About BPry

@buppd96, The examples that you have listed are all categorized as games, can you just block the category for students? Most schools that I've worked with will end up blocking games, proxy-avoidance-and-anonymizers, unknown, and newly-registered-domain to deal with this sort of thing. Then you can make exceptions for any particular domains that you actually want to allow.   I'd also caution that you need policies to actually drive this and technology is just there as assistance and identification. You aren't going to be able to fully prevent students from bypassing filtering, they simply have too much time to try and find ways around your filtering and are too incentivized to do so.  ... View more

@M.Theeuwes, Sadly there's not a lot of good solutions for this outside of custom monitoring being built out. You can get an active client list through the API and validate that they have a HIP report on the firewall active within a provided timeframe. It's a tacky solution to something that shouldn't need to be monitored, but that's what I've found to be the best middle ground.  ... View more

@T.ZAKK, If I'm understanding the issue properly this isn't a problem. You would just need to have the proper routing and security policies in place to facilitate the traffic to actually pass from your GlobalProtect clients to all of the rest of the firewall's connected resources. This means that your "public" firewall needs to have routes and security entries to facilitate access to everything else, but your "non-public" firewalls will also needs routes to know where to pass your GlobalProtect clients alongside their own rules to allow the traffic.  Hopefully that makes sense, but in short you'll just need to verify that everything is aware of the GlobalProtect subnets and routes them back to the "public" firewall and that everything is properly allowed from a security policy aspect across all firewalls.  ... View more

@TomCole, Can you confirm that you're actually seeing two versions of GlobalProtect actively installed and not just a failing upgrade? I've personally never seen GlobalProtect install two versions of the agent at the same time (minus having multiple installations like the Win64 agent and the Windows Store application).    If you're just seeing an endless upgrade loop and the actual upgrade process is failing, that is sadly something that I find to be very common. If you have your agent upgrade process set to be transparent, it's also something that is harder to identify as a user to report unless you're actively looking at connected versions on the firewall or some other utility. A lot of people will utilize deployment tools like SCCM or Intune due to these upgrade challenges. Personally I like to leave them on the firewall and simply utilize HIP checks to denote when a user is N+1 versions behind so that they can get things corrected, and then block anything that is older from connecting to resources and force the user to upgrade.  ... View more

@john64, This sounds like you have an ARP entry that isn't getting updated through GARP like it should.  ... View more

@M_Pandya, OMP is a Cisco protocol, you won't see it utilized outside of Cisco. You probably want to look into AppFabric and read up on how that functions  ... View more

@Carracido, I would recommend opening a ticket with TAC and reporting the behavior. Outside of initial configuration and dialing-in the time attribute settings that you have set, most people wouldn't have a reason to utilize this command to lift this block. I would not expect this to be expected behavior seeing as the debug command is supposed to clear the listing without regard for duration, so I'm guessing that this is a bug that people just haven't noticed because it would be an infrequent action.  ... View more

@dmgeurts, I agree with @OtakarKlier, split-tunneling traffic is something that I don't recommend unless absolutely necessary.    I have seen inconsistencies when you try to include wildcards for split-tunnel domains where it's captured more traffic than intended, so what you're seeing isn't abnormal behavior in my experience. Behind the scenes I'm actually not sure how GlobalProtect identifies the domain you have specified and whether or not that it should route through the GlobalProtect network interface or not. It's understandable to me that some traffic would need to be sent through the tunnel before GlobalProtect can identify whether it should be there or not, much the same as you'd see when allowing access based off of application or app-id.  ... View more

@CEhrl, I think your best course of action here is to pursue why the application split-tunneling isn't working consistently. You'll likely have an easier time chasing that with TAC than you will trying to get GlobalProtect agent/adapter behavior modified since that would be seen as a feature request.  ... View more

@m.wattar, Can you share a screenshot of the error that you are running into? That isn't a standard message and it's possible that what you're seeing is a HIP message and your organization doesn't allow ethernet connected devices for some reason.   I'd also validate that you're running the proper agent. If you're using a M-series processor then Parallels actually runs Windows ARM which will require a completely different client than what you would normally deploy.  ... View more

@darren_g, I would create a new hip-profiles entry that matches the inverse of what you're currently checking. As an example, if I was trying to have a profile that matched devices running GlobalProtect agents that I didn't want to support I would have something like this: <entry name="Non-Supported-Agent"> <match>not ("Supported-GlobalProtect-Agent" or "Supported-Beta-GlobalProtect")</match> </entry>   As you can see above what I'm saying is that this "Non-Supported-Agent" hip-profile should be matched if the device does not match my "Supported-GlobalProtect-Agent" or "Supported-Beta-GlobalProtect" profiles. Any hip-profile can use existing hip-profiles as matching criteria, and here I'm just saying that this particular profile is what I'm going to match on if you aren't running an agent that I've specified.    Then you would use that hip-profile as matching criteria in a deny security rulebase entry. I'd personally recommend checking your HIP logs to ensure that you've built out this profile properly before enabling the rule. That would look something like this though: <entry name="NSA Detection Drop"> <from> <member>BYOD-GlobalProtect</member> </from> <source> <member>BYOD-GlobalProtect</member> </source> <to> <member>any</member> </to> <destination> <member>any</member> </destination> <application> <member>any</member> </application> <service> <member>any</member> </service> <action>deny</action> <log-end>yes</log-end> <log-setting>Email-Alerts</log-setting> <description>Drop NSA agents from accessing resources</description> <group-tag>DENY</group-tag> <tag> <member>DENY</member> </tag> <profile-setting> <group> <member>Default-Protection-Profile</member> </group> </profile-setting> <source-hip> <member>Non-Supported-Agent</member> </source-hip> </entry>   Hopefully this gives you the building blocks to build out what you would want to run personally. Personally I would also ensure that you have a hip-notification setup to notify the user that you're dropping their traffic and any remediation steps that they may need to take.  You can also utilize the API alongside custom reports heavily when you start doing stuff like this as well. As an example we have a script that monitors for anyone matching this HIP profile to send a Slack alert to our helpdesk staff so they're aware of the issue if the user calls, in addition to sending the user an email that includes more information than what we would fit in the HIP message.   Depending on exactly what you have specified you quite possibly will need to build out multiple profiles and multiple rules and hip-notifications to account for everything.  ... View more

@L.Cartooms, These events are point in time, so the past events would not clear from the logs once the domain is categorized. It would simply suppress the event from being generated again since it's no longer unknown.  ... View more

@SyafiqBharudin, 10.1.15 doesn't exist, you can verify by looking at the release notes for PAN-OS 10.1 https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-release-notes/. The latest release is 10.1.14-h14 and PAN didn't actually include any detailed release notes in that version. Short of jumping major versions, you would need to reach out to TAC to get an estimate of 10.1.15 release date or verify whether this was one of the issues addressed in 10.1.14-h14 that they didn't feel like detailing.  In other releases, and under normal situations, PAN details CVEs pretty extensively when fixes are made to address them. This leads me to believe that the fix actually isn't out yet for 10.1 for some reason.  ... View more