About Jatin.Singh

The firewall internal interface used to have GP portal configured and then removed, we found the XML API does not work on the standard port 443. In web browser an API call returns the 404 error. Pcap shows that the firewall does not reply to the call. We need this for Clearpass integration, and when testing with a different port (with NAT) it works on browsers but not the Clearpass.    Could you please help with the troubleshooting.     It works on the public interface     we have GP portal running on the public interface so we are using port 4443 to access the API and NAT’ing it to a loopback interface on 443 with management profile. We tried the similar setup on the internal interface and it works ok. But not port 443.     Followed this document    https://www.arubanetworks.com/assets/pso/TechNote_ArubaAndPaloAltoNetworksIntegration.pdf     ... View more

Could you please confirm if proxy is supported on the Android GP App. Our end users are using proxies on mobile devices including iOS, Chromebooks, and Android. It appears that only the GP clients on Android are having issues connecting. The GP client reports that there is no internet connection. This used to work 1-2 weeks ago(on old GP version 5.2.4) so not sure if the new GP App on Android is causing the problem. Below article says the proxy setting is only supported on Windows and MacOS, but it actually works on iOS and Chromebooks, so could you please confirm? thanks. https://docs.paloaltonetworks.com/globalprotect/4-1/globalprotect-app-new-features/new-features-released-in-gp-agent-4_1/tunnel-connections-over-proxies   GP-VERSION - 5.2.5 It working when we do not use proxy ... View more

Recently enabled split tunneling for our Global protect VPN, and have added some domains into the split tunnel.   For some users domain split tunneling doesn't work.   The domains configured to be included in the split tunnel are as follows   *autologon.microsoftazuread-sso.com *enterpriseregistration.windows.net *.microsoftonline.com   We are trying to add these domains to include domain list- however, when Global protect is connected, effected users are unable to connect to these services at all.   Without the split tunnel the functionality was immediately restored for affected users   Now we came across this document which says that Microsoft recommends to use IP addresses instead of FQDN  for office 365 applications when configuring split tunneling   https://live.paloaltonetworks.com/t5/general-articles/globalprotect-optimizing-office-365-traffic/ta-p/319669   However this document explain excluding routes scenario.   So my question is will this method work for include routes too?   ... View more

We are connected via Global Protect are having issues where the session gets disconnected overnight. Is there a way to override this setting only for one user ? Does below settings change will affect all users     We are using split tunnel.   Could you please advise if any workarounds can be made ? just to keep the heart beat active at least ?   I am reading here that only way to achieve this is to create a new GP portal    https://live.paloaltonetworks.com/t5/general-topics/globalprotect-timeout-only-for-one-user/m-p/100943#M44327 ... View more

Can we disable the global protect portal & gateway and reactivate it whenever we needed it instead of deleting it entirely?   We are using 9.1.3 ... View more

We have ClearPass integrated to Palo Alto. ClearPass sends user-id to the firewall upon successful authentication. Customer is experiencing an issue where the laptop (on wireless) would fail to access Internet at re-authentication.   There is another client device that is login with the same user-id. I think the question here is with user-identity, does PA allows a one-to-many (one user-id to multiple IP) relationships???   Also we see the ClearPass re-authenticating the user and it is successful. However, we do not see the corresponding timestamp re-authentication appearing on the PA. The timeout wasn’t reset back to 9 hrs (as configured in the global setting). Is that normal?   In the screen capture seen below for today, I had restarted the wireless at 9.16am. But there was no user-id mapping for the IP address. You can see there is a close correlation on the PA at 9.17am. I did a second restart of the wireless on the client at 9.24am. There was a user-id mapping and it was able to access Internet. The timestamp on PA was at 9.24am. However, at 10.01am, it appears there is another successful mapping of the user-id to IP on the PA but there wasn’t any re-authentication on the ClearPass.     ... View more

Our GlobalProtect VPN was using a self-signed certificate which got expired caused end users not being able to connect to the VPN. This raises the question that what are the ways to get alerted for these sort of incidents. Is there any in-build mechanism on the firewall or the Panorama that we could use to get notified of the Certificate Expiry incident before happening? Thanks   Model: PA5020 ... View more

For all the websites, the recpatcha seems to give an error but works when we keep trying. We have tried different browsers and machines and seems to be same issue. We isolated bypassing palo alto and seems to work correctly.   Can this be a issue related to Palo alto?   Below are the website that they use for the recaptcha http://patrickhlauke.github.io/recaptcha/ https://www.google.com/recaptcha/api2/demo https://urlfiltering.paloaltonetworks.com/query/             ... View more

We have set Disconnect on ideal for 20 min and we have tried to log off from the PC and login after 20 mins and GP is still connected,what could be the issue.   Inactivity logout seems to work after 2 hours   Palo version 8.1.13 GP- 5.1.1   ... View more

For the last few days, we have been trying to import firewalls into Panorama and have not been successful at it.   Panorama firmware is  9.0.7 Palo Alto firmware: 8.1.13   Description of issue: During the importing process, I was able to extract the configs from PA firewall onto the Panorama. However, when I tried to commit the configs back to PA firewall from Panorama. The commit would fail, and the reason for the failure is because there’s missing IP addresses in ‘Objects’.   Following is the commit error   rulebase -> nat -> rules -> AESG-DNAT-P157-2 -> destination 'Host_13.55.26.51-32' is not an allowed keyword     rulebase -> nat -> rules -> AESG-DNAT-P157-2 -> destination Host_13.55.26.51-32 is an invalid ipv4/v6 address     rulebase -> nat -> rules -> AESG-DNAT-P157-2 -> destination Host_13.55.26.51-32 invalid range start IP     rulebase -> nat -> rules -> AESG-DNAT-P157-2 -> destination 'Host_13.55.26.51-32' is not a valid reference     rulebase -> nat -> rules -> AESG-DNAT-P157-2 -> destination is invalid   Error: Failed to find address 'Host_13.55.26.51-32'     Error: Unknown address 'Host_13.55.26.51-32'     Error: Failed to parse nat policy     (Module: device)     Config 'AGENT-CONFIG':     GlobalProtect App Dynamic Configuration misses information for 'show-system-tray-notifications'.     (Module: sslvpn)     Commit failed   it seems like the problem is with the missing objects during the importing process. As an example, the total amount of addresses on the firewall is 490. However, we can only see 460 after the configs have been copied over from Panorama to the firewall.   We have also tried adding  Host_13.55.26.51-32' manually to panorama as a shared object but still cannot commit    we did upgrade our Panorama firmware recently from 9.0.4 --- > 9.0.7. And our firewall firmware from 8.0.13 -> 8.1.13 ... View more