About RSteffens

Thanks!    The PA can indeed have multiple CA roots.  That's the way I have done it in the past, with a root CA on the firewall for EVERY service listed above, assuming that if one root was compromised, it could be helpful not to have to change certs for all other services on the NGFW.  I just wasn't sure if that was problematic on any front, other than being a pain to manage.  ... View more

Thanks!   A few questions:   1) Thus far, I have imported self signed certs into the browsers one the endpoints, and marked them as trusted.  That has thus far prevented clients from receiving untrusted errors.    2) I do not use Microsoft CA - all the computers in our business are Macs and we don't use any Microsoft services.  I understand that running an internal PKI is fraught with security risks and should be avoided unless there's an experienced team to manage it.  Should I reconsider this?   3) If I continue using self signed certs, then I'm back to my original question:  Should I use  a bunch of root-cert/end-cert chains for each service on the firewall (thus meaning I may have 4 or 5 chains, with 4-5 individual root certs, for various firewall services) , or should I use one root cert, and have a bunch of end certs signed by that one single root cert, for all firewall services?  I.e, Can all firewall services share the same self signed root cert and just have it's own end cert, signed by that root CA?  Or do I need a separate root Cert CA for every end cert I need?   Thanks! ... View more

Great to hear!  Do you have any further details? Any ETA?   ... View more

I also need Cortex XDR for iOS/iPadOS BADLY.  I'm having to look at other competitors simply because Cortex is not available for iOS or iPadOS.   ... View more

 So far, that doesn't seem to have caused unwanted behavior for us with the existing Okta captive portal setup.  On zones that use it, it authenticates reliably every time users attempt to access the web zone, repeatedly.  I have not encountered a situation where it fails to authenticate anyone.  It's fantastic because it's both multi factor, and auths against existing database of users in the Okta cloud LDAP.      If I could just take the exact way its currently working, and prompt for authenticating using captive portal the same way when accessing the management zone, as it does with the web zone.  ... View more

So I just found this knowledge base article that sounds like what I want to do.    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCEzCAO&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail   Has anyone ever gotten this sort of thing working?  I currently use the Okta Captive Portal for User ID, but again I can only get it working when http/https traffic triggers the captive portal.  This would offer a great way to authenticate traffic between sensitive zones, if I can get it to work.  ... View more

Thanks very much for your input!  Yes I currently have user-ID set up for several zones, but user-ID captive portal redirect is currently only triggered on those zones when a user attempts to access the internet (user-zone -> internet-zone).   I.e., the redirect is only triggering for http/https traffic.  I have tried doing user ID from a user-zone to management-zone - but I haven't found a way to trigger the authentication redirect to user-id captive portal in this case. Any idea what I should check or what I'm doing wrong? ... View more

That was it!  The guy on the other end had a misconfiguration and I was receiving unwanted traffic from a 2nd address.  Thank you!!   ... View more