This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About keith_johnson
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About keith_johnson
07-24-2019
6Posts
1Like
0Solutions
Jul 24, 2019Last Visited
User
Activity
User
Profile
Latest posts by keith_johnson
| Subject | Views | Posted |
|---|---|---|
| 1553 | 06-18-2019 10:23 AM | |
| 2858 | 10-24-2017 06:51 AM | |
| 2878 | 10-16-2017 11:23 AM | |
| 4053 | 09-18-2017 08:39 AM | |
| 4059 | 09-18-2017 06:10 AM | |
| 4071 | 09-15-2017 11:25 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 09-18-2017 06:10 AM |
User Badges
Community Statistics
| Member Since | 09-15-2017 11:09 AM |
| Date Last Visited | 07-24-2019 09:42 AM |
| Posts | 6 |
| Total Likes Received | 1 |
06-18-2019
10:23 AM
I imported the root CA cert from our Windows PKI into our Palo, created a subordinate CA cert on the Palo under that, an SSL cert under that that is working to authenticate SAML with Azure AD which was configured with a cert from the same root CA. This is for the user tunnel of GlobalProtect. Our Windows CA is issuing machine/personal store certs to our PCs, but GlobalProtect prelogon isn't successful in using these certs to authenticate a machine tunnel. Manually exporting the Subordinate CA cert from the Palo an importing it into a PC works, but this isn't a scalable solution. The machine certs that are being issued to PCs have the machine name in the Subject of the certs and client authentication in it's attributes. The only red flag I see is that the issuer of the machine certs has the distinguished name for the CA, wheras the root and subordinate certs on the Palo only have the common name of the CA. I have a ticket submitted to Palo support and a techinician has helped me get to this point, but progress slowed and I am hoping others in the community might have some suggestions based on their own experience.
... View more
10-24-2017
06:51 AM
Thanks, jmeurer. I had actullay tried the new HTTPS ELB before the classic ELB, but that didn't seem to work for ADFS. I learned while I setup the classic one that I needed to use TCP instead of HTTPS. It didn't occur to me to backtrack because it seemed to be working at that time. I didn't notice the IP was changing on the classic ELB until later. So far, so good with the network ELB. Thanks, again!
... View more
10-16-2017
11:23 AM
I have setup a classic internal ELB with traffic forwarded to 2 AD FS severs. Internally, by creating a CNAME entry with the FQDN for the ELB, the load balancer forwards to each of the AD FS servers as it should. I have the necessary NAT and security policies as well as policy based forwarding rule as this is the 2nd public interface with forwarding traffic. Public traffic gets forwarded fine to the ELB, as long as the IP address I enter in the destination translation of the NAT policy is set explicitly is current. All of the other references to the ELB can be a FQDN, but since this parameter needs to be an IP, this won't work very long without manually changing this IP as the private IP of the ELB changes frequently. I don't want to change to an external ELB as that would require I use seperate external interfaces on the Palo VM-300, which are precious to us. I don't want to use a 3rd party load balancer as this would complicate monitoring and may not work if we want to implement auto-scaling for this or other projects in the future. The online documentation for ELB and the Palo virutal appliance seem to cover the use case of an external ELB in front of 2 or more virtual appliances, but it isn't clear and doesn't seem to provide relevant information regarding my use case. I had a session with Palo support where I was told that the destination translation needs to be an IP so what I was trying to do wouldn't work, but I wasn't clear whether or not what I want to do at a high level is possible using some other method that I am not aware of. This seems like a major oversight, especially since there is documentation available to use ELB with the Palo VM-300 in another usage scenario. Does anyone have any insight to share?
... View more
09-18-2017
08:39 AM
All of the IPsec VPN tunnels are on the first interface. My reason for having more than one public interface is for forwarding the same ports to different servers of the public IPs, in this case HTTP and HTTPS. So: Public subnet: EIP 0 - Palo management interface EIP 1 - Palo public interface 1 - ports 80 and 443 of server 1 (NAT and security policies) All IPsec VPN tunnels EIP 2 - Palo public interface 2 - ports 80 and 443 of server 2 (NAT and security policies) Private subnet Palo private interface as gateway for all servers in the VPC.
... View more
09-18-2017
06:10 AM
1 Kudo
Hi Warby, Yes, I have set both interfaces to use DHCP and using the defaul virtual router. As it is currently configured, I have both public interfaces in the same public subnet of the VPC. Both servers that have traffic forwarded to them from their respective public interfaces with their NAT and security polices are on the same private subnet. All of the IPsec VPN tunnels are on the first public interface. Are you saying I will need to setup a seperate AWS internet gateway and/or a seperate virtual router for each public interface? Thanks.
... View more
09-15-2017
11:25 AM
I require the same ports to be forwarded to different servers in our Amazon VPC. I've set up 2 interfaces each with their own EIPs and attached them to the VM-300. Traffic flows properly to the first server and the IPsec tunnels work through the first interface. Setting up the 2nd public interface with the same settings as the first and creating the necessary security and NAT policies to allow traffic to flow to the 2nd server shows incoming traffic going to that interface's private IP, but the traffic ages out. If I restart the instance, none of the traffic makes it to either server and the IPsec tunnels will not come back up.
... View more
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks