About MarkTan

I have a support ticket open about this as well, but I was wondering if anyone has encountered an issue where GlobalPortect does not detect the antivirus installed on your computer for HIP checks to work and know of a fix for it? I have the latest version of Microsoft Security Essentials with the latest version of GlobalProtect (2.0.0). Thanks, Mark ... View more

Hello, Is it possible for Captive Portal to work with RADIUS or AD authentication in a way that if the user logs into their PC and authenticates via AD that they will not have to authenticate a second time via captive portal? Or, does captive portal have to be opened via a web browser to authenticate? Thanks, Mark ... View more

Hello, I have a quick question regarding the capabilities of the Palo Alto's. In this scenario, we want to be able to deny computers who connect via SSL VPN (GlobalProtect) access to the network if they do not have antivirus on their machines. Can Palo Alto do this? If so, can you direct me to the procedures of how to set this up? Thanks, Mark ... View more

Hello, Is it possible for the response pages to be hosted externally on a web server or do they have to be hosted from the Palo Alto? ... View more

Hello, In a scenario with two palo alto firewalls where the active firewall fails over to the passive firewall, if there are IPSEC tunnels established are they suppose to automatically come up on the second firewall when the failover occurs or do we have to initialize them manually? If we wanted them to automatically come up, how would we do so? Can someone provide a configuration example? Thanks, Mark ... View more

Hello, We are currently building out our network infrastructure for a new office and have a question regarding the capabilities of the PA 3000 series firewalls. We want to use to be able to use two PA in high availability mode (active-passive) to do our routing, DHCP for different vlans, antivirus filtering, web filtering, vpn, potentially vlans, and active directory integration for the entire office. We will be implementing about 7 vlans (4 of them requiring DHCP); routing for an office of about 100 employees; internet connectivity for PCs, projectors, smart tvs, etc.; antivirus and other security features of the palo alto; ssl vpn; active directory integration for captive portal; and other items. Can anyone provide some insight on whether two PA 3000 firewalls will be able to handle this load? Also, if anyone has any ideas on the proper method to perform DHCP on 4 vlans via subinterfaces, that would be great. I assume that I define the layer 3 interface, create the subinterfaces with the proper tagged vlan, and then set up the DHCP pool tied to that specific subinterface? Thanks, Mark ... View more

Hello, Just a quick background on my question... We are beginning to implement Palo Alto firewalls in our data center, and we want to start using them for SSL VPN connections. We have already gone through the basic setup process and have the SSL VPN connection working with our test group, which is mapped via LDAP and User ID. Now that this is set up, we want to tighten security around our setup. Specifically, we want to be able to start restricting what access people have when the VPN through the Palo Altos. For instance, one department should only be able to access a specific subnet, while another department may be able to access none or multiple subnets. I have read into two possible solutions: multiple gateways and security policies. However, I wanted to get your opinion on the matter and determine which is better, which is worse, which one makes more sense, other options I should consider, and any other information or recommendations people may have. Aside from that, I have two related questions as well that goes into VPN setup. Under the VPN gateway in the Client Configuration tab, what does Access Route do? If I specify a subnet in that area, does this mean I can only access that particular subnet when I VPN in? Secondly, not sure if its possible, but can you have multiple gateways with the same IP address, but set it up so that it maps to specific AD groups? Just an idea I was throwing around in my head with the multiple gateway solution to see if I can do that to restrict access that way. Any help is greatly appreciated. Thanks, Mark ... View more