About RLJFRY

Hi,   I know this thread is quite old, but I thought I'd share my resolution to the same issue. Of course, it can obviously be different on a case-by-case situation.    My test set-up I created today....   Physical Site A VLAN 1 Physical Site A Net 192.168.1.0/24. Physical Site A PXE 192.168.1.1/32   Physical Site B VLAN 2 Physical Site B Net 192.168.2.0/24 Physical Site B DHCP 192.168.2.1/32 (Palo Alto FW) Physical Site B "IP helper-address 192.168.1.1" (Set on Cisco Switch for VLAN 2) Physical Site B "IP helper-address 192.168.2.1" (Set on Cisco Switch for VLAN 2) Physical Site B client laptop patched into VLAN 2   I built up a test network with physical site A hosting the PXE server on VLAN 1, and site B with the DHCP server running on the Palo Firewall on the interface for VLAN 2. A site-site VPN was configured between the two sites using two Palo FW's.   Both sites have Cisco switches with L3 routing.     The trick was looking at the ip default-gateway set on the Cisco switch. - Basically, the DHCP broadcast comes from the laptop performing a Network boot. The Cisco switch will pick-up these broadcasts and convert them to Unicast and send to both IP helpers on behalf of the client.    If your routing on the L3 switch sends its packets out on the wrong route then the DHCP and PXE requests wont get to the PXE server. In my case I had to ensure that the default gateway set on the Cisco was set to the internal FW interface 192.168.2.1 that is allowed to traverse the site-site VPN.   Once I set this up everything fell into place and the laptop in Site B PXE booted to the PXE server in site A. CISCO CONFIG: show run int vlan 2 interface Vlan2 ip address 192.168.2.253 255.255.255.0 ip helper-address 192.168.1.1 ip helper-address 192.168.2.1 end ip default-gateway 192.168.2.1     My next step is to look into iPXE as PXE on a site-site VPN is far too slow.   Anyhow, I hope that this helps someone in the future. ... View more

Re the Variables working / not working, I’d also like to see some official documentation from Palo on this rather than community posts.  For example I have a case open with Palo support right now that have referred me to this post to show that Variables do work.  I replied saying that I am aware of this thread as I’m in it and I’d like official documentation on this rather than community driven information (no offence meant).  The engineer then referred me to another thread which looks like it’s a community written article: https://live.paloaltonetworks.com/t5/General-Articles/GlobalProtect-Implement-Split-Domain-and-Applications/ta-p/316929   Im interested @bspilde what you were saying in that Palo said variables will not work. Have you got a ticket re this with them?   Personally I’m struggling with GP split tunnelling right now. - I want to send ALL traffic down the Tunnel EXCEPT “xyz”   I was therefore advised by PA support to enable split tunnelling (untick “ Disable the No direct access to local network”) and add 0.0.0.0/0 in the include and add the objects I want to exclude in the appropriate exclusions fields.   The end result is that the domains I add into the domains exclusions are no longer reachable whilst the tunnel is established. The same issue is happening for video traffic (after I enabled the video so go directly) - no video traffic can be played whilst the tunnel is established. The other things I’ve come to discover are the following, and I’d welcome anyone’s feed back on this:   1. Limitation 1: We can only add up to 10 entries in the "Access Route" Include / Exclude? 2. Limitation 2: We are not able to utilize "Address Groups" in the "Access Route" Include / Exclude? 3. The question re the variables which seems to be up in the air.  Im running PanOS 8.1x   The PA support person I’m talking to says that these limits are not correct as of PanOS 8.0.2.   Again, I’d welcome anyone else’s comments as I’m banging my head against a break wall on this one.  Am I getting this wrong!?   Thanks     ... View more

Thanks @yannogrodowicz for confirming.    Yes, of course re the "netstat -anob". I'm so used to looking at the Foreign Address in the results, I didn't stop to look at the Local Address.   Another limitation I've found, at least on our PanOS revision, is that there are a limitation of 10 IP entries that can be entered into the INclude / EXclude fields for the GP Split tunnel "Access Route". Adding more entries just overwrites the existing ones!   Unfortunately it doesn't support Address Groups either, so you're forced to enter address entries or point to existing entries in the Address objects table.    I've reached out to PA support on my existing case to see if this still exists on all the PanOS versions.   Otherwise some may be forced to widen the subnet range in the entries, which would obviously be quite risky.   Thanks again for your help and confirmation.    BTW: I'll post the info I get back from PA support here. ... View more

Thanks @yannogrodowicz    That's some helpful insight there, and much appreciated.    I'd already read the article re the split tunnel features (https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/globalprotect-features/split-tunnel-for-public-applications) but I couldn't find any mention of variable support. I'll take your word for it. 🙂   It's good news that you managed to bypass the MS Teams traffic using a mixture of the variables and subnets, I'll look to do the same. It's a shame that the Split Tunnel doesn't support EDL's as I could have utilised Minemeld for this without doubling up my work. Anyhoo, this is good news you got it to work! 🙂   Could you advise as to when you experienced the changes take effect on the VPN clients? From the general consensus it seems to be once a VPN client has made connection, disconnects and reconnects. This would make sense as if gives the client the chance to pull the policy update and apply it on next connection.   Finally, and I ask this question because I couldn't seem to get it to work... It would be good to see if an excluded Client Application Process Name (not IP or domain) is bypassing the tunnel and going direct, or at least some of it's traffic.    I know I could look at the FW logs, but that would obviously only show me traffic that the firewall is seeing and therefore routing over the GP VPN, not what traffic is going direct. I know I could run a netstat on the clients and get the apps process ID and see what connections it's making, but that wouldn't show the route the process is taking.    Using tracert/traceroute isn't going to work either as that's not the App Process we're whitelisting. - It's Team.exe or Zoom.exe for example that the GP VPN client is looking out for to bypass and not tracert.exe   I tried adding the paths to tracert.exe to the Client Application Process Name but this didn't seem to work, yet adding IP exclusions such as 8.8.8.8 happen pretty much straight away. So it made me wonder if the Client App bypass was working at all?   Does anyone know of a way of proving the Client App Process is bypassing some traffic at least? I think I'm overlooking something quite simple? It's been a tough couple of weeks on the brain haha!   Thanks!   John                 ... View more

Hi all,    Am I reading this right in that PanOS doesn't seem to support environment %Variables% in the path name of the executable you're trying to add to the "Include/Exclude Client Application Process Name" fields, be it with or without a GP license!? That's big oversight if that's the case. Has anyone got this confirmed by PA support?   If it makes a difference to the PanOS, we're at 8.1.x and have a GP license.   I'm basically also looking to add Teams and Zoom to the exclusion list by executable, but it's pretty pointless if neither will work? Or is Zoom working using the .exe path name in conjunction with the IP exclusions for it's IP blocks?   Also, are you guys seeing the new GP config changes apply after reconnecting / disconnecting and then reconnecting the GP client again? - I asked PA support when the GP configs get applied and they weren't sure, and advised me that's it's best to uninstall the GP client and clear a registry key and remove the GP services following a config change, and referred me to the following article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJDCA0   This seems rather drastic!   Thanks,   John ... View more

@Sec101 Haha! Glad to help.   That's the beauty of community support 🙂       ... View more

Just a note on the suggesting of importing of the Office 365 config and overwriting your existing config which is a bit bizarre!!!   When this article says "T ake into account that this procedure will replace any configuration you might have with this new collection of nodes. Your old configuration will be lost. " it literally means ANY config... no matter if its an existing security feed config etc, it will be ovewritten!!!   HOWEVER, fear not...   1. You should have taken a backup of the system before-hand right? E.g: * A VM snapshot if running on a VM.  * An export of the existing config to a text file.   2. Even if you do choose to OVERWRITE your config, you can roll it back by immediately pressing REVERT button in the Config section.   3. Despite what the article says, you do not need to OVERWRITE, but you can APPEND the config instead if you wish, therefore keeping your existing configs and complimenting them with the Office 365 config. - Just make sure you miners, processors and outputs aren't clashing.    Remember - you can REVERT.   Once you're happy, then you can COMMIT. ... View more