This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About CRDF18
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About CRDF18
04-08-2020
28Posts
0Likes
0Solutions
Apr 08, 2020Last Visited
User
Activity
User
Profile
Latest posts by CRDF18
| Subject | Views | Posted |
|---|---|---|
| 4331 | 02-07-2020 02:07 AM | |
| 4475 | 01-20-2020 03:59 AM | |
| 6251 | 10-22-2019 06:16 AM | |
| 6543 | 10-08-2019 02:47 AM | |
| 6802 | 10-07-2019 03:03 AM |
User Badges
Community Statistics
| Member Since | 05-29-2018 03:31 AM |
| Date Last Visited | 04-08-2020 11:12 AM |
| Posts | 28 |
03-13-2019
05:39 AM
I even tested it at the same time tried a few things, made sure the i had the correct pin, token wasnt about to expire, even waited for a next token code but still nothing. It seems there may be nothing obvious that has changed but i will have to wait for TAC to get back to see if they can think of anything, but i am probably going to have to schedule in some time out of hours upgrade again and test it again and again
... View more
03-13-2019
05:00 AM
Hi from the end users perspective it was from the global protect client that kept on asking them to enter a passcode again so i would say it from the portal, NOT the gateway. On our RADIUS server you would see 2 hits for each attempt, one success and one failure. Even though at the other end (VPN client end) the user would just be prompted for a passcode again. The RADIUS logs say user authentication failed, check RSA logs. RSA has a bit more info but seems to point to the user not putting in the correct token code or bad PIN, which i would normally believe but we tried a couple of IT people to test and they couldn't all forget their PIN or type in an incorrect token code at the same time, but then get it working when we tried it on the firewall running 8.0.15. That's why i was thinking maybe something had changed between 8.0 and 8.1 or maybe GP version we have isnt supported in 8.1?
... View more
03-13-2019
04:23 AM
Hi Has anyone had any issues with users connecting in using global protect once they have upgraded from PAN-OS 8.0.15 to any version of 8.1? I had a change window the other night and updated to 8.1.6 which everything worked fine except for VPN access, people connecting in would constantly be prompted to type in the token passcode. We could see errors on our RADIUS server and RSA servers but nothing in the system log on the firewall. As soon i failed back to using 8.0.15 VPN access was restored. I have logged a tech support call about this and pointed out there was a bug we had last year that was fixed but it seems that maybe in 8.1 either this fix hasnt been applied or in 8.1 GP clients log in differently? I am still waiting for TAC to get back to me but i just thought i would reach out on here as well. We are still running GP version 3.1.5-9 as well
... View more
- Tags:
- 8.0
- 8.1
- global protect
01-10-2019
06:09 AM
Thanks there were no disacards when i looked but in the end ive got the chrome update working, but then there was a knock on effect with normal web sites being blocked because of the url filtering profile i had applied. My original aim was to have our normal web access policies to 3 different AD groups (so 2 rules per group) which would block exe, msi, pe etc but above these rules i would have one rule that has the 3 different AD groups in that would allow exe, msi and pe files to a select group of sites in a another url filtering profile to update the like of adobe reader/creative cloud, chrome, visual studio etc. After doing some more tests and a call with PA support, it seems this is not possible, so now im back to square one. What i am now thinking is adding an extra rule for each web access group. At the moment our setup is something like the below. Web access full AD group - zone outside - web access full allowed apps - application -default service - Web access full URL filtering & file blocking profile Web access full AD group - zone outside - allowed apps decrypt to other ports - custom ports service - Web access full URL filtering & file blocking profile What i propose to do is the following Web access full AD group - zone outside - any application - any service - web access full URL filtering with approved category & file blocking profile allowing EXE & PE file types Web access full AD group - zone outside - web access full allowed apps - application -default service - Web access full URL filtering & file blocking profile Web access full AD group - zone outside - allowed apps decrypt to other ports - custom ports service - Web access full URL filtering & file blocking profile but now i have just typed that out i dont think that will work as the first rule would allow all applications so the other rules wouldnt really come into place I think i need a break from this and come back to it with a fresh head lol
... View more
01-04-2019
01:44 AM
I am getting the URL (well IP address) that is being blocked from the data filtering log and adding it to the custom URL category applied to the bypass policy but it still doesnt work. I have even populated the custom URL category with *.getgo.com, launch.getgo.com as well as the IP from the blocked data filering log but no luck. I even decided to take the IP from d ata filering log and add it to the destination address in the bypass policy but that doesnt work either, it still hits the original web access rule not the bypass. I am only testing with goto meeting at the moment but i will need it working for chrome and Adobe creative cloud as well... i can see this being a long and difficult process Yes we are using SSL decryption.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-08-2020
11:12 AM
|
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks