About Rboehme

I did accept the key on both firewalls and then enabled encryption but again it caused issues with HA1 not coming back, also issues with then VPN tunnel (as before) and also user ID didnt work i had to run the command "debug user-id refresh group-mapping all" to get that working again.   So obviously there is issues with enabling encryption for HA ... View more

Hello, Is ping allowed in the Interface Management Profile that is applied to the interface? This is in addition to the allow security policy.   Regards, ... View more

Hi James,   from my point of view there is no downsite. If your ruleset is appropriate there is no reason to let the intra-/inter-zone Default rules not log events. As mentioned by other user you can have a deny/any/any rule before the default rules but this is basically only useful if you have setup policies for everything. Imagine some customer/partner wants to setup a VPN with your outside interface. As he is based within the outside zone as well as your outside interface this would normally hit the "intra-zone default rule" - which can not being hit when a deny/any/any statement is placed before.   The best practice is to set logging to "at session end" and you can safely enable the logging on those rules as I do primarily assume you do not want this rule to be it but when it gets hit you want to see it in the logs.   Kind regards, Rene ... View more

While my response doesn't come with an authoritative 100% assurance, I would suspect the answer to your question is "it does not."   Pre-Logon is a function of Global Protect where the user on the machine is currently unknown.  "Known-user" comes from various authentication sources UIA/GP/CP/SSO (NTLM).  I can't imagine you'd have that many security rules which would be attributed to a "pre-logon" identified user. ... View more

@Rboehme, The servers in Group1 will be polled and contact will stop once a user is matched authenticated. If the entire Group1 does not find a match it will continue to Group2. If The first polling server in Group1 never goes down then I believe your assumption is correct that the others will never be consulted.  ... View more

Do look at the packet flow process noted above. The general flow is:   Routing lookup -  This is needed to assign zones and know the egress interface NAT - This occurs then to get the final ip addresses after NAT Security policy check - now we have all the information to confirm if the flow is permitted Deeper inspections - if permitted, we perform any deep inspections applied to the policy   https://live.paloaltonetworks.com/t5/Learning-Articles/Packet-Flow-Sequence-in-PAN-OS/ta-p/56081 ... View more

I think you're mingling 2 concepts of the ldap server, being group membership information and userID information   the ldap profiles can be used to extract groups, users and group membership from the ldap server. in the ldap profile one server is used for retrieval and authentication, as all servers in the profile should contain the same information (the ldap tree with all the groups and users for it's domain)   userID does not use the ldap profile: user to IP mapping is gained through UserID agents, Captive portal, API calls ,.. and only after the firewall gains a user-ip mapping is the user matched to a user object and group membership obtained through the ldap   so no information should be lost unless your ldap servers do not replicate their ldap tree information   for UserID information, all 4 servers should be polled by a UserID agent to detect the distributed logins     ... View more

Actually what you can to is:   - attach your trust interface to the VR - attach your untrust interface to the VR - go to the CLI and enter "ping source <ip-of-trust-interface> host <ip-of-host-in-untrust-zone>   A setup like this would normally be trust (LAN) to untrust (internet) so in my case it would be:   ping source 192.168.0.1 host 8.8.8.8   If the ping succeeds you know that your VR is working.   ... View more

Dear cpainchaud ,   thank you for your suggestion. I will check that out. At least I got a clue now. I will get back here if I found a solution. ... View more

Hi...Please contact Support so that we can troubleshoot the SCP issue that you are experiencing.  Thanks. ... View more

Hello Rene, If the VPN tunnel has been assigned to a different zone, you may try to create a custom report to get login details done by the VPN users. Thanks ... View more