This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About NikolayDimitrov
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About NikolayDimitrov
03-10-2022
49Posts
15Likes
6Solutions
Mar 10, 2022Last Visited
User
Activity
User
Profile
Latest posts by NikolayDimitrov
| Subject | Views | Posted |
|---|---|---|
| 4317 | 01-24-2022 01:50 AM | |
| 2957 | 09-20-2021 03:20 PM | |
| 3213 | 08-20-2021 12:23 PM | |
| 3251 | 08-20-2021 08:18 AM | |
| 3315 | 08-20-2021 01:16 AM | |
| 1798 | 08-06-2021 05:47 AM | |
| 2162 | 08-06-2021 05:33 AM | |
| 6264 | 08-06-2021 02:49 AM | |
| 2835 | 08-05-2021 09:46 AM | |
| 5849 | 08-05-2021 04:29 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 01-24-2022 01:50 AM | |
| 1 Like | 08-05-2021 09:46 AM | |
| 1 Like | 07-27-2021 04:49 AM | |
| 1 Like | 07-07-2021 12:13 AM | |
| 1 Like | 07-07-2021 12:03 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 3 Likes | |||
| 8 Likes | |||
| 2 Likes | |||
| 2 Likes | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 06-15-2021 10:38 PM |
| Date Last Visited | 03-10-2022 02:58 AM |
| Posts | 49 |
| Total Likes Received | 15 |
01-24-2022
01:50 AM
1 Kudo
Great thank you! Hope they add the new feature to block also domains if not URL with the host firewall. Till then if the customer also has Palo Alto firewalls maybe this is an option for the Cortex XDR to generate EDL lists that the Palo Alto firewall (Palo Alto Firewall and Cortex XDR integration) can consume: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/response-actions/manage-external-dynamic-lists.html Also it is good to enable the firewalls access to the Cortex XDR and for the firewall to send its logs to the Cortex Data Lake so the Cortex XDR can see the network taffic: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/get-started-with-cortex-xdr-prevent/set-up-endpoint-protection/enable-access-to-cortex-xdr.html https://www.paloaltonetworks.com/blog/2020/03/cortex-busted-by-cortex-xdr/
... View more
09-20-2021
03:20 PM
If you plan full migration prisma access has cloud GUI console but if you want and need to have on-premise firewalls I suggest using hybrid deployment with Panorama plugin where you manage your on-premise firewalls and the prisma access CAN (service conection), SPN(remote network site) and mobile gateways to get the idea see videos for EDU-118 here https://live.paloaltonetworks.com/t5/blogs/prisma-access-sase-security-edu-118/ba-p/319001 . For the price ask them if you decide to do a demo Prisma access is easy to manage compared to the other cloud solions like this.
... View more
08-20-2021
12:23 PM
From your reply I think that there is no way for the Palo Alto to send this info to the Microsoft AD and for the Microsoft AD to record this and also I did not find Microsoft to have added feature similar to providing a Static Ip address for the VPN to use (Framed-IP-Address attribute) but using a VPN pool on the Microsoft AD. Thanks for confirming this.
... View more
08-20-2021
08:18 AM
Yup this is not my question. My question was how can Palo Alto share the user to VPN ip address mapping to other systems not a specific question about internal configuration. I think that I have written it well that Palo Alto works good as a VPN solution but the systems (that are not Palo Alto) after it may need a way to work with users and groups but the Ip address is no longer real client Ip addres but the VPN address. Does Palo Alto in some way inform the Microsoft AD server (and does the AD server write this information) about what is the assigned VPN IP address to the client during the client authentication to the globalprotect agent(for example LDAP is used as auth profile, so the firewall checks with the Microsoft AD)?
... View more
08-20-2021
01:16 AM
Hello to All, I am interested if Palo Alto is used as the Globalprotect VPN solution but after it there are other systems that may benefit from user group policies, howcan this be done? The issue is that the after the VPN the customer will be seen with the VPN ip address and not the original ip address, so I don't think that the Active directory can be used for resolving the ip to user mapping. I also don't think that Globalprotect provides/writes the VPN assigned IP address in the Active Directory during LDAP/Radius authentication process of the client to the VPN but maybe I wrong about this? The option for the AD to assign the VPN address to Globalprotect seems nice but for 10000 of users it does not seem feasuble to assign a static ip address to each user in the Windows AD and I did not find if you can configure the AD to not use a static ip address but a pool of addresses and then write which ip address it provided to the Globalprotect for VPN assignment. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UkxCAE&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail The other thing I thought is to export the Globalprotect logs to a syslog server and from there to get which VPN address was provided to which user or real client ip address (mapping between the VPN address and the real client Ip address).
... View more
08-06-2021
05:47 AM
Can you see this on the Panorama or cloud the web based console (if you are not having panorama)? Monitor -> System log
... View more
08-06-2021
05:33 AM
Have you checked the article below? https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/redistribute-hip-information-and-run-hip-reports.html For using HIP in the security policy : https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/host-information/configure-hip-based-policy-enforcement.html
... View more
08-06-2021
02:49 AM
Hello Just check the Palo Alto Prisma documentation as it covers such cases: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/create-a-service-connection https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-for-networks/configure-prisma-access-for-networks %%%%%%%%%%%%%%%%%%% To enable tunnel monitoring for the service connection, select Tunnel Monitor . Enter a Destination IP address. Specify an IP address at your HQ or data center site to which Prisma Access can send ICMP ping requests for IPSec tunnel monitoring. Make sure that this address is reachable by ICMP from the entire Prisma Access infrastructure subnet. If you use tunnel monitoring with a peer device that uses multiple proxy IDs, specify a Proxy ID or add a New Proxy ID that allows access from the infrastructure subnet to your HQ or data center site. %%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%% You must configure a static route on your CPE to the Tunnel Monitor IP Address for tunnel monitoring to function. To find the destination IP address to use for tunnel monitoring from your data center or HQ network to Prisma Access, select Panorama Cloud Services Status Network Details , click the Service Infrastructure radio button, and find the Tunnel Monitor IP Address . %%%%%%%%%%%%%%%%%%%
... View more
08-05-2021
09:46 AM
1 Kudo
From the Palo Alto side of things yes but you still need to configure the correct attributes for user/group on the Azure AD (Azure AD should have good guides how it can be used as SAML IdP). After the SAML has imported the users and groups in the Palo Alto/Prisma Access look at : https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXWCA0 User redistribution inside prisma access should happen automatically but if you also have on premise devices look at: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access/redistribute-userid-information-for-users-and-networks
... View more
08-05-2021
04:29 AM
You can see the article from Okta and use it for Azure AD, you just need to find the Azure AD documentation how to set the atributes: https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Palo-Alto-Networks-GlobalProtect.html
... View more
08-05-2021
04:26 AM
This is not for Azure AD but it shows how to extract the SAML atributes for user and group membership: https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Palo-Alto-Networks-GlobalProtect.html
... View more
08-05-2021
04:04 AM
The secondary WAN is if the on premise device has another WAN link and you use it as a backup if the primary link fails (this is if you have Dual ISP in your data center). The secondary WAN link is down and only goes up if the primary link commes up. For Backup SC I think this is if you have two on premise devices that you want if there is an issue with the primary on premise device and its main connection to failover to the other or even an active and standby Data Centers: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/create-a-service-connection https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-for-networks/configure-prisma-access-for-networks ------------ You can select any service connection that you have already added. Prisma Access uses the Backup SC you select as the preferred service connection in the event of a link failure. Selecting a backup service connection can prevent asymmetric routing issues if you have onboarded more than two service connections. This choice is available in Hot potato routing mode only. ------------ For more about routing see as the Prisma access uses AS prepend with the BGP to control that only the primar service connection is used and not the the backup service connection: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/route-preferences-for-service-connection-traffic.html
... View more
08-05-2021
03:51 AM
There is a guide for this: https://www.paloaltonetworks.com/resources/guides/prisma-access-for-users-deployment-guide I think also SAML is a nice option where the Prisma Access will be SP and Azure AD will be the IdP. https://www.consigas.com/best-practice/remote-access-authentication/
... View more
08-05-2021
03:44 AM
See here: PAN-142785 Enterprise Data Loss Prevention (DLP) does not support customizable response pages and uses the default File Blocking Block Page response page ( Device Response Pages ) https://docs.paloaltonetworks.com/plugins/vm-series-and-panorama-plugins-release-notes/panorama-plugin-for-enterprise-data-loss-prevention/panorama-plugin-for-enterprise-data-loss-prevention-10/known-issues-in-enterprise-dlp-plugin-101.html So just try activating the Response Page and test. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/device/device-response-pages.html
... View more
08-05-2021
03:39 AM
For the prisma access you need to see under the Service Infrastructure as it automatically gives ip addresses to it objects like the Service Infrastructure CAN or Remote Network SPN or the Mobile Gateway. You can also select your local firewall to ping an IP address with the tunnel monitor that is in another site of yours that is again connected to the Prisma access as the idea for the tunnel monitor is to ping an ip address that the ping passthrough the tunnel to reach it. On the Prisma Access side can you try to specify the tunnel monitor ip address to be a DNS server, LDAP server etc. that is in your local Data Center behind the Service Connection.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-10-2022
02:58 AM
|
Likes From
| User | Likes Count |
|---|---|
| 1 | |
| 1 | |
| 1 | |
| 2 | |
| 1 |
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks