About BrianRa

Remo,   Thank you again for the reply.  This did not quite fit our environment.  We are using drive encryption that then logs into windows with SSO based on the credentials provided during the drive decryption.   Brian ... View more

Remo,   Thank you for the reply.  I will look into your write up.  We still have a ticket open with support on this subject as it is still not functioning.   Brian ... View more

jprovine,   That is correct.  You will need to change the version when you want to update it.   On the other topic if you create the agents: jprovine_agent     filter on: <domain>\jprovine domain_agent vendor_agent Then you will fall into the first agent group and everyone else will fall into the second agent group that has an allowed domain account.  This is just like the security rules for creating priority. My admins have both the admin and user VPN security groups associated with them.  But the admins have special rights because their agent group is above the domain user agent group on the list.  I have not managed to break anything by creating more specific filters in the agents if this is a concern of yours.   Brian ... View more

jprovine,   If you restrict it based on your user only (LDAP/AD/Local Firewal) and put that Portal Agent first you will fall into that group and only you.  Everyone else will filter through to the next Portal Agent.   Brian ... View more

You do not need to create an additional portal but a new Agent within the existing portal.  Then you can modify the settings I previously mentioned for your new group to allow download and install. ... View more

jprovine,   Yes there is a way to disable their ability to upgrade.  GlobalProtect -> Portal -> Agent -> App setting for "Allow User to Upgrade GlobalProtect App" to Disallow This will not stop them from using the portal only from being able to upgrade it.  Remember this is a push when the connection is either created or updated.  This is not an immediate change, you may want to set this and wait overnight for everyone to log back in and get the updated profile from the firewall. ... View more

jprovine,   You can use any supported version of the GlobalProtect client. Another option would be to download the clients to the firewall you want to test with.  Set them as active and download each one to your computer.  Then set the one you are currently using back to active. We have not had problems playing with multiple versions of the GlobalProtect client.   Brian   <EDIT> I have never tried downloading the GlobalProtect client from Palo Altos web page and using it.  We have always downloaded it to the firewalls. </EDIT> ... View more

jprovine,   That deals with the cert being used by the site you are connecting to.  You can ignore that in the client/agent configuration in the Portal section if you want for testing. Basically the certificate asociated with https://vpn.yoursite.com does not match what the client is looking for.                         Brian   ... View more

jprovine,   One thing to consider and an option we've used for testing.   First any time you are doing testing make sure you change the GlobalProtect -> Portal -> Agent -> App setting for "Allow User to Upgrade GlobalProtect App" to either Disallow or Allow Manually.  If you have anything else it may try to override what you are testing with the production version.   When we test a new client I set the above App setting to Disallow and Download/Activate the version I want to test.  I then download it and install from vpn.firewall.com (your DNS name) manually.  Once we have done this we just Activate the production version we are using again.   Brian ... View more

BTG-charlie,   Sorry, no we are using HA-pair PA-3000 firewalls.  We do have the "GlobalProtect Portal" license.  But from what I understand that should not be required for this to work (PAN techs clarify??).  That should be more related to MDM, HIP checks, etc.  I may be wrong because we wanted those features out of the gate so I have not configured the PA OS without that license.   I was told that configuring multiple Portals/Gateways on one IP was not possible.  That is why we used the Agent profiles within the same Portal/Gateway. What you are trying to do (if I understand correctly) should be possible with one Portal/Gateway and multiple Agents. Network -> GlobalProtect -> Portals -> <Portal_Profile> -> Agent -> <an agent for each type of user> Network -> GlobalProtect -> Gateways -> <Gateway_Profile> -> Agent -> Client Settings -> <matching config and name for each Portal agent>   Once those have been created (under the gateways you will set different IP ranges for each) you will build Policies that allow traffic from those IP ranges to your other Zones/Interfaces. First create the Policy Based Forwarding rules.     VPN IPs to DMZ,External,Trusted,etc Then create the Security rules.     VPN Group1/IP Range/Security Group/Users to Trusted/IP Range/Zone using Applications/Services.     Trusted/IP Ranges/Zone to VPN Group1/IP Range using Applications/Services.  These are just examples of rules but it is the general concept. Brian ... View more

BTG-charlie,   The creating of these profiles is possible all within the same Global Protect Portal and Global Protect Gateway.  We are doing this. Domain users - full tunnel, limited internal network access, HIP checks, OS based Domain admins - full tunnel, all internal networks access, HIP checks, OS based Domain vendors - split tunnel, specific internal network access, no HIP checks, OS based Firewall user vendors - split tunnel, specific internal network access, no HIP checks, OS based Mobile domain users - split tunnel, specific internal access, HIP checks, iOS based (each of these groups is provided a separate 1918 space IP range for easier Security Policy management)   The only part that you stated that worries me is doing different connection types with the same users.  We are basing this on OS type and user credentials (security groups, firewall groups, or specific users).  You will not be able to have one user that can log in using the same computer/device and the same user credentials to different VPN groups/profiles on the same IP using one portal/gateway or multiple portals/gateways.  A HIP check will also not help with this as it is a pass/fail criteria and does not allow you to move down to the next connection in the list.   If you go to Network -> Global Protect -> Portals -> GP_Profile -> Agent -> this is where you will create all the profiles I listed above. The same is the case for Network -> Global Protect -> Gateways -> GP_Profile -> Agent -> Client Settings -> match the profiles created in the Portals. Once both of those are created you will use Security Policies to control the access that the VPN clients get.  Again we do this based on VPN IP, Domain Security Groups, Firewall Groups, Users, and HIP checks.   Hope that is helpful. Brian ... View more

MPI-AE, we are using GP 3.1.3 and 3.1.5 on iOS phones, Windows 7 Ent, and Windows 8 Ent. With no other 3rd party credential providers installed SSO works on the Windows machines without a problem.  The OS detection, user/group mapping, and HIP checks are all working correctly as well.   Unfortunately we are having problems with SSO with our drive encryption and other credential provider components.  As of yet we have not found a solution for that.   Brian ... View more

Shannon,   It looks like there are a couple of ways to configure multicast in PAN OS, doing a google search for "pan firewall multicast" brings up a multiple options.  Unfortunately I haven't played with it at all on PAN firewalls so I don't have any specific advice on it.  A support case might be helpful for some relevant documentation to your situation as well as other peoples experience here. It may also help to describe what you are doing so people can point you in the right direction.    Brian ... View more