Step-by-Step Palo Alto Windows User-ID Agent Setup Guide [2024]

  • Published 20 Oct 2024

COMMENTS • 30

  • @netsums  10 months ago

    FREE Palo Alto Cheat Sheet in different formats and further FREE resources: netsums.com/resources

  • @maozkaufmann5255  25 days ago

    You are amazing.
    Funny to think nobody in this world has provided updated videos on how to do things with Palo Alto.

  • @RishiRap  10 months ago

    As usual, Great content! Always looking forward to your new meaningful and informational videos.

    • @netsums  10 months ago

      Thank you for the comment, I'm glad you liked the video!

  • @diwakarkumar3216  10 months ago

    Love from India. ❤ You are making a great contribution for the upcoming generation. Please make a full course video. It will be helpful if you help me in enabling Google Authenticator in GP-VPN ❤❤❤

    • @netsums  10 months ago

      Thank you for the lovely comment, I will try!

  • @RishiRap  10 months ago +1

    You configured a security policy with zone "lab2" for both src and dst close to the 9.50 timeline. Isn't the intra-zone policy default and allows "all"? Please clarify. Thanks.

    • @netsums  10 months ago +1

      You're 100% correct, this rule wouldn't be necessary with standard default rules. But I personally am not a big fan of intra-zone allow as default, so I have in my lab an override with a deny for my intra-zone default rule. So I had to add this rule. But nice catch! :-)

  • @fisa6835  3 months ago

    Hello, I'd like to ask, can I use this way to allow users that have already joined the domain (AD users) to bypass the captive portal, while non-AD users have to go to the captive portal?

  • @blackknight985  5 months ago

    Excellent video! Just a quick question, how did you get rid of the warning message about the API Key after committing the changes?

    • @netsums  5 months ago

      Can you post here the warning message you're getting?

  • @潘群崴  1 month ago

    Sorry to bother you, but I have a question. I have completed the User ID Agent configuration, and I can see the user information under MONITOR > User ID. However, only the user information is currently displayed. How can I configure it to display the group information as well?

    • @netsums  1 month ago +1

      Hi. You probably need group mapping. Take a look at this video, there is a session there where I show how it can be configured:
      ua-cam.com/video/PUF1hAF60AY/v-deo.htmlsi=sKaytILFlLi2klYD
      Let me know later if the video could help you solve the problem. :-)

  • @smakersify  9 months ago

    Excellent buddy, subbed

    • @netsums  9 months ago

      Thank you! I'm glad you liked it!

  • @juliaperez9958  2 months ago

    Thank you, this is very helpful. With this setup, user mapping is working, but server monitoring under User-Identification-user mapping isn't. Do you have any suggestions to get server monitoring to work?

    • @netsums  2 months ago +1

      Thank you for the comment. You don't need to configure anything in the server monitoring if you have a Windows-based User-ID agent. If you are trying to configure the PAN-OS User-ID agent, I would suggest you think about the Windows-based agent; in my experience it's a lot less problematic to set up.

    • @juliaperez9958  2 months ago

      @netsums Thank you very much for the advice. I will give that a try.

  • @brianleb  1 month ago

    How would I set up multiple firewalls to use the CA generated on one firewall?

    • @brianleb  1 month ago

      Answer is to export the CA cert from the originating firewall and then import it on each additional PA and setup the in a Cert Profile and attach that to the UserID Connection Security

  • @ADempsey  2 months ago

    If we use a public cert from globalsign will it be generated on the UserID server or from the Palo?

    • @netsums  1 month ago

      You need to install the certificate on the User-ID server.

  • @normannueno2872  2 months ago

    Awesome!!!

    • @netsums  2 months ago

      Thank you, I'm glad you liked the video. 😊

  • @diwakarkumar3216  10 months ago

    Please keep making videos on all topics

    • @netsums  10 months ago

      I will try my best!

  • @Domesteron1998  8 months ago

    Idk what is wrong, for me it's not working, redistribute status is "No"..

    • @netsums  8 months ago

      Sorry for the late reply.
      Hard to say, many reasons:
      - Port 5007 not being allowed
      - Certificate not being able to validate (does it work without certificate validation?). Use Packet Capture to debug it
      - Pre-shared Key not matching...
      What error messages are you receiving?

    • @KyleLilleyBPS  6 months ago +1

      @netsums **excellent** video, worked perfectly. The only extra thing related to this fella's question is we needed to add a Windows Firewall rule to allow the 5007 traffic before it would allow the communication

    • @netsums  6 months ago

      Thank you for the reply!
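
A way to check the Windows-side causes for port 5007 raised in the thread above, as an added example that is not from the video or from any commenter. The firewall address, the rule name and the choice of the Domain profile are assumptions to replace with your own values.

```powershell
# Added example. Run in an elevated PowerShell session on the User-ID agent server.
$AgentPort   = 5007                                    # port named in the thread
$FirewallIPs = @('192.0.2.10')                         # constructed placeholder: firewall address(es)
$RuleName    = 'PAN User-ID Agent inbound TCP 5007'    # hypothetical rule name

# 1. Is the agent actually listening on the port?
$listener = Get-NetTCPConnection -LocalPort $AgentPort -State Listen -ErrorAction SilentlyContinue |
    Select-Object -First 1
if ($listener) {
    $proc = Get-Process -Id $listener.OwningProcess
    "TCP $AgentPort is open, owned by $($proc.ProcessName) (PID $($proc.Id))"
} else {
    Write-Warning "Nothing listens on TCP $AgentPort; check the User-ID agent service."
}

# 2. Is there an enabled inbound allow rule for it? (exact port match; ranges are not expanded)
$existing = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains "$AgentPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }

# 3. If not, add one limited to the firewall addresses instead of opening the port to any source
if ($existing) {
    $existing | Select-Object DisplayName, Profile
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $AgentPort -RemoteAddress $FirewallIPs -Profile Domain
}
```

Scoping the rule with `-RemoteAddress` keeps the agent port reachable only from the firewalls that need it.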