About ksauer507

One of the things I've noticed is sometimes the fw will see the user as domain.com\username and sometimes as domain\username.  I found this thread and made changes so user and Group Attributes Primary Usernname is sAMAccountName and Alternate Username 1 is userPrincipalName, but it still randomly flip flops detecting the user. so we ignored app-id based on the user name with a temp rule and deleted our others, now things work.  Why doesn't the palo see what AzureAD is passing and normalize it with what we have in on prem AD? ... View more

Well we tried this and still having problems.   In traffic monitor we just get random denies falling back down to our last rule we call block others (like a catch all deny rule). In this state seems the user can ping and trace but can't really "access" anything.  Like you could ping a DC for example, but you cant RDP into it.  Or ping an internal webserver, but again cannot access its webpage.  Cant login to the phone system, or skype for business.  Many of it says subtype eq deny, and action is drop.... for applications like msrpc-base, ms-ds-smb-base, DNS, SSL, ntp, cotp.  However the source user IS correctly identified, and the allow rule for this user is high up, actually rule 7 in this case VPN Access - Information Technology and its allow domain admins, information technology, a vpn-it ad group, and a particular service account we sometimes use to rdp to a particular server.  The thing is the destination is any / any / any and application and service are both any / any.  So why would it deny on things like ssl.   Its random, like I will have Outlook open and lock my screen one day and the next morning unlock my screen - I'm still connected to the VPN, Outlook is up to date.  I'll work for an hour or two and then start getting connectivity issues.  GP says I'm connected... the internet works fine (we split tunnel) but I can't access anything internal. I can ping but nothing else really.  I can fire up another computer on Cisco Anyconnect just so I can see the firewall logs for my GP IP address, and my user name is still correct but its starting to deny applications that shouldn't be denied because we have it set to "any".   We have a few testers and they seem to see that they log in and it goes from pre-logon to their user, GP says connected, but they can't access ANYTHING internal (except pinging things) for like 10 minutes!  We initially had the Gp tunnel rename timeout at 200 seconds so there's enough time to allow login scripts to run, but we tried changing it to 0 and still nothing.  We thought maybe a good working config would rename the tunnel WITHOUT disconnecting the user.   At first I was ok for some time and then I would get into this random "state" of ping only, and we did seem to track it down to cookie auth expiring and renewing, so we disabled the cookies and did not fix. We then thought maybe its user id an its not thinking about moving from pre-logon to user or not detecting the user correct, so we tried that tweak above about disabling user id timeout. Then I noticed I would have these strange connectivity issues right around a HIP check, so I disabled that. Still nothing.  We can't get this thing stable and we are supposed to finally fully migrate on it from a 100% stable working Cisco ASA next weekend.  I can't move forward with that plan if we cant get 80 work from home users on a stable VPN.  We've been sitting on these PA-3220's for a year now and just cant get it going.  I'm almost regretting going with Palo and maybe I should have gone with our other contender, Fortigate.  Were at a loss here. ... View more

I know this is an old thread but I'm experiencing the same issue, 3220 fw's with 10.0.8-h8 and GP 5.2.10-6 on Windows 11.  First I thought it was an expiring cookie, but your right its right after the hip check.  Strange I see exactly the same thing.   So when you say you disabled the timeout of user-id, do you mean you unchecked Enable User Identification Timeout in the cache section in Device > User Identification?         ... View more

show user ip-user-mapping all showed valid user to IP mappings. show user server-monitor statistics showed 4 DC's in the connected state, but if you kept running that command over and over you'd see a random DC go to not connected, then access denied, then connected again.  The windows program WBEMTEST with the same service account credentials we use against the DC's launched with no issue.   We changed them from WinRM-HTTP to WMI and committed, and no issues since.   There's no problem with it on WMI, that's ok to have it set to that method if it works right? ... View more

How do you get the certs going? Had minemeld running bare bones Ubuntu 16.04 LTS.  A lot of vulnerabilities were detected so we tried a dist-upgrade to Ubuntu 18.04 LTS.  That cleared many of the vulnerabilities but broke minemeld.  Posted about it and was told, hey run it in docker.  Ok great!  Found this thread, took Ubuntu all the way up to 20.04 LTS to get even more vulns to go away, installed it, it runs, set a password, great.  But now I want to continue on with your instructions to run it with my certs.  Our internal CA signed our minemeld.domain.com and its already sitting in /home/minemeld so I tried this but not knowing anything about how this all works is confusing....     root@minemeld:/home/minemeld# sudo docker run -dit --name minemeld --restart unless-stopped --tmpfs /run -v minemeld-local:/opt/minemeld/local -v minemeld-logs:/opt/minemeld/log -v /var/lib/minemeld/real-cert.crt:/home/minemeld/minemeld.cer:ro -v /var/lib/minemeld/real-cert.pem:/home/minemeld/minemeld.pem:ro -p 443:443 -p 80:80 paloaltonetworks/minemeld docker: Error response from daemon: Conflict. The container name "/minemeld" is already in use by container "e37c49d9b85a8bb6b47d248666bb8265bccca6fb59dece63316d8aabefc35376". You have to remove (or rename) that container to be able to reuse that name. See 'docker run --help'. ... View more

Ok so I googled it and came across this thread:   https://live.paloaltonetworks.com/t5/general-articles/running-minemeld-using-docker/ta-p/289062     I didn't even think about running it in docker.  Thanks for the suggestion, I'll give it a whirl! ... View more

Because when on site it says in the lower right Gateway External-Gateways The network connection is unreliable and GlobalProtect reconnected using an... (then it's cut off and not fit on the screen).     ... View more

How do you get rid of this warning on PANOS 10.0.6?  Where do you delete all botnet-domains ?  I guess I can just import them via minemeld anyway? ... View more

Wow I must have stumped this forum, or maybe the start of summer everyone is out on vacation or something. ... View more