Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- 5G
- IoT Security
- Prisma SD-WAN
Network Security
- Prisma Access
- Prisma SaaS
- Prisma Cloud
- CN-Series
- VM-Series:
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
Security Operations
- Resources
- COVID-19 Response Center
- LIVEcommunity
- ›
- About fcremer
About fcremer
Announcements
Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
08-18-2015
5Posts
1Like
0Solutions
Aug 18, 2015Last Visited
User
Activity
User
Profile
Latest posts by fcremer
| Subject | Views | Posted |
|---|---|---|
| 668 | 03-04-2013 01:31 AM | |
| 668 | 01-15-2013 05:11 AM | |
| 668 | 01-15-2013 02:14 AM | |
| 545 | 10-27-2012 03:04 PM | |
| 8143 | 12-06-2011 08:42 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 01-15-2013 02:14 AM |
User Badges
Public Statistics
| Date Registered | 07-27-2011 04:54 AM |
| Date Last Visited | 08-18-2015 09:07 AM |
| Total Messages Posted | 5 |
| Total Likes Received | 1 |
03-04-2013
01:31 AM
Hi all, It seems we were able to solve the issue on our end. We did an upgrade to 5.0.2, but that didn't solve it. After troubleshooting with support, we found out that the log records without user info actually were caused by user information cache timeouts. The reason that logs with and without user information were mixed had to do with the fact that we only logged on session-end. So, what we did to resolve the problem was enable WMI probing and allow WMI requests on all client hosts. This fixed the problem entirely. I guess that increasing the cache timeout on the User-ID Agent would have the same effect. The only thing we do not know and cannot find out without testing (don't have any time for that) is what the difference was between the firewalls running 4.1.6 and now 5.0.x. Frederic
... View more
01-15-2013
05:11 AM
We have 2 domain controllers in 1 domain, same subnet, both Windows 2008, nothing fancy. I tried the 3 options: only the User-ID Agent, only the PAN Agent, both combined. Always the same issue.
... View more
01-15-2013
02:14 AM
1 Kudo
Hi, I'm having exactly the same problem with a customer. PA-2020 standalone, PanOS 5.0.1. Most traffic is 'tagged' correctly, sometimes it isn't. We did not experience this issue on the previous software version, which was 4.1.6. I implemented PAN Agent only, User-ID Agent 5.0.1-2 only, and combination of both, but the issue always remains. I also have a quite aggressive group mapping interval, I'll try lowering it to 5 minutes, but doesn't look from your experience that that solves the issue. I have a case open with support for this, but so far not much luck ... Frederic
... View more
10-27-2012
03:04 PM
Hi, I have a PA-200 at home and am doing some tests with regard to the reported throughput speed using the "show system statistics session" command. To give an idea: I have a PA-200 sitting between my desktop computer and the internet, which is connected through a 60 Mbps line. I am testing with an SSL encrypted constant download, which went up to 6-7 MB/s before I put the PA-200 in place. If the download is not running, the firewall reports a throughput of 0 to a couple of kbps. When I start the download, the throughput hangs stable around 80 Mbps. However, my download tool reports an actual download speed of 4.8 MB/s. If I'm calculating correctly, that should be around 40 Mbps I have created an application override and custom application for this specific download, in order to bypass the App-ID engine. There is no SSL decryption in place, the firewall is letting the traffic go through using a plain any-any-any rule (with threat prevention enabled, but should not be used since there's an app override). So the question is: why is the firewall reporting double the throughput of the actual transfer?
... View more
Labels:
- Labels:
-
App-ID
12-06-2011
08:42 AM
Hi, I'm setting up GlobalProtect, which works just fine. Now I want to restrict GlobalProtect access to only 1 AD group. I created a separate GP authentication profile with my ssl_vpn AD group in the allow list, but as soon as I commit that allow list, not a single user can log in to the GlobalProtect anymore. Is this the correct way to configure this? I also tried configuring the AD group as source user on the GlobalProtect portal definition, but that didn't help either. I'm suspecting that there is a problem with the retrieval of the groups and the group membership from the AD server. We added the AD group to the AD after configuring the AD server definition in the PAN firewall, after which we couldn't see it in the web interface listed in the available AD groups. However, in CLI the "show user group-mapping state <domain>" showed the group, so it seemed to be retrieved by the PAN. We configured the GlobalProtect settings via CLI, since the group was not visible in the web interface. Could this be related? Any other way to get more information about the available groups on the device? Edit: PA-2050 cluster, running 4.1.0, group mapping is configured on the firewall.
... View more
- Tags:
- globalprotect
- ssl-vpn
Latest Blogs
Latest Posts
Copyright 2007 - 2021 - Palo Alto Networks
