This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About Andrew.Vernon
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About Andrew.Vernon
04-20-2021
4Posts
1Like
0Solutions
Apr 20, 2021Last Visited
User
Activity
User
Profile
Latest posts by Andrew.Vernon
| Subject | Views | Posted |
|---|---|---|
| 2464 | 04-17-2020 12:06 PM | |
| 2622 | 04-17-2020 08:42 AM | |
| 2147 | 12-12-2019 01:43 PM | |
| 2245 | 12-10-2019 08:40 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 04-17-2020 12:06 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like |
User Badges
Community Statistics
| Member Since | 03-05-2019 01:10 PM |
| Date Last Visited | 04-20-2021 01:53 PM |
| Posts | 4 |
| Total Likes Received | 1 |
04-17-2020
12:06 PM
1 Kudo
That traffic isn't even making it far enough to have security rules applied. We have our VPN subnets in their own zone and no intrazone traffic is being logged. But, looking at the routing table, I only see a /32 for my own GP IP address. Subnets in my split-tunnel address group appear with the agent virtual IP as the next hop. That suggests that I may need to add the client address block to the split-tunnel.
... View more
04-17-2020
08:42 AM
One of our help desk analysts working remotely asked why he was unable to use remote administration tools to assist end users also connected to the GP gateway. I'm not able to find a definitive answer in the docs and KB, but I expect this is by design. Can anybody confirm this, and is there a mitigation besides providing support staff with a virtual desktop on the inside LAN for administrative tasks?
... View more
12-12-2019
01:43 PM
For the Authentication Enforcement Object (Objects > Authentication), I found creating a shared object (one used across all device groups) made the authentication profiles invisible. When I created the AEO in the device group covered by that particular template stack, the profiles were available to select. This occurred because I was using Panorama for device management. I'd have to walk back through the exercise on a stand-alone device to see if there's a similar distinction between the device level shared context and a specific vsys. (I only have single instances on my firewalls, so nothing really needs to be "shared.") It's not exactly as @reaper suggested, but their suggestion took me to the right place. I'm skipping the authentication policy step since further reading suggests it may not be needed for GlobalProtect. May have to revisit it after some testing. So short answer is: Just turn off the "Shared" checkbox when setting authentication enforcement.
... View more
12-10-2019
08:40 AM
I'm moving to LDAP auth with Duo 2FA. We need a better answer than RADIUS as we've found Duo's Authentication Proxy functionally limited and crash-prone. Using Mitch Densley's video guide for PAN-OS 8.x as a starting point, I've gotten my Duo application set up, along with an authentication profile. However, when I try to create an Authentication Enforcement object, my Duoized authentication profile doesn't appear on the menu (only "None"). If I skip that step momentarily and try to create an authentication policy, I can't select the zone my captive portal interface is in. Can't tell what I'm missing or how my environment differs from the how-to-- I'm using PAN-OS 9.0.4 in an HA cluster managed by Panorama.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-20-2021
01:53 PM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks