About Remo

Hi @MP18   Does your company in this case already uses an Azure AD and/or Office 365 or other Microsoft Cloud Services? Or what is the exact reason to use Azure MFA if there are no prerequisites? ADFS technically is a SAML Identity Provider (I assumed you use this one as it is probably the only SAML IdP with an Azure MFA Integration). Another way you can go is with a Microsoft NPS RADIUS Server with the Azure MFA Plugin.  ... View more

In general yes it should be possible, but you did not share a lot of information to answer the question ...  Do you already have ADFS servers? Do you use Azure MFA there already? Do you use Azure MFA already for another service in your company or do you plan to implement it completely new?  ... View more

@OGMaverick wrote: All of our users who auth over CP are now normalizing as 'domain.com\user' although we need them to be user@domain.com. What do you mean with "now"? Did the format suddenly change? Was there something changed by somwone in youe company? Did you upgrade from PAN-OS 8.0 to 8.1? ... View more

There will be no change in panorama functionality except that it is then only used for managing the firewalls and showing logs - it will no longer be able to receive logs. ... View more

@Aiace wrote: Add FR#241 SMTP authentication in Email server profile. Thanks.   Thanks for the input. FR ID 241 added to the list. ... View more

Hi @MP18   This is the default (local) log collector that comes with a Panorama in "panorama-mode". If you don't want this one you need to assign all firewalls to the dedicated log collectors and then change the panorama mode to "management-only". ... View more

Hi @khampshire   The link that I wrote in my previous post may really be something for you with the getting started series.   I assume you need to do at least parts of the following: Create a virtual router Add your two interfaces to the virtual router Add a dynamic ip and port NAT rule to hide the outgoing traffic behind your public IP that you received by DHCP by your ISP Add a security policy rule that allows outgoing traffic ... View more

Does this user normally works with his default user but needs to use another one for task that require administrative privileges and the user-ids are switching between these two? Or uses scripts that run as another user, maybe a service account? ... View more

Hi @LukeBullimore   I wasn't able to find out how exactly the salts and hashes are encoded in the output of the "request password-hash" command. Obviously it is not the plain MD5 hash, there is some additional encoding. With this example: $1$sumoabmi$tGZkhTpj536dlrfkkaowi $1 probably is the algorithm, $sumoabmi seems to be the (encoded) salt and $tGZkhTpj536dlrfkkaowi is the salted and hashed password. ( @reaper: do you know how to get the output as provided by the command "request password-hash"?)   So the conclusion is, I think you cannot simply enter a hash with the create user command, you probably need to use the request command. If your interessted I could provide a little powershell script that will take the values from a CSV and then create the users for you over the XML API... ... View more

As mentionned by @JW6224, to use a certigicate as ssl forward trust cert it needs to have the CA flag set ... your cert does not have this flag set (as you can see in the CA column kn your screenshot/cert list) ... View more

Hi @LukeBullimore   Now I did confuse myself too 😛 Need to test a little before I write wrong things ... ... View more

Hi @BigPalo   You can either generate a CA cert on your firewall or use a cert sygned/generated by an enterprise CA, but you will not get a CA cert from any of the public trusted certificate authorities. ... View more

@LukeBullimore Do you want to paste all the user from a pre-generated csv or something like that or you you use a script anyway?  But even if you want to pre-generate the hashes I assume you can do that without the request password-hash command, you just need to have the salt also in the string that you use as password hash when you henerate the user. I did not test it but if you use the same format as the request command generates ... ... View more