This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
- AIOps for NGFW
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- Cloud NGFW for AWS
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
About MikeMeredith
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About MikeMeredith
Online
24Posts
11Likes
1Solution
Jul 01, 2022Last Visited
User
Activity
User
Profile
Latest posts by MikeMeredith
| Subject | Views | Posted |
|---|---|---|
| 520 | 10-18-2021 06:08 AM | |
| 578 | 09-30-2021 04:57 AM | |
| 694 | 09-17-2021 01:45 AM | |
| 753 | 09-16-2021 06:40 AM | |
| 1554 | 01-17-2021 04:20 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 2 Likes | 01-17-2021 04:20 AM | |
| 4 Likes | 03-26-2020 10:20 AM | |
| 1 Like | 07-04-2018 04:24 AM | |
| 1 Like | 03-01-2016 01:58 AM | |
| 2 Likes | 02-18-2016 01:03 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 12-12-2014 02:54 AM |
| Date Last Visited | 07-01-2022 11:23 AM |
| Posts | 24 |
| Total Likes Received | 11 |
10-18-2021
06:08 AM
Hi! Probably a dumb question, but although I can see the Linux GlobalProtect client in Panorama (Panorama → Device Deployment → GlobalProtect client), I can download a specific version (5.3.1), I can't activate it - when I "activate" it doesn't list any of my firewalls. If I go to the firewalls, it doesn't list the Linux clients and I can't manually upload a Linux client. This is problematic as getting people to update outdated Linux clients is somewhat trickier without being able to force it centrally, and we /do/ get quite a number asking about the Linux client. So is there a way to push the client onto the firewalls in the same way that the rest of 'em work? We're currently running PanOS 9.1.x.
... View more
09-30-2021
04:57 AM
For the benefit of anyone who manages to break things this way, it turned out that the problem was that a URL filtering policy was blocking HIP matches! Don't apply URL filtering to accessing your own servers 🙂
... View more
09-17-2021
01:45 AM
No progress, but one additional clue from the client logs :- P1827-T17939 09/17/2021 09:27:49:048 Debug(1679): SendHipReportToGateway ${somefqdn} returns FALSE. So the gateway is telling the client not to send HIP data after the portal has told it to collect it? Has some daemon on the firewall crashed and not restarted?
... View more
09-16-2021
06:40 AM
Hi! An exciting start to the day - a security policy with a HIP profile ("compliant" - basically running an approved os) that previously worked fine, stopped working for a random selection of people and rapidly became less random and more universal. After ripping out that requirement (so my phone wasn't making quite so much noise), dug into what was going on - seemingly almost all of the HIP data isn't being sent/logged :- msm@helix(active)> debug user-id dump hip-profile-database statistics WARNING: terminal is not fully functional - (press RETURN) Total number of hip in database: 3 Total number of logout records in database: 19577 Total size of hip reports: 67926KB used / -931840KB (there's currently a touch under 600 users logged in) And that negative size worries me. Any ideas for fixes/areas to look at? This has of course been logged to our support team.
... View more
- Tags:
- globalprotect
01-17-2021
04:20 AM
2 Kudos
For the benefit of anyone else who was using a QuoVadis certificate for their GlobalProtect portals/gateways (or presumably decryption), the process of replacing that intermediate is surprisingly easy. Just import the new intermediate certificate using exactly the same name as the old intermediate certificate and it simply gets replaced. Which suggests an improvement - a warning that you're replacing a certificate in use with the option to cancel. You can verify that the new certificate is in place with =openssl s_client -showcerts -connect ${ip}:443= (some of us old farts can't remember those incantations like we used to). Probably blindingly obvious and too late, but someone might find it useful. Oh! And this was with PanOS 9.0.x
... View more
- Tags:
- Certificate Profile
07-01-2020
05:50 AM
Thanks! I suspect you're right, but there was no harm in asking. My support route has me messing around with file blocking to get the file names logged 😐
... View more
06-30-2020
02:16 AM
Probably a bit of weird question this one, but as the Evil Firewall Admin at an academic institution I sometimes get asked weird questions so I thought I'd pass the joy onwards. We have a researcher who is interested in data on piracy, and I thought I'd try to collect some data on bittorrent traffic (which is mostly allowed) including the filenames. Unfortunately the firewall logs don't seem to include the filenames for bittorrent. a) Is this down to a configuration setting I've not found as yet? b) Is there some other way of including that data? It's quite possible I'm asking for something that's effectively impossible but it doesn't hurt to ask. (Running PA5250s in active/standby running PANOS 8.1.15)
... View more
03-27-2020
01:18 AM
Left this dangling all that time ago. The problem was fixed by upgrading to GlobalProtect 5.0.8 (I think). There was a problem with replacing the relevant driver - presumably something unknown was holding onto it preventing the upgrade from occurring. The 'fix' was for the client to replace the driver on a reboot if it wasn't right. Or something roughly along those lines - I'm not a Windows person.
