About dreputi

Hello Santonic, It looks like you are describing Active FTP where the client first initiates a connection on Command port 21 to server and the server responds to it. Then server will initiate a connection from its side to client for data connection using port 20. https://live.paloaltonetworks.com/docs/DOC-6936 But PAN uses its ALG(Application Layer Gateway) to inspect the layer 7 packets of the FTP connection ie from client to server's port 21 and its response from server. PAN then sees what ports the client and server's are negotiating, it will open a predict session of type PRED from server's side to Client's side on those specific ports. This is done dynamically so you DON'T have to open up those ports explicitly. When the firewall sees traffic coming from the server matching those ports, then it will convert this PRED session into ACTIVE session. This also means you DON'T have to create new security or NAT rules to allow traffic in the reverse direction. The other alternative is to use a Passive FTP where client only initiates connections in both the directions. Moreover the second session doesn't appear to be correct in your example since the client will not serve anything on its port 20. Regards, Dileep ... View more

You are right Chris! Usually with GP, these are some key things that I ensure with respect to certificates, so just wanted to emphasize that it is taken care. Like we all discussed, the culprit here is the match in the address field for IP/FQDN. Thanks, Dileep ... View more

Hello Kst, Please make sure you have complete certificate chain in the certificates. Add the trusted root certificate in the 'Trusted root certificate column' of the portal. Most importantly, as I have seen in other cases, please check if the portal/gateway certificate has common name as IP or FQDN. You must match the same in the Portal Config>Client Configuration>Gateways>External gateways>Address. Also when the user connects, they must use the same IP/FQDN in the portal address field. Let us know how it works. Regards, Dileep ... View more

Hello Gururaj, I haven't tested this myself but have come across this "PAN doesn't directly support Google Authentication method, but it can be done through FreeRADIUS server. Referred to http://www.virtualvcp.com/tech-guides/36-vmware-view/194-securing-vmware-view-google-authenticator-and-freeradius". Regards, Dileep ... View more

Hello Amacaronis You can refer to Global Protect Administrator's guide apart from the links suggested above. This explains lot of possible ways to configure GlobalProtect like two factor, client-cert authentication, RSA tokens, and more. It also has references to other documents in it. It is pretty big but lot of your doubts should be cleared in this document: GlobalProtect Administrator's Guide 6.0 (English) Let us know if you have any specific questions. Regards, Dileep ... View more

Sorry I missed 'APPLICATIONS' in the above example. But same logic is applied for Applications as well. ie ((Szn1 or Szn2 or...) AND (Saddr1 or Saddr2 or...) AND ( Susr1 or Susr2 or....) AND (Hp1 or Hp2 or...) AND (Dzn1 or Dzn2 or...) AND (Daddr1 or Daddr2 or ...) AND (App1 or App2 or ...) AND (Srvc1 or Srvc2 or....) AND (Ctgry1 or Ctgry2 or...)) Regards, Dileep ... View more

Hello dthibodeaux, You can understand it this way: In a security policy, the match will be for ((source zone, address ,user, hip, destination zone, address, service, URL category)). To this, the ACTION is applied ie allow/deny. If Security profiles are attached, then the ACTION will be based on decision taken by security profiles like url, threat etc. For example: source zone- SZn1, SZn2...(or Any) source address- Saddr1, Saddr2...(or Any) soure user- Susr1, Susr2...(or Any) hip profile- Hp1, Hp2...(or Any) Destination zone- Dzn1, Dzn2....(or Any) Destination address- Daddr1, Daddr2....(or Any) Service- Srvc1, Srvc2...(or Any) URL-Category - Ctgry1, Ctgry2...(or Any) Logic will be like this(Rule match is top to down approach): RULE1: ((Szn1 or Szn2 or...) AND (Saddr1 or Saddr2 or...) AND ( Susr1 or Susr2 or....) AND (Hp1 or Hp2 or...) AND (Dzn1 or Dzn2 or...) AND (Daddr1 or Daddr2 or ...) AND (Srvc1 or Srvc2 or....) AND (Ctgry1 or Ctgry2 or...)) RULE2: ((Szn1 or Szn2 or...) AND (Saddr1 or Saddr2 or...) AND ( Susr1 or Susr2 or....) AND (Hp1 or Hp2 or...) AND (Dzn1 or Dzn2 or...) AND (Daddr1 or Daddr2 or ...) AND (Srvc1 or Srvc2 or....) AND (Ctgry1 or Ctgry2 or...)) To this match, the ACTION is applied based on security profiles. Let us know if that helps. Regards, Dileep ... View more

Hello Gregoux, Please check if the user groups are being pulled in the CLI: >show user group list If it shows up there, it could be a GUI glitch. Try a different browser. -Dileep ... View more

Hello Gregoux, You can refer to this document: Cannot Pull Groups from Active Directory LDAP Server -Also you can check if the Device>User Identification>Group Mapping Settings>Select the profile>Group Include list, if it is properly pulling the group information and if you have correct groups in the include list(if any). -You can also try by creating a new group mapping profile to see if that fixes the issue. -You haven't mentioned if its in panorama or local device. If its panorama, make you have properly selected the master device in the device group because that's where panorama pulls group info from that selected master device. Regards, Dileep ... View more

Hello Mcocat, You can also create a bidirectional NAT rule which looks like this: The source address being the private IP of the server and translated Ip being the public facing IP. This basically splits the NAT rule internally into two- one for outbound and another for inbound. You can refer to above document given by tpiens to understand this better. Regards, Dileep ... View more

Hello Amit, Above is true. Also, you can find more info about configuring PA firewall for management access from page 3-8 in the admin guide: PAN-OS Administrator's Guide 6.0 (English) Regards, Dileep ... View more

Hello Amit, Yes you can use the dataplane port to use it for updates. All you have to do is to setup service routes for whatever updates you need, to use that dataplane interface. Please ensure the following: -your DNS can resolve to updates.paloaltonetworks.com, -There is no deny all rule which can block this traffic -Any upstream device via that interface must allow access on port 443. Please refer to the above document referred by Hulk for assistance with service route. Regards, Dileep ... View more