This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About fjwcash
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About fjwcash
10-13-2022
167Posts
30Likes
17Solutions
Oct 13, 2022Last Visited
User
Activity
User
Profile
Latest posts by fjwcash
| Subject | Views | Posted |
|---|---|---|
| 1560 | 12-09-2021 04:26 PM | |
| 1563 | 12-09-2021 04:20 PM | |
| 1618 | 12-09-2021 02:27 PM | |
| 1582 | 12-09-2021 02:00 PM | |
| 1437 | 10-25-2021 10:49 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 09-19-2018 03:26 PM | |
| 1 Like | 01-27-2020 02:24 PM | |
| 1 Like | 12-09-2021 04:26 PM | |
| 1 Like | 11-05-2020 08:14 AM | |
| 1 Like | 10-13-2020 11:06 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like | |||
| 2 Likes | |||
| 1 Like | |||
| 4 Likes | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 05-06-2016 10:51 AM |
| Date Last Visited | 10-13-2022 11:59 AM |
| Posts | 167 |
| Total Likes Received | 30 |
12-09-2021
04:26 PM
1 Kudo
Ah, there's a Target column in the Policy view page. By default, it lists "any" which includes all devices in all child device groups to where the policy is created.
In theory, we could create our one-off rules in the GP Device Group, and target them to only the specific Child Device Groups (aka specific firewalls) where it's needed. As we add those devices to more sites, we add them to the target list. Eventually (hopefully), that list grows to include all Child Device Groups and it switches over to "any".
Neat. I think this will actually work. Was wondering what the Target tab was for, as I couldn't see a reason for targetting rules to only specific child device groups, but now it (mostly) makes sense!
Thanks for the pointer! I will have to play with this a bit to see if this will do what I want it to do.
And, I think this will actually help to clean up our one firewall that has completely different Security Policies compared to every other site, so it has an (essentially) duplicated ruleset done in the lowest device group (local to the firewall) with a "Deny all" rule to short-circuit the inherited rules from parent device groups.
... View more
12-09-2021
04:20 PM
Interesting. Seems like an overly complicated, round-about way compared to making the "enabled" tag override-able. 🙂 Wonder what the Policies tab --> Security Policies --> Post page would look like? Would you see all the rules as "enabled" and then have to drill down into specific rules to see what it's targeted to? Or have to use the "Preview Rules" button to see what will actually get pushed to the firewall?
Still think having the enable/disable toggle work in child device groups is a better/cleaner solution. 🙂
(Could also be that our device group hierarchy isn't ideal and there's better ways to arrange things. We have 1 firewall per child device group.)
... View more
12-09-2021
02:27 PM
I'm guessing this would be a Feature Request, as it's something that's not available in Panorama 7.x, 8.x, or 9.x (haven't checked 10.x).
Is there a way to disable Policies (whether Security, NAT, QoS, etc) that have been inherited via the Device Group hierarchy?
Meaning, if I have 3 Devices Groups (GP, Parent, Child), and I put 10 Security Policies into GP, and 10 different Security Policies into Parent, is there any way to mark those as "disabled" within the Child Device Group?
So far, I have not been able to find a way to do this from within the Child Device Group context. I can disable the rule in the DG they originate in, but that marks it as disabled for all device groups lower in the hierarchy.
Why do I want to do this, you ask? Because it would be really nice to be able to write a single set of Security Policies to cover all configurations in the GP, some more specific Security Policies in the Parent, and then just disable the ones that don't apply in specific Child device groups.
Right now, we have 50 firewalls that cover elementary schools, secondary schools, and non-school / admin sites. They all get the same base set of rules that are defined in a common parent device group. Then we have a set of rules that are specific to an HVAC panel, to a PA system, to an irrigation controller, to a sign controller, and to a couple other one-off devices. These are created in the Child DG for each firewall, and we have to clone these to other Child DGs when the devices get installed into other buildings. It's a pain keeping track of which schools have which rules enabled when cloning needs to happen for a new device.
It would be nice to just have all the rules available to all Child DGs, and we just enable/disable the relevant rules in the Child DG.
... View more
12-09-2021
02:00 PM
We don't have the logs anymore as we've removed all ECDSA certificates from our GP setup. The certs don't even exist anymore. We don't use device certs, these were the certificates used in the gateway configuration. This was simply changing the self-signed CA root certificate and the certificates used for the gateways (signed by the root CA) to ECDSA. The portal uses our domain's wildcard cert. With the ECDSA certificate enabled on the gateway, Windows and MacOS, Android and iOS GP clients were able to connect to the gateway without issues. Linux clients, regardless of GP client version, would connect to the portal, authenticate the user, connect to the gateway, then error out with something along the lines of "can't authenticate server" when it went to establish the SSL connection to the gateway. The really interesting part was that manually loading https://gateway.address/whatever-the-pre-flight-URL-is in a web browser on the same Linux station worked. It was just the GP connection that failed. Nothing in the gateway configuration on the firewall changed, except which certificate was in use (RSA or ECDSA). We flipped it back to RSA, and Linux clients could connect without issue. Flipped it back to ECDSA, Linux clients would not connect. We even configured 1 gateway with RSA certs and another gateway with ECDSA certs, and would either get a working connection or a failed connection based on which username we logged in with (the username determines which gateway is used). Tried with GP 5.1.x, 5.2.x, and 5.3.x and the results were the same. Linux clients could not authenticate the gateway and would not establish a connection if the gateway used ECDSA certificates. We've since moved back to RSA certificates for everything on our firewalls, and won't be looking into ECDSA anytime in the future. We have more Linux stations than Windows in our workplace, so we need to make sure the Linux stations connect to GlobalProtect.
... View more
10-25-2021
10:49 AM
You need to create two separate LDAP Server Profiles (one for each server). Then you need to create two separate Authentication Profiles (one for each LDAP server). Then you need to create an Authentication Sequence that lists which order you want to query the LDAP servers. Then you configure your GlobalProtect setup to use the Authentication Sequence to authenticate clients. That way, when a client connects to GlobalProtect and puts in their username and password, GlobalProtect will check the LDAP servers in the Authentication Sequence. If there's a working authentication from the first LDAP server, then the client is connected; if not, the second LDAP server is checked. If there's a working authentication from that one, then the client is connected; if not, the connection fails. You have to treat the LDAP servers as separate entities.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-13-2022
11:59 AM
|
Latest Tags
No tags yet
Likes From
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks