This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About TheBest

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Content translations are temporarily unavailable due to site maintenance. We apologize for any inconvenience. Visit our blog to learn more.

TheBest
‎11-08-2021
since ‎05-08-2012
L1 Bithead
User Activity
User Profile
Latest posts by TheBest
View All
User Badges
Community Statistics
Member Since ‎05-08-2012 07:13 AM
Date Last Visited ‎11-08-2021 07:50 AM
Posts 3

Re: GlobalProtect authentication problem

by in General Topics
‎07-15-2014 02:01 AM
‎07-15-2014 02:01 AM
Hello, Yes, we needed to associate the tunnel interface with its own zone rather than the trusted zone.  As you stated, this modification now allows additional and needed granularity.  There are still two comments/questions, though not critical: 1.  I was obliged to add a Client Configuration in the GlobalProtect portal, citing an AD group and external gateway IP.  Without this, I was getting this error after compiling:  Config commit phase 1 aboreted (Module: device) missing both client config and satellite config (Module: sslvpn) Commit failed 2. I can still connect to the portal FQDN and authenticate with ANY account in the AD to download the GlobalProtect client.  Thanks to the new rules, it is now not possible to authenticate with ANY account in the AD from GlobalProtect - it is necessary to have an account in the designated allowed group.  In any case, shouldn't the authentication be denied when connecting to the portal FQDN and before being able to download the globalprotect MSI? Best regards ... View more

Re: GlobalProtect authentication problem

by in General Topics
‎07-07-2014 11:46 PM
‎07-07-2014 11:46 PM
Hi, OK, so it appears that the AD group in the agent configuration would be mainly to target a group for a specific configuration of the agent.  Therefore, this parameter has nothing to do with security and access filtering.  Still, using this method, I don't think its possible to target a specific group for a newer version of GP client.  I think the only way may be to deploy the MSI via GPO. Your idea is a good one but won't work currently with my configuration.  The security zone for the VPN tunnel is already "Trust".  This explains why we have no granularity and clearly reduces security.  However, the physical interface connection to the internet is in the zone "Untrust".  It looks like there is a 1:1 relationship between the physical interface and a zone.  So, it looks like I would have to change the VPN tunnel zone from "Trust" to "Untrust" and then add the policy as you suggested, right?  Otherwise, is it possible to have multiple zones linked to one physical interface?  In that case the interface to the outside would include "Untrust" and a new zone "GP-VPN"? Thanks for your valuable help! ... View more

GlobalProtect authentication problem

by in General Topics
‎07-07-2014 08:18 AM
‎07-07-2014 08:18 AM
Hello, The group I use to authenticate GP connections doesn't work properly. I followed the advice on this thread:  https://live.paloaltonetworks.com/thread/8661 It was necessary to place the NETBIOS domain name in the LDAP server profile.  Output from the CLI now clearly displays the logon format with domain\user, unlike before, for GP clients. The GP Portal specifically sites the group allowing VPN connections in the Agent COnfiguration section.  Yet, I can still logon with an account that is in the AD but not in that group. Why is this happening?  What is the best practice to limit who can connect via GP? Follow-up question:  Is it possible to deploy new GP clients to a group of test users? Thanks for your help! ... View more
Labels:
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎11-08-2021 07:50 AM
Latest Tags
No tags yet
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks