About Remo

... and in case you haven't already a GlobalProtect subscription ... you will need one for this new split tunneling feature ... View more

May I add something here: The connections will not be "slower" with decryption enabled, but the maximum throughput decreases dramatically on PA-5000 series hardware. It is true that there are major improvements with PAN-OS 8.X but only in software ... the hardware remains the same. I don't know exactly about PA-5020 but with a PA-5050 the hardware reaches its limits at a max of 300 Mbit/s of decrypted traffic. The major problem is that the hardware is already "old" and since then there where major improvements about the used encryption algorithms in the internet and for all these new algorithms the chips aren't really made specifically. So with this hardware (PA-5020) this report could still be true or even worse because of the mentionned algorithms.   But back to topic. @SThatipelly how are you going to configure everything like you proposed and still maintain the visibility on your PA firewall? Only in TAP mode? Because without that I don't get how the PA would see and actively process the unencrypted traffic. I mean this new appliance cannot simply terminate all encrypted connections and forward them decrypted. This will break almost everything in my eyes. Or are you talking about inbound decryption? ... View more

@w.naderer Do you have netbios probing enabled on the user id agent? ... View more

Hi @jezkerwin   Allright I still see multiple ways about how to do it right in your environment. Let's start with the way I personally prefer: Direct polling. For the redundandency part you simply install a second User-ID agent server. Both servers poll ALL the domain controllers. Because of the domain trust it should also be possible to poll the domain controllers from the second domain with one single service account and you could there also configure the exchange servers to query these sources also for even more acurate data. On all your firewalls (and on all vsys) you then configure these two user ID agents and you will have consistent and acurate User-ID mappings everywhere in your firewall infrastructure. Simple and easy to achieve 😉 This solution requires reliable connections from your HQ (where you install the agents) to all the sites and if you are really, really concerned about the bandwidth to your sites you could use the same agents servers and configure event log forwarding from all domain controllers to these two user ID agents. Only if every bit/s of bandwidth matters I would use the event log forwarding method.   If the connection between the sites and the HQ is not that important and might fail without big restrictions (for examlle if all the firewalls in the sites have local internet connections and also if you have the important ressources distributed to all sites), the first proposed solution might not be the best one. In this case I would recommend using agentless User-ID agent on all the site firewalls to poll all the coresponding domain controllers at the sites. This way the site firewalls will continue to have user-id mappings also in case of the connection to the HQ fails. If you go this way you could theoretically dispense with the user-ID agent servers but then you need to configure user-ID redistribution between all and every firewall to have consistent data in every case on every firewall. So also in this case I would still use the user-ID agent servers.   Another possibility would be to use panorama for the redistribution of all user-id mappings, but this obviously requires a HA panorama because without that you are again at the non-redundant point as you are now.   Regards, Remo ... View more

@jdelio Known issues list here: https://www.paloaltonetworks.com/documentation/cloud-services/cloud-services-portal/cloud-services-portal-getting-started/get-started/cloud-services-portal-known-issues ... View more

Hi @thumper   Almost anythin is possible as long as you get around all the content that is loaded by default on the GP Portal. You can even change the form that is injected at the pan_form tag, but this one is tricky an requires you to use third party scripts as it needs more script/characterd than the firewall allows.   Question 1: Did you try to simply hide the CSS ID "dFormat" with an additional CSS statement in the head section of the HTML? (->display:none or display:hidden)   Question 2: If the proposed solution from question 1 works then you should be able to place the instructions on the initial page with the loginform and after login the instructions remain hidden. ... View more

There is nothing you really have to worry about. But you should make shure that both HA members have the same apps and threat versions installed because with diffefent versions the two members might not behave the same with some traffic. And what you definately should do is upgrading at least to PAN-OS 7.1 as PAN-OS 7.0 is no longer supported since december 2017 (https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-summary) ... View more

I might be wrong, but I think the description in that documentarion is not very clear and the comment on that page writes something about suspended processed. But a not-running process simply is an executable somewhere on the filesystem, so I am back at my first comment here. ... View more

To check if a service is installed on a system you have to use the registry: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree Another solution does not exist as a non-running process simply is an executable somewhere on the filesystem. So GP would have to search the drives for an executable name that you have specified and this could easily be spoofed. ... View more

I think there are also other and probably even financial reasons why this list isn't public. This list completely public may cause wrong expectations as there is absolutely no guearantee that anything on that list will be implemented. And even when PaloAlto decides to implement a feature from that list - the first time this information becomes public is when a new PAN-OS is released. So even when you created a feature request you won't be notified when the decision is made for the implementation. And the financial reason might be something that it could prevent new deals because customers see that list, pick some IDs and then decides to wait for buying that product until this feature is included. Yes, personally it would be cool to see that list but not really more. And from a conpany view I am sure this list will never be public. With this post I simply tried to summarize the information that already made it to the public. ... View more

Back with PAN-OS 7.1 when it was working, do you know what version chrome was on? But as already mentionned by @BPry, when the firewall tries to but cannot decrypt the connection this leads to problems in most cases. In this situation of you I would expect that the first attempt fails and then the connection is placed in the exclude cache as you do not block "unsupported" protocol versions. But depending on the TLS Handshake the firewall may not be able to do that as it assumes the decryption works but it does not (TLS Handshake compatibility). When TLS1.2 should be used but the handshake is done in a way that it works also for servers with TLS1.0 (as it should according to the RFC) there might the location of this (possible) bug. So the firewall assumes it is doing everything correctly and from client perspective it looks like a protocol downgrade attack. I know a lot of speculation 😛 So I am interested what TAC says on this. Did you try to connect from a system/browser where you manually force everything to TLS1.2 only?   And now to something (almost) completely different: if you decide to do inbound decryption, shouldn't it be the opposite way? Decrypt TLS1.1 and 1.2 and block TLS1.0 with the decryption profile? (I am sure you have your reasons, so I am asking only because of personal interest) ... View more

Hi @jezkerwin   Do you need User-ID data on all firewalls and on all VSYS of theses firewalls or only on specific ones? Do you use panorama for firewallmanagement? Is there a domaintrust between these 2 domains?  As mentionned by @OtakarKlier querying the exchange servers is a very good solution but not always if you need the mappings as soon as possible after a user logs in to his computer. This changes a little if you use skyper4business as this software is in most cases the first software that starts (if autostart is enabled), and as skype4business relies on exchange for a lot of features the alternative with the exchange servers becomes pretty good also in this case. But to complete the whole story I would recommend both and depending on your answers to my questions we could recommend a good solution (even if you are already pretty close to a good solution except for the redundandency).   Regards, Remo ... View more

@ACortes If connections from specific clients are blocked, are these connections blocked permanently or does it work when you reload the website? ... View more