About darren_g

@Brandon_Wertz wrote: @pawelzwierz wrote: Here is feature list https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-overview/about-globalprotect-licenses.html Generally licenses are needed: - mobile devices - higher security - HIPS check - clientless   1. No, ip should be binded to interface. U can acheive it by configuring portal with loopback and NAT 2. Yes, exactly To add to what @pawelzwierz  and @BPry  mentioned.  Palo in the "unlicensed" version of GP provides a robust client based VPN.  There's really not anything lacking in this posture.  In the unlicensed version there's no restrictions on capacity or throughput HIP even works for alerting and awareness.    HIP enforcement however comes in the licensed version.  The clientless VPN portal also needs a license which is something you said you're looking for.  I think these two features alone should be able to help you justify the license purchase. There is, actually, in unlicensed - once you install software above the 8.0 series on the firewall, you lose the ability to split-tunnel in the unlicensed version of global protect - something which is critical to my installation.   I've already got the license - I don't need to justify it - I just want to get the most out of it when I get the firewalls actually installed. HIP enforcement is the first thing on my list, for sure.   Thanks for your input ... View more

@pawelzwierz wrote: Here is feature list https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-overview/about-globalprotect-licenses.html Generally licenses are needed: - mobile devices - higher security - HIPS check - clientless   1. No, ip should be binded to interface. U can acheive it by configuring portal with loopback and NAT 2. Yes, exactly In regard to point 1 - what if I bind a second IP address to the interface - can I run one portal on one IP address, and another on he second?   Thanks ... View more

@BPry wrote: @darren_g, Honestly before you do anything else, I would recommend setting up HIP checks to ensure endpoint compliance and securing any critical workloads with HIP match requirements. So something like file server access should require that the endpoint is actually up-to-date and that it has some form of antivirus installed. This is more important now that we have so much WFH across most of the world and a record number of BYOD endpoints being used on enterprise networks. You want to make sure that those endpoints don't bring something into your network, and HIP checks allow you to do that if configured correctly.  Hi @BPry    I've already got that on my radar, definitely. That's one of the major reasons (along with client-less VPN) I purchased the subscription when I got the new firewalls. ... View more

Yeah, the V5 upgrade seems to have worked - and I thought I'd deleted this to save wasting anyone's time any further - thanks for replying and confirming.   I hate Windows 10. 😞 ... View more

The filters were identical to the routes in the normal RIB, and exactly the same as what was in the redistribution rule.   Even the TAC guy doesn't know why. I don't really care - it's working, and that's all that matters. ... View more

@jeremy.larsen wrote: I'm curious what's in your export filter.  Also, have you tried not using the filter as well?  You've got me scratching my head as well now. OK, I tried again with just deleting the export filter - and stuff me, it started to work.   The redistribution profile is controlling what routes get advertised anyway, so I don't need the filter.   I don't know what was breaking it - but it's working now, and in the spirit of "If it 'aint broke, don't stuff with it", I'm leaving it the way it is.   Thanks for your input. ... View more

It's pretty simple     I just tried it with the export filter disabled - no difference ... View more

@jeremy.larsen wrote: Are you missing the "Redist Rule" under BGP that uses the Redistribution Profile? Nope. I've got it set to redistribute statis routes, and am using the "export" filter to limit the routes I want to export to the other end.   All the routes I want to export are in the static routing table exactly as specified in the filter.   ... View more

@jeremy.larsen wrote: Are your 172.x.x.x routes "Connected" routes or are they aggregate routes you want to manually inject?  I'm spinning up something similar in my lab.  I'm trying to remember if they have to exist in the routing table (ie - via static route entry, etc) for them to actually push out via BGP.  It looks to me like they do exist based on your copy/paste.  I'll let you know what I run into.  I do remember routing protocols over VPN being a bit tricky with PAN as there is a built in mechanism for route propogation, but it's been awhile since I've played with it. The routes I want to advertise (172.x.x.x) are static routes, in the routing table.   They're also in the BGP local RIB now I've got a redistribution profile configured and attached properly.   What's got me beat is that the imported route from the remote peer works fine - it just won't export the routes I want. BGP is running - the peer is there, and it's doing its thing - it just isn't exporting. ... View more

@jeremy.larsen wrote: A couple simple suggestions from my own troubleshooting.   I found there are a couple spots where "enable" isn't checked by default.  Under the general BGP tab do you have "enable" checked at the top and "Install Route" checked as well?  Under the "Peer Group" tab do you have your peer groups set the "Enable" as well?  Are you using any kind or Redistribution profiles and are they set under "Redist Rules"?  Is this iBGP or eBGP? hi jeremy.   Thanks for the reply.   yes, the unticked boxes caught me out at first - but they're definitely both enabled, and "install route" is ticked as well - the route from the remote peer is installed, and is in the BGP local RIB   I now have a redistribution profile setup and installed - which I missed the first time around - and the routes I want are installed intot he BGP local RIB as well, vis-a-vis   show routing protocol bgp loc-rib   VIRTUAL ROUTER: default (id 1) ========== Prefix Nexthop Peer Weight LocPrf Org MED flap AS-Path *192.168.220.0/24 169.254.55.10 external-link1 0 100 i/c 0 0 64513 192.168.220.0/24 169.254.55.14 external-link2 0 100 i/c 0 0 64513 *172.20.2.0/23 172.20.200.2 Local 0 100 i/c 0 0 *172.20.12.0/24 172.20.200.2 Local 0 100 i/c 0 0 *172.20.13.0/24 172.20.200.2 Local 0 100 i/c 0 0   but the 172.x.x. routes are still not being exported to the remote peers.   This is eBGP. I'm using this to provide redudnant routing to a remote node over two IPSec tunnels.   I've logged a case with TAC to see if they can tell me where I'm being dumb. ... View more