This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

About Remo

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Remo
‎11-26-2025
since ‎03-20-2013
L7 Applicator
User Activity
User Profile
Latest posts by Remo
View All
User Badges
Community Statistics
Member Since ‎03-20-2013 04:23 AM
Date Last Visited ‎11-26-2025 01:29 PM
Posts 2,247
Total Likes Received 813

Re: GlobalProtect with MFA - Always On

by in General Topics
‎04-30-2019 01:46 PM
‎04-30-2019 01:46 PM
Hi @MikeC    Just a little hint ... wait a few more days until 5.0.2 will be released. Of course I cannot guarantee that there are no bugs but right now I have 10 open cases because of problems in 5.0.0 and 5.0.1 and most of the problems seem to be solved with 5.0.2 - even though I don't use MFA with Duo/Ping/... but with RADIUS. And at some of the problems are general ones like connection problems after resuming from hibernation mode. ... View more

Re: Override Template sub-interface in a Stack

by in General Topics
‎04-30-2019 12:25 PM
‎04-30-2019 12:25 PM
@jeremy.larsen wrote:  I have a ticket open and it sounds like this is a known issue.  I will update this thread once I get confirmation. So far I thought this is a limitation and not an issue ... great if there is a chance that this will be fixed (without a feature request) ... View more

Re: Override Template sub-interface in a Stack

by in General Topics
‎04-30-2019 11:54 AM
‎04-30-2019 11:54 AM
@jeremy.larsen  (Unfortunately) if you override a sub interface in a template stack the whole interface will be overridden and everything configured on this physical interface will be deleted and only the configuration in the stack is applied - this means you cannot override a single sub interface... ... View more

Re: NAT to VLAN Interface

by in General Topics
‎04-29-2019 10:55 PM
‎04-29-2019 10:55 PM
Hi @DoDo1975    What you want to configure ia a layer 2 deployment and this is documwnted here:https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/configure-interfaces/layer-2-interfaces  ... View more

Re: GlobalProtect with MFA - Always On

by in General Topics
‎04-29-2019 10:31 PM
‎04-29-2019 10:31 PM
Hi @MikeC    Actually you need at least Global Protect 5.0.0, but this works also with PAN-OS 8 as it is a feature of GP and not something that you need to configure on rhe firewall. ... View more

Re: GlobalProtect with MFA - Always On

by in General Topics
‎04-29-2019 04:50 PM
‎04-29-2019 04:50 PM
@hshawn wrote: Assuming you are using pre-logon with always on? If so... This is funcionality that was added in PANOS 9.0 More precisely, this was added with GP 5.0. This feature also works with PAN-OS 8.0.x. With user-logon (as right now configured by @MikeC ) this is already possible with 4.1.x.   @MikeC There are quite a few things that you need to consider. Mainly the question of how much security you need? I am asking this because with your current configuration it is already (easily) possible to circumvent the VPN connection - a User only needs to block connections to your VPN Gateway and he is able to connect wherever he wants without the VPN. This problem can be solved with the enforce option as you mentionned, but enabling this option also requires a change from user-logon to pre-logon, because otherwise the network connections in the internal network are blocked until the user is logged in (access is blocked until the internal host detection is done and this check takes place when GP becomes active). For the public wifis and captive portals you can configure a timeout where access to these captive portals is allowed for the specified time and as soon the user loggs in to the caprive portal or accepts terms of service GP kicks in and asks for the MFA authentication.   ... View more

Re: 5260 Experience

by in General Topics
‎04-29-2019 12:27 PM
1 Kudo
‎04-29-2019 12:27 PM
1 Kudo
Hi @licenselu    This is a known limitation of PaloAlto firewalls. If you do inter-vsys routing then everything is done in software. The only way to get the full performance of the box is if you "think outside of the box": the traffic needs to go out of the firewall and come back over a switch/router to another interface of the next vsys. ... View more

Re: UDP 443 becoming more prevelant

by in General Topics
‎04-29-2019 12:23 PM
‎04-29-2019 12:23 PM
@Plattinum wrote: It's a custom implementation based off of QUIC according to the documentation, and blocking all UDP/443 traffic seems like the wrong way to solve this issue. It depends on your needs. If you want to control and decrypt any connections then you need to force the traffic to a way that makes it possible. If you allow any connections to the internet then go ahead and allow 443/udp. Another possibility is you can write a custom application to at least detect the application.   If now every big player in the cloud starts to write their own protocol then it could be difficult (not impossible) for security vendors to support full control features for all of these.   You could also ask your SE to create a feature request so others can add their vodmtes to the FR because I think you are not the only one who thinks this would be a need feature. ... View more

Re: Presales question: External IP address assigned through DHCP and /29 routed to this IP, possible

by in General Topics
‎04-28-2019 10:31 AM
‎04-28-2019 10:31 AM
Hi @HaVaNL    @HaVaNL wrote: As soon as the ASA has a NAT rule and a security rule it will happily start forwarding packets the the published server. There is no need to assign any of the /29 IP addresses to any interfaces. For ease of management I just create an object for each IP address (x.x.x.x/32) and use it in the NAT rules. On the PA this works in exactly the same way, so yes also point 3 and 4 are possible.   Regards, Remo   ... View more

Re: Traps Agent is not upgrading automatically from Internet.

by in General Topics
‎04-27-2019 12:49 PM
‎04-27-2019 12:49 PM
Hi @ssnohman    Welcome to the community! First I need to mention that if you need urgent support you need to contact paloalto directly by creating a support case. Here in the community you get best effort support from people who help in free time - so you cannot expect someone to call you directly to help.   Anyway, do you have traps on-prem or the cloud service? In case of on-prem, is your traps server available from the internet or do you have a dedicated one in your DMZ? Do these clients have internet access or is there a general problem?   Regards, Remo   PS: There is a forum specially for Traps questions: https://live.paloaltonetworks.com/t5/Endpoint-Traps-Discussions/bd-p/Endpoint_Discussions ... View more

Block access to websites available over their IP (and not a FQDN)

by in Custom Signatures
‎04-27-2019 12:39 PM
‎04-27-2019 12:39 PM
Hi community   Does anyone already managed to block access to websites available directly with their IP? Actually with regex this would be an easy task, but I have some difficulties creating a custom application signature as there isn't the full regex available and there is also the limitation that the first 7 bytes of the signature need to be a static value. So with a signature for http host header there is no chance to create a pattern for IP addresses. Does anyone already managed to create such a signature or could point me to the right direction to create one?   Thanks, Remo ... View more

Re: Proxy ID for IPSEC traffic going to Internet

by in General Topics
‎04-27-2019 12:10 PM
1 Kudo
‎04-27-2019 12:10 PM
1 Kudo
Good article about the question of "why use a VPN proxy ID?": https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUFCA0 ... View more

Re: Trying to setup a virtual lab using VMWare Workstation

by in General Topics
‎04-26-2019 01:53 PM
‎04-26-2019 01:53 PM
The base images for VM firewalls are still at the same location as I wrote in the previous post. Or @Derlylop do you have another problem with setting up a VM firewall on VMWare? ... View more

Re: application any and service application default in policy

by in General Topics
‎04-26-2019 01:47 PM
4 Kudos
‎04-26-2019 01:47 PM
4 Kudos
As far as I know this speedtest uses TLS connections on port 8080. As the default port for the App ssl is 443 the firewall no longer allows these ssl connections from speedtest on port 8080.   To solve this issue you would have to create a new security policy that allows ssl on port 8080 and depending on your needs restrict it to specific IPs of servers that are used for the speedtest. ... View more

Re: GlobalProtect - "Refresh Connection" API call via DLL/etc

by in GlobalProtect Discussions
‎04-26-2019 10:21 AM
‎04-26-2019 10:21 AM
@AAT wrote: This issue has been on going for years and not acceptable for the software to have such an obvious / easily fixable bug last so long.  We shouldn't have to be writing our own code / hacks to fix Palo Alto's VPN client @AAT  Then 5.0.2 will be the first release that is acceptable 😉 ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎11-26-2025 01:29 PM
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks