This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
About BeardedTree
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About BeardedTree
12Posts
0Likes
0Solutions
Last Visited
User
Activity
User
Profile
Latest posts by BeardedTree
| Subject | Views | Posted |
|---|---|---|
| 1988 | 03-25-2021 10:04 AM | |
| 4656 | 12-14-2020 12:06 PM | |
| 4660 | 12-14-2020 12:04 PM | |
| 4761 | 12-13-2020 12:06 PM | |
| 586 | 12-12-2020 06:25 AM |
User Badges
Community Statistics
| Member Since | 10-13-2020 03:45 PM |
| Date Last Visited | |
| Posts | 12 |
03-25-2021
10:04 AM
From what I've seen with deployments of GP in combination with pre-logon, mostly in combination with AD/SCCM/Azure managed endpoints, a machine certificate is the easiest method on the Portal and Gateway if you have a freshly spun-in devices (Also easier in deployment with less user complaints). As the portal needs some form of authentication at first, unless you specify that anyone can connect, in practice you either deploy a machine certificate in the image of the device to identify it and have a certificate profile to verify the authenticity. The other option is to have a user connect manually at first (With a local or external account) after which authentication cookies are generated and placed on the machine locally. The cookie is valid for your selected period (Due mind the Portal and Gateway both have their own settings where the certificate for encrypting/decrypting needs to match and you can have different timers for each). When the machine boots up, if the user has logged in before, it connects to the portal due to the settings it received previously, and connects to the gateway presenting the cookie it has locally. The gateway inspects the cookie and connects the device if the cookie is still valid and assuming you don't set the authentication to also force a certificate check or additional MFA.
... View more
12-14-2020
12:06 PM
Another quick thought would be a Panorama running a newer version and using features that are not supported on the firewall you're pushing it to.
... View more
12-14-2020
12:04 PM
How were the object created initially? The way you're explaining it sounds to me like an import gone wrong where the firewall/Panorama did load the Object but something is "off" with the way it's in the running XML.
... View more
12-13-2020
12:06 PM
Did it all of a sudden stop working or is this a new implementation or upgrade? One thing to look for is that on the local firewall Panorama is allowed to push Objects: As you're stating a blank push of a firewall policy without objects is working I believe this is enabled. Make sure the Object or Object-Group you're trying to push out isn't bound to a certain firewall but is in the "Shared" object space or Object specifically for that FW. If the item is a group containing more IP's, FQDN's or Objects it never hurts to check if the actually sub-objects for errors.
... View more
12-12-2020
06:25 AM
Taking the original error and picking it piece by piece. Peer's ID payload ' IPv4_address:xxx.xxx.xxx.xxx' does not match certificate ID, Error: failed to get subjectAltName. It would seem that their side does have their Local ID Field and IP Field are filled with an IP address however the certificate they use doesn't seem to have a SAN at all, or a matching IP address SAN on the certificate. Looking at the last bit my guestimate would be the second case. Next step would be to verify if this is actually the case by either having them check the config or make a PCAP of the initial exchange to capture the certificate info (Depending on the Ike version and mode of connection (Main/aggressive)).
... View more
12-12-2020
06:13 AM
Are you seeing the "Unable to fetch external dynamic list. Couldn't connect to server. Using old copy for refresh." only on the passive device, and does the MGMT IP of the passive device have connectivity to your Minemeld URL? As you're stating that manually forcing an update I'm assuming that it does, however I might be interpreting your scenario sketch wrongly. What we've seen with some of our customers is that the error "Unable to fetch external dynamic list. Couldn't connect to server. Using old copy for refresh." at times is shown on the active device when there are no new or removed IP addresses on the EDL instead of a "Succesfully connected, no changes to the list were detected, using old copy" message. With a manual refresh you force out the old EDL information and it would be expected to see that it updated successfully. Could be a simple issue of wrong error code shown but still might be worth making a case with TAC to confirm this is the case.
... View more
12-11-2020
08:13 AM
That would mean the Peer firewall is sending it's IP address as Local Identifier, however the question is if this is also defined on the certificate the Peer is using as that needs to match aswell. So the Peers Certificate would need a SAN Attribute "IP Address" with it's IP.
... View more
12-11-2020
08:00 AM
Gotcha, just to clarify did you also designate SAN attributes for your firewall cert and for the cert the other firewall is using? Like: The additional attributes are SAN items which seem related to the error where no additional attributes were found. It would end up local something similar to the below screenshot if he other side has a certificate with Email Otherunit@local.local. Lastly the intermediate and/or root need to be marked in the certificate store as trusted CA's
... View more
12-11-2020
07:21 AM
Are you sure you've imported the peers certificate, or signer of the certificate, in the local firewall and added a certificate profile containing this certificate which applies on the VPN? The Peer Identification, local and peer, needs to match on both sides (Reverse local/Remote) and the Cert Profile, if containing the cert marked as trusted, should set up the Phase 1 connection.
... View more
12-11-2020
01:24 AM
If you can generate a new certificate it would defiantly be worth generating a new one containing additional SAN entries. I'd suggest tagging on the SANs Hostname, FQDN and IP address and check if you can get the firewall to recognize these attributes as the Peer Identification.
... View more
12-10-2020
02:04 PM
The error seems to suggest that either A. The other side is sending a local identification that does not match any SAN that is present on the certificate or B. Does not contain a SAN attribute on the certificate at all. Are both sides under your control, where you're able to generate a new certificate if need be or inspect the current attributes of the certificate it's using? Also make sure the Certificate Profile on the VPN contains the Intermediate, Root or Self Signed certificate and is marked as a Trusted certificate in the local device store.
... View more
12-10-2020
01:48 PM
If your security policy is set to have any source IP it would mean that access would not be limited to the ms-office365 application. Once you add the explicit required apps to the rule they are seen as separate entities and one would for instance be able to web-browse to your internal server without any intention of the ms-office365 application..
... View more
Contact Me
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2022 - Palo Alto Networks