Hi, we want to deploy the GlobalProtect app for Android on managed Chromebooks using the Google Admin console.

Requirement: every device needs to be uniquely identified and then allowed. Kind of a device whitelisting, for example host ID for Windows.

Problem 1: when the GP app is running in the Android container on a Chromebook managed by the Google Admin console, my firewall sees a new serial ID every time it connects to the firewall in the HIP Match logs; even the host ID is different. How can we make sure we use the unique mobile ID to enforce the whitelist approach in HIP objects?

Problem 2: will this setup require a third-party MDM integration to enforce HIP, or can Palo Alto detect this without third-party MDM integration? (Palo Alto only supports AirWatch MDM integration.)

Problem 3: as per the third-party MDM compatibility matrix, we only support GlobalProtect app deployment for Android on a managed Chromebook using the Google Admin console. Will we be able to identify a Chromebook based on mobile ID? https://docs.paloaltonetworks.com/compatibility-matrix/globalprotect/what-features-do-third-party-mobile-device-management-systems-support

Problem 4: the URL below says in step 5 that we can enforce mobile ID on Android running on a managed Chromebook. However, we are not able to, and this contradicts the above matrix. https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/mobile-endpoint-management/set-up-a-mobile-endpoint-management-system/manage-the-globalprotect-app-using-a-third-party-mdm/deploy-the-globalprotect-mobile-app/deploy-the-globalprotect-app-for-android-on-managed-chromebooks-using-the-google-admin-console.html
So I am assuming you have enabled preempt on the active firewall. Then:

The primary firewall, it will be passive waiting to preempt when links are back, though secondary has no internet either, so what happens here?
So the secondary will take over as active and there will be an outage, as it doesn't have a way out to the internet.

The secondary, it takes over, though what happens here too (I haven't configured link and path monitoring yet on the passive firewall - should I do so)?
Till the time you don't have reachability from the second firewall, there is no point in configuring (you can do that by introducing an L2 switch in between the internet router and both of the firewalls).

Both firewalls are sitting there with no path to the internet. What happens here?
If both the firewalls have path monitoring configured, then they will play the Game of HA Dance (bouncing between each other).

What happens with flapping in this case and not hard path link failure to both firewalls?
Same as above.

Do I bother with virtual router path monitoring or rely on HA monitoring?
We use VR path monitoring when we have 2 routes to a destination and we want to remove one when it goes down. In your case, IFF you have 2 default routes out for internet (from 2 ISPs), then you can use that.