About Remo

This definately is possible. What output does the following command show you: "show user ip-port-user-mapping all"? ... View more

Hi @Pattarachai   What global protect versions did you try with PAN-OS 6.0 and newer?   So far this does not sound like an issue: PAN-OS 6.0 is no longer supported: https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-summary Global Protect for Windows XP is supported up to GP 3.0.x: https://www.paloaltonetworks.com/documentation/global/compatibility-matrix/globalprotect/where-can-i-install-the-globalprotect-app#id7a3c3401-b233-43b0-8d78-dfceab88798f ... View more

@Radmin_85wrote:   i have read this in the Internet.How one can handle with it? Not the answer you want to hear, but there is no solution. For SMB and other connections in system context you will not have user-ip-port mappings. If you really want to restrict connections from terminalservers to user connections you have to deny these connections (except the ones that that are required like SMB to Domaincontroller, Profileshares, ...) somewhere (on other external firewalls or with the local firewall. ... View more

Hi @ihealey   When clients are connected with GP, there is no other method than the clients register themselfes to DNS (AD joined computers) - or you have to create a custom solution that gets the connected computers and thwn adds/updates the records in the DNS accordingly.   Also for the GP part: we use already version 4. And there we also had the problem where we didn't had DNS entries. Then suddenly version 4.0.5 came out with the fix for a problem that prevented DNS updates from computers connected with GP. So our solution was an update to 4.0.5 or higher. This problem was NOT mentionned in the known issues list, so may be this problem also exists in 3.1.x. Maybe you should ask support about this...   If DNS internally isn't working properly the root cause probably is also somewhere else - but in case you enforce GP for network access I am not absolutely sure about this - possible that it is also GP related.   Regards, Remo ... View more

Hi @JohnUrbanek   Try starting Panorama on 8.0.x in debug mode (when started in maintenace mode) and the boot loop is gone 😉 Everything then works: Adding Disks to local Log collector Removing Disks from local log collector Softwareupgrades And everything else that panorama does... ... View more

Hi @jsalmans   Do you have installed dynamic updates on panorama and if yes maybe a reinstall of the dynamic apps and threats update? ... View more

@uvdeswrote:   Does the same requirement for multiple routers hold true with ECMP to keep the tunnels active, or is it different now? I don't see a requirement for more than one virtual router. (Yes, I would use 2, but just to separate internal and external routing). Actually I don't really see a technical reason why you use 2 VRs today, as it is also possible to keep all tunnels up and running (with tunnel monitoring and/or PBF monitoring).   In any case with PAN-OS 8 and the route monitoring there is no need for PBF rules in your case. ... View more

Hi @uvdes   @uvdeswrote: I'm curious: in the two-VR design, why does ECMP need to be on both VRs?    I have to admit that with my previous assumption ECMP was only needed on the main location for both VRs. But with the direct internet access now I would use it really on all VRs. So let's take a remote site as example. There you have 2 ISPs on the external router and 4 tunnels on the internal router (and of course the internal interface (s)). So to use both ISPs actively for internet connections ECMP is required to make that possible. And from the view of the internal VR you have 4 links towards your main location, so you need ECMP also there to use all these 4 links for connections towards your main location. Hope this makes sense.   Using OSPF works perfectly fine for this. Also in combination with ECMP to utilize all available links from and to every location (from just a technical view this active-active setup is just the "cooler" solution as it would be also recommended to size the uplinks big enough that you won't have problems if one of them is down for a longer period of time. But this of course is up to you, if you simply need redundancy and in case of a problem it is not a big deal to use "half" the max bandwidth, then it simply is cheaper with active active as you don't need that much bandwidth.   If you don't want to use this all-active setup, I think you should also check out Global Protect Large Scale VPN because of the following reasons: No static routing needed. It is possible to configure the satelites to tell their local networks to the main location when the connection is established Redundandancy is easy to set up. If one uplink fails on any location, Global Protect automatically connects the other way Simple setup if you once have even more locations. No additional configuration (IPSec tunnels (and routing in case of static) required on the main firewall if you add new locations to the setup. Simply configure the Global Protect Portal to the new branch firewall, connect an internet uplink and you're done. (Works also when you don't have static IPs from your ISP) Regards, Remo ... View more

Hi @uvdes   @OtakarKlier is right. My solution also works with 1 virtual router per firewall. The solution with two routers is just my personal preference how I would do it. This way you have external ant internal routing completely separated and if you start with static routing and want to change to dynamic in the future, you could simply enable the dynamic routing on the internal virtual router without touching the external one which still handles both ISPs with ECMP.   Regards, Remo ... View more

Hi @fjwcash   Why don't you simply use the IP of the external interface for the Global Protect Gateway? ... View more

Hi @uvdes   All right. One question I forgot: will you route everything to your main location and from there to the internet or will every branch office have direct internet access over the PAN firewall?   Anyway let's start with a setup with static routing and an active-active config (the one i would prefer in your situation - assuming you don't need branch-to-branch office tunnels) The following is the same for all the up to 6 firewalls: 2 virtual routers: 1 for the ISP interfaces and one for the internal and tunnel interfaces 2 default routes with integrated route monitoring on the external virtual router ECMP enabled on both virtual routers Then you need to set up the configuration for all the vpn tunnels (20 on the main location): I recommend to configure all tunnels with transportnetworks (/30). These IPs you need for the route monitoring later Assign at least the same zone per location to all tunnel interfaces. This is required for active active use of the connections, because otherwise the firewall probably droos most of the traffic because of asymetric routing (or if you haven't enabled that in the zone protection you don't need firewallrules for both directions) As already mentionned assign all tunnel interfaces to the internal virtual router Set up all the IPSec configurations Create for each location 4 static routes with equal metrics. Every route points into one tunnel and configure also the route monitoring for each route - for this you now need the tunnelinterface IP addresses. This monitoring is needed that a failed tunnel isn't used any longer On the main location you need a default route on the internal virtual router with the destination the external virtual router for the internet access. On the remote sites it depends on my question from the beginning of this post. If everything has to go to your main location you only need 4 default routes for the 4 tunnels with the same metrics on every remote firewall. If these locations have direct internet access then you need the same default route configuration as on the main location and routes for all internal networks that you want to route to the main location (every route 4 times).   My recommendation so far is based on the fact that you don't need branch-to-branch and that you will not have more than 5 locations. If there are 6 or 7 locations sometime the additional routing config will be doable, but if you see that you will have a lot more locations in the future there is probably now way around dynamic routing or another possibility would be Global Protect Large Scale VPN, but with that you cannot have active-active configurations utilizing both ISPs.   I hope this is somehow understandable. Feel free to ask again if something is not clear or if you have further questions.   Regards, Remo   ... View more