About PedroPablo

PedroPablo · ‎05-20-2019

Hi @Chacko42 I just wanted to update the issue. The domain-based split-tunnel feature it worked like a charm! Thank you so much for your help! Hope you have a great day. Kind Regards

PedroPablo · ‎05-16-2019

Okay , thank you so much for your help @Chacko42 Then for sure i have to go with a recent version. I'll keep you updated to see if this will solve my problem. And also for everyone with a similar situation. Kind Regards.

PedroPablo · ‎05-16-2019

Ohh okay, sorry. I was so confused. PAN-OS: 8.0.12 GP: 4.1.0 I guess i need to upgrade the GP version, don't i? 😕

PedroPablo · ‎05-16-2019

In the client settings (GP settings?). Where i define the IP routes is here: I don't follow you, sorry.

PedroPablo · ‎05-16-2019

Hi @Chacko42 First of all, thank you for your help. I tried that before, but i can't include the address object with the target-website-fqdn. It's like the fw just let me include objects with IP addresses because when i'm going to include the object with the fqnd i can't see it

PedroPablo · ‎05-16-2019

I have define some routes of some branch offices that i need my GP clients to access to. I was thinking to define routes to access the servers where the website is hosted at but with dynamic IPs is not gonna work. 😞

PedroPablo · ‎05-14-2019

Hi @Chacko42 I made a little quick diagram to help: So, what i did is: - I defined a nat rule where the source is the object GlobalProtect Clients ( 10.10.10.0/24) and the source translation (dynamic ip and port) the interface wan ( eth1/1 - 222.11.22.11) - I also defined a pbf rule where the source is the object GlobalProtect Clients (10.10.10.0/24) and the next hop is the GW of the IP pool where 222.11.22.11 is included. My problem is that people connected through GlobalProtect client is using the wan that the carrier is giving them so they cannot access to the website i want due to the security rule that my partner company defined only allowing traffic from my interface WAN 222.11.22.11. I was thinking in the globalprotect configuration, in the split tunnel conf, include the IP of my partner server where the website is hosted but that won't work due to the dynamic Ips. I've tried to explain myself the best i can sorry if something does not make sense to you. Kind Regards.

PedroPablo · ‎05-14-2019

Hi @ Chacko42, I defined a pbf rule to route the traffic for the object "globalprotect clients" to one of my interfaces (the one that my partner allowed in his firewall). Also i defined a nat rule doing the same but when i connect the globalprotect client is not routing the traffic where i want. It routes the traffic through my carrier o wherever i'm connected to. I don't know if this is what you meant, if not, i think i didn't understand really well you solution. Thank you for your support though. Kind Regards

PedroPablo · ‎05-13-2019

Hello guys, I'm trying to do something and i'm not really sure if it's possible. Let's get into... I have an url that is for example: "www.myweb.com". Our partner is hosting that web and with his firewall is just allowing us the access through our IP WAN. Everything works fine, we can access, but the problem comes when we tried to do it through our VPN (globalprotect). Our clients going through the VPN are not having the same IP WAN so our partner firewall is blocking it and obviously they cannot allow all traffic. I'm just trying to think in a solution but my mind is blocked. Any suggestions? Thank you!

PedroPablo · ‎02-12-2019

Hello, For everyone with a similar situation, i fixed the problem. So going through the logs i could see that it wasn't a configuration mismatch. (Well actually in one of them it was a configuration mismatch (wrong ipsec crypt configuration) as well) The gateway for the next hop in my static route it was wrong. My ISP gave me a wrong one...¬¬. Once i put the right one it started to work smoothly. Thanks @reaper for your help!

PedroPablo · ‎02-05-2019

Actually a i didn't try that. I will give a try to that and i will let you know how it goes. Thanks for the reply!

PedroPablo · ‎02-05-2019

Thank you so much for reply! I'll try what you said. What i don't understand is that the same and exact configuration is working perfectly but with another IP on my peer so i can't see what is wrong. Like, if i modify my peer IP again and i set the old IP and my remote peer do the same, the tunnel would be UP almost instantly. So i don't get why could be a mismatch if nothings was changed besides the IP 😞 * I tried before to clear the session of ike and ipsec but didn't work.

PedroPablo · ‎02-04-2019

Hello guys, I have a problem that i've been the whole day trying to make it work but i can't and i have to solve it asap. I have around 12 vpn connections peer to peer working. I have to change those vpn connections to another IP Public little by little (my peer IP). I tried today with 3 vpn sites modifying: - IKE Gateway: modifying Interface, local ip addres and local identification - Static Routes: i modified the interface and the next hop - Security Rules: I added the new IP Public to the one that already exist. Am i missing something? The ones with the old IP Public are working perfect but i can't make it work with the new one. (The changes in the remote peers were made as well). My remote peer told me that they can ping and traceroute me but i can't, so i guess the problem is on my side. Can someone help me? i don't know what more to look or to change. Also i got different errors in the logs: Site 1: ====> PHASE-1 NEGOTIATION FAILED AS INITIATOR, MAIN MODE <==== ====> Failed SA: my peer[500]-remote peer[500] cookie:6731f1a9f47445d5:0000000000000000 <==== Due to timeout. 2019-02-04 19:44:36.000 +0100 [INFO]: { 2: }: ====> PHASE-1 SA DELETED <==== ====> Deleted SA: my peer[500]-remote peer[500] cookie:6731f1a9f47445d5:0000000000000000 <==== Site 2: ====> PHASE-1 NEGOTIATION STARTED AS RESPONDER, MAIN MODE <==== ====> Initiated SA: my peer[500]-remote peer[500] cookie:81bbd9683095c862:4079c6c2a022dd4d <==== 2019-02-04 19:44:51.349 +0100 [INFO]: { 1: }: received Vendor ID: DPD 2019-02-04 19:44:51.349 +0100 [INFO]: { 1: }: received Vendor ID: RFC 3947 2019-02-04 19:44:51.349 +0100 [INFO]: { 1: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03 2019-02-04 19:44:51.349 +0100 [INFO]: { 1: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 2019-02-04 19:44:51.349 +0100 [INFO]: { 1: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 2019-02-04 19:44:51.349 +0100 [INFO]: { 1: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00 2019-02-04 19:44:52.000 +0100 [PNTF]: { 1: }: ====> PHASE-1 NEGOTIATION FAILED AS RESPONDER, MAIN MODE <==== ====> Failed SA: my peer[500]-remote peer[500] cookie:de602182338cb9d0:25a62e85bee11834 <==== Due to timeout. 2019-02-04 19:44:52.000 +0100 [INFO]: { 1: }: ====> PHASE-1 SA DELETED <==== ====> Deleted SA: my peer[500]-remote peer[500] cookie:de602182338cb9d0:25a62e85bee11834 <==== 2019-02-04 19:44:52.511 +0100 [PNTF]: { 17: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=5f9a7e21c7c369e9 97a227d4d986d5b5 (size=16). 2019-02-04 19:44:54.349 +0100 [INFO]: the packet is retransmitted from remote peer[500] to my peer[500]. Site 3: [PERR]: Couldn't find configuration for IKE phase-1 request for peer IP remote peer[500]. 2019-02-04 19:50:55.615 +0100 [PNTF]: { 17: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=5f9a7e21c7c369e9 97a227d4d986d5b5 (size=16). 2019-02-04 19:50:56.156 +0100 [PNTF]: { 3: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=54f5845033049f7e cef513a42e864900 (size=16). 2019-02-04 19:50:57.000 +0100 [PNTF]: { 11: }: ====> PHASE-1 NEGOTIATION FAILED AS INITIATOR, MAIN MODE <==== ====> Failed SA: my peer[500]-remote peer[500] cookie:e3c5714c065682f5:1a1619e7b34a9475 <==== Due to timeout. 2019-02-04 19:50:57.000 +0100 [INFO]: { 11: }: ====> PHASE-1 SA DELETED <==== ====> Deleted SA: my peer[500]-remote peer[500] cookie:e3c5714c065682f5:1a1619e7b34a9475 <==== received unencrypted Notify payload (AUTHENTICATION-FAILED) from IP remote peer[500] to my peer[500], ignored.

PedroPablo · ‎11-07-2018

Hello guys, I just read a topic from 2011 about this but i don't know if there is a solution. I have working the scheduled log export, but the problem is that i get a ton of small files all about 27Mb and overall 5Gb everyday. Is there a way to change this? and is it possible to reduce the size? Thank you in advance

PedroPablo · ‎09-18-2018

It helped me a lot @kiwi! Thank you so much for your help! @OtakarKlier thank you too! That was my problem. I had configured correctly the Group Mapping but i had to include the group i wanted in the "Group Include List". Have a nice day guys!

Member Since	‎08-09-2018 11:46 PM
Date Last Visited	‎05-30-2019 11:32 AM
Posts	18
Total Likes Received	4

Online Status	Offline
Date Last Visited	‎05-30-2019 11:32 AM

About PedroPablo

Re: How to...(VPN globalprotect)

Re: How to...(VPN globalprotect)

Re: How to...(VPN globalprotect)

Re: How to...(VPN globalprotect)

Re: How to...(VPN globalprotect)

Scheduled Log Export : Path

Re: How to...(VPN globalprotect)

Re: VPN not working (changed IP Public)

Re: SSL Decryption just some users

Re: How to...(VPN globalprotect)

Re: How to...(VPN globalprotect)

Re: How to...(VPN globalprotect)

Re: SSL Decryption just some users

Re: SSL Decryption just some users

Re: How to...(VPN globalprotect)

Re: How to...(VPN globalprotect)

Re: How to...(VPN globalprotect)

Re: How to...(VPN globalprotect)

Re: How to...(VPN globalprotect)

Re: How to...(VPN globalprotect)

Re: How to...(VPN globalprotect)

Re: How to...(VPN globalprotect)

How to...(VPN globalprotect)

Re: VPN not working (changed IP Public)

Re: VPN not working (changed IP Public)

Re: VPN not working (changed IP Public)

VPN not working (changed IP Public)

Scheduled Log Export : Path

Re: SSL Decryption just some users

Network Security

Cloud Security

Security Operations

About PedroPablo