe for some super-admins who blame you with a not properly working firewall/network when they are not able to ping whatever they want in the internet? Would it be possible that you allow some specific "trusted" destinations (destinations where you know that they don't do anything else than simply replying to the ping)? ... View more

The best actually is as mentionned by @OtakarKlier : do not allow pings outbound. PaloAlto will identify the ping propery but the App-ID does not care what is inside the ping packet. With a "harmless" ping it is not even possible to exfiltrate data, there is also software available that allows you to create a VPN connection over the icmp protocol. ... View more

Open issues # PA Bug ID Description Steps to reproduce Case number(s) Fixed in Version 1 - Two authentications sent from GP Agent to the firewall (in case of using MFA with SMS this means two SMS are sent to the user) Not (yet) available 01096611 - 2 - In rare situations GP detects a Captive Portal dven if there isn't one. If you have configured MFA (with RADIUS) and you are also enforcing GP this meant if the user cancels the MFA he has access to the network/internet without a VPN connection Not (yet) available 01146221 - 3 - After resuming from sleep mode Global Protect gets stuck with Captive Portal detection (in a network without a captive portal) and is not able to connect without a manual reconnect. Not (yet) available - - 4 - After resuming from standby it took about about 30 seconds (after connection to external network was established) until global protect continued with establishing a connection. Prior to standby the computer was connected to the same external network and GP was connected. Not (yet) available 01146236 - 5 - When nothing is entered on the OTP prompt, GP gets stuck at "still working" and only be restarting pangpa or with a reboot the issue can be resolved. Simply klick OK on the OTP prompt without entering anything 01147011 01147324 5.0.3 ... View more

Working configurations ... ... View more

5.0.2 was released. @MikeC you can start 😉 I need to test the version tomorrow, but so far I have still the hope that this will be the most reliable GP version for years! ... View more

@Alex_Samad wrote: @Remo so which is the prefered ? I don't know. I personally prefer the general IP pool as I have multiple gateways för different use cases - so I don't need specific client settings based on the possible attributes. ... View more

The recommendation is to use the dedicated HA1 port for HA1 (for deviced that have a dedicated HA1 port). For smaller firewalls a dedicated port is still recommended but depending on your port requirements the might be no dataplane port left for HA1. In any case I always use the mgmt port also for HA1 - at least as HA1 backup. ... View more

@chuckles wrote: what do you mean by service routes? --> https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/service-routes ... View more