About Brandon_Wertz

Unfortunately I don't have any other ideas, other than opening a support case getting TAC to take a look. ... View more

@dmgeurts wrote: I've recently migrated to a pair of active/active HA firewalls and am seeing some DNS return traffic dropped. Checking the logs, I can see that traffic is returned via another firewall as the DNS request was received. No problem, as normally the HA session sync is fast enough for the other firewall to have the session. However, the DNS servers reply so quickly that the session state hasn't synced yet and the return traffic is dropped. Has anyone seen this, and any suggestions other than delaying DNS replies on the servers?   Forgot to mention that the pair of firewalls are PA-3410 with direct HCSI link in adjacent racks. So, latency should be as small as it gets. That really doesn't make much sense.  2 networked (routed) endpoints shouldn't be talking faster than firewalls directly connected to each other.  I've never ran a A/A deployment so unfortunately I don't have much insight to share.  I'm assuming you have the HA1, HA2, and HA3 interfaces defined?  The HA3 link as I understand it is required for an A/A deployment.     Are your management and data CPUs all running at normal percentages?  ... View more

@kemeris wrote: I use Android StrongSwan only for testing purposes, as it allows me to easily inspect logs. My main goal is to set up a Palo Alto IPSec tunnel that works with native Windows and macOS clients, so no third-party client is needed. We already have a VPN solution that requires a separate VPN client. Oh ok, Windows/MacOS is a free/included license.    If you already have a separate VPN solution with a separate VPN client, what purpose will Global Protect serve?  I understand the desire to not deploy a second VPN client onto an endpoint, but if you're wanting to use Global Protect I'm not sure there's a supported way forward without using the Global Protect endpoint software. ... View more

@G.Varkey wrote: No blocks observed but US gateways are dropping the traffic going to ohio.gov were as the UK gateway it works. The logs do not show any blocks. Any ideas how to troubleshoot would be helpful. Opened a TAC case however its dragging out for 3 days now How do you know the gateways are dropping the traffic?    It sounds like one potential might be an IP protection thing happening in CF against the US GW IPs?  As subscribers to the Prisma service we have no access to the virtual FWs so the only way to diagnose the potential "dropping" issue is for TAC to do analysis on the infra.     --edit-- This would be a VERY intrusive option, but you could remove your US gateways from deployment 1 at a time, then redeploy them.  This would create new IPs for the gateways in the deployed regions.  Doing so would be a very direct way to see if it's an IP issue.  This drastic of a step could potentially mean disruption of services though if your current GW IPs are used in an allow list for things like MFA or some other public service. ... View more

@kemeris wrote: Hello,   I am totally new to Palo Alto and trying to set up VPN connection from Android Strongswan VPN Client app to Palo Alto without GlobalProtect. I have requirement so client's IP is unknown and can be any public IP. At the moment IPSec tunnel is UP but I always setting error on client side: "setting up TUN device failed, no virtual IP found". Is it possible at all set up such VPN on Palo Alto?     Thank you in advance.     @kemeris -- It's been my understanding that the Global Protect client VPN functionality doesn't work or isn't stable if not using the GP client software.  You mentioned an Android OS the GP client would be a license purchase requirement, but I don't think there's a way around it.  Even if it does work, I don't think it would be a supported option so any issue you might run into in the future would be at your own risk. ... View more

@O.Pavlyk wrote: It dosen`t work!!!!!! Saying "it doesn't work" to a 3 year old post, and a 5 thread doesn't really help solve your problem, or the OPs.  If you're having an issue and were looking for some help if you shared some details maybe we can help determine how to resolve your issue? ... View more

@TomasMedina wrote: The connection to internal resources is via VPN through a policy in GP. We have deployed GP on SCM, not on the firewall. We have reviewed the logs and TAC has reviewed the evidence we have sent them, but they only give us indications that it is a problem with the power process of the endpoints when they hibernate. Here is the lastest TAC response.       When I mentioned "Look at the GP logs on the firewall" and when you say "We have deployed GP on SCM, not on the firewall." we're both saying the same thing.  You might have "deployed" the Global Protect VPN service via Strata Cloud Manager (An orchestration tool) but all that is, is a view into a virtual cloud hosted Palo Alto managed FIREWALL...it's still a firewall.   The note you've shared from Palo TAC is something similar I've extensively troubleshot within my organization.  Are you using Lenovo laptops by chance?  We had a lot of issues with both the wireless network adapter on Lenovo laptops having stability issues that needed driver updates to solve our "VPN problems."    What looked like a "GP problem" for us was a hardware/driver issue on the wireless network adapters across tens/hundreds of laptops.  Looking through our GP logs TAC was also able to identify power adapter/sleep issues of our laptops that was interfering with the GP software functionality.   You originally mentioned that users are online working then "all of a sudden they disconnect."   TAC mentioned power changes in the clients.  When your clients are having issues are they stationary & connected to a docking station?  Maybe try updating both the laptop firmware (drivers) as well as drivers of the docking station itself? ... View more

@quocthinh.9666 -- Since the management interface can be pinged from outside of the subnet I'm going to assume everything is good from the management profile perspective, but check that.  Are there other hosts in the same management network on the same nodes (A or B?)  Can VM from node A ping something in node A?  Does the node A switch see the MAC of both the VM and the firewall?  The management interface isn't using a unique service route?  I would also confirm the subnet mask and default gateway value are correct. ... View more

@TomasMedina wrote: @Brandon_Wertz wrote: @TomasMedina maybe I'm not understanding what you're trying to say here: But to me this means they're "refreshing" their VPN connection.   If their VPN is working, they can access internal resources then all of a sudden they can't access internal resources but they can access things not internal like things on the Internet.  That probably means the VPN isn't connected, it got disconnected somehow.  Especially if refreshing the VPN connection resolves their issue.   Have you looked at the GP client logs for the time period that internal resources aren't accessible? Yes, we have, and yes, the source user is blank. So, I think you are right, the VPN is disconnecting somehow, but we don't know why this is happening.  TAC told us it could be because of the windows power settings, but it is not solved by increasing the idle time. @TomasMedina -- The source user being blank only matters if access to the internal resources have a security policy with a user requirement, is that a portion of the policy?  Right now all of this is just conjecture because we need more details.  You mentioned TAC, were the GP client logs collected when the users couldn't access the internal resources?  Were they analyzed?  Did anyone look at the GP logs from the firewall?  Did it in-fact show there was a client disconnect?  Or was it like @BPry mentioned it is simply because user attribution is being lost?  What's the user attribution method?  What's the timeout?  Did anyone look at the User-ID logs on the firewall?   There are so many different possibilities for the issue and questions related to the actual thing that's going on.  The first step I'd start with is GP client logs collected from the client at the time of the issue, which TAC should already be doing. ... View more

@TomasMedina wrote: The GP client does not disconnect at all. It just loses connectivity, perhaps it is lost through the service connection. If it was the SC, I assume your clients are on Prisma Access, then refreshing the client connection wouldn't resolve the SC (IPSec) connection issue. ... View more

@TomasMedina maybe I'm not understanding what you're trying to say here: But to me this means they're "refreshing" their VPN connection.   If their VPN is working, they can access internal resources then all of a sudden they can't access internal resources but they can access things not internal like things on the Internet.  That probably means the VPN isn't connected, it got disconnected somehow.  Especially if refreshing the VPN connection resolves their issue.   Have you looked at the GP client logs for the time period that internal resources aren't accessible? ... View more

This sounds like their GP client goes into a disconnected state, and the users don't recognize the VPN is disconnected. ... View more

@Demong wrote: @Brandon_Wertz thanks, but for my SOHO tasks this box works enough. And I still hope to... Good luck ... View more

@Demong -- Unfortunately.  The box is a brick.  The hardware itself has been EOS for almost 2 years.  6.X is EOS, 7.X is EOS, 8.X is EOS, 9.X is EOS, 10.0 is EOS & 10.1 is soon to be EOS.  You will probably have a better chance at winning the lottery than making this PA-500 useful to you. ... View more