About FarzanaMustafa

FarzanaMustafa

Thank you so much for your guidance. I checked the GP GW config and removed the cert from Certificate Profile. It worked! May I ask what was the problem?

FarzanaMustafa

We are told that the clientless apps only works with HTTP/HTTPS based apps, and therefore we cannot use it to allow MS remote desktop. This is the problem I am trying to solve. Our users currently use their own computers at home. They connect to the corporate network using Global Protect, but of course this could be a security risk if one of the home PCs has a virus. Buying everyone a corporate machine for home is one option, but costly. Therefore I was hoping we could use the firewall to allow them to connect using remote desktop, without allowing any data to be transferred from their office PC to their home PC.

FarzanaMustafa

We recently got shipped 2 new PAN-PA-3220 and both of them were DOA. ing PAN Software: 2021-03-10 21:02:39.170 -0800 Error: sysd_construct_sync_importer(sysd_sync.c:358): sysd_sync_register() failed: (111) Unknown error code 2021-03-10 21:02:40.170 -0800 Error: sysd_construct_sync_importer(sysd_sync.c:358): sysd_sync_register() failed: (111) Unknown error code 2021-03-10 21:02:41.171 -0800 Error: sysd_construct_sync_importer(sysd_sync.c:358): sysd_sync_register() failed: (111) Unknown error code 2021-03-10 21:02:42.171 -0800 Error: sysd_construct_sync_importer(sysd_sync.c:358): sysd_sync_register() failed: (111) Unknown error code 2021-03-10 21:02:43.172 -0800 Error: sysd_construct_sync_importer(sysd_sync.c:358): sysd_sync_register() failed: (111) Unknown error code Error: unable to connect to Sysd I had to perform 2 factory resets to get the devices to work properly however am I a bit hesitant to start rolling it out to production as the devices were not in a good state when they arrived. Are there any health checks I can do to ensure that the devices will perform fine under production type workloads?

FarzanaMustafa

Hi @MickBall Sorry for the delayed response and thank you once again for your great inputs. When I'm logged out from the workstation the pre-logon user is not showing in the gateway. I can see it in the Previous User tab. However, on the KB article of PA it says: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEYCA0 Could you please endorse my concern with the relevant PA Team?

FarzanaMustafa · ‎03-02-2021

Thank you @MickBall and @BPry Strangely, VPN group is working fine after clearing cache. No nested groups in use.

FarzanaMustafa · ‎03-02-2021

@MickBall Thank you so much for your guidance. The Gateway is now working. Any idea how to check evidence of client cert checks being performed? ie. How can I validate if the user is authenticated with the pre-logon feature?

FarzanaMustafa · ‎02-25-2021

Hi @bwadmin Please check the Traffic logs if the security policy is denying the traffic to LDAP server.

FarzanaMustafa · ‎02-24-2021

Hi @AlexanderAstardzhiev Thank you for your response. 'Better way is to create route for the GP pool to point back to the FW.' This option does not work, in AWS you cannot create routes which are more specific than the local default and the default route is the VPC size so a /16. As such you cannot route to the interface. I have asked my client to check with their PA SEs. I am closing this thread now.

FarzanaMustafa · ‎02-24-2021

I encountered a problem installing the machine certificate. I followed the article below: https://live.paloaltonetworks.com/t5/news/globalprotect-pre-logon-authentication/ta-p/322237 We are using a self-signed root ca that is in the cert profile for auth, then generated the server cert and machine cert and signed them with the same root. Then export as pks12. In the Certificate Profile, I changed the Username Field type from 'None' to 'Subj'. Made sure I selected the Computer account (default is user account) and cert is in folder "Personal" there. Tried the MS fix but no luck. https://social.technet.microsoft.com/Forums/en-US/50bd9c7c-faaa-46e3-b9a4-a2bb885b180d/unable-to-import-certificate-p12-or-pfx-file?forum=winserver8gen Please help!

FarzanaMustafa · ‎02-23-2021

We are having difficulty with our Active/Passive pair of PA_820’s where they are setup to allow auth to GlobalProtect based on AD group membership. If we create a new OU in AD and move a user to the newly created AD OU whilst still having the same group membership, they can no longer auth to connect to global protect from internal nor external networks. If we then move them back to the original OU, auth works again. We have tried the reset, refresh and clear commands ( debug user-id reset group-mapping all, debug user-id refresh group-mapping all, clear user-cache all) We have also tried to drop the bind one level down. Any further ideas how to resolve this? PANOS version – 9.1.3 GlobalProtect version – 5.1.1

FarzanaMustafa · ‎02-22-2021

We have deployed a PA-VM into AWS running 10.0.4 and are currently trying to configure Global Protect to secure our developer connections to our AWS environment. We have a Global Protect Gateway deployed and are able to establish a VPN connection. The issue we have is with the IP Pool assignment. Each IP in the pool which is distributed to a GP Client needs to be added to the private interface as a secondary IP address, whilst this is fine for one or two connections, there is a limit in AWS of 10 secondary IP addresses, when we exceed 10 clients connecting the traffic from, for example a web server, cannot route back to the appliance correctly to be returned to the GP Client. I have reviewed numerous documents around the configuration and setup of PA-VM in AWS and none of the Global Protect documentation seems to address cloud deployments, it all references on-premise. There are detailed steps on GP in AWS which properly addresses this problem. Is there any best practice or previous solutions for deploying Global Protect in AWS on how to handle this IP Pool routing issues and AWS private IP limitation?

FarzanaMustafa · ‎02-18-2021

Thank you @MP18 We have been told by Palo Alto that we need to run the 10.0.4 for some security related reasons. I realized that 'Enable HA in Passive State' box is not ticked. I am planning to test the failover again by using the settings below. ae1 Mode Passive Transmission rate Fast Enable in HA Passive state Selected ae2 Mode Passive Transmission rate Fast Enable in HA Passive state Selected Is there any logs (pls provide the commands) I need to collect during failover if it doesn't work? I will get the Tech Support file after the change.

FarzanaMustafa · ‎02-15-2021

We recently had a failover event during a normal upgrade of the firewall (10.0.1 -> 10.0.4). The LACP aggregate interface on the Cisco switch / Firewall did not come up during this time, which resulted in a longer than expected outage. Powered down firewall to restore original firewall connection. We are using Active/Passive pair with PA-820. Passive state link set to Auto. Preemptive and Link Monitoring enabled. Just to confirm that the switch should also be set to passive LACP in this instance as well? It is interesting that this was the same configuration we had on the PA220 and it seemed to work. > show lacp aggregate-ethernet all LACP: ********************************************************************************** AE group: ae1 Members: Bndl Rx state Mux state Sel state ethernet1/1 no Port Disabled Detached Unselected(Link down) ethernet1/3 no Port Disabled Detached Unselected(Link down) Status: Enabled Mode: Passive Rate: Slow Max-port: 2 Fast-failover: Enabled Pre-negotiation: Disabled Local: System Priority: 32768 System MAC: 84:d4:12:f8:89:01 Key: 48 Partner: System Priority: 0 System MAC: 00:00:00:00:00:00 Key: 0 Port State -------------------------------------------------------------------------------- Interface Port Number Priority Mode Rate Key State -------------------------------------------------------------------------------- ethernet1/1 16 32768 Passive Slow 48 0x44 Partner 0 0 Passive Slow 0 0x00 ethernet1/3 18 32768 Passive Slow 48 0x44 Partner 0 0 Passive Slow 0 0x00 Port Counters -------------------------------------------------------------------------------- Interface LACPDUs Marker Marker Response Error Sent Recv Sent Recv Sent Recv Unknown Illegal -------------------------------------------------------------------------------- ethernet1/1 0 0 0 0 0 0 0 0 ethernet1/3 0 0 0 0 0 0 0 0 ********************************************************************************** AE group: ae2 Members: Bndl Rx state Mux state Sel state ethernet1/2 no Port Disabled Detached Unselected(Link down) ethernet1/4 no Port Disabled Detached Unselected(Link down) Status: Enabled Mode: Passive Rate: Slow Max-port: 8 Fast-failover: Enabled Pre-negotiation: Disabled Local: System Priority: 32768 System MAC: 84:d4:12:f8:89:01 Key: 49 Partner: System Priority: 0 System MAC: 00:00:00:00:00:00 Key: 0 Port State -------------------------------------------------------------------------------- Interface Port Number Priority Mode Rate Key State -------------------------------------------------------------------------------- ethernet1/2 17 32768 Passive Slow 49 0x44 Partner 0 0 Passive Slow 0 0x00 ethernet1/4 19 32768 Passive Slow 49 0x44 Partner 0 0 Passive Slow 0 0x00 Port Counters -------------------------------------------------------------------------------- Interface LACPDUs Marker Marker Response Error Sent Recv Sent Recv Sent Recv Unknown Illegal -------------------------------------------------------------------------------- ethernet1/2 0 0 0 0 0 0 0 0 ethernet1/4 0 0 0 0 0 0 0 0

FarzanaMustafa · ‎02-10-2021

Hi @BPry I need your suggestion please for this one.

FarzanaMustafa · ‎02-09-2021

Error message: gateway external server cert is invalid Only for Android users who are using GP version 5.1 or 5.2. No issues with 5.0. Using PANOS 9.1.3 Using Public Certificate and we only received 1 PEM file from the client. The server cert (SSL1_Networkscomms) is standalone. Not sure how to add it to the cert chain. Added the Root CA and Intermediate CA : Do I need to install the server cert on the Android device to make GP work?

Date Registered	‎10-01-2018 12:02 AM
Date Last Visited	4 hours ago
Total Messages Posted	190
Total Likes Received	21

Online Status	Offline
Date Last Visited	4 hours ago

About FarzanaMustafa

Re: Cannot install Machine Certificate for GP Pre-logon

Query on clientless VPN

Query on health check of new PA

Re: Cannot install Machine Certificate for GP Pre-logon

Re: Authentication issue with Global Protect

Re: Cannot install Machine Certificate for GP Pre-logon

GlobalProtect issue on Android device

How to connect users to their domain via GlobalProtect

Unable to logon to the firewalls using the AD account

Server Monitoring Not Connected

Re: SSL Certificate renewal query

Re: Query on Path monitoring

Re: Query on Path monitoring

Re: Query on latest GP download

Re: Device Certificate - Where to find OTP?

Re: Cannot install Machine Certificate for GP Pre-logon

Query on clientless VPN

Query on health check of new PA

Re: Cannot install Machine Certificate for GP Pre-logon

Re: Authentication issue with Global Protect

Re: Cannot install Machine Certificate for GP Pre-logon

Re: Getting LDAP Error

Re: IP Pool Assignment

Cannot install Machine Certificate for GP Pre-logon

Authentication issue with Global Protect

IP Pool Assignment

Re: AE Interface down during failover

AE Interface down during failover

Re: GlobalProtect issue on Android device

GlobalProtect issue on Android device

Network Security

Cloud Security

Security Operations

About FarzanaMustafa