About Walt

We began a step migration from 9.1.13 to eventually 10.2.2. We usually pause at each major update and make sure everything is working before taking the next jump.  I got to 10.1 and hit a roadblock.  We have our laptops check in with DNS and do a dynamic update so that DNS has the correct IP when people are bouncing between working in the office and working from home.  This update suddenly started failing when we upgraded from 10.0 to 10.1. Actually it isn't failing but is being rejected by the DNS server because the request is now coming unsecure and we have our DNS servers set to only all secure dynamic updates. We know they are suddenly coming this way because if we change the setting to allow secure and unsecure on the DNS server it will work. So either the secure must be getting altered or blocked by Global Protect now then it tries unsecure and works.  These DNS servers have been set this way for years to only allow secure dynamic updates and nothing was changed on them the night it stopped working, only the firewall update.  Anyone else experience this or have any ideas? ... View more

I'm trying to change my rules for allowing outgoing SFTP connections from using IP's to using URL's as more and more vendors are going to AWS and such and locking into an IP address doesn't work.  I cloned my current working rule which says server x.x.x.10 can connect to IP's z.z.z.1, z.z.z.2, etc using the applications SSH and enhanced file transfer. I then got rid of the destination IP's setting it to "Any" and added URL Category "SFTP Safe" under "Service/URL Category".  I made sure the URL's I needed to connect to were listed in the "SFTP Safe" URL Category. Committed and when I test it passes right through that rule and hits my "Deny All" rule at the end. Yet if I adjust that same rule from "Allow" to "Deny" and run the test again it is still denied but when I look at the monitor it shows it is now denied by the new rule as I would expect.  To test additionally I set up a rule the denied web traffic to my URL Category "test", set it at the top of the rules and added cnn.com to that url category. Bang it worked, but when I set the rule to allow it will work but when I check the monitor it shows my standard outgoing web traffic rule way down the stack is allowing it. Why does URL Filtering in a Policy only seem to work for a Deny? ... View more

I'm switching our user over to the Always On VPN via the Portal App Config that auto connects the vpn and requires it for network access. The issue is I want to prevent my users from connecting via  personal PC. I've set the Client Authentication to require User Credentials and Certificate. When I delete the certificate that I set up I get the warning message I created which says this is not a company owned machine but it allows you to just click by it an connect anyway. What am I missing ? ... View more

I have a PA500 offsite that I manage remotely by connecting to the outside interface IP address, let's call it 188.1.1.1. My issue is I want to also set up a Global Protect SSL VPN gateway and the only IP choice it gives me is the outside interface 188.1.1.1/28. If I configure that then I can no longer reach the Management GUI remotely. Is there a way to change the GUI to another port or move it to another IP address I have available ? ... View more

We have a secondary ISP connection coming in and would like to route high bandwidth traffic out that egress to get it off our main connection, things like YouTube and Pandora.  Pandora was pretty simple as they only have a couple ranges of IP's so I could set up a PBF rule to direct it. YouTube on the other hand has way too many ranges and I was surprised to not see it as an option in the Application list when creating a PBF rule. Anyone else doing this or have suggestions on the best way to do it ? ... View more