About Javith_Ali

  We have configured the internal globalprotect gateway and have the requirement that only internal/external GP gateway connected users can access the intranet/internet resources and users traffic without GP connectivity should be blocked by PA.   Now everything working fine except in below scenario where user deleted the GP agent, but they are going through the same HIP profile policy. (HIP data in DB not getting deleted, everything in cache)     HIP based policy is configured properly in PA (to check whether phone is android/ios/windows) All the GP agents are sharing the HIP data at the time of connectivity and matching the HIP based policies properly. The problem now is HIP data collected during the first time joining is kept in the HIP PA database for longtime and if the same user is disconnected the GP and browsing without GP connection , then same HIP policy is triggered (by using the data in HIP DB collected during the first time GP login). is there any possibility of whether HIP DB cache can be cleared frequently, so that user cannot delete the agent and join again without GP agent into the network. is there anyother possibility to resolve this issue? ... View more

I have pair of 2000 series firewall running on PAN-OS version 7.1.7. we have deleted the below FQDN objects from the PA(objects and policies), but still its refreshing and querying the DNS server through the managment interface. i cannot find any known issue with PA2020 and 7.1.7 as well. Please suggest   adnetadmin@fw-elab-01(active)> request system fqdn show FQDN Table : Last Request time Mon Oct 23 16:47:41 2017 --------------------------------------------------------------------------------                       IP Address     Remaining TTL     Secs Since Refreshed -------------------------------------------------------------------------------- VSYS  : vsys1 (using mgmt-obj dnsproxy object) files-info.com  (Objectname BAD-URL-files-info.com):                         Not used updater.skillbrains.com  (Objectname updater.skillbrains.com):                     Not resolved VSYS  : shared (using mgmt-obj dnsproxy object)   ... View more

DNS configured in GP settings: Primary DNS 10.250.1.1, secondary DNS 10.250.1.2   Access route: split tunnel- 10.250.0.0/16 allowed in GP.   Once clients are connected to globalprotect, they are getting the above DNS settings. so the traffic going to internet also resolving in above Internal DNS server.   Now i have the requirement for GP users, when traffic going to internet, it should resolve using public DNS say 8.8.8.8 or 4.2.2.2 and the traffic going to 10.250.0.0/16 to GP tunnel should resolve to  DNS 10.250.1.1, secondary DNS 10.250.1.2.   I have configured as per below KB for fulfil the above requirement. its working fine, some of the users complain about internal DNS server issue for GP connected internal sites sometimes. However internet traffic resolution working fine. so we have removed this config   https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-DNS-Proxy-for-GlobalProtect-Clients/ta-p/124541   Kindly suggest if there is any workaround for this requirement     ... View more