About Remo

Yes, inbound decryption will work - as soon as PAN-OS supports TLS1.3. Until then - as the firewall does not know about TLS 1.3 - it only offers TLS1.2 to the clients as highest version. If the server in this case obly support TLS1.3, the inbound decryption will fail. ... View more

Is your portal and gateway on the same device? If yes, then the chances that a client will connect directly to the portal are somewhere between low and not existent. Specially if you have the portal on another device than the gateway then the client will connect directly to the gateway if the portal is not available (if the client was already once connected and has a cached config)   ... but if your RADIUS is already doing what you need for the admin login, then there has to be a setting to force it this way ... ... View more

This will be interesting ... I am waiting already quite a while for an answer ... Not sure where I read that, but the only chance seems to be an explicit proxy or the complete visibiluty for encrypted traffic is gone. TLS1.3 in combination with DoH and also the DNS sinkhole feature is gone... ... View more

About what usercount are we talking here? Do they all have the same computers? Is it allowed to users to install software on their computers/do they have local adminrights? Is the issue showing up randomly or are there some constants (when they connect from a network with a captive portal/when they (try) connect over a mobile connection which at worst is a 2G network/when they wake up the comouter from standby/only after they changed from internal network to an external one)? Are these users able to connect succesfully after a reboot?   There are so many factors that could lead to issues like these which most of them aren't an actual GP issue. Except the portal thing, that somehiw sound like a bug of GP, but the trigger could be something "special" that the user does with his computer... ... View more

Hmn ... actually this is a setting on the RADIUS server where you define how the RADIUS server expects the password/otp, because the firewall only sends what it get from the user. The RADIUS server then answers with an ACCESS-ACCEPT, ACCESS-REJECT or ACCESS-CHALLENGE where the last one tells the firewall to show an additional inputprompt to the user where the OTP has to be entered. ... View more

Hi @Michael.Thyme   Do you use the same Authentication Profile for GP and for admin access? ... View more

@Lakshitha And in addition to the information @BPry asked for, could you also share some more about your configuration settings (prelogon/ondemand, enforce gp for network access, are users allowed to change portal, ...)? ... View more

Hi @snasheet   For SSL decryption, no license is required. This one and URL filtering are independent features.   Regards, Remo ... View more

@rj_raj Could you share some more information about this issue: PAN-OS version GP-Agent version Authentication (RADIUS, LDAP, ...) Pre-Logon/On demand Enforce Global Protect for network access enabled ... Maybe this would be helpful also for others here (and if others have the same problem and also open cases, this could also help you as the issue then gets a higher priority)   Thanks in advance, Remo ... View more

Hi @rcaduser   You have a special routing/firewall desgin here 😛 and I have some additional questions: Do you have a zone protection profile applied to the zones of e1/12.2 and e1/12.3? If yes, which protections are enabled? When you did the packet capture on the firewall, did you enable "Pre parse match"? Right now my assumption is, that the reply traffic is an IP spoofing attack for the firewall. Because whem the firewall sends an LDAP query out of vlan 2 towards the AD, the reply traffic obviously gets also back to the interface e1/12.2. But for this reply packet the source IP is the AD server IP - an IP that belongs to vlan 3 where the firewall is also directly connected. Because of that the firewall expects traffic from AD on e1/12.3 and not on e1/12.2 so it drops the packets arriving there. In your final test when you changed the service route you have exactly the opposite that when connecting to the sun LDAP the source is e1/12.3 and then the firewall receives a reply from a server in vlan 2 that it does not expect on e1/12.3 so it dropps it.   So solve this you could configure IP based service routes instead of feature based. Or: does the firewall really need interfaces in noth vlans when the routing is done on the core switch? In this case I would use a transport network between the firewall and the core switch instead of connecting the firewall to both vlans, but probably there are other reasons why you configured it this way. ... View more

Hi @Renato_Guerino   Did you create - as mentionned by @BPry - the dynamic IP NAT rule above the existing rule with DIPP? According to cisco the source port does not need to be the same as befire NAT, it only needs to be the same continuously (https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Troubleshooting_VPN_Registration_for_Meraki_Auto_VPN). PaloAlto only changes the NAT source port when the firewall sees a new connection. This means you could also try to create a custom application where you set the timeout really high (even if I don't get why the NAT source port changes in connections when there is traffic every 10 seconds). With an application override rule you then force the traffic to be recognized as your custom application.  ... View more

Thanks @jharlow, FR ID 7832 is also added to the list.   Regarding the implementation status: New features are normally added in new major and some also in minor releases (so in x.0 and x.1 releases). This process takes a lot of time even for "highly requested" features. Maybe you are lucky and this one will make it into PAN-OS 9.0. (Some of the FR IDs on the list are already there for more than 4 years) ... View more

Unfortunately thats how it works right now. You could create a feature request for this DNS sinkhole cloud enhancement ... Or build something similar on your internal DNS server where you sinkhole alle the public lists of malware domains... I know, not really what your looking for... ... View more