About nthen

I know that I can add a second IP to my outside interface by using a /32 instead of /24 like the first one has.  My question comes in with routing.  My default route shows a 0.0.0.0/0 going out ethernet1/1.  Since this interface has 2 IPs what IP does it use for the routing?  Will it use the one with a /24 or /32. ... View more

Is it possible to have more than 1 Global Protect portal and gateway on a single appliance?  We use tunnel all mode with a route of 0.0.0.0/0 for all of our users.  However today a vendors need access but want to use their own systems at the same time.  In this case I would not want to tunnel everything, only our private subnet.  ... View more

According to product help for application-default: The selected applications are allowed or denied only on their default ports defined by Palo Alto Networks. This option is recommended for allow policies because it prevents applications from running on unusual ports and protocols, which if not intentional, can be a sign of undesired application behavior and usage. Note that when you use this option, the device still checks for all applications on all ports, but with this configuration, applications are only allowed on their default ports/protocols. When I use an application override rule, can I still use application-default or do I need to use ANY? ... View more

I have two VPN tunnels established with a vendor.  1 is in San Digeo and 1 is in Las Vegas.  The subnet in SD uses 10.220.1.0/24 and LV uses 10.220.2.0/24.  With both tunnels they want me to NAT my IP of 172.16.1.235 to 10.200.249.30.  I have a NAT statement configured that says to NAT all traffic coming from zone Inside to zone VPN Tunnels coming from my IP to both of the remote subnets to the 10.200.249.30.  My security policy right now says to allow any > any both ways.  I added 2 static routes in my virtual router for both subnets. I can ping all addresses in San Diego and Vegas without issue and the NAT translation is working.  When my vendor tries to ping me the request times out.  They can ping me from both data centers only if I add 10.200.249.30/32 using one of the tunnel interfaces as a static route.  It doesn't matter if I use tunnel.8 or tunnel.9 for the static route.  It seems as long as the 10.200.249.30 is in the routing table pings will go through from them. Has anyone seen this behavior?  Is this the proper way to get this to work or so I need to use some type of alternate interface to pin the NAT'd IPs to?  Or should this not be happening at all and there is a software bug somewhere? ... View more

Does anyone know if there are any enhancements in version 5 where the GlobalProtect VPN client will prompt the user to change their password if it expires when using single sign-on with sources such as AD? ... View more