... View more
03-27-2020
01:10 AM
Thanks for that ... did the trick. For completeness, it is necessary to go into each agent configuration in turn and do the "Okay" thing. Guess this is one downside to my habit of always cancelling out when I'm not making changes!
... View more
03-26-2020
10:20 AM
4 Kudos
Hi! Got a bit of a puzzling issue: This morning was committing a change when I got this mysterious error :- "GlobalProtect App Dynamic Configuration misses information for 'show-system-tray-notifications'" ... repeated for each of the GlobalProtect portal agent configurations (six across two portals). None of the changes I've made recently go anywhere near the GlobalProtect portals - there's been a change or two within the gateways but not the portals. The dumped configuration (we check all changes into a repository) contains what I believe to be the right configuration :- » grep system-tray owl.config set global-protect global-protect-portal ThePortal client-config configs chromebooks gp-app-config config show-system-tray-notifications value no set global-protect global-protect-portal ThePortal client-config configs globalprotect-testing gp-app-config config show-system-tray-notifications value no set global-protect global-protect-portal ThePortal client-config configs Default gp-app-config config show-system-tray-notifications value no set global-protect global-protect-portal AutoPortal client-config configs Windows-globalprotect-testing gp-app-config config show-system-tray-notifications value no set global-protect global-protect-portal AutoPortal client-config configs Windows gp-app-config config show-system-tray-notifications value no set global-protect global-protect-portal AutoPortal client-config configs Chromebooks gp-app-config config show-system-tray-notifications value no Although the validate showed a failure, the actual commit worked (although it caused a few extra grey hairs). It gets even weirder: A colleague was trying to find the relevant item within the GUI ("Show System Tray Notifications") and couldn't find it. Whilst it was in my browser initially, after closing the tab and re-opening it, it had disappeared! Anyone see anything like this? Or am I going even madder? Running 8.1.9 on PA5250s
... View more
08-16-2019
04:40 AM
Hi! The driver that comes with the GlobalProtect client (the PanGP virtual adapter interface). One workaround that was suggested can be found at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5eCAC - but for some of our users, it keeps happening to the point that they give up with the VPN.
... View more
08-16-2019
02:54 AM
Hi! We have on ongoing issue with Windows users trying to use the Globalprotect client (up to 5.0.3 now) resulting in up to 30% of the clients persistently breaking with a driver issue[0] which has gone on long enough that we're considering using another VPN gateway. Yes it's been raised (nearly a year ago now). Some questions :- a) Are others seeing this at all? b) Are there third party VPN clients that work reliably and will connect to the GlobalProtect portal/gateway? 0: The standard fix for the corrupt driver sometimes seems to work, sometimes works once (but immediately corrupts again).
... View more
01-29-2019
02:14 AM
In short, DNS flag day is about dropping support for communicating with broken "DNS servers" that don't support EDNS (one feature of which is support for DNS within UDP packets of size > 512 bytes) - there are currently work-arounds in place that slow down DNS. As support for EDNS has been around for years, it's time the work-arounds were dropped. As an indication of how old this stuff is, I recall testing that EDNS support worked when I rolled out a Cisco FWSM back in 2004/5. You might run into trouble if you're running authorititative DNS servers :- a) On really ancient DNS software (Microsoft DNS has been mentioned although I suspect they're talking about NT4 era) b) Behind a broken firewall that assumes that DNS packets > 512 bytes is in error. For anything released in the last 5 years this would probably mean a deliberate configuration choice. I'm running some of my authorititative DNS servers behind PA firewalls and have tested them for complience a couple of days ago - no issues.
... View more
07-04-2018
04:44 AM
Something very similar :- all_pktproc_7: got max gdb failure event, telling all group to restart gdb: 2 tracked gdbs, calling early dp down fail gdb: 3 tracked gdbs, calling early dp down fail gdb: 3 tracked gdbs, calling failure event I just picked out the "Dataplane down" one out as a good event to pick the time out of.
... View more
07-04-2018
04:24 AM
1 Kudo
Also seen here. Two PA5060s upgraded to 8.0.11 from 8.0.9. First one started running 8.0.11 at 05:13 this morning; data plane went 'bang' at 09:10. Switchover occurred with no users reporting issues fine; second data plane went 'bang' at 11:16. Might just be volume of work related. The specific error in the normal logs is "Dataplane down - too many dataplane processes exited."
... View more
LEGAL NOTICES
Copyright 2007 - 2022 - Palo Alto Networks