cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

About AnalysisMan

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
AnalysisMan
‎05-04-2022
since ‎03-11-2013
L3 Networker
User Activity
User Profile
User Badges
Community Statistics
Member Since ‎03-11-2013 08:22 PM
Date Last Visited ‎05-04-2022 08:14 PM
Posts 49
Total Likes Received 24

Re: User-ID with Azure AD

by in Integration Discussions
‎04-18-2022 12:34 PM
‎04-18-2022 12:34 PM
Hello PAN team,   Were there any updates about supporting Azure AAD for User-ID since Jeff Hochberg commented in 2019?   Thanks, ... View more

Re: Cannot connect to Globalprotect

by in General Topics
‎12-02-2021 10:19 AM
‎12-02-2021 10:19 AM
Hi @FarzanaMustafa,   We had many cases with this problem. This error is usually seen when the GlobalProtect client is upgraded, but GP is not installed correctly. And the general uninstalling/reinstalling doesn't help in this case.   This KB should fix the issue.   Error: Failed to find PANGP virtual adapter interface when connecting to GlobalProtect https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5eCAC&lang=en_US   Hope this helps! ... View more

Re: cannot commit - failure parsing config response module dhcpd

by in General Topics
‎11-29-2021 03:09 PM
1 Kudo
‎11-29-2021 03:09 PM
1 Kudo
Why don't you check the logs with 'less mp-log ms.log' via CLI? The error is related to DHCP configurations.   Thanks, ... View more

Re: GP Issue Gateway Fake

by in GlobalProtect Discussions
‎11-29-2021 02:33 PM
‎11-29-2021 02:33 PM
Hi Chanderjain,   If the GP configurations are okay, then the following steps should resolve the issue. • Disable  WMI  services: run -  services.msc  - Windows Management Instrumentation(WMI) - stop the service. • Delete the files under  C:\Windows\System32\wbem\Repository • Open Windows Registry ( Regedit ) Go to  HKEY_LOCAL_MACHINE > Software and HKEY_CURRENT_USER > Software . Delete the  Palo Alto Networks  folder. • Delete the same if the same folder is present in any other user under  HKEY_USERS . • Un-install  GlobalProtect  from Windows ' Programs and Features .' • Make sure that the virtual adapter is not present in the Network adapter settings. •  Reboot  the machine. •  Reinstall  GlobalProtect with admin privileges. • Confirm that  WMI  service is running. Hope this helps! ... View more

Re: Global Protect - valid certificate when using Azure SAML authentication

by in GlobalProtect Discussions
‎11-17-2021 04:58 PM
‎11-17-2021 04:58 PM
@MichaelMedwid  As BPry mentioned, you should get a CA certificate for the GP portal and gateways. In addition to that, you need to export the Microsoft Azure Federated SSO Certificate from the Azure Portal and import it to the firewall (Device -> Certificate Management -> Certificates).   The following KB shows how to set up Azure SAML authentication with GlobalProtect, but this export/import certificate step is missing. How to setup Azure SAML authentication with GlobalProtect https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE   You may refer to this KB for the SAML IdP. Identity Provider Configuration for SAML https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXPCA2   Hope this helps! ... View more

Re: HIP Match for Microsoft GUID

by in GlobalProtect Discussions
‎11-17-2021 04:27 PM
1 Kudo
‎11-17-2021 04:27 PM
1 Kudo
@SubaMuthuram  You can create a HIP profile with the Host ID on the Objects -> GlobalProtect -> HIP Objects -> General > Host Info > Host ID.   The host ID is a unique ID that GlobalProtect assigns to identify the host. The host ID value varies by device type:   Windows —Machine GUID stored in the Windows registry (HKEY_Local_Machine\Software\Microsoft\Cryptography\MachineGuid) macOS —MAC address of the first built-in physical network interface Android —Android ID iOS —UDID Linux —Product UUID retrieved from the system DMI table Chrome —GlobalProtect-assigned unique alphanumeric string with length of 32 characters   * Refer to HIP Objects General Tab. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/globalprotect/objects-globalprotect-hip-objects/hip-objects-general-tab.html   ... View more

Re: GlobalProtect doesn't upgrade

by in GlobalProtect Discussions
‎11-17-2021 04:16 PM
‎11-17-2021 04:16 PM
I didn't get the same issue when I activated 5.2.8 from 5.2.7. However, several users failed to upgrade the GP client, so they followed the following KB. The typical uninstallation/installation GP client didn't work in this case. Error: Failed to find PANGP virtual adapter interface when connecting to GlobalProtect https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5eCAC&lang=en_US   Hope this helps! ... View more

Re: Global Protect license usage and behavior on running out

by in GlobalProtect Discussions
‎11-15-2021 04:34 PM
1 Kudo
‎11-15-2021 04:34 PM
1 Kudo
Hi @MichaelMedwid  I presumed that the 1025th session would be dropped due to the hardware limitation. Here are the SNMP OIDs that you can draw SNMP graphs for the GlobalProtect sessions, and you may set up a threshold alert when it reaches a specific value like 800 sessions.   GlobalProtect gateway % utilization panGPGWUtilizationPct.0 1.3.6.1.4.1.25461.2.1.2.5.1.1 PAN-COMMON-MIB GlobalProtect gateway max tunnels panGPGWUtilizationMaxTunnels.0 1.3.6.1.4.1.25461.2.1.2.5.1.2 PAN-COMMON-MIB GlobalProtect gateway active tunnels panGPGWUtilizationActiveTunnels.0 1.3.6.1.4.1.25461.2.1.2.5.1.3 PAN-COMMON-MIB   You can simply test with a snmpwalk query for the active GP connections. snmpwalk -v3 -l authPriv -u SNMPUser -a SHA -A "Auth_Password" -x AES -X "Priv_Password" 192.168.1.1 .1.3.6.1.4.1.25461.2.1.2.5.1.3   FYI, for the SNMP setup Device -> Setup -> Operations -> Miscellaneous -> SNMP Setup   Thanks, ... View more

Re: Block uninstall Global Protect

by in GlobalProtect Discussions
‎11-10-2021 01:09 PM
2 Kudos
‎11-10-2021 01:09 PM
2 Kudos
There is an option that you can do that in the GP Portal settings. Network -> GlobalProtect -> Portals -> click the portal name -> Agent -> click the Config. Find the 'App' tab on the Configs. Click the App Configurations called 'Allow User to Uninstall GlobalProtect App'. There are three options: Allow, Disallow, Allow with Password.   Please see the following document for more details. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/globalprotect/network-globalprotect-portals/globalprotect-portals-agent-configuration-tab/globalprotect-portals-agent-app-tab.html ... View more

Re: HA Configuration on PA-3220 - HA1 is UP but HA1 Backup is Down

by in General Topics
‎11-26-2020 12:10 AM
5 Kudos
‎11-26-2020 12:10 AM
5 Kudos
FYI - Here is a workaround for someone who wants to bring up the HA1 Backup before fixing it by upgrading the PAN-OS (if it's a bug - last time it was). Step 1. Change the Port type from ha1-b to management on Active firewall and Commit (Device -> High Availability -> General > Control link (HA1 Backup) Step 2. Revert back to the previous configuration with the Port type: ha1-b, along with the IP address and Commit. This workaround should bring up the HA1 Backup. Hope this helps! * Refer to my blog with screenshots. https://www.analysisman.com/2018/12/pan-3220-ha1backup.html ... View more

Re: Active Directory Users & Computers Latency with GlobalProtect

by in General Topics
‎11-23-2020 02:49 PM
‎11-23-2020 02:49 PM
It looks okay in GP 5.1.7. ... View more

Re: Active Directory Users & Computers Latency with GlobalProtect

by in General Topics
‎11-23-2020 12:46 PM
1 Kudo
‎11-23-2020 12:46 PM
1 Kudo
I have faced this issue in GP v5.2.4 as well. ... View more

Re: OSPF BPA PARAMETERS

by in General Topics
‎02-03-2020 11:27 AM
‎02-03-2020 11:27 AM
There are two pieces in this question. I believe that you are asking related to 2) because you manually shut down the tunnel.   1) Tunnel monitor (reducing the tunnel failover time) Reduce the Monitor profile 'Interval' and 'Threshold' on the Network -> Network Profiles -> Monitor. 2) OSPF timing (reducing the convergence time) Reduce the Hello Interval (sec) - by changing the 'Hello Interval' (default: 10 seconds) on the Network -> Virtual Routers -> OSPF.   Hope this helps,   ... View more

Re: Global Protect Azure SAML authentication

by in General Topics
‎02-03-2020 10:50 AM
1 Kudo
‎02-03-2020 10:50 AM
1 Kudo
The log shows that it's failing while validating the signature of SAML. You may try this out: 1) Uncheck 'Validate Identity Provider Certificate,' and 'Sign SAML Message to IDP' on the Device -> Server Profiles -> SAML Identity Provider. 2) Set to 'None' in 'Certificate for Signing Requests' and 'Certificate Profile' on the Device -> Authentication Profile -> authentication profile you configured for Azure SAML.   Hope this helps,   ... View more

Re: DHCP Relay with Source Nat blocked

by in General Topics
‎02-03-2020 10:32 AM
‎02-03-2020 10:32 AM
It's hard to pinpoint the issue without details, but the article says as below. "This incorrect flow was dropped by the firewall, which caused the end hosts to not receive the IP address because the DHCP Offer never reached the DHCP relay device."   1) I recommend you to check the network reachability. 2) Check the firewall rules. 3) You may use the following CLI commands if the packets are dropping, or do a packet capture on the firewall. > show counter global filter severity drop > show counter global filter delta yes severity drop   Hope this helps,   ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎05-04-2022 08:14 PM
Likes Given To
LEGAL NOTICES
RESOURCES
Copyright 2007 - 2022 - Palo Alto Networks