About ToshiNakano

Hi,   We are trying to setup always on + Pre-Login with Machine cert which generated by Microsoft PKI and distributed by GPO when user turned on the machine . Then, when user login to the machine, it will use windows logon with SSO.  Like this KB.   https://docs.paloaltonetworks.com/globalprotect/9-0/globalprotect-admin/globalprotect-quick-configs/remote-access-vpn-with-pre-logon   We confirmed a machine cert exists correct location on the Windows machine. Also, we imported the Microsoft Root cert on to Palo Alto. And we configured Portal and Gateway like KB exception is we are using MS PKI. When we login and log off from user, it will switch successfully switch to Pre-Logon. However, when we reboot the machine, Global Protect won't connect automatically with pre-logon. Global protect is disconnected until user login. It seems the cert is the issue.  So far, we found out that if we create Palo Alto generated cert and export the cert with private key, and then import the cert to Windows machine, it will work as expected. We noticed that the main difference between the two is that Palo Alto generated cert has a private key embedded within the machine cert. However, Microsoft auto generated machine cert doesn't have a private key within the cert. If you see at the end of KB, it mentioned "make sure a. it has private key". Is the private key within the machine cert requirement? If so, what is the technical reason? How can we generate a machine cert with a private key by Microsoft PKI?   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEYCA0   6. Once imported, double click the imported machine certificate to make sure a. it has   private key b. its certificate   chain is full   upto its root CA. If the chain is missing root CA or intermediate CA, import them to their respective folders as explained in Step 5.         ... View more

I am trying to setup Azue site to site VPN with BGP. IPsec tunnel came up successfully and I can ping from PA BGP Peer IP to Azure BGP peer IP. However, BGP session can not be established. It gets stuck in connect state. I have been reseraching Azure VPN with BGP example in the Inernet but I could not find any example. PA BGP is compatble with Azure BGP?   admin@IaaS-AJWS-PA01(active)> ping source 192.168.123.100 host 10.20.254.254 PING 10.20.254.254 (10.20.254.254) from 192.168.123.100 : 56(84) bytes of data. 64 bytes from 10.20.254.254: icmp_seq=1 ttl=127 time=15.3 ms 64 bytes from 10.20.254.254: icmp_seq=2 ttl=127 time=15.1 ms 64 bytes from 10.20.254.254: icmp_seq=3 ttl=127 time=15.3 ms   PA version is 7.1.14   ========== Peer: Azure-East2 (id 16) virtual router: default Peer router id: 0.0.0.0 Remote AS: 65515 Peer group: PG-Azure-East2 (id 9) Peer status: Connect, for 0 seconds Password set: no Passive: no Multi-hop TTL: 5 Remote Address: 10.20.254.254 Local Address: 192.168.123.100 (R) reflector client: not-client same confederation: no send aggr confed as-path: yes peering type: Unspecified Connect-Retry interval: 15 Open Delay: 0 Idle Hold: 15 Prefix limit: 5000 Holdtime: 0 (config 90) Keep-Alive interval: 0 (config 30) Update messages: in 0, out 0 Total messages: in 0, out 1204 Last update age: 152880 Last error: Flap counts: 4256, established 0 times (R) ORF entries: 0 Nexthop set to self: no use 3rd party as next-hop: yes override nexthop to peer: no ---------- remove private AS number: no ---------- ... View more