About Jatin.Singh

We are connected via Global Protect are having issues where the session gets disconnected overnight. Is there a way to override this setting only for one user ? Does below settings change will affect all users     We are using split tunnel.   Could you please advise if any workarounds can be made ? just to keep the heart beat active at least ?   I am reading here that only way to achieve this is to create a new GP portal    https://live.paloaltonetworks.com/t5/general-topics/globalprotect-timeout-only-for-one-user/m-p/100943#M44327 ... View more

Can we disable the global protect portal & gateway and reactivate it whenever we needed it instead of deleting it entirely?   We are using 9.1.3 ... View more

We have ClearPass integrated to Palo Alto. ClearPass sends user-id to the firewall upon successful authentication. Customer is experiencing an issue where the laptop (on wireless) would fail to access Internet at re-authentication.   There is another client device that is login with the same user-id. I think the question here is with user-identity, does PA allows a one-to-many (one user-id to multiple IP) relationships???   Also we see the ClearPass re-authenticating the user and it is successful. However, we do not see the corresponding timestamp re-authentication appearing on the PA. The timeout wasn’t reset back to 9 hrs (as configured in the global setting). Is that normal?   In the screen capture seen below for today, I had restarted the wireless at 9.16am. But there was no user-id mapping for the IP address. You can see there is a close correlation on the PA at 9.17am. I did a second restart of the wireless on the client at 9.24am. There was a user-id mapping and it was able to access Internet. The timestamp on PA was at 9.24am. However, at 10.01am, it appears there is another successful mapping of the user-id to IP on the PA but there wasn’t any re-authentication on the ClearPass.     ... View more

Could you please advise how to schedule GlobalVPN reports, I found a way of generating them, but is there a way to shcedule them? ... View more

Our GlobalProtect VPN was using a self-signed certificate which got expired caused end users not being able to connect to the VPN. This raises the question that what are the ways to get alerted for these sort of incidents. Is there any in-build mechanism on the firewall or the Panorama that we could use to get notified of the Certificate Expiry incident before happening? Thanks   Model: PA5020 ... View more

For all the websites, the recpatcha seems to give an error but works when we keep trying. We have tried different browsers and machines and seems to be same issue. We isolated bypassing palo alto and seems to work correctly.   Can this be a issue related to Palo alto?   Below are the website that they use for the recaptcha http://patrickhlauke.github.io/recaptcha/ https://www.google.com/recaptcha/api2/demo https://urlfiltering.paloaltonetworks.com/query/             ... View more

We have set Disconnect on ideal for 20 min and we have tried to log off from the PC and login after 20 mins and GP is still connected,what could be the issue.   Inactivity logout seems to work after 2 hours   Palo version 8.1.13 GP- 5.1.1   ... View more

For the last few days, we have been trying to import firewalls into Panorama and have not been successful at it.   Panorama firmware is  9.0.7 Palo Alto firmware: 8.1.13   Description of issue: During the importing process, I was able to extract the configs from PA firewall onto the Panorama. However, when I tried to commit the configs back to PA firewall from Panorama. The commit would fail, and the reason for the failure is because there’s missing IP addresses in ‘Objects’.   Following is the commit error   rulebase -> nat -> rules -> AESG-DNAT-P157-2 -> destination 'Host_13.55.26.51-32' is not an allowed keyword     rulebase -> nat -> rules -> AESG-DNAT-P157-2 -> destination Host_13.55.26.51-32 is an invalid ipv4/v6 address     rulebase -> nat -> rules -> AESG-DNAT-P157-2 -> destination Host_13.55.26.51-32 invalid range start IP     rulebase -> nat -> rules -> AESG-DNAT-P157-2 -> destination 'Host_13.55.26.51-32' is not a valid reference     rulebase -> nat -> rules -> AESG-DNAT-P157-2 -> destination is invalid   Error: Failed to find address 'Host_13.55.26.51-32'     Error: Unknown address 'Host_13.55.26.51-32'     Error: Failed to parse nat policy     (Module: device)     Config 'AGENT-CONFIG':     GlobalProtect App Dynamic Configuration misses information for 'show-system-tray-notifications'.     (Module: sslvpn)     Commit failed   it seems like the problem is with the missing objects during the importing process. As an example, the total amount of addresses on the firewall is 490. However, we can only see 460 after the configs have been copied over from Panorama to the firewall.   We have also tried adding  Host_13.55.26.51-32' manually to panorama as a shared object but still cannot commit    we did upgrade our Panorama firmware recently from 9.0.4 --- > 9.0.7. And our firewall firmware from 8.0.13 -> 8.1.13 ... View more

One of our client is getting previous week’s report on Weekly report emails. We have modified the dates of the report but this does not change thing.   Checking to see if there is any other setting changes we can perform?   It is a Weekly Activity report with: Top 10 users & Top 50 Application   We also made changes to it from " last calendar week" to "last 7 calendar days" but still receiving  last week report   Followed this KB -  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClvuCAC       Please see config below   ... View more

Panorama shows that all devices have "No device group assigned" in the Managed Devices, Summary screen, but the devices look fine in the Device groups screen. This is also resulting in being unable to commit changes to the firewalls.   This issue happened earlier on today, and went away with a reboot of Panorama, but appears to have come back.   What can be this issue?   Version -  9.1.0 ... View more

We are rolling out GP with SSO with Pre-login using certificates as of last week. The GP agents are connecting at pre-auth and subsequently doing SSO once the user signs in with cached credentials.    After the weekend, we are having multiple users reporting they cannot login.    We are seeing lots of events 'globalprotectportal-auth-fail' with description 'GlobalProtect portal user authentication failed. Login from: 124.189.178.11, Source region: AU,  User name: andrew.gee, Client OS version: Microsoft Windows 10 Enterprise , 64-bit, Reason: Cookie expired, Auth type: cookie.' We have cookie authentication override enabled on both gateway and the portal using the same CA Root, what can be the reason for this error and users not able to login ? ... View more

We are currently attempting to update our globalprotect client on our Palo Alto firewall, a PA-500. The version we are attempting to download is 5.0.8.   Currently when attempting to download we get the following error       Which hasn't given us much indication of what the issue is, and how to rectify it. We have checked the logs in an attempt to find additional information, which has given us the following information   administrator@PA-500> tail follow yes mp-log ms.log 2020-03-19 16:43:01.287 +1100 client dagger reported op command was SUCCESSFUL 2020-03-19 16:43:04.840 +1100 No upload information available sh: -o/tmp/pan/downloadprogress.10006: No such file or directory grep: /tmp/pan/downloadprogress.10006: No such file or directory NO_MATCHES 2020-03-19 16:43:06.623 +1100 Error:  pan_jobmgr_downloader_thread(pan_job_mgr.c:1110): DOWNLOAD job failed NO_MATCHES   We have also tried the following. - Restarting the Management Plane, with no change - Attempted to download PAN-OS 7.1.25 (currently running PAN-OS 7.1.5) which seems to fail with the same message - Changed the Service Route for PA updates to e1/5, with no change. - Tried a tcpdump from the management plane when clicking 'Download' but could not spot the traffic (1x port 443 tcpfump filter, 1x all traffic - pcaps attached)   There doesn't appear to be any dropped sessions in the pcap so we currently don't think it's our upstream firewall. ... View more

Hi Guys, I am just wondering if the following scenario is possible  Load balancing between the two client  VPN Gateways so half the clients connect to one VPN server at site A, and the other half connect to Site B.Palo alto firewalls on both sides. ... View more

We’ve recently upgraded our PAN from 8.0.4 to the latest version (8.1.13) successfully.   Now the issue is that we’ve been getting an email stating that “registering Wildfire Public Cloud has been successfully” every 20 minutes.   Is there a way to make this particular email to stop?   Subject:  INV-FW1 - SYSTEM ALERT : medium : Successfully registered to Public Cloud wildfire.paloaltonetworks.com domain: 1 receive_time: 2020/02/28 16:57:28 serial: 012001004743 seqno: 3597815 actionflags: 0x0 type: SYSTEM subtype: wildfire config_ver: 0 time_generated: 2020/02/28 16:57:28 dg_hier_level_1: 0 dg_hier_level_2: 0 dg_hier_level_3: 0 dg_hier_level_4: 0 vsys_name: device_name: INV-FW1 vsys_id: 0 vsys: eventid: wildfire-conn-success object: fmt: 0 id: 0 module: general severity: medium opaque: Successfully registered to Public Cloud wildfire.paloaltonetworks.com   Also I tested the wildfire connection and it is successful.     djthirl@INV-FW1> test wildfire registration This test may take a few minutes to finish. Do you want to continue? (y or n)   Test wildfire Public Cloud           Testing cloud server wildfire.paloaltonetworks.com ...         wildfire registration:         successful         download server list:          successful         select the best server:        panos.wildfire.paloaltonetworks.com ... View more

We are using PANOS 9.1 and latest DNS security. Any thoughts on these errors from proxy log? 172.16.1.1 and 172.16.1.3 are Microsoft AD DNS servers.Can these be effecting performance of traffic?   2020-02-17 08:30:23.583 +1100 Error:  pan_dnsproxy_recv_server_udp_cb(pan_dnsproxy_udp.c:222): [udp]: fd 48 from 172.16.1.1 to 0.0.0.0 process server failed! 2020-02-17 08:30:24.490 +1100 Error:  pan_dnsproxy_process_server_pkt(pan_dnsproxy_pkt.c:1491): [DNS Proxy/21572/12452/-]:[Drop Rcvd Server Pkt]: invalid UDP socket! 2020-02-17 08:30:24.490 +1100 Error:  pan_dnsproxy_recv_server_udp_cb(pan_dnsproxy_udp.c:222): [udp]: fd 56 from 172.16.1.1 to 0.0.0.0 process server failed! ... View more