About JoergSchuetter

JoergSchuetter

Hello @egarantiva The zones are defined in "Templates", and used in "Device Groups". The config push is not a one-shot (if I see it right), meaning panorama is pushing in part after the other. We had a similar need, followed the following procedure: - create new zones, but don't assign it to interfaces - push the templates - append new zones to policies (you might need to clone NAT policies) -- I did this using a script, making use of the API - push the device groups - adjust the interfaces (use the new zones) - push the templates - remove the no longer required zones I would not expect the historic logs will change if you change the zones. Best Regards Joerg

JoergSchuetter

Hello @Deepak_K You are able to manage firewalls running 8.1 if panorama is on 9.0. But you will not get the benefit of the new url categories (... risk) unless you have upgraded the firewalls to 9.0 as well.

JoergSchuetter

Replace the plus signs with spaces. The name is already embraced by quotes.

JoergSchuetter

Hello @wookieneck What happens if you add the zones one by one (instead of all at once)? If I remember it right, there are several ways to call the API. Are you using a "simple" POST or are you different various http methods?

JoergSchuetter · ‎05-01-2020

Hello @Stevenjwilliams83 Can you verify the issue is caused by the decryption with browsing the URL https://pypi.org/ in your browser and check the certificate. It could also be, that the firewall does not grant the access, and presents an error page (which is signed with your own certificate, hence the ssl error).

JoergSchuetter · ‎04-23-2020

Hello @rgrant2020 Do you have by chance configured a filter on Device --> Setup --> Interfaces --> Management --> Permitted IP Addresses? If you, you need to add the IPs of your management interfaces as well.

JoergSchuetter · ‎04-22-2020

Hello @twilson63 Yes, you can add/append more NICs to the firewall nodes. The virtual machine "hardware" where the firewall runs on defines the max. number of NICs. The first NIC is used for management, the others can be used for data or HA.

JoergSchuetter · ‎04-17-2020

Hello @Andrew.Vernon If you permit the access on the firewall security policy, then it's possible to facilitate a connection between two GP clients. Check your firewall logs for blocked traffic.

JoergSchuetter · ‎04-14-2020

looks like the issue is addressed with PAN-126014 (which is solved in 9.0.7, but I couldn't spot this fix for 8.1.x) Fixed an issue for GlobalProtect gateways where the Login At and Logout At time fields in the Previous User PDF/CSV report for User Information used the Epoch standard for displaying time.

JoergSchuetter · ‎04-13-2020

You can add multiple nodes to the same device group. How about a device group hierarchy? You define a device group (e.g. name it "common policy") and define the NAT and security policies here. For each firewall node/cluster, you create a new device group, add the firewall node (all nodes of the same cluster) to it and make it a child object of "common policy". This way you make sure the requirements concerning security policy and NAT are fulfilled. But you are still able to add exceptions or further rules if the need arises.

JoergSchuetter · ‎04-09-2020

The fee for 2 HA licenses is typically lower than 2 non-HA licenses (at least if you have an active/passive cluster, not sure if this also counts for an active/active cluster). The ",,,-R" is a license renewal.

JoergSchuetter · ‎04-07-2020

Hello @ALLADASAINITIN I configured my setup before I stumbled over the howto. Trying to verify if I did it correct, I read the howto. The question is: which path is a reply from the gateway IP (ISP 2) taking when sending a reply to the users PC (sent by GlobalProtect) on the Internet? My concern is the "tunnel" traffic between client and VPN gateway.

JoergSchuetter · ‎04-06-2020

Hello @SahulH Using QoS is a way to solve what you need. Please keep in mind that QoS can't be applied on loopback interfaces and that it only works on egress traffic.

JoergSchuetter · ‎04-02-2020

Hello I have read "How to Configure Dual ISP Network with GlobalProtect VPN using a Virtual Router and Policy-Based Forwarding" (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJeCAK) since we had exactly the same challenge a few days ago. I solved it using a second virtual router. If I follow the setup as shown in the HowTo, which ISP is chosen for an reply packet coming in via ISP2? The users PC (to be more precise the GP software) is connecting to the firewalls IP of ISP2, traffic coming in via line of ISP2. Due to having only one default route, I expect that the reply to the PC is sent back via ISP1.

JoergSchuetter · ‎04-02-2020

Hello @MohammedAsik Are you using cookies (see authentication override)? Do you have "Save User Credentials" enabled on the portal config (authentication)? Is "Clear Single-Sign-On Credentials on Logout" disabled on portal config (app)?

JoergSchuetter · ‎04-01-2020

Did you try "set cli scripting-mode on" ?

JoergSchuetter · ‎03-31-2020

The IP address should defined as a static IP in Azure. You can add multiple secondary IPs (static) as well. All of them can have a public IP. On the firewall, configure the IPs as static. The primary IP should have the matching netmask (e.g. /24), but the secondary IPs should be listed with /32. Now

JoergSchuetter · ‎03-30-2020

You can assign tags to the individual nodes. These tags can be used in the software deployment.

JoergSchuetter · ‎03-30-2020

Maybe you can solve this on the ftp server itself? If you do prevent file listing (dir, ls, ...), the users can only download a file if they know the name. Would this approach help?

JoergSchuetter · ‎03-27-2020

Hello I'm trying to read (and store) the QoS data (using API calls). Reading the data is working fine (for physical interface and for tunnel interface). But I'm not sure how to interpret the data. The result was translated into xpath and value: /node/classes/class[@classid='7']/priority 0 /node/classes/class[@classid='7']/eg-bw 1 /node/classes/class[@classid='7']/em-bw 500000 /node/classes/class[@classid='7']/pass-bytes 7582778023 /node/classes/class[@classid='7']/wred-bytes 15013905 /node/classes/class[@classid='7']/tmot-bytes 0 /node/classes/class[@classid='7']/delay 1 /node/classes/class[@classid='7']/qlength 4 My unterstanding below, please help/correct priority = 0 --> low prio eg-bw = guaranteed bandwidth em-bw = max bandwidth pass-bytes = bytes passed in this class? is this a 64bit signed integer? wred-bytes = bytes discarded (wred)? is this a 64bit signed integer? tmot-bytes = ? delay = packed delay in ms? qlength = bytes waiting for being transported?

JoergSchuetter · ‎03-26-2020

Hello @sahithyan.subbu Try to define the pool in Agent --> Client IP Pool Make sure the pool in Agent --> Client Settings --> `config name` --> IP Pools is empty You might need to remove the complete gateway config. Then start with the "Client IP Pool" before clicking on "Client Settings".

JoergSchuetter · ‎03-26-2020

Hello @doug-elliott We did a downgrade from 9.1.x (don't know the exact details) to 9.0.6 (in Azure). Not sure if this can be compared to your situation, since the 9.1 was not configured at all (besides the mgn interface and the local admin user). Keep in mind that the default user (admin) might not be configured. In the deployment task we provided a different user name.

JoergSchuetter · ‎03-26-2020

The majority of QoS rules ignore the application. They simply match the destination server (which is used for software deployment only) and are put in class 7 (which has a max bandwidth configured). The "normal" fileserver traffic is listed in the QoS policy, hence put in class 4.

JoergSchuetter · ‎03-26-2020

Hello @jesuscano Uploading/installing the GP software is working fine here (Panorama = 9.0.4, firewall node = 8.1.13). Please share the error message.

JoergSchuetter · ‎03-25-2020

I would like to share issues with GlobalProtect, and what was done to fix it. QoS with loopback interface Due to high network load on the Internet line, we wanted to priorize (or limit) some traffic. It took several hours (testing, reading documents, having a PA supporter analyzing the issue, ...) until the root cause was identified. Applying QoS on a loopback interface is simply not supported. So we had to migrate the GP gateway from a loopback to a secondary IP (you can have more than one secondary IP) on the physical interface. The secondary IP was added with netmask /32. We had to update our security policy due to the interface of the gateway is now part of a different zone. Limit bandwidth of SMB traffic A good amount of traffic sent to the clients is caused by our software deployment (and patch management). The files/packages are provided on SMB-fileshares. By limiting this traffic (QoS policy based on the servers, regardless of the application) we ran into unexpected side effects with our fileservices (which is served by other servers, not related to the ones limited). There is only one "SMB-process" on the client machine. If a SMB connection to server A (our software deployment server), then this process chokes on SMB connections with server B. Luckily we are able to shift software deployment from SMB to http(s).

JoergSchuetter · ‎03-24-2020

The time is displayed as "seconds since 1970-01-01 00:00:00 UTC". If you run on a Linux system date --date=@1581517627 you will have the date and time based on your local timezone Wed 12 Feb 2020 03:27:07 PM CET I bet there are better ways to translate the timestamp back into something readable. The formula in Excel is something like "=(A1-Date (1970,1,1)) *86400"

JoergSchuetter · ‎03-21-2020

You don't need a CA for the portal, neither for the gateway. Using the wildcard certificate should work fine. If you intend to use certificate based authentication (user and/or machine certificate), then you need a CA which signes the user/machine certificates. This CA needs to be listed as trusted CA in the portal (the portal will then only accept the certificate if it is signed by the "trusted CA" you have listed).

JoergSchuetter · ‎03-21-2020

Hello We increased our Internet speed beyond 1Gbs. The connection between the firewall node and the Internet switch is facilitated using one SFP-Port (1Gbps). Is it possible (and supported) to combine Cu-Ports and SFP-Ports (both with the same speed and duplex) into one aggregated-ethernet? All interfaces on the Internet switch are 1G Cu ports.

JoergSchuetter · ‎03-17-2020

The Palo Alto Terminal Server Agent is the tool you are looking for. You need to register these agents on each firewall (cluster) you need the information on. Sharing the user ID information between the firewall systems doesn't seem to work.

JoergSchuetter · ‎03-17-2020

There is also a GP VPN client for Linux. Granting other (3rd party) VPN clients should be possible, but this eliminates a few features. For example, you can no longer define split tunnel config.

Date Registered	‎02-18-2018 07:04 AM
Date Last Visited	14 hours ago
Total Messages Posted	57
Total Likes Received	18

Online Status	Offline
Date Last Visited	14 hours ago

Strata

Prisma

Cortex

About JoergSchuetter