About zGomez

Hi, I am trying to configure globalprotect to use SAML authentication for the portal and gateway.  The authentication seems to work but when, but i am not getting a valid client config when i use groups in allow list.  I am sure it is related to group mapping and user id but don't know where exactly it is going wrong.   I have the following configuration on Azure:  When authenticating i am seeing the following in the logs on the gateway.   First it tries with username.firstname this fails then it tries with the formated version and the authentication works. My authentication profile is configured as follows, it also has an allow list that is allowing only certain group. This seems to be working besides the fact that it tries with 2 different formats.  Then the user tries to fetch the config with the same group limitation as the authentication profile this seems to fail.  When i remove the group it works and the client can get it's config. I have double checked the format off the groupname and both are the same. My groupmapping is configured as follows.   Do i need to add alternate username 1:  userpincipalname? The problem is located somewhere over here.  I just don't understand why i works for the authentication and not for the getclient config. Any help on this would be appreciated or some clarification on the claims vs auth/group mapping.               ... View more

Hi, I have a strange issue i am trying to import the globalsign root certificate into panorama device template. I am following this article (also doubt the global sign is needed because when i browse manualy to the EDL the url is singed by Google) Configure the Firewall to Access an External Dynamic List from the EDL Hosting Service (paloaltonetworks.com) I have upload the certificate but renamed it to .jpg you can just rename it to .cer to have a look or open it with Notepad.  The format is correct.  When i try to import this in panorama i always get the error: Import of EDL-SERVICE-HOSTING failed. Failed to find begining of certificate. Make sure certificate starts with BEGIN CERTIFICATE tag  (there is also a spelling mistake in the error should be beginning to my knowledge) When i upload the same cert directly onto the firewalls i have no issue. Anybody experienced this issue with version 10.2.5 ?   CERT CONTENT: -----BEGIN CERTIFICATE----- MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp 1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8 9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE 38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A== -----END CERTIFICATE-----       ... View more

Hello,   Since recently we have a few firewalls that we are unable to push because the firewall is checking connectivity to panorama and this is failing.  Inside panorama the device is listed as connected and from the firewall's session table I can see there is an existing session to panorama. 2023-06-07 16:38:38.410 +0200 ACR: Performing panorama connectivity check (attempt 5 of 5) 2023-06-07 16:38:38.410 +0200 [Secure conn] Secure channel for Firewall to panorama communication not enabled for secure conn. 2023-06-07 16:38:56.329 +0200 client dagger reported op command was SUCCESSFUL 2023-06-07 16:38:57.459 +0200 client dagger reported op command was SUCCESSFUL 2023-06-07 16:38:58.807 +0200 Error: pan_comm_get_iplist(cs_conn.c:4711): connmgr: panorama: addr info address: panorama.domain.net error: System error 2023-06-07 16:38:58.808 +0200 Error: pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:1124): ACR: Failed to establish TCP connection 2023-06-07 16:38:58.808 +0200 ACR: Panorama connectivity check failed for panorama.ontex.net. Reason: TCP channel setup failed, reverting configuration 2023-06-07 16:38:58.808 +0200 ACR: Post-commit connectivity check failed, beginning to revert config.   I already tried increasing timers and amount of retries.   I also verified the firewall is able to reach panorama and is connected. DNS is working. Session table is showing me 2 active sessions to panorama.   show session all filter destination 10.255.125.50 -------------------------------------------------------------------------------- ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port]) Vsys Dst[Dport]/Zone (translated IP[Port]) -------------------------------------------------------------------------------- 6501 panorama ACTIVE FLOW 10.163.66.253[33607]/management/6 (10.163.66.253[33607]) vsys1 10.255.125.50[3978]/VPN (10.255.125.50[3978]) 7007 panorama ACTIVE FLOW 10.163.66.252[45224]/management/6 (10.163.66.252[45224]) vsys1 10.255.125.50[3978]/VPN (10.255.125.50[3978])   anybody else experiencing this?    can i use global counter for management traffic? Only one of the firewalls in the cluster is having this issue, only active one.  Restarting mangement plane did not help.   ... View more

Hi,   My first question regarding the aggregate bandwith feature.  For example on computer location i will assing 100 Mbit of traffic.  At the Guaranteed bandwith ratio I will put in 100% and reserved for Guaranteed bandwidth i also put in 100. So if i have 5 sites they will all receive a guaranteed 20 Mbps.   Suppose all sites together are only consuming 20 Mbps will they still be able to peak to 100Mbps and use what others have not consumed? My QOS profiles are still on Mbps due to migration and should be migrated to percentage.   When I want those 5 sites to break out to the internet on Prisma Access computer location how is this reflected in the QOS. Or does the QOS not apply to internet traffic only between remote sites? What is the internet break out speed on a computer location?   When I run a speedtest to the internet with above settings I can reach around 170 Mbps down and 20 Mbps up this doesn't seem to match the conigured QOS.  (when i turn to overal bandwith to 50 Mbps for example i can still reach the same speed to internet). Also when running iperf between a server in a remote location and a server in our service connection i doesn't seem to reflect the settings.   Any help on explaining this would be appreciated.       ... View more

Hi,   We have an Active/ Active firewall between 2 datacenters.  We have configured a single tunnel on a floating IP that is Active in Datacenter A to a remote Partner.  Firewall in DC A is currently in Active Secondary State,  Firewall in DC B is currently in Active Primary state. The tunnel has both phases up on the firewall in DC A and only the phase 2 on firewall in DC B (expected behaviour). There is no VR sync configured between firewall in DC A and DC B option is not configured. Both firewalls have static routes configured to the destination over tunnel.6. The green line is the working scenario, user logon to citrix farm in DC A(172.25.0.0/24), the application is reachable over the tunnel 6  The red line is the non working scenario, user logon to citrix farm in DC B (172.25.3.0/4), the application doesn't work because I believe it it tryin to send it over the tunnel on firewall DC B that is not fully established. (only phase 2). The orange line is what I would like it to do based on session ownership, sessions setup for the tunnel.   My question is is the behaviour i am seeing expected behaviour or should it work like the orange line?         ... View more