About alowther_chatham

There are some OIDs for basic stats (at least for 8.1, which I'm stuck on for now) https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-gateways/globalprotect-gateway-concepts/globalprotect-mib-support   You can also use the API to query for connected user information. https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-panorama-api/pan-os-xml-api-use-cases/show-and-manage-globalprotect-users-api   Neither of these methods tells you specifically pool usage, so you would have to calculate that yourself.   see also: https://www.reddit.com/r/paloaltonetworks/comments/fk8c9p/globalprotect_current_users_api/ ... View more

To make sure the cookie is not being used I will take these steps on the client machine - delete the PanPUAC_*.dat files (on my Windows machine these are in %USERPROFILE%\AppData\Local\Palo Alto Networks\GlobalProtect\) - restart the PanGPS service   IIRC, the PanPUAC file contains the GlobalProtect cookie, and I restart the PanGPS service to clear any cookies used by SAML. ... View more

I would upgrade the GlobalProtect clients first.  Some functionality may work, but the documentation for PanOS 9.1 says that the "Minimum Compatible Version with PAN-OS 9.1" is GlobalProtect 5.1   https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-release-notes/pan-os-9-1-release-information/associated-software-and-content-versions.html ... View more

It sounds like that user is either behind a captive portal or a device doing TLS/SSL Decryption.  A quick google for "Lightspeed Systems Captive Portal" and "Lightspeed Systems SSL Decryption" show that is a product that can do both. ... View more

There was this issue from about 6 months ago "Installing Microsoft's June 8th 2021 NTLM Elevation of Privilege Vulnerability patches may break the User-ID Agent's connection to Domain Controller(s)" https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001Vcg   There was also this issue from a few months ago https://docs.microsoft.com/en-us/answers/questions/564347/server-2019-update-kb5005568-sept-2021-forcing-new.html   I'm not sure what specific patches this thread refers to, but the comments mostly suggest ditching WMI for WinRM https://www.reddit.com/r/paloaltonetworks/comments/rl5ssb/windows_userid_agent_wmi/   What are you referring to when you say "Windows update the broke WMI from the PAN-OS User-ID agent" ?  I've been keeping an eye on these issues, but my PAN-OS User-ID lookups over WMI still seem to be working. ... View more

I'm not sure why you are mentioning Windows.  The native integration is where the Aruba Instant controller will directly update a PaloAlto device using the PaloAlto API.   Impossible to say what is wrong.  Some troubleshooting tasks that jump to mind - Do a packet capture on the firewall to see if the syslog messages are arriving - Check logs.  System logs in the UI.  From the command line there are mp-log files for useridd.log and syslog-ng.log that could be useful. - Verify under User Identification that the server sending the syslog messages is configured as a Monitored Server with your regex profile - Verify the interface receiving the syslog messages has an Interface Management Profile that allows the User-ID Syslog Listener ... View more

Do you mean the issue where the Install in Local Root Cert Store setting was not working?  I believe this turned out to be some obscure bug in GlobalProtect.    What I eventually figured out was that if the file C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer does not exist then the cert is installed correctly   (T5916) 09/20/19 22:32:07:450 Debug(9370): File C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer does not exist. (T5916) 09/20/19 22:32:07:762 Debug( 82): Saved root CA(1094 bytes) into file C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer. (T5916) 09/20/19 22:32:07:762 Info (2573): Imported root ca.   If that file does exist then the import is skipped incorrectly   (T5916) 09/20/19 22:34:06:117 Debug(7733): Delete the previous trusted root ca file C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer (T5916) 09/20/19 22:34:06:117 Debug( 82): Saved root CA(1094 bytes) into file C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer. (T5916) 09/20/19 22:34:06:117 Debug(7765): Skip importing trusted root CA to store because portal's server certificate is not verified     There were two ways I found to fix the issue - delete the file C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer and then re-download the portal config - reinstall GlobalProtect   I was not able to duplicate the issue in a lab, so I'm not sure what triggers the faulty behavior. ... View more

Not sure about "AC", but I use Aruba Instant clusters.  I integrate user-id with PaloAlto two ways.   First, there is a native integration option https://www.arubanetworks.com/techdocs/Instant_40_Mobile/Advanced/Content/UG_files/RTLS_conf/panFirewallInt.htm   Second, a syslog filter on the PaloAlto Event Regex: User [aA]uthenticat(?:ed|ion) Username Regex: username[-=]([a-zA-Z0-9\\._-]+) Address Regex: [iI][pP][-=]([0-9.]+)   The syslog filter a backup in case the native integration fails.  I am currently trying to report a bug with the native integration where the Aruba will use the PaloAlto API to send a logout followed immediately by a login for an IP.  This often results in the login update not taking effect. ... View more

Thank you.  I think this should work for my situation.  We allow Global Protect to be installed on personal machines, so we don't have the capability to push a trusted cert using group policy or such.   However, when I tried checking this option the cert does not get installed.  I found in the PanGP Service debug logs Saved root CA(...) into file C:\Program Files\Palo Alto Networks\GlobalProtect.tca.cer. Skip importing trusted root CA to store because portal's server certificate is not verified   This is strange since the portal uses a certificate from a trusted 3rd party CA. ... View more