About MartinE

I'm having problems getting pre-logon to work on MacOS. There are a number of issues. - To start with, I can't seem to get the GlobalProtect icon from the login screen after several tries. - Then, even when I log in to the device and try to connect to GlobalProtect, I get prompted for keychain access so that GlobalProtect can access the machine certificate. I've seen the document that explains how to give GlobalProtect access to keychain so that I don't get this prompt. Even after making those changes, GlobalProtect doesn't attempt to connect from the login screen. It only attempts to connect when I've logged in to the device. - Another thing I've noticed is, when I look at the GlobalProtect logs for the Mac, I actually see the 'Auth Method' as 'Certificate'. BUT, the source user is the device name (which is defined in the certificate) rather than the 'pre-logon' user which I would expect for pre-logon, before the actual source user. - GlobalProtect version is 5.2.10. Mac OS version is Monterey 12.4   Config settings used: GlobalProtect Portal - GlobalProtect portal > Authentication    - Allow authentication with user credentials or client certificate: Yes    - Certificate profile: None - GlobalProtect portal > Agent Config 1    - Save User credentials: Yes    - Generate cookie for authentication override: Yes    - Allow cookie for authentication override: Yes    - User: pre-logon    - Connect method: Pre-logon (Always-On)   Config 2    - Save User credentials: Yes    - Generate cookie for authentication override: Yes    - Allow cookie for authentication override: Yes    - User: any    - Connect method: Pre-logon (Always-On)   GlobalProtect Gateway - GlobalProtect gateway > Authentication    - Allow authentication with user credentials or client certificate: Yes    - Certificate profile: <root certificate>   Any ideas on what I'm missing? ... View more

I'm considering using Directory Sync for my Panorama-managed Prisma access tenant and would like to clarify certain aspects of using Directory Sync. - Is there a recommended number of Cloud Identity agent hosts to be deployed? - Palo Alto's documentation says the certificates generated using the Cloud Identity Engine apps expires 3 months from issuance date and renews automatically for version 1.5.0 and above. Are there specific ports or app-IDs that need to be allowed in policy to ensure automatic renewal? - In Panorama, when Directory Sync is enabled, a warning message is displayed saying: "After you enable Directory Sync, Prisma access obtains its user and group mapping information from the Directory Sync Service only, and any existing user and group mapping settings will be ignored".     - Given the above error, does that mean there's the possibility of a temporary outage while the firewalls lose/clear any previous AD group information from LDAP profiles and update their information using Directory Sync?     - If there are already policies in place that have been configured using the long-form Distinguished Name, will enabling Directory Sync affect the existing configured policies?   Thanks. ... View more

I have a few users reporting problems with opening some web pages in internet explorer (IE) when connected to GlobalProtect. Clicking on the email link simply opens up a blank page in IE. When the same link is pasted in Chrome, it works OK. When using Cisco AnyConnect, the problem with IE does not occur and email links open as normal.   Has anyone seen a similar issue? Any suggestions of a possible fix? ... View more