About reaper

Hi!   did you set up tunnel mon itoring? that actively helps to disable rouytes when a tunnel goes down ideally use BGP instead of static routes as well (but tunnel monitor should help you out in this) ... View more

have you disabled ZTNA? in my experience you log on the first time, change password, disable ZTNA, device reboots, login with default admin, change password again, commit and then you should be ok   are you able to share the output from your CLI ? ... View more

That process should be pretty solid 1.1) update content and antivirus 1.2) install plugins if any Make sure you double-check if there are any variables being used and theyre copied over to the new devices ... View more

typically you should set up your 'ingress' rules so you allow only what you absolutely need and drop everything else good practice is to put those rules at the very top of your rulebase so an accidental 'any any' further down doesn't let in any bad things from the internet a typical layout would be something like this:   -block embargo countries and known malicious IP addresses (from palo EDL for example), set the service to 'any' -allow inbound server connection (smtp,https,...). make sure you define app-id and ports (app-default is fine, just don't put 'any' in the service) -allow in/outbound IPSec -allow inbound GlobalProtect -drop (this is silent making it 'stealth') all other packets from source untrust (destination ANY so it accounts for NAT rules etc), set the service to 'any'       As @Tom  mentioned, if you are hosting admin access on your untrust interface, migrate that access to GlobalProtect as soon as possible (#1 top priority) as this is extremely risky ... View more

unfortunately theres not a lot of information to work with here did you verify the link with DUO is still 'valid': no expired certificates, no new security policy that blocks access to duo, different NAT, expired service account,...  ... View more

You will be able to connect to other MU-SPNs (like japan) or even establish an SC from inside China but there would not be a guarantee this connection is not metered/shaped or even closed at any time as this is an unauthorized VPN It may also bring additional governmental scrutiny   Officially you should have a termination point inside China (a palo firewall with GlobalProtect enabled for example) with an approved Cross Border Line (CBL) to a peer outside of china, from there you can connect an SC to prisma access even if you have prisma access inside china, it needs to be connected to the rest-of-the-world prisma access via this CBL method ... View more

the first thing you should check in this case is the user attribute mapping: in the prisma access (or global) configuration scope, go to Identity Services > Cloud Identity Engine verify what the primary username is set to and compare that to the usernames you are seeing from the user-id agent   if the userid agent sends you domain\user, set the CIE primary to SAM Account Name, if the format is user@domain, set the primary to User Principal Name   this can happen if you instruct CIE to fetch one type of username format while receiving a different format from the uidagent i.e. your groups come loaded with username references that don't match the actual usernames       ... View more

That's the weird thing... they discontinued expedition without a viable free alternative, there's only the 'migration factory team' in professional services   so for now your only recourse would be the dockerized open source versions on github ... View more

@Fariq_Zaidi you may want to to look into Prisma Browser for this While currently sftp is not supported natively you could make a portal available inside the browser that allows users to securely download files ... View more

hi @BradQin    Unfortunately Palo Alto decided to terminate expedition and removed the download you can still find dockerized versions on places like github, but none are 'official'  ... View more

Q1 depends how your system is set up: do you have a password profile that locks your account if you tried the wrong password too many times and are you exposing something to the internet (portal, GUI) where someone could try to brute force your admin account, thereby locking it ? if you totally lost your password and are unable to get back in, you can boot into maintenance mode and load a previously saved config. If you haven't created any backups, you'll need to factory reset and start over unfortunately Q2 how did you revert? did another admin account work?  ... View more

just to concur with @BPry : GlobalProtect will retain its functionality for the foreseeable future but Palo made some changes in the SKUs associated with GlobalProtect to reflect their new 'Prisma Access Agent' which will run side by side with GlobalProtect and offer slightly different functionality - You can keep using GlobalProtect for free on all your hardware and VM firewalls - if you need mobile devices, HIP, IPv6 etc, the new license SKU will be PAA but it is fully compatible with GP ... View more

do you also have 3 SC tunnels or just the one?  if just the one, make sure that tunnel is not ECMP'd (sticky to 1 circuit) is it set up using BGP or static routes?   sorry for the stupid questions, your picture wasnt attached 😉 ... View more