About darren_g

darren_g · ‎12-20-2017

Folks. I have a requirement for setting up an EC2 Windows server in a remote Amazon region for receiving files. On this server, I need some custom API stuff (easy) to allow file transfer from the Internet - but I also need a secure VPN to my normal site elsewhere to I can connect to several databases and other services which are *not* available on the Internet. Does anyone know if it's possibel to use the Amazon VPN to setup an IPSec to my Palo Alto's (PA 3050, currently running 6.1.19) to allow for connections to the internal servers? Or would it be easier to leave a console user logged on and run Global protect? While that might work, it's an ineligant solution as it needs all the remote processes to run as that user to be able to access the resources? Thanks for any input

darren_g · ‎10-25-2017

HI. We run global protect for a reasonable number of remote users on our PA3050's without much in the way of issues. One thing which pops up, though, is that our Virus management server (McAfee) gets hugely confused about which machines are on which IP address. We've done a little digging, and it apepars to be related to te fact that all machines conencting via global protect appear to get the same virtual MAC address for the tunnel interface - and this reports to the virus server. Which means, of course, every time someone establishes a new VPN connection the virus server gets a new hostname assigned to the MAC address - which is normally wrong. Does anyone know if there is any way I can force each new connection on GP to get a unique virtual MAC on the tunnel interface on the local PC? If so, how? I've had a poke around and I can't seem to find any way to do it. Thanks

darren_g · ‎07-26-2017

@TranceforLife wrote: I would strongly advise you to get the devices upgraded as you are on EOL release: https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-summary I did an upgrade to 6.1 today. And my fears were correct - it broke things. Luckily, they were easy to fix things, but now I know why I was holding off on upgrading. Oh well. I'll wait a while until I go to V7, methinks.

darren_g · ‎07-25-2017

Thanks - I'll continue to ignore it for now. It doesn't appear to be breaking anything anwyay. Yes, the upgrade process is fairly easy and can actually be done without any downtime. However, be very careful of the behavior changes. It's a big leap from 6.0 to 7.1. Check through all the tech-docs about behavior changes, what's new, new features, upgrade/downgrade considerations, etc. That's the main reason I haven't upgraded yet - I have other PAN devices running later versions, but this is my main production cluster, and has many, many more policies and features enabled - and I don't have time to validate the upgrade and check if anything will break. I might bump it to 6.1 in the near future and let that run a while before going to 7. Thanks again.

darren_g · ‎07-19-2017

Folks. I have a pair of 3050's in a HA cluster, and recently I'ver been noticing some weird messages ont he system log on the primary. I happened to log into the secondary the other day, and say a heap more. has anyone seen messages like the following Failed to upload the new HA URL file to RAM. Failed to upload the old URL file to RAM,Starting with an empty file. Received callback from peer for completion of handle url_sync; file /opt/pancfg/opt/pan/content/pan/panurldb.bin.ha. The corresponding error on the active reads Failed to sync PAN-DB to Peer: Peer user failure Are these something I should worry about? I shoulod note that this pair is running qutie an old software version - getting a time to upgrade is not easy - they're currently on 6.0.15 Thanks for any pointers.

darren_g · ‎06-08-2017

Thank you Sir, you are a legend. I was applying the inbound security rule on the wrong zone, and everything was failing. Now it's not. Appreciate your assistance.

darren_g · ‎06-08-2017

I've had a total brain fade, and am unable to figure this out. Hoping you guys can help. Network topology is relatively simple. Firewall has three zones - outside, inside and DMZ - DMZ has a /25 of "real" Internet addresses on it. Outside has a /30, also of "real" address, and most traffic from inside is translated to the interface address of the outside zone. Inside if RFC1918 IPv4 addressing with multiple static routes to upstream networks. I need to NAT an IP address which is in our public space in our DMZ zone - call the address 1.1.1.123/32 - to a host which is inside my network - call it 10.10.10.10/32 - on a one-to-one basis - no port translations, nothing. BI-directional NAT - any packet coming in to 1.1.1.123 goes to 10.10.10.10, and any packet going OUT from 10.10.10.10 appears to be from 1.1.1.123 as far as the Internet is concerned. Thing is, I don't know if I can do this. I've put in two NAT rules - one translating anything going to 1.1.1.123 to 10.10.10.10, and one translating anything from 10.10.10.10 to 1.1.1.123 - but it's not working. I don't know if I'm screwing up the security policies related, or if what I'm asking can't be done. So, questions for guys who have done more NAT than I have 1. Is the NAT policy I want even possible? 2. Is the methodoligy I've described right? 3. What IP address/interface should I be applying security policies (inbound and outbound) on? The translated address? The untranslated address? Both? Can anyone shed some light for me, please? I'm scratching my head here. Thanks

darren_g · ‎12-12-2016

@santonic wrote: Source zone would be the zone which you assigned to tunnel interface for GP users. You can also check logs and see ehich zone is assigned to GP users. Thanks - looks like I'm out of luck - because the source zone and destination zone are the same. I might have to fiddle with moving the server into a different zone maybe. No, scratch that - I'm an idiot. I put in a rule to allow traffic to the given server - but forgot to put in one to deny everything else!

darren_g · ‎12-11-2016

@baudy wrote: Hi, In addition to specifying users or groups in your security rules, you could configure different IP address pools for different types of users (if you have PanOS 7.0+). This way, your staff can configure their servers or other equipment to let VPN connections coming from the staff pool, and not from the support organisation address pool. Benjamin hi. Haven't upgraded to PanOS 7 yet, so this one's not going to work. Thanks for suggesting, though.

darren_g · ‎12-11-2016

@BPry wrote: The security policy with a specified source user would work perfectly fine, just make sure that you have the source zone setup correctly then setup the rule to only allow access to the machines and the ports that they would need access to. hi. OK, so the source zone would be the zone the VPN terminates on (outside zone), or the one it spits out into? I'm figuring the former, but I could be shooting in the dark. thanks

darren_g · ‎12-07-2016

Folks. I have a normal Global protect portal for internal staff which works fine. I now have been asked to provide access for a support organisation which is not staff - not employed by our company - but which needs access to certain devices inside our network. Does anyone know if there is any way I can restrict what they access via Global Protect? Would a security policy rule on source user work, or is there some other way? Thanks.

darren_g · ‎10-09-2016

Folks. I made a rule change this morning - first one in a while (fairly static environment of late) - and when committing, got the following warning Error: Invalid id 6 for os WindowsUWP.(Module: useridd) Anyone recognise this/know the cause/know what I need to do to fix it? Cheers

darren_g · ‎09-13-2016

@bgmncwj wrote: We've been using Duo two factor along with requiring client certs on machines with a lot of success. This allows us to use two factor and ensure that we only have company approved equipment connect to the VPN. We have the gateway set to use the Duo radius server (https://duo.com/docs/authproxy_reference) for authentication, which then verifes against AD and sends a push request to the users device to confirm authentication along with having a certificate profile setup to verify that a company issued AD cert is installed. On the portal side we just have it verifying against AD directly with no certificate profile. That seems to be the best blend so users don't get requested to authenticate with two factor for config updates, just to actually log in. That looks like it might be a workable solution - and has specific guides for PAN setup - I'll give it a closer look - thanks for the pointer.

darren_g · ‎09-13-2016

@reaper wrote: have you checked out this article: GlobalProtect Dual Factor Authentication with Client Certificate for Windows Yes, I have - but that's not really dual factor authentication in the context I'm using. Compromise a user account and steal a laptop/PC with the certificate already installed - and you're in. With an RSA os similar, you can steal the laptop, you can compromise the account, you can steal the token - but unless you're torturing the token owner for their PIN, you're not going to get in regardless of having the token.

darren_g · ‎09-12-2016

Folks. Does anyone know if it's possible to integrate dual-factor authentication (SecureID or similar) into Global protect authentication? Our business is requiring more and more rigid access control for VPN access (among other things), and I need to look into getting some form of 2FA integrated into our VPN sign on in the short to medium term. Is this possible? Any pointers to guides anywhere? Thanks

Member Since	‎09-16-2012 09:05 PM
Date Last Visited	‎03-24-2026 03:53 PM
Posts	289
Total Likes Received	59

Online Status	Offline
Date Last Visited	‎03-24-2026 03:53 PM

About darren_g

Re: Portal/Gateway certificate renewals - automation?

Portal/Gateway certificate renewals - automation?

Re: Block access on HIP check failure - how?

Block access on HIP check failure - how?

Network monitor shows huge traffic spike, but can't find traffic details

Re: LogDB Import failing - anyone suggest why?

Re: Split tunnel specific URL only, not entire site?

Split tunnel specific URL only, not entire site?

Re: Implications of "No direct Access to Local Network" toggle in Global protect client settings?

Re: Implications of "No direct Access to Local Network" toggle in Global protect client settings?

Re: Portal/Gateway certificate renewals - automation?

Re: Why do "incomplete" sessions show as "allowed"

Re: Force HA failover - how?

Re: LogDB Import failing - anyone suggest why?

Re: Scheduled reports not working

Re: IPSEC vsys cli

Re: HOWTO Wanted : Trunked L3 intrerface with tagged VLAN's

Re: HOWTO Wanted : Trunked L3 intrerface with tagged VLAN's

Re: IPSec VPN routing across multiple tunnels

Re: IPSec VPN routing across multiple tunnels

IPSec VPN from EC2 server to remote Palo Alto possible?

Global protect and virtual MAC address

Re: Strange system error messages

Re: Strange system error messages

Strange system error messages

Re: NAT configuration - DMZ zone to Trust zone

NAT configuration - DMZ zone to Trust zone

Re: Restricting VPN access to internal services on per-user basis

Re: Restricting VPN access to internal services on per-user basis

Re: Restricting VPN access to internal services on per-user basis

Restricting VPN access to internal services on per-user basis

Warning on commit new config - anyone recognise the cause?

Re: Dual Factor Authenticatin for Global Protect - possible?

Re: Dual Factor Authenticatin for Global Protect - possible?

Dual Factor Authenticatin for Global Protect - possible?

Unlock your full community experience!

About darren_g