This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About jmrodriguez
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About jmrodriguez
08-04-2023
23Posts
2Likes
1Solution
Aug 04, 2023Last Visited
User
Activity
User
Profile
Latest posts by jmrodriguez
| Subject | Views | Posted |
|---|---|---|
| 3855 | 10-25-2012 09:18 AM | |
| 3830 | 10-25-2012 09:15 AM | |
| 3724 | 09-03-2012 11:36 PM | |
| 3157 | 08-31-2012 03:52 AM | |
| 2430 | 08-31-2012 03:41 AM | |
| 3726 | 08-31-2012 03:41 AM | |
| 3724 | 08-30-2012 05:01 AM | |
| 4248 | 08-29-2012 05:04 AM | |
| 3726 | 08-16-2012 11:18 PM | |
| 4204 | 08-16-2012 05:20 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 08-30-2012 05:01 AM | |
| 1 Like | 09-03-2012 11:36 PM |
User Badges
Community Statistics
| Member Since | 10-27-2011 03:29 AM |
| Date Last Visited | 08-04-2023 07:54 AM |
| Posts | 23 |
| Total Likes Received | 2 |
10-25-2012
09:18 AM
Hi everybody. Up to now, I've had working a Globalprotect configuration, with only a Server Certificate, and it worked very well. After upgrading to version 1.1.7, I've received the message: "The paloalto.xxxxx.es certificate is not signed by a trusted certificate authority.". That is a problem for "no on demand" VPN connections, because you have to click "Continue" to make VPN connection work. Do you know how I could solve this? One solution is to create another certficate based on a Trusted CA certificate and send it to all the clients to install it, but it is difficult to do in our situation right now. Could you help me please? Thank you very much.
... View more
10-25-2012
09:15 AM
Hi everyboy. Up to now, I've had working a Globalprotect configuration, with only a Server Certificate, and it worked very well. After upgrading to version 1.1.7, I've received the message: "The paloalto.xxxxx.es certificate is not signed by a trusted certificate authority.". That is a problem for "no on demand" VPN connections, because you have to click "Continue" to make VPN connection work. Do you know how I could solve this? One solution is to create another certficate based on a Trusted CA certificate and send it to all the clients to install it, but it is difficult to do in our situation right now. Could you help me please? Thank you very much.
... View more
09-03-2012
11:36 PM
1 Kudo
Hello mindterra. In group name I've specified "cn", no "internet". One important thing is that "memberUid" in Group object must match with "uid" in user object. That is, check strings that appear in memberuid field in group objects; it must be the login name of the users, more than the complete name (jdoe vs John Doe) Bye bye.
... View more
08-31-2012
03:52 AM
Hi. Finally I've created a shell script using vpnc command to connect and add the routes. It works. In my opinion, PaloAlto should offer a solution for GlobalProtect VPN on Linux platforms, in case they want to take advantage over their competitors. Bye!
... View more
08-31-2012
03:41 AM
Hi. Thank you Jacek. Finally I've created a shell script using vpnc command to connect and add the routes. It works. In my opinion, PaloAlto should offer a solution for GlobalProtect VPN on Linux platforms, in case they want to take advantage over their competitors. Bye!
... View more
08-31-2012
03:41 AM
Hi. Thank you Jacek. Finally I've created a shell script using vpnc command to connect and add the routes. It works. In my opinion, PaloAlto should offer a solution for GlobalProtect VPN on Linux platforms, in case they want to take advantage over their competitors. Bye!
... View more
08-30-2012
05:01 AM
1 Kudo
Hi everybody. For your information, the configuration above is correct. The problem is that it's necessary to specify a domain in LDAP server configuration. After that, the scenario works well. I can selected users and groups on security rules... Great!!!. Thank you.
... View more
08-29-2012
05:04 AM
Hello. My situation is: - GlobalProtect VPN configurated -> user identification via GP then. - LDAP profile configurated -> authentication works well - Authentication profile configurated. - User Identification, Group Mapping configuration: - Group Objects: - Object Class: posixGroup - Group Name: cn - Group Member: memberUid - User Objects: - Object Class: inetOrgPerson - User Name: uid Extract with slapcat: ---------------------- dn: cn=Administradores,ou=Grupos,dc=example,dc=com cn: Administradores gidNumber: 1 structuralObjectClass: posixGroup entryUUID: 1dacb5d4-85f9-1031-95fb-b388bfd09fc7 creatorsName: cn=admin,dc=example,dc=com createTimestamp: 20120829074432Z objectClass: posixGroup memberUid: prueba entryCSN: 20120829112946.273933Z#000000#000#000000 modifiersName: cn=admin,dc=example,dc=com modifyTimestamp: 20120829112946Z dn: cn=prueba,ou=Usuarios,dc=example,dc=com sn: prueba cn: prueba uid: prueba userPassword:: e01ENX1iKzBKTmZNdFFFSnh1cVN5a3FPNWJBPT0= uidNumber: 5 gidNumber: 1 homeDirectory: /home/users/satec1 objectClass: inetOrgPerson objectClass: posixAccount objectClass: top structuralObjectClass: inetOrgPerson entryUUID: a6c2f1f4-860c-1031-989f-db7857189845 creatorsName: cn=admin,dc=example,dc=com createTimestamp: 20120829100422Z entryCSN: 20120829100422.934537Z#000000#000#000000 modifiersName: cn=admin,dc=example,dc=com modifyTimestamp: 20120829100422Z ----------------------------- I can use the created groups on OpenLDAP correctly, in firewall rules: admin@PA-2050> show user group-mapping state all Group Mapping(vsys1, type: other): Mapeo_Grupos_LDAP Bind DN : cn=admin,dc=example,dc=com Base : dc=example,dc=com Group Filter: (None) User Filter: (None) Servers : configured 1 servers X.Y.Z.8(389) Last Action Time: 1489 secs ago(took 1 secs) Next Action Time: In 2111 secs Number of Groups: 3 cn=vpn,dc=example,dc=com cn=usuarios,ou=grupos,dc=example,dc=com cn=administradores,ou=grupos,dc=example,dc=com admin@PA-2050> And I can connect to VPN and the user is identified: admin@PA-2050> show user ip-user-mapping all IP Ident. By User Idle Timeout (s) Max. Timeout (s) --------------- --------- -------------------------------- ---------------- ---------------- 192.168.46.3 GP prueba 3651 3651 Total: 1 users admin@PA-2050> But the problem is that user is not "mapped" in its group, Administradores: admin@PA-2050> show user ip-user-mapping detail yes IP address: 192.168.46.3 User: prueba Ident. By: GP Idle Timeout: 3529s Max. TTL: 3529s Groups that the user belongs to (used in policy) admin@PA-2050> So when I create a firewall rule as origin user the group Administradores, the traffic generated by the user "prueba" doesn't match with that rule. I think it must be a problem with "User Object" configuration but I can't find doc about that, an example like AD in the document: http://live.paloaltonetworks.com/docs/DOC-3221 . Anybody with a similar configuration could help me? Thank you very much. To be sure, I created on my OpenLDAP server a user account that has the same name in cn, sn, and uid: test.
... View more
Labels:
- Labels:
-
User-ID
08-16-2012
11:18 PM
Hi Jacek. Yes, It is possible, but there is a serious problem with split-tunneling. You can see the discussion in: . Are you using more than one access routes in your configuration? Thank you.
... View more
08-16-2012
05:20 AM
Hello Sri. I've tested this with a Cisco VPN client in a Windows machine, Cisco VPN Client in a Linux Machine, vpnc daemon in a Linux Machine, Shrew software in a Linux machine and Shrew software in a Windows Machine, with the same result.... Is it a compatibility problem of PaloAlto devices? I think IPSec connections are based on a RFC standard.............. Thank you very much...
... View more
08-14-2012
03:23 AM
Hi Lauro. You're right. I've carried out some tests by changing DNS configuration in GlobalProtect Gateway. As you say, it tries to summarize all the networks: DNS networks and access routes networks........ what a folly!!! It'd be a good idea that Sri could specify here his GlobalProtect configuration. Thank you.
... View more
08-14-2012
02:35 AM
Thanks Lauro. It is very strange behavior . Let's see if together we can find the solution .
... View more
08-14-2012
12:30 AM
Hi everybody. Sri, I've configured our firewall with your two access routes: 100.1.1.0/24 and 100.1.2.0/24 and this is the client routing table: IPv4 Tabla de enrutamiento =========================================================================== Rutas activas: Destino de red Máscara de red Puerta de enlace Interfaz Métrica 0.0.0.0 0.0.0.0 192.168.1.5 192.168.1.20 25 100.1.0.0 255.255.252.0 192.168.46.3 192.168.46.2 100 As you can see, it summarizes the routes. I'm using Cisco VPN Client version 5.0. Please, could you tell me your configuration? I'll try to open a case. Thank you very much.
... View more
08-13-2012
04:21 AM
Hi everybody. I've got a strange problem related to split tunneling in PAN configuration. The situation is: - Portal and Gateway configuration in PAN-2050 with PANOS 4.1.7 (same results with 4.1.6 and 4.1.5). - VPN client Cisco compatible (Windows and Linux, same results) - IP Pool: 192.168.46.0/24 - Access routes: 10.0.0.0/8 and 172.16.0.0/12 The problem is the following one (X.X.X.X is the public ip address of the VPN gateway): - If I configure one access route, 10.0.0.0/8, it works well, the client routing table is correct and I have connectivity through the tunnel: root@vangogh:/home/juan# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 192.168.46.1 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 X.X.X.X 192.168.1.1 255.255.255.255 UGH 0 0 0 wlan0 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0 10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 tun0 0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 wlan0 root@vangogh:/home/juan# - If I configure one access route, 172.16.0.0/12, it works well, the client routing table is correct and I have connectivity through the tunnel: root@vangogh:/home/juan# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 192.168.46.1 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 X.X.X.X 192.168.1.1 255.255.255.255 UGH 0 0 0 wlan0 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0 172.16.0.0 0.0.0.0 255.240.0.0 U 0 0 0 tun0 0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 wlan0 root@vangogh:/home/juan# - But if I configure both access routes (desired configuration), it seems that the VPN client "summarize" both access routes and create a kind of default route, losing Internet connection: root@vangogh:/home/juan# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 192.168.46.1 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 X.X.X.X 192.168.1.1 255.255.255.255 UGH 0 0 0 wlan0 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0 0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 tun0 root@vangogh:/home/juan# Any ideas? Any similar problems? Thank you very much.
... View more
Labels:
- Labels:
-
Configuration
-
Networking
07-31-2012
04:42 AM
Hi again. I've seen the failed NAT and when it happens: This is a connection RTP from a phone to our telephony provider, and it works: 67130 rtcp ACTIVE FLOW NS 10.42.38.250[3001]/LAN/17 (94.124.28.150[2940]) vsys1 212.230.32.192[23639]/INTERNET (212.230.32.192[23639]) But, after that, another connection using the same source port, it doesn't work: 127233 rtcp ACTIVE FLOW 10.42.56.253[3001]/LAN/17 (10.42.56.253[3001]) vsys1 212.230.32.192[21789]/INTERNET (212.230.32.192[21789]) Most of the situations: it fails with ports 3000 and 3001. Thank you.
... View more
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks