Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- 5G/IoT
- Prisma SD-WAN
Network Security
- Prisma Access
- Prisma Access Insights
- Prisma SaaS
- Prisma Cloud
- CN-Series
- VM-Series:
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
Security Operations
- Resources
- COVID-19 Response Center
- LIVEcommunity
- ›
- About CharlesKoh
About CharlesKoh
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Thursday
10Posts
0Likes
1Solution
Feb 25, 2021Last Visited
User
Activity
User
Profile
Latest posts by CharlesKoh
| Subject | Views | Posted |
|---|---|---|
| 330 | 10-12-2020 07:57 PM | |
| 940 | 07-12-2020 06:02 PM | |
| 993 | 07-12-2020 06:13 AM | |
| 1041 | 07-12-2020 01:17 AM | |
| 805 | 07-08-2020 07:09 PM |
User Badges
Public Statistics
| Date Registered | 04-29-2020 06:09 AM |
| Date Last Visited | Thursday |
| Total Messages Posted | 10 |
10-12-2020
07:57 PM
Hi, Any idea or solution to use api to logged out Prisma Access globalprotect connected mobile users?
... View more
07-12-2020
06:02 PM
@BPry Thanks for the reply. I understand and agree with your point that not all firewalls need the user-id information, Having say that, i wish to know the specifics how to disseminate info of AD grouping among firewalls, rather having them to query AD individually, can this be done? large group of users are remote VPN users (prisma mobile), i get their user-id-ip-mapping via my VM firewall querying prisma as Userid agent, this same VM is querying AD for users grouping. Others local network in-office users are connected to internal gateways, and the same VM firewall is querying these gateways to get the mapping. Other firewalls globally include sites server DMZs, and major datacenter firewalls already had it set to VM firewall as userid agent to get user-id mapping info.. From the traffic log, i do able to see users are identified correctly.. Right now, what we need is to simplify firewall rules in all these regions/areas into AD grouping rules instead of IP based or specific username based. I am trying to find alternative against having all these firewalls querying AD just to make configuration more standardize, example having all firewalls using same template that points to same userid agent to get user info
... View more
07-12-2020
06:13 AM
@BPry Hi. Doing your way, does it mean the pa220 will not have the user id to IP mapping of users coming in from global protect(internal or external) since it is just querying AD? Meaning it only get the ad grouping and user-ip-mapping of those login locally? I have multiple device groups to control different set of policies per group. I wish to know how to best disseminate all user information completely to all firewalls with single source of truth which is why I try make all of them point to a same single userid agent
... View more
07-12-2020
01:17 AM
Hi all, I like to ask if it is possible, and and hot to build a scalable solution for AD grouping info to all firewalls managed by panaroma so that they can create firewall rules based on user id and grouping. Current environment I am testing: 1 panorama 1 VM firewall configured as standalone master device in a device group. It queries AD, look into syslog and connect to other userid agents(global protect internal and Prisma) to get user id information Other firewalls in the environment configured userid agent pointing to the VM to learn all the userid to IP mapping info How should I improve on this existing setup to further learn AD grouping info? So that I can build firewall rules using group info? Else using individual username is too much of a chore to maintain. Thankyou
... View more
07-08-2020
07:09 PM
Thanks a lot 🙂
... View more
07-07-2020
02:46 AM
Hi, if i have a couple of internal gateways (A B C) deployed. When an user authenticated successfully to A, the firewall will get its user-id "xxxx@yyy.com"... how do i share this user-id info to gateway B and C, so that they will be able to map IP - user-ID info? Else the firewall policies i have will only works on A and not on B/C gateways. Thankyou
... View more
06-15-2020
05:53 PM
Hi Wade, Thanks for replying. Just further question on the point 3 with regards to Remote Network sites. I do see the community setting based on the BGP status of the remote network. But on my CPE peering with service connections, i checked the BGP prefixes advertised by these remote sites, i do not see the community tag on it like what i've seen on the mobile user prefixes. Is that the case it should be?
... View more
06-07-2020
08:34 PM
Hi all, i have some questions regarding community settings because we use this in our org to influence routes selection. Based on this document "https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/route-preferences-for-service-connection-traffic.html" 1) Are the communities referred in it "65534:X " "65534:Y " "65534:Z " refers to the prisma mobile users IP pools allocation setting per region? 2) When we clicked on the BGP status, network detailed of the service connections, the community number shown in it refers to what? The X Y Z which i mentioned in point 1 above? I have 3 service connections (2 in US and 1 in EU and none in Asia).. these 3 service connections gave me different community numbers, so which is which region? 3) The document only mentioned about mobile users IP prefixes.. I also uses Remote Network (traditional IPSEC) into Prisma.. i like to control the return routes of which service connection to be use based on community.. how do we do what community is being set based on the Prisma Access Locations? Is there a list published somewhere on the community numbers? If i checked on the IP prefix of the remote site specifically, i do see a community tag to it... searching all the BGP Ip prefix will be a big chore, will be good if the community numbers tagging is published somewhere.
... View more
04-29-2020
06:54 AM
Hi, are there currently any ways for us to monitor the utilization for these cloud services?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Thursday
|
Latest Tags
No tags yet
Latest Blogs
Latest Posts
Copyright 2007 - 2021 - Palo Alto Networks
