About Rievax

Hi @steppinthrax    Assuming you are talking about a client on the Internet connecting to your public GP Portal. Did you have a look at the PanGP Service and PanGP Agent Logs? Those are very verbose and shall give you the answer of your question. Open the GlobalProtect  client --> Settings --> Troubleshooting tab :     Problems usually are around the DNS name / FQDN / URL that is not reachable and certificates not valid.   Regards, R. ... View more

@BPry , @aleksandar.astardzhiev    Dear all. Thanks for your answers! To be honest, I was reading the Best Practices article for securing User-ID and in many other places in PA doc, they warn not to enable User-ID in Internet / Untrusted zones. Having a closer look, the possible issue seems to be related more in regards to WMI probing (which is not enabled in my case)... Brute force attack should not be a problem since this is an OTP SecurID access that I would use in my Authentication Policy rule (BTY, I tested in from a DMZ zone, and I know that works fine).   Still, by reading your answers, this does not seems to be a problem to your eyes enabling User-ID in the Internet / Untrusted zone. Or I am mistaken, and there is another way to have an attached Authentication Policy Rule without enabling User-ID for the Zone?   My second issue is regarding the Captive Portal Redirect Host and SSL Service Profile... I originally built it for "Internal" use, and because there's only one Captive Portal setup I will have to re-create a proper Redirect Host / SSL Service Profile / Split DNS setup to have it accessible internally and externally.   Thanks again for your suggestions.   Regards. R.  ... View more

Hi TylerHay,   I posted a full how-to earlier but it has never been published... There might be a delay or a bug somewhere in the forum... Anyways, it should not be a issue. Make sure the certificate you import in the client is fully recognized by the PA firewall (including the root CA that signed this certificate - the attached certificate profile should be linked to this root CA...). Regarding the SAN, I just added the IP address in the certificate. Worked well 1st time.   Hope that helps... and maybe the full description I did this morning will be posted eventually.   Regards. X  ... View more

Hello TylerHay,   There are really no tricks... Here's a working config I just did in my lab. It might give you an idea of what went wrong with your setup.   On the PA Firewall: Create a CA root: No need to enter any other information as this is to create a self signed cert later Now, create the self signed certificate. Make sure you signed it with the CA we just created. Enter at least the valid IP in the attributes to make this certificate valid: You will end up with something similar:   Now, select the self-signed certificate (PA-UID-Cert in this case) and export it with the private key:   Now, create a certificate profile with no other information than the CA root that has been created: Assign this Certificate profile too the "Connection Security" tab:   You can now add the user ID agent configuration: Commit the changes.   On the UserID server: Add the certificate :   Save and commit the changes... Go to "User Identification". After a few seconds, it should change the status to connected:   On the PA side, it says the same:   Hope that helps! R. ... View more

Dear all,   For your information, this was a bug introduced in newer versions of GP. Versions 5.1.5-20 and up should have the problem solved.   Regards.   R. ... View more

Hi Varun,   Yes, I already created a ticket, but I also wanted to have the community input on GP versions.   Regards,   R.  ... View more

Hello,   Sorry for the late answer as had to test in other places to get a base reference. So I went with the suggestion to capture packets (at the PA Firewall transmit stage) and noticed that in Brazil, I have lots of fragmentation happening:     Now, I will try to reach the ISP but it seems from the Cisco router suggested configuration that the MTU is 1492. I confirmed that by using ping packets of 1464 (+28 of overhead) - higher are failing:   Our WAN tech tried to manually set 1500 but the end-result is the same. We will have to talk to the ISP now.   That being said, could this be the reason why decryption is failing? Some odd issues when the PA tries to re-assemble the packets and scan the images? Quite new to PA and decryption, so I definitely don't know that answer - yet.   Again, thanks for any comments.   Regards. R. ... View more

Hello,   We did not have any issue last year when upgrading our HA cluster - but I would suggest you to make sure to read the prerequisites in the upgrade notes first.   Also, before upgrading, double-check that your "Dynamic Updates --> Applications and Threats" is up to date.   Lastly, based on my experience, the most stable version of 8.1 we ran were 8.1.4 and 8.1.10... maybe jumping directly to the last version will fix your issue.   R. ... View more

Hello @nagarjuna.b    Thanks for the answer.   This morning, I did re-enable decryption again for a specific test workstation but had none of those Decrypt-errors I had yesterday at implementation time... No clue from where is was coming. To answer more specifically your question, the Decryption profile is quite open (like the Default) and the web site goes with  TLS 1.2, ECDHE_RSA with P-256, and AES_256_GCM... which is exactly what PA generates when decryption is enabled. That being said, the loading page delays are still there.   Focusing on UPS.COM web site, when decryption is enabled in this particular location (big city in Brazil), it takes 5 seconds to load the root site (/) and 5 to 7 minutes to load some JPGs and GIF files (numbers are coming from Developer Tools in Firefox / Chrome) - making the page virtually hang. Disabling decryption makes this site display in about a second. I did not see any kind of related information in Data Filtering / Wildfire Submissions logs. In other Office Locations around the globe that I tested, I did not have these delays with decryption enabled.   Interestingly, many other sites are just working OK but also notice delays in loading (or non-loading) images. I though that could be an interesting point.   Any help / clues are appreciated. Thanks!   R.   ... View more

Hi drewdown,   Thanks for the answer to the problem! I was looking for that since 3 days ago... apparently this is a new bug introduced lately:   https://github.com/PaloAltoNetworks/minemeld-core/issues/270   I just couldn't figure out how to revert to pip < v10   Cheers!     ... View more

Hi,   Looks like you have a "socket error - Connection refused" in your minemeld-engine.log Maybe you have IPtables / UFW rules based on the IP address... or maybe a static entry somewhere in the nginx configuration.   I'm trying to find myself why a brand new clean installation is not working but in your case it seems to be a good start to look at.   Hope that helps.   R. ... View more