About SuperMario

Hi @RaymondMullin    The user mapping should always work because the userid is learned from the authentication. Whereas in the case of the group mapping, we need to pull the information from your LDAP server and group-mapping configuration. Hence, the group-mapping attribute fields need to be aligned to the user authentication profile attributes.   Here is an example: If you are using  sAMAccountName on your Authentication Profile, make sure you add the same format on your Group-Mapping configuration. Best practice configuration: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/map-users-to-groups.html ... View more

Hi @RaymondMullin, that is correct. ... View more

Hi @marceli.namyslo ,   Yes, it is possible. Keep in mind that the configuration will be applied from top to bottom, hence, if the default config is at the top of your configuration list, it will always be used if the user/group and OS are set to match any. However, if you created a new config, which is at the top and is specific to a set of users/groups, and still is not being picked up, this means that our Prisma Access device is not able to recognize the user-id/group. You may need to open a TAC case to further troubleshoot your user-id configuration. Note: for Group based configurations should be configured via their distinguished name (CN=xyz,....DC=corp,DC=com)   Here is an example:     Let us know if you have any further questions.       ... View more

Hi Daniel Li,   You need a  GlobalProtect subscription  for the following feature: Split tunneling based on destination domain, client process, and video streaming application. https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-overview/about-globalprotect-licenses.html   Excluding routes does not require an additional license. ... View more

Hello Everyone,   I have tested this on 5.0.8 and 5.1.1 and got a successful result. When tested, I closed the zoom app before connecting to Prisma Access VPN, upon connecting, I opened the zoom client and join a meeting.   Here is an example of the "netstat -anob" output from my windows machine: 10.10.11.3 is my Prisma Access GP IP and 10.55.80.54 is my local (physical interface) IP.   This is how my configuration looks like:   I also tried adding the 0.0.0.0 on the include list, and the result was the same.   If you are still having issues, please open up a tac case and a member of our team will be more than happy to assist troubleshooting this issue. ... View more

Hi Chacko,   Unfortunately, you will have to open a TAC case to troubleshoot this. As you mentioned, you need to run some CLI commands to verify and troubleshoot the configuration.   However, here is my suggestion, from my experience, most of the time the issue is due to a format mismatch on the authentication policy vs the group mapping format. Here is an example: If you are using  sAMAccountName on your Authentication Profile, make sure you add the same format on your Group-Mapping configuration.   Also, in a standalone Prisma Access deployment without a Master Device, you can use a group-based policy using long-form DN entries in Panorama. Prisma Access uses the DN entries to evaluate the User-ID-based policies you have configured in Panorama. For example, given a User named Bob Alice who works in IT for Organization Hooli in the United States, a matching security policy may have ou=IT Staff,O=Hooli,C=US if the policy is to be applied to all IT staff, or CN=Bob Alice,ou=IT Staff,O=Hooli,C=US if the policy is only to be applied to Bob Alice. Detailed instructions: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access/retrieve-user-id-information.html#id823f5b30-2c1d-4c87-9ae6-a06573455af7_id8663ef7a-f62f-44ab-9ae8-113239a11b89   Instructions for the configuration specific to Prisma Access: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access Best practice configuration: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/map-users-to-groups.html Multiple Username formats configuration: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/user-id-features/support-for-multiple-username-formats.html   I hope this helps.   ... View more

The netstat output shows that UDP traffic is going through the physical interface, hence, the heavy traffic is being split. Only the TCP traffic with Destination Port 443 is going through the tunnel. Your traffic logs which illustrate the UDP traffic are from one hour and a half ago.  Are you still seeing UDP traffic on the latest traffic logs? If so, are they from a device that was recently connected or have verified it received the latest Prisma Access - GlobalProtect Portal configuration?     ... View more

In windows, run the command: "netstat -anob" to verify if traffic is generated by zoom's PID and executable [Zoom.exe]. Make sure you are using our latest GP client version 5.0.8 or 5.1.1. ... View more

Make sure your GP client fetches the new configuration from the portal. The best way to make sure you fetch the latest config from your portal is by restarting the PanGPS service or rebooting the computer. Performing a refresh connection action on the GP client options not always forces the client to request the lastest portal configuration as it may depend on how you configure the client connection. ... View more