This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About TSilverline

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
TSilverline
‎10-29-2021
since ‎11-06-2016
L3 Networker
User Activity
User Profile
Latest posts by TSilverline
View All
User Badges
Community Statistics
Member Since ‎11-06-2016 06:42 PM
Date Last Visited ‎10-29-2021 12:28 PM
Posts 41
Total Likes Received 7

Re: Panorama reset Authentication Profile (Certificate Profile based Authentication) via CLI

by in General Topics
‎08-17-2019 07:16 PM
‎08-17-2019 07:16 PM
If you have access to CLI, create a new authentication-profile using the set authentication-profile command. Then, assign the authentication profile to the user you want to login with using set mgt-config users *username* authenticaton-profile command ... View more

Re: DNS Block and Notification on Specific Networks

by in General Topics
‎08-17-2019 06:57 PM
‎08-17-2019 06:57 PM
There is no method to return a display to the user that their DNS settings need to be updated. The NAT idea is interesting and maybe the best option besides expecting your users to eventually figure it out. I would certainly not use spoofing - and it wouldnt resolve the overall problem.  Sure, Google's DNS servers are probably the most popular but there are infinite other options people could use that would break. Personally, I would just publish the policy that you don't accept static IP (or DNS) configurations and let users figure it out.  But obviously, every organization is different. ... View more

Re: SSL Outbound decryption - Outbound traffic

by in General Topics
‎08-17-2019 04:28 PM
1 Kudo
‎08-17-2019 04:28 PM
1 Kudo
The SSL certificate needs to be added to the Trusted Root Certification Authorities of all of your computers.  I'd just use a self signed one from the firewall, but you can also get puicly signed ones, etc. This article covers the concept pretty well (I have no affiliation with Globalsign it just explains the concept well): https://www.globalsign.com/en/blog/what-is-ssl-inspection/   Regardless of which route you go, you will HAVE to push at least one certificate to get SSLi working.   If windows, the easiest way do deploy these is using GPO. https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy   If MAC or linux, youd need some sort of orchestration tool (JAMF, etc) to push globally. ... View more

Re: Cant find option to take ACE exam

by in General Topics
‎08-17-2019 03:22 PM
‎08-17-2019 03:22 PM
Trying to understand the issue.   So you are saying that the ACE exam is not available under your normal account but is available under some different company account?    Or you have two different logins to PAN?   If you are sure you are in the right place and it is not showing as available you should reach out to the nextwave support team to investigate. ... View more

Re: Global Protect with RSA SecurID and Group Mapping for Security Policy

by in General Topics
‎08-17-2019 03:19 PM
‎08-17-2019 03:19 PM
@Mick_Ball wrote: I have not needed to try this but could you not just add the domain name to the authentication profile and then change the username modifier to "%USERDOMAIN%\%USERINPUT%".   The firewall will then see user fred smith as domain\fred smith.   the only additional requirement may be to tell radius server to ignore or accept any domain.   Foir some reason I didn't actually try at first this because you seemed to be speculating about the solution; but it was indeed the correct answer. After adding the domain prepend, the group mapping function started working and I am now able to use AD groups for RSA authenticated users in my security policy! No changes to RSA RADIUS server needed. Thanks! ... View more

Re: Global Protect with RSA SecurID and Group Mapping for Security Policy

by in General Topics
‎08-13-2019 12:52 PM
‎08-13-2019 12:52 PM
Thanks again for your reply. Can you help me better understand what you mean by it being more a component of UserID?   I understand the concept of mapping users to different agent configurations based upon groups - but i dont know how to use the groups of an authenticated RSA user for this purpose because RSA doesn't appear return all of the users groups.  This seems pretty straightforward using straight AD, or using local groups in the FW..  But I am not sure how to do it when authenticating against RSA.   So, in your configuration, in which identity source are the groups configured?  If AD, could you help me understand how you configured this?  If somewhere else, can you explain how you configured the groups and got it all working?   Thanks! ... View more

Re: TCP issues when moving an application through a Palo Alto FW

by in General Topics
‎08-12-2019 10:58 AM
‎08-12-2019 10:58 AM
Check Point should be able to tell you why it's dropping the packets.  I would start there and figure out what it doesn't like and then determine how that is happening to the packets. ... View more

Re: How do you deal with Service Route and MGT port redundancy?

by in General Topics
‎08-12-2019 10:52 AM
1 Kudo
‎08-12-2019 10:52 AM
1 Kudo
Make the interface you want to attach the service route to a redundant (aggregate ethernet) interface. ... View more

Re: NAT PPTP VPN

by in General Topics
‎08-12-2019 10:50 AM
‎08-12-2019 10:50 AM
What are you trying to NAT?  The description has the same destination translation as destination address. ... View more

Re: DHCP Options

by in General Topics
‎08-12-2019 10:36 AM
‎08-12-2019 10:36 AM
This is certainly supported now. Can you probide more details on what you would like to do and what's not working? https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/dhcp/dhcp-options/dhcp-options-43-55-and-60-and-other-customized-options.html   ... View more

Re: Global Protect with RSA SecurID and Group Mapping for Security Policy

by in General Topics
‎08-12-2019 09:24 AM
‎08-12-2019 09:24 AM
Thanks for the reply.  Did you then use the groups returned in your security policies?  Or did you have multiple portals/gateways handing out different IP address ranges authenticating different user groups?  Or did you simply allow/deny access based upon group membership? ... View more

Global Protect with RSA SecurID and Group Mapping for Security Policy

by in General Topics
‎07-31-2019 11:39 AM
‎07-31-2019 11:39 AM
I have setup Global Protect with RSA SecurID authentication.  I would like to use the Active Directory groups of these users in my security policy to then allow or deny access to resources based upon their membership.    I have configured the group mapping settings and the firewall is pulling in the AD groups.  However, the policies I have created are not being matched.  It appears since the authentication is via RSA it is not associating the user with the AD groups it is pulling via the group mapping since the user is not associated with the domain.   I found this article which is relating:  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQdCAK but it only seems to be working for the initial authentication, not for actual security policy access post authentication.   IIs there a way to get this working or is there a better method for restricting resource access based upon group membership when authenticating via RADIUS to RSA SecurID? ... View more

Re: HIP Checks for Browser Version

by in General Topics
‎07-17-2019 10:45 AM
‎07-17-2019 10:45 AM
I still don't see any way of using these methods to evaluate whether browser or java versions would be up to date.  Especially since the registry key only offers an exact match of a specic value this whole process seems limited.   Only thing I think could be done is to create dozens of HIP checks matching every single version released and constantly update the firewall every time a new version is released.  This sounds completely unrealistic.   I would like t a way to do this like the patching or antivirus options which let you say if my patches are out of date for X days I match the Av out of date HIP object.  There's no way to say if my version of Java is horribly out of date and I am vulnerable to exploits not to allow a connection? ... View more

Re: HIP Checks for Browser Version

by in General Topics
‎07-16-2019 02:42 PM
‎07-16-2019 02:42 PM
Thanks for the replies but these steps aren't really getting me to what I need. When I do the custom check all it says is whether or not the browser exists or is installed on the system. That registry key shows the value, but the PAN won't just grab the value, it will only try to match on it. Am I missing something? Customer also has requested similar functionality around Java versions.  This seems like a reasonable request but can't find any way of doing it.   Any other thoughts? ... View more

HIP Checks for Browser Version

by in General Topics
‎07-08-2019 02:39 PM
‎07-08-2019 02:39 PM
I have a customer that would like to limit GP authentication based upon browser version running on the clients.  They would like to collect all browser versions and then start blocking connections from clients below minimum settings.   Trying to figure out how to do this but not seeing any straightforward method to collect all web browser versions.   Any thoughts? ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎10-29-2021 12:28 PM
Latest Tags
No tags yet
Likes Given To
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks