Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Live
- ›
- About MickBall
About MickBall
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
8 hours ago
1117Posts
206Likes
94Solutions
May 27, 2020Last Visited
User
Activity
User
Profile
Latest posts by MickBall
| Subject | Views | Posted |
|---|---|---|
| 106 | 2 weeks ago | |
| 465 | 4 weeks ago | |
| 420 | 4 weeks ago | |
| 540 | 4 weeks ago | |
| 414 | a month ago |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 12-16-2019 03:31 AM | |
| 1 | 02-25-2019 06:02 AM | |
| 1 | 04-20-2020 10:25 PM | |
| 1 | 03-24-2020 06:11 AM | |
| 1 | 04-10-2020 09:48 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 1 | |||
| 2 | |||
| 4 | |||
| 1 |
User Badges
Public Statistics
| Date Registered | 10-30-2014 12:33 AM |
| Date Last Visited | 8 hours ago |
| Total Messages Posted | 1,129 |
| Total Likes Received | 206 |
2 weeks ago
perhaps i have not understood your question but why not do this via a policy. source users a1,a2,a3 destination 10.1.1.0/24 allow source users b1,b2,b3 destination 10.1.2.0/24 allow source users c1,c2,c3 destination 10.1.3.0/24 allow and just have one ip pool for all users...
... View more
4 weeks ago
Ok but this may still be a nic driver issue. I would still check the windows event log.
... View more
4 weeks ago
This can be done... on the gateway(s) create a client config with no split tunnel and add the single user to this config and place it at the top of the agent configs, the single user will get this config and all others will get the other.
... View more
4 weeks ago
are these users on cable or wifi, I only ask as we had a similar issue with the same socket closed error but it was OK when the user connected to their router via a cable, we installed a different wifi interface driver and this resolved the issue. there was a pointer to this failure in the windows event log, perhaps look there for some other clues.
... View more
a month ago
Is your portal config on the firewall open to any authenticated user. What happens when you connect via a browser. What do you see in the firewall system logs.
... View more
04-22-2020
01:14 PM
you answered yes to this question. are you using PrincipalName or sAMAccountName in your authentication profile? you cannot be using both so which one? and do you have a user domain entry or a username modifier? - How can we check this is set in the authentication profile. perhaps you could print screen and post this profile.
... View more
04-20-2020
10:25 PM
1 Kudo
Why dont you do as @SteveCantwell suggested but create a portal config for yourself. place it at the top of the list with you as a user then all other users will pick up the auto select one below it. if you are not able to do this then just modify your local host file and either give 2 other gateways duff addresses or add all 3 gateways but give them all the same address as the gateway you would like to connect to...
... View more
04-20-2020
02:27 AM
Check the authentication profile. are you using PrincipalName or sAMAccountName in your authentication profile and do you have a user domain entry or a username modifier.
... View more
04-20-2020
02:17 AM
what is the error shown in the system logs on the firewall?
... View more
04-20-2020
01:50 AM
have you tried the CLI for both AD and Local Authentication profiles?
... View more
04-19-2020
11:49 PM
have you tested your authentication profile via CLI. test authentication authentication-profile <authentication-profile-name> username <username>password if this fails you need to check if using userPrincipalName or sAMAccountName in your authentication profile.
... View more
04-16-2020
09:28 AM
From the GUI. In the virtual router, just add a static route destination 0.0.0.0/0. Next hop. (Gateway address)
... View more
04-16-2020
09:23 AM
Probably teaching you to suck eggs here but have you copied and paste group name as syntax is essential here.. also.. do you have any special characters in the group name such as ampersand or comma... do you get the expected output from show user group-mapping state all. Return the expected output. do you only have permissions to see the groups but not the members. is your group mapping correct.... ie- object for both group objects and user objects.
... View more
04-11-2020
10:36 AM
I am not aware of any special parameters .... if this was the case then i would expect all radius auth to fail... perhaps you could go into more detail re the setup. on demand, always on... save user credentials... how many gateways... and can i assume you have tested from cli the test authentication authentication-profile command... from the error it seems like gp is authing to the portal but failing on gateway, this can also be confirmed in the logs...
... View more
04-11-2020
06:29 AM
Look in Monitor-system, this may tell you why it failed. are you using authentication overide, perhaps this is configured incorrectly.
... View more
04-11-2020
01:03 AM
for your clients connected to ports 1/3 & 1/4. where on those 2 subnets is your IP helper? Oh just noticed that this is your question... are the cliients not connected to a switch that could have the helper address? are you also saying that pxe failed on the same lan? If devices are within the same broadcast domain as the image server you do not need a helper... I have never tried this but just trying to work out why it would fail.
... View more
04-11-2020
12:28 AM
Yes I only suggest putting the user cert into the computer store to just make sure all of your GP stuff is set and working correctly. if this proves successful then start looking at the difference between user and computer certs. I'm sure that the default AD template for machine certs do not populate the subject field and although you can set your Palo certificate profile "Username" field to "None" I don't think GP will validate a certificate without the subject field populated.
... View more
04-10-2020
11:10 AM
There is a difference in windows world between machine certs and user certs. We use user certs for GP and computer certs for network access control on our lan switches. the computer cert cannot be used for GP auth. so if you move the user cert into the computer store this will prove my limited theory. i think the app setting means look in both places rather than user or machine actual cert.
... View more
04-10-2020
10:21 AM
1 Kudo
I have never had this issue in both firefox an ie. i did find this cli for scp. scp export certificate to <value> remote-port <1-65535> source-ip <ip/netmask> certificate-name <value> passphrase <value> include-key <yes|no> format <pem|der|pkcs12|pkcs10> I have never used it though...... or an API call may help... more here... https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-panorama-api/pan-os-xml-api-request-types/export-files-api/export-certificates-and-keys
... View more
04-10-2020
09:48 AM
1 Kudo
Download and run currports. You can add teams.exe as a filter. Or you can see all applications and what way they are going. it shows all sessions and the source ip. So source ip vpn is tunnelled and source ip lan is direct. HTH.
... View more
04-10-2020
09:45 AM
Certificates in the machine store does work, perhaps its the type of certificate you are using,. You say you have a user cert that works in the user store, try importing this to the machine personal store and see what happens. also... import the machine cert to the user store to see if it accepted. If not then probably wrong type of cert.
... View more
04-10-2020
03:27 AM
no this s is not possible. you should perhaps review your split tunnel policies and decide what is acceptable. we only allow office365 and other trusted services via split tunnel. check on your firewall for the heavy usage sites and then decide if they can be excluded from the tunnel....
... View more
04-10-2020
03:16 AM
Not sure what you mean, do they not connect back into the corp network via GP when working remotely.
... View more
04-10-2020
12:25 AM
What version of client do you have. When device wakes from sleep mode or switches from lan to wifi the client tries to reconnect to the previous gateway and some routing/domain issues seem to take place. the same issue applies when using domain split tunnel exclusions. have you tried a GP refresh before a reboot, are you above V5.1.
... View more
04-09-2020
01:47 AM
could it simply be that the firewalls are trying to catch up with log transfer. we had a similar issue when panorama was out of action for about a week. when it was back up and running the same thing happened but it did catch up eventually.
... View more
04-09-2020
01:13 AM
you will need to add HIP objects or/and HIP profiles under Objects-GlobalProtect. you will need the additional gateway license to use these in a policy but not sure if you need that just to see them under the Monitor-HIP Match.
... View more
04-08-2020
02:27 AM
we have tried all... application directory was unreliable as this is installed under the users profile, also... the use of "%LOCALAPPDATA%\Microsoft\Teams\Teams.exe" is not currently supported by Palo. Domain Split Tunnel was also unreliable as we have a few thousand users under version 5.01. so we now use IP addresses. you can make your own choice about which ones to use from here. https://docs.microsoft.com/en-gb/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams
... View more
04-07-2020
10:52 AM
download and run currports. it can display running processes and show the source address. this will determine if tunnelled or split. screen shot below .. PS I have just added teams as a filter but you can see all or add whatever you like. the 192.168 is my wifi and 172.17 GP address. also... anything local will not be affected by your firewall policies. if you need to block it then don't split it. also2... lots of bugs in domain split tunnelling below 5.0.7... HTH.
... View more
04-02-2020
03:36 AM
@goran.katava Thanks again for your help, I was not in the configure mode when using "?" so I could not find the commands.
... View more
04-01-2020
10:58 AM
@goran.katava Yes that worked for me. Do you know the similar command for domain exclusion. Also when yo use the show gateway command it does not include domain exclusion. thanks for your help.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
8 hours ago
|
Likes From
Latest Blogs
Latest Posts
Copyright 2007 - 2020 - Palo Alto Networks
