This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

About darren_g

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
darren_g
‎06-24-2025
since ‎09-16-2012
L4 Transporter
User Activity
User Profile
Latest posts by darren_g
View All
User Badges
Community Statistics
Member Since ‎09-16-2012 09:05 PM
Date Last Visited ‎06-24-2025 04:02 PM
Posts 287
Total Likes Received 57

Re: Global Protect Pre-Authentication with public SSL cert

by in General Topics
‎09-14-2014 08:39 PM
‎09-14-2014 08:39 PM
Hulk. OK, after reading that, it looks like I can deploy this using the same process I use to get Lync certificates to work - but the document indicates that if I enable pre-login, Global protect will reject login from devices which aren't configured with a certificate? Is this the case - so if I enable pre-login, users can't connect to the VPN without having a valid machine certificate issued by the internal CA? Even if they have a valid Global Protect access? Just looking to confirm this one way or another - we have some Mac users who use our VPN where I can't issue certificates (because they're not in the domain, for starters). Thanks ... View more

Re: Global Protect Pre-Authentication with public SSL cert

by in General Topics
‎09-14-2014 05:21 PM
‎09-14-2014 05:21 PM
hshah wrote: Hi Darrent If you are not interested in "Certificate based" Authentication than, following document is useless. https://live.paloaltonetworks.com/docs/DOC-5229 In your update it seems you are looking for AD based authentication, than configuration is much simpler. You just need following change in existing GP configuration. Let me know if this helps you. Regards, Hardik Shah Hardik. Is this all I have to change? Is there any requirement for modification on the remote end of the VPN client? To clarify - if I do this, does this mean that the PC will pre-logon to the VPN prior to the user entering credentials into the Windows 7 login screen and run domain scripts etc? Sorry if I'm not being clear enough - I can't believe this could be that simple. 🙂 ... View more

Global Protect Pre-Authentication with public SSL cert

by in General Topics
‎09-10-2014 06:37 PM
‎09-10-2014 06:37 PM
Folks. My boss wants me to implement "pre-authentication" for my Global protect clients, so that they authenticate against AD before logging on to their laptops when on VPN, and ergo run login scripts, group policies etc. I have https://live.paloaltonetworks.com/docs/DOC-5229 and read through it, and it describes setting up using self-signed certificates. I've actually got valid, official CA issues certificates on my Palo Alto's for Global protect (vpn.organisation.org format, from Verisign). Is there a similar procedure I can use to get pre-authentication working using these real certificates rather than self-signed ones? Thanks. ... View more
Labels:

Re: Weighted dynamic routing on edge - possible?

by in General Topics
‎08-24-2014 09:30 PM
‎08-24-2014 09:30 PM
That's great information Hardik, thank you. I'll be sure to come back if I can't make it work. ... View more

Re: Weighted dynamic routing on edge - possible?

by in General Topics
‎08-24-2014 09:23 PM
‎08-24-2014 09:23 PM
Sweet! Thanks. The logic behind it is backward from what I would expect (the backup link being the default route), but I can make that work. I assume this works on PanOS 5.x and 6.x as well? Thanks again! ... View more

Re: Commit times

by in General Topics
‎08-24-2014 09:20 PM
‎08-24-2014 09:20 PM
rsullivan wrote: I'd like to hear some feedback from users on the 3050 hardware. We currently use the 2020's and commit times are between 30-60 minutes. We've been using this platform for several years and been through tech support dozens of times on this issue. I understand it's more of a hardware design issue and has been corrected in newer models. For anyone on the 3000 series can you give me some feedback on commit times? We have roughly 300 rules and are running in HA active/passive. Thank you I've got a HA pair of 2020's at my main site, and a single 3020 at a remote. I can download (with a slower link), install and validate two dynamic updates (content and virus) on the 3020 in the time it takes to HALF commit the virus definition update on the 2020's. The 3020 commits config changes like lightning compared to the 2020. The big difference is the 3000 series has more RAM for the management plane and a faster processor. If you can convince management to upgrade your 2020's - do it. You won't regret it. ... View more

Weighted dynamic routing on edge - possible?

by in General Topics
‎08-24-2014 09:16 PM
‎08-24-2014 09:16 PM
Folks. Current company is looking to expand to another site (yay for me - I get to upgrade my 2020's to 3020's at the head office!), however I'm in a bit of a quandary on getting the new site working. The new site is going to have two internet links for diversity/redundancy, but  I'm *not* going to be running BGP or any serious internet protocol at the edge. What I'd like to do is terminate the internet (ethernet services) on the Palo Alto and run some form of weighted dynamic routing protocol - tell them to use link A as a primary, but if it fails to cutover to link B for the default route. Does Palo Alto support something like Cisco's policy based routing to manage this? I don't want to just rely on link up/link down states to determine which link to run out of - I'd like to have some kind of active monitoring on the main link which knows when/if the link goes down and changes the default route to the second link. Anyone know if this is possible? Or will it need manual intervention to cut over to the second link? Thanks. ... View more
Labels:

Re: Alternatives to Panorama for log collecting?

by in General Topics
‎07-15-2014 06:51 PM
‎07-15-2014 06:51 PM
Steven. Thanks for the reply. I think QRadar is probably out of the question - looking at the US prices I flinched! My biggest issue with Splunk is that it appears to be more than I need, and I'm not sure how it integrates with the Palo Alto at all - but I'm also not sure how else I would go about getting log storage and reporting off the devices themselves - yes, I can dump it to Syslog - but getting meaningful analysis out of a Syslog server has always been an exercise in frustration. Have you actually implemented Splunk in conjunction with the Palo Alto at all, and are able to say how well it works compared to the on-the-box reporting? Thanks ... View more

Alternatives to Panorama for log collecting?

by in General Topics
‎07-15-2014 03:42 PM
‎07-15-2014 03:42 PM
Hi. After a recent failure HD on my normally active firewall, it appears I'm going to lose close on 12 months of logs because Palo Alto has no defined process to get the logs off a failed hard drive (where the log partition is still accessible) onto the replaced drive. Yes, I have tried scp log export/import - I've swapped the old HD in and gotten it to the point I can get an export, but I can't re-import it. Anyway, that's not the point of this. My boss wanted an alternate solution to keeping the logs on the device, so as to avoid this in future - Panorama of course came up, but the pricing for it is *completely* ridiculous, so it's out of the question. Does anyone have suggestions to an alternate, external log collection point which can give me meaningful data/reports? I don't mind if it costs a bit - but my boss baulked at the much higher amount we were quoted for the VM version of Panorama, so I'd like to keep the costs down to maybe $2-3k if I can. I've heard Splunk mentioned, but a quick perusal looks like it's *way* overkill for what I want. Anyone else got a solution/suggestion? Cheers. ... View more

Re: Moving/importing logs after HD failure

by in General Topics
‎07-07-2014 05:45 PM
‎07-07-2014 05:45 PM
hshah wrote: Hi Darren, I am not sure if this idea would work, but worth trying. connect faulty HDD to linux box, now SCP its log to SCP server. Now, re-SCP it to newer HDD partition. For this you might need TAC help, as you do not have root access. Regards, Hardik Shah Hardik. I am working on something quite similar. I am currently moving the logdb directory (what I can get of it, which is most) from the failed hard drive to a Linux server. Once I have moved this data, I will create an archive in the correct format (gzipped tar) and see if I can SCP it back to the repaired firewall unit using the commands in the documents Hulk showed above. If it works, it's an exercise in frustration - Palo Alto should make this so much easier - but if I manage to get the majority of my data back, I'm happy with that. ... View more

Re: Moving/importing logs after HD failure

by in General Topics
‎07-07-2014 03:00 PM
‎07-07-2014 03:00 PM
hshah wrote: Hi Darren, IF HDD is corrupt, then how did you login to firewall now ?  Based on answer solution will vary. Regards, Hardik Shah It's been replaced, and the device put back online (as the passive node in the cluster). I'm trying to put the old logs back before I put it back into active mode. ... View more

Re: Moving/importing logs after HD failure

by in General Topics
‎07-07-2014 02:59 PM
‎07-07-2014 02:59 PM
HULK wrote: Hello Darren, This DOC may help you to import Logs into PAN FW. CLI Commands to Export/Import Configuration and Log Files Else, PAN support engineer would be able to copy the logdb file into the proper directory. Thanks Thanks - those might help - I'm experimenting now to see how I can make this work. ... View more

Re: Moving/importing logs after HD failure

by in General Topics
‎07-06-2014 10:52 PM
‎07-06-2014 10:52 PM
PA2000. I can get (have got) the old data - I just don't see any method (FTP, SCP etc) to put it back on the new drive bar pulling it out and using an external drive cradle. ... View more

Moving/importing logs after HD failure

by in General Topics
‎07-06-2014 10:36 PM
1 Kudo
‎07-06-2014 10:36 PM
1 Kudo
Hi. Recently, owing to an unplanned abrupt shutdown of my active firewall, I ended up with a hard drive corruption which prevented it from booting up (thank $deity for HA pairs). Quite apart from PA's *ridiculously* bad response time to replace the hard drive (which is being/will be discussed with my support partner, trust me), I need to know if anyone knows how I can get the logs from the old drive onto the new one? I spent about 4 hours copying them before I installed the new drive - and the first thing the damn thing did on bootup was erase the private data - including the logs I had painstakingly copied to the device. So - does anyone know if I can get the log files *back* onto the device before I kick it back into "active" mode? Or do I need to shut it down now that it's got all its config and stuff back on it, then copy the files back from the old drive again and put the new one back into service? I can recover all but one day of the old logs - and give that there's almost 12 months of log data on the old drive, I'm loathe to lose it if I can avoid it. Thanks for any input. ... View more

Re: High Availability weirdness

by in General Topics
‎06-25-2014 06:17 PM
‎06-25-2014 06:17 PM
I will log a case and see what happens. Thanks for your input ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎06-24-2025 04:02 PM
Likes Given To
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks