About ebrookman

I just stood up my Minemeld instance, was able to get it configured and verified it is pulling data from the default miners.  When following the steps to secure O365, I am getting an error with the miner picking up the data.  It constantly times out.  I have read elsewhere on here that there should only be a read attempt each hour or they will limit your IP. I modified my NAT to a new Public IP for minemeld only, but to no avail.  Please see below the log information and versions:   Ubuntu: 16.04 LTS Minemeld: 0.9.60 Error from Minemeld ... View more

All,   I am trying to import my LDAP groups, but don't want all of them.  I have too many groups to put them in the Include list.  I also have a large number of local.admin and Folder Access security groups.  SInce I can't filter by OU, how can I filter using negate and wildcards for the security groups I don't want?   I am trying to use something like this:   | (!CN=Folder* ) (!CN=Local* )   Thanks, Eric ... View more

Below are the instructions that I have cobbled together to install GlobalProtect on a Mac and not have the system ask for authentication of an administrator at each connection.  Full document with pictures is available on my GitHub. https://github.com/scriptingcaveman/PaloAlto-Documents   The use case that led me to these directions is a non-administrator user on a Mac with Always on VPN with computer certificate.  The user will not have access to the administrator password for the authentication prompt.   Installation and Configuration of Global Protect on Mac OSx Installation of GlobalProtect Client for Mac: 1. Log into the GlobalProtect Portal, download and run the installer for Mac OSx. 2. On the Introduction Screen, press “Continue”. 3. On the Destination Select screen choose the default by pressing “Continue” 4. On the Installation Type screen, ensure GlobalProtect Package Name is selected with the checkbox. Press “Continue”. 5. Confirm the Installation by pressing “Install”. 6. Enter the computer Administrator’s name and password to begin installation and press “Install Software”. 7. System Extension Blocked: Click on “Open Security Preferences” to allow the GlobalProtect installation to proceed. 8. On the Security & Privacy screen, Press “Allow” to continue the installation. 9. Once the installation is complete, click “Close” on the Summary screen. Certificate Configuration for GlobalProtect 1. Configure the Certificate Template a. From the CA console, right-click Certificate Templates and select “Manage” b. Right-click the “Workstation Authentication” template, then select “Duplicate Template”. c. On the “General” Tab, enter a template name that is recognizable. d. On the “Request Handling” tab, make sure the “Allow private key to be exported” is selected. e. Click the “Subject Name” tab and select “Supply in the request”. Press “OK” in the warning dialog to acknowledge the security risk. f. Click the “Security” tab and remove the “Enroll” permission from the security groups Domain Admins and Enterprise Admins. g. Click “Add”. In the “Select Users, Computers, Service Accounts, or Groups” dialog box, click “Object Types”, then “Computers”, then click “OK”. Specify the name of a Windows computer that will request the certificate on behalf of the Mac Computers (it can be the CA itself), click “Check Name” to verify, finally click “OK”. h. Select Enroll permission for this computer. **DO NOT CLEAR READ PERMISSIONS** i. Click “OK” and close the Certificate Templates Console. 2. Issue Certificate to Mac Workstation a. From the computer that was configured in step 1 above, click “Start”, click “Run”, type mmc.exe. b. Click “File”, then “Add/Remove Snap-In” c. In the dialog box that appears, select Certificates, and press “Add” d. In the “Certificate Snap-In” dialog box, select Computer Account and press “Next” e. In the “Select Computer” dialog box, ensure Local Computer is selected and press “Finish”. f. Click “OK” g. Expand “Certificates (Local Computer)”, then click “Personal”. h. Right-click Certificates; click All Tasks; and click Request New Certificate. i. On the Before You Begin screen, press “Next” j. Press “Next” on the Certificate Enrollment Screen k. Select the Certificate template created in the previous steps. i. Click the hyperlink under the Certificate l. On the Certificate Properties dialog box, enter the value in the Subject name box. Use the FQDN (hostname.domain.com). m. Press the “Add” button and press “OK”. n. Press the “Enroll” button. 3. Export the needed certificates a. Both the newly added certificate and root certificates need to be exported. b. Right-click on the certificate, select “All Tasks”, then click “Export”. c. On the Export Certificate Wizard Welcome page, press “Next” d. Select “Yes, export the private key” and press “Next”. e. On the Export File Format screen, make sure the file format is “PKCS #12 (.PFX)” and press “Next”. f. On the Security screen, give the file a secure password. This will be used when importing the certificate into the Mac. g. On the File to Export page, give the certificate a file name and press “Next”. h. Finally, click “Finish” to close the wizard, and “OK” in any dialog boxes that appear. i. Copy the certificate(s) to the Mac. 4. Import the certificates into the System Keychain a. As an administrator, open the KeyChain application on the Mac. i. Press Command + Space bar and type Keychain b. Browse to the System keychain. c. Go to File -> Import Items d. Select the .pfx file from the previous step and press “Open” e. On the Keychain Access popup, allow access to modify the System keychain by entering the administrator’s password. f. The next pop up window will be the password for the certificate. Enter the password used in the previous step here. g. Once the certificate(s) are loaded ensure they are trusted by all users and processes. Right-click on the certificate and select “Get Info”. h. Expand “Trust” and change “When using this certificate:” to “Always Trust”. 5. Ensure GlobalProtect has access a. Expand the computer certificate and right-click on the private key. b. Click “Get Info” c. Go to the “Access Control” tab. d. Press the “+” key. e. On the Pop up, press “Command + Shift + G” to enter the path directly. f. Enter the path of /Applications/GlobalProtect.app/Contents/Resources and press “Go”. g. In the right pane, scroll to the end and find PanGPS in the list of resources. h. Click “Save Changes” and enter the Administrator’s password in the popup.     ... View more

What are the implications of using Internal gateways in Tunnel mode? I have 3 Palos on-prem at my datacenters. I have 7 total locations connected via MPLS.  I am thinking about using the Internal Gateways in Tunnel mode to prevent cross talk within subnets and force all communications to go through the firewalls.  Thoughts? ... View more

Has anyone upgraded to PAN-OS 9.0 in their Azure environment?  I have 2 sets of Azure firewalls sitting behind multiple load balancers.  I saw where HA is now supported in Azure with Pan-OS 9.  I am debating if I want to be an early adopter and migrate, or wait 6 months for bugs to be addressed. ... View more

I am seeing issues with inbound decryption and ADFS.  Through investigation, I found that the EC Curve 25519 is not supported, but is the default for Windows 10 and Server 2016.  Per tech support, this will be available in the latter half of 2019 as a supported encryption standard.   After moving off of the prevously mentioned curve, I am seeing the following on Windows 10 only. Works as expected on Windows 7:   I verified that the new SSL encryption is supported by PA.   Microsoft IE - I get an HTTP 400 Bad Request error.     Microsoft IE (In-Private) - Works as expected   Chrome / Firefox - Works as expected.   I have opened a case with Palo Alto and will update with results. ... View more