This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About Carracido

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Carracido
‎04-23-2024
since ‎07-07-2015
L3 Networker
User Activity
User Profile
Latest posts by Carracido
View All
User Badges
Community Statistics
Member Since ‎07-07-2015 03:06 AM
Date Last Visited ‎04-23-2024 07:17 AM
Posts 109
Total Likes Received 4

Re: Active Directory Users & Computers slow over GlobalProtect

by in General Topics
‎10-07-2020 07:02 AM
‎10-07-2020 07:02 AM
Hi @DougVanAllen ,   actually for us it was the other way around, upgrading to 5.2.2 fixed the issue with ADUC.     ... View more

Re: Active Directory Users & Computers slow over GlobalProtect

by in General Topics
‎08-21-2020 04:02 AM
‎08-21-2020 04:02 AM
We had this issue with several users and the workaround suggested on the article sorted the issue out.   Adding a dummy domain on the split tunnel tab worked. Note: without "no direct access to local netwok" othersie this will nullify the fix of using the domain in split tunnel. From the admin-guide: "Disable the No direct access to local network option (Split TunnelAccess Route). If enabled, this setting disables split tunneling on Windows, Linux, and macOS networks."   The 2nd workaround is to disable weakhost mode from the powershell with commands: Get-WmiObject win32_networkadapter | where-object NetConnectionStatus -eq 2 | where-object ServiceName -ne PanGpd | ForEach {netsh interface ipv4 set interface $_.InterfaceIndex weakhostsend=disabled} Get-WmiObject win32_networkadapter | where-object NetConnectionStatus -eq 2 | where-object ServiceName -ne PanGpd | ForEach {netsh interface ipv6 set interface $_.InterfaceIndex weakhostsend=disabled}   Both workarounds worked fine for all the users.   Does anyone know if this design is intended to be changed in future GP releases? I guess this is a something for a feature request. Did someone requested one for this matter?   Thank you! ... View more

Panorama: cannot use in templates objects from DG

by in General Topics
‎08-13-2020 01:33 PM
‎08-13-2020 01:33 PM
Dear Community,   I have a Panorama with several firewalls in a device group under the share one. I have several templates and I cannot select any shared object from DG into any part of template configuration, for example adding an address object as an interface´s address or into the user ID´s include list. I´m using super admin account to attempt the configuration It´s like the device group and template are not bound at all. Any idea why this can happen?   Many thanks in advance! ... View more

Re: Active Directory Users & Computers slow over GlobalProtect

by in General Topics
‎07-27-2020 01:15 AM
‎07-27-2020 01:15 AM
Hi @scott.chaput ,   By IP scopes of Globalprotect IPs you mean the fqdn address of portal/gateway?   Thank you! ... View more

Is windows VPN client and split tunnel supported?

by in General Topics
‎07-22-2020 09:16 AM
‎07-22-2020 09:16 AM
Dear community,   I configured Windows 10 vpn client to connect to the globalprotect gateway and it works fine, the only thing that it´s not working is split tunneling.   Cannot see the Access Route For Third Party Client on the gateway like this example: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIDCA0   Then checking the documentation it seems like the Windows VPN client is not supported: https://docs.paloaltonetworks.com/compatibility-matrix/globalprotect/what-x-auth-ipsec-clients-are-supported This could explain some of the features not working fine.   Could someone confirm if globalprotect with windows vpn client and split tunnel should work?   Thank you in advance!    ... View more

user-id agent sending IP mapping with blank/no username

by in General Topics
‎07-01-2020 08:58 AM
‎07-01-2020 08:58 AM
Dear community,   I have an environment where I monitor the AD servers with Windows user-ID agents to retrieve the user-ip mappings   There are users with several AD accounts and it´s normal seeing the same IP being mapped to different usernames deppending on what resources the user gets access to.   Sometimes I see randomly in the traffic logs the username blank associated to the IPs and the deny policies are applied to this traffic. It happens like this: Minute X: user-mapping is okay Minute X+1: user-mapping is blank Minute X+3: user-mapping is okay again   I checked with "show log userid ip in <IP> direction equal backward" what mapping the user-id agent are sending and I realized that when I see no-mapping or blank mapping on the traffic logs, the mapping the user-id agent is sending to the firewall associated to the IP is the machine name. Like this: domain\machine_name   Is expected the user-id agent sending the mapping in that format?   Thank you for your answers.     ... View more

Log collection after migrating Panorama from legacy to Panorama mode

by in General Topics
‎06-30-2020 10:09 AM
‎06-30-2020 10:09 AM
Hi Community,   Hope all of you are doing great and healthy.   I have a little issue I´d like to check with you for some advice.   I´m migrating 2x Panorama VM in HA from legacy to Panorama mode with M-100 log collector in a collector group. https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/manage-log-collection/log-collection-deployments/deploy-panorama-with-dedicated-log-collectors.html   I have some questions regarding this deployment. After migration: 1) Could I keep the existing log collector for historical logs and create new collector group with local collectors for storing new logs? New collector group with local collectors configured as follows: https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/manage-log-collection/log-collection-deployments/deploy-panorama-virtual-appliances-with-local-log-collectors.html   -> If answer is yes: 2) Could that be accomplished just by removing the firewalls from existing collector group with M-100 and adding the firewalls to new collector group with local collector?     Thank you in advance for your answers.   Carracido.   ... View more

Re: xdr agent download 22MB with each check-in

by in Cortex XDR Discussions
‎06-08-2020 01:21 PM
‎06-08-2020 01:21 PM
@BPry Thank you for your answer.   Now the traffic got stable but the day EDR data collection was enabled there was a high increase in received traffic.   Do you know if it´s normal that the very first time that EDR data collection is enable this causes high bandwidth consumption to stabilize after some hours?   Thank you!  ... View more

xdr agent download 22MB with each check-in

by in Cortex XDR Discussions
‎06-03-2020 08:48 AM
‎06-03-2020 08:48 AM
Dear community,   I hope you all stay safe and doing great.   I noticed that per each 5-minutes check-in the cortex XDR agents they will get 22MB back from the cloud. I think this is considerable amount of data if there´s no policy/content update to be sent from Cortex XDR cloud to the agents.  This is happening for each agent and it´s impacting the network.    Does anyone know if is expected to receive this amount of data from the Cortex cloud each check-in?     Thank you in advance.   ... View more

Re: User-ID: Is possible to retrieve groups without sever monitoring?

by in General Topics
‎05-15-2020 12:59 PM
‎05-15-2020 12:59 PM
Hi @Abdul_Razaq ,   Yes, it´s possible, just had the chance to verify this.   Thank you for your answer.   Cheers.   ... View more

User-ID: Is possible to retrieve groups without sever monitoring?

by in General Topics
‎05-14-2020 01:54 PM
‎05-14-2020 01:54 PM
Hello community,   I´m sharing with you this doubt you maybe can help me with:   I´m only interested in having the group-user mappings and not ip-user mappings. Is this possible?   Furthermore, is it possible to retrieve group-user mappings without having to configure the server monitoring?   The idea is to configure the LDAP server profile and then the group mapping, is this enough to fetch the users within the groups or for this I will also need to edit User-Id Agent setup settings and configure a Sever monitoring?     Thank you!     ... View more

downtime for migration from MPLS to VPN with BGP with bgp routing

by in General Topics
‎03-20-2020 12:57 PM
‎03-20-2020 12:57 PM
Hello community!   I have currently two sites connected through MPLS and I plan to configure a VPN with bgp routing to migrate traffic.   I am calculating the downtime that may require the migration from MPLS with static routing to the VPN with bgp routing.   I´m considering the following: - Routes learned from IBGP has default AD = 200 and static route has default AD = 10 - After configuring BGP to route traffic over the VPN I should have the routes learned from BGP installed on the RIB but not on the FIB because the static route AD is lower - To make the firewall placing the BGP routes into the FIB I will give the AD of the static route a bigger value than the bgp route.  - After the switch between static-dynamic routing to bring the traffic into the VPN I´m gonna clear all the existing sessions to avoid performance issues. I think the effective downtime could be not even 5 minutes. What do you think?   Thank you in advance! ... View more

Re: tunnel monitor with VPN tunnel in passive mode

by in General Topics
‎02-26-2020 01:15 AM
‎02-26-2020 01:15 AM
Thanks so much for your answers!   I have another question: Tunnel monitor is Palo Alto proprietary and as far as I know it should be use between Palo Alto peers to work optimally, am I right?   Considering this if having a VPN between Palo Alto device and another vendor device, would path monitoring for a static route work similar than tunnel monitor?  My idea is that sourcing the path-monitoring pings from the tunnel IP to remote peer´s IP could keep the tunnel up like tunnel monitoring does. (Not having the firewall in passive mode of course)     Thank you in advance! ... View more

tunnel monitor with VPN tunnel in passive mode

by in General Topics
‎02-25-2020 09:56 AM
‎02-25-2020 09:56 AM
Hello community,   Do you think if having tunnel monitor for an IPSec tunnel in passive mode makes any benefit?   When tunnel monitor detects tunnel down, the firewall would attempt to accelerate the recovery by negotiating new IPSec keys. If firewall in passive node it wouldn´t be able to initiate the negotiations from its side in order to reestablish the tunnel, am I right?   Thank you in advance!     ... View more

Panorama VM running on ESXi 6.7?

by in General Topics
‎11-11-2019 02:51 PM
‎11-11-2019 02:51 PM
Dear community,   I had a Panorama VM running Pan-OS 8.1 without any issue on top of VMware ESXi 6.7, after upgrading to 9.0.4 the host is rebooting the VM from time to time with the following error log: "..........reset by vSphere HA. Reason: VMware Tools heartbeat failure. A screenshot is saved at......"   The screen-shot taken when the VM crashes is just a full black picture.   According to the compatibility matrix don´t know if ESXI 6.7 is supported but the VM was working totally fine with before upgrading to 9.0 https://docs.paloaltonetworks.com/compatibility-matrix/panorama/panorama-hypervisor-support    Does anyone have stable VMs running on top of ESXi 6.7?   Thanks in advance.     ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎04-23-2024 07:17 AM
Latest Tags
No tags yet
Likes Given To
Likes From
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks