This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About OneAmongMany
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About OneAmongMany
03-25-2022
20Posts
1Like
1Solution
Mar 25, 2022Last Visited
User
Activity
User
Profile
Latest posts by OneAmongMany
| Subject | Views | Posted |
|---|---|---|
| 1825 | 09-12-2019 01:37 PM | |
| 6148 | 05-15-2018 03:58 AM | |
| 6158 | 05-15-2018 02:54 AM | |
| 6172 | 05-15-2018 12:57 AM | |
| 9946 | 07-24-2017 01:57 AM | |
| 2898 | 05-11-2017 07:14 AM | |
| 2908 | 05-10-2017 09:44 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 07-24-2017 01:57 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 13 Likes | |||
| 3 Likes | |||
| 1 Like | |||
| 1 Like | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 09-13-2016 09:23 AM |
| Date Last Visited | 03-25-2022 12:25 PM |
| Posts | 20 |
| Total Likes Received | 1 |
09-12-2019
01:37 PM
I understand that from 9.0 they have changed the certification tracks (adding the PSA in place of the ACE), but since the 8.1 ACE already existed why remove it? Then also why still mention it on the learning home page and link to it? I got an email back in April to say my 'ACE was due to expire in 6 months', so deliberatley waited until now to take the 8.1.....and found this thread when I hit the same message as the OP. I already have a couple of PCNSEs (7 and 8), so I don't 'need' to take the ACE....I just wanted to. Its surprising what a little bit of study/exam prep does for your knowledge of features....
... View more
05-15-2018
03:58 AM
Thanks Bud! Glad its not just me.! ****Edited**** OK, so there is a confirmed bug with the test command: > test authentication authentiocation-profile... resulting in the following error: " Allow list check error: Target vsys is not specified, user "silentbob" is assumed to be configured with a shared auth profile. Do allow list check before sending out authentication request... User Administrator is not allowed with authentication profile LDAP" (membership of LDAP groups is ignored in the authentication profile allow list). Its registered under PAN-80160 - but this is not publicly documented (not in Limitations or known issues of 8.0). Hopefully search engines will bring people here.... 🙂 The bug is resolved in 8.1
... View more
05-15-2018
02:54 AM
Hi Luke The Group-mapping is in place; that user (*domain\username) appears (when I run > show user user-ids) as a member of the correct group (the one named in the Auth profile), so its not that its not up to date. I can run the command with > test authentication authentication-profile username *domain\username or just *username - and unless that specific username is listed in the Auth profile Allow lIst the auth test fails. The fact they are a member of that group (as prove by ' > show user user-ids' output proves) doesn't seem to be taken inot account. To answer your question- yes; either long name or short name ( *domain\username or *username) in the Allow List works the same (my Auth Profile is set ot append it automatically) . Thanks Alex
... View more
05-15-2018
12:57 AM
Hey All While working a support case for a customer, I've come accross an odd situation and before I go log to Palo TAC I wondered if anyone else had seen this/was aware of it: So Authentication profile configured with an allow list restricted for one LDAP group. I can use that Auth Policy in say GlobalProtect and sure enough- only users who are members of that group can connect to the portal. > show user user-ids all -shows the list of users pulled in by User/Group mapping (so the firewall knows a user is in that group), but when I run; > test authentication authentication-profile X username Y ...etc.etc. - this always fails ("User Y is not allowed with Authentication Profile X"), unless I include the specific username in the allow list in the Auth Profile, or I allow 'All'. With and without appending domain info - same result. Looking at the documentation available - all examples of testing an Auth Profile using LDAP, matches the group 'All' (e.g https://www.paloaltonetworks.com/documentation/80/pan-os/cli-gsg/use-the-cli/test-the-configuration/test-the-authentication-configuration 😞 "Do allow list check before sending out authentication request... name "bzobrist" is in group "all" ..." (its never a restricted LDAP group) I did see here : https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-authentication-profile/configure-an-authentication-profile -that "Because you cannot configure the firewall to modify the domain/username string that a user enters during SAML logins, the login username must exactly match an Allow Listentry." I am seeing this behaviour with LDAP, both in the customer's environment and I have replicated it simply enough in our lab. Anyone restricted an Auth Profile to an LDAP group and then been able to run the '>test authentication...' cli command and have it work? Many Thanks Alex
... View more
07-24-2017
01:57 AM
1 Kudo
Hi Folks I stumbled upon this article, as while analysing a PCAP for a download issue, I see the next-hop MAC as 00:70:76:69:66:00.... You've mentioned its an internal MAC; in my case we have a service route configured, but the source IP is still that of the managment interface, so I'm guessing I'm seeing it as its the managment interface (and its MAC), passing to the internal MAC. The return path in my case (Receive PCAP) I see coming from a Checkpoint appliance to the MAC of the Data-Plane interface used in the service route. Just though I'd share in the hope it helps explain why you might be seeing 0:70:76:69:66:00. Thanks Alex
... View more
05-11-2017
07:14 AM
Found some more info under /opt/panrepo/logs: Error: sda_bootloader_env_print(sda_bootloader_env.c:37): BOOTLOADER: Can't get full environment from /dev/mtd4 Error: init(sda_bootstrap.c:182): BOOTSTRAP: System is not in management_ready mode, current mode firstboot, skipping load DEBUG: /mnt/install_media: already exists DEBUG: Looking of detected block devices DEBUG: Device /sys/block/sda/device not USB: ... ERROR: btsErrorNoMedia: No USB device found(2) History.log showed the device appeared to have been bootstrapped previously, perhaps without being factory reset: First step of https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/firewall-administration/bootstrap-a-firewall-using-a-usb-flash-drive#_74589 Think this is solved. Hopefully these messages will le tothers find this.
... View more
05-10-2017
09:44 AM
Hi All I am seeing the following in the system log of a PA-200 on reboot: critical hw bootstr 0 No bootstrap media detected I can't find any reference to this message anywhere and indeed all the errors that can be ebcountered while bootstraapping are all severity high, rather than critical: https://www.paloaltonetworks.com/documentation/71/virtualization/virtualization/bootstrap-the-vm-series-firewall/bootstrap-errors I have never bootstrapped a device myself, so I don't know if that would have a lasting effect (like it will always check for bootstrap media and leave this message if it doesn't have any)? There's nothing in the USB port, but the only other thing I can think is that the port is erroneously registering something being plugged in. I've not found any other log messages relating to this, just this one 4 times (each time its rebooted). Thanks in advance for any help, anyone can offer. Alex
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-25-2022
12:25 PM
|
Latest Tags
No tags yet
Likes Given To
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks