Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Live
- ›
- About MickBall
About MickBall
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Online
1149Posts
213Likes
96Solutions
Nov 30, 2020Last Visited
User
Activity
User
Profile
Latest posts by MickBall
| Subject | Views | Posted |
|---|---|---|
| 17 | 2 hours ago | |
| 49 | Friday | |
| 55 | Thursday | |
| 50 | Thursday | |
| 294 | 2 weeks ago |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 06-19-2020 10:59 AM | |
| 1 | 06-16-2020 06:14 AM | |
| 1 | 07-04-2020 11:09 AM | |
| 1 | 10-27-2017 02:11 AM | |
| 1 | 12-16-2019 03:31 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 2 | |||
| 1 | |||
| 1 | |||
| 1 |
User Badges
Public Statistics
| Date Registered | 10-30-2014 12:33 AM |
| Date Last Visited | 2 hours ago |
| Total Messages Posted | 1,161 |
| Total Likes Received | 213 |
2 hours ago
should be OK, add an auth profile for each domain and either restrict via group membership or just add both to the authentication sequence.
... View more
Friday
would the pr-logon option work for you. any user can connect remotely to the device prior to user logon... save an essay.. take a look here... https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEYCA0
... View more
Thursday
Do you have Gateway Subscription, if so then use HIP pop up with the required message.
... View more
Thursday
Block-continue appears in the logs for the first URL that matches a category where the policy requires the user to click the continue button after being presented with the warning page. take a look here,,, https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMICA0
... View more
2 weeks ago
so here are the disconnect reasons... (T29364)Info (1249): 11/18/20 16:44:19:928 --Too many outstanding keepalive and no response from GP (T29364)Info (1249): 11/18/20 16:45:16:199 --Too many outstanding keepalive and no response from GP (T29364)Info (1249): 11/18/20 16:46:12:262 --Too many outstanding keepalive and no response from GP but we see no reason for this so must be the router connection. It could be that after the initial ssl negotiation the tunnel used udp on port 4501. perhaps the amplifi lan does not know what to do with this... hence the keepalives are not getting back to you. ask your co if they can disable ipsec for testing... my next test would be to packet capture on both wifi and lan to see if any difference in tunnel traffic. also... if you have access to the amplifi firewall (never used one) then try blocking outgoing udp 4501. this will then force the tunnel to use ssl..
... View more
2 weeks ago
The local logs will probably tell you why it's disconnecting. go to the troubleshooting tab and collect logs. The pangps file will be a good starting point.
... View more
3 weeks ago
are you sure this is because of users not disconnecting, we also have transparent but some devices just refuse to upgrade. when you disconnect the gateway session, do you see them getting a portal config in the system monitor?
... View more
3 weeks ago
what version of GP are you using, there was a bug in earlier versions of 4 with domain split tunnel. we use IP's instead of domains, works well for both teams and outlook..
... View more
09-29-2020
10:04 PM
@Sec101 . Hi. they are never internal. Our office based users (ipad) just connect to our public wifi service. The outgoing wifi palo has a link to GP palo save hairpin/trombone across isp. Sorry not much help for you. There are some options for ios to auth on a domain for file share but was not for us.
... View more
09-04-2020
09:19 AM
Hi @Sec101 . for ios it needs to be on interweb. http:\\yourserver.com\nameofpacfile.pac on windoze you can use local file location, but that may have recently changed but you would be better using file on web as any change will be picked up by all clients immediately. hth. mick.
... View more
09-03-2020
10:09 AM
does the certificate have a cn= in the subject field. i'm sure that although you set the cert profile to none, the GP client will still look for this within the machine cert to class as valid.
... View more
07-07-2020
10:56 AM
Sorry cant advise as use cert auth but don't you get a password change when you login to AD after password expiry. I suppose this will depend on sso or ldap auth... is this not what pre-logon is used for...
... View more
07-04-2020
11:09 AM
1 Kudo
Yes this is possible but outside of the palo’s capabilities... all our devices log to syslog on linux OS. You can then run scripts to determine pretty much anything you want. failed logins never logged in log in frequency top 100 Etc etc.
... View more
06-23-2020
06:34 AM
ok so override the two default policies and log session start, don't bother forwarding logs. then on the firewall you will see what is happening to the pings.
... View more
06-22-2020
10:34 AM
This is showing policy 17. The count is zero. Do you have a policy before this that is denying gp Traffic.
... View more
06-19-2020
12:00 PM
Have a look here... https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClshCAC Not had chance myself as the wine doth floweth at a somewhat rapid pace... a bit of scripting or api call may be required for automation.
... View more
06-19-2020
11:45 AM
Domyou mean the user id or the actual device... i was not aware that a device could connect to 2 gateways at the same time...
... View more
06-19-2020
10:59 AM
1 Kudo
You will need a security policy to allow rdp from your office zone to your GlobalProtect zone. Then rdp to the ip address given by the gateway client config.
... View more
06-17-2020
07:23 AM
did you not take a snapshot... perhaps look in device, setup, operations to see if you have an earlier autosave. here is cli to remove licenses, not sure if it will help,,, https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CldmCAC
... View more
06-16-2020
06:14 AM
1 Kudo
K a chopped file and some notes below... function FindProxyForURL(url, host) { var proxy="PROXY 1.2.3.9:9354"; if (isInNet(host, "x.x.x.x", "255.255.248.0") || isInNet(host, "x.x.x.x", "255.255.255.192") || isInNet(host, "x.x.x.x", "255.255.255.128") || isInNet(host, "x.x.x.x", "255.255.255.224") || shExpMatch(host, "*.manage.microsoft.com") || isInNet(dnsResolve("any.internal.web.server"), "10.250.1.56", "255.255.255.255")) { return "DIRECT"; } return proxy } we do not use proxy for GP when connected so proxy address is duff.... if you have internal proxies then can include. the x.x.x.x subnets are all of our ISP addresses as we use most of these for portals, gateways and some basic web help files ava to the outside world. the dns resolve, when connected is a good way of removing proxy settings but you may prefer to use subnets as in your example. HTH. Edit. and the match host is for InTune as this is how we manage IOS profiles. so if it blows up we can still download a new profile to device,
... View more
06-15-2020
11:28 AM
Yes of course but it may be easier understood if you postvwhat you have, and inwill edit for the purpose, youbwill then better understand the process. if not then i will just send an example...
... View more
06-15-2020
10:24 AM
Hi @brianjreed . of course ... no problemo.... the pac file needs to be available to ipads outside the vpn tunnel. So a website somewhere... the pac file just says,,,, in laymans terms,,, Send all traffic to a duff proxy apart from the global protect connection traffic, and if connected to the private network, cancel the duff proxy... this blocks all browser traffic by sending it to a proxy that does not exist. But it allows gp connection. When gp is connected it drops the proxy settings so all traffic goes down tunnel. it reverts if tunnel fails. You actually dont need a proxy, just a pac file of a few lines of text.
... View more
06-15-2020
10:13 AM
Is it worth dropping this back to 389 just to ensure comms an bind is all ok.
... View more
06-05-2020
09:19 AM
what service route is LDAP using, if default. are you sure the AD server can be reached from this port. perhaps run wireshark on the AD server to see if packets on 389 are being received.
... View more
06-03-2020
10:11 PM
Does your security policy allow port 8080. It may just be that particular url cannot be rewritten.
... View more
06-03-2020
10:00 PM
To test this i would remove 2 servers from user id and see what happens, then add a second, monitor, then add the third.... it should not cause any issues as you seem not to be using id’s for policies.
... View more
06-03-2020
01:33 PM
@mwunder , hi. No problem... i’m not sure i can give the exact reasons behind the settings but yes they are within the area of gateway agent connection settings. i use... login lifetime 12 hours inactivity timeout 2 hours disconnect on idle 180 minutes we do have gateway license that covers HIP but even the login lifetime of 12 hours will make your stats more accurate. not sure why it would be set to 5 days, ... perhaps ok for a branch office but do your users never sleep... the help file is not much use...
... View more
06-03-2020
12:25 PM
Yes i can now see that in your original post. How many servers are you monitoring. Could it be that one of them is not reading the security logs correctly and overwriting the correct information.
... View more
06-03-2020
05:06 AM
Do you have port 8080 allowed for the connection to the trusted network. It may be best to capture 8080 packets on the trusted interface to see if the request is being forwarded.
... View more
Contact Me
| Online Status |
Online
|
| Date Last Visited |
2 hours ago
|
Latest Blogs
Latest Posts
Copyright 2007 - 2020 - Palo Alto Networks
