This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About Klaverblad
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About Klaverblad
01-30-2023
17Posts
5Likes
1Solution
Jan 30, 2023Last Visited
User
Activity
User
Profile
Latest posts by Klaverblad
| Subject | Views | Posted |
|---|---|---|
| 1604 | 08-02-2022 03:11 AM | |
| 2924 | 03-29-2021 06:56 AM | |
| 4405 | 02-16-2021 10:51 PM | |
| 3538 | 12-22-2020 11:56 PM | |
| 4111 | 12-16-2020 02:09 AM | |
| 4083 | 12-15-2020 10:54 PM | |
| 4087 | 12-15-2020 10:51 PM | |
| 4098 | 12-15-2020 10:29 PM | |
| 4226 | 12-15-2020 07:54 AM | |
| 1256 | 10-06-2020 11:50 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 03-29-2021 06:56 AM | |
| 1 Like | 12-16-2020 02:09 AM | |
| 3 Likes | 09-25-2020 12:00 AM |
User Badges
Community Statistics
| Member Since | 07-14-2020 10:49 AM |
| Date Last Visited | 01-30-2023 11:46 AM |
| Posts | 17 |
| Total Likes Received | 5 |
08-02-2022
03:11 AM
Hi,
A relatively old post perhaps. But I'm having a bit of a challenge understanding the limitations properly.
So we have a firewall (and a panorma). We'd like to configure our firewall to use (A)AD and user groups in policies and autorisations like portals and gateways.
First the firewall needs to understand where it can get AD group information? So it will query AD for groups? It will receive more groups back than 1000 (which is not a lot) and fail enumeration? What happens if we narrow down the location in active directory by specifying a location to enumerate? And this contains <1000 groups by itself. However these groups here are filled with groups themselves (nesting). How does that count toward this limit?
Is there a difference in PAN-OS version that may have increased the limits? Or do we really need to work with multiple locations (which is also limited) to create a situation where the firewall is actually capable of obtaining everything it needs to, to be able to do its work ?
... View more
03-29-2021
06:56 AM
1 Kudo
Looking at the timestamp of this 'not closed or archived' thread. I confirm this is (still) not working after 8 years. The clients do not downgrade automatically to the activated version on the firewall in transparant mode. In interactive mode users will offered a pop-up. I assume the OP never filed a feature request or it never got through. Can anyone from PA verify/confirm this ? Tested on Pan-OS 9.1 and GP 5.2.4.
... View more
02-16-2021
10:51 PM
I'd love to see Palo Alto support / moderators monitor threads and add links to official documentation about such topics: Active/active firewall and global protect (and/or panorama). I'd appreciate documentation that provides supported configurations in all possible scenarios including this one.
... View more
12-22-2020
11:56 PM
Hi Sarah, The fix has been implemented in 9.1.7
... View more
12-16-2020
02:09 AM
1 Kudo
The situation is resolved. The Global Protect settings in the portal config were never wrong. We are using Panorama to manage the firewalls. The issue was that there was a pending change in superadmin context which failed to commit the relevant firewall which happend to be in the Network configuration section, which had nothing to do with Global Protect. In Panorama the commit and push would say Ok, but in the commit details the relevant FW stated commit failed, this was overlooked. Therefore the changes in Network configuration and thus in Global Protect settings were never actually committed. This is somewhat of GUI design issue with Panorama. It doesn't do a great job in letting you know if the commit (and push) completely went ok all the way.
... View more
12-15-2020
10:54 PM
I tested uninstalling the GP agent 5.2 and remove all registry and configuration files. Manually install old/current version 5.1.4 again. Perform a first time connection, upon logging in to the portal again I am presented the interactive upgrade. /sad
... View more
12-15-2020
10:51 PM
Another thing that I haven't been able to confirm yet is the usage of pre-logon. While the documentation says the upgrade only works in user mode AFTER the connection to the network is made. The pre-logon portal profile is currently set to disallowed upgrades. I'm assuming that would mean that the upgrade popup cannot be triggered in the device mode, thus can never install an upgrade before windows logon and/or do it transparantly.
... View more
12-15-2020
10:29 PM
Come on, is this the best we can do in the community? Copy paste a knowledge base article? Without even reading the OP? I already found that one and verified this information before posting. The only thing that can be true in that text is: " The automatic update also depends on what the previous version was installed. If it is an older version, some existing information may have not been carried forward." In that, if 5.2 does something different compared to 5.1 and thus will not work transparantly. However, so far I have been unable to find that particular information to confirm this is true or not.
