About Wenar

The updated location of the Microsoft installation/removal tool is Fix problems that block programs from being installed or removed (microsoft.com) ... View more

Hi,   Did you had confirmation about this ? I trying to accomplish exactly the same thing but on globalprotect, and my group never match.     2016-12-16 09:27:36.550 +1100 debug: pan_process_radius_auth(pan_authd.c:1115): Found radius group VPN_1 for user OCEAN\michel 2016-12-16 09:27:36.550 +1100 authentication succeeded for user <vsys1,FreeRadius,OCEAN\michel> 2016-12-16 09:27:36.551 +1100 authentication succeeded for remote user <OCEAN\michel(orig:michel)> 2016-12-16 09:27:36.551 +1100 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: OCEAN\michel authresult auth'ed 2016-12-16 09:27:36.551 +1100 Request received to unlock vsys1/VPN_Auth_ALL/OCEAN\michel 2016-12-16 09:27:36.552 +1100 User 'OCEAN\michel' authenticated. Profile FreeRadius in an authentication sequence VPN_Auth_ALL succeeded. From: 203.147.79.6.   If I use michel account to allow access to globalprotect it works. If I use radius group "VPN_1" to allow access to globalprotect, nothing happen, even if pan retrieve correctly the name of the group.     ... View more

DPD is not supported on Cisco. This is a Palo Alto feature. You will see that in the ike logs.    Overview Dead Peer Detection (DPD) refers to functionality documented in RFC 3706 , which is a method of detecting dead Internet Key Exchange (IKE/Phase1) peers. Tunnel Monitoring is a Palo Alto Networks proprietary feature that verifies traffic is successfully passing across the IPSEC tunnel in question by sending a PING down the tunnel to the configured destination. Tunnel monitoring can be used in conjunction with “Monitor Profiles” to bring down the tunnel interface allowing routing to update to allow traffic to route across secondary routes. Tunnel monitoring does not require DPD. Dead Peer Detection must be either active or disabled on both sides of the tunnel, having one side with DPD enabled and one side with it disabled can cause VPN reliability issues.   https://live.paloaltonetworks.com/t5/Configuration-Articles/Dead-Peer-Detection-and-Tunnel-Monitoring/ta-p/61371   ... View more

Hello Jdelio,   Nice one. I could see it in the logs but just wanted to confirm. Logs from teh passive, but it became an Active due to heartbeats missing . Preemtion settings 100/50 :   2016/08/25 00:59:41 critical ha             connect 0  HA Group 1: HA1 connection down 2016/08/25 00:59:41 critical ha             connect 0  HA Group 1: All HA1 connections down 2016/08/25 00:59:41 critical ha             connect 0  HA Group 1: HA heartbeat backup is being used to avoid split-brain; the HA functionality is in a degraded state pending the recovery of HA1 2016/08/25 00:59:41 critical ha             connect 0  HA Group 1: HA heartbeat backup connection down 2016/08/25 00:59:42 high     ha             peer-ve 0  HA Group 1: Anti-Virus version does not match 2016/08/25 00:59:42 high     ha             peer-ve 0  HA Group 1: Application Content version does not match 2016/08/25 00:59:42 high     ha             peer-ve 0  HA Group 1: Threat Content version does not match 2016/08/25 00:59:42 info     ha             peer-ve 0  HA Group 1: Anti-Virus version now matches 2016/08/25 00:59:42 info     ha             peer-ve 0  HA Group 1: Application Content version now matches 2016/08/25 00:59:42 info     ha             peer-ve 0  HA Group 1: Threat Content version now matches 2016/08/25 00:59:42 info     ha             ha1-lin 0  HA1 peer link up 2016/08/25 00:59:42 info     ha             ha2-lin 0  HA2-Backup peer link up 2016/08/25 00:59:42 info     ha             ha2-lin 0  HA2 peer link up 2016/08/25 00:59:43 high     ha             state-c 0  HA Group 1: Moved from state Passive to state Active 2016/08/25 00:59:44 info     ha             connect 0  HA Group 1: Control link running on HA1 connection 2016/08/25 00:59:44 info     ha             connect 0  HA Group 1: HA1 connection up 2016/08/25 00:59:44 critical ha             split-b 0  HA Group 1: Going to Passive state due to split-brain recovery (split-brain duration: 1s) 2016/08/25 00:59:44 info     ha             connect 0  HA Group 1: HA heartbeat backup connection up 2016/08/25 00:59:44 info     port    ethern link-ch 0  ethernet1/1: Down 1Gb/s-full duplex 2016/08/25 00:59:44 info     port    ethern link-ch 0  ethernet1/2: Down 1Gb/s-full duplex 2016/08/25 00:59:44 info     port    ethern link-ch 0  ethernet1/3: Down 1Gb/s-full duplex 2016/08/25 00:59:44 info     port    ethern link-ch 0  ethernet1/5: Down 1Gb/s-full duplex 2016/08/25 00:59:44 info     port    ethern link-ch 0  ethernet1/6: Down 1Gb/s-full duplex 2016/08/25 00:59:44 info     port    ethern link-ch 0  ethernet1/7: Down 1Gb/s-full duplex 2016/08/25 00:59:44 info     port    ethern link-ch 0  ethernet1/9: Down 1Gb/s-full duplex 2016/08/25 00:59:44 info     port    ethern link-ch 0  ethernet1/10: Down 1Gb/s-full duplex 2016/08/25 00:59:44 info     routing        routed- 0  FIB HA sync started when local device becomes master. 2016/08/25 00:59:44 info     port    ethern link-ch 0  ethernet1/13: Up   auto duplex 2016/08/25 00:59:44 info     port    ethern link-ch 0  ethernet1/14: Up   auto duplex 2016/08/25 00:59:44 info     port    ethern link-ch 0  ethernet1/19: Up   1Gb/s-full duplex 2016/08/25 00:59:45 info     ha             session 0  HA Group 1: Starting session synchronization with peer 2016/08/25 00:59:45 info     routing        routed- 0  FIB HA sync started when local device becomes master. 2016/08/25 00:59:47 info     port    ethern link-ch 0  ethernet1/1: Up   1Gb/s-full duplex 2016/08/25 00:59:48 info     port    ethern link-ch 0  ethernet1/3: Up   1Gb/s-full duplex 2016/08/25 00:59:48 info     port    ethern link-ch 0  ethernet1/9: Up   1Gb/s-full duplex 2016/08/25 00:59:48 info     port    ethern link-ch 0  ethernet1/2: Up   1Gb/s-full duplex 2016/08/25 00:59:48 info     ha             session 0  HA Group 1: Completed session synchronization with peer 2016/08/25 00:59:48 info     port    ethern link-ch 0  ethernet1/6: Up   1Gb/s-full duplex 2016/08/25 00:59:49 info     port    ethern link-ch 0  ethernet1/10: Up   1Gb/s-full duplex 2016/08/25 00:59:49 info     port    ethern link-ch 0  ethernet1/7: Up   1Gb/s-full duplex 2016/08/25 00:59:50 info     port    ethern link-ch 0  ethernet1/5: Up   1Gb/s-full duplex 2016/08/25 00:59:51 info     ha             state-c 0  HA Group 1: Moved from state Initial to state Passive 2016/08/25 00:59:51 info     ha             session 0  HA Group 1: Starting session synchronization with peer 2016/08/25 00:59:54 info     ha             session 0  HA Group 1: Completed session synchronization with peer   Thx, Myky ... View more

Hi all,   How about combining two zone protection profiles? One that is aggressive, for the Untrust zone, and one that is permissive for the Trust zone, that will allow your "friendly" IPs to scan. Than create GP gateway for friendly IPs, push them the route towards Trust / DMZ / whatever you are scanning, and sort them out in their own "scanners" zone. Once they start scanning only permissive profile from the Trust zone will be applied to their scans, allowing them to finish the job. They are coming from separate scanners zone thus esily circumventing aggressive blocking profile on the Untrust zone.   Regards   Luciano ... View more