NETSums
Welcome! This channel is focused on creating tutorials and walkthroughs for Network Professionals. I hope I will be able to help you configure and manage your Palo Alto Firewalls and boost your networking career!

- ABOUT -

Ricardo has been a network professional for over 20 years. For the last 7 years he has been working daily with Palo Alto Firewalls. He comes originally from Brazil and has been living in Germany since 2004.
Palo Alto GlobalProtect Clientless VPN [2024] (26:07, 7 months ago)
Adding a Palo Alto Firewall to Panorama (7:31, 9 months ago)
Palo Alto URL Filtering and URL Categories (15:48, 9 months ago)
Palo Alto NAT Configuration [2024] (6:33, 9 months ago)
Palo Alto Tech Support File [2024] (1:26, 10 months ago)
Palo Alto Firewall - Static Routes [2024] (2:40, 10 months ago)
Palo Alto Panorama Template Variables [2024] (1:32, 11 months ago)
Palo Alto Firewall - Packet Capture [2024] (10:47, 11 months ago)
Comments
@Josellv_ (1 day ago)
Amazing
@netsums (1 day ago)
Thank you, I'm glad you liked it. :-)
@tundetade6472 (1 day ago)
Hello, I have this error of the virtual adapter not being set up correctly due to a delay. It's frustrating. Help!
@Rucci00 (2 days ago)
Hello, I have already made the configuration that you explain in your video. When I connect to the GP portal I have no problem, but when I try to connect through the VPN client, that is, when I connect to the gateway, it gives me the following error: AADSTS700016. Do you know how it can be solved?
@A..n..d..y (2 days ago)
In the GlobalProtect Gateway Configuration - Agent - you skip over the part about the tunnel interface. We never go into creating the tunnel.
@netsums (2 days ago)
I show it at minute 5:08.
@Killa_krayon917 (2 days ago)
This was great and informative. I am hoping to deploy this very soon. Does the Palo encrypt the data once it has inspected it and sends it to the final destination? I'll search the PA KBs in support but I'm just wondering how the last leg of data is handled. For topics I would like to see a video on HA Active / Active with shared resources and converged NAT table to eliminate the need for Source NAT when a resource is available via two external gateways.
@netsums (2 days ago)
Thank you for your video suggestion. And yes, the Palo Alto encrypts the data again going to the server. It doesn't do SSL offloading.
@brianleb (3 days ago)
How would I set up multiple firewalls to use the CA generated on one firewall?
@brianleb (2 days ago)
The answer is to export the CA cert from the originating firewall, then import it on each additional PA, set it up in a Cert Profile and attach that to the User-ID Connection Security.
@tarangshah6399 (3 days ago)
Hi Ricardo, it's an amazing video. It helped me achieve my goal, for which I had been searching for a solution for the last few months. Even a Palo Alto TAC engineer was not able to support it. Only one piece of advice to achieve 100%: is it possible to restart the PANGPS service for all GlobalProtect users remotely? Another issue: while testing, I found that the first time one needs to log in with the external gateway, and then the next time the login with the internal gateway, with the on-premise DNS server, authenticates successfully.
@user-qu3hc9kt6i (4 days ago)
Please also make a video of the Palo Alto EDL (External dynamic List) feature. I am curious about how to connect to the EDL server in https mode instead of http.
@netsums (2 days ago)
Good suggestion, I'll keep that in mind for upcoming videos. Thank you.
@gabintalla1096 (6 days ago)
Amazing video, really helpful... Thanks again.
@netsums (2 days ago)
Thank you for the comment, I'm glad the video could be useful. :-)
@Leokev123 (7 days ago)
Can I check: if we are configuring 2 gateways, do both WAN IPs have to be on the same VR?
@netsums (7 days ago)
I'm not sure I understand your question. It doesn't matter if the routes to the gateways are configured on the same VR or not, the important thing is that the clients are able to reach the gateways.
@Leokev123 (7 days ago)
@netsums thanks! Anyway, are we able to do dual ISP/gateway using one portal, so they can do an auto failover?
@netsums (7 days ago)
If a client cannot connect to the first gateway, it tries the second one. So with dual ISP, it would be no problem. The only problem there is the GlobalProtect Portal. Usually a client saves the last configuration it downloaded from the portal. But if a client is connecting for the first time and the portal is not available, the client won't be able to connect. For portal redundancy you would probably need to set up DNS with some sort of monitoring, if you want an automatic solution.
@Leokev123 (7 days ago)
@netsums I configured path monitoring in the VR for both ISPs.
@ispolin1313 (9 days ago)
Can we configure pre-logon while using EntraID SSO for authentication to GlobalProtect? How will it work? First it will use the machine cert to connect the VPN, and then re-login with EntraID user creds?
@netsums (7 days ago)
Yes, just like that. I have that implemented for a customer; it works fine.
@ispolin1313 (5 days ago)
@netsums Can you please share more details with me? Have you used EntraID certificate-based authentication for this? If yes, what kind of CA did you use, and should the machines be hybrid joined? Should a cert be issued for each machine?
@imrancisco1 (10 days ago)
Great video! Would you please show us how this will work with PKI certs, with hundreds of users having their machine certs?
@netsums (10 days ago)
Hi. You can either have one certificate for all your clients (which I wouldn't recommend) or a different certificate for each PC. On the Palo Alto you would upload the Root CA from the PKI. I cannot go over Microsoft Group Policies or how you roll out the certificates to hundreds of PCs, because it's not my field. :-)
@ADempsey (10 days ago)
If we use a public cert from GlobalSign, will it be generated on the User-ID server or from the Palo?
@netsums (2 days ago)
You need to install the certificate on the User-ID server.
@onurcan9129 (11 days ago)
Thanks for sharing another piece of great content. Can you please demystify packet capture via the CLI to analyze the traffic? There are no plain instructions on the internet about it.
@netsums (2 days ago)
Sorry for the late reply. I found this; is it what you're looking for? indepthtechno.wordpress.com/2018/12/09/enable-packet-captures-on-palo-alto/
@andrey-qx7kg (11 days ago)
God bless you, man! This is the most detailed guide I've seen.
@netsums (2 days ago)
Glad you liked it!
@tremelai (12 days ago)
I have been working with PA firewalls since 2009. I find your videos very helpful for my team to get proficient with our current PA environment. I see that you share the same joy I feel when working with technology! Thank you for your work!
@netsums (11 days ago)
Thank you for your comment! I'm glad to hear your team is able to learn something from the videos! 😊
@debmalyabasu479 (13 days ago)
Nice tutorial. We need a playlist for Panorama, Sir.
@netsums (13 days ago)
Thank you. Here is the link: ru-vid.com/group/PLzZhtxtP3S77U0ituiyfc17uFP_qB5mDV&si=gGmfeVlJyTI7kJp2
@midas1108 (16 days ago)
I'm curious how to have the certificate verification enabled. When I import the federation metadata XML a certificate is created on the firewall. However I'm unable to modify that certificate--for example, to set it as a CA certificate, which appears to be required for this setup. When attempting to create the Authentication Profile, the add fails because there is no Certificate Profile (the exact error is that "Validate Identity Provider Certificate is checked but no Certificate Profile is provided"). I'm unable to create a certificate profile with the auto-added certificate since it isn't marked as a CA.
@netsums (16 days ago)
I think the best way is to have a second certificate just for the requests validation, separate from the one you receive with the Metadata. I think you can even use an internal (self-signed) certificate, but I'm not 100% sure how your IdP will handle that. Let me know if it worked for you, I would be interested. :-)
@imrancisco1 (16 days ago)
You have great videos, but too many ads.
@netsums (16 days ago)
Hi. Sorry about the ads, but they are chosen by RU-vid. 😬
@Knifehands__ (16 days ago)
Why not add all 4 EDLs to a single inbound rule and outbound rule?
@netsums (16 days ago)
You can also do that if you want. The advantage of separating them is that you can see in the monitor which rule (EDL) matched.
@Knifehands__ (15 days ago)
@netsums Okay, thanks. I figured as much; I just wasn't sure if there were limits to URL/IP lookups per rule, or something weird like that.
@netsums (15 days ago)
You have a good point. I don't know of any limits in this sense.
@jucelinodosreis (17 days ago)
Congratulations!
@kishortp (18 days ago)
Thanks for blessing us with this video. I do have one doubt. I'm using standalone firewalls in active-passive mode. In the identifier, do I have to add both of my FQDNs, and can I import the same metadata on both firewalls? Is that the correct step?
@netsums (16 days ago)
I'm almost sure the URLs are not in the Metadata, because you can change them and you don't need to upload new Metadata. So in your case, you should import the same Metadata to both firewalls and configure 2 URLs on your IdP, as you mentioned. But how does your active/passive work? Do you use DNS for that?
@kishortp (14 days ago)
@netsums Thanks for your reply. Yes, I do have an internal DNS server, and I have pointed my firewall URLs to my local firewall IPs. One more query regarding the roles: is it possible to configure 2 roles? Because in my setup I require both read-only and write permission.
@netsums (14 days ago)
Yes, you can use the menu Admin Roles on Panorama to create the roles you need.
@kishortp (13 days ago)
@netsums Thanks again, mate.
@yusmaribriones3658 (19 days ago)
Thank you for the super well explained tutorial. I used it for a Palo Alto Firewall in standalone mode; now I have a doubt whether in HA there should be a metadata file for each FW (active and passive management IP). Thanks for your help! 🙏
@netsums (18 days ago)
Hi. Thank you for the comment. You only need to import the Metadata once, both firewalls synchronize the configuration.
@freddycalderon9092 (19 days ago)
Great way of explaining it, but it would be better if you could do a step-by-step tutorial on configuring this option. For example, how to assign a gateway to a dual ISP.
@netsums (16 days ago)
Hi. I will keep that in mind, thanks!
@honno7765 (20 days ago)
Amazing video. Thank you! I think, after watching it, I was able to figure out why I am getting connected to the portal but the connection fails at finding the best available gateway. I misconfigured the Agent External part, which is crucial to connect to the gateway.
@netsums (16 days ago)
Cool! I'm glad I could help.
@SaSemairesearch (21 days ago)
Perfect!!
@yocath (25 days ago)
Thanks for your sharing...
@samsal073 (1 month ago)
Hi, I was trying Verizon home internet and noticed that whenever I connect my machine to work via GlobalProtect, the speed goes really down. Why is that? Is there anything I can do to fix it?
@netsums (1 month ago)
Sorry, I don't think I can help you there. Maybe set your MTU to 1350 or something like this? You can configure it in the portal configuration, under App. Otherwise you could take a look at the GlobalProtect client logs; maybe some errors could point you in the right direction.
@samsal073 (29 days ago)
@netsums thanks for the reply. I have seen posts about setting the MTU, but I have no idea how to do that. Can you guide me where/how I can access the portal config?
@netsums (29 days ago)
On the firewall, you go to Network -> GlobalProtect -> Portals. Click on your portal and click on Agent. Click on your agent configuration and select the tab App. There you need to search for MTU (you can use the browser search, it works); if I'm not mistaken, there is only one option with MTU in it.
@normannueno2872 (1 month ago)
Awesome!!!
@netsums (29 days ago)
Thank you, I'm glad you liked the video. 😊
@Roadhouse-20 (1 month ago)
What would be the renewal process, please? Ours is about to expire and I'm looking to renew it.
@juliaperez9958 (1 month ago)
Thank you, this is very helpful. With this setup, user mapping is working, but server monitoring under User Identification - User Mapping isn't. Do you have any suggestions to get server monitoring to work?
@netsums (1 month ago)
Thank you for the comment. You don't need to configure anything in the server monitoring if you have a Windows-based User-ID agent. If you are trying to configure the PAN-OS User-ID agent, I would suggest you think about the Windows-based agent; in my experience it's a lot less problematic to set up.
@juliaperez9958 (1 month ago)
@netsums Thank you very much for the advice. I will give that a try.
@user-zq1ww3hy4f (1 month ago)
Thanks, very well explained.
@netsums (1 month ago)
Thank you, I'm glad you liked it.
@pramodkumargangwar5598 (1 month ago)
Hi sir, I am using the Palo Alto VM trial version, which has no license. Can I perform this practical?
@netsums (29 days ago)
I'm not sure. Give it a try to see if it accepts the configuration.
@bradywang2050 (1 month ago)
Nice video! How about multiple group mappings, like a full-access group and a read-only group? Thanks.
@netsums (1 month ago)
Thank you. In this case you need a second admin role with a read-only profile. Take a look at the video starting at minute 11:33.
@fisa6835 (1 month ago)
Hello, I'd like to ask: can I use this method to allow users that have already joined the domain (AD users) to bypass the captive portal, while non-AD users have to go through the captive portal?
@mirourimatia203 (1 month ago)
Thanks a lot, Sonny Crockett from Two Cops to Miami Beach 🙂
@aajratrikageet2213 (1 month ago)
Hi, your video is very helpful. We have successfully enabled MFA with Azure SAML auth on Palo Alto. But we have one query: as we have multiple tenants on Azure, and in SAML authentication we can apply only one auth profile, how can we enable MFA with Azure SAML for our different tenants for GlobalProtect?
@netsums (1 month ago)
Hi, thank you, and sorry for the late reply. I think what you need is an authentication sequence. You configure a SAML authentication for each tenant and add them to a sequence. I haven't tried a sequence with SAML before, but it should work for SAML as well. Let me know later if it worked! :)
@theinkyawhtun9432 (1 month ago)
Hi Sir!!! How can I choose an SMTP server? I have no local SMTP server.
@netsums (1 month ago)
I show you at minute 10:24 how you can enter your SMTP server. You can use Gmail, for example; just search the Internet to see how you can set it up.
@ErickVivas-s9v (1 month ago)
You did an excellent job here! Thank you very much mate!
@netsums (1 month ago)
Thank you for your reply, I'm glad you liked it!
@vjysmarty5674 (1 month ago)
Thanks. Great video. Could you please explain how NAT is applied by the firewall and how to configure it, particularly for clientless VPN? In my case the GP clientless interface has a public IP, and I want it to be NATted somehow. And is there any way we can assign an IP pool similar to what we assign for client/agent-based VPN? Any help here is much appreciated.
@netsums (1 month ago)
Hi, sorry for my late reply. The firewall uses its "closest" interface to the target as the source interface (take a look at minute 16:18). So the firewall does NAT using its own IP addresses. In your case the connection will be NATted, since I suppose your application (target) is not in your outside zone. 🙂 I don't think it's possible to assign an IP pool to clientless VPN, since the firewall uses its own interfaces as the source.
@RayAlejandroGaviriaAlegria (1 month ago)
Is it the same process for Panorama?
@netsums (1 month ago)
It has been a while since I did this video, but it should be the same process, yes. I didn't try it with Panorama, though. Let me know later if it worked! :)
@GeovanoQuatrin (1 month ago)
Great video, it helped a lot to clarify how to set it up. I'm reproducing the steps with PrivacyIdea version 3.9.3, but the challenge response of type email doesn't appear in the list of available responses. Is there another configuration to make?
@netsums (1 month ago)
Hi, sorry for the late reply. I showed in the video the whole configuration I needed to make in my lab to make it work. I cannot tell you why the email challenge response doesn't get shown.
@animal9470 (2 months ago)
Do you need a support account to do this?
@netsums (2 months ago)
Hi. Yes, you won't get updates without a valid license.
@leanderjanlargo5690 (2 months ago)
Finally! I found a detailed procedure for implementing GlobalProtect Pre-logon! Amazing! Great video! Thank you for creating such educational and highly informative content!
@netsums (2 months ago)
Thank you for your comment, I'm glad we were able to help.
@EduQueiroz1987 (2 months ago)
I got a little confused about this. What's the difference between a site with or without a forward slash at the end?
@netsums (1 month ago)
Hi. Sorry for the late reply. A URL without the forward slash at the end can match more than you want. For example, if you have a URL "example.com" without the slash at the end, it will also match "example.com.badserver.com". From the Palo Alto documentation: The trailing slash prevents the firewall from assuming an implicit asterisk to the right of the domain.
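To make the "implicit asterisk" behaviour concrete, here is an added Python model of the matching rule described in the reply above. It is an illustration written for this page, not PAN-OS code or the channel's own material, and it deliberately models only the two cases discussed (entry with and without a trailing slash); the real firewall has further rules (for example leading `*.` wildcards) that are not covered here.

```python
"""Simplified model of the custom URL-category rule discussed above.

Assumed semantics (illustration only, not PAN-OS code):
- an entry with no trailing slash gets an implicit '*' to its right, so
  "example.com" also matches "example.com.badserver.com";
- an entry ending in "/" is anchored to the host, so it matches only that
  host and the paths below it.
"""
from urllib.parse import urlsplit


def _split(url: str) -> tuple[str, str]:
    """Return (host, path) for a URL, with or without a scheme."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or ""), (parts.path or "/")


def entry_matches(entry: str, url: str) -> bool:
    """Does a custom-category entry match the given URL?"""
    host, path = _split(url)
    if entry.endswith("/"):
        # Trailing slash: host must match exactly; any path below it matches.
        e_host, e_path = _split(entry)
        return host == e_host and path.startswith(e_path)
    # No trailing slash: implicit '*' to the right, so the entry only has to
    # be a prefix of "host/path". This is what lets the lookalike host match.
    return (host + path).startswith(entry.lower())


def matching_entries(entries: list[str], url: str) -> list[str]:
    """All category entries that match a URL (what the log would show)."""
    return [e for e in entries if entry_matches(e, url)]


# Constructed sample data: the two entry styles and a lookalike domain.
ENTRIES = ["example.com", "example.com/"]
URLS = [
    "https://example.com/login",
    "https://example.com.badserver.com/phish",
]

if __name__ == "__main__":
    for u in URLS:
        print(f"{u:45} -> {matching_entries(ENTRIES, u)}")
```

Running the block shows that only the slash-less entry matches the lookalike host, which is exactly the over-match the reply warns about.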
@EduQueiroz1987 (1 month ago)
@netsums No worries. Thanks a lot!
@dashginlazimov4923 (2 months ago)
Thanks for publishing such tutorial videos. 21:30 Doesn't intrazone already allow this kind of traffic? Because those interfaces are in the same zone, I mean "Outside", and intrazone already allows this kind of traffic. Is there a need to write this security policy?
@netsums (1 month ago)
Hi, sorry for the late reply. You're right: if you don't change the default rules, there would be no reason to add such a rule. Since I like to change the interzone default rule to deny, so I have more control over what is being allowed, I need to do it in my case. :-) I would also recommend you change the default rule to deny and declare the interzone rules manually, so you can control which apps you allow, especially on your outside zone.
@Gabriel-gbl13 (2 months ago)
Great video! Could you help me with a problem? I configured all these steps like in the video, but when I try to log in, the application redirects me to the internal IP of my Panorama and I cannot access my application because it is in a private environment. I tried to change my identity URL, but the error occurs anyway.
@netsums (1 month ago)
Sorry for the late reply. You should be able to access your Panorama, even if it's on a private environment. Your IdP doesn't need to access your Panorama, only the client trying to authenticate.
@christianalinas (2 months ago)
👍👍👍🔥🔥
@Neur0bit (2 months ago)
Fantastic explanation. Thanks for all the effort you put into these videos.
@brahimhamdi (2 months ago)
Hello, I need to create two pools with different subnets. Is it possible? How do I do it? On ASA it's possible.