About ericgearhart

bulent wrote: if you have a config backup I recommend factory reset Wait a second here... have you opened a ticket and sent a tech support file to PA support yet? There might be a simple fix that lets the commit complete, or at least some debug command on the commit that provides more detail      ... View more

Honestly Greg at this point we're looking to buy a pair of ASAs and go the AnyConnect route for remote user VPN access. If you guys ("you guys" being PA) feel it's useful and a feature that makes sense, I'd ask that you guys go ahead and put in an FR/bug report/whatever for it. I hate to sound so negative or sour, but GlobalProtect didn't live up to our expectations. ... View more

I just randomly stumbled on that one when I was going over the "big bugs" list, and saw the description on it. It'd be neat if you could try the workaround at some point, but I completely understand the desire to leave it alone because "it just works right now" ... View more

Also the dialog can be disabled, and the AnyConnect client can be configured to simply not connect after throwing an error: Improved Security Behavior When the client accepts an invalid server certificate, that certificate is saved in the client's certificate store. Previously, only the thumbprint of the certificate was saved. Note that invalid certificates are saved only when the user has elected to always trust and import invalid server certificates. There is no administrative override to make the end user less secure automatically. To completely remove the preceding security decisions from your end users, enable Strict Certificate Trust in the user's local policy file. When Strict Certificate Trust is enabled, the user sees an error message, and the connection fails; there is no user prompt. ... View more

This is essentially what I mean... this is Cisco's AnyConnect and the dialog it presents when there's an invalid certificate: http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp43939 ... View more

So an 'any' app rule with specific services defined worked, while a custom app override didn't work? Weird. Really weird. You're not doing anything like IPS/Flie blocking/DLP in the rule are you? I've had that one bite me recently... the traffic from a SQL client could make it to the server, but specific responses from the SQL server were being dropped. That one was weird too. ... View more

An update on this thread... PA is sending us an eval 5000 series box and an eval 500 series box, and they promise they're going to hook up us with their BreakingPoint test profile so we can import their settings and hopefully recreate their own findings. I'll add to this thread when we get the boxes, get them racked, apply the BreakingPoint test case, etc. ... View more

Also this kind of plugs into another issue with GlobalProtect, in that policy is completely reset when the user reboots. When they reboot, even if there was a way to push this setting to the GP client, the setting would be turned back off on reboot until the user VPNs back in. Not good. ... View more

This is a great answer... I completely forgot about taking advantage of private VLANs to "funnel" the traffic to a control point. ... View more

umphmharding wrote: It would probably be best to consult your local Palo Alto SE about that ticket and the details. I can see the details myself! If I do a 'wget https://my-PA-firewall/device/export.file.php' I can pull a generated tech support file without being authenticated! ... View more

The interesting thing is that 46728 isn't listed at http://securityadvisories.paloaltonetworks.com/ ... ... View more

sraghunandan, I really, really dislike this "feature"... I expressed this in a case I had open as well because I originally thought it was a bug(Case #00107848 - "GlobalProtect advanced mode is enabled after a reboot, even though it is disabled in the portal settings"). I realize it's "by design," but in my humble opinion 'Advanced mode' should default to disabled until the next successful port auth/VPN auth. After the auth, if 'Advanced mode' is enabled when the client refreshes its config from the server, only then should advanced mode come back on. I can already forsee that rebooting and then having access to advanced mode would play havoc with a deployment of GlobalProtect for us, as we're forced to use "OnDemand mode" because we have two-factor authentication requirements that we have to enforce. This issue and other issues we've had are collectively show-stoppers for us implementing GlobalProtect, to the point where my boss has us looking at ASAs in order to move to Cisco's AnyConnect. ... View more