About saint-paul

saint-paul · ‎05-26-2017

I installed App protection 702-4044 today, rebooted panorama and restarted the management process on the firewalls as described in the Paloalto newsletter I got today. This also solved the problem

saint-paul · ‎05-02-2017

So I got the mail today about the certificate which is about to expire. I installed App protection 694-4000 on the Panorama as described . After the reboot I no longer have communication between my 2 PA-2050 boxes and Panorama. The log is no longer updated and it shows the 2 boxes "Device State" as Disconnected. I currently run 7.0.10 on all devices. I also installed 694-4000 on the firewall boxes and rebooted them, but it didn't change anything. Reverting to a previous versioun of app definition did not help (which seems clear as the new certificate gets probably not rolled back) Even a Rollback of the config on the Panorama did not help. Anyone has an idea what could be wrong?

saint-paul · ‎02-12-2014

I had a similar problem and it had to do with a configured proxy in windows which could not be reached. Perhaps you have a similar problem.

saint-paul · ‎03-06-2013

Thanks for your answer, but this doesn't change anything. Edit: Ok ,I think I narrowed the problem down to a DNS problem, I changed dns and service route for the dns, now that I rolled back this changes I have it back working. Somehow the LDAP query to our AD for the users seems to get broken by this change, not sure why though. The changes seemed correct to me. Edit2: Found it, because I changed the service route, security policy rules where wrong/missing for accessing the LDAP.

saint-paul · ‎03-06-2013

Running an 2050 Active Passive HA pair. Yesterday I noticed that I couldn't login with the Globalprotect client. After some investigation I noticed that I could log in on the Globalprotect Portal web page, but after the login the page which offers the client downloads would not show up and the connection was reset after a timeout of ~30 seconds. I suspended the active node, when the other node was active I could access the portal page and the client login was also working again. I rebooted the box with the portal page problem, but the login still doesn't work when I make this node active again. Is there a way to reset the Globalprotect page one this device. I'm running Panos 4.1.6, should I try "reinstall" in the software page? Thanks

saint-paul · ‎02-04-2013

Thank you, this solved the problem. I had some strange glitch that the nat rule wouldn't accept to IP of the interface, it always reset to "none". I had to delete the rule and recreate it, after that I had to move the NAT rule up as it was shadowed by an other rule. It then finally worked.

saint-paul · ‎01-31-2013

Hello, I followed the instructions in the paloalto "understanding NAT-4.1RevC" pdf for implementing U turn NAT. It works when I try to access a server in the DMZ from the trusted zone via it's public untrusted IP. I have now a web server which somehow tries to do a http connect to it's own URL, which describes Case 5 in this document "server in the same zone as the client" I followed the instructions: NAT rule: DMZ-Zone to Untrust Zone with destination public IP translated to private IP and source translated to untrusted Interface and IP. I even created a security policy although the document says it is not needed as the traffic is in the same zone. The problem is that I can't get it working the connection always times out, the same when I try to access the Public IP from an other server in the DMZ. I worked around the problem by setting up a DNS in the DMZ which points the URL to the servers private IP. I can't see any traffic in the traffic logs which is probably due to the inter zone traffic. Has anyone an idea why this isn't working? Thanks

saint-paul · ‎05-10-2012

Hi, I also migrated from CP. Our integrator proposed to use a tool from tufin http://www.tufin.com/ . I decided against it and recreated the rules manually, so I could do a little clean up of the rules. For that reason I can not comment if the tool is usable for migration to PA, but perhaps it's the direction your looking for.

saint-paul · ‎04-05-2012

Hi, I followed the document on how to create VPN for IOS devices with certificates, and I got it working. I was wondering how I can deny a device VPN access for a device which is lost or stolen. Deleting the certificate Client ID certificate on the PaloAlto Box does not help. The device can still connect. The user can change his password but I would prefer that a connection attempt is already blocked. Do I need to work with certificate revocation for such a feature? Is there a description how such an architecture can be used with the AploAlto? Am I right that you need an external CA instead of the PaloAlto box for such a feature? Thanks for any help

saint-paul · ‎03-20-2012

Thanks. And for those having trouble importing template, how to fix version checking in cacti with xml version hash error http://docs.cacti.net/howto:determine_cacti_template_version

saint-paul · ‎02-09-2012

Kamish, thank you for your help. I'm running an user identification agent which is running fine. (seeing users in Policy logs) Im using LDAP for global protect authentication as the user identification agent profile is not in the list of authentication methods. (Our integrator helped me getting this working) I think you missunderstood my Problem. Every user in the AD can log in via Plobal Protect Portal or client. It just doesn't work when I want to restrict the login to users in an AD group. I can work around this by adding the users individually in the allow list an not use the AD group. The other problem is that the connection with the GP client does only work under the "Windows 7" administrator account on the netbook I use to test, if I launch the connection logged in as a user which has administrator rights on the Netbook the connection hangs like described. I have tested with my private laptop now which has no company AD profile, here the connection works, even if I'm not logged in as administrator. The problem here is definatly caused by problems between GP client and Windows7 OS, but I can't find the cause.

saint-paul · ‎02-02-2012

Hello, I'm tring for a week now to configure Global Protect. And have only been partially successful. My config is PanOS 4.1.1 and GP client 1.1.2 on PA 2050 Boxes. No GlobalProtect Licence. I encountered 2 Problems which I can't solve. 1. I have configured LDAP to get the credentials from our AD server and got this part of the authentication working. I can login on the Global Protect page on the Palo Alto Box and can also connect using the GPclient. (well partially see point 2) I now want to configure the PA to only allow users to connect which are in an AD group. I created a Group in AD and placed a user in this group (not an OU). In "User Identification" I created an entry in "Group Mapping Settings", there I select the same LDAP "Server Profile" I also use in the "Authentication Profile" for Global Protect. In "Group Include List" I set the AD group I created int the AD. (here seems to be a Bug I can only navigate 2 branches in the LDAP tree, but I tricked by modifiing the Base DN of the LDAP profile until I could select the group and then setting the Base DN back to the original setting). This seems to be correct because entering "show user group list" in the CLI shows the group with the LDAP path I selected to include in the Group mapping. Calling "show user group list" in the CLI shows the user I added in the AD group and also shows the group short name. I am now unable to add this group in the allow list of the authentication profile. It only shows users and groups defined in the "Local User Database" If I enter the group name manually, authentication will fail. In PA-4.1_Administrators_Guide.pdf I can read to click Edit Allow List.. I have no such button, just add and delete. Adding an AD user manually to the list will only allow this user to log in as it should, I just can't get it working with the AD group. 2. I have a lot of trouble with the Global Protect client, I installed the client on a Dell LAtitude 2110 Netbook with windows7 32bit and sometimes can connect but most of the times the client hangs in the status "Connecting please wait". Under "Administrator" account the connection works everytime like it should. I completely disabled the Firewall and uninstalled antivirus but the connection is still just properly functional under administrator. (Tried installing as administrator, tried installing as user which has administrator rights, same result) Here is where it fails: (IP masked) (T864) 02/02/12 13:57:12:685 Debug(4497): CPanMSService::RetrieveGatewayInfo, cert is 00288D50 (T864) 02/02/12 13:57:12:685 Debug(4499): Pre-login... (T864) 02/02/12 13:57:12:685 Debug( 142): active session id is 2 (T864) 02/02/12 13:57:12:685 Debug( 167): found process id 4616 (T864) 02/02/12 13:57:12:685 Debug(5060): PrepareRequest... (T864) 02/02/12 13:57:12:685 Debug(5068): WinHttpOpenRequest... (T864) 02/02/12 13:57:12:685 Debug( 392): CPanHTTPSession::PostRequest: WinHttpSendRequest... (T864) 02/02/12 13:57:43:011 Error(5083): PostRequest failed with error code 12002. (T864) 02/02/12 13:57:43:011 Debug(4597): Failed to pre-login to the gateway ip.ip.ip.ip (T864) 02/02/12 13:57:43:011 Error(4356): Failed to retrieve info for gateway ip.ip.ip.ip. (T864) 02/02/12 13:57:43:011 Debug(4366): tunnel to ip.ip.ip.ip is not created. Does the Old SSL client still work? I downloaded it from the support site but can not figure out how to install it on the PC, I guess it can only be uploaded to the PAlo Alto Firewall running an older PanOS which did not use Globalprotect yet? By reading the discussion Groups I can see that I'm not the only one having a hard time.

saint-paul · ‎11-23-2011

Edit: I must have done something wrong yesterday, because today I noted that it doesn't work.. Still get the mesage when commiting to "managed devices. vsys -> vsys1 -> rulebase -> security -> rules -> External Web access -> service 'test' is not an allowed keyword vsys -> vsys1 -> rulebase -> security -> rules -> External Web access -> service 'test' is not a valid reference /Edit: Hi, I think I solved the problem. I noted a problem while creating new tunnel interfaces, those interfaces where grey while pre update created interfaces where green. I then noted that only the new interfaces had vsys1 next to them. So I activated the virtual system feature on the devices. After this I had the reassign security zones and vsys to all interfaces. I also had to maunally remove global protect entries from the config xml as I could not get the error message away via the web gui.

saint-paul · ‎11-16-2011

After upgrading to 4.1 don't use your bookmark to login on the webinterface, just enter the IP in the URL bar, the login page URL has changed. Took me also some time to figure it out.

saint-paul · ‎11-16-2011

No, everything is running on 4.1

Member Since	‎07-29-2011 12:21 AM
Date Last Visited	‎06-09-2017 01:50 AM
Posts	20
Total Likes Received	1

Online Status	Offline
Date Last Visited	‎06-09-2017 01:50 AM

About saint-paul

Re: Panorama shows FW as disconnected after App and Threats Update

Panorama shows FW as disconnected after App and Threats Update

Re: GlobalConnect is slow to connect

Re: GlobalProtect portal corrupt.

GlobalProtect portal corrupt.

Re: Conversion Tool

Re: Why would someone use "Next VR" for next hop?

Re: Panorama shows FW as disconnected after App and Threats Update

Panorama shows FW as disconnected after App and Threats Update

Re: GlobalConnect is slow to connect

Re: GlobalProtect portal corrupt.

GlobalProtect portal corrupt.

Re: Problem with interzone U turn NAT

Problem with interzone U turn NAT

Re: Conversion Tool

Block VPN access for lost iphone/ipad

Re: Cacti - Templates

Re: Trouble setting up Globalprotect

Trouble setting up Globalprotect

Re: Trouble after upgrading to 4.1

Re: PaloAlto Supported OS and Browsers

Re: Trouble after upgrading to 4.1