About dmifsud

I would check the system log with filter ( type  eq auth), and also the authd log from the CLI (less mp-log authd.log) as a starting point.     ... View more

XFF for User-ID means you can filter traffic using users/groups in your security policy when the users are behind a proxy. User-ID rules usually don't work with a proxy, since the proxy IP doesn't have an IP to user mapping, but the real IP in the XFF header does (if User-ID is configured to do so).   XFF for Security Policy doesn't change anything with routing/zones, the session will still match the same zone-pair as before, and the source address will still be the proxy IP so will follow the same return route. The difference is that security rules are enforced based on the XFF IP instead of the source address, if one is parsed.   ... View more

SAML is only supported for iOS with On-Demand.   What Features Does GlobalProtect Support? (paloaltonetworks.com) ... View more

Hey there,   The commands are now under 'gp-broker' instead of 'ssl-vpn', and everything looks a bit different now in 10.2. Hope this helps.   Regards, - DM     ... View more

Hi Michael,   The Certificate profile config is indeed for all operating systems, but at least in 9.1 the " Allow Authentication with User Credentials OR Client Certificate" setting can be configured per operating system. You could have it like this for example:   Cert profile: configured for all OS Windows: Allow Authentication with User Credentials OR Client Certificate = NO OS Android: Allow Authentication with User Credentials OR Client Certificate = YES   This should result in Windows needing a Client Cert + User Credentials, but Android would need only one or the other.   Your second option is also valid. You can use OS in the Config Selection Criteria of the Portal to give a different Portal config to different OS's, and those different Portal configs send them to different Gateways which have different cert profile configs.   - DM ... View more