About CHKlomp

@BPry  , Thanks for your time. I'm thinking the best solution is to create a custom check for a registry key. We can have a custom registry key added for those devices that need access, while not being part of the domain. With regular key rotation, security should not be compromised in a significant matter. ... View more

@BPry , Yes, so if we want to use the name of the device, how would we go about validating it's membership of an AD group? Or how else would we use the device name for validation?   Thank you for your time.   ... View more

@BPryThanks for you response. However we're looking for a more dynamic solution, where we won't have to update the HIP-object every time we need to make an exception. Therefore we were looking at AD domain groups, where the customer can add computer names to this AD group, when access is needed for a non-domain system. This way they won't need to go through a formal change process, which takes a long time (relative to fixing a system's access). ... View more

Thanks for your time Steve, This is a new connection. Network B already has a routing to a network A for another customer. Therefore we need to source NAT A to C, as C is new to B and therefore can be routed back over the VPN tunnel. However as network C does not really exists in the environment traffic originating from B to C is not flowing back to A as it goes into the untrust zone in stead of zone A. Though my source NAT rule was setup bi-directional, I had to setup a reverse destination NAT for traffic from B to C NATed to A, to get this all to work. It kind of defeats the purpose of making a rule bi-directional.   Here is the traffic log before and after the destination NAT rule (B to A): Type Threat/Content Type Generate Time Source address Destination address NAT Source IP NAT Destination IP Rule Source Zone Destination Zone Inbound Interface TRAFFIC end 25-10-2021 12:13 B.122.99 C.77.24 B.122.99 A.10.24 VPN from 3rdParty vpn A tunnel.6 TRAFFIC drop 22-10-2021 15:30 B.122.99 C.77.144     VPN from 3rdParty Block vpn untrust tunnel.6   Security Rules Name Source Zone source Address Dest Zone Dest Address Action VPN from 3rdParty vpn B.122.96/28 zoneA A.10.0/24 C.77.0/24 Allow VPN from 3rdParty Block vpn B.122.96/28 any any Block     NAT Rules Name Org.Source Zone OrgDest Zone Org.Source Address Org.Dest Address Org.Service Source Translation Dest Translation B to A vpn untrust B.122.96/28 C.77.0/24 any   address A.10.0/24 A to B zoneA untrust vpn A.10.0/24 B.122.96/28 any static-ip C.77/24 bi-directional ... View more

I'm interested in a private CA push to the PAN f/w's. We're using Ansible, but have not found yet how to use the PAN module to import the new certificate... Is there any link to the instructions how to do that?   ... View more

Thanks @BPry    It's what I was suspecting. Just wanted to make sure I did not miss any options... ... View more