This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About s.williams1

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
s.williams1
‎11-25-2019
since ‎08-29-2017
L4 Transporter
User Activity
User Profile
Latest posts by s.williams1
View All
My Liked Posts
View All
User Badges
Community Statistics
Member Since ‎08-29-2017 07:06 AM
Date Last Visited ‎11-25-2019 03:34 PM
Posts 103
Total Likes Received 4

Re: Authentication seems to be the most difficult task....

by in General Topics
‎10-09-2017 12:24 PM
‎10-09-2017 12:24 PM
admin@PA500-01> show user group name "cn=domain users,cn=users,dc=domain,dc=lan" | match steven.williams [5510 ] domain\steven.williams [5515 ] domain\steven.williams.da admin@PA500-01>   I sure am.    This one too.   admin@PA500-01> show user group name "cn=paloaltoadmins,ou=groups,ou=domain,dc=domain,dc=lan" short name: domain\paloaltoadmins source type: ldap source: Domain_Users_and_Groups [1 ] domain\steven.williams.da admin@PA500-01>   Something just isn't making sense. ... View more

Re: Authentication seems to be the most difficult task....

by in General Topics
‎10-09-2017 12:14 PM
‎10-09-2017 12:14 PM
admin@PA500-01> show user group list cn=paloaltoadmins,ou=groups,ou=domain,dc=domain,dc=lan cn=domain users,cn=users,dc=domain,dc=lan Total: 2 * : Custom Group admin@PA500-01> ... View more

Re: Authentication seems to be the most difficult task....

by in General Topics
‎10-09-2017 12:09 PM
‎10-09-2017 12:09 PM
lost me. What group?  ... View more

Re: Authentication seems to be the most difficult task....

by in General Topics
‎10-09-2017 12:04 PM
‎10-09-2017 12:04 PM
Already there:   ... View more

Re: Authentication seems to be the most difficult task....

by in General Topics
‎10-09-2017 11:25 AM
‎10-09-2017 11:25 AM
Well if I set the authentication profile to "all users" it works just fine.    Enter password : Target vsys is not specified, user "steven.williams.da" is assumed to be configured with a shared auth profile. Do allow list check before sending out authentication request... name "domain.lan\steven.williams.da" is in group "all" Authentication to LDAP server at 10.100.21.210 for user "steven.williams.da" Egress: 10.100.20.20 Type of authentication: GSSAPI Starting LDAPS connection... Succeeded to create a session with LDAP server DN sent to LDAP server: CN=Steven Williams.da,OU=Users,OU=NoPoliciesApplied,OU=Users,OU=domain,DC=domain,DC=lan User expires in days: never Authentication succeeded for user "steven.williams.da" admin@PA500-01>   So the Bind account is working, its just not working for a specific user group.    admin@PA500-01> show user group name cn=paloaltoadmins,ou=groups,ou=domain,dc=domain,dc=lan short name: domain\paloaltoadmins source type: ldap source: Domain_Users_and_Groups [1 ] domain\steven.williams.da admin@PA500-01>   sees the user but can never auth with it. And yes I have created a user account in the local admins to match this.  ... View more

Re: Authentication seems to be the most difficult task....

by in General Topics
‎10-09-2017 10:22 AM
‎10-09-2017 10:22 AM
The show user group list only shows the user/groups in the Group Mapping Settings which from what I am reading this is not needed when doing WEB GUI auth.    Also that command you mention doesnt exist:   PA500-01> set system setting > ctd ctd > logging logging > mp-memory-monitor Set monitoring of management memory > packet packet > packet-descriptor-monitor Set monitoring of packet descriptors > pow pow > shared-policy Shared policy management via Panorama > ssl-decrypt ssl-decrypt > template Template management via Panorama > url-database URL database > url-filtering-feature change URL filtering feature settings > util util > wildfire wildfire settings > zip zip     ... View more

Re: Authentication seems to be the most difficult task....

by in General Topics
‎10-09-2017 09:51 AM
‎10-09-2017 09:51 AM
That command returns nothing. So I assume it cant see it? ... View more

Get newly added Device in sync with Panorama

by in General Topics
‎10-08-2017 12:06 PM
‎10-08-2017 12:06 PM
I have been manging a PA-500 individually for a few months due to it being on Code 5.x and it not being able to be managed by my Panorama 8.x server. So I have finally brought this PA-500 up to code 8.x, runs like an old three legged dog now, but now I need to start managing with with Panorama. So how do I make sure I do not override the current config with essentially an empty device template? I think I imported a configured device a few months back and must have done it wrong it all the local config settings were overriden and lost when I did a push to the device.    So how do I essentially import the current local config on the PA-500 and get it in sync with the panorama?   ... View more

Re: The Mysterious "stun" application

by in General Topics
‎10-06-2017 09:57 AM
‎10-06-2017 09:57 AM
So I have a rule to allow stun applicaiton on application default service ports but i see it hitting my allow all at the end of the list on different ports. So should I allow "any" on the service ports section? ... View more

The Mysterious "stun" application

by in General Topics
‎10-06-2017 09:11 AM
‎10-06-2017 09:11 AM
Does anyone have a understandable explaination of this application called "stun" from what I can gather its used for things like skype and facetime, but it generates a lot of traffic in my network. While yes we are lync/skype in house and there are the occosional calls out to the internet, I see this application going out to google public IPs on port 19305 and 19302, I see ports 5055 being used as well. How do you control this application? ... View more

Authentication seems to be the most difficult task....

by in General Topics
‎10-06-2017 06:10 AM
‎10-06-2017 06:10 AM
No matter how many articles I read or follow I can never get the authentication to work for LDAP. I create the LDAP server profile, create the Auth Profile, then the Auth Seq, add the user account to admins and assign the profile to that user and it never works. I also get this error when "testing":   admin@PA500-01> test authentication authentication-profile Palo_Alto_Admins username Steven.Williams.da password Enter password :   Allow list check error: Target vsys is not specified, user "Steven.Williams.da" is assumed to be configured with a shared auth profile. Do allow list check before sending out authentication request... User Steven.Williams.da is not allowed with authentication profile Palo_Alto_Admins admin@PA500-01> ! ! ! dmin@TN-19023-PA500-01> show user group-mapping state all Group Mapping(vsys1, type: active-directory): Network_Administrators Bind DN : ldap.read@domain.lan Base : DC=domain,DC=lan Group Filter: (None) User Filter: (None) Servers : configured 4 servers 10.100.6.205(636) Last Action Time: 19 secs ago(took 0 secs) Next Action Time: In 41 secs 10.100.6.210(636) 10.100.21.210(636) 10.110.6.210(636) Number of Groups: 1 cn=paloaltoadmins,ou=groups,ou=domain,dc=domain,dc=lan admin@PA500-01> ! ! !     ... View more

Anyone running Sophos antivirus/webfiltering solution on client machines?

by in General Topics
‎10-04-2017 03:34 PM
‎10-04-2017 03:34 PM
It appears that the sophos client on the windows machines uses its service account username to browse on behalf of the user. So essentially being a proxy for the user, the issue is from the monitoring aspect of the palo alto, I can't see the true user-id that is browsing. Anyone run into this or something similar? Any fixes on the palo alto side ? ... View more

How do I fix this?

by in General Topics
‎10-02-2017 04:37 PM
‎10-02-2017 04:37 PM
Trying to connect PA-500 to user id agent on domain member server and keep getting this from the agent ID app log.   10/02/17 18:33:09:959[ Info 1219]: New connection 10.100.20.20 : 33369. 10/02/17 18:33:09:975[ Info 1292]: Device thread 1 with 10.100.20.20 : 33369 is started. 10/02/17 18:33:09:975[Error 3352]: Failed to validate client certificate, thread : 1, 1-0! 10/02/17 18:33:09:975[ Info 1615]: Connection 10.100.20.20 : 33369 closed. 10/02/17 18:33:15:076[ Info 1219]: New connection 10.100.20.20 : 57572. 10/02/17 18:33:15:076[ Info 1292]: Device thread 1 with 10.100.20.20 : 57572 is started. 10/02/17 18:33:15:076[Error 3352]: Failed to validate client certificate, thread : 1, 1-0! 10/02/17 18:33:15:076[ Info 1615]: Connection 10.100.20.20 : 57572 closed. 10/02/17 18:33:20:193[ Info 1219]: New connection 10.100.20.20 : 38663. 10/02/17 18:33:20:193[ Info 1292]: Device thread 1 with 10.100.20.20 : 38663 is started. 10/02/17 18:33:20:193[Error 3352]: Failed to validate client certificate, thread : 1, 1-0! 10/02/17 18:33:20:193[ Info 1615]: Connection 10.100.20.20 : 38663 closed.   I created a self signed cert on the device.  ... View more

Re: Building New Polices for New Firewall Implementations

by in General Topics
‎09-28-2017 10:18 AM
‎09-28-2017 10:18 AM
Ya and really that can only be done by digging into logs of daily traffic patterns. I mean I am going to miss stuff for sure, so tickets will come for things that people could access the day before "Go live" but I am trying not to stress myself out with knowing every single thing I need to allow. I mean what I did for a small site running a PA-500 was create an allow all policy and move it to the bottom right before clean up rule, then watched traffic for days and build policies above the allow all to see what was still getting caught by the allow all, but again this was a small site. Now looking at a datacenter replacement where almost 85% of internet traffic is going I don't have that kind of time. ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎11-25-2019 03:34 PM
Latest Tags
No tags yet
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks