This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About qdimclark
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About qdimclark
08-17-2023
15Posts
3Likes
0Solutions
Aug 17, 2023Last Visited
User
Activity
User
Profile
Latest posts by qdimclark
| Subject | Views | Posted |
|---|---|---|
| 1057 | 07-14-2022 09:22 AM | |
| 4070 | 10-01-2021 01:32 PM | |
| 5035 | 07-01-2021 11:02 AM | |
| 5200 | 06-24-2021 04:49 AM | |
| 5662 | 06-24-2021 04:03 AM | |
| 5921 | 06-23-2021 12:31 PM | |
| 2704 | 03-03-2021 12:18 PM | |
| 2997 | 03-03-2021 12:05 PM | |
| 3017 | 03-03-2021 08:11 AM | |
| 3129 | 03-02-2021 10:38 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 07-01-2021 11:02 AM | |
| 1 Like | 06-23-2021 12:31 PM | |
| 1 Like | 06-24-2021 04:03 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 9 Likes |
User Badges
Community Statistics
| Member Since | 04-25-2018 03:29 PM |
| Date Last Visited | 08-17-2023 04:02 PM |
| Posts | 15 |
| Total Likes Received | 3 |
07-14-2022
09:22 AM
I built a site-to-site VPN between GCP and a PA3250, which is not working. Surely, I'm missing something.
The GCP vpn points to the same interface and IP that other VPNs successfully use on the Palo.
I added a Sec policy to allow the GCP IP and the Palo IP to set up Phase 1. However, the Palo drops the inbound IKE-SA-INIT packets. They are getting caught by the INTRAZONE Default rule.
I've verified the IP addresses, the IKE paramters, the PSK, and the Sec policy. In fact I've rebuilt this a few times by completely deleting everything on the GCP side and the related configs in the Palo.
To test I set up a VPN from the same GCP project to a different PA3250 with a different IP address and that tunnel works flawlessly.
Everytime I've rebuilt the VPNs I get a different public IP from GCP. So, it's not an issue with their IP addresses.
What appears to be happening, but I can't verify is that the PA3250 with the issue Policy Denies the packets and just drops all subsequent packets from that address. Like it's cached somewhere. As a test I deleted the VPN config from both sides before leaving yesterday. I created them from scratch this morning, about 14 hours later, with the same results. The first packet gets denied and nothing else.
When I run test vpn ike-sa gateway ******** from the cli, a packet capture shows that the outbound packet from the Palo gets dropped.
I've scoured both PA3250s for the difference, but only come up with the Palo IP address.
Suggestions?
... View more
10-01-2021
01:32 PM
Hope y'all are well. @CobaltixIT @Mick_Ball Thank you both for your help. In the end we stood up an MS NPS server for RADIUS. Now the portal has the wildcard.domain.com cert and the gateway has an internal PKI certificate. When a computer is joined to the domain they are issued a cert from our PKI. Then using RADIUS to authenticate Pre-Logon then Demand is working and users can change their password before logging in. Since the company is allowing BYOD for remote users I have to configure GP to allow a non-domain computer to authenticate. (BYOD may change soon, but in the meantime...)
... View more
07-01-2021
11:02 AM
1 Kudo
Just a followup. I switched to using a wilcard cert for the portal and internal PKI with machine certs for pre-logon. I've passed this hurdle and now just need to resolve the cookie issue I'm having with pre-login. Thanks for your help!
... View more
06-24-2021
04:49 AM
And your SSL/TLS profile points to your CA?
... View more
06-24-2021
04:03 AM
1 Kudo
Thank you both. I know I have myself confused with this. And now a few more questions. Are you using solely your internal PKI for the portal and gateway? And @Mick_Ball are you using the Cert profile for both portal and gateway? Thank you both again. I'll get out of the weeds soon...
... View more
06-23-2021
12:31 PM
1 Kudo
We're using these versions (Yes, we need to upgrade, but other priorities at the moment) PANos 8.1.14 Global Protect client 5.2.1 We're currently usingOn-Demand, which is working. We used this page with the only difference is we're using AD Authentication. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClH2CAK Now we want to use pre-logon then on-demand. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oM4ACAU We used our internal PKI to create machine certs and those have been deployed using Group Policy. What I'm not getting is how to configure GlobalProtect to use the machine cert for pre-logon. Do I create a new SSL/TLS profile or certificate profile? Can I use the PANos self-signed in conjunction with the PKI machine cert? Would the self-signed be for the portal and the machine cert be for the gateway? I've gone through all the documents, as well as, the GP Admin guide. Any advice or guidance is much appreciated!
... View more
03-03-2021
12:18 PM
That's the solution we're going to implement once I get the config changes to the PA, the Merakis and our Core finalized. Thanks again for your help Tom.
... View more
03-03-2021
12:05 PM
Also, just and FYI Merakis can only use BGP within their AutoVPN (SD-WAN) feature. They can not use it in the scenario shown above.
... View more
03-03-2021
08:11 AM
That's what I suspected. But with limited BGP knowledge I thought I'd ask. Thanks!
... View more
03-02-2021
10:38 AM
We currently have this setup in our datacenter. The Meraki HA pair is the VPN endpoint for our 120+ remote sites. In a DR situation the datacenter has IP mobility, where our current static IPs will failover. This setup uses BGP through the Palo. With BGP enabled on the Palo HA Pair and datacenter’s internet the Meraki HA pair is inaccessible, which means the remote sites have no connectivity to the data center. The BGP config is exporting the 1.1.1.0/27 subnet, which obviously includes the Meraki IPs Can we configure a rule on the Palo to allow traffic destined for the Meraki HA Pair to go to the Merakis without any other cabling or configuration changes? The rule would look like this. Additionally it would allow only specific ports and protocols as needed. To makes any other changes would require re-designing our current topology. We're trying to avoid that scenario for now. Thanks in advance!
... View more
06-17-2020
01:34 PM
With only 4 firewalls, we're not using Panorama. Working with support we ran the command you mentioned. And then ran "commit force." That worked for the passive peer of our HA pair. We're scheduling a window to failover to that for testing. Part of this issue was that the new app-threat updates would break a sec policy. When we reviewed the apps against our policies it didn't match with what broke. A new app-id would only affect security policy A according to the review. When it was enabled it broke policy B. The latest thinking is that content updates are corrupted. But more testing will reveal that. Thanks for replying!
... View more
06-17-2020
08:56 AM
Thanks for replying! We're still in the planning stages, so it'll be some time before we try. But reading these responses, as well as talking with support and our local sales engineer I'm pretty confident we'll have few issues.
... View more
06-05-2020
10:38 AM
Forgot to mention that we ran this on the disabled app-ids and it made no difference for us. request set-application-status-recursive enable-dependent-apps yes application <appplication-name> status enabled
... View more
06-05-2020
10:36 AM
We've had this happening for a bit now. Runing this command in the CLI showed no disabled app-ids. request get-disabled-applications Running this command, however, did show disabled app-ids. show running application disabled According to support this is only a cosmetic issue. They also said that it was fixed in 8.1.14, which we installed and found its still happening now. They suggested this article, which we've not implemented yet. https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/app-id-features/app-id-ease-of-use/app-id-characteristic/allow-new-app-ids.html
... View more
06-04-2020
02:35 PM
@Ash2k How did this end up working for you? We're about to do the same thing, so I'm wondering if there were any surprises. Thanks.
... View more
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks