About NGS_SOC

access route 192.168.0.0/24 is a simple one and goes to split tunnel 192.168.0.0/24 and 172.16.0.0/24 are more complex access routes and goes to tunnel everything ... View more

Split tunnel on IPSEC is working but only if the networks are simpler enough. For examples if access routes are 192.168.0.0/24 and 172.16.0.0/24 this goes to full tunnel. Technical limitation probably will never fix. Cisco IPSEC are stuck only to 8 hours and other IPSEC flavors (IPSEC on MacOSX) have even worst timeout. ... View more

Hi, seems your are working with a External Block List or DBL Dynamic Block List, which is not working as expected. Maybe these links can be useful for your installation. Configuring Dynamic Block List (EBL) on a Palo Alto Networks Device Working with External Block List (EBL) Formats and Limitations ... View more

You cannot redirect known user to captive portal, CP is only available to unknown IP/User mapping. There are several ways to force domain credentials ( for example explicit login via script, exchange/shared folder/printer accesses etc) but in my option the best way to always keep user-if mapping during the ip lifecycle is the 802.1X & syslog integration within new PANOS 6.0. ... View more

Hi, Cisco's tunnel group and group policies cannot directly migrated into PA Global Protect gateway. The rule is a single PSK/CERT group per GP gateway, once you need more a new gateway has to be created. In Cisco vision the use of multiple vpn-group was done to segregate traffic in layer3+ pool containers, using PA and its user identification, always present in GP, you can achieve the same security level with only one gateway (and related tunnel group) with a bunch of security rules based on User-ID. ... View more