About TomYoung

Hi @Callum_Bisley ,   An Access-Reject message means that RADIUS is working fine.  The user was rejected by NPS policy.  Also, the system log "invalid username/password" also indicates the PA is talking to NPS fine.  You are correct to say, "there is something occurring in my AD."  The best place to look for the reason NPS is rejecting the request is under the Windows Event Viewer in the Security logs.   Your other config looks fine at 1st glance.  It looks like you have followed this document -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIxCAK.   You can also test RADIUS without the VSAs by creating a local admin under Administrators and selecting RADIUS_ADMIN as the authentication profile.  You can even assign your CorpAdmin role there.  Of course, that doesn't scale well, but it allows you to eliminate some variables in your testing.   Thanks,   Tom ... View more

Hi @benball ,   This is very common with PAN-OS 8.1 and below.  Once the traffic is decrypted, the NGFW recognizes the decrypted application as web-browsing.  Web-browsing on tcp/443 does not match any of your rules and therefore is dropped by the interzone-default rule.   Create a new rule to allow web-browsing on service-https, and your configuration will work.  This means that you configured decryption correctly!  [Edit yet again.]  Now that you are decrypting traffic, your NGFW will recognize many more web apps like facebook, google, etc.  So, you may as well allow any app outbound on 443 until you decide if you will build a full whitelist.   PAN-OS 9.0 added secure ports to applications so that web-browsing with application-default will work with SSL decryption and you do not need to create a separate rule. https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-release-notes/pan-os-9-0-release-information/features-introduced-in-pan-os-9-0/app-id-features.html#id1787EF00LF4   Thanks,   Tom   PS You can also add the Decrypted column in the traffic logs to verify if the NGFW is decrypting traffic.   ... View more

Hi @ce1028 ,   Great question!  I didn't realize zones were a limitation of the Shared device group.  The zones are populated by the devices or reference templates in the device group.  Since Shared is read only, it appears that you cannot save those fields.   What you can do is create a new device group, e.g. "Shared Rules", under Shared and make it the parent of the other device groups.  (You can have 4 device groups in a hierarchy).  You can add a reference template with zones to Shared Rules.  Then you can create share security policies for all of your firewalls in this one device group.   Thanks,   Tom   Hi @ce1028 ,   I have an update!  You can use Shared for common policy rules!  You can move a rule from another device group and the zones work fine.  Also, once you have imported the zones in a rule, they show up in the drop down for new rules.  You could also type the zone in manually without the dropdown.   Hope this helps,   Tom ... View more

Hi @pomologist ,   Great document find!  Why don't you add the management zone to your authentication policy?  Am I missing something?   Hi @BPry and @OtakarKlier ,   In the newer PAN-OS, the Captive Portal Settings tab under Device > User identification has been renamed Authentication Portal Settings.  When I edit the setting and click on help, I see this message.     So, I don't think it is only for User/IP mapping or only triggers on unknown users in the newer PAN-OS.  Also, in the Authentication Policy, you have a drop down for source users that can specify any, unknown, etc.     I have tested this with GlobalProtect, and I am required to authenticate on the web redirect page.  My User-ID vpn-client data source existed before the captive-portal data source was generated.   I hope this helps,   Tom ... View more

Hi @tamilvanan ,   Yes, this can be done.  In addition to your external gateway, you would configure an internal gateway in non-tunnel mode with Internal Host Detection enabled.  https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000ClH1   Note in the doc that (1) the trust interface is used, (2) the Agent tab on the gateway is not configured (Tunnel Mode is not checked).  As the name implies, no encrypted tunnel is formed between the client and the gateway.   This configuration has the added benefit of providing accurate User-ID inside the network and enforcing HIP checks if configured.   Here is more info on Internal Host Detection -> https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/globalprotect/network-globalprotect-portals/globalprotect-portals-agent-configuration-tab/globalprotect-portals-agent-internal-tab.html.   Here is more info on types of gateways -> https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/globalprotect-gateway-concepts/types-of-gateways.html.   Thanks,   Tom ... View more