About TomYoung

Hi @Sujanya ,   @reaper is correct that ideally the Day 1 Configuration is for Day 1, but it is good to try to add them later rather than never.   If you load the Day 1 Configuration on the NGFW and then add it to the appropriate device group and template stack in Panorama:   The above configuration will work. The Day 1 Configuration will be local to the firewall. If you have duplicate policies or objects, you will get an error.  This is unlikely unless you have configured some Day 1 items before. Network or device configurations will not be overwritten unless you select Force Template Values. To manage the Day 1 Config from Panorama, you have a few of options.   Import the firewall configuration into separate a separate device group and template (1st URL below).  Messy. Import the NGFW configuration to Panorama and load config partial the pieces (2nd URL below).  Still messy. Create a Day 1 Configuration for Panorama.  Maybe messy maybe not. Import but do not load it.  Do not load the Day 1 Configuration on the NGFW. Add the Day 1 Configuration device group and template to the candidate configuration via load config partial. Nest the Day 1 Configuration device group (sample_devicegroup) into your hierarchy and add the Day 1 Configuration template (iron-skillet) to your stack. Try the commands below at your own risk to see if it adds the Panorama Day 1 Configuration device group and template to your Panorama candidate configuration.   load config partial mode merge from-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='sample_devicegroup']  to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group from <day1filename>   load config partial mode merge from-xpath /config/devices/entry[@name='localhost.localdomain']/template/entry[@name='iron-skillet']  to-xpath /config/devices/entry[@name='localhost.localdomain']/template from <day1filename>   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloRCAS https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/load-a-partial-firewall-configuration-into-panorama   Thanks,   Tom   Edit:  With regard to Panorama, loading the Day 1 Configuration for a new Panorama build is ideal.  It also includes modifications to the "shared" device group and items under the Panorama tab in addition to the device group and templates referenced above. ... View more

Hi @jeromecarrier ,   That is indeed a mystery.  In my environment, I have "Save User Credentials" set to No, and I am always prompted for credentials.  Maybe an uninstall/reinstall of the GP client may help.  You may need to open a TAC case.   I would like to know the resolution.   Thanks,   Tom ... View more

Hi @jeromecarrier ,   As mentioned above, change "Save User Credentials" to No.  Please see the pic below.     You may also want to verify that "Use Single Sign-On" is disabled for Windows and MacOS under the App tab.     Thanks,   Tom ... View more

Hi @jeromecarrier ,   1.  If you change Save User Credentials to No under Network > GlobalProtect > Portals > [edit] > Agent > Configs > [edit] > Authentication, the user will have to enter their username and password every time. 2.  If you set "Allow User to Change Portal Address" to No under App in the same agent client config, then the user will not be able to change the portal address.  Note that this document -> https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/globalprotect/network-globalprotect-portals/globalprotect-portals-agent-configuration-tab/globalprotect-portals-agent-app-tab says that you "must supply the default portal address in the Windows registry or Mac plist".   Thanks,   Tom ... View more

Hi @HCLCNNSecurity ,   Very cool.  So you could do it through separate IP addresses or just put the users in the security policy.  I wonder if Cloud Identity Engine would be able to get your Azure AD groups?  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/identity-features/cloud-identity-engine  I haven't used it yet.   Thanks,   Tom ... View more

Hi @PingMyServer ,   Yes, Expedition can make changes directly to a device via API.  You start by adding the device to Expedition.  https://www.youtube.com/watch?v=r_l_NjGHv90   You could also use the CLI.  I have found that to be very useful for bulk changes.   Thanks,   Tom ... View more

Hi @Han.Valk ,   Thanks for the info!  Great stuff!  Some of that is located here -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGGCA0.   MS has publicly stated that it will do away with the registry workaround in March 2023 for security reasons.  Please see this thread and the associated links -> https://live.paloaltonetworks.com/t5/general-topics/user-identification-and-winrm-on-http/m-p/481674.   Thanks,   Tom ... View more

Hi @HCLCNNSecurity ,   The easiest way to accomplish what you want is to use the Config Selection Criteria under the Network > GlobalProtect > Gateways > Agent > Client Settings as @Adrian_Jensen mentioned.  It does support groups, but only LDAP, and you were clear that you did not have LDAP, only SAML.  If you want it working today, you can add each user to your 2 Client Settings (1 for each subnet).  If you don't have that many users, it shouldn't take too long.   I have to ask the question, "What do you want to use the separate IP pools for?"  If it is for the security policy, may I suggest configuring the users there instead?  That would save the step of configuring the gateway.   Another thing you could try is to create 2 Dynamic User Groups for each department.  You could manually assign the users the tags under Objects > Log Forwarding > Add > Log Type = auth > Filters.  The tags would match the DUGs.  You could then use the DUGs in the security policy, gateway client setting, or both.   I know!  This could be a lot of work!  The best solution would be group mapping to support SAML as many customers are moving to Azure AD.  Another alternative if you want to query Azure AD via LDAP is to purchase Azure AD Domain Services or perhaps build a DC with Azure AD Connect.   Thanks,   Tom ... View more

Hi @sujithGovindaraj ,   I remember split-tunneling working fine on macOS with older GP clients, but split DNS did not.  All DNS requests went through the tunnel.  GP 5.2 now supports split DNS.  https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-new-features/new-features-released-in-gp-app/split-dns   You may want to confirm on your GP client whether the issue you are encountering is split tunneling or split DNS.   Thanks,   Tom ... View more

Hi @jorgenfrejso ,   You are correct.  You cannot have a rule with application-default and specific ports.  You are also correct that it is a good idea to clone the rule and have 2 rules - 1 with application default and 1 with specific ports.  In this case since "ssl" only has the default port of tcp/443, I would change application-default to those 3 ports - tcp/443, tcp/563, and tcp/993.   If you left the rule with "ssl" and any for the services, the security rule would allow a few packets on all ports until the application is identified.  This method is the least secure.   Thanks,   Tom ... View more