Step-by-Step Palo Alto Windows User-ID Agent Setup Guide [2024]

  • Published: 1 Feb 2025

Comments • 35

  • @netsums
    @netsums  1 year ago

    FREE Palo Alto Cheat Sheet in different formats and further FREE resources: netsums.com/resources

  • @maozkaufmann5255
    @maozkaufmann5255 4 months ago +4

    You are amazing.
    Funny to think nobody in this world has provided updated videos on how to do things with Palo Alto.

    • @netsums
      @netsums  3 months ago +1

      Thank you for the comment, I'm glad you like the videos!

  • @RishiRap
    @RishiRap 1 year ago

    As usual, Great content! Always looking forward to your new meaningful and informational videos.

    • @netsums
      @netsums  1 year ago

      Thank you for the comment, I'm glad you liked the video!

  • @diwakarkumar3216
    @diwakarkumar3216 1 year ago

    Love from India. ❤ You are making a great contribution for the upcoming generation. Please make a full course video. It will be helpful if you help me in enabling Google Authenticator in GP-VPN❤❤❤

    • @netsums
      @netsums  1 year ago

      Thank you for the lovely comment, I will try!

  • @smakersify
    @smakersify 1 year ago

    Excellent buddy, subbed

    • @netsums
      @netsums  1 year ago

      Thank you! I'm glad you liked it!

  • @diwakarkumar3216
    @diwakarkumar3216 1 year ago +1

    Please keep making videos on all topics

    • @netsums
      @netsums  1 year ago

      I will try my best!

  • @normannueno2872
    @normannueno2872 6 months ago

    Awesome!!!

    • @netsums
      @netsums  6 months ago

      Thank you, I'm glad you liked the video. 😊

  • @blackknight985
    @blackknight985 8 months ago

    Excellent video! Just a quick question: how did you get rid of the warning message about the API Key after committing the changes?

    • @netsums
      @netsums  8 months ago

      Can you post here the warning message you're getting?

  • @jmanc2179
    @jmanc2179 2 months ago

    Thank you, great content! If you use the default management interface for communications, then there is no need for rules to allow communications between the Windows User-ID agent server and the Palo firewall, right?

    • @netsums
      @netsums  2 months ago

      Thank you for your feedback. That's correct, if you use the management interface, you only need to activate User ID in the management profile. But if the traffic leaving the management interface goes through a firewall (as in my case), this firewall obviously needs to allow the communication.

  • @RishiRap
    @RishiRap 1 year ago +1

    You configured a security policy with zone "lab2" for both src and dst close to the 9:50 mark. Isn't the intra-zone policy a default that allows "all"? Please clarify. Thanks.

    • @netsums
      @netsums  1 year ago +1

      You're 100% correct, this rule wouldn't be necessary with standard default rules. But I personally am not a big fan of intra-zone allow as default, so I have in my lab an override with a deny for my intra-zone default rule. So I had to add this rule. But nice catch! :-)

  • @TariqASheikh
    @TariqASheikh 2 months ago +1

    Would be useful to have link for all pre-requisites etc.

    • @netsums
      @netsums  2 months ago

      You're right. I'll take a look at it soon. Thank you!

  • @juliaperez9958
    @juliaperez9958 6 months ago

    Thank you, this is very helpful. With this setup, user mapping is working, but server monitoring under User-Identification-user mapping isn't. Do you have any suggestions to get server monitoring to work?

    • @netsums
      @netsums  6 months ago +1

      Thank you for the comment. You don't need to configure anything in the server monitoring if you have a Windows-based User-ID agent. If you are trying to configure the PAN-OS User-ID agent, I would suggest you think about the Windows-based agent; in my experience it's a lot less problematic to set up.

    • @juliaperez9958
      @juliaperez9958 6 months ago

      @netsums Thank you very much for the advice. I will give that a try.

  • @fisa6835
    @fisa6835 6 months ago

    Hello, I'd like to ask: can I use this approach to allow users that have already joined the domain (AD users) to bypass the captive portal, while non-AD users have to go to the captive portal?

  • @brianleb
    @brianleb 5 months ago

    How would I set up multiple firewalls to use the CA generated on one firewall?

    • @brianleb
      @brianleb 5 months ago

      The answer is to export the CA cert from the originating firewall, then import it on each additional PA, set it up in a Cert Profile, and attach that to the UserID Connection Security.

  • @ADempsey
    @ADempsey 5 months ago

    If we use a public cert from GlobalSign, will it be generated on the UserID server or from the Palo?

    • @netsums
      @netsums  5 months ago

      You need to install the certificate on the User-ID server.

  • @潘群崴
    @潘群崴 4 months ago

    Sorry to bother you, but I have a question. I have completed the User ID Agent configuration, and I can see the user information under MONITOR > User ID. However, only the user information is currently displayed. How can I configure it to display the group information as well?

    • @netsums
      @netsums  4 months ago +1

      Hi. You probably need group mapping. Take a look at this video, there is a section in it where I show how it can be configured:
      ruclips.net/video/PUF1hAF60AY/видео.htmlsi=sKaytILFlLi2klYD
      Let me know later if the video could help you solve the problem. :-)

  • @Domesteron1998
    @Domesteron1998 1 year ago

    Idk what is wrong; for me it's not working, redistribute status is "No".

    • @netsums
      @netsums  11 months ago

      Sorry for the late reply.
      Hard to say, many reasons:
      - Port 5007 not being allowed
      - Certificate not being able to validate (does it work without certificate validation?). Use Packet Capture to debug it
      - Pre-shared Key not matching...
      What error messages are you receiving?

    • @KyleLilleyBPS
      @KyleLilleyBPS 9 months ago +1

      @netsums **Excellent** video, worked perfectly. The only extra thing related to this fella's question is that we needed to add a Windows firewall rule to allow the 5007 traffic before it would allow the communication.

    • @netsums
      @netsums  9 months ago

      Thank you for the reply!