About Brandon_Wertz

@Satyak wrote: Hi Friends,   We have a customer who wants to Export Last 90 days traffic logs from the firewall for Audit Purpose. We have tried to generate them via Custom Managed Reports but no luck and more over we came to know that there is some logs exporting issues in 10.2.4 PAN OS version so we have suggested them to upgrade to the latest 10.2.8-h3   Could you please help me on how to achieve this requirement. Is it possible to export logs of last 90 days or more than that ?   Thanks and Regards Satya Kalyan Just as an FYI excel has a row limit of just over 1 million rows.  Depending on the amount of traffic and logs created by the firewall there's a high probability that export 90+ days of logs to excel will fail because of that limit. ... View more

Maybe your issue could be solved by this?  https://live.paloaltonetworks.com/t5/next-generation-firewall/ngfw-telemetry-uploads-failing/td-p/439841  ... View more

@JamesH1318 wrote: Does PA have a response to CVE-2024-3661 for it's GlobalProtect users? This post is lacking context.  This CVE isn't specific to Palo Alto, and according to NIST is a relatively low risk.       ... View more

@mannix wrote: Greetings all, I hope you can help me.  I currently have Globalprotect set up on a single firewall - both portal and gateway.  We're using Radius for authentication, it is working well.  We want to transition to SAML.  For testing purposes, we'd like to have SAML configured for a specific test user (or group), while leaving the current authentication scheme in place.  Reordering "Client authentication" does not do it - if I put "SAML-GP" in the first position, SAML works, but no one else can authenticate.  I'm not sure I understand why client authentication order can be changed, but that's the behavior I'm getting.      I'd RATHER not re-ip everything.  I'm thinking that a separate portal with different public IP is the answer; do I have to add a second gateway, too?     I don't THINK I do, if I simply specify the current gateway in the portal config.    Thoughts?  Am I overcomplicating things?   Thanks!     Iain We've recently switched to SAML auth for our GP, and we're told that if using SAML for auth that is the only auth mechanism that can be used.  So no matter how many mechanism you use in an auth profile if SAML is there only SAML will be used.   Not too sure how accurate that is, but that's what we were told from our SE. ... View more

I looked through the release notes and couldn't find anything.  My suggestion would be to open a support case.   I have multiple 3410s/20s running 10.2.7-h8 and we've had no reports of any website slowness. ... View more

I'm not sure if you can go straight from 10.2.X to 11.2.X, that said with 11.2.0 being newly released is there a particular reason why you're going to 11.2.0?  The code is probably no where near ready for a production deployment. ... View more

@BPry wrote: @Sanjay_Ramaiah, If you reach out to a reseller they should be able to help you identify your actual needs. Otherwise as @Claw4609 mentioned you can go through yourself and identify a similar product. The PA-3220 from a quick glance would be your most direct replacement just looking at the spec sheet of the 5400 briefly. You really need your utilization numbers on the 5400 to see what you're actually hitting, and you'd really need to know what features you have enabled to make a direct comparable. If you only have NGFW or you're not even doing that on your checkpoint that severely changes things really quick.  Just FYI, I think the 3200/5200 are going to be EOS soon (if not already) any new hardware purchase should be 3400s or 5400s.     Another consideration point would be SSL decryption requirements.  SSL decrypt really brings down throughput capacity. ... View more

@JakeHarris wrote: We're testing upgrading to version 2.5.x and have run into a few changes with the new features.   We enabled "Use Default Browser for SAML Authentication", because you know ie, is going away.  After doing this, each time our end user authenticates, they receive an "Authentication Complete" Page, with a cryptic message about opening Global Protect and a link that doesn't work.  It comes from https://<VPNGatewayFQDN>/SAML20/SP/ACS   I've searched through documentation and can't seem to find anything about it, nor is it present as a response page you can customize.   Ideally we'd prefer the old behavior, close the browser window / tab that was used for the SAML authentication, but minimally, we need to reword this page so it doesn't confuse users.. Maybe use it as a banner.   This is not the "Global Protect App Welcome Page", that feature is disabled.   Any help would really be appreciated. (I know this is an old thread)   This isn't going to answer your issue, but you're using "default browser because IE was going away.  My company recently ran into this issue.     We use "embedded browser" for SAML auth to Azure AD (Through CIE) for GP.  This wasn't working because the Global Protect software called "Webview" which essentially calls the legacy IE integration for browser authentication.  Webview/IE doesn't support TLS1.3 so we would intermittently get authention failures to GP because of this incompatibility.   Coming in GP client version 6.0.10, I'm not sure about other client version, the GP software will call "Webview2" which calls the "Edge" version to the OS browser.  This call to "Webview2" will support TLS1.3 and will allow the use of the "embedded browser" within the GP client. ... View more

@RajendraSolanki wrote: how many users we can create in the PA-440 Model for the splash page (Captive Portal-based login)? Are you wanting to use local authentication for the captive portal authentication process?  If you are asking for the local database it sounds like there might not be a hard limit per se:  https://live.paloaltonetworks.com/t5/general-topics/number-of-users-on-local-database/td-p/37268  (This topic is really old, but still probably accurate.) ... View more

I think since PAN-OS 10.0 Palo added the required visibility in the ACC tab with a specific section for Global Protect.  There is also specific "Global Protect" logs in the monitor tab. ... View more

If it's "one particular user" then it's probably something with the one user/PC and not a your config issue. ... View more

@armedina wrote: Hello,   So I work in education and our department is currently having an issue with the most recent GlobalProtect update (6.2.2-259) pushed onto us.    Some of our staff members use GlobalProtect on their work-from-home laptops and connect to their office PCs through a RDP connection. We have a document imaging software that staff use which requires GlobalProtect to be activated as well for them to log into the software. Before the update, we were able to activate GlobalProtect on the office PCs and then connect to the document imaging software just fine. Now whenever we try to activate GlobalProtect on the office PC, it'll automatically boot the staff member out of their RDP connection.   I understand that the VPN is switching to an encrypted connection and assigning a new IP, so it makes sense for the connection to temporarily drop between that period. However, prior to the update the remote PCs were working perfectly fine with connecting to GlobalProtect without booting staff members from their RDP connection.   Does anyone have any ideas on what I could try and test to get back to our previous environment? Thanks in advance! When you say "booting from their RDP session" their RDP session is just dropping, right?  If they RDP back into the resource they were on their session on the remote system should be in the same state from the previous connection.   Without hearing more about your setup it's hard to say "why it worked before, but not now" but in general I would expect the RDP session to drop.  If it's MS RDP (mstsc.exe) then you usually got a notification from the RDP application saying you're disconnected and RDP is trying to reconnect.   The GP VPN being enabled should be quicker than the RDP session fully dropping.  That said, maybe there was a configuration difference along with the software upgrade?  Maybe it worked before because split-tunneling was enabled and with the new client version it's not? ... View more

@james_savage wrote: I have some static routes that I am not sure are used anymore in our network. Is there stats anywhere to see if these are being used on the palo? Similiar to the stats you can see on security policy hits or PBF hits If you go to your VR and "more runtime stats" --> Type "S" in the search it will show you your static routes and an "A" for active routes for all your static routes.  Not exactly a hit count, but will tell you if it's actively being used.           ... View more

What's the GP client version?  If Palo has identified this as a known bug, then there's nothing that can be done until they release a patch. ... View more