About ydhanuka

  I did see the bandwidth was increased to 500Mbps, but wasn't aware that you could bundle them. Is that 500Mbps shared with multiple remote sites or each site gets 500Mbps?  For example, in 1 state, I have 3 different physical locations, would those 3 locations be setup as remote networks and each of them gets 500Mbps or would those 3 share the 500?   the 500mb is assigned to the location and shared among all connected RN, so if one RN is using up 400Mbps, the others are left with 100Mbps   What about the scenario where the service connection is a site that also has users that require internet access? For example, I have a site with 1GB internet that would be considered a SC, since that's where internal resources would be.  However, that same location also has roughly 200 users that would need access to the internet.  In this scenario, would I have my HA pair of FWs be the service connection for Prisma but the users would have to egress locally, since the SC can't be used for internet access?   If so, can I use the same 1GB link for both, or would it require a dedicated circuit for the SC?   A service connection does not allow access to the internet, so in the case of a hybrid site, you would have the SC connect your datacenter services, and either a local breakout for internet, or a second RN ipsec tunnel for internet connectivity. as long as you control your routing, both tunnels can live side by side    How would you segregate those additional zones? Behind the scenes the zones are only mapped to trust and untrust. So if TRUST1 and TRUST2 are mapped to Trusted zone it wouldn't make any difference if you used TRUST1, TRUST2 or even both as source zone for example.    those zones will only be used for logging and reporting purposes, but for enforcement you'll need to rely on User-ID and source/destination subnets. As all the RN and MU sit inside the 'trust' zone, any rule that translates to "from trust to trust allow" would allow all these to connect to eachother, so for your own sanity and visibility, refrain from creating more trust zones as they boil down to the same 'trust' at the security rule level. (for logging each RN automatically gets it's own source zone assigned, that is named exactly like the ipsec tunnel) ... View more

Hi,   I have spoken to Microsoft and taken logs off an affected laptop.  It turns out this is the problematic URL - autologon.microsoftazuread-sso.com If i whitelist this URL then pre-tunnel is unaffected but if i dont a lot of users are getting an issue where their taskbar hangs and they cant login to global protect until they disconnect their wifi and turn it back on.  It must be because the laptops are trying to login to Azure even though our laptops are not Azure joined - they are only Azure registered.   has anyone else seen this before and does anyone know why this would affect the pre-tunnel if not whitelisted   thanks Kevin ... View more

Thanks for sharing the new target date is this month.   The info is in the security bulletin under the Solution section and is up to date as of 5/4/22. ... View more

I verified that you can estimate the uptime of the firewall by running:     nmap -d -v -O <mgmt_ipaddress>     To mitigate this, move the management-interface to a data port, and tie a Zone Protection profile with the option  Packet Based Attack Protection > TCP Drop > Strip TCP Options > TCP Timestamp (check)   A fix would be to add an option in PAN-OS to enable/disable TCP Timestamps in the management interface (toggle the value of  net.ipv4.tcp_timestamps).  Disabling the option can be achieved by editing the firewall's /etc/sysctl.conf file, and adding value ipv4.tcp_timestamps=0  ( I am with TAC and I verified this by going into root in the firewall in our lab and then running a new scan, which now shows clean).  This will require a Feature Request, please involve your Palo Alto Networks SE to 'vote up' on FR ID: 10815. ... View more

Hi @greg.donohoe    You may want to upgrade your panorama to 10.0.5 if not done already.  Check the release notes here and search for "PAN-152813" https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-release-notes/pan-os-10-0-addressed-issues/pan-os-10-0-5-addressed-issues.html#panos-addressed-issues-10.0.5   If that does not fix the issue, then I would suggest to open a support case with the tech support from panorama attached.   Hope this helps, Yogesh  ... View more

Hi @RohanArya61    There are few things you can do to isolate the issue.  1: Check the Global protect firewall logs for the logs with respect to the website you are trying to access to make sure it not blocked. 2: Perform packet capture on the firewall for source IP and destination as the site IP if no block logs on firewall.  3: It is possible your public IP on firewall might just be blocked on the server. 4: If using SSL decryption on the firewall, add a rule to bypass SSL decryption for this site and check if that works.    Hope this helps, Yogesh  ... View more

Hey no judgement here, I've done worse (just ask my wife) ;). We all over look things especially when we are all overworked. Glad you got it going! ... View more

Hi @kellysalinas1    This should be possible to do without LDAP and directory sync is going to pull the users/groups mapping bases on what groups are configured in the security policy. For the IP-user mapping, however, you might need a user ID agent since it is remote network and there is no GP.   Hope this helps, Yogesn ... View more

for that you need to create destination as any then under url say specfic site. then you can see url logs but no traffic logs ... View more