About gwesson

You might have an exception for Threat ID 40006 in one or more of your security profiles. A simple way to check your whole config for that can be done in CLI: > show config running hit / (forward slash) to begin searching, and enter:  40006 You'll have to scroll up (using the "J" key, may also work with arrow keys) to the top of that entry to find the profile name, and there may be multiple profiles that have it. ... View more

There are some debugs, but they can be dangerous to turn on because of the volume of logs it generates (flow basic + proxy basic). I highly recommend opening a case with support to go through the policy and config to see if they can help with a review of your system before diving in to the debugs. ... View more

I apologize, I completely missed that in your original post.    No, if you see policy deny, then that session was definitely denied. What is the user experience when this happens? Can the site be browsed as normal if you proceed past the certificate warning? If you can browse normally then the denied session is likely not all that important.   I hate leaving something like that unknown, but it all depends on how much time you want to put into research if the user experience is fine. ... View more

Is it actually being blocked and you're getting a firewall block page? Or are you saying that your browser shows the certificate as expired even though the firewall is decrypting it?   If it's the latter, that is expected. The firewall copies values from the server's certificate to create the decryption certificate. It takes the Subject and the Validity Period values, so if the server's cert or common name/sni are "bad" then the decrypted version will be "bad" as well. ... View more

Are you actually experiencing a problem or are you just curious about the logs?   When the keys expire, a new one is received (ike-recv-notify), the old ones expire (ipsec-key-expire), and the old ones are deleted (ike-send-p2-delete).   My recommendation would be to set up a single firewall with a single VPN connection and watch the logs as it goes through its normal functions. When you have lots of tunnels, you'll see lots of messaging. ... View more

Not directly as an LDAP group, but it can be done with RADIUS:   https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/authentication/configure-radius-authentication.html   Essentially, you're creating a Vendor Specific Attribute for the users that you want to assign as a device admin, superuser, super reader, etc. It's definitely more work than being able to specify a group, so a filing a feature request with your account team would still be a good idea. ... View more

Sorry @Venkatesan_radhakrishnan , I don't know all that much about iOS to be honest. The only experience I had was when I was testing the iOS integration for GP 5.0, and it was limited to what I previously provided in the thread you're likely referencing.   That really does sound like a better question to ask Apple, since you're doing MDM+iOS actions. I would recommend getting their support involved to see if they can iron out the issue you're seeing. ... View more

I have to get this out of the way first: Please upgrade to a more current code version. 8.0.9 was released over a year ago and has several vulnerabilities at medium or high priority. Unpatched devices are the most common vectors for attacks. Also, 8.0 has six months before it is End of Life as well, so that might be a good opportunity to begin upgrading to 8.1, which is supported on the PA-5000 series until 2024.   PAN-SA-2019-0002 (High). Cross site scripting (XSS) vulnerability in the management interface. Fixed in 8.0.15. PAN-SA-2018-0008 (High). Denial of Service (DoS) in the management interface. Fixed in 8.0.10. PAN-SA-2018-0009 (medium). XSS in the GP login page. Fixed in 8.0.11. PAN-SA-2018-0015 (medium). OpenSSL vulnerabilities. Fixed in 8.0.13. PAN-SA-2018-0012 (medium). FragmentSmack vulnerability. Fixed in 8.0.13. PAN-SA-2019-0001 (medium). XSS in external dynamic lists. Fixed in 8.0.15. PAN-SA-2019-0007 (medium). DoS in the management interface. Fixed in 8.0.16.   With that said, it depends on how much logging you are doing. Check your logging rate (debug log-receiver statistics) to see where you're at for logs/second. Even with aggressive cleaning the system may simply be getting so many logs it cannot keep up.    You may be able to reduce that as well. Make sure you're not logging at session start, don't log on the default deny rule (logging is disabled by default on it). You may also want to exclude logging for things like NTP, DNS, Ping, etc. by disabling the 'log at session end' in a rule dedicated just to that type of traffic. ... View more

No, not on Windows. Only the GlobalProtect client is officially supported. See X-Auth IPSec Client Support.   You might be able to get it to work using X-Auth, but you won't be able to get tech support if you run into trouble since it's not on the official list of supported clients.   Instead, I would recommend including GP as part of your initial image, or push the software via group policy.  ... View more

You can run these CLI commands, depending on what you want to show   > show user ip-user-mapping all > show user ip-user-mapping-mp all > show user ip-user-mapping ip 192.0.2.1 > show user ip-user-mapping ip 192.0.2.1/24 The first shows the mapping on the dataplane, the second on the management plane. The 3rd and 4th are for specific IPs or subnets.   Since you already have the mapping configured, captive portal should work for any web traffic. Even if the CP doesn't trigger, the policy is still checking the user and so it should fail to match the rule if it's user/group based.   You may want to review the traffic logs for one of those sessions to see what user it did show up as. If the log shows no user and the policy that it shows is only user-based it should not match. If your policy is group-based, then the user-id part is likely working, which would explain the lack of a CP. If this is the case, you'll want to make sure your group-mapping (Device tab > User Identification > Group Mapping Settings tab) has the correct mappings configured and that the number of groups you're using there does not exceed the device maximum.  ... View more

Captive Portal is strictly for authenticating users, it isn't something that can be used like an acceptable use policy. If there are users who have already authenticated, meaning you have a user-ip-mapping for them, then that user will not get the captive portal.   Ideally all your users should be authenticated by having the firewall (or dedicated User-ID Agent) scan the logs on the domain controller to map the users' IPs.   I'm not sure how you're leveraging CP to do this, because generally if you want to restrict users or groups, you can do that with a security policy. ... View more