About bart.wallace

I'm having trouble finding the correct administrative installation process.  I have several field reps that do not have administrative rights to their laptops.  I need to install GlobalProtect for them and have it pre-configured with proper certificates, portal addresses, etc.  My certificates are self-generated by the firewalls, so are not trusted by a third-party such as goDaddy.  My installation process is: login with a proper administrative account install the proper certificates into local computer and local user stores install the agent using msiexec /i globalprotect.msi POSTVPNCONNECTCOMMAND=\\server\path\logon.bat PORTAL=vpn.domain.us /quiet This sets up the first portal, but I have two portals.  I've tried importing registry files for the second portal and it works for user that ran the install, but not for any other user on the system.  All other users only have the portal created by the msiexec install.  So how do I install the agent with two portals?   When the user first logs in, they are asked to accept the certificate of the portal, even though the cert is previously installed.  This acceptance is only required the first time the user logs in.  How do I have the agent accept this certificate so not to ask the end user? ... View more

Running PanOS 8.1.1 & GlobalProtect Agent 5.1.0 & connect method Pre-logon (Always On)   When connected and authenticated to my VPN from an external network - all is good.  I can restart with a connection to my internal WiFi and my VPN connection shows Internal (because I have Internal Host Detection configured).  If I then open the GP app and select Sign Out, my  VPN client will then give me an error: No Network Connectivity and will not connect.  Looking at the logs within the client, I see a "ConnectSSL: Failed to connect..." error.  The only way to get connected to my VPN at this point is to connect and authentication using an external network.     As long as I don't Sign Out (and I know I can remove this button from end users) through the app, things work as expected going from public to internal to public networks.  But I want to understand all possible scenarios and this is one I can't figure out.   What is happening when Sign Out is selected and why does this cause the VPN client to think there is no network connectivity?   error log snippet . . . (T5116)Debug(6217): 02/28/20 11:18:22:221 Pre-login...,verifyportalcert=yes (T5116)Debug(10082): 02/28/20 11:18:22:221 Check cert of server ***.***.***.*** (T5116)Debug( 777): 02/28/20 11:18:22:221 SSL connecting to ***.***.***.*** (T5116)Debug( 550): 02/28/20 11:18:22:236 Network is reachable (T1660)Debug( 550): 02/28/20 11:18:24:190 Network is reachable . . . (T5116)Debug( 599): 02/28/20 11:18:27:143 Failed to connect to ***.***.***.*** on 443 with return value -1 and socket error 0(0) (T5116)Debug( 781): 02/28/20 11:18:27:143 do_tcp_connect() failed (T5116)Error(10128): 02/28/20 11:18:27:143 ConnectSSL: Failed to connect to '***.***.***.***:443'. Disconnect ssl. (T5116)Debug(10141): 02/28/20 11:18:27:143 Cannot get server cert of ***.***.***.***   ... View more

Is there a way to import an ssh key into a firewall? For instance, I run the following commands: ssh-keygen -t rsa (The public key is now located in /home/demo/.ssh/id_rsa.pub The private key (identification) is now located in /home/demo/.ssh/id_rsa) ssh-copy-id user@myfirewall When I run the ssh-copy-id command, I asks me to login and I get this: Unknown command: ssh-rsa Now try logging into the machine, with "ssh 'user@myfirewall'", and check in:   ~/.ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting. However, trying to login, it still asks for a password, Thanks, Bart ... View more

I'm writing a script to disable a rule using panxapi.  I'm trying to check to make sure the rule exists.  I've found if I have a typo in the rule name, panxapi will create the rule as a blank, so I need to make sure the rule exists before running panxapi to disable it.  I started testing how to do this and have run across something I don't understand.  Options -g and -s look to be what I would need, but I'm not understanding their results.  If I enter a non-existent rule "Rule.junk" they return different results. -g                get candidate config at xpath -s                show active config at xpath panxapi -h 192.168.x.x -s "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='Rule.junk']" show: No such node status="error" panxapi -h 192.168.x,x -g "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='Rule.junk']" get: success My candidate and running config are identical, yet -s says the rule doesn't exist, and -g says it does? Thanks, Bart ... View more

Security dictates I have an L2 network that is electrically separate from my production network, i.e a separate set of switches with no connection to production and is used for management of infrastructure devices only.  I now am setting up a second data center in another city.  I'm fortunate in that my remote data center has been physically located in my local data center and my network stack is complete and tested.  Unfortunately, I've existed with this configuration and my management network is all one big happy L2 network.  My L2 network is called nmnet (network management network) and contains devices staying locally and devices moving to the remote data center.  My problem is twofold: I don't wanti to re-IP all my network management interfaces I want to keep this network intact as my address space is 192.168.x.0/24, so in essence, I want to tunnel across the internet I have equal firewalls at both sites.  I have a firewall in front of my data center, an internal dmz firewall and an external dmz firewall.  I call these DC, DMZI and DMZO respectively.  Traffic flows "south to north" from my DC to DMZI to DMZO firewalls locally and "north to south" from my DMZO to DMZI to DC firewalls remotely - and vice versa. Can I create a set of vwires through my firewalls to my DMZO firewalls and use an IPSec tunnel between my two site DMZO firewalls?  Here's my scenario: DC firewalls: •    ethernet1/2=nmnet-vwire, zone=z.nmnet, physical connection=nmnet L2 network •    ethernet1/3= nmnet-vwire, zone=z.nmnet, physical connection=ethernet1/2 of dmzi firewall DMZI firewalls: •    ethernet1/2= nmnet-vwire, zone=z.nmnet, physical connection=ethernet1/3 of dc firewall •    ethernet1/3= nmnet-vwire, zone=z.nmnet, physical connection=ethernet1/2 of dmzo firewall DMZO firewalls: •    ethernet1/2= nmnet-vwire, zone=z.nmnet, physical connection=ethernet1/3 of dmzi firewall •    ethernet1/3= nmnet-vwire, zone=z.nmnet, physical connection=ethernet1/2 of dmzo firewall •    create tunnel.9 assigned to z.nmnet, stpe address 192.168.186.1, mkt address 192.168.196.1 •    create ipsec tunnel with ike gateway interface ethernet1/13 and tunnel interface tunnel.9 I know its long, but hopefully somebody will brave through it with an answer. Thanks, Bart ... View more

Is there a way to use the panxapi module and delete or modify a member from an address group?  I have an address object I no longer use and want to remove all references.  I can use panxapi to delete the address object as long as I manually remove the objects from all groups to which it is a member.  I want to be able to write a program to remove all references, but can't get it to remove from the address groups. Thanks, Bart ... View more

I have the need to create a rule with three applications, ncp, ms-update and ssl.  Two of those applications use their standard ports - ncp (524) and ms-update (80 & 443).  The ssl application uses port 13000 - not the standard 443. If I create a single service object using ports 542,80,443,13000 and use this service object in the rule, can all three applications use any of those ports?  If I create a service object for each application and put the service objects in a service group, then add the service group to the rule as follows: service-ncp: port 524 service-ms-update: ports 80,442 service-ssl: port 13000 service-group: service-ncp,service-ms-update,service-ssl Does this limit each application to the specific ports defined within the service object? My goal is to be very deterministic (we don't need to discuss religious arguments as to my sanity) in my rules - meaning, I want to know and control applications and the ports they use whenever possible and when it makes sense.  What I don't want is cross-talking, in this example, this rule allowing ms-update over port 13000. Thanks for your feedback ... View more

I've successfully created a rule on my firewall using panxapi, but it puts the rule at the bottom.  How can I use panxapi to put a rule in a location other than the bottom (last) rule? ... View more

When both a source address and a source user are specified, is the rule match source address AND source user? source address OR source user? My guess is #1, but I can't find documentation to back that up. Thanks, Bart ... View more

I have a number of rules that are showing unused.  I've read the threads on the counter resets etc. but I'm still looking for a definitive answer - hence my post.  When does a rule become marked as unsed?  Is it after a month, 2 months, a year, since boot?  Is there a setting I can adjust to say a rule is unused after X amount of time? Thanks, Bart ... View more

I'm looking to use FQDNs inside Address Objects but have some reservations.  What happens if my DNS goes down, or becomes corrupted for some reason.  In other words, when using FQDNs, what happens if the PA can't resolve the address?  Is all traffic to FQDN configured objects blocked? As an example, let's say access to my DNS server (or some other critical device) is through a rule with an address object of FQDN and not IP.  Since I know the IP address of my DNS server, would I be able to SSH to it through an IP call or am I totally blocked until DNS comes back online?  If true, I would need a separate rule to allow traffic by IP Netmask to my DNS server just in case DNS goes down and I need to gain access to my server to troubleshoot any problem? Another example would be use FQDN for my email servers.  If DNS goes missing, does all email stop? Thanks, Bart ... View more