Hi All,

Setup
- We got 2 PA clusters with a leased line between them, joining two offices of the same company.
- Both offices have their own AD, servers, ...
- We have GlobalProtect configured on both devices.
- We have PAN-OS User-ID configured (so no agent) on both devices.
- We have a user-based security rule providing a "support" user access to certain devices.
=> This is all working fine, but only if we use each office's local GlobalProtect connection. In other words, we can only reach servers in office A if we log in to the GlobalProtect of office A.

Goal
- We now want to be able to GlobalProtect to office A, but reach servers in office B, with user restriction (this last part is the important part).

Problem
- When we create a rule on the PA of office B to allow access from connections coming from office A to certain servers, the PA of office B does not know the user, since it was authenticated via GlobalProtect on the PA of office A. Hence, we cannot create user-based security rules.

Solution?
- Either give the GlobalProtect "support" user a fixed IP (that way we can work IP-based instead of user-based). But this is not possible I think, only by creating a separate portal + gateway?
- Passing on the user-IP mapping from office A to office B. But we only want the user-IP info of the GlobalProtect users (which are local users: the same user exists on both devices).

Is this possible, and if yes, how do we configure this?

Kind regards
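As an added illustration of the second option in the post (forwarding only the GlobalProtect user-to-IP mappings from office A to office B), and not the poster's or Palo Alto Networks' own configuration: the script below filters a mapping table taken from office A down to the GlobalProtect-learned entries and serialises them as a PAN-OS User-ID XML API `uid-message` login update, which office B accepts on its `/api/?type=user-id` endpoint. The hostnames, the API-key placeholder and the sample mapping table are constructed; the `"GP"` source tag and the field names of the mapping table are assumptions to be checked against the real `show user ip-user-mapping all` output on office A. Because office B only knows the mapping for the `timeout` it is given, the sync has to be re-run before that expires, or the user-based rule on B silently stops matching and the "support" user loses access.

```python
"""Forward GlobalProtect user-to-IP mappings from firewall A to firewall B.

Added example, not the poster's configuration.  Input is a mapping table
read from office A (here a constructed sample); output is a User-ID XML API
login update pushed to office B so that its user-based rule can match the
user who authenticated through office A's GlobalProtect gateway.
"""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of office A's user-to-IP mapping table.  The "source"
# value "GP" for GlobalProtect-learned entries is an assumption; verify it
# against the real `show user ip-user-mapping all` output.
SAMPLE_MAPPINGS = [
    {"ip": "10.10.20.15", "user": "corp\\support", "source": "GP"},
    {"ip": "10.10.30.41", "user": "corp\\alice", "source": "AD"},
    {"ip": "10.10.20.16", "user": "corp\\bob", "source": "GP"},
]

# Placeholders (assumptions), not real devices or credentials.
OFFICE_B_HOST = "fw-office-b.example.invalid"
OFFICE_B_API_KEY = "<API-KEY-OF-A-USER-ID-ONLY-ADMIN>"


def select_gp_mappings(mappings):
    """Keep only the entries office A learned from GlobalProtect.

    AD/server-learned mappings stay on office A, which is what the post asks
    for: only the GlobalProtect users are relevant to office B.
    """
    return [m for m in mappings if m["source"] == "GP"]


def build_uid_message(mappings, timeout_minutes=60):
    """Serialise mappings as a User-ID XML API login update.

    `timeout` is how many minutes office B keeps each mapping; the sync must
    run again before it expires or the user-based rule stops matching.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for m in mappings:
        # Attribute order (name, ip, timeout) matches the documented format.
        ET.SubElement(login, "entry", name=m["user"], ip=m["ip"],
                      timeout=str(timeout_minutes))
    return ET.tostring(root, encoding="unicode")


def push_uid_message(host, api_key, uid_xml, ssl_context=None):
    """POST the update to office B's User-ID XML API and return its status.

    Use an API key of an admin role limited to the User-ID XML API, so the
    key stored with the scheduled sync cannot be used to change policy.
    Pass an ssl_context only if the firewall's certificate chain is not
    trusted by the host running this script.
    """
    body = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": uid_xml}).encode()
    req = urllib.request.Request(f"https://{host}/api/", data=body,
                                 method="POST")
    with urllib.request.urlopen(req, context=ssl_context, timeout=15) as resp:
        return ET.fromstring(resp.read()).get("status")


if __name__ == "__main__":
    gp_only = select_gp_mappings(SAMPLE_MAPPINGS)
    message = build_uid_message(gp_only, timeout_minutes=30)
    print(message)
    # Uncomment once OFFICE_B_HOST and OFFICE_B_API_KEY point at a real device:
    # print(push_uid_message(OFFICE_B_HOST, OFFICE_B_API_KEY, message))
```

Run it on a schedule shorter than `timeout_minutes` (for example every 15 minutes with a 30-minute timeout) from a host that can reach both management interfaces, and pair it with a matching `<logout>` update when a GlobalProtect session ends so office B does not keep granting access to an IP the support user has left.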