cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

About tszafalowicz

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
tszafalowicz
‎03-10-2020
since ‎03-20-2019
L1 Bithead
User Activity
User Profile
User Badges
Public Statistics
Date Registered ‎03-20-2019 12:48 PM
Date Last Visited ‎03-10-2020 12:35 PM
Total Messages Posted 3

Re: PAN-OS 9.0 Released - Stop and Think

by in General Topics
‎03-21-2019 02:08 PM
‎03-21-2019 02:08 PM
Didn't mean to "me too" your post!   @BPry wrote: If you have spare lab equipment I highly recommend signing up to participate in future beta programs going forward; it's a great way to get to mess around with new features and seeing what Palo Alto has on the roadmap.    Do you know off hand how I would sign up for the beta program?   Thanks! Troy ... View more

Re: Feature Request: Do Not Require Machine Certs to be Imported on the Firewall

by in General Topics
‎03-21-2019 01:53 PM
‎03-21-2019 01:53 PM
Hi Remo,   Thanks for your feedback and input!  "Wait? ... What?" was my exact reaction when I was informed that by TAC.  I did also immediately reach out to our SE after the implementation failed and got off the phone with TAC.  He was stumped as well and he was under the impression our implementation strategy would work, just like me.   No advanced use case here; just simply looking for a certificate that is signed by our internal PKI CA.  If the certificate is found, we can safely assume that the endpoint is a domain-joined asset and allow it access to connect to the GlobalProtect Gateway.  No certificate, no access.   Interestingly enough, when I generate the certificates on the firewall, specify the CA certificate in a certificate profile and test like this, it works as you would expect it to work with our own certificates.   So maybe the issue is with our own PKI?  Still stumped with this one.  TAC did inspect the certificates we were trying to use for this while on the call and determined they are valid as well.  Confused on this.   Thanks, Troy ... View more

Feature Request: Do Not Require Machine Certs to be Imported on the Firewall

by in General Topics
‎03-21-2019 11:08 AM
‎03-21-2019 11:08 AM
For some background: We recently impelmented a data protection strategy within our organization and would like to restrict the Global Protect remote access VPN service only to domain-joined laptops.  Since all our endpoints within our environment receive a machine certificate signed by our Internal PKI Root CA, we wanted to leverage those certificates to validate domain membership.  I have our Trusted Root CA certificate (and key) imported on the firewall and leveraged that in a Certificate Profile.   After a failed implementation and a 4-hour support call with Palo, TAC determined that either A) the certificates need to be generated on the firewall or B) the machine certificates (all of them) need to be imported into the firewall.   For obvious reasons, managing all our domain's machine certificates for external laptops on the firewall is not feasible.  We've explored implementing a SCEP server in the past, but had nothing but issues.  This leaves us with generating the Root CA and generic machine certificate on the firewall and then having to deploy those to all the endpoints, rather than using existing certificates that are machine-specific.   It would be helpful if Palo Alto leveraged the benefits of PKI and a chain of trust and only required the Root CA certificate to be on the firewall and approve any certificates signed by it. ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎03-10-2020 12:35 PM
Latest Tags
No tags yet
Likes Given To
View All
Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2021 - Palo Alto Networks