Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Live
- ›
- About MikeMeredith
About MikeMeredith
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
3 weeks ago
17Posts
9Likes
1Solution
May 15, 2020Last Visited
User
Activity
User
Profile
Latest posts by MikeMeredith
| Subject | Views | Posted |
|---|---|---|
| 345 | 03-27-2020 01:18 AM | |
| 7245 | 03-27-2020 01:10 AM | |
| 7526 | 03-26-2020 10:20 AM | |
| 1063 | 08-16-2019 04:40 AM | |
| 1097 | 08-16-2019 02:54 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 4 | 03-26-2020 10:20 AM | |
| 1 | 07-04-2018 04:24 AM | |
| 1 | 03-01-2016 01:58 AM | |
| 2 | 02-18-2016 01:03 AM | |
| 1 | 01-11-2015 12:13 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 |
User Badges
Public Statistics
| Date Registered | 12-12-2014 02:54 AM |
| Date Last Visited | 3 weeks ago |
| Total Messages Posted | 17 |
| Total Likes Received | 9 |
03-27-2020
01:18 AM
Left this dangling all that time ago. The problem was fixed by upgrading to GlobalProtect 5.0.8 (I think). There was a problem with replacing the relevant driver - presumably something unknown was holding onto it preventing the upgrade from occurring. The 'fix' was for the client to replace the driver on a reboot if it wasn't right. Or something roughly along those lines - I'm not a Windows person.
... View more
03-27-2020
01:10 AM
Thanks for that ... did the trick. For completeness, it is necessary to go into each agent configuration in turn and do the "Okay" thing. Guess this is one downside to my habit of always cancelling out when I'm not making changes!
... View more
03-26-2020
10:20 AM
4 Kudos
Hi! Got a bit of a puzzling issue: This morning was committing a change when I got this mysterious error :- "GlobalProtect App Dynamic Configuration misses information for 'show-system-tray-notifications'" ... repeated for each of the GlobalProtect portal agent configurations (six across two portals). None of the changes I've made recently go anywhere near the GlobalProtect portals - there's been a change or two within the gateways but not the portals. The dumped configuration (we check all changes into a repository) contains what I believe to be the right configuration :- » grep system-tray owl.config set global-protect global-protect-portal ThePortal client-config configs chromebooks gp-app-config config show-system-tray-notifications value no set global-protect global-protect-portal ThePortal client-config configs globalprotect-testing gp-app-config config show-system-tray-notifications value no set global-protect global-protect-portal ThePortal client-config configs Default gp-app-config config show-system-tray-notifications value no set global-protect global-protect-portal AutoPortal client-config configs Windows-globalprotect-testing gp-app-config config show-system-tray-notifications value no set global-protect global-protect-portal AutoPortal client-config configs Windows gp-app-config config show-system-tray-notifications value no set global-protect global-protect-portal AutoPortal client-config configs Chromebooks gp-app-config config show-system-tray-notifications value no Although the validate showed a failure, the actual commit worked (although it caused a few extra grey hairs). It gets even weirder: A colleague was trying to find the relevant item within the GUI ("Show System Tray Notifications") and couldn't find it. Whilst it was in my browser initially, after closing the tab and re-opening it, it had disappeared! Anyone see anything like this? Or am I going even madder? Running 8.1.9 on PA5250s
... View more
08-16-2019
04:40 AM
Hi! The driver that comes with the GlobalProtect client (the PanGP virtual adapter interface). One workaround that was suggested can be found at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5eCAC - but for some of our users, it keeps happening to the point that they give up with the VPN.
... View more
08-16-2019
02:54 AM
Hi! We have on ongoing issue with Windows users trying to use the Globalprotect client (up to 5.0.3 now) resulting in up to 30% of the clients persistently breaking with a driver issue[0] which has gone on long enough that we're considering using another VPN gateway. Yes it's been raised (nearly a year ago now). Some questions :- a) Are others seeing this at all? b) Are there third party VPN clients that work reliably and will connect to the GlobalProtect portal/gateway? 0: The standard fix for the corrupt driver sometimes seems to work, sometimes works once (but immediately corrupts again).
... View more
01-29-2019
02:14 AM
In short, DNS flag day is about dropping support for communicating with broken "DNS servers" that don't support EDNS (one feature of which is support for DNS within UDP packets of size > 512 bytes) - there are currently work-arounds in place that slow down DNS. As support for EDNS has been around for years, it's time the work-arounds were dropped. As an indication of how old this stuff is, I recall testing that EDNS support worked when I rolled out a Cisco FWSM back in 2004/5. You might run into trouble if you're running authorititative DNS servers :- a) On really ancient DNS software (Microsoft DNS has been mentioned although I suspect they're talking about NT4 era) b) Behind a broken firewall that assumes that DNS packets > 512 bytes is in error. For anything released in the last 5 years this would probably mean a deliberate configuration choice. I'm running some of my authorititative DNS servers behind PA firewalls and have tested them for complience a couple of days ago - no issues.
... View more
07-04-2018
04:44 AM
Something very similar :- all_pktproc_7: got max gdb failure event, telling all group to restart gdb: 2 tracked gdbs, calling early dp down fail gdb: 3 tracked gdbs, calling early dp down fail gdb: 3 tracked gdbs, calling failure event I just picked out the "Dataplane down" one out as a good event to pick the time out of.
... View more
07-04-2018
04:24 AM
1 Kudo
Also seen here. Two PA5060s upgraded to 8.0.11 from 8.0.9. First one started running 8.0.11 at 05:13 this morning; data plane went 'bang' at 09:10. Switchover occurred with no users reporting issues fine; second data plane went 'bang' at 11:16. Might just be volume of work related. The specific error in the normal logs is "Dataplane down - too many dataplane processes exited."
... View more
12-01-2017
02:56 AM
Hi! I've recently had someone complain that the native macOS/OSX VPN client wouldn't connect to the VPN (PANOS 8.0.6). Turns out that they were using an unsupported macOS version, and weren't using the globalprotect client 'because it didn't work'. The official response to them is a) get a supported version of macOS b) use the GlobalProtect client. But it got me curious. Way back when we replaced a very crufty VPN box with the Palo Altos, I spent some time testing various VPN clients and the macOS native VPN client worked fine. Does anyone know if Apple have 'done something' to break it? Know of a fix? I'm suspecting it's Apple to blame here - 3rd party VPN clients such as Linux (Fedora Core 26) vnpc, Android (vpnzilla), and iOS (reportedly) all work fine. The experience on a macOS device is that the VPN client successfully connects, but no packets appear to flow either way. ✓ msm@TrwynMochyn» ifconfig utun1
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
options=6403<RXCSUM,TXCSUM,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
inet 148.197.84.55 --> 148.197.84.55 netmask 0xffffffff
✓ msm@TrwynMochyn» netstat -in | grep utun1
utun1 1280 <Link#15> 0 0 0 0 0
utun1 1280 148.197.84.55 148.197.84.55 0 - 0 - -
✓ msm@TrwynMochyn» ping 148.197.84.55
PING 148.197.84.55 (148.197.84.55): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
Request timeout for icmp_seq 6
^C
--- 148.197.84.55 ping statistics ---
8 packets transmitted, 0 packets received, 100.0% packet loss
... View more
03-01-2016
01:58 AM
1 Kudo
Just to confirm that suspicion - the updates to my test firewall and Panorama went through fine today whereas I was seeing this issue yesterday.
... View more
02-24-2016
08:02 AM
Thanks.
That's pretty much the solution I've used. I just wanted to know if I was missing something obvious.
... View more
02-24-2016
03:50 AM
It's perfectly possible I'm being unusually dumb here, but I can't see an elegant way of allowing application usage on non-standard ports - for example ssh on tcp/32777. The obvious way of doing it is to allow a rule that allows appid:ssh on service:ssh-ports (being a service group consisting of tcp/22 and tcp/32777).
That works fine, but is rather clumsy when you have a rule that has thousands of applications with service set to "application default" (you end up with dozens of rules to cope with all the non-standard ports).
I looked to see if you can change the 'application-default' for an application to add custom port numbers.
I've tried creating a custom application which is tcp/32777 and a parent application of 'ssh'. Doesn't seem to work.
Am I missing something obvious? Or am I not trying hard enough with the custom application rule?
... View more
02-18-2016
01:03 AM
2 Kudos
It's do-able at the cli with some shell scripting.
If you export the configuration in set cli config-output-format set format, then a relatively simple shell script is sufficient to point out various objects :-
for obj in $(awk '/^set address/ {print $3}' firewall.conf)
do
echo $obj $(grep $obj firewall.conf | wc -l)
done
A count of 1 is worth investigating, and this method can be extended to look at other object types.
... View more
10-22-2015
06:16 AM
And like Linux you can use 'h' to show a help screen with more commands on.
... View more
01-11-2015
12:27 PM
Thanks again. I'll get onto all the necessary details tomorrow when I log a call with support. But some quick responses :- Yes the useridd process is hogging cpu at times (show system resources follow ("top" is quicker to type) shows useridd at 99% often). Can't list the groups through the firewall presently (I get an error), but there's a fair few - I recall seeing a figure of 3,000 but don't quote me on that. Yes the firewalls have been rebooted after the problem arose; they operated fine for a day and then we started being unable to commit changes (as you can imagine when migrating a large ruleset from an old firewall there's a few changes to be made!). No users authenticating (or being identified) as yet. There's no real traffic passing through, although we've done some "bench tests" - before adding in the AD details! And lastly for now :- msm@Hula(active)> show system info hostname: Hula ip-address: 10.14.4.64 netmask: 255.255.254.0 default-gateway: 10.14.5.254 ipv6-address: unknown ipv6-link-local-address: fe80::290:bff:fe37:dd0c/64 ipv6-default-gateway: mac-address: 00:90:0b:37:dd:0c time: Sun Jan 11 20:19:24 2015 uptime: 2 days, 13:34:16 family: 5000 model: PA-5060 serial: 001901000769 sw-version: 6.0.7 global-protect-client-package-version: 0.0.0 app-version: 480-2519 app-release-date: 2015/01/06 14:56:48 av-version: 1459-1932 av-release-date: 2015/01/08 04:00:01 threat-version: 480-2519 threat-release-date: 2015/01/06 14:56:48 wildfire-version: 0 wildfire-release-date: unknown url-filtering-version: 0000.00.00.000 global-protect-datafile-version: 0 global-protect-datafile-release-date: unknown logdb-version: 6.0.6 platform-family: 5000 logger_mode: False vpn-disable-mode: off operational-mode: normal multi-vsys: off
... View more
01-11-2015
12:13 AM
1 Kudo
Thanks for the reply. I'm also pretty sure that disabling the "AD" profile will sort things out, but that's a test for Monday unless there's a CLI command along the lines of "commit when you next have a chance to do so" 🙂 There are two LDAP server profiles, but only one is enabled (the Active Directory one). I'd be mildly surprised if there are network issues between either PA-5060 and the relevant AD server as although they're on different VLANs, there not a great deal of network between them. But I'd not be very surprised to find our Active Directory is in a bit of a state - a certain well known Python script that exports the binary database (1.6Gbytes!) to a text version took over a week to run just before Xmas. I'll raise a support call with our reseller and mention 225414. A short extract from the output of tail follow yes mp-log ms.log:- 2015-01-11 07:38:41.515 +0000 device server refresh triggered via sysd
2015-01-11 07:38:41.515 +0000 Aborting. Another refresh in progress2015-01-11 07:38:42.162 +0000 client useridd disabled/restarted
2015-01-11 07:38:44.171 +0000 client useridd enabled
2015-01-11 07:38:44.171 +0000 device server refresh triggered via sysd
2015-01-11 07:38:44.172 +0000 Aborting. Another refresh in progress2015-01-11 07:38:44.823 +0000 client useridd disabled/restarted
2015-01-11 07:38:45.579 +0000 client device reported Phase 1 was SUCCESSFUL
2015-01-11 07:38:46.842 +0000 client useridd enabled
2015-01-11 07:38:46.843 +0000 device server refresh triggered via sysd
2015-01-11 07:38:46.843 +0000 dnscfgmod: Main refresh function: (unknown)
2015-01-11 07:38:46.849 +0000 dnscfgmod:Fqdn refresh job 14006 scheduled
2015-01-11 07:38:47.503 +0000 client useridd disabled/restarted
2015-01-11 07:38:49.510 +0000 client useridd enabled
2015-01-11 07:38:49.511 +0000 device server refresh triggered via sysd
2015-01-11 07:38:49.511 +0000 Aborting. Another refresh in progress2015-01-11 07:38:50.187 +0000 client useridd disabled/restarted
2015-01-11 07:38:52.189 +0000 client useridd enabled
2015-01-11 07:38:52.190 +0000 device server refresh triggered via sysd
2015-01-11 07:38:52.190 +0000 Aborting. Another refresh in progress2015-01-11 07:38:52.844 +0000 client useridd disabled/restarted
... View more
01-10-2015
07:14 AM
Hi! I'm new here, so will probably be asking lots of dumb questions ... but hopefully relatively interesting dumb questions. Currently running PANOS 6.0.7 on a pair of PA-5060s (active-passive). Not currently live (switchover day is 17th January), and we're considering upgrading to 6.1.1 next week. Recently (last few days) ran into an issue whereby configuration commits are being blocked (" Another commit/validate is in progress. Please try again later"). I can work around this by doing a graceful reboot of our pair of PA-5060s but this seems a little extreme and I thought I would dig into it a bit deeper (and raise a support call). Only significant change recently (did I hear "Yeah! Right!" from the hecklers at the back?), was the addition of one of our Active Directory servers to Device-> User Identification -> Group Map Settings. What I've been able to figure out on my own was that there seems to be a job (show jobs all) called "AddrObjRefresh" that seems to be kicking off every 10 seconds or so :- Enqueued ID Type Status Result Completed -------------------------------------------------------------------------- 2015/01/10 14:54:20 8290 AddrObjRefresh ACT PEND 0% 2015/01/10 14:54:09 8289 AddrObjRefresh FIN OK 14:54:19 2015/01/10 14:53:59 8288 AddrObjRefresh FIN OK 14:54:08 2015/01/10 14:53:48 8287 AddrObjRefresh FIN OK 14:53:58 2015/01/10 14:53:38 8286 AddrObjRefresh FIN OK 14:53:47 2015/01/10 14:53:27 8285 AddrObjRefresh FIN OK 14:53:37 2015/01/10 14:53:17 8284 AddrObjRefresh FIN OK 14:53:26 2015/01/10 14:53:06 8283 AddrObjRefresh FIN OK 14:53:16 2015/01/10 14:52:56 8282 AddrObjRefresh FIN OK 14:53:05 2015/01/10 14:52:45 8281 AddrObjRefresh FIN OK 14:52:55 2015/01/10 14:52:35 8280 AddrObjRefresh FIN OK 14:52:44 2015/01/10 14:52:24 8279 AddrObjRefresh FIN OK 14:52:34 2015/01/10 14:52:13 8278 AddrObjRefresh FIN OK 14:52:23 2015/01/10 14:52:03 8277 AddrObjRefresh FIN OK 14:52:12 2015/01/10 14:51:52 8276 AddrObjRefresh FIN OK 14:52:02 2015/01/10 14:51:42 8275 AddrObjRefresh FIN OK 14:51:51 Now for some questions :- Would you think that this might be what is interfering with our commit issue? Is running AddrObjRefresh so frequently a normal thing? If not, is there anything I can do to diagnose what it is trying to do? Is it possible/sensible to try and temporarily stop the AddrObjRefresh job from being scheduled? Please be gentle: I'm a clueless newbie
... View more
Labels:
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
3 weeks ago
|
Latest Tags
No tags yet
Likes From
Latest Blogs
Latest Posts
Copyright 2007 - 2020 - Palo Alto Networks
