About darren_g

Hey folks.   I had a situation today whereby one of my PA's was responding really slowly across IPSec tunnels and for Global protect clients - so once I could get onto it I started digging into the network monitor to see if I could find out if there was a link/network load issue.   I found a huge spike in traffic in the period concerned - much, much more than normal - but when I tried to check the traffic logs for matching application type, I can;t find anything which would come even close  to matching this level of load   The above shows the spike from the traffic monitor - you can see the increase plainly - and it lists as ms-ds-smbv3 - but when I go looking for that app in the traffic logs - there's minimal amounts - and none of it is in the period indicated by the network traffic monitor.   Does anyone know where I can dig to try and find out where this traffic was from/to?   Thanks ... View more

Hey folks.   I, like probably a lot of us these days, use Global protect for the major percentage of the company's workforce. I run split tunneling - internal resources go over the tunnel, anything else just uses the local internet.   Recently, I have had the need thrown at me the requirement to provide split tunneling for a set of addresses which are a dynamic DNS entry rather than  fixed IP or subnet.   This seems to be perfect for adding into the "Domains and Applications' section of the client configuration - but after researching, I find this won't work without ticking the "No Direct access to Local Network" toggle.   Can anyone tell me the implications of doing this? Is it just the local interface network which can't be accessed while Global protect is running - or does this effectively make split tunneling useless by locking out anything except the tunnel?   I can't seem to find a definitive answer - it should just be what the wording says - lockout of the local LAN used to get internet access - but I've had situations where the logical interpretation of Palo Alto speak turns out to be not so logical before!   Thanks for any input ... View more

Hi Folks.   I run a (well, several) Global protect portals in various parts around the world, and for the large part they work just fine.   Recently, we've acquired another company, and we're dealing with some legacy assets until we can completely bring them in line with corporate standards.   Most of our PC's run Windows 10 Pro, and global protect just works.   However, I've run into an issue with the few legacy devices from the second company which are running Windows 10 Home which is baffling me.   When they connect Global protect, the link comes up fine, and assigns the VPN IP, and carries traffic - BUT the VPN assigned DNS servers don't get put into the DNS list.   Which means the PC can't resolve internal hostnames - DNS requests go to the local link DNS, and fail.   I've ONLY seen this on Windows 10 home - never seen it on Windows 10 Pro.   Has anyone else come across this? is there some magic beside "Upgrade to Windows 10 Pro" which can fix this?   I've put in some local host entries to work around it for the most critical internal hosts - but obviously this isn't ideal, and needs constant maintenance I'd rather avoid.   Thanks for any input! ... View more

Hey folks.   We're planning in implementing MFA for Office 365, and as part of that I want to add the Microsoft office domains into our Global protect split tunnels - since almost everyone is working from home, I want to whitelist our "corporate" IP addresses and have people who are connected from company PC's on the VPN not be bothered by MFA requests.   This is relatively easy in the configuration, but I've come across an issue which is perplexing me.   I run my personal machine on a fairly recent VPN client to check for issues before pushing it out to the main portal for users to upgrade - and when I implemented this split tunnel on the portal, it didn't work.   A colleague who is running the "production" release I have on the portal. So I downgraded tot hat version - and the split tunnelled domains work.   Does anyone know if there's something extra in the later clients which needs to be done to make this work?   Working client version - 5.0.8 Failed client version - 5.2.2   Thanks ... View more

Hi folks.   I have recently, as I'm sure a lot of us have, attempted to tighten security on my global protect portal.   I ran an SSL labs scan on it, and it came back with a B result because of some older cipher suites still being in use - so I made some changes to try and tighten this up.   I was successful - got it up to an A - but it came at a cost.   I, unfortunately, still have numerous Windows 7 workstations (save the outrage, please, I'm well aware of the risks, and there are legitimate reason I can't upgrade them yet), and it seems that tightening these protocols on the firewall completely broke Global protect on the Windows 7 machines. They simply would not connect.   The changes I made were as follows   1. Minimum TLS version set to TLS 1.2 2. Modified shared ssl-tls profile settings as follows auth-algo-sha1 no enc-algo-3des no enc-algo-aes-128-cbc no enc-algo-aes-128-gcm no enc-algo-rc4 no One of these settings simply broke global protect - I had to revert them all (except the SHA1 and RC4)   Has anyone come across his, and know of a solution on he Windows 7 end? Advice to upgrade to Windows 10, while certainly correct, aren't helpful at this point in time - I'm working to get that happening as quickly as I can.   Oh, the GP client running was 5.0.7   Thanks for any input ... View more