This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About Jeff_K
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About Jeff_K
09-15-2022
15Posts
3Likes
1Solution
Sep 15, 2022Last Visited
User
Activity
User
Profile
Latest posts by Jeff_K
| Subject | Views | Posted |
|---|---|---|
| 2385 | 05-17-2013 04:42 AM | |
| 2385 | 05-16-2013 06:35 PM | |
| 2452 | 05-16-2013 12:24 PM | |
| 3355 | 04-20-2012 11:38 AM | |
| 6303 | 04-19-2012 01:02 PM | |
| 1968 | 04-19-2012 06:20 AM | |
| 1968 | 04-19-2012 05:30 AM | |
| 3682 | 04-11-2012 06:21 AM | |
| 4019 | 04-04-2012 11:19 AM | |
| 9068 | 03-09-2012 09:52 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 03-07-2012 01:24 PM | |
| 1 Like | 04-19-2012 06:20 AM | |
| 1 Like | 04-11-2012 06:21 AM |
User Badges
Community Statistics
| Member Since | 08-26-2011 11:11 AM |
| Date Last Visited | 09-15-2022 04:21 PM |
| Posts | 15 |
| Total Likes Received | 3 |
05-17-2013
04:42 AM
In regard to the Captive portal comfort page, it would be great if the user input form script called by <pan_form/> could be modified to include a field to enter the domain ... this would avoid a lot of confusion. Anyone know if this is possible? Thanks, Jeff K
... View more
05-16-2013
06:35 PM
This is useful information. I can see this working for a single domain but we have multi domains. I suppose I could put a bogus domain name in the RADIUS profile, then at least the authentication attempts will fail and a bad ip-user-mapping will not be created. I subsequently tried this but got undesirable results. An authentication request with domain information is passed untouched to the RADIUS server but the resulting ip-user-mapping is created with whatever domain is set in the RADIUS profile. Thanks! Jeff K
... View more
05-16-2013
12:24 PM
Our captive portal is configured to use RADIUS (Cisco Secure ACS) to authenticate our AD users. The Cisco ACS will authenticate a user even if they do not include their domain information in the userid string... 'userid' rather than 'domain\userid'. The problem with this is that a user who authenticates with only their userid ends up with a ip-user-mapping that will not match a userid that is pulled in with the User Identification Group Mapping Settings. Our Cisco ACS box does not appear to be able to filter the undesirable ones out. Has anyone dealt with this already? Maybe there is a way to sanitize the input on the Captive portal comfort/login page? Thanks, Jeff K
... View more
Labels:
- Labels:
-
User-ID
04-20-2012
11:38 AM
Yes, you can write security policies as you describe. We're running over 30 User-ID Agents (version 4.1.2). They're collecting AD account logon information from the security logs of our Windows domain controllers. We found it best to place one (or more for redundancy) at each site ... they can consume a considerable amount of bandwidth if you have an agent monitoring a domain controller over a WAN link. We have yet to address the many wireless devices in our company that do not log on to our Windows domain ... Android phones and tablets, iPads, warehouse barcode scanners, etc. The plan is to glean user/IP information from the RADIUS MS-PEAP authentication records and feed it into the User-ID Agent using it's API support. Jeff
... View more
04-19-2012
01:02 PM
I had the same problem when using Firefox. As already suggested, use IE or do it from the command line using "tftp import keypair". Pkcs12 format is fine ... you don't need to use PEM. Jeff
... View more
04-19-2012
06:20 AM
1 Kudo
I don't think sFlow is supported in any version... just Netflow starting in version 4.1. Jeff
... View more
04-19-2012
05:30 AM
The release notes confirm Netlfow support first appeared in version 4.1. Jeff
... View more
04-11-2012
06:21 AM
1 Kudo
The current documentation about "Container Pages" and the URL profile "Log container page only" option is summed up in this Knowledge Base document: https://live.paloaltonetworks.com/servlet/JiveServlet/downloadBody/2386-102-1-5808/Container%20Page%20filtering.pdf The one and only important piece of information this KB article adds is the connection between the "Log container page only" option and \Device\Setup\Content-ID\Container Pages sjamaluddin, how do you know that "The principal of the 'Log container page only' is to log only the main page..."? The documentation doesn't say this. Dominic, I'm not so sure the default "Container Pages" has all the content types available ... how do you know this? I'm seeking concise documentation on this topic ... where is it? Thanks! Jeff
... View more
04-04-2012
11:19 AM
Has anyone done anything with the Content-ID container pages to control the URL logging? Are you using a Custom 'URL Content Types' list? What are the supported URL Content Types? The documentation is sorely lacking . Thanks, Jeff K
... View more
- Tags:
- 4.1
- content-id
Labels:
- Labels:
-
Content-ID
03-09-2012
09:52 PM
Yes, you need the AD group mappings in order to get the users inside of them. You can then create policies that control access based AD groups and users. Subsequently, the PAN needs the IP to user mapping that the User-ID agent provides so it can identify the user and apply the policies. Jeff
... View more
03-08-2012
07:24 AM
I think the User-ID Agent must process every relevant event in the security log regardless of your include/exclude list. The include/exclude list is simply a control mechanism for what addressing the agent ultimately provides user mapping for. I think including all addressing will have negligible effect on performance. I wouldn't want the agent to do a WMI probe of an external client. For external users it might be better to run a separate agent with all the probing options turned off... exclude all private addressing and include 0.0.0.0/0. Jeff
... View more
03-08-2012
06:41 AM
The command "show user user-IDs" displays your AD user to AD group mapping... not the username to IP address mapping that the 4.1.x User-ID Agent does. You need to: configure a LDAP Server Profile. \Device\Server Profiles\LDAP configure a Group Mapping to pull in your wanted AD groups and their associated AD members. \Device\User Identification\Group Mapping Settings Jeff
... View more
03-08-2012
06:14 AM
I guess the answer to my question is no. I am surprised by this... it's something I would expect to be able to do. My query stems from a problem I was having when using the GUI to import certificates that where externally generated and signed (for Forward Trust and Secure Web Gui use). Through trial and error I finally was able to accomplish the import using the CLI. I was curious to know why it didn't work using the GUI. I may start a new discussion to expound on the certificate import issue. Thanks! Jeff
... View more
03-07-2012
01:24 PM
1 Kudo
In your pan-2 pic it shows the PAN connected but you don't have any Connected Servers (Windows Servers) ... you need to configure the User-ID Agent to monitor the security event log of specific DC's. Do this in the 'Discovery' section. Jeff
... View more
03-07-2012
09:55 AM
Is there a way to determine the CLI equivalent of a command/task done within the management GUI? For example, with PAN 4.1.2, what is the CLI equivalent of the GUI when you import a pkcs12 format certficate? thanks, Jeff
... View more
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks