Hi, I'm running GlobalProtect 2.2.1 on PANOS 7.0.7. I'm preparing to upgrade to 2.3 (and beyond) to finally support some newer client devices. This caveat in the 2.3 release notes made me pause:

If your GlobalProtect 2.2 or earlier release configuration uses a gateway server certificate that is not issued by a CA that is trusted by your endpoints (for example, self-signed certificates), then you must add the CA for that certificate to the Trusted Root CA list in the portal client configuration when upgrading to GlobalProtect 2.3 and later releases to ensure that the GlobalProtect agent can connect to the GlobalProtect gateway.

I am using a self-signed cert (SSLVPNCert) produced by the firewall as CA on the Gateway. (As an aside, I'm guessing that the SSL/TLS Service Profile used here was autogenerated during some upgrade that introduced the SSL/TLS Service Profile feature? Note that it does not appear in the list of SSL/TLS Service Profiles. Should this concern me?)

The Portal uses the same cert. The Portal Agent has the CA (MCVPN_CA) in the Trusted Root CA list. The CA does not have the Trusted Root CA box checked under Usage.

Am I good to go? Or, is the Trusted Root CA checkbox going to bite me? (If so, is it just a matter of clicking it and committing?)