... View more
12-15-2020
07:54 AM
I am currently testing a profile in the GP portal to allow transparant upgrades for a select group of users. The profile 'Any' is not allowed to upgrade. Current version of GP agent: 5.1.4. Upgrade version now active: 5.2.4 All users in the selected group reported they received the interactive popups to perform download and install. One user performed a 'refresh connection'. Another user performed a cold boot of their laptop. So for now, it looks like the setting 'allow transparantly' does allow these user to perform the upgrade, but it does not perform the upgrade silent, which I believe is the idea of this setting?
... View more
10-06-2020
11:50 PM
It looks like Global Protect is a hot issue and specifically in combination with prelogon functionality. We're also having a situation that appears to difficult to explain. The idea is: When handing out devices with global protect preinstalled and preconfigured in the windows registry. A receiving user who has never logged into that device should be able to do so with the help of global protect prelogon (creating a device tunnel before any user tries to log in to windows). From then on, the device should always try to setup a device tunnel when it is turned on. But it should use the device certificate to do so. For some unknown reason, with some of our users (yes not all !?!) at a certain moment something happens (yes very vague so far). The device will start trying to create a tunnel with seemingly user authentication (because 2FA request is triggered), before any user actually logs in to Windows. So, for some reason the agent is no longer trying to create a device tunnel with the device certificate. It is all of sudden trying to create a (prelogon) tunnel with user creds. Since the 2FA request is triggered, I assume that the username and password have been succesfully provided by saved credentials. Because the cookie lifetimes are configured so, they are no longer valid the next morning.
... View more
09-25-2020
08:05 AM
Its confirmed to be a bug: To be fixed in: PAN-151458 (A/A GP Gateway Inactivity Logout timer not Recognizing HIP and Disconnecting). This fix is not yet implemented nor will it be in 9.1.5. So we'll have to wait for at least 9.1.6. In the meantime the workaround is to set the inactivity logout long enough so nobody will get disconnected because of this. Typical workday = 9hours including brakes. So 10-11hrs ?
... View more
09-25-2020
12:43 AM
I found a reason why anyone might see this registry key change. If I create an agent configuration for prelogon with the pre-logon account, and connection method: pre-logon (Always on). (Quite confusing). And I create another agent configuration for users (any) with the connection method: user-logon (always on). In this scenario, if you want to enable prelogon to always start, you need to add the registrykey prelogon=1. However I have confirmed when a user logs in, the agent configuration for users will change the registrykey prelogon to 0.
... View more
09-25-2020
12:28 AM
Hi Jdoherty1103, We are experiencing the same thing and it does appear that this setting is somehow involved in our situation. What we're also seeing is succesful HIP Checks in PANGPS log. We assume that the HIP check is performed properly (based on the events in the PanGPS log), but somehow with the 'wrong firewall/gateway'. According to the description of the inactivity logout value, it is triggered by not receiving HIP checks within the given amount of time. Next to that we also witnessed keepalive timeouts happening at the inactivity logout value. We suspect this happens because of the inactivity logout threshold is triggered. The gateway thinks it did not receive HIP checks, starts sending keepalives. Now this is a point where we don't fully understand what's happening. When the gateway does send a keepalive according to the capture, nothing comes back. Regardless of the suggestion that the HIPS check would indeed be sent to the other firewall. Why would any client not reply to a mere keepalive (once every 10secondes, for 50 seconds). Are you using an active/active firewall setup? If you'd change the inactivity logout value to 10-12 hours as a workaround for not having disconnects until the root cause/solution is found. Currently we have a case open with TAC
... View more
09-25-2020
12:00 AM
3 Kudos
I understand I am not required to allow telemetry. That is not my concern in this. After the upgrade to 9.1.2+ a high/red alert is repeatedly shown in the system logs that telemetry is simply not configured and cannot be used until, according to the procedure, the certificates are in place. If anyone is not required to allow telemetry why didn't they choose to: - Make enabling telemetry participation an opt-in feature, or - Add a more intuitive notification AND alert (informational): "Telemetry is not configured. Please see manual how to enable it." Just adding a high alert to the system logs, because a new feature is not configured is unnecessary and created some confusion. Missing/faulty/expired certificates is typically a bad thing and often does need immediate attention. In this case it does not.
... View more
09-23-2020
11:41 PM
I still don't completely understand this. We upgraded to 9.1.4 and now we're required to allow telemetry data to PA? Or accept a constant high alert in the system logs: no valid device certificate found. Why not allow customers to opt-in to this kind of functionality or at least explain this in a popup screen like a reminder: "you need to configure this post-upgrade, etc. or opt-out see: "explanation here and here"
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-30-2023
11:46 AM
|
Latest Tags
No tags yet
Likes From
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks