About TonyDeHart

TonyDeHart · ‎09-15-2023

So I tried this and while it does fix the login to the VPN client itself it does NOT fix the certificate error with the Portal Web GUI. If I go to a device that has never logged in before the portal uses the self-signed cert instead of the proper cert assigned to the portal. Possibly the only real solution is to get a proper SAN cert with IP addresses in SAN component but I'm still baffled why the portal cert changes when modifying the gateway.

TonyDeHart · ‎09-14-2023

I'm not near where I can make this change and test but I'll do so in the morning and give it a try. The only difference in your config vs what I tried that I can see is the addition of the two Certificate Attributes for IP address and SAN name. I only had the IP address in the common name field. What is throwing me is that the step where you set the GP Gateway Cert - when changed - effectively knocks out the PORTAL HTTPS WEB GUI cert (where you'd go, authenticate and then download the GP client). That was unexpected as I would have thought your step (and mine too) where the GP Portal Service Profile is set would control the cert attached to the GP Portal Web Site. As soon as I change the cert on ONLY the gateway I get a cert error on the Web GUI for the Portal which makes no sense to me.

TonyDeHart · ‎09-14-2023

So I guess I'm not smart enough to figure this out. I created at first a self-signed certificate and checked the CA box when creating it and could add the certificate to the portal but it always fails saying the server certificate can't be verified. I then signed it using the root CA for the firewall that I had created some time ago and it'll let me add the root CA to the trusted root ca list but of course not the self-signed one and with that it still doesn't work. So I thought I had to change the SSL cert profile on the Authentication profile (GP Gateway->Authentication->SSL/TLS Service Profile) but then, much to my surprise, the PORTAL cert changes (https://portalfqdn.com) which made no sense to me. Why would the PORTAL cert change when I'm at the gateway level changing the certificate. Not sure where to go with this for self-signed now or what part of this I'm missing.

TonyDeHart · ‎09-13-2023

That is a brilliant idea thank you! I've got a backup VPN setup that I can test this with. Honestly, though, the bigger concern is the LAN cutoff as we have users who need to print (yes...printers) so cutting them off could prove problematic but that might be easily worked around with some exceptions and perhaps dictating a subnet they need to use. I'm really hoping they can address this with a client update however.

TonyDeHart · ‎09-13-2023

The https://tunnelcrack.mathyvanhoef.com/details.html references Mozilla VPN, Surfshark, Malwarebytes, Windscribe, Cloudflare. Maybe I'm reading more into that than is intended but it says explicitly they worked with these vendors and produced a patch If others are taking the approach that no further action is necessary and Palo Alto does the same, I suppose we'll have to live with it but its odd, in my opinion, for a vendor to throw up their hands and say, "Sorry, you'll have to live with this." Full excerpt below: To protect users, security updates were prepared during a 90-days coordinated disclosure in collaboration with CERT/CC and various VPN vendors. Some example patched VPNs are Mozilla VPN, Surfshark, Malwarebytes, Windscribe (can import OpenVPN profiles), and Cloudflare's WARP. If updates for your VPN are not available, you can mitigate the LocalNet attack by disabling local network access. You can also mitigate attacks by assuring websites use HTTPS, which many websites nowadays support.

TonyDeHart · ‎09-13-2023

https://security.paloaltonetworks.com/PAN-SA-2023-0004 This bulletin states that there is no fix for the GP Client. Does anyone know if they are working on one? The idea of locking down completely the local LAN could prove difficult and after a discussion with GoDaddy (our cert provider) they state they will not issue a cert with an IP address in the SAN (I'm aware others might do so). Seems that according to other sites other VPN clients are fixing this so is a GP update imminent?

TonyDeHart · ‎09-13-2023

I'm probably being stupid so I apologize but what is meant by "prefixes"? You mean the subnet prefixes such as /16, /24, etc?

TonyDeHart · ‎09-13-2023

Is there a way to setup TWO IPsec tunnels using different paths (for instance, two different ISP's) and have them share the traffic load between the two vs having a primary and backup? I'm aware we can setup two tunnels and use path monitoring to fail over from one tunnel to the other but is there a way to have two or more tunnels and have the traffic load balanced and still function should one path go down? Right now I'm anticipating we'll need a number of additional routes added to our route table for a backup path with duplicate routes but different metrics between tunnel.1 and tunnel.2 but I'd rather have address X be the next hop and then X forwards to tunnel.1 or tunnel.2 to utilize both paths so one isn't sitting idle. Bottom line is we just want to utilize all the bandwidth we have available but maintain some failover capability should a path drop. FYI this would be for PAN-OS 10.2.

TonyDeHart · ‎08-03-2023

Either there is something unique to my situation or I'm missing something. I did open a ticket with Palo on this but spent some time on it and it is still a mystery why SNMP queries to the IP on interface Ethernet1/17 are not working. I can see ingress traffic to that IP from the machine making the query but there are never any return packets and packet captures likewise show the get request but no response. Hopefully support will have an answer and if so I'll post it here.

TonyDeHart · ‎08-02-2023

Thanks for the suggestion. I'll see where they may be a place that is appropriate but I can't think off hand right now where there would be a place for it that traffic would ever reach since anything valid (outside of intrazone) would hit other rules above it. Perhaps I can also place a rule above somewhere with a very limited scope to see how it fairs before a wider application.

TonyDeHart · ‎08-01-2023

We currently have the ability to use WildFire Inline ML via the Antivirus Profile settings on our PA-5220's. However, all models currently are set to ACTION = DISABLE. I do NOT know why other than either that is what it defaulted to on a previous upgrade or my predecessor had a reason to leave it off. What is the best approach to activating this without potentially causing issues with false positives but NOT leaving us more vulnerable while we turn it up? I assume setting the action to ALERT-ONLY (override more strict actions to alert) would be the option to choose but the I'm concerned by it overriding more strict options it is effectively going to turn OFF scanning/analysis that is already in effect. I'd appreciate any insight from others with more experience. Thank you.

TonyDeHart · ‎07-31-2023

Apparently I do need assistance. I had a ticket open with Palo because I thought I needed to do something with service routes but that is for SNMP traps only I'm told. It isn't clear to me (other than some rule) why I can't get SNMP queries to work on the inside Ethernet1/17 interface. I didn't see the query hitting the traffic monitor so I'm not sure what is happening yet or if some rule is necessary. Essentially I need Netflow and SNMP queries on the same Ethernet1/17 interface IP.

TonyDeHart · ‎07-27-2023

I'm configuring NetFlow on our PA-5200. I'm collecting the data in What's Up Gold. WUG has a limitations (it appears) that the NetFlow IP that I use for the IP address also has to be respond via SNMP on the same address. However, the PA-5200 cannot send NetFlow traffic out its MGMT interface so I'm using our inside trusted interface to send Netflow traffic. Can I configure our inside network interface IP to respond to SNMP queries while leaving the SNMP working on the MGMT interface? I don't want to change the SNMP interface/IP used in our Service Route config because we already have other devices talking to that interface and I don't want to have to reconfigure other SNMP tools. I'm hoping this is possible.

TonyDeHart · ‎07-24-2023

Something interesting I noticed too is that if you adjust percentage values for Panorama's logging and reporting setting the percentages allocated and disk space allocated update for all but the GlobalProtect setting also. It is as if the GUI isn't paying attention to it just like the CLI command.

TonyDeHart · ‎07-24-2023

I wanted to use the "show system logdb-quota" CLI command on our Panorama VM to determine the retention days for GlobalProtect and it appears to be missing in this command. Is there another that can give you the number of days properly? I only get system, config, hip-reports and appstat returned when I issue that command. I seem to be running short on space for GP and need to adjust it but wanted to gauge how much others should be changed and how that impacts GP going forward. I didn't set the original values and not sure what the defaults are but config seemed unreasonably high. > show system logdb-quota Quotas: system: 25.00%, 3.351 GB Expiration-period: 0 days config: 25.00%, 3.351 GB Expiration-period: 0 days hip-reports: 1.00%, 0.134 GB Expiration-period: 0 days appstat: 35.00%, 4.692 GB Expiration-period: 0 days Disk usage: system: Logs and Indexes: 3.3GB Current Retention: 161 days config: Logs and Indexes: 896.4MB Current Retention: 720 days appstatdb: Logs and Indexes: 4.7GB Current Retention: 529 days hip-reports: Logs and Indexes: 0 Current Retention: 0 days Any suggestions?

Member Since	‎02-09-2023 07:25 AM
Date Last Visited	‎02-25-2026 05:38 AM
Posts	122
Total Likes Received	25

Online Status	Offline
Date Last Visited	‎02-25-2026 05:38 AM

About TonyDeHart

GlobalProtect - reject logon attempts for GP versions less than X

Re: GlobalProtect SSL Cert change take effect immediately or require new GP session login?

GlobalProtect SSL Cert change take effect immediately or require new GP session login?

Re: Meraki behind PA - Unfriedly NAT

Re: Webpages are loading very slow

Re: URL Filter Inline Categorization SLOW/DELAY - troubleshooting?

Re: URL Filter Inline Categorization SLOW/DELAY - troubleshooting?

Re: URL Filter Inline Categorization SLOW/DELAY - troubleshooting?

URL Filter Inline Categorization SLOW/DELAY - troubleshooting?

Re: How can I see if my FW has already been exploited by the CVE-2024-3400?

Re: GlobalProtect SSL Cert change take effect immediately or require new GP session login?

Re: PAN-SA-2023-0004 - GlobalProtect fix being worked on for this vulnerability?

Re: Webpages are loading very slow

URL Filter Inline Categorization SLOW/DELAY - troubleshooting?

Re: How can I see if my FW has already been exploited by the CVE-2024-3400?

Re: Clarification on App Rule - I thought I understood this

Re: GlobalProtect SSL Cert change take effect immediately or require new GP session login?

Re: GlobalProtect Automatic Update screenshot?

Re: PA-VM in Azure - multiple Zones? (e.g. DMZ,Trust,Unstrust,etc)

Re: FQDN Object in Policy - not working but FQDN seems to resolve properly

Re: PAN-SA-2023-0004 - GlobalProtect fix being worked on for this vulnerability?

Re: PAN-SA-2023-0004 - GlobalProtect fix being worked on for this vulnerability?

Re: PAN-SA-2023-0004 - GlobalProtect fix being worked on for this vulnerability?

Re: PAN-SA-2023-0004 - GlobalProtect fix being worked on for this vulnerability?

Re: PAN-SA-2023-0004 - GlobalProtect fix being worked on for this vulnerability?

PAN-SA-2023-0004 - GlobalProtect fix being worked on for this vulnerability?

Re: Dual IPSEC tunnels load balanced between two endpoints

Dual IPSEC tunnels load balanced between two endpoints

Re: SNMP response on two interfaces? Possible?

Re: Antivirus Profile - Wildfire Inline ML - best approach to enabling?

Antivirus Profile - Wildfire Inline ML - best approach to enabling?

Re: SNMP response on two interfaces? Possible?

SNMP response on two interfaces? Possible?

Re: show system logdb-quota missing globalprotect stats

show system logdb-quota missing globalprotect stats

Unlock your full community experience!

About TonyDeHart