About thatguy

thatguy · ‎01-20-2016

Thank you, both.. I'll probably go with the cold-spare until I can figure out the sub-interface config. These PA's are pretty neat! Always learning... 😄

thatguy · ‎01-20-2016

I haven't palyed with subinterfaces before... after a brief read, I'm guessing I could combine the trust (192.168.1.0/24) and the voip vlan (192.168.100.0/24) into the eth0 port, as long as the cxn from the switch is config'd as a trunk? which would even save an additional switch port, yeah? Sidenote: in case the boss does want the spare stored in another building, would the swap-out idea work as well? Thanks

thatguy · ‎01-20-2016

Hi all -- I curently have one PA200 with all four eth ports taken (internal/trust network, internet/untrust, dmz, voip vlan), as well as the mgmt port connected to the internal network. I'm looking to get a disaster recovery plan in place, but, as far as I understand (from about here to here |--| ), I would need one of the eth interfaces to connect to a second PA200 to utilize HA-Lite. Since I can't spare a port, would another option be to: get a second PA200, import the current running config on the production PA, then just put the spare PA in the closet; then if the production PA ever dies, just replace it with the spare PA and *poof* no one sees a difference? Is that a sound plan? I would think another benefit to this would be in case of a fire, etc, the spare PA could be stored in our other building.. but that could just be me trying to convince meself... Thoughts? Thanks -- michael~

thatguy · ‎11-19-2015

much appreciated. thank you

thatguy · ‎11-19-2015

Hi all -- Lately, with the Win10 release, I'm finding many of my VPN users are downloading gigs of updates over my meager 10mbps company internet cxn. I'm wondering if there is any way to block specific services/applications (ie.- ms-update) over a GlobalProtect connection.. I can't find anywhere to specify a URL filtering profile in the Gateway config.. Would I apply a profile to the VPN IP Pool in the Security Policies? Thanks -- michael~ edit: Running on PA200, wth PanOS 6.1.5.

thatguy · ‎07-31-2014

Apparently, this was a non-issue. I had to do a hard reboot of the PA200 and suddenly the IPSec tunnel was fine. Just weird. Thanks for the replies anyway.

thatguy · ‎07-31-2014

Here is the same set of msgs that get logged for every user now. Prior to yesterday, we would get the same set of msgs, except for the switch to SSL. Since that started, users are immediately logged out.

thatguy · ‎07-30-2014

Hi all -- I just noticed an odd behavior affecting all GP clients (running on PA200, PANOS 6.0.3, GP Client 2.0.3), but I haven't changed anything recently. In looking at the System log, I see users connecting successfully ('portal user auth succ', 'portal client config gen', 'gateway user auth succ', 'gateway user login succ', 'gateway client config gen').. But then there's a 'gateway client switch to SSL tunnel mode', and 30secs later, there's a 'gateway client config release', and 'user logout succeeded'. All connections up until today have used IPSec, and for whatever reason, SSL sessions logout immediately (because we don't have a certificate?).. Could this be a network issue? We've been having issues with out internet provider lately, and pings are averaging around 60ms from the public side, tho that doesn't seem slow. Is there anything I could check internally? Any help is much appreciated. Thanks

thatguy · ‎03-06-2014

Hi all.. I'm sure this will be a simple question to answer, but I can't find any explanation. In the following snip from our GlobalProtect traffic log on a PA200: 1 2/23/2014 17:14 2/23/2014 17:14 GlobalProtect gateway user login succeeded. Login from: 75.89.141.221, User name: w__0. 1 2/23/2014 17:14 2/23/2014 17:14 GlobalProtect gateway user logout succeeded. User name: w__0, Reason: remove previous login. 1 2/23/2014 17:14 2/23/2014 17:14 GlobalProtect gateway user login failed. Login from: 75.89.141.221, User name: w__0, error: Existing user session found. 1 2/23/2014 17:14 2/23/2014 17:14 GlobalProtect gateway user login succeeded. Login from: 75.89.141.221, User name: w__0. 1 2/23/2014 5:29 2/23/2014 5:29 GlobalProtect gateway user logout succeeded. User name: w__0, Reason: user session expired. 1 2/23/2014 2:28 2/23/2014 2:28 GlobalProtect gateway user login succeeded. Login from: 75.89.141.221, User name: w__0. I have the inactivity timeout set to 3hrs, so the user was inactive and the session expired at 5:29. Then they reconnected at 17:14, but how/why was there an existing session? There are other timeouts where the session disappeared after an expiration. Everything seems to be working correctly, this question is just for curiosity's sake. Thanks -- michael~

thatguy · ‎01-15-2014

Thank you for the reply.. and that seems to work.. should I be concerned about the commit warning that the "Non-domainUsers shadows LimitedInternet"? The policies are ordered as: OpenInternet sourceuser: domain\openinternetgroup LooseFiltering Non-domainUsers sourceuser: unknown LooseFiltering LimitedInternet sourceuser: any StrictFiltering And is there any way to include both the domain group and unknown user in the same policy? Thanks!

thatguy · ‎01-14-2014

Hey there -- So this is an odd thing that's probably it simple fix.. hoping anyway. We have 99% of our PCs on the same subnet and domain, however several of these machines are owned by an outside company and are "borrowing" our internet link. They are in their own workgroup (not on our domain), but share our address space (192.168.1.x/24). I have an OpenInternet policy that allows users in a specific domain security group full access to the internet; and I have another policy (LimitedInternet) that has strict URL filtering for users not in that group. My question -- is there a way to allow those workgroup computers (either by workgroup or machine name) access to the OpenInternet policy? Thanks! -- michael~

thatguy · ‎12-30-2013

GOT IT!!! It turns out that I originally misconfigured the LDAP settings.. In the LDAP Server Profile, I had our domain as "ptc.loc" instead of simply "ptc", so the users in the group-mapping were listed as "ptc.loc\username", while the user-mapping listed the users as "ptc\username", so they didn't match up. Thank you Phoenix and knarra1!

thatguy · ‎12-30-2013

Thank you Phoenix -- I checked the logs and, indeed, the LimitedInternet security rule is being applied to everyone. From my original image, the OpenInternet rule should apply only to users in the ptc\OpenInternet domain group, and has the default URL filtering profile attached. The second rule applies to all other users, and has the LimitedInternet URL filtering profile attached.. The logs show every user is getting blocked by the LimitedInternet rule. Does that tell anything? Thanks again for the reply.

thatguy · ‎12-30-2013

Hi all -- So I was asked by mgmt to block social networking, streaming, etc for all users except administration. I created a custom URL Filtering profile that blocks those categories, as well as several specific sites. Under Policies -> Security, I created a new policy called "LimitedInternet", applied to all users, from the trust to untrust zones, and applied the custom, limited URL Filter. I have another security policy that is only applied to users in our domain's OpenInternet group, which uses the default URL Filter profile. Here's how it looks -- As I understand, the rules are applied top-down, and once a rule matches, it stops searching. So the first rule should apply to anyone in the OpenInternet group; if the user is not in that group, they should use the second, limited rule and have sites blocked. As it is, the LimitedInternet rule is applied to everyone, regardless of their group membership. Can anyone tell me what I'm missing here? (I apologize if this has been covered elsewhere, I tried searching, honest!) Thanks -- michael~

Member Since	‎09-14-2013 11:15 AM
Date Last Visited	‎12-29-2017 09:56 AM
Posts	15
Total Likes Received	2

Online Status	Offline
Date Last Visited	‎12-29-2017 09:56 AM

About thatguy

Re: PA200 disaster recovery option...?

Re: PA200 disaster recovery option...?

PA200 disaster recovery option...?

Re: Block ms-update for GlobalProtect sessions?

Block ms-update for GlobalProtect sessions?

Re: GP gateway drops to SSL and client gets disconnected..?

Re: GP gateway drops to SSL and client gets disconnected..?

GP gateway drops to SSL and client gets disconnected..?

GlobalProtect: Existing user session..?

Re: Specify policy by machine name/workgroup?

Re: PA200 disaster recovery option...?

Re: Block ms-update for GlobalProtect sessions?

Re: PA200 disaster recovery option...?

Re: PA200 disaster recovery option...?

Re: GlobalProtect: Existing user session..?

Re: PA200 disaster recovery option...?

Re: PA200 disaster recovery option...?

PA200 disaster recovery option...?

Re: Block ms-update for GlobalProtect sessions?

Block ms-update for GlobalProtect sessions?

Re: GP gateway drops to SSL and client gets disconnected..?

Re: GP gateway drops to SSL and client gets disconnected..?

GP gateway drops to SSL and client gets disconnected..?

GlobalProtect: Existing user session..?

Re: Specify policy by machine name/workgroup?

Specify policy by machine name/workgroup?

Re: Newbie setting up URL Filtering... can't find an answer by searching.. :-/

Re: Newbie setting up URL Filtering... can't find an answer by searching.. :-/

Newbie setting up URL Filtering... can't find an answer by searching.. :-/

Unlock your full community experience!

About thatguy