Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- CN-Series
- VM-Series:
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
Security Operations
- Resources
- COVID-19 Response Center
About MikeMeredith
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About MikeMeredith
Online
20Posts
10Likes
1Solution
Jun 21, 2021Last Visited
User
Activity
User
Profile
Latest posts by MikeMeredith
| Subject | Views | Posted |
|---|---|---|
| 756 | 01-17-2021 04:20 AM | |
| 419 | 07-01-2020 05:50 AM | |
| 490 | 06-30-2020 02:16 AM | |
| 1095 | 03-27-2020 01:18 AM | |
| 17421 | 03-27-2020 01:10 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 01-17-2021 04:20 AM | |
| 4 Likes | 03-26-2020 10:20 AM | |
| 1 Like | 07-04-2018 04:24 AM | |
| 1 Like | 03-01-2016 01:58 AM | |
| 2 Likes | 02-18-2016 01:03 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 12-12-2014 02:54 AM |
| Date Last Visited | 33 seconds ago |
| Posts | 20 |
| Total Likes Received | 10 |
01-17-2021
04:20 AM
1 Kudo
For the benefit of anyone else who was using a QuoVadis certificate for their GlobalProtect portals/gateways (or presumably decryption), the process of replacing that intermediate is surprisingly easy. Just import the new intermediate certificate using exactly the same name as the old intermediate certificate and it simply gets replaced. Which suggests an improvement - a warning that you're replacing a certificate in use with the option to cancel. You can verify that the new certificate is in place with =openssl s_client -showcerts -connect ${ip}:443= (some of us old farts can't remember those incantations like we used to). Probably blindingly obvious and too late, but someone might find it useful. Oh! And this was with PanOS 9.0.x
... View more
07-01-2020
05:50 AM
Thanks! I suspect you're right, but there was no harm in asking. My support route has me messing around with file blocking to get the file names logged 😐
... View more
06-30-2020
02:16 AM
Probably a bit of weird question this one, but as the Evil Firewall Admin at an academic institution I sometimes get asked weird questions so I thought I'd pass the joy onwards. We have a researcher who is interested in data on piracy, and I thought I'd try to collect some data on bittorrent traffic (which is mostly allowed) including the filenames. Unfortunately the firewall logs don't seem to include the filenames for bittorrent. a) Is this down to a configuration setting I've not found as yet? b) Is there some other way of including that data? It's quite possible I'm asking for something that's effectively impossible but it doesn't hurt to ask. (Running PA5250s in active/standby running PANOS 8.1.15)
... View more
03-27-2020
01:18 AM
Left this dangling all that time ago. The problem was fixed by upgrading to GlobalProtect 5.0.8 (I think). There was a problem with replacing the relevant driver - presumably something unknown was holding onto it preventing the upgrade from occurring. The 'fix' was for the client to replace the driver on a reboot if it wasn't right. Or something roughly along those lines - I'm not a Windows person.
... View more
03-27-2020
01:10 AM
Thanks for that ... did the trick. For completeness, it is necessary to go into each agent configuration in turn and do the "Okay" thing. Guess this is one downside to my habit of always cancelling out when I'm not making changes!
... View more
03-26-2020
10:20 AM
4 Kudos
Hi! Got a bit of a puzzling issue: This morning was committing a change when I got this mysterious error :- "GlobalProtect App Dynamic Configuration misses information for 'show-system-tray-notifications'" ... repeated for each of the GlobalProtect portal agent configurations (six across two portals). None of the changes I've made recently go anywhere near the GlobalProtect portals - there's been a change or two within the gateways but not the portals. The dumped configuration (we check all changes into a repository) contains what I believe to be the right configuration :- » grep system-tray owl.config set global-protect global-protect-portal ThePortal client-config configs chromebooks gp-app-config config show-system-tray-notifications value no set global-protect global-protect-portal ThePortal client-config configs globalprotect-testing gp-app-config config show-system-tray-notifications value no set global-protect global-protect-portal ThePortal client-config configs Default gp-app-config config show-system-tray-notifications value no set global-protect global-protect-portal AutoPortal client-config configs Windows-globalprotect-testing gp-app-config config show-system-tray-notifications value no set global-protect global-protect-portal AutoPortal client-config configs Windows gp-app-config config show-system-tray-notifications value no set global-protect global-protect-portal AutoPortal client-config configs Chromebooks gp-app-config config show-system-tray-notifications value no Although the validate showed a failure, the actual commit worked (although it caused a few extra grey hairs). It gets even weirder: A colleague was trying to find the relevant item within the GUI ("Show System Tray Notifications") and couldn't find it. Whilst it was in my browser initially, after closing the tab and re-opening it, it had disappeared! Anyone see anything like this? Or am I going even madder? Running 8.1.9 on PA5250s
... View more
08-16-2019
04:40 AM
Hi! The driver that comes with the GlobalProtect client (the PanGP virtual adapter interface). One workaround that was suggested can be found at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5eCAC - but for some of our users, it keeps happening to the point that they give up with the VPN.
... View more
08-16-2019
02:54 AM
Hi! We have on ongoing issue with Windows users trying to use the Globalprotect client (up to 5.0.3 now) resulting in up to 30% of the clients persistently breaking with a driver issue[0] which has gone on long enough that we're considering using another VPN gateway. Yes it's been raised (nearly a year ago now). Some questions :- a) Are others seeing this at all? b) Are there third party VPN clients that work reliably and will connect to the GlobalProtect portal/gateway? 0: The standard fix for the corrupt driver sometimes seems to work, sometimes works once (but immediately corrupts again).
... View more
01-29-2019
02:14 AM
In short, DNS flag day is about dropping support for communicating with broken "DNS servers" that don't support EDNS (one feature of which is support for DNS within UDP packets of size > 512 bytes) - there are currently work-arounds in place that slow down DNS. As support for EDNS has been around for years, it's time the work-arounds were dropped. As an indication of how old this stuff is, I recall testing that EDNS support worked when I rolled out a Cisco FWSM back in 2004/5. You might run into trouble if you're running authorititative DNS servers :- a) On really ancient DNS software (Microsoft DNS has been mentioned although I suspect they're talking about NT4 era) b) Behind a broken firewall that assumes that DNS packets > 512 bytes is in error. For anything released in the last 5 years this would probably mean a deliberate configuration choice. I'm running some of my authorititative DNS servers behind PA firewalls and have tested them for complience a couple of days ago - no issues.
... View more
07-04-2018
04:44 AM
Something very similar :- all_pktproc_7: got max gdb failure event, telling all group to restart gdb: 2 tracked gdbs, calling early dp down fail gdb: 3 tracked gdbs, calling early dp down fail gdb: 3 tracked gdbs, calling failure event I just picked out the "Dataplane down" one out as a good event to pick the time out of.
... View more
07-04-2018
04:24 AM
1 Kudo
Also seen here. Two PA5060s upgraded to 8.0.11 from 8.0.9. First one started running 8.0.11 at 05:13 this morning; data plane went 'bang' at 09:10. Switchover occurred with no users reporting issues fine; second data plane went 'bang' at 11:16. Might just be volume of work related. The specific error in the normal logs is "Dataplane down - too many dataplane processes exited."
... View more
12-01-2017
02:56 AM
Hi! I've recently had someone complain that the native macOS/OSX VPN client wouldn't connect to the VPN (PANOS 8.0.6). Turns out that they were using an unsupported macOS version, and weren't using the globalprotect client 'because it didn't work'. The official response to them is a) get a supported version of macOS b) use the GlobalProtect client. But it got me curious. Way back when we replaced a very crufty VPN box with the Palo Altos, I spent some time testing various VPN clients and the macOS native VPN client worked fine. Does anyone know if Apple have 'done something' to break it? Know of a fix? I'm suspecting it's Apple to blame here - 3rd party VPN clients such as Linux (Fedora Core 26) vnpc, Android (vpnzilla), and iOS (reportedly) all work fine. The experience on a macOS device is that the VPN client successfully connects, but no packets appear to flow either way. ✓ msm@TrwynMochyn» ifconfig utun1
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
options=6403<RXCSUM,TXCSUM,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
inet 148.197.84.55 --> 148.197.84.55 netmask 0xffffffff
✓ msm@TrwynMochyn» netstat -in | grep utun1
utun1 1280 <Link#15> 0 0 0 0 0
utun1 1280 148.197.84.55 148.197.84.55 0 - 0 - -
✓ msm@TrwynMochyn» ping 148.197.84.55
PING 148.197.84.55 (148.197.84.55): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
Request timeout for icmp_seq 6
^C
--- 148.197.84.55 ping statistics ---
8 packets transmitted, 0 packets received, 100.0% packet loss
... View more
03-01-2016
01:58 AM
1 Kudo
Just to confirm that suspicion - the updates to my test firewall and Panorama went through fine today whereas I was seeing this issue yesterday.
... View more
02-24-2016
08:02 AM
Thanks.
That's pretty much the solution I've used. I just wanted to know if I was missing something obvious.
... View more
02-24-2016
03:50 AM
It's perfectly possible I'm being unusually dumb here, but I can't see an elegant way of allowing application usage on non-standard ports - for example ssh on tcp/32777. The obvious way of doing it is to allow a rule that allows appid:ssh on service:ssh-ports (being a service group consisting of tcp/22 and tcp/32777).
That works fine, but is rather clumsy when you have a rule that has thousands of applications with service set to "application default" (you end up with dozens of rules to cope with all the non-standard ports).
I looked to see if you can change the 'application-default' for an application to add custom port numbers.
I've tried creating a custom application which is tcp/32777 and a parent application of 'ssh'. Doesn't seem to work.
Am I missing something obvious? Or am I not trying hard enough with the custom application rule?
... View more
Contact Me
| Online Status |
Online
|
| Date Last Visited |
33 seconds ago
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2021 - Palo Alto Networks
