About rbista

If you have on-demand connect method with GlobalProtect and have encountered issues with the app not being resillient , for e.g.    1. Does not detect VPN disconnects fast enough and continue to think its connected  2. Drops connection when there is temproray network glitches    then please unicast me or reach out to your palo alto networks account team or support so that we can better understand the concerns/requirements to evaluate future enhancements.   ... View more

DPD is not supported on Cisco. This is a Palo Alto feature. You will see that in the ike logs.    Overview Dead Peer Detection (DPD) refers to functionality documented in RFC 3706 , which is a method of detecting dead Internet Key Exchange (IKE/Phase1) peers. Tunnel Monitoring is a Palo Alto Networks proprietary feature that verifies traffic is successfully passing across the IPSEC tunnel in question by sending a PING down the tunnel to the configured destination. Tunnel monitoring can be used in conjunction with “Monitor Profiles” to bring down the tunnel interface allowing routing to update to allow traffic to route across secondary routes. Tunnel monitoring does not require DPD. Dead Peer Detection must be either active or disabled on both sides of the tunnel, having one side with DPD enabled and one side with it disabled can cause VPN reliability issues.   https://live.paloaltonetworks.com/t5/Configuration-Articles/Dead-Peer-Detection-and-Tunnel-Monitoring/ta-p/61371   ... View more

@rmonvon helped me resolve an issue we were having with decryption.  Due to the changes in how the any -> application-default is now treated, sometimes the App-ID for web-browsing is seen on port 443 within the encrypted stream.  On recommendation, I had to create a special rule for allowing outbound web traffic for the App-ID web-browsing so that it included both service-http (80) and service-https (443) so that websites would work correctly.  I'm unsure if there are other apps that could potentially get wrapped in SSL (say VPN, RDP, etc.) that could be affected due to this change.    Just a heads up on this one.   -Matt ... View more

We do not look like we got honored on this FR, do we? ... View more

Did it ever work?   ... View more

I have resolved this kind of issues by clicking once on the "retrieve licenses link, then do check now.  ... View more

I have been on 7.04 since Dec 2015 and now 7.0.5h2 and thankfully the SSL decryption problrems have been resoved. I would feel safe recommending  7.0.5h2 ... View more

I can see from the above suggestions that you have already tried with ipsec and ssl Certaily ipsec will be faster as it uses UDP   I would like to know the slowness is happening for all the traffic or you are accessing any specific application and testing the same ? ... View more

rbista... there are some hidden accounts. If you run a firewall on specific software version (sorry I can't remember which one but you can check the release notes for the fix to determine it) you can run the command 'show admins all' and it will display hidden admins accounts. My understanding is that these are specific accounts designed for certain processes to use though, that is why they are kept hidden.   Ben ... View more

@rbista  Just in case you are looking for the status, this is still not possible. Currently considered as a feature request. ... View more