About BPry

@dwythe, So PAN is changing the naming of the subscription to Prisma Access Agent and that will be the subscription here going forward, so there's a little bit of truth in the fact that you'll no longer be buying a GlobalProtect subscription anymore but rather a 'Prisma Access Agent' subscription. This doesn't change anything for you immediately and you'll be able to utilize both agents with no immediate plan to terminate the legacy GlobalProtect agent anytime soon, it's just a rebranding essentially so that PAN doesn't need to have both clients long-term and can start moving away from supporting two VPN clients.   I am not currently aware of any change in the foreseeable future to remove the free (limited) VPN functionality from the hardware here going forward. If you didn't previously purchase the GlobalProtect Gateway subscription and relied on the free VPN functionality for Mac and Windows clients, I haven't seen any communication stating that this will be removed going forward and PAN would mandate a subscription completely. This wouldn't shock me to see PAN do at some point down the road, but I would be suspect of anyone telling me it was happening immediately if they can't point towards official company documentation stating so.   ... View more

@Tqpharma, You sure that the service just didn't stop or fail to start properly?    The fact that netstat -na | findstr 5007 isn't returning anything when you run it on the server would mean that it isn't listening on the default port, which would explain why it dropped suddenly. Check service status on the Windows side of things and verify that you were using the default port, as it sits there's nothing listening for the Firewall to connect to anymore.  ... View more

@dwythe, Not entirely sure exactly what you're asking, but no you don't need anything specific to make GlobalProtect function and it works perfectly fine with a physical appliance. If you expand on the specific question a bit more we can provide a bit more context.  ... View more

@Alpalo, This isn't currently an option that exists and the portal cannot serve the Windows ARM client; it's a rather stupid limitation at the moment. What you can do is customize the portal login page to direct downloads to an external resource. So you could for example upload the files to an external location and direct users to download the client via that page, instead of through the /global-protect/getsoftwarepage.esp page as a workaround. ... View more

@M.Oswald271605, I don't think you'll find anyone in the community willing to do a screenshare and actively work on configuring your firewall. That is something that professional services, a contractor, or something of the sort would help with.    You should be able to do this yourself easily. Log into the GUI on the firewall and utilize the global search function to see if any of the addresses are even in use by your firewall. You may not even have anything that needs to be updated depending on how open/restricted your configuration is.  ... View more

@L.Rozgon972321, Do you absolutely need multiple portals? The easiest solution here would be using multiple gateways and allow manual selection to control whatever you're using distinct portals for if you're solution would support it.   Alternatively you could essentially reset the portals back to what you want if you enforce the registry or plist values. This wouldn't prevent someone from manually creating a new portal and using it temporarily, but it would make it harder and potentially prevent them from wanting to do so.  ... View more

@D.Davis329631, Just as an alternative, you can edit the MSI using something like Orca to set the portal address and other options without having to use flags. The downside to doing something like that is that you need to perform those edits every time you update your deployed GlobalProtect agent, but at least then you have a simple installer that does everything for the user automatically assuming it's a BYOD endpoint. If you're talking about a managed endpoint this really shouldn't be much of an issue.  ... View more

@SBegass, I don't believe that it's possible to exclude certain event IDs that your agent can read. There's two common scenarios that you'll see for this issue, and that's either building your rulebase with the potential of seeing this admin account recognized or simply excluding those user IDs so you don't see them. ... View more

@gtaboy34, If you look at the traffic from a test client with a URL profile that is set to 'alert' on every category, what does the traffic actually look like? Do you anything from a URL standpoint which is possibly just not matching your custom category, or does it simply not log anything at all?  You used to be able to decrypt this traffic as long as you trusted the Anydesk self-signed certificate that it uses, but that has maybe changed. You also previously needed to have anydesk.com/, *.anydesk.com/, *.net.anydesk.com/, and net.anydesk.com/ for this to filter properly. Again, that could have changed as it's a couple years out of date at this point.  ... View more

@A.Choughule, The migration tool is not supported anymore and would be drastically overkill to use when going between a PAN-OS device to another PAN-OS device. I would go about exporting the configuration from your PA-3220s and importing it onto your new hardware assuming that you either set the same master key between devices so things like the pre-shared-key and phash values are the same or if you've left them as default. This way if you need to make any changes to interfaces you can do that easily directly in the XML before you load it between devices. Once you load the new configuration just check things over and make sure you don't need to correct any validation issues.  ... View more

@HeinzP, I either did not receive this new user in my own upgrades to 11.2.10 or I was allowed to remove it by loading a configuration file that doesn't include this user. Since I manage my devices programmatically I'm actually not positive if I just didn't get this user, or I was allowed to remove it and it isn't strictly required. Can you try just removing the user?  ... View more

@JuanMAbellan, Is this an issue that only started showing up when your devices were updated to 26.1 or is this the first time that you've started trying to decrypt this traffic for iOS devices? Likewise, what application are you talking about and how is it configured? Is this the default Mail app or something like the Outlook app?  ... View more