About blwallace

I'm having trouble finding the correct administrative installation process.  I have several field reps that do not have administrative rights to their laptops.  I need to install GlobalProtect for them and have it pre-configured with proper certificates, portal addresses, etc.  My certificates are self-generated by the firewalls, so are not trusted by a third-party such as goDaddy.  My installation process is: login with a proper administrative account install the proper certificates into local computer and local user stores install the agent using msiexec /i globalprotect.msi POSTVPNCONNECTCOMMAND=\\server\path\logon.bat PORTAL=vpn.domain.us /quiet This sets up the first portal, but I have two portals.  I've tried importing registry files for the second portal and it works for user that ran the install, but not for any other user on the system.  All other users only have the portal created by the msiexec install.  So how do I install the agent with two portals?   When the user first logs in, they are asked to accept the certificate of the portal, even though the cert is previously installed.  This acceptance is only required the first time the user logs in.  How do I have the agent accept this certificate so not to ask the end user? ... View more

Running PanOS 8.1.1 & GlobalProtect Agent 5.1.0 & connect method Pre-logon (Always On)   When connected and authenticated to my VPN from an external network - all is good.  I can restart with a connection to my internal WiFi and my VPN connection shows Internal (because I have Internal Host Detection configured).  If I then open the GP app and select Sign Out, my  VPN client will then give me an error: No Network Connectivity and will not connect.  Looking at the logs within the client, I see a "ConnectSSL: Failed to connect..." error.  The only way to get connected to my VPN at this point is to connect and authentication using an external network.     As long as I don't Sign Out (and I know I can remove this button from end users) through the app, things work as expected going from public to internal to public networks.  But I want to understand all possible scenarios and this is one I can't figure out.   What is happening when Sign Out is selected and why does this cause the VPN client to think there is no network connectivity?   error log snippet . . . (T5116)Debug(6217): 02/28/20 11:18:22:221 Pre-login...,verifyportalcert=yes (T5116)Debug(10082): 02/28/20 11:18:22:221 Check cert of server ***.***.***.*** (T5116)Debug( 777): 02/28/20 11:18:22:221 SSL connecting to ***.***.***.*** (T5116)Debug( 550): 02/28/20 11:18:22:236 Network is reachable (T1660)Debug( 550): 02/28/20 11:18:24:190 Network is reachable . . . (T5116)Debug( 599): 02/28/20 11:18:27:143 Failed to connect to ***.***.***.*** on 443 with return value -1 and socket error 0(0) (T5116)Debug( 781): 02/28/20 11:18:27:143 do_tcp_connect() failed (T5116)Error(10128): 02/28/20 11:18:27:143 ConnectSSL: Failed to connect to '***.***.***.***:443'. Disconnect ssl. (T5116)Debug(10141): 02/28/20 11:18:27:143 Cannot get server cert of ***.***.***.***   ... View more

Is there a way to import an ssh key into a firewall? For instance, I run the following commands: ssh-keygen -t rsa (The public key is now located in /home/demo/.ssh/id_rsa.pub The private key (identification) is now located in /home/demo/.ssh/id_rsa) ssh-copy-id user@myfirewall When I run the ssh-copy-id command, I asks me to login and I get this: Unknown command: ssh-rsa Now try logging into the machine, with "ssh 'user@myfirewall'", and check in:   ~/.ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting. However, trying to login, it still asks for a password, Thanks, Bart ... View more

I'm writing a script to disable a rule using panxapi.  I'm trying to check to make sure the rule exists.  I've found if I have a typo in the rule name, panxapi will create the rule as a blank, so I need to make sure the rule exists before running panxapi to disable it.  I started testing how to do this and have run across something I don't understand.  Options -g and -s look to be what I would need, but I'm not understanding their results.  If I enter a non-existent rule "Rule.junk" they return different results. -g                get candidate config at xpath -s                show active config at xpath panxapi -h 192.168.x.x -s "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='Rule.junk']" show: No such node status="error" panxapi -h 192.168.x,x -g "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='Rule.junk']" get: success My candidate and running config are identical, yet -s says the rule doesn't exist, and -g says it does? Thanks, Bart ... View more

Security dictates I have an L2 network that is electrically separate from my production network, i.e a separate set of switches with no connection to production and is used for management of infrastructure devices only.  I now am setting up a second data center in another city.  I'm fortunate in that my remote data center has been physically located in my local data center and my network stack is complete and tested.  Unfortunately, I've existed with this configuration and my management network is all one big happy L2 network.  My L2 network is called nmnet (network management network) and contains devices staying locally and devices moving to the remote data center.  My problem is twofold: I don't wanti to re-IP all my network management interfaces I want to keep this network intact as my address space is 192.168.x.0/24, so in essence, I want to tunnel across the internet I have equal firewalls at both sites.  I have a firewall in front of my data center, an internal dmz firewall and an external dmz firewall.  I call these DC, DMZI and DMZO respectively.  Traffic flows "south to north" from my DC to DMZI to DMZO firewalls locally and "north to south" from my DMZO to DMZI to DC firewalls remotely - and vice versa. Can I create a set of vwires through my firewalls to my DMZO firewalls and use an IPSec tunnel between my two site DMZO firewalls?  Here's my scenario: DC firewalls: •    ethernet1/2=nmnet-vwire, zone=z.nmnet, physical connection=nmnet L2 network •    ethernet1/3= nmnet-vwire, zone=z.nmnet, physical connection=ethernet1/2 of dmzi firewall DMZI firewalls: •    ethernet1/2= nmnet-vwire, zone=z.nmnet, physical connection=ethernet1/3 of dc firewall •    ethernet1/3= nmnet-vwire, zone=z.nmnet, physical connection=ethernet1/2 of dmzo firewall DMZO firewalls: •    ethernet1/2= nmnet-vwire, zone=z.nmnet, physical connection=ethernet1/3 of dmzi firewall •    ethernet1/3= nmnet-vwire, zone=z.nmnet, physical connection=ethernet1/2 of dmzo firewall •    create tunnel.9 assigned to z.nmnet, stpe address 192.168.186.1, mkt address 192.168.196.1 •    create ipsec tunnel with ike gateway interface ethernet1/13 and tunnel interface tunnel.9 I know its long, but hopefully somebody will brave through it with an answer. Thanks, Bart ... View more

Is there a way to use the panxapi module and delete or modify a member from an address group?  I have an address object I no longer use and want to remove all references.  I can use panxapi to delete the address object as long as I manually remove the objects from all groups to which it is a member.  I want to be able to write a program to remove all references, but can't get it to remove from the address groups. Thanks, Bart ... View more