Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Live
- ›
- About PedroPablo
About PedroPablo
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
05-30-2019
18Posts
4Likes
0Solutions
May 30, 2019Last Visited
User
Activity
User
Profile
Latest posts by PedroPablo
| Subject | Views | Posted |
|---|---|---|
| 1850 | 05-20-2019 03:29 AM | |
| 1859 | 05-16-2019 04:46 AM | |
| 1865 | 05-16-2019 02:53 AM | |
| 1869 | 05-16-2019 02:41 AM | |
| 3007 | 05-16-2019 02:20 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 11-07-2018 04:30 AM | |
| 1 | 05-20-2019 03:29 AM | |
| 1 | 02-12-2019 03:17 AM | |
| 1 | 09-18-2018 06:20 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 1 | |||
| 1 | |||
| 1 | |||
| 1 |
User Badges
Public Statistics
| Date Registered | 08-09-2018 11:46 PM |
| Date Last Visited | 05-30-2019 11:32 AM |
| Total Messages Posted | 18 |
| Total Likes Received | 4 |
05-20-2019
03:29 AM
1 Kudo
Hi @Chacko42 I just wanted to update the issue. The domain-based split-tunnel feature it worked like a charm! Thank you so much for your help! Hope you have a great day. Kind Regards
... View more
05-16-2019
04:46 AM
Okay , thank you so much for your help @Chacko42 Then for sure i have to go with a recent version. I'll keep you updated to see if this will solve my problem. And also for everyone with a similar situation. Kind Regards.
... View more
05-16-2019
02:53 AM
Ohh okay, sorry. I was so confused. PAN-OS: 8.0.12 GP: 4.1.0 I guess i need to upgrade the GP version, don't i? 😕
... View more
05-16-2019
02:41 AM
In the client settings (GP settings?). Where i define the IP routes is here: I don't follow you, sorry.
... View more
- Tags:
- globalprotect
- vpn
05-16-2019
02:20 AM
Hi @Chacko42 First of all, thank you for your help. I tried that before, but i can't include the address object with the target-website-fqdn. It's like the fw just let me include objects with IP addresses because when i'm going to include the object with the fqnd i can't see it
... View more
- Tags:
- @
05-16-2019
02:07 AM
I have define some routes of some branch offices that i need my GP clients to access to. I was thinking to define routes to access the servers where the website is hosted at but with dynamic IPs is not gonna work. 😞
... View more
05-14-2019
03:18 AM
Hi @Chacko42 I made a little quick diagram to help: So, what i did is: - I defined a nat rule where the source is the object GlobalProtect Clients ( 10.10.10.0/24) and the source translation (dynamic ip and port) the interface wan ( eth1/1 - 222.11.22.11) - I also defined a pbf rule where the source is the object GlobalProtect Clients (10.10.10.0/24) and the next hop is the GW of the IP pool where 222.11.22.11 is included. My problem is that people connected through GlobalProtect client is using the wan that the carrier is giving them so they cannot access to the website i want due to the security rule that my partner company defined only allowing traffic from my interface WAN 222.11.22.11. I was thinking in the globalprotect configuration, in the split tunnel conf, include the IP of my partner server where the website is hosted but that won't work due to the dynamic Ips. I've tried to explain myself the best i can sorry if something does not make sense to you. Kind Regards.
... View more
05-14-2019
01:27 AM
Hi @ Chacko42, I defined a pbf rule to route the traffic for the object "globalprotect clients" to one of my interfaces (the one that my partner allowed in his firewall). Also i defined a nat rule doing the same but when i connect the globalprotect client is not routing the traffic where i want. It routes the traffic through my carrier o wherever i'm connected to. I don't know if this is what you meant, if not, i think i didn't understand really well you solution. Thank you for your support though. Kind Regards
... View more
05-13-2019
02:40 AM
Hello guys, I'm trying to do something and i'm not really sure if it's possible. Let's get into... I have an url that is for example: "www.myweb.com". Our partner is hosting that web and with his firewall is just allowing us the access through our IP WAN. Everything works fine, we can access, but the problem comes when we tried to do it through our VPN (globalprotect). Our clients going through the VPN are not having the same IP WAN so our partner firewall is blocking it and obviously they cannot allow all traffic. I'm just trying to think in a solution but my mind is blocked. Any suggestions? Thank you!
... View more
- Tags:
- globalprotect
- vpn
02-12-2019
03:17 AM
1 Kudo
Hello, For everyone with a similar situation, i fixed the problem. So going through the logs i could see that it wasn't a configuration mismatch. (Well actually in one of them it was a configuration mismatch (wrong ipsec crypt configuration) as well) The gateway for the next hop in my static route it was wrong. My ISP gave me a wrong one...¬¬. Once i put the right one it started to work smoothly. Thanks @reaper for your help!
... View more
02-05-2019
09:51 AM
Actually a i didn't try that. I will give a try to that and i will let you know how it goes. Thanks for the reply!
... View more
02-05-2019
06:41 AM
Thank you so much for reply! I'll try what you said. What i don't understand is that the same and exact configuration is working perfectly but with another IP on my peer so i can't see what is wrong. Like, if i modify my peer IP again and i set the old IP and my remote peer do the same, the tunnel would be UP almost instantly. So i don't get why could be a mismatch if nothings was changed besides the IP 😞 * I tried before to clear the session of ike and ipsec but didn't work.
... View more
02-04-2019
10:56 AM
Hello guys, I have a problem that i've been the whole day trying to make it work but i can't and i have to solve it asap. I have around 12 vpn connections peer to peer working. I have to change those vpn connections to another IP Public little by little (my peer IP). I tried today with 3 vpn sites modifying: - IKE Gateway: modifying Interface, local ip addres and local identification - Static Routes: i modified the interface and the next hop - Security Rules: I added the new IP Public to the one that already exist. Am i missing something? The ones with the old IP Public are working perfect but i can't make it work with the new one. (The changes in the remote peers were made as well). My remote peer told me that they can ping and traceroute me but i can't, so i guess the problem is on my side. Can someone help me? i don't know what more to look or to change. Also i got different errors in the logs: Site 1: ====> PHASE-1 NEGOTIATION FAILED AS INITIATOR, MAIN MODE <==== ====> Failed SA: my peer[500]-remote peer[500] cookie:6731f1a9f47445d5:0000000000000000 <==== Due to timeout. 2019-02-04 19:44:36.000 +0100 [INFO]: { 2: }: ====> PHASE-1 SA DELETED <==== ====> Deleted SA: my peer[500]-remote peer[500] cookie:6731f1a9f47445d5:0000000000000000 <==== Site 2: ====> PHASE-1 NEGOTIATION STARTED AS RESPONDER, MAIN MODE <==== ====> Initiated SA: my peer[500]-remote peer[500] cookie:81bbd9683095c862:4079c6c2a022dd4d <==== 2019-02-04 19:44:51.349 +0100 [INFO]: { 1: }: received Vendor ID: DPD 2019-02-04 19:44:51.349 +0100 [INFO]: { 1: }: received Vendor ID: RFC 3947 2019-02-04 19:44:51.349 +0100 [INFO]: { 1: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03 2019-02-04 19:44:51.349 +0100 [INFO]: { 1: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 2019-02-04 19:44:51.349 +0100 [INFO]: { 1: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 2019-02-04 19:44:51.349 +0100 [INFO]: { 1: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00 2019-02-04 19:44:52.000 +0100 [PNTF]: { 1: }: ====> PHASE-1 NEGOTIATION FAILED AS RESPONDER, MAIN MODE <==== ====> Failed SA: my peer[500]-remote peer[500] cookie:de602182338cb9d0:25a62e85bee11834 <==== Due to timeout. 2019-02-04 19:44:52.000 +0100 [INFO]: { 1: }: ====> PHASE-1 SA DELETED <==== ====> Deleted SA: my peer[500]-remote peer[500] cookie:de602182338cb9d0:25a62e85bee11834 <==== 2019-02-04 19:44:52.511 +0100 [PNTF]: { 17: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=5f9a7e21c7c369e9 97a227d4d986d5b5 (size=16). 2019-02-04 19:44:54.349 +0100 [INFO]: the packet is retransmitted from remote peer[500] to my peer[500]. Site 3: [PERR]: Couldn't find configuration for IKE phase-1 request for peer IP remote peer[500]. 2019-02-04 19:50:55.615 +0100 [PNTF]: { 17: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=5f9a7e21c7c369e9 97a227d4d986d5b5 (size=16). 2019-02-04 19:50:56.156 +0100 [PNTF]: { 3: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=54f5845033049f7e cef513a42e864900 (size=16). 2019-02-04 19:50:57.000 +0100 [PNTF]: { 11: }: ====> PHASE-1 NEGOTIATION FAILED AS INITIATOR, MAIN MODE <==== ====> Failed SA: my peer[500]-remote peer[500] cookie:e3c5714c065682f5:1a1619e7b34a9475 <==== Due to timeout. 2019-02-04 19:50:57.000 +0100 [INFO]: { 11: }: ====> PHASE-1 SA DELETED <==== ====> Deleted SA: my peer[500]-remote peer[500] cookie:e3c5714c065682f5:1a1619e7b34a9475 <==== received unencrypted Notify payload (AUTHENTICATION-FAILED) from IP remote peer[500] to my peer[500], ignored.
... View more
11-07-2018
04:30 AM
1 Kudo
Hello guys, I just read a topic from 2011 about this but i don't know if there is a solution. I have working the scheduled log export, but the problem is that i get a ton of small files all about 27Mb and overall 5Gb everyday. Is there a way to change this? and is it possible to reduce the size? Thank you in advance
... View more
09-18-2018
06:20 AM
1 Kudo
It helped me a lot @kiwi! Thank you so much for your help! @OtakarKlier thank you too! That was my problem. I had configured correctly the Group Mapping but i had to include the group i wanted in the "Group Include List". Have a nice day guys!
... View more
09-18-2018
12:49 AM
Thank you guys for your help. For example, could i use the group of domain users? The thing is when i want for example to use an user in that decryption policy, i go to "Source User" and i type the first two letters of the user name and i get a list of a bunch of users with those letters. But i've never seen the name of a group. So i don't know if just putting the name of the group is gonna work. Sorry if i'm not explaining myself really well. Thank you for your patience!
... View more
09-17-2018
08:06 AM
Thank you Kiwi. I think i didn't explain myself well haha. I know i can define some source users, i already have some of then. My question is: If for example i want the users of an OU of my AD and they are 200 users, ¿Do i have to put those 200 users manually? Because i think i can't use groups from my domain. And in the future i would like to open it for the rest of users of my company and the problem is that if i do it with subnets, i'll have devices without the CA cert and those will have problems probably. Anyway, thank you for help!!
... View more
09-17-2018
07:07 AM
Hello everybody, I'm struggling thinking how i can do this. I've implemented SSL Decryption in the Palo Alto FW and i just tried with two IP's with a succesful result. Now i would like to open the range. I want to apply that decryption rule to an OU of my domain but i don't know how to do it. Well, actually, i don't know if it's possible. So, the thing is just to apply that rule to a group of users that i want to keep doing tests and i can't do it with IP addresses because we have DHCP deployed. Can someone help me? Thank you in advance.
... View more
Latest Blogs
Latest Posts
Copyright 2007 - 2020 - Palo Alto Networks
