cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

About rajjair

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
rajjair
‎03-13-2022
since ‎08-12-2019
L2 Linker
User Activity
User Profile
My Liked Posts
View All
User Badges
Community Statistics
Member Since ‎08-12-2019 03:32 PM
Date Last Visited ‎03-13-2022 01:30 AM
Posts 16
Total Likes Received 4

Re: Troubleshoot Split Tunnel Domain & Applications and Exclude Video Traffic

by in GlobalProtect Articles
‎03-12-2022 08:04 PM
‎03-12-2022 08:04 PM
Thank you for correcting this article in regards to the log files and providing the details very helpful.   However, we seem to be running into an issue with this feature I am just wondering if this has been tested with a recent version of clients and if you guys have a link to try this feature out to confirm this is working as expected to not. In our environment we can see in the pangps.log we can see the video redirect being logged and the session on the firewall also shows the tracker stage of the split-tunnel occurring. However, the video errors out on the browser and the user are not able to play the content, based on the article there is 302 redirect but I don't see that occurring for us on the web trace, this video link is embedded on the site so wondering if this feature works with embedded videos or not.. Any information would help.. I have opened a ticket with support also on this     I also tried to copy the URL and what I noticed on the first try was it fails on the second try it works after I refresh the browser.. but there is no 302 redirect as mentioned in the article above. below is a complete web trace when I have copied the original URL of the video and tried to play it.   Thanks for any info anybody can share... Raj   ... View more

Re: GlobalProtect Pre-Logon Prompting for User Certificate

by in GlobalProtect Discussions
‎10-25-2021 06:19 PM
‎10-25-2021 06:19 PM
You need to ensure the portal and gateway URLs are added to your trusted/Intranet sites in IE and ensure this setting is enabled.     For Edge and Chrome you need to configure "AutoSelectCertificateForUrls" to avoid the pop-up   Microsoft Edge Browser Policy Documentation | Microsoft Docs   ... View more

Re: Global Protect Split Tunnelling on Domains - client version issue?

by in GlobalProtect Discussions
‎10-25-2021 06:03 PM
‎10-25-2021 06:03 PM
Not sure if you are aware but to use DNS based split tunnelling you have to have a gateway subscription on your firewall also   About GlobalProtect Licenses (paloaltonetworks.com) ... View more

Re: Troubleshoot Split Tunnel Domain & Applications and Exclude Video Traffic

by in GlobalProtect Articles
‎10-25-2021 05:33 PM
‎10-25-2021 05:33 PM
In the GlobalProtect Log bundle, we don't have gpsplit.log -- just wondering where specifically is this file "Within the GlobalProtect logs bundle, also review gpsplit.log (the equivalent file on the macOS is PanNExt.log) " ... View more

Re: GP 5.2.6 - Post-VPN-Connect error

by in GlobalProtect Discussions
‎06-03-2021 08:29 PM
‎06-03-2021 08:29 PM
Talking to palo support they say this expected behaviour post-vpn-connect is not support in pre-logon states ... View more

GP 5.2.6 - Post-VPN-Connect error

by in GlobalProtect Discussions
‎05-21-2021 04:21 PM
‎05-21-2021 04:21 PM
Hi    Just wondering if anyone is seeing this issue by chance on windows with post-vpn-connect on GP 5.2.6 I am pretty sure it worked fine with older versions... but we have had other bugs with the older client so can't really roll back   Scenario 1 - If a machine is rebooted the behaviour we see is the post connect command is called however it errors out  "Failed to open process 0. Error 87"   (P6440-T10060)Debug(3390): 05/21/21 16:45:58:179 Full path is "C:\LocalData\_temp\test.bat" (P6440-T10060)Debug(3395): 05/21/21 16:45:58:179 Full command is "C:\LocalData\_temp\test.bat" (P6440-T10060)Debug( 181): 05/21/21 16:45:58:181 Run cmd "C:\LocalData\_temp\test.bat" in session -1 as user (P6440-T10060)Debug( 265): 05/21/21 16:45:58:194 didn't find the specific process. (P6440-T10060)Error(3420): 05/21/21 16:45:58:195 Failed to open process 0. Error 87 (P6440-T10060)Error(3472): 05/21/21 16:45:58:195 Failed to launch command. Error 87. Command "C:\LocalData\_temp\test.bat" as user, timeout 0. (P6440-T10060)Debug(3475): 05/21/21 16:45:58:195 Result is false for run command "C:\LocalData\_temp\test.bat". as user, timeout 0   Scenario 2 - Log out and log back in the post connect command is not called at all do not see any event in the log file for it     Scenario 3 - Refresh the VPN client connection the command is called and it runs fine with no issues   (P6400-T2680)Debug(3525): 05/21/21 16:39:39:897 Expanded "C:\LocalData\_temp\test.bat" to "C:\LocalData\_temp\test.bat" (P6400-T2680)Debug( 190): 05/21/21 16:39:39:897 Vpn event post-vpn-connect has empty checksum (P6400-T2680)Debug( 193): 05/21/21 16:39:39:897 Vpn event post-vpn-connect is valid (P6400-T2680)Debug(3368): 05/21/21 16:39:39:897 Command file is "C:\LocalData\_temp\test.bat". Parameters (P6400-T2680)Debug(3390): 05/21/21 16:39:40:034 Full path is "C:\LocalData\_temp\test.bat" (P6400-T2680)Debug(3395): 05/21/21 16:39:40:034 Full command is "C:\LocalData\_temp\test.bat" (P6400-T2680)Debug( 181): 05/21/21 16:39:40:037 Run cmd "C:\LocalData\_temp\test.bat" in session 2 as user (P6400-T2680)Error( 277): 05/21/21 16:39:40:057 WTSQueryUserToken failed. Error: 5 (P6400-T2680)Error( 318): 05/21/21 16:39:40:066 RunProcessIntoDifferentSession: failed to SetTokenInformation. Error: 1314 (P6400-T2680)Debug(3432): 05/21/21 16:39:40:158 Successfully launched "C:\LocalData\_temp\test.bat" as user, timeout 0. Pid 3132 ... View more

Re: Global Protect Pre-Logon followed by SAML SSO

by in GlobalProtect Discussions
‎12-24-2020 09:34 AM
‎12-24-2020 09:34 AM
To stop the client certificate pop-up you need to make sure the VPN  url is either in your local intranet zone or in your trusted sites with IE Options configured "don't prompt  for  client certificate  selection when no certificates or only one certificate exists " which needs to be set to enable    For Chrome and Edge the policy AutoSelectCertificateForUrls   Microsoft Edge Browser Policy Documentation | Microsoft Docs   Chrome Enterprise Policy List & Management  |  Documentation (google.com) ... View more

Re: GlobalProtect: Implement Split Tunnel Domain and Applications

by in GlobalProtect Articles
‎10-27-2020 06:25 PM
‎10-27-2020 06:25 PM
Is there log file or way to validate the application process id is being split tunnel by gp client ... View more

Re: Global Protect Pre-Logon conflicting with User-ID agent

by in GlobalProtect Discussions
‎10-14-2020 07:24 PM
‎10-14-2020 07:24 PM
On the User ID agent you can create an exclusion for the IPs that you are using global protect agent for as that can be used as user id at the authentication time and no rely on the DC to get user id vpn users also. That is what we do we exclude the IP subnet on the user id ... View more

Re: GP Upgrade issues

by in GlobalProtect Discussions
‎10-14-2020 07:20 PM
‎10-14-2020 07:20 PM
I have experienced a lot issue with GP client and install issue when doing upgrades. I moved to script based install where we trigger an uninstall of the client. Clean the folder and regkey and the perform a fresh install.     ... View more

Re: Global protect and Outlook 2016

by in General Topics
‎04-07-2020 08:08 AM
1 Kudo
‎04-07-2020 08:08 AM
1 Kudo
Karthik,   Would be interested to see how that option goes when configured under the app agent... did you just put the domain url in there of you had to type in http://<website>   For me adding that domain to split tunnel did not resolve the issue, it only worked once i added to pre-logon policies.   RJ ... View more

Re: Global protect and Outlook 2016

by in General Topics
‎04-06-2020 10:33 PM
2 Kudos
‎04-06-2020 10:33 PM
2 Kudos
Hi All   I had the similar issue and was able to to trace it down NCSI causing the problem, the probe HTTP was failing for me. You can check windows event logs to see if you are facing the same issue - Microsoft-Windows-NCSI/Operational   This is logged in the event it was failing: Capability change on {57a83755-d89b-4a01-a72d-d4786875d856} (0x6008009000000 Family: V4 Capability: None ChangeReason: ActiveHttpProbeFailedButDnsSucceeded)   I need to allow "www.msftconnecttest.com" this site access in pre-logon policy.   For more info check this blog https://support.microsoft.com/en-us/help/4494446/an-internet-explorer-or-edge-window-opens-when-your-computer-connects https://www.ghacks.net/2014/02/07/disable-customize-windows-internet-connection-test-improve-privacy/ https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc766017(v=ws.10)?redirectedfrom=MSDN     I hope this helps fix your guys issue   RJ ... View more

Re: Split tunneling based on the domain is not working.

by in GlobalProtect Discussions
‎04-01-2020 08:10 AM
‎04-01-2020 08:10 AM
Hey All   If the application process is located in the user profile directory and would like the ability to use that application for exclude and include then please have your SE vote for this feature request  FR#11579   Currently GP client does not support the ability to white-list process id located in the user profile directory. Example application is Microsoft teams   Thanks RJ ... View more

Re: Split tunneling based on the domain is not working.

by in GlobalProtect Discussions
‎03-25-2020 10:31 PM
1 Kudo
‎03-25-2020 10:31 PM
1 Kudo
Hi MickBall   That is what I had and observed also, in the palo traffic logs i could see ms-teams app coming for VPN users. Before I found this forum I had also opened a ticket with support on this issue as wanted a way to confirm traffic for sure is being split or not. What they informed me applications sitting in user context is not supported at this time. I would prefer to use Process ID then IPs as IPs can change and keep config up to date without any automation and checking for changes     ---- Here is what the TAC mentioned to me ---- " The full path of the application to be included from the tunnel is currently only resolvable in PanGPS context for windows it is system service context. While for Mac, it is root context in prelogon and user context after user logon. Currently you have the following path %USERPROFILE%\AppData\Local\Microsoft\Teams\current\Teams.exe In order for PanGPS to resolve the path you will need to shift the path to a system service context as opposed to a user context as shown in the example below, "%ProgramFiles(x86)%\Google\Chrome\Application\chrome.exe" Other customer requested us to improve this path issue and submitted it as a feature request. But it has not been implemented yet. So we suggest to avoid this issue by routing. Add routes to exclude from the VPN tunnel. These routes are sent through the physical adapter on endpoints rather than through the virtual adapter (the tunnel).   " ... View more

Re: Split tunneling based on the domain is not working.

by in GlobalProtect Discussions
‎03-25-2020 11:25 AM
‎03-25-2020 11:25 AM
Thanks for that.. I am curious have you tried doing split tunnel based on process name   exclude-applications [ "%PROGRAMFILES(X86)%\VMware\VMware Horizon View Client\vmware-view.exe" "%PROGRAMFILES(X86)%\VMware\VMware Horizon View Client\x64\vmware-remotemks.exe" "%PROGRAMFILES%\Microsoft Office\root\Office16\OUTLOOK.EXE" %LOCALAPPDATA%\Microsoft\Teams\current\Teams.exe];   Raj ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎03-13-2022 01:30 AM
Latest Tags
No tags yet
Likes Given To
View All
LEGAL NOTICES
RESOURCES
Copyright 2007 - 2022 - Palo Alto Networks