This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
About tszafalowicz
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About tszafalowicz
03-10-2020
3Posts
0Likes
0Solutions
Mar 10, 2020Last Visited
User
Activity
User
Profile
Latest posts by tszafalowicz
| Subject | Views | Posted |
|---|---|---|
| 4858 | 03-21-2019 02:08 PM | |
| 1394 | 03-21-2019 01:53 PM | |
| 1405 | 03-21-2019 11:08 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 03-20-2019 12:48 PM |
| Date Last Visited | 03-10-2020 12:35 PM |
| Posts | 3 |
03-21-2019
02:08 PM
Didn't mean to "me too" your post! @BPry wrote: If you have spare lab equipment I highly recommend signing up to participate in future beta programs going forward; it's a great way to get to mess around with new features and seeing what Palo Alto has on the roadmap. Do you know off hand how I would sign up for the beta program? Thanks! Troy
... View more
03-21-2019
01:53 PM
Hi Remo, Thanks for your feedback and input! "Wait? ... What?" was my exact reaction when I was informed that by TAC. I did also immediately reach out to our SE after the implementation failed and got off the phone with TAC. He was stumped as well and he was under the impression our implementation strategy would work, just like me. No advanced use case here; just simply looking for a certificate that is signed by our internal PKI CA. If the certificate is found, we can safely assume that the endpoint is a domain-joined asset and allow it access to connect to the GlobalProtect Gateway. No certificate, no access. Interestingly enough, when I generate the certificates on the firewall, specify the CA certificate in a certificate profile and test like this, it works as you would expect it to work with our own certificates. So maybe the issue is with our own PKI? Still stumped with this one. TAC did inspect the certificates we were trying to use for this while on the call and determined they are valid as well. Confused on this. Thanks, Troy
... View more
03-21-2019
11:08 AM
For some background: We recently impelmented a data protection strategy within our organization and would like to restrict the Global Protect remote access VPN service only to domain-joined laptops. Since all our endpoints within our environment receive a machine certificate signed by our Internal PKI Root CA, we wanted to leverage those certificates to validate domain membership. I have our Trusted Root CA certificate (and key) imported on the firewall and leveraged that in a Certificate Profile. After a failed implementation and a 4-hour support call with Palo, TAC determined that either A) the certificates need to be generated on the firewall or B) the machine certificates (all of them) need to be imported into the firewall. For obvious reasons, managing all our domain's machine certificates for external laptops on the firewall is not feasible. We've explored implementing a SCEP server in the past, but had nothing but issues. This leaves us with generating the Root CA and generic machine certificate on the firewall and then having to deploy those to all the endpoints, rather than using existing certificates that are machine-specific. It would be helpful if Palo Alto leveraged the benefits of PKI and a chain of trust and only required the Root CA certificate to be on the firewall and approve any certificates signed by it.
... View more
LEGAL NOTICES
Copyright 2007 - 2022 - Palo Alto Networks