This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
- AIOps for NGFW
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- Cloud NGFW for AWS
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
About qdimclark
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About qdimclark
05-17-2022
14Posts
3Likes
0Solutions
May 17, 2022Last Visited
User
Activity
User
Profile
Latest posts by qdimclark
| Subject | Views | Posted |
|---|---|---|
| 1639 | 10-01-2021 01:32 PM | |
| 2604 | 07-01-2021 11:02 AM | |
| 2769 | 06-24-2021 04:49 AM | |
| 2805 | 06-24-2021 04:03 AM | |
| 2952 | 06-23-2021 12:31 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 07-01-2021 11:02 AM | |
| 1 Like | 06-23-2021 12:31 PM | |
| 1 Like | 06-24-2021 04:03 AM |
User Badges
Community Statistics
| Member Since | 04-25-2018 03:29 PM |
| Date Last Visited | 05-17-2022 07:37 AM |
| Posts | 14 |
| Total Likes Received | 3 |
10-01-2021
01:32 PM
Hope y'all are well. @CobaltixIT @MickBall Thank you both for your help. In the end we stood up an MS NPS server for RADIUS. Now the portal has the wildcard.domain.com cert and the gateway has an internal PKI certificate. When a computer is joined to the domain they are issued a cert from our PKI. Then using RADIUS to authenticate Pre-Logon then Demand is working and users can change their password before logging in. Since the company is allowing BYOD for remote users I have to configure GP to allow a non-domain computer to authenticate. (BYOD may change soon, but in the meantime...)
... View more
07-01-2021
11:02 AM
1 Kudo
Just a followup. I switched to using a wilcard cert for the portal and internal PKI with machine certs for pre-logon. I've passed this hurdle and now just need to resolve the cookie issue I'm having with pre-login. Thanks for your help!
... View more
06-24-2021
04:49 AM
And your SSL/TLS profile points to your CA?
... View more
06-24-2021
04:03 AM
1 Kudo
Thank you both. I know I have myself confused with this. And now a few more questions. Are you using solely your internal PKI for the portal and gateway? And @MickBall are you using the Cert profile for both portal and gateway? Thank you both again. I'll get out of the weeds soon...
... View more
06-23-2021
12:31 PM
1 Kudo
We're using these versions (Yes, we need to upgrade, but other priorities at the moment) PANos 8.1.14 Global Protect client 5.2.1 We're currently usingOn-Demand, which is working. We used this page with the only difference is we're using AD Authentication. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClH2CAK Now we want to use pre-logon then on-demand. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oM4ACAU We used our internal PKI to create machine certs and those have been deployed using Group Policy. What I'm not getting is how to configure GlobalProtect to use the machine cert for pre-logon. Do I create a new SSL/TLS profile or certificate profile? Can I use the PANos self-signed in conjunction with the PKI machine cert? Would the self-signed be for the portal and the machine cert be for the gateway? I've gone through all the documents, as well as, the GP Admin guide. Any advice or guidance is much appreciated!
... View more
03-03-2021
12:18 PM
That's the solution we're going to implement once I get the config changes to the PA, the Merakis and our Core finalized. Thanks again for your help Tom.
... View more
03-03-2021
12:05 PM
Also, just and FYI Merakis can only use BGP within their AutoVPN (SD-WAN) feature. They can not use it in the scenario shown above.
... View more
03-03-2021
08:11 AM
That's what I suspected. But with limited BGP knowledge I thought I'd ask. Thanks!
... View more
03-02-2021
10:38 AM
We currently have this setup in our datacenter. The Meraki HA pair is the VPN endpoint for our 120+ remote sites. In a DR situation the datacenter has IP mobility, where our current static IPs will failover. This setup uses BGP through the Palo. With BGP enabled on the Palo HA Pair and datacenter’s internet the Meraki HA pair is inaccessible, which means the remote sites have no connectivity to the data center. The BGP config is exporting the 1.1.1.0/27 subnet, which obviously includes the Meraki IPs Can we configure a rule on the Palo to allow traffic destined for the Meraki HA Pair to go to the Merakis without any other cabling or configuration changes? The rule would look like this. Additionally it would allow only specific ports and protocols as needed. To makes any other changes would require re-designing our current topology. We're trying to avoid that scenario for now. Thanks in advance!
... View more
06-17-2020
01:34 PM
With only 4 firewalls, we're not using Panorama. Working with support we ran the command you mentioned. And then ran "commit force." That worked for the passive peer of our HA pair. We're scheduling a window to failover to that for testing. Part of this issue was that the new app-threat updates would break a sec policy. When we reviewed the apps against our policies it didn't match with what broke. A new app-id would only affect security policy A according to the review. When it was enabled it broke policy B. The latest thinking is that content updates are corrupted. But more testing will reveal that. Thanks for replying!
... View more
06-17-2020
08:56 AM
Thanks for replying! We're still in the planning stages, so it'll be some time before we try. But reading these responses, as well as talking with support and our local sales engineer I'm pretty confident we'll have few issues.
... View more
06-05-2020
10:38 AM
Forgot to mention that we ran this on the disabled app-ids and it made no difference for us. request set-application-status-recursive enable-dependent-apps yes application <appplication-name> status enabled
... View more
06-05-2020
10:36 AM
We've had this happening for a bit now. Runing this command in the CLI showed no disabled app-ids. request get-disabled-applications Running this command, however, did show disabled app-ids. show running application disabled According to support this is only a cosmetic issue. They also said that it was fixed in 8.1.14, which we installed and found its still happening now. They suggested this article, which we've not implemented yet. https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/app-id-features/app-id-ease-of-use/app-id-characteristic/allow-new-app-ids.html
... View more
06-04-2020
02:35 PM
@Ash2k How did this end up working for you? We're about to do the same thing, so I'm wondering if there were any surprises. Thanks.
... View more
LEGAL NOTICES
Copyright 2007 - 2022 - Palo Alto Networks