About jharlow

jharlow · ‎08-10-2018

I have one FR ID: 7832 : User-ID needs to support Azure AD authenicated users. I have no idea what the status is, other than the SE stating it is a "highly requested feature" Saidly, they do not seem to be in much of a hurry as this was requested in January. I would like to see something more like Uservoice. Let people vote on items and then service can comment and commit to them based on their rating. I see a lot of providers using this service now.

jharlow · ‎03-15-2018

Thanks for the feedback. I was able to transfer my config. I figured out that after importing the config one has to load it as well.

jharlow · ‎03-12-2018

Currently have a PA500 (in virtual wire mode). Ordered a replacement PA220. I followed the instructions on connecting to the new unit and assigning a new IP address. It too is in Virtual wire mode. I need to understand how to transfer my configuration to the new unit. Also need to understand how to connect the device to the production network without taking down the network (lol). I am assuming I can just connec a wire to vw 2 port? Just want to confirm. Thanks!

jharlow · ‎01-25-2018

I appreciate your responses. I think we are going to make the move to the PA220. It will also give me a device to finally use to migrate from our current setup (ASA as NAT/VPN and PA for filtering and reporting) When I originally configured the PA, I configured it in virtual wire mode and never wanted to make the switch since it was in production. I can start with the PA220 as an actual L3 device, configure the rules, NAT, VPN etc and then place it in production. Off to discuss this with our vendor. Thanks again. Any other words of wisdom since you have experience both the PA500 and PA220? I know I have to get a rack kit as it is a smaller unit. any other guidance will be appreciated.

jharlow · ‎01-25-2018

I see the option under User-ID for NTLM (currently unchecked). Simply checking this is all that is needed? You mentioned it grabs the credentials from the browser, but if the user's machine is no longer on a local premise AD (simply connected via AzureAD through Windows 10), will there be credentials to grab? Let's assume the individual is prompted, however often will this take place (session cookie, restart of browser, PC restart, etc.) And lastly, since yes, NTLM is a Windows thing, how will Mac's and iOS devices handle this process? Will they simply get prompted to login and if so, the same last question applies (length of time). I sent a request to support about AzureAD. This really needs to be added as there are more of us looking to move to Azure and less on-premise. Maybe PA version 11. 🙂

jharlow · ‎01-24-2018

Thanks for your thorough response. What is NPS rate? The security zones and polices are neither an issue. There are two reasons that I am considering the upgrade option. One, our renewals are up (which are annual) and the cost for renewing all of the same services are actually cheaper on the PA220. Second, and to some might not be a big need but the performance with commits are just brutal and as you mentioned, we are not even utilizing this thing. With the plan to move everything over from our ASA to the PA just adds more concern as more will be on the PA which would cause commits to even be slower than they are now. Even the overall management of the device just feels sluggish. Maybe this is due to being a 7 year platform (although we puchased it 4 years ago). I am hoping that what they say is true and managing the PA220 is a better experience.

jharlow · ‎01-24-2018

Sales team reached out to me recommending that we upgrade our PA500 to the PA220. We are a small company with a data pipe of 100MB. We do not have a lot of settings on the PA500. On an average we have around 1500-2000 sessions per the UI Home page. Looking at the ACC, I set it to 24hours and athe highest is around 22,000 (looks like about an average or 15,000 during business hours). We currently have 14 security policies (including the two intrazone defaults). We do not have NAT setup yet as we are using a Cisco ASA for NAT; however, that will all be moved over this year. The question I have, is there any reason why we should or should not opt to upgrade to the PA220 over the existing PA500? I know the main reason he recommended it is that the PA500 has an extremely slow management commit and he states this was resolved in the PA220. This is something I know others have mentioned regarding the PA500 in the forums. Thanks for any advise. Any one that has also made this move and have any advise, that would be great too.

jharlow · ‎01-24-2018

If we were to pull all of our domain controllers from on-premise, wouldnt that kill the first two options? GlobalProtect might be the only option but frown on as it is something that we will have to install. What APIs are you referring to?

jharlow · ‎01-23-2018

We currently use User-ID with an on-premise Active Directory server. We are planning on moving to Azure AD (not to be confused with AD services in Azure). Are there any plan on getting User-ID to work with AzureAD (web Auth)? What other options can I use to continue to use User-ID if we do not have Active Directory on premise? Thanks.

jharlow · ‎05-17-2017

Excellent. Thanks.

jharlow · ‎05-17-2017

DA does have a public IP. The PA is currently setup as a vwire, so NAT is handled by our Cisco ASA. I have all of the ports enabled correctly on the ASA). As far as the PA, I created application overrides for all of the ports. One thing I noticed and I know this is the default since version 7 ( I believe); the policy for "Inbound Traffic" has application-Default as a service type. Should I change this to any and see if that solves the issue (instead of trying to figure out application overrides)? You mention premit all traffic from the source IP. Is that as in creating a new policy with that source IP and set any as service and allow? Sorry, still a newbie to PAN. Thanks.

jharlow · ‎05-16-2017

Any chance, this process is documented somewhere ?

jharlow · ‎05-16-2017

Yeah, I would do it manually as well. The issue I have and I am assuming this; is making the change from vwire to L3 would require resetting the device (lossing all of my custom settings I have now; aka URL filtering rules.) Is that correct?

jharlow · ‎05-16-2017

@OtakarKlierCan we be friends? 🙂 Wow! That was easy enough and does exactly what I needed! Thanks! Curious, is that basically what I need to do to make this a layer 3 device versus vwire, minus NAT rules? Or a different way to ask, is all that is needed is to create the same NAT rules from the ASA on the PA and this is a L3 device or is there more to that?

jharlow · ‎05-16-2017

Gotcha! I dont know if I can use that method as of yet. Our PA is in transparent mode, as the only policies we have in place is for URL filtering and AV/Malware scanning. We have an older Cisco ASA that handles NAT. The goal is to transition over to the PA, but getting there from where we are now ... Any case, your response helps me understand what I can do. Thanks.

Member Since	‎03-19-2015 02:57 PM
Date Last Visited	‎04-30-2020 03:06 PM
Posts	43
Total Likes Received	1

Online Status	Offline
Date Last Visited	‎04-30-2020 03:06 PM

About jharlow

Re: Feature Request List

Re: Replacing PA500 with PA220

Replacing PA500 with PA220

Re: Upgrading from PA500 to PA220

Re: User-ID with Azure AD

DNS top applications?

Re: Upgrading from PA500 to PA220

Re: Upgrading from PA500 to PA220

Re: Feature Request List

Re: Replacing PA500 with PA220

Replacing PA500 with PA220

Re: Upgrading from PA500 to PA220

Re: User-ID with Azure AD

Re: Upgrading from PA500 to PA220

Upgrading from PA500 to PA220

Re: User-ID with Azure AD

User-ID with Azure AD

Re: Blocking All Internet Traffic from certain PCs

Re: Setting Up MS DirectAccess

Re: Blocking All Internet Traffic from certain PCs

Re: Blocking All Internet Traffic from certain PCs

Re: Blocking All Internet Traffic from certain PCs

Re: Blocking All Internet Traffic from certain PCs

Network Security

Cloud Security

Security Operations

About jharlow