About aceandy79

Just found this topic as work in a University, and have started getting the same enquiries from students wanting to use Nintendo Switch. Our dynamic IP & port setup is resulting in a NAT Type D on their consoles. I had made the network dual-stack, and had optimistically hoped the gaming networks would be using IPv6 and thus avoid this issue, but it seems not... Will probably go with the static NAT IP per private subnet idea and see how that goes. Thanks. ... View more

Ok have set up the filter and then tried downloading from Play Store. These lines keep appearing more often than anything else:   pkt_outstanding 6 0 info packet pktproc Outstanding packet to be transmitted pkt_alloc 16 0 info packet resource Packets allocated pkt_swbuf_fwd 14 0 info packet pktproc Packets transmitted using software buffer flow_tcp_non_syn 1 0 info flow session Non-SYN TCP packets without session match flow_tcp_non_syn_drop 1 0 drop flow session Packets dropped: non-SYN TCP without session match   There is no split tunneling configured.   Thanks,   Andy. ... View more

Hi Reaper,   No decryption   Policy shows traffic being allowed, although I have not precisely been able to tie down the destination IP address used by Google Play Store. Anyway, I saw no logs in monitor for traffic being denied in an outbound direction. No threats were found matching the source IP address of the client device. I have had a look through global counters but there is so much in there, do you have any hints? I did a filter on severity drop and could not see anything incrementing.    Thanks.   ... View more

Thanks for the input. Will upgrade to 3.1.1 and see what happens. ... View more

Was going to say something similar. Does your internal network have a route for  10.20.30.0/24 for the returning packets? ... View more

Hi, yes I agree a security policy rule using the User-ID column can be used to block the traffic of a connected client, but the key here is that would only take effect after they've connected. What I was hoping to be able to achieve is to prevent a specific user authenticating in the first place, who is a member of the larger AD group referenced in the Allowed List.   As far as I can tell, the initating packets to set up the IPSec tunnel do not include a User-ID at this point, you only start seeing that column populated after the tunnel is established.  ... View more

 Thanks BPry. Since opening the thread, I've tested myself on two Macbook Pro's. One had the agent already installed, which continued to work once the OS was upgraded to Sierra. The other one however did not have the agent installed, and was added after I upgraded to Sierra. The installation appeared to go fine but the agent cannot connect to the GlobalProtect gateway. Having looked at the logs it seems the PanGPS service does not start correctly. The impression from the client is that it's attempting to connect but failing and giving up after 30 seconds. On the gateway no connection is received.   Would be interested to hear your experience. ... View more

In some of the documentation for VPNC it describes the split-tunneling scenario, and that where it can see different routes/prefixes being injected by the GlobalProtect gateway, the client will summarise those with a 0.0.0.0/0 route. ... View more