About BLH

Woop woop.. From the PAN-OS 7.0.4 release notes:   Added a new CLI operational command ( set authentication radius-auth-type <auto|chap|pap> ) to address an incompatibility issue between PAN-OS and some RADIUS servers. With this fix, you can manually override the automatic selection mechanism introduced with Challenge-Handshake Authentication Protocol (CHAP) support in PAN-OS 7.0 to select either CHAP or Password Authentication Protocol (PAP) as needed.   TLDR; CLI command set authentication radius-auth-type <auto|chap|pap> ... View more

Haven't tried applying it to such a scenario before, but you can use regex in address groups (and I guess could use that to block FQDN's ?) https://live.paloaltonetworks.com/t5/Management-Articles/RegEx-Pattern-for-FQDN-Address-Object/ta-p/60257   Edit: Missed the part about decryption. Anyway, above, for what it's worth. ... View more

Found this issue on another firewall (Panorama 7.0.2) - I could also resolve it by modifying the RADIUS configuration. Great find! ... View more

All versions of NPS (2008 <-> 2012 R2) should behave the same way. Dump below is from a 2012 R2. First a CHAP request is sent, that is rejected, and then PAP is tried.   The Event Viewer will also indicate two logins. Subsequent logins are only sent using PAP though.   Might be worth a shot to re-create the RADIUS server profile on the firewall. What does a Wireshark trace from the NPS look like?   The whole CHAP implementation in 7.0 is pretty silly. The failover only works half the time for the inital logins, it causes massive issues with Multi Factor Authentication solutions using RADIUS Challenge/Response, there's no tickbox to turn it off and completely baffling that CHAP, instead of MS-CHAPv2 is supported..     ... View more

Is the Network Policy (or Connection Request Policy, if using overrides), specifically configured to only allow PAP?   ... View more

Are you using the NPS for administrator or GlobalProtect access? What version of PAN-OS? What does the Event Viewer on the NPS say? Event Viewer -> Server Roles -> Network Policy Server ... View more

Unfortunately it's a known issue with PA-2050's. As config grows larger over time, commit times will keep on increasing. Sometimes it gets slightly better/worse from version to version, but there's no real 'fix' AFAIK :smileyplain: ... View more

CBT Nuggets have a introductory course: https://www.cbtnuggets.com/it-training/palo-alto-firewall RouteHub also have a collection that is a bit more feature-specific: Palo Alto Networks Training I've gone through both video series, and was not very impressed by either to be honest - I found them too basic. CBT does a really good job at explaining GlobalProtect though. ... View more

RADIUS authentication with Challenge/Response seems to be broken. Besides that, I'm seeing good results with 7.0 as well. ... View more

Welcome to the forums Kirk, If you go to the Monitor -> Traffic and filter on your IP ( addr.src in x.x.x.x ) can you see the Google applications being blocked? Example below shows how Google Docs is blocked and Dropbox is allowed and what rule causes that. ... View more

As far as I know, that would only be possible if combining a Certificate Profile with the Authentication Profile. For proper 2FA, you should have a dedicated RADIUS 2FA server. ... View more

http://smspasscode.com works nicely for admin and GlobalProtect access (disclaimer; I used to work for the company). Very flexible product. Whatever you do - just stay away from RSA :smileylaugh: ... View more

There's quite a few threads with the same topics - all of the have the same suggestions as above, which haven't helped anyone yet. It appears the VM series require a license deployed, in order to view the live monitoring traffic - however I have yet to encounter this anywhere in official documentation. ... View more

Is the VM registered with a license? Ref. this thread: PA-VM-100 No traffic logging ... View more

Bump. Anyone? ... View more