This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About RonCarmack
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About RonCarmack
03-24-2023
12Posts
6Likes
0Solutions
Mar 24, 2023Last Visited
User
Activity
User
Profile
Latest posts by RonCarmack
| Subject | Views | Posted |
|---|---|---|
| 3028 | 08-17-2022 05:14 AM | |
| 3436 | 03-09-2020 08:07 AM | |
| 3537 | 03-04-2020 11:34 AM | |
| 10612 | 12-17-2019 05:57 PM | |
| 10900 | 12-16-2019 05:22 PM | |
| 5152 | 12-09-2019 03:49 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 3 Likes | 12-09-2019 03:49 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 2 Likes | |||
| 1 Like | |||
| 2 Likes | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 12-04-2019 12:51 PM |
| Date Last Visited | 03-24-2023 12:28 PM |
| Posts | 12 |
| Total Likes Received | 3 |
08-17-2022
05:14 AM
Thanks for your post. I performed this similar fix on a firewall/Panorama and it resolved the issue. I was seeing the SC3 and bad certificate errors as well.
Thanks
... View more
03-09-2020
08:07 AM
Thanks, I upgraded to 1.1.60 and the addresses look good now.
... View more
03-04-2020
11:34 AM
I upgraded Expedition to version 1.1.59 and it's telling me that all of my address objects, that are set to "ip ranges", are invalid. They aren't invalid. I can add them to my Palo Alto firewall in the same format without issue. I'm unable to add address objects using the "ip range" selection. I imported a Cisco ASA config.
... View more
- Tags:
- bug
- troubleshooting
12-17-2019
05:57 PM
Hello, Thanks for your help. The second link you posted provided the debugs I needed to solve this issue. I thought I was receiving the machine certificate judging by the information I saw in the GlobalProtect Settings > Host Profile. The certificate section showed the machine name. But I could never fuly confirm it. I could never get the certificate attributes to match. The second link provided these commands: Debug commands to show the HIP information in the database: > debug user-id dump hip-profile-database entry > debug user-id dump hip-report computer <computer-name> ip <global-protect-assigned-ip> user <username> The first two commands showed the user information and HIP information. Including the certificate information with attributes in the format needed to setup the values. To gain greater visibility, the hip debugs can be enabled via the CLI commands below. The messages are printed to the 'useridd.log' file. These commands showed the actual matching for the HIP objects and profiles. > debug user-id set hip all > debug user-id on debug > tail follow yes mp-log useridd.log The next three debug commands allowed me to see why the attribute match was failing. I was currently trying to match on "issuer". I could see the value the machine cert provided didn't match my value. After adjusting it, I received the message from the Gateway > Agent > Hip Notification, that my system passed the HIP check. I tried other attributes but I can see that the attributes I tried aren't listed in the database. Thanks for your help!
... View more
12-16-2019
05:22 PM
Hello, I've been unable to get my HIP check to work when checking for attributes in a machine certificate. Other HIP checks do work. I'm using my root cert for the Certificate Profile. I don't have/use a intermediate cert as this is a lab. Some of the things I've tried. 1. I configured a certificate profile with the root cert. 2. Portal > Agent > Config Selection Criteria > Device Checks. I selected the root cert profile. 3. Portal > Agent > App > Machine cert is selected. 4. Portal > Portal Data Collection > Certificate Profile my root cert profile. 5. Portal > Agent - "Collect HIP Data" is selected. I'm verifying the HIP checks using HIP Notification under the Gateway Agent. Like I said, my other HIP checks are working. Opening the GlobalProtect settings on a laptop and viewing Host Profile, shows the machine name under "Certificate". The right side of the screen shows the certificate in the form -----BEGIN CERTIFICATE----....... I'm using 9.0.3h3 and GP client 5.0.5. Thanks
... View more
12-09-2019
03:49 PM
3 Kudos
You must use Always-on when implementing internal host detection.
... View more
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks