Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Live
- ›
- About sjamaluddin
About sjamaluddin
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
11-20-2017
96Posts
52Likes
16Solutions
Nov 20, 2017Last Visited
User
Activity
User
Profile
Latest posts by sjamaluddin
| Subject | Views | Posted |
|---|---|---|
| 817 | 09-18-2014 09:10 AM | |
| 668 | 09-18-2014 08:47 AM | |
| 771 | 07-26-2014 12:45 AM | |
| 176 | 07-26-2014 12:40 AM | |
| 842 | 07-26-2014 12:34 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 04-12-2014 03:37 PM | |
| 2 | 08-28-2013 02:40 PM | |
| 1 | 04-10-2012 02:59 PM | |
| 1 | 03-13-2012 08:31 AM | |
| 1 | 05-17-2012 02:28 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 1 |
User Badges
Public Statistics
| Date Registered | 06-15-2011 09:58 AM |
| Date Last Visited | 11-20-2017 02:45 PM |
| Total Messages Posted | 155 |
| Total Likes Received | 52 |
09-18-2014
09:10 AM
When upgrading to a new major release, you'd have to download the new baseline first. So in this case you'd need PAN OS v6.0.0 in the device (even if you don't install it) and then download and install PAN OS v6.0.1 or v6.0.x You ought to be able to see PAN OS v6.0.0 through the same check now, since you can see PAN OS v6.0.1 however, if there is a problem. perhaps you can try the upload file PAN OS v 6.0.0 manually?
... View more
09-18-2014
08:47 AM
1 Kudo
Can you please ensure that "UseriD is enabled" under the zone you are trying to monitor these users off of? Check under Network>>Zones >> check the box for UserID
... View more
07-26-2014
12:45 AM
One would user UserID agent - if you have a distributed DC set up - across multiple WAN locations. That way you can run the UseriD Agent on each DC at the remote location and keep their chatter local. Then only send the filtered (specific IP to user mappings) across the WAN to a head end firewall. If however, you'd like to keep everything under one administrator groups's control (sometimes server folks and network folks have trouble sharing info.), then it may be easier to simply run the UserID agentless on the firewall. That way, only the access to AD via the LDAP admin account will be needed to have the firewall talk to the DCs. This would be preferred i n cases where the DCs and firewall are all local and there is no WAN link to cross.
... View more
07-26-2014
12:40 AM
Hello You said that the user was not part of any group. As such, have you added that user to the Authentication profile for GP Portal / GW as an individual user there? You can do the reset command - as that forces the LDAP server to pull all the users/ groups from the AD again (before its hourly update). If you add a new user to a group or to AD, the firewall groups ought to be reset so as to pull any new users / groups on the AD
... View more
07-26-2014
12:34 AM
UserID agent 6.0x supports AD 2012 The latest and current version of the UseriD Agent is 6.0.3
... View more
07-26-2014
12:19 AM
When you have no IP to user mapping for a particular IP address, for traffic that comes in on a zone that has User Identification enabled, AND a CP policy is enabled, then the CP page should be triggered. When looking at the Security policy, you are trying to restrict traffic for only "Known" users - whether they known via the User ID agent, or CP, or GP, the security policy will control what traffic is allowed for what users. If you choose to put "unknown" or "any" - that would imply that you do not really care about "known" users. The security policy is more for controlling who gets what access. To trigger the CP policy, you ought to look at the CP policy and the zones and addresses for which you'd like the CP policy triggered.
... View more
07-26-2014
12:12 AM
When you logon with the administrator credentials, you may be being ignored by the UserID agent (check your configs, as admin users are often part of the ignore list). So, when you log on with administrator credentials, the firewall may not have a mapping for you, (as administrator) and so the CP page is exhibited. The reason folks put the administrator account in the Ignore List is to not create a mapping for that account as many services log in with that account (in the background) and can potentially overwrite the actual user to IP mapping for a user who may be at that IP address. If that is the case, that your administrator user is in the ignore list, the CP page is to be expected but only for web browsing and https:// To not see this page, consider creating a CP policy such that it excludes your DCs so that your policy will read "no captive portal" for the set of IP addresses that are Domain Controllers - where you log on with your administrator account.
... View more
07-26-2014
12:03 AM
You may be forced to open a case with your distributor, but they can then open a case with Palo Alto Networks Support. I fear this issue needs some further investigation, so if you were to get a Support case going, you are right, it would be faster. Also, yes, the procedure should be the same, to open a case for non hardware related issues. However, it may be best to consult your distributor as I am not privy to the contracts for Italy.
... View more
07-25-2014
04:02 PM
1 Kudo
Hello If you were to increase the delta to be 5 sec. you are correct in all the ways you have understood this. The main concern will be that you may see a lot more "unknowns" on the firewalls (because there may be traffic to the firewall even before the user tries to send out traffic) You may then see the firewall requesting mappings for these "unknowns" to all your DCs so the traffic from the firewall towards the DCs may increase in size and the firewall would then be sending these out to all the DCs so the overall problem of congestion may be exacerbated. However, there is no hard and fast line. If you increase the delta and see no "real" increase in the troubles you all are seeing right now, you could increment that to 3 or more seconds. The PAN makes a list of "unknown IP addresses" and requests them in bulk to the DCs Overall this may have consequences on the memory used by the Userid daemon and overall performance (management plane) may be affected.
... View more
07-25-2014
02:00 PM
Thanks for sharing I seems that we will have to look deeper. From what you showed: From the netstat log, only one connection has source port within range of (User) source port range configured in TsAgent (20000-57499). TCP 172.30.2.121:23939 204.79.197.200:443 ESTABLISHED The others are within the System Source Port range (57500-65499). Either that single connection is the only logged-on user traffic at that time, or somehow the (User) source port allocation range not in effect? Would you be able to open a Support case for this?
... View more
07-25-2014
11:17 AM
Could you share the netstat from the server running the TS Agent?
... View more
07-25-2014
09:54 AM
Sorry, typo: The command is show session all filter source <source user> Am trying to determine if you are missing info in only the GUI logs or does the device genuinely not see the users mapped correctly. The URL filtering logs will not show the user when users are mapped from the TS agent The traffic logs should and the session info should
... View more
07-25-2014
09:31 AM
To view user ip port mappings you should use show user ip-port-user-mapping When looking at the URL Filtering Logs the information for TS Agent user ip mappings is not available in there. The debug logs of user id daemon would also show the correct mappings. However, if you are not hitting the correct security rules, then there appears to be another issue. What do you see in the traffic logs? Can you share the output of a "show session info filter source <source user>"?
... View more
07-25-2014
09:13 AM
What is the version of the PAN OS on the firewall? Also, is this happening on the GUI only, or do you find that the CLI also reports the same incorrect info for the ports and shows no users for the source user?
... View more
07-25-2014
09:02 AM
Hello While we investigate why the ports are showing up as the system source ports rather than the user source ports, could you please confirm one thing: do you have User Identification enabled on the zone this traffic comes in on? This might explain the "empty" field you see for source user. Also, what is the version of the PAN OS on the firewall? Also, is this happening on the GUI only, or do you find that the CLI also reports the same incorrect info for the ports and shows no users for the source user?
... View more
07-11-2014
09:01 AM
Your config on the firewall is expecting IP instead of FQDN Check below. Choose the appropriate option and the error should go away.
... View more
07-09-2014
11:51 AM
What version of PAN OS are you running on the two HA peers? The new user that was added, was he added to a group called "domain users"?
... View more
07-09-2014
11:43 AM
Would you be able to uninstall and then reinstall GP v2.0.3 anew? What OS are you trying to load this on? Are you trying to install by connecting to the portal or was it a clean install from the MSI file from the support.paloaltonetworks.com site?
... View more
06-20-2014
08:28 AM
The PCs that are being probed are likely not set for WMI responses. As for why it works when the user logs in again, that is how IP to user mappings are made so that makes sense. In addition to WMI probing, (considering these appear to be failing) you can be monitoring other servers in the Windows domain (e.g. file maps. printers, exchange mail servers) so that you can maintain the mapping and the user does not have to log in to refresh the mappings To be able to maintain mappings as the user maps drives etc. enable "server session read" on the UserID agent and the UserID agentless on the firewall so even if WMI probes you may have success in maintaining the user to ip mappings without relying solely on when the users log in. HTH
... View more
06-17-2014
02:45 PM
1 Kudo
Ensure that the certificates and their signer certificates (in a chain) are all included in the GP Portal >> Client Configuration >> Root CA section. That became mandatory in the later versions of PAN OS v5.0x
... View more
06-17-2014
10:12 AM
We released 1.2.x and 2.0.x - the two trains in parallel. And yes, you are correct, if you were to download GP 2.0.3 and activate it on the firewall, the users will be prompted to upgrade their GP client version whenever they connect to GP next. Thanks
... View more
06-13-2014
09:45 AM
Though it is always preferred to keep the PAN OS and UserID agent at par, even though you can of course run them as kadak said.
... View more
05-29-2014
02:51 PM
Thanks for your response.Perhaps this needs a deeper look. Would you be able to create a support case to have the PAN engineers take a look? Or, could you please try and restart the web server? debug software restart web-server Are you seeing any issues with any of the other response pages?
... View more
05-28-2014
10:55 AM
Hello Did you all make any recent config changes, like enable multi vsys?
... View more
05-23-2014
04:04 PM
There have been some folks complaining of this but the problem appears out of the blue and intermittently. If you are seeing this, could you please share the details of the client machines. We have had some complaints but it is hard to replicate the issue and as such, any new data would help every one and would help us narrow down the problem. Thanks!
... View more
04-25-2014
02:08 PM
You would have to ensure that the entire certificate chain (in your case the intermediate) that may have been used to sign the server certificate is imported onto the PAN firewall. Under the following tab: Network>>Global Protect>>Portal>> Client Config where it says "Root CA" - please include the requisite certificates to complete the certificate chain if they are in the PAN firewall, you can use the drop down. HTH
... View more
04-12-2014
03:37 PM
1 Kudo
Do you know if those PCs from where the usernames appear without the domain are perhaps running some sort of service in the background that is only associated with the username (and is missing the domain). Do you see logon event on the AD / DC security events with just the username? What is the user-ip-mapping on the UserID agent when you see the logs on the firewall show only the username?
... View more
04-12-2014
03:30 PM
What happens if the user adds the prefix to the username to specify the child domain so that when the request is forwarded from the PAN firewall towards the RADIUS server the request is as follows ChildDomain\username rather than the user just trying to authenticate with the username only?
... View more
04-12-2014
03:24 PM
1 Kudo
NTP content was modified in content 428 to counter certain apps that were using the same udp port 123 to pass traffic. The behavior has been corrected will appear as such the next release.
... View more
10-07-2013
10:49 AM
1 Kudo
If there are users that have disappeared completely since disabling Server Session, are you not logging those users through a regular AD log on event? Could you check whether or not there is a log on entry for those users in AD If Server session is the only way you were logging those users then that may explain why those users have disappeared from your logs (and why they may not be falling in the correct security rules). Please ensure that the DC has these users' log on events and if not - then that would imply that you are only using server session to map these users in which case you may be forced to re-enable server session.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
11-20-2017
02:45 PM
|
Latest Tags
No tags yet
Latest Blogs
Latest Posts
Copyright 2007 - 2020 - Palo Alto Networks
