This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About cmateam

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
cmateam
‎08-18-2015
since ‎04-10-2012
L3 Networker
User Activity
User Profile
Latest posts by cmateam
View All
My Liked Posts
View All
User Badges
Community Statistics
Member Since ‎04-10-2012 10:51 AM
Date Last Visited ‎08-18-2015 09:07 AM
Posts 76
Total Likes Received 7

Using Purchased Certificate for SSL-VPN Portal/Gateway

by in General Topics
‎07-13-2012 09:37 AM
‎07-13-2012 09:37 AM
We have our GP portal/gateway externally facing. We’ve designated a host name for people to access the portal so they don’t have to remember the IP address - from both Untrust and Trust Networks. Currently the portal throws a certificate warning in it's setup. I purchased a certificate from a public CA for that host name, and uploaded the cert, intermediate cert, and key to the firewall, and set the server cert in both the portal and gateway to that specific certificate, which works great and does not give an error. When navigating to the host name I get a valid certificate and all works well with logging in and downloading the GP agent. However, when the agent/client connects I get a failure because it can’t connect and it shows that it’s trying to connect to the IP address on port 443, but is unable to. The logs say  there is a Protocol error and that I should check the server certificate. I’ve tried a combination of Trusted Forward, Untrust Forward, Root CA Certificate in the cert options, but have not had any luck.  The things I am reading and the documentation on the PAN support site seems either really unclear or inconsistently documented. Any help with that would be great. Is this even a reasonable expectation or am I out the money for a certificate? ... View more

Re: Mac GlobalProtect = Detected another instance

by in General Topics
‎07-13-2012 08:24 AM
‎07-13-2012 08:24 AM
I didn't do a . test, but I have a admin account that is prefix_name style and that works great on my Mac. So I'd assume it's the same as the .?  ... View more

Re: Mac GlobalProtect = Detected another instance

by in General Topics
‎07-12-2012 09:46 PM
‎07-12-2012 09:46 PM
James, I was told that 1.1.6 would be release in conjunction with PANOS 4.1.7 update early August and the name space issue would be resolved.  This is per my sales engineer. ... View more

Re: Internal route problem

by in General Topics
‎07-11-2012 12:45 PM
‎07-11-2012 12:45 PM
Thank you so much!  That did the trick!  ... View more

Re: Mac GlobalProtect = Detected another instance

by in General Topics
‎07-11-2012 08:27 AM
‎07-11-2012 08:27 AM
Interesting.  That's a lot of work for users who have accounts already setup on their Mac's.  Installing third party software, if it works, seems like a better solution for a temp problem (hopefully its temp, anyway).  Good to know this fixes the issue. ... View more

Re: Internal route problem

by in General Topics
‎07-11-2012 07:44 AM
‎07-11-2012 07:44 AM
I'm having an internal routing issue still....anyone? anyone? I opened a support case last night but have not heard anything more. ... View more

Re: Mac GlobalProtect = Detected another instance

by in General Topics
‎07-11-2012 07:41 AM
‎07-11-2012 07:41 AM
James, Glad I'm not the only one having this problem.  Does the . work?  We have firstname lastname and that doesn't work like you mentioned.  Our email addresses work for logins as well, but did not have any luck with that. Spaces work great on a windows side, but they mentioned the next release fixes the space problem. I've been anxious for this as I have mac users needing VPN access.  I was told you can use other IPsec clients to connect, so I was going to look for one for the Mac. ... View more

Re: How to protect an https webserver in the dmz with vulnerability protection ?

by in General Topics
‎07-05-2012 04:03 PM
‎07-05-2012 04:03 PM
I am wanting to do this.  So I assume I upload certs and keys for our web servers to the FW.  What do you do if there is an intermediate cert for those certs.  Do you upload that as well? Thanks. ... View more

GP VPN dual factor auth, and contractor access.

by in General Topics
‎07-02-2012 03:59 PM
‎07-02-2012 03:59 PM
I have two questions regarding the Global Protect Gateway / Portal (SAN the GP Licensing) - I am wanting to setup two factor authentication for users to authenticate to Global Protect Gateway/Portal with a (common) client certificate installed on their machine that our IT department installs. I currently have just AD authentication integrated but want to prevent personal computers from logging into the portal and downloading the software and connecting into our network (even though we place VPN traffic into another subnet seperate from our Trust and Untrust network). It also provides additional security if a user account is compromised. My question is, do I specify this at the Gateway, and then export the client cert to be installed on each individual machine.  Is this a correct understanding? -My second question is about allowing a contractor VPN into our network.  Since we want to provide a common cert to our staff, I don't want to provide the same cert to a contractor.  Must I create another Gateway and Portal to allow this guest to access what is needed inside our network with a completely different certificate.  When this contractor is done, I can just expire the cert?  Is this even possible under the GP san additional licensing? How would one accomplish this, can I create simply another portal, and certificate?  ... View more

Internal route problem

by in General Topics
‎06-26-2012 10:21 AM
‎06-26-2012 10:21 AM
Had a question about internal routing. We have eth port assigned to a trust network which is a 192.168 network.  We also have a Avaya VoIP PBX that is vLan'd on this network and the routing is managed on an internal core switch to access this network.  In our single virtual router I have a route for the 192.168.0.00/16 with next hop to the Gateway.  I also have a network and an additional 172.16.0.0/17 route with a next hop to the core switch.  We put our PAN2020's in place this past weekend, and our old firewall had a static route for the phone system exactly like this.  I am able to ping the phone server at the 172.16.x.x range, and can traceroute it as well (however the first hop times out). However trying to access the web management of the server, or using a service tool, or any application that can connect into the phone server fails. When I monitor the connections on the firewall, it just say the applications are incomplete as if it makes the connection, but does not return the connection. What am I missing?  ... View more

