About Metgatz

Hello @Carson1998    Try to this Link.   When I enabled this command solv my issues with Office 365 install process.     set deviceconfig setting ctd skip-block-http-range yes   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLjPCAW#:~:text=http%2Drange%20no%C2%A0%20%3D%3E%20In%20PAN%2DOS%207.1-,set%20deviceconfig%20setting%20ctd%20allow%2Dhttp%2Drange%20yes,-%3D%3E%20In%20PAN%2DOS%208.1%20and%20above.%0A%0ANote   Cheers ... View more

Hello @weezy    I reiterate, are you sure that the range you are using in GP, i.e. the range or network you are using for GP, is a route known to your equipment ? Including Juniper ? knows how to return the traffic, when the connection comes from the GP network segment ? knows that the network, for example if your GP network is 172.16.90.0/24, Juniper Pulse, knows where to return the packet ? And the other tests I mentioned ? another IP, telnet ? split ? have you tried ? ... View more

Hello @weezy    Did you add only the IP 10.197.14.9/32 to the GP SPLIT ? ... Do it.  Ok, so if the ping does not complete then we may have a problem. If you have no response to ping then either the server/app has Ping disabled. As I mentioned before, do you have another device/server/printer, endpoint, that does respond to ping from GP on the same network segment as 10.197.14.9/sap-portal.juniper.net e.g. 10.197.14.5 ? 10.197.14.8 ? 10.197.14.3 ? or other to validate if something on that exact network segment responds to ping and responds correctly ? (Make sure you have the Palo Alto FWs security policies allowing this ping traffic). Did you check if the L3/routers or intermediary devices have the return path to the GP network, i.e. the Network or subnet range that you indicated in the FW in the Global Protect config to assign to the endpoints with GP client. In the Log Monitor traffic log, when you track the ping and telnet connection ( you did telnet 10.197.14.9/sap-portal.juniper.net port 443 , i.e. telnet command 10.197.14.9 443 ) you have only sent and not received bits ? Now from a computer stopped on 10.197.14.X ( for example from the server or other device ) if you try to ping or trace to the FWs for example to a GP IP endpoint ( you must allow with security policy the traffic from trust to GP zone ) the trace at least reaches the GW of the FWs PAN ? Cheers ... View more

Hello @weezy    Yes, I know that it is contained in the 10.0.0.0.0/8 but to avoid that the packet can be lost in another computer that sends the traffic incorrectly, please enter in the split the exact address i.e. example 10.10.1.100/32. Now if you tell me that they had to put in their host file the fqdn then it points to the issue being in the DNS. Now how much do you connect to GP: 1.- First what DNS does it assign you ? 2.- Those DNS are able to resolve the fqdn of the sap portal ? nslookup ... etc. 3.- Now from the client connected by GP, you can do a telnet to port 443, this to validate that the port answers. That is cmd. telnet sap-portal.juniper.net 443. 4.- When you are telnetting and/or trying from the client connected to GP to the URL and/or telnet to the port, go to the Palo Alto FW and check the log monitor, filter by IP and validate that there is a traffic log or not. 5.- Perform ping tests, do you reach it with a ping or trace ? the ip/fqdn sap-portal.juniper.net ? In the exact segment, not the supernet 10.0.0.0.0/8, but the exact network segment where the sap-portal.juniper.net is, do you have another IP of that segment with which you can make tests and comparisons, if you reach it or not without problems from GP ? 7.- If you do not have base connectivity it will not respond, check that also the L3 switches and/or routers, Core, etc have the return route corresponding to the network segment that Global protect uses ( the network for GP endpoints clients ), if they do not know how to return the traffic to that network, when the connection is originated, the packet will be lost. 8.- Take traffic captures with Wireshark and/or from the PA and check if you can see any network problem. Regards ... View more

Hello @Dereje    First thinking as always in a possible and safe rollback to use ipv4, I would consider the best option to clone the rules and add the ipv6 sources and destinations.   Having differentiated rules allows you to have a better tracking, review in log monitoring and check the correct hits of these.   Regards ... View more

Hello @TomYoung , thanks for answering.   Regardless of whether these data can be obtained by cli, via snmp statistics with a monitoring server, from Panorama or by the direct GUI of the Fws, the point is to know the detail of the terminology, which each of them includes What measure is it based on and how do they differ? It may not be in the view that mentions Panorama Sessions per second or New Sessions per second, but if you see a datasheet from a FWs if the detail is there or from a Monitoring server that interprets the session data. https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/pa-5200-series-specsheet ( Max sessions, New sessions per second ).   The point and focus of the post is the differentiation of CPS or connections per second, vs. New Sessions per second or Sessions per second, via Session count, on what is it based to differentiate each one, in what measure of time, average, data, type of connection etc. For example Session Connection, how it differs, and why the number of sessions is greater than that of CPS, this to give an example.   Thanks for the collaboration   Best regards ... View more

Hello @kn first of all thank you for your prompt response and for the details provided.   I have some additional doubts, which I would greatly appreciate if you could help me with your specific answers. Is it possible to have a Hybrid environment? That is, for example, in my HQ have SD-WA PAN-OS and in the branches ION Prisma access? Is this compatible? Will I be able to manage the SDWAN part from the Cloud Prisma Controller of the PAN-OS SDWAN (HA FWs) from Prisma SD-WAN or will I only have the Management Plane of the IONs from the cloud?   -Is it mandatory to have PANORAMA to manage Prisma Access / Prisma SDWAN and for PAN-OS SDWAN? I understand that no, since the first ones are already full from the Cloud portal and from PAN-OS SDWAN it can be done manually from the FW GUI.   -Now thinking about SASE, with If I integrate my remote locations, or my remote Networks, so that they are processed by Prisma Access, the proxy policies that are established will be global for all the remote networks, that is, for all that network? or can you filter by IP Source of that remote location/remote network ? And thinking about remote networks, thinking about the traffic between the branches, that is to say, for example, the traffic of remote Networks A that communicates with B and B with A and C, and C, with A and B, the security filtering, of the traffic between these connections would already be through the SDWAN network, not through Prisma Access, right? since if so, with Prisma access it should have "Service Connection" for that additional communication between the branches.   - Now thinking about licensing issues, when you license the Mobily Users part, I understand that the least number of users is 200. Those 200 have the right to use what features? FWas a service to filter the output to the Internet through Prisma Access? Will they also have the right to use SWG to use proxy?   - For remote networks/branches, thinking about licensing, strictly licensing, and what I understand is by bandwidth, in these cases, what bandwidth is accounted for by remote networks? the clean ? the processed? the bandwidth of the remote networks, against example the HQ, by means of a service connection, because for example a remote network needs to access the DNS, AD, internal systems, fileshare, among others of HQ? or what exactly is the use of bandwidth that is charged as consumption of bandwidth license? The processing by the SWG as a proxy for the remote network ?   -If I have my data center and I have to configure a Service Connection, since my remote users and my remote networks, through Prisma Access, need to reach a resource in the HQ/DC, it is enough to create a Services Network Connection to Prisma Access level, or for this example, for the DC/HQ, both must be generated, that is, the HQ/DC is treated as if it were one more Remote Network Connection and additionally a Service Connection must also be created? o Only the Service Connection for the DC/HQ is enough? or is both types of connections mandatory?   I know that they are thank you very much, but first of all I thank you very much for the time and for the one who can review and be able to answer the mentioned points.   Thank you very much for your collaboration, I am attentive to your comments   Best regards ... View more

@weezy    OK, Can you try put exactly network of the portal ? for example ? 10.1.1.100/32. And then in th GP client check the routes to verified if the route is charging in the routes GP. In 6.X Gp you can chek in Tshiit, advanced and routing table. Try put in the split route, exactly route ( example: 10.1.1.100/32 ), logoff login from gp VPN an then test and check Log monitor, filter source your IP GP. Try to do a ping a tracert from Client use GP to check if the route is going to another site, device or is looping in a parte of your network. Cheers ... View more

Hello @weezy    When you connect by GP, and the DNS that it assigns you, resolves the address of that URL ? If you do nslookup and query by that FQDN, does it resolve ?   Thinking about the DNS that you have assigned for GP clients to use.   Regards ... View more