About ajbool

Sure, of 65535 addresses from 10.1.0.0 through to 10.1.255.255 - these two are the only ones you can't use as the gateway.  Was bad luck choosing one of them. 😉 Did you get some suitable NAT sorted out with the PA SE? ... View more

HI, 10.1.0.0/16 is not a legal IP address to apply to your firewall - that's actually the subnet address. Update your firewall to use 10.1.1.1/16 and place your hosts with 10.1.1.x (where x > 1!) addresses with a net mask of 255.255.0.0 and a default gateway of 10.1.1.1. Good luck aid ... View more

Hi Jo, many thanks for the info! ... View more

Hi Ssharma, Do you know if this issue has now been resolved in any released code? Thanks! ... View more

Try "show running security-policy". ... View more

We don't use our Palo Altos in L2 mode; but in L3 mode we need to place a static ARP entry mapping the NLB IP address through to the NLB MAC address on the firewalls. This obviously isn't going to apply to an L2 firewall - but do you have a static ARP entry defined on whichever L3 router/devices that are on the same subnet as the NLB address and communicating with it? ... View more

What version of Global Protect are your clients using? ... View more

A workaround of disabling HA session synchronisation  between my Active/Active firewall pair has stopped useridd dying for me. Are you both running Global Protect on these firewalls? ... View more

You may well be OK running 1.2.10 - but we just decided to go straight to 2.0.4.  Many of our clients are running XP; so version 2 isn't hitting issues with this older OS. Here's an example of the log output we were getting, 2014-09-05 08:37:12.655 +0000 Error:  pan_hip_update_report(pan_hip_handler.c:1653): ha_cfg_file_update('/opt/panlogs/global-protect/hip_report_base/250/5b1074f600c942093d84b3a26ec68199_vsys1_10.a.b.c.xml') failed: Transaction in progress 2014-09-05 08:37:12.737 +0000 Error:  ha_lib_trans_file_unique_update(ha_lib_trans_file.c:445): usr.tran.hip-report unable to update unique with transaction in progress If you can update a test box to PANOS 6 and then you can check for these log entries with the command  "less mp-log useridd.log". If you're not getting any of these errors; you shouldn't hit the issue I did. Oh, also seems we only suffer the issue if HA session synchronisation is enabled; we've disabled that whilst we move all users to GP 2.0.4. ... View more

We failed to update our Global Protect Client from 1.2.6 in advance of an upgrade from 5.0.10 to 6.0.4.  This seems to have caused the useridd deamon to suffer a memory leak and repeated reset due to over-usage of virtual memory - impacting Global Protect sessions.    Don't follow my lead 😉 ... View more

I think he means; how can a user logging into Global Protect cause the last-logged-in timestamp held in Active Directory to be updated. ... View more

Is the far end of the VPN a Cisco device? Ciscos do advertise their vendor in the IKE exchange, you can se this in the 'less mp-log ikemgr.log' output: 2014-09-04 03:16:56 [INFO]: received Vendor ID: CISCO-UNITY I think is is due to this that ciscovpn is selected as the application within the Palo Alto firewall. ... View more

ON TAGS: We manage our firewalls with Panorama.  We upgraded Panorama first (to 6.0.3) and then the firewalls after.   We found that the initial commit to Panorama post-upgrade to many of the firewalls failed - with Panorama complaining about tags. Although most of our security/NAT rules are defined in Panorama; some rules were local to the firewalls.  Those rules that had tags caused this issue. Separately, on each of the two firewalls in a HA pair, I removed the tags from the local rules; removed the tag object from the new Tags page in Objects, and then hit save.  I could then do a commit from Panorama (with the "merge with candidate configuration" option set). Perhaps I could have done a force on the Panorama commit; but that sort of thing scares me 😉 ... View more

Could try something of the form, * Configure your security policies such that only outgoing VPN connections are accepted. * Configure the VPN as passive. When you need the VPN, on the CLI use the 'test vpn ipsec-sa tunnel <name>' command to bring the session up. It may not work; but it would be what I'd try to achieve that... ... View more