About bdunbar

bdunbar · ‎11-10-2014

We had a near miss on our PA-200. Got it recovered (thanks, support team!) by reseting to factory default and restoring the configuration, but it would have been a lot quicker if we'd had a current configuration to restore from, instead of having to first save, then reset, then restore. But I want to automate the process of saving a configuration so the -next- time this won't be such a hassle. I think I can simply script a process to login to the host via ssh and dumb the configuration to disk. Unless there is a feature where this can automagically happen?

bdunbar · ‎10-17-2014

Update. The problem was Internet Explorer. Ben installed Chrome and LO it worked without issue. I'd not noticed because the first thing I do on a new host is install Chrome or Firefox.

bdunbar · ‎10-17-2014

PAN-200 Version: 6.0.1 GP Agent: 2.0.4 Having a problem with a laptop (Windows 8.1) and authenticated using certificates and active directory. Palo Alto and network newbie. New to Windows .. I've been a linux admin for so very long. Help ... So .. we doubled the size of our IT department with a new hire, Ben. Ben used a loaner laptop for a week, until 'his' arrived. (Active Directory Domain Controller resides at another site. We connect to them at boot time using GPAgent, with the PAN-200 acting as a CA for the machine certs. It's worked well for my laptop (OS X), a test laptop (Win 8), and New Guy's loaner laptop (Win 8). The windows machines present the domain login at boot and all appears to be well.) The process we have to setup machines is roughly .. Admin generates new certificate, signed by CA. Export as PKCS12, email to user. Verbally provide the passphrase. They import, placing it in the personal cert folder. Ben's new laptop arrived. Generated a new certificate per above. Installed it on new laptop per published instructions. Login to https:\\PAN-IP and it tells him ... 'bad certificate'. Downloaded the .msi and forwarded to him via email .. he installed. Same problem with GP Agent: 'bad certificate'. Removed the certs using the windows cert manage, reinstalled with a NEW certificate. Same problem. Removed the certs from IE and reinstalled the NEW certificate .. same problem. Revoked the cert from the OLD laptop and reinstalled a new certificate .. and it works. It does the same thing when I login with 'my' AD credentials. So I think I've fault isolated the problem to 'the new laptop'. Logs \ System tells me 'GlobalProtect portal user authentication failed. Login from: xxx.xxx.xxx.xxx, User name: , Reason: client cert invalid. I'll accept the cert is invalid, I just don't see how. Where in the Wide World of Sports does one start to troubleshoot this stuff with Win 8.1?

bdunbar · ‎10-14-2014

Interesting: the service was not installed. Re-installed the client and we're in. And now .. I know. Thank you gentlemen and/or ladies.

bdunbar · ‎10-14-2014

Ben - the end user - replied .. This is what the log shows. It just repeats the InitConnection 341 and 349 codes and only does the 71/73/297 errors when I try to apply the setting s we put in. (T788) 10/14/14 09:14:09:488 Info ( 341): InitConnection ... (T788) 10/14/14 09:14:09:488 Info ( 349): Connecting to Pan MS Service end (T788) 10/14/14 09:14:14:474 Info ( 341): InitConnection ... (T788) 10/14/14 09:14:14:474 Info ( 349): Connecting to Pan MS Service end (T788) 10/14/14 09:14:19:481 Info ( 341): InitConnection ... (T788) 10/14/14 09:14:19:481 Info ( 349): Connecting to Pan MS Service end (T788) 10/14/14 09:14:24:003 Debug( 71): CTranslate: dwSidLen is 24 (T788) 10/14/14 09:14:24:003 Debug( 73): CTranslate: sid is S-1-5-21-708218115-2184454047-3009540740 (T788) 10/14/14 09:14:24:003 Debug( 71): CTranslate: dwSidLen is 24 (T788) 10/14/14 09:14:24:003 Debug( 73): CTranslate: sid is S-1-5-21-708218115-2184454047-3009540740 (T788) 10/14/14 09:14:24:008 Debug( 297): CPanGASetting:OnBnClickedSave - resend credentials (T788) 10/14/14 09:14:24:488 Info ( 341): InitConnection ... (T788) 10/14/14 09:14:24:488 Info ( 349): Connecting to Pan MS Service end (T788) 10/14/14 09:14:29:474 Info ( 341): InitConnection ...

bdunbar · ‎10-13-2014

PA-200 Software version 6.01 GP Agent 2.0.4 I've installed GP client on perhaps a dozen workstations, and finally have one that will not authenticate. Help. Installed the machine certificate okay, installed the agent. Opened the app from the system tray, put in correct credentials, click 'Apply' and .. nothing happens. Where do I begin troubleshooting this bear?

bdunbar · ‎10-08-2014

We're partially up: Following the guide linked to by tshiv, I'm generating self-signed certs from the PAN-200, sending them to the machines, importing to the test client machine, and we're set. After lunch I'll see about getting the clients logged in at boot. The problem I had was that the PA-200's self-signed cert did not match the it's DNS or IP - my mistake when I created it. I've got a card on my board to circle back to this after we go-live and do it 'right' using certs from our PKI, but that's another battle.

bdunbar · ‎10-08-2014

I've setup and having some minor issues. What log files on the PAN-200 should I be looking at?

bdunbar · ‎10-07-2014

Thank you!

bdunbar · ‎10-07-2014

Or The Further Adventures of a Networking Neophyte PA-200 Software Version: 6.0.1 GlobalProtect Agent 2.0.4 Now what I need, and desire, is to have client PCs, in an office remote from the data center, login to the domain controller -in- the data center. They would like this as transparent as possible, i.e. to present that domain at login via the standard login menu, and not have it available after boot. I believe the way forward is to - somehow - enable the GlobalProtect client to authenticate during boot. I see ways to do this using Windows VPN client, and Cisco has the process documented, but I can't tell how to make it work for GlobalProtect. I'm searching, and will continue to look, but .. is it even possible?

bdunbar · ‎10-06-2014

Interesting: LOCAL_CP is one of three auth profiles on the device. The others are Keberos Auth - using this to login admin accounts authorized to Active Directory Windstream Active Directory - this is my problem child, right now. AD account is first.last login as first.last 2014-10-06 16:48:50.484 -0500 debug: pan_authd_service_req(pan_authd.c:3316): Authd:Trying to remote authenticate user: brian.dunbar 2014-10-06 16:48:50.484 -0500 debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'vsys1','LOCAL_GP','brian.dunbar'> 2014-10-06 16:48:50.493 -0500 debug: pan_localdb_authenticate(pan_authd_localdb_utils.c:133): No such user <vsys1,LOCAL_GP,brian.dunbar> 2014-10-06 16:48:50.494 -0500 authentication failed for local user <brian.dunbar(orig:brian.dunbar),LOCAL_GP,vsys1> 2014-10-06 16:48:50.494 -0500 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: brian.dunbar authresult not auth'ed 2014-10-06 16:48:50.510 -0500 debug: pan_authd_process_authresult(pan_authd.c:1399): Alarm generation set to: False. 2014-10-06 16:48:50.510 -0500 User 'brian.dunbar' failed authentication. Reason: Invalid username/password From: 216.55.49.134. 2014-10-06 16:48:50.510 -0500 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False login as netbios\first.last 2014-10-06 16:49:03.996 -0500 debug: pan_authd_service_req(pan_authd.c:3316): Authd:Trying to remote authenticate user: corp-cicayda\brian.dunbar 2014-10-06 16:49:03.996 -0500 debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'vsys1','LOCAL_GP','corp-cicayda\brian.dunbar'> 2014-10-06 16:49:04.011 -0500 debug: pan_localdb_authenticate(pan_authd_localdb_utils.c:133): No such user <vsys1,LOCAL_GP,corp-cicayda\brian.dunbar> 2014-10-06 16:49:04.011 -0500 authentication failed for local user <corp-cicayda\brian.dunbar(orig:corp-cicayda\brian.dunbar),LOCAL_GP,vsys1> 2014-10-06 16:49:04.011 -0500 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: corp-cicayda\brian.dunbar authresult not auth'ed 2014-10-06 16:49:04.021 -0500 debug: pan_authd_process_authresult(pan_authd.c:1399): Alarm generation set to: False. 2014-10-06 16:49:04.021 -0500 User 'corp-cicayda\brian.dunbar' failed authentication. Reason: Invalid username/password From: 216.55.49.134. 2014-10-06 16:49:04.021 -0500 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False login as first.last@post-windows-2000.domain 2014-10-06 16:49:21.859 -0500 debug: pan_authd_service_req(pan_authd.c:3316): Authd:Trying to remote authenticate user: brian.dunbar@corp.cicayda.com 2014-10-06 16:49:21.860 -0500 debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'vsys1','LOCAL_GP','brian.dunbar@corp.cicayda.com'> 2014-10-06 16:49:21.869 -0500 debug: pan_localdb_authenticate(pan_authd_localdb_utils.c:133): No such user <vsys1,LOCAL_GP,corp-cicayda\brian.dunbar> 2014-10-06 16:49:21.869 -0500 authentication failed for local user <corp-cicayda\brian.dunbar(orig:brian.dunbar@corp.cicayda.com),LOCAL_GP,vsys1> 2014-10-06 16:49:21.869 -0500 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: corp-cicayda\brian.dunbar authresult not auth'ed 2014-10-06 16:49:21.881 -0500 debug: pan_authd_process_authresult(pan_authd.c:1399): Alarm generation set to: False. 2014-10-06 16:49:21.881 -0500 User 'corp-cicayda\brian.dunbar' failed authentication. Reason: Invalid username/password From: 216.55.49.134. 2014-10-06 16:49:21.881 -0500 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False EDIT It looks like the problem is that vsys1 is associated with 'LOCAL_GP'. So .. I need to define a new virtual system (vsys2?) and associate that with LDAP. I'm skimming virtual systems docs - very slick. I'm liking PAN more, and more. Once I get it working I might well fall in love with it ... EDIT Nope. I was wrong. But looking to fix the above I made it right ... Network - Global Protect - Portals - edit .. Authentication from 'GP_Portal' (what we had setup for local access prior to getting AD stood up) to 'Windstream Active Directory' aka the profile I setup for LDAP/AD. And I'm in. Groovy. Thanks!

bdunbar · ‎10-06-2014

Yes, I realized my mistake (see edit). I inserted that value there: no dice.

bdunbar · ‎10-06-2014

Also have you specified any users in the allow-list, Device - Authentication Profile Name: Active Directory Allow List: All login attribute in the authentication profile is set to sAMAccountName ? I don't see a login attribute there. But in Device - User Identification - Group Mapping Settings .. Name: Windstream AD User Objects - user name 'sAMAccountName' EDIT Correction to the above - I put 'sAMAccountName' in the auth profile 'login attribute'. Committed. Same issue.

bdunbar · ‎10-06-2014

PAN-200 Software version: 6.0.1 GlobalProtect Agent: 2.0.4 New domain, built on Windows Server 2012 R2. I'm missing _something_. Setup as below and I cannot login with the domain name account to the VPN. It's got to be one .. little .... thing. Device - Setup - Services - Services Features: Service Route Configuration / Destination Destination: <ip of domain controller> Source Interface: Any Source Address: 209.59.29.193/26 Device - Server Profiles - LDAP - created server profile 'Windstream-AD' Server Name: tn-ad-01 LDAP Server: <redacted IP> Port: 389 Unchecked SSL Entered NetBIOS domain name Type: Active Directory Clicked the Base Drop down and voila: I got a base LDAP information, all filled in. Entered BIND DN and valid credentials. Device - User Identification - Group Mapping Settings Found the Server Profile 'Windstream-AD' Click 'Group Include List' and it found the list <netbiosname>\ns-vpnusers And .. now what? Is there something else? The two users in the group ns-vpnusers cannot login with their domain credentials. Man - what am I missing?

bdunbar · ‎09-30-2014

That was the trick - thank you very much.

Member Since	‎06-25-2014 10:47 PM
Date Last Visited	‎08-18-2015 09:06 AM
Posts	45
Total Likes Received	17

Online Status	Offline
Date Last Visited	‎08-18-2015 09:06 AM

About bdunbar

Re: IP Renumbering - trying to avert a slow motion disaster

Re: IP Renumbering - trying to avert a slow motion disaster

Re: IP Renumbering - trying to avert a slow motion disaster

Contact a Sales Engineer

Re: IP Renumbering - trying to avert a slow motion disaster

Re: IP Renumbering - trying to avert a slow motion disaster

Re: IP Renumbering - trying to avert a slow motion disaster

Re: IP Renumbering - trying to avert a slow motion disaster

IP Renumbering - trying to avert a slow motion disaster

Re: Emergency FTP on a Friday Night

Backup Configuration of a PA-200

Re: PA-200 - commit change and then nothing

IP Renumbering - trying to avert a slow motion disaster

Re: IP Renumbering - trying to avert a slow motion disaster

Re: Backup Configuration of a PA-200

Re: Backup Configuration of a PA-200

Backup Configuration of a PA-200

Re: Login problem - old user, new laptop and a confused administrator

Login problem - old user, new laptop and a confused administrator

Re: GlobalProtect Client and Windows 8

Re: GlobalProtect Client and Windows 8

GlobalProtect Client and Windows 8

Re: Connect client at boot time

Re: Connect client at boot time

Re: Connect client at boot time

Connect client at boot time

Re: PAN-200 and Active Directory - Part II

Re: PAN-200 and Active Directory - Part II

Re: PAN-200 and Active Directory - Part II

PAN-200 and Active Directory - Part II

Re: For my next feat . . . User Identification and Active Directory

Unlock your full community experience!

About bdunbar