Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- CN-Series
- VM-Series:
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
Security Operations
- Resources
- COVID-19 Response Center
About RSteffens
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About RSteffens
yesterday
19Posts
0Likes
2Solutions
Jun 23, 2021Last Visited
User
Activity
User
Profile
Latest posts by RSteffens
| Subject | Views | Posted |
|---|---|---|
| 263 | 3 weeks ago | |
| 291 | 3 weeks ago | |
| 307 | 3 weeks ago | |
| 383 | 3 weeks ago | |
| 504 | 3 weeks ago |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 2 Likes |
User Badges
Community Statistics
| Member Since | 03-23-2021 05:04 PM |
| Date Last Visited | yesterday |
| Posts | 19 |
3 weeks ago
OK Thanks! Yes I use a local firewall CA. I'll just experiment then. Again, thank you very much!
... View more
3 weeks ago
And if you don't mind, one more question. (see screenshot below) Is it best practice to check all of these boxes on the cert profile for the GP and GP Client certs? Or are there any that could break the system if left checked? Thanks!
... View more
3 weeks ago
That was it! Totally obvious - "type" needed to be set to local database. I have no idea how I overlooked that! Thank you so much! One other question while I'm at it. Under the global protect portal agent configs (first screenshot above), is it important to check "install in local root certificate store" for the "Trusted Root CA's"? I have already installed those (PA generated, self signed) root CA's manually on the computer I'll be using for remote access, and I'm the only GP user, and using GP on only one single device. Thanks!
... View more
3 weeks ago
Yes! It's set to "no" in both portal and gateway. I am authenticated with that setup, but without ever entering the password of the user. But I want to enter the user password as part of authentication.
... View more
3 weeks ago
Hi Everyone - I am wanting to use auth profile AND client certificates (with cert profile). I figured out that if I re-issue the client cert with a CN that is the same as the name of my user who wants to log in, and change the cert profile username to Subject (instead of none), everything works and I don't get the error above! I'm able to get in that way. Only thing is, I'm never prompted to enter the user's password. I'd still like to be prompted for the actual user password as well in order for them to log in. Do you know if this is possible, when authenticating with an auth profile + client cert profile as I've outlined above? Do you think GP authentication using a auth profile + client cert profile as implemented above, is a secure enough way to manage the PA remotely? Thanks!
... View more
3 weeks ago
So I deleted the settings, GP portal, etc and completely rebuilt the GP infrastructure from the ground up. But now I'm getting these errors when I commit: GlobalProtect portal(.......)setting is invalid: auth-profile exist(method none), client-cert-profile none no username. (Module: sslvpn) GlobalProtect gateway(.......) setting is invalid: auth-profile exist(method none), client-cert-profile none no username.(Module: rasmgr) Anyone know what the problem is? Randy
... View more
3 weeks ago
Hi! No I'm the only admin. It's got to be something I changed somewhere, or else an update that nuked things. Yes, the authorize message is linked to the only user account who has GP access for offsite management, we have no other GP users.
... View more
3 weeks ago
PS: I've double checked against two other PA guides: https://live.paloaltonetworks.com/t5/globalprotect-articles/globalprotect-initial-set-up/ta-p/322232 and https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClH2CAK All my settings are correct, exactly as outlined in these documents. What else should I check?
... View more
3 weeks ago
Hello Everyone, I had global-protect working perfectly. Two days ago however something happened (not sure what caused the problem) and I'm unable to connect to GP anymore. I always get the error: "You are not authorized to connect to GlobalProtect Portal". The weird thing is that in the system logs there are no error messages relating to GP, I actually get an "auth-sucess" event for every attempted login where i'm presented with "You are not authorized to connect to GlobalProtect Portal"! I'm using a local user, followed the same instructions I used to get it working the first time, (here: https://blog.fuelusergroup.org/how-to-set-up-globalprotect-on-a-palo-alto-firewall-2) and to the best of my recollection I haven't changed anything relating to GP functionality, but nothing gets me beyond that error message! I'm pulling my hair out because it was not hard to get this working the first time, and why I should be getting this error now is incredibly confusing! Any help you can provide would be much appreciated! Thanks!!
... View more
a month ago
Well I figured out how to get it working! The problem was that every zone users are authenticating from needed a management profile with response pages turned on. That seems counter intuitive as I was thinking only the destination zone should need that. But I turned on for both source and destination zone and everything immediately started working. FYI, I’m using the latest version of pan os 10.
... View more
a month ago
Hello! Quick question: I have captive portal set up for one zone and it works well, where my captive portal "redirect host" ip is in the same zone/subnet as my users who need to authenticate. But I'm needing to expand this so that users from several zones/subnets can authenticate via captive portal. The problem I'm having is that for users in zones/subnets external to the captive portal IP, the redirection gets stuck. External users are redirected to the correct zone URL, but they get no response at that URL and the redirection times out. I have set up the correct security policy rules to allow the user zones to communicate with the redirect host IP captive portal zone. I can ping the redirect host IP from the external zones users are trying to authenticate from. But users in external zones never see the redirect web form. Does anyone have this working and can you advise what I'm overlooking? Thanks!
... View more
05-19-2021
07:14 PM
Well it looks like I may be wrong about my above conclusion! The netstat output of the working computer is exactly the same as the output of the non-working computer pictured above! The only other difference between the computers is that the working computer is running MacOS 10.14.6, and the non-working is running MacOS 11.2.3. If anyone has any pointers, I'd be glad to hear.
... View more
05-19-2021
11:39 AM
Here are photos showing the problem. The first is netstat output showing DNS routing when not connected to GP, everything works as expected. The second photos shows what happens to DNS when I connect to GP. 10.0.0.1 is the IP I was given from the IP pool after I connected to GP. DNS obviously doesn't work.
... View more
05-19-2021
11:08 AM
Hello! Quick question. I just configured global protect. When I first configured it, I was sending all traffic through the tunnel which wasn't working well. So afterword I set it to allow split tunneling. But here's the problem: The first computer (MacOS) which I enrolled in GP when I was forcing all traffic through the tunnel, now will not connect to the internet when connected to GP, although it does connect to GP assets fine. Another MacOS computer that I enrolled after I turned on split tunneling, works to access internet perfectly as well as GP assets Turns out this is a DNS issue on the first computer. The routing table in the troublesome computer reveals I have duplicate DNS entries in the routing table, two that are pointing to the IP I receive after connecting to the GP gateway (these have priority as they appear first in the list), and two more that are pointing where they should. When I manually update my routing table to remove the DNS entries pointing to the IP I receive after connecting to the GP gateway, all my troubles vanish, I can access the GP assets, as well as my local network. However restarting the computer and reconnecting to GP restores the routing table to the incorrect state. When I disconnect from GP, the rogue DNS entries disappear and my routing table behaves normally allowing normal internet access. When I reconnect to GP, my DNS routing table entries again are messed up. I have deleted the GP app and re-installed, but the incorrect routing table entries are still there. I have flushed my routing table completely, but upon connecting to GP, the rogue DNS entries in the routing table mysteriously appear. As I said above, I enrolled a second computer in GP and it connects normally and doesn't have the rogue DNS entries. It's just the first computer that is messed up now, the one I enrolled when I was still forcing all traffic to use the GP tunnel. Any idea what I can do to fix the problem?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
yesterday
|
LEGAL NOTICES
Copyright 2007 - 2021 - Palo Alto Networks