Re: Authentication using LDAP/AD

by in General Topics
‎06-25-2012 08:42 AM
‎06-25-2012 08:42 AM
I was having this same problem and switched to Kerberos (assuming it's an AD environment?).  Worked like a charm. ... View more

Re: Mac GlobalProtect = Detected another instance

by in General Topics
‎06-23-2012 06:10 PM
‎06-23-2012 06:10 PM
I see GlobalProtect and PanGPS running.  Under another account, it only shows GlobalProtect.  This is on the same computer.  We do have spaces in our user names.  When do you expect this fix to be released?  We just put our PAN's into production and have Mac users who need VPN access. Thanks. ... View more

Re: Mac GlobalProtect = Detected another instance

by in General Topics
‎06-22-2012 08:49 AM
‎06-22-2012 08:49 AM
This issue seems to be related to my account specifically.  However, I never had Global Protect installed previously.  So I am at a loss on this one.  Hmm.. ... View more

Mac GlobalProtect = Detected another instance

by in General Topics
‎06-21-2012 08:04 PM
‎06-21-2012 08:04 PM
I just setup SSL-VPN access on our PAN-2020s and downloaded the latest Global Protect Bundle that was released on June 20th, 2012 - v. 1.1.5.  I logged into the portal in my mac and installed the version for Mac running OS X 10.7.4 (64bit) and once the application was done installing I get a popup that says "An old GlobalProtect instance exists, new instance cannot be started!". I've never installed GlobalProtect before, and am unsure as to why I am getting this error. This is typical logging information from Console after installing: 6/21/12 8:55:30.482 PM com.paloaltonetworks.gp.pangpa: P 421-T2823  Jun 21 20:55:30:481807 Info (1009): found another instance: 0 6/21/12 8:55:31.976 PM com.apple.launchd.peruser.1247467267: (com.paloaltonetworks.gp.pangpa) Throttling respawn: Will start in 9 seconds 6/21/12 8:55:41.069 PM com.paloaltonetworks.gp.pangpa: P 429-T2823  Jun 21 20:55:41:69004 Info (1009): found another instance: 0 6/21/12 8:55:43.119 PM com.apple.launchd.peruser.1247467267: (com.paloaltonetworks.gp.pangpa) Throttling respawn: Will start in 8 seconds And this is after I uninstalled: 6/21/12 8:58:06.675 PM Installer: **** Summary Information **** 6/21/12 8:58:06.675 PM Installer:   Operation      Elapsed time 6/21/12 8:58:06.675 PM Installer: ----------------------------- 6/21/12 8:58:06.675 PM Installer:        disk      0.01 seconds 6/21/12 8:58:06.675 PM Installer:      script      0.00 seconds 6/21/12 8:58:06.675 PM Installer:        zero      0.02 seconds 6/21/12 8:58:06.675 PM Installer:     install      11.12 seconds 6/21/12 8:58:06.675 PM Installer:     -total-      11.15 seconds 6/21/12 8:58:06.832 PM Installer: IFDInstallController F2001E10 state = 5 6/21/12 8:58:06.832 PM Installer: Displaying 'Install Succeeded' UI. 6/21/12 8:58:06.000 PM kernel: PsvDrv[line 75]: ctl_deregister failed with error 16 6/21/12 8:58:06.000 PM kernel: Kext com.paloaltonetworks.kext.pangpd did not stop (return code 0x5). 6/21/12 8:58:06.000 PM kernel: Kext com.paloaltonetworks.kext.pangpd can't unload - module stop returned 0xdc008017. 6/21/12 8:58:11.815 PM com.apple.launchd.peruser.1247467267: (com.paloaltonetworks.gp.pangpa[639]) posix_spawn("/Applications/GlobalProtect.app/Contents/MacOS/GlobalProtect", ...): No such file or directory 6/21/12 8:58:11.815 PM com.apple.launchd.peruser.1247467267: (com.paloaltonetworks.gp.pangpa[639]) Exited with code: 1 6/21/12 8:58:11.815 PM com.apple.launchd.peruser.1247467267: (com.paloaltonetworks.gp.pangpa) Throttling respawn: Will start in 10 seconds 6/21/12 8:58:12.934 PM sandboxd: ([349]) WebProcess(349) deny file-read-data /Library/Managed Preferences/chris baker/.GlobalPreferences.plist 6/21/12 8:59:51.842 PM com.apple.launchd.peruser.1247467267: (com.paloaltonetworks.gp.pangpa[653]) posix_spawn("/Applications/GlobalProtect.app/Contents/MacOS/GlobalProtect", ...): No such file or directory 6/21/12 8:59:51.843 PM com.apple.launchd.peruser.1247467267: (com.paloaltonetworks.gp.pangpa[653]) Exited with code: 1 6/21/12 8:59:51.843 PM com.apple.launchd.peruser.1247467267: (com.paloaltonetworks.gp.pangpa) Throttling respawn: Will start in 10 seconds I have to go hack a hidden plist file under /private/var/db/launchd.db/com.apple.launchd.peruser.1247467267 and reboot my machine to stop the process from trying to launch the application that has since been removed. Tomorrow I plan to revert back one version of the GPBundle and try that to see if it works.  Has anyone else seen this issue?  Thanks. ... View more

Re: HA Active/Passive Management Design

by in General Topics
‎05-04-2012 07:13 AM
‎05-04-2012 07:13 AM
Per my original question, can the management ports be subnetted to my LAN zone with an IP address that I can access from the LAN zone - instead of having to walk into my Data Center with two laptops to manage the firewalls.  This will also be particularly important as I will need to manage two additional firewalls at a second location via a IPSec tunnel. ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎08-18-2015 09:07 AM
Latest Tags
No tags yet
Likes From
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks