Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- ›
- About BruceBennett
About BruceBennett
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
yesterday
33Posts
14Likes
2Solutions
Jan 22, 2021Last Visited
User
Activity
User
Profile
Latest posts by BruceBennett
| Subject | Views | Posted |
|---|---|---|
| 95 | 2 weeks ago | |
| 657 | 04-17-2020 07:28 AM | |
| 4667 | 04-07-2020 06:12 AM | |
| 4844 | 04-01-2020 02:53 PM | |
| 4938 | 03-27-2020 04:49 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 10-15-2019 02:53 PM | |
| 1 | 12-01-2019 06:35 PM | |
| 4 | 10-31-2019 05:48 AM | |
| 1 | 12-02-2019 06:07 PM | |
| 1 | 11-08-2019 01:22 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 5 | |||
| 1 | |||
| 1 | |||
| 1 | |||
| 1 |
User Badges
Public Statistics
| Date Registered | 05-27-2016 12:32 PM |
| Date Last Visited | yesterday |
| Total Messages Posted | 33 |
| Total Likes Received | 14 |
2 weeks ago
We did something similar when we were waiting on a new device to be delivered. You should not have any issues with differentiating the traffic. On ours, the zones are assigned to the tunnel interface for each of the tunnels and a different zone applied to the user VPN compared to the IPSec tunnels. It really is not much different than having multiple tunnels to sites that you want different rules for each tunnel. That is a very simple answer, but when we did it, it really was not complicated at all. 1) Yes. 2) Not sure if there is a term for it. 3) It does not require a different license than the GlobalProtect license, and that might not be required depending on how you are using GP. Good luck, Bruce.
... View more
04-17-2020
07:28 AM
If you see it as an application in your traffic monitoring, then you should be able to create a rule, specifically blocking that application before your allow rule. I had to do the same thing with Webdav and Sharepoint in a recent implementation. If the traffic is only showing up as SSL traffic, then I do not think you can specifically block a program/application. Also, since it is SSL type traffic, you will need to do SSL decryption for that traffic before it would be identified as an application other than SSL. Not to go too far on this response, but if it is not a standard application and you are doing SSL decryption, you may be able to create your own custom application that is specific to that WINSCP traffic and block the traffic as described above. Sorry, I do not know much about WINSCP.
... View more
04-07-2020
06:12 AM
Hi @nnaik Your articles are great! They will be very useful for our split tunnels. I was also able to modify the PS a little and pull the ExpressRoute addresses too. That is something that I have needed to be able to do in the past, but was not able to find. (edit: I was wrong, I was not getting the ExpressRoute addresses, I will have to keep working on that.) That only leaves my issue with MS Network Location Awareness. Again, thank you very much!
... View more
04-01-2020
02:53 PM
@jdelio Thanks for your response. Unfortunately, we have "Premium Partner Support" and I cannot convince them that this needs to be pushed up to PAN Support. They are convinced this is a Microsoft issue. So we opened a case with Microsoft and they are sure it is not their problem. We are stuck between two stubborn support teams at this point. We will get there, just slower than we wanted.
... View more
03-27-2020
04:49 AM
@jdelio I appreciate what you guys are doing here, just took me a while to find it. One issue that we are running into is that once we get connected with GP, our O365 apps like Outlook, will say there is no network connection if you try to use it right away. If you take your time to start Outlook there is no problem. So we tracked it down to MS NLA not checking the internet connection fast enough. What can we do to resolve this issue? Thanks again for your team in this challenging time.
... View more
01-10-2020
02:25 PM
@vsys_remo That is a good question, because I don't see "the global protect login option on the windows logon screen". Looking at the windows login screen from both PCs, PC1 does show a "GlobalProtect Status:", while PC2 does not. I do not remember taking any different steps between the two PCs, but definitely does stand out as a difference between the two. I thought that part of the configuration was pushed down from the portal configuration, so I am obviously missing a step or something on PC2. My goal is to be able to push this down to the users with the least amount of interaction possible.
... View more
01-10-2020
11:38 AM
I am building out a test environment using GP as always-on/prelogon. The issue that I am seeing is that one test user, this seems to work fine and another test user it does not. Both users are running the same PC type and same Windows 10 updates into the same AD environment for in office authentication. Current GP version 4.1.12 (I am trying to resolve this issue before updating to GP 5.0.x, that update is going to be a test against the locked down nature of the PCs in the environment). PC 1: Once logged into Windows, GP uses Windows SSO and authenticates to the portal/gateway and the PC is on-net. PC 2: Once logged into Windows, GP pops up a window with the user account listed but requires a password to continue with the authentication. I am not sure where to look to see what the difference in how GP is functioning on the two PCs. I feel like I have gone through the systems logs thoroughly, but I must be missing something since both PCs are functioning differently.
... View more
12-13-2019
06:34 AM
@MickBall Hi, With your users that are seeing the issue: Is it consistently the same users, or does that change? When the users do see the issue, is it as simple as them closing Outlook and opening it up again to fix it?
... View more
12-10-2019
05:37 AM
This is interesting because we use O365 and I see the same kind of thing. With initial connection, if you start up Outlook right away, about 50+% of the time you will get exactly what you described in the initial post. Then, you close Outlook and open it again and all is well. It is like the routing is just not there initially and has to figure it out. Since we are using O365, the addresses are very dynamic, so I cannot add the routes. Your insight has helped me understand what is happening and I will have to see what I might be able to get done. Thanks for the post and your resolution.
... View more
12-02-2019
06:07 PM
1 Kudo
@BPry How do you determine the right settings, are there general guidelines or some reference available?
... View more
12-01-2019
06:35 PM
1 Kudo
We had PAN Proffessional Services help us with our Azure deployment and they recommended going with individual firewalls and use Azure for load balancing between them. We went in expecting to run actuve/passive HA, but implemented their recommendation and it has been running great since it was installed. Unfortunately, I cannot give you the details behind why the recommendation to not use HA, other that two different PAN Engineers telling us that HA and Azure just don't work well together.
... View more
11-26-2019
06:16 PM
Thank you. I found out today the entry needed to be a PTR record. As soon as I changed the entry to one with a PTR record it started working.
... View more
11-21-2019
12:23 PM
I am still having a problem with pre-logon in the mornings, but it is connecting after a logout or reboot. One of the things that you may need to look at is the authentication for your pre-logon. If you have the client certificate as required, that may be part of the problem ( I am speculating). I have that set to none and pre-logon works for me after a logout and reboot, just not after a night with the computer off, booting in the morning. Also, I am sure you have them right, but I messed that up the first time setting it up. Do you have the pre-logon agent config as the first config? I am still chasing my demon related to the initial boot of the day, and hope that someone else responds to the thread and has the magic answer, but I wanted to try and help since we are chasing similar issues. Bruce.
... View more
11-19-2019
05:10 AM
Thank you for the replies, I appreciate the help. I have decided to back out the internal gateway changes I made and go with no internal gateway for further testing. Unfortunately, I am not going to get to test this with an internal user until next week. Based on the comments, it looks like I was headed the right direction. Testing config: no internal gateway, block access to external gateway, internal host detection enabled. Thanks again to everyone that replied!
... View more
11-18-2019
10:17 AM
@vsys_remo That is how I understood what I had read, that I did not have to define an internal gateway as long as the DNS lookup was working. But some working in your response has me questioning it a little. I am confident that I put in the FQDN and IP address correctly, but you mentioned "It tries to resolve the specified IP and if the specified name is coming back from the DNS". if I lookup the address by FQDN I get the IP address, but if I try to look up the IP address, I do not get the FQDN. The direction of that lookup seems odd, but would explain why it is not seeing it as internal. @SteveCantwell I have setup an internal gateway for testing, but it just does not seem like it is necessary, based on Remo's response and the configurations I have looked at. The internal gateway that I setup is pretty basic and will not create a tunnel, so I think it addresses what I need, but will have to wait for my internal test user to become available for testing again. Thank you both for the responses. This one has just got me twisted a bit. I think I am following the steps, and even talking through them with my PAN contact, but things are just not flowing as expected.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
yesterday
|
Likes From
Latest Blogs
Latest Posts
Copyright 2007 - 2021 - Palo Alto Networks
