About Maxstr

Oh, I see what you mean. I should create a new profile with only RSA checked. So does that also mean I need to disable those ciphers on the web server? Or does the PA negotiate the protocol on its behalf? ... View more

Interesting, so I've added the root CA and intermediary CA, and now it shows the server's certificate under the other two. I thought that would fix the issue since it all lined up nicely, but no dice... I'm still getting the errors (first "decrypt-error" then "decrypt-param-unsupport").   So just to verify, the rule should be untrust to trust, source any, destination [the public IP of the server]? ... View more

The certificate is RSA,not DHE. However, noticed that there is an Digicert intermediary certificate in the chain. Do I need to load the intermediary into the PA? I obviously don't have their private key ... View more

It's a basic certificate aquired from Digicert.com. When I look at the certificate itself, it says its RSA SHA256, 2048-bit. But I don't see where it says the encryption algorithm, though (like AES-128CBC or AES-256GCM). I will ask the CA vendor ... View more

Ok, I checked the decryption profile, and the default already has every option checked. Seems to be some other issue then ... View more

Thanks, that's what I ended up doing. I created a new custom report for my VPN zone, for Traffic Summary grouped by source user. I also threw in Application just to see what the users were doing, but that can be removed for a regular list     ... View more

I'm having a similar issue, I am try to enable internal host detection. But the GP client keeps trying to contact our external gateway and failing with "invalid gateway", so it never gets to the internal detection.   I'm not sure how to U-turn NAT it, because the GP gateway doesn't have internal IP address. ... View more

  @reaper wrote: You could push the client through a software management tool and set the configuration in registry by means of Global Policies If users download the client from the GP portal, they'll simply download the executable and will need to imput the portal IP manually to have the client download the configuration   That's what I have been doing so far. But for users that are not on our AD domain, I have to instruct them to enter the IP themselves.    I don't understand why the GP client doesn't come with the settings automatically. It's being downloaded directly from my firewall, it seems like common sense to include an XML or something that would have the connection info.    So what is the "Agent Configuration" tab for if it doesn't actually configure the agent? ... View more

Nice, thanks for taking the time to write an informative answer. I didn't know the other features such as USB were over a different port, I thought it was all tunneled over SSL.   When I look at my traffic, I'm only seeing ports 80, 443, and 8443. It seems everything is tunneled over SSL. We are using a VMAP server though, which all clients must connect to first. Maybe thats the difference?     Thanks! ... View more

I think I understand that, but why does the PA identify certain SSL traffic by it's application name, while others are just "SSL"?   For example, Facebook is over port 443, but it doesn't say "SSL" in the logs, it says "facebook-base". Same thing for other pre-decryption applications, like Google.   So why can't the PA identifiy "vmware-view" instead of just "SSL"? ... View more