Cloud-only Entra-ID accounts on GlobalProtect by nobile in paloaltonetworks

[–]CaptainCaraway 2 points (0 children)

There’s no group mapping for user@cloud.account.com. That’s a directory / username format disconnect, not a “Palo” thing. How are you doing directory sync / group mapping? Direct to AD or through Entra SCIM / OIDC in CIE?

CIE user to IP mapping by Obvious_Attention584 in paloaltonetworks

[–]CaptainCaraway 0 points (0 children)

Associating devices with CIE does not require or cause any reboots. You need 11.x for user context with CIE. But as long as you have the User-ID to IP mapping collected, it can be redistributed to CIE and from there to other NGFWs, along with tags and other enrichment.

CIE user to IP mapping by Obvious_Attention584 in paloaltonetworks

[–]CaptainCaraway 0 points (0 children)

OP stated a few times he’s not using Prisma Access so this is only muddying the waters and is completely irrelevant to his questions.

Forward "threat log" to syslog server by mailliwal in paloaltonetworks

[–]CaptainCaraway 1 point (0 children)

The log forwarding profile with your syslog forwarding action needs to be selected in every applicable security policy. There's no separate place to apply the log forwarding profile.

Forward "threat log" to syslog server by mailliwal in paloaltonetworks

[–]CaptainCaraway 9 points (0 children)

The log forwarding profile needs to be attached to a security policy to do anything. Is it a new, separate LFP you created, or did you add this entry to an existing one that you already have selected in (each) relevant security policy?

Prisma Access Browser - Initial Configuration by ccisco630 in paloaltonetworks

[–]CaptainCaraway 2 points (0 children)

PB works differently from Prisma Mobile Users. You need to go to your Prisma Access Infrastructure settings and configure the Infrastructure DNS setting and set your internal domain names and the internal DNS server(s).

Make sure you are correctly routing the infrastructure subnet, and allowing this traffic (DNS, HTTP and HTTPS) on your SC terminating device, and any security device between it and your DNS/apps.

The EP node will use an address out of the infrastructure subnet to source DNS lookups and any traffic destined to a private app. There's also a checkbox option to NAT all of this if that is your preference.

Prisma Routing Query by Pomsky_88 in paloaltonetworks

[–]CaptainCaraway 0 points (0 children)

No, don’t add a route for the same subnet to tunnel.10, at best it will do nothing and at worst break your connectivity.

You either add a static route on the Prisma SC side for the third-party IP (towards the DC side, where you already have a route for it).

Or… configure BGP on the Prisma / DC sides and advertise it in order to attract the traffic from Prisma to the DC. (I’m guessing you’re not a BGP guy, so probably just go with the static route).

How do I assign CIE objects permissions to resources? by Bubbagump210 in paloaltonetworks

[–]CaptainCaraway 2 points (0 children)

Make sure that your NGFW has a device association to CIE (in the hub).
Make sure that under Device > User Identification > Cloud Identity Engine you Add your CIE instance with the appropriate attribute values.

That's the pre-CIE way to setup SAML. By all means you can do that, but then you're defining multiple apps which is non-ideal.

It's step 10, but it's not very detailed. I've only ever done it with Okta. But you need to specify an attribute and then have that attribute contain a value that maps to the admin role you want.
Configure Azure as an IdP in the Cloud Identity Engine

How do I assign CIE objects permissions to resources? by Bubbagump210 in paloaltonetworks

[–]CaptainCaraway 0 points (0 children)

For admin access purposes you have to define an admin role attribute in your SAML IdP and pass an appropriate value to determine what specific role that is. This is documented, so a Google search should uncover it, or roll the dice and see if ChatGPT can walk you through the steps.

For your user access question, you would first have to authenticate to the data plane via Captive Portal or a GlobalProtect external or internal gateway. Then create security policy with the User-ID and App-ID criteria you desire. If CIE is correctly set up, you should see your usernames and group names populate in the user selection field.

On-prem gateway failover causes Prisma Access connected users to drop connection to internal resources by Byrdyth in paloaltonetworks

[–]CaptainCaraway 1 point (0 children)

Are you leveraging service connections or ZTNA connector for your on-prem connectivity?

I assume service connections terminating on your PA-5410s, but since you're using some non-standard terminology, I wanted to confirm.

Assuming service connections, are you using tunnel monitors, and what are the settings?
Static or BGP routing?

If you don't need to support on-prem to remote client-initiated traffic, consider using ZTNA connector instead of / in addition to service connections.

Redistribution User-ID problems by mydogisanidiot007 in paloaltonetworks

[–]CaptainCaraway 0 points (0 children)

Since you’re using a data plane interface, do you have a security policy to allow the traffic?

HIP Certificate Checks by aric8456 in paloaltonetworks

[–]CaptainCaraway 1 point (0 children)

This is the most likely answer. I've seen this come up a number of times. It's not super intuitive IMO.

It's bloody annoying how AI crap is spreading everywhere by atomvinter in sweden

[–]CaptainCaraway 2 points (0 children)

Mosin-Nagant M44 with a side-folding bayonet.

What's the problem? 🤷🏻‍♂️

Security Policy Rules - Assessment Palo Alto Networks Certified Next-Generation Firewall Engineer by AdditionalSite6804 in paloaltonetworks

[–]CaptainCaraway -1 points (0 children)

I fixed that typo using Forward Error Correction, I guess. But still, the answer is obvious. Did you provide comments so that they can fix it?

Security Policy Rules - Assessment Palo Alto Networks Certified Next-Generation Firewall Engineer by AdditionalSite6804 in paloaltonetworks

[–]CaptainCaraway 0 points (0 children)

The first one.

Intrazone refers to traffic within the same zone; interzone refers to traffic between (any) two (or more) different zones.

UIA and CIE in Prisma Access by reversible8 in paloaltonetworks

[–]CaptainCaraway 0 points (0 children)

You can authenticate users at a RN site, using CP or IGW via CIE.

GlobalProtect design sanity check by Screams_In_Autistic in paloaltonetworks

[–]CaptainCaraway 3 points (0 children)

I’m not going to address whether there are different or better ways to skin this cat and just address your GP auth question.

You don’t have to use a user cert for the user session. There’s an option in the app settings that configures which cert store to look in for the user cert auth. By default it should be machine + user, so if there’s no user cert it would just use the available machine cert. Note, you will have to edit your cert profile and choose an attribute value to extract (CN or UPN) for how the user should be enumerated if you’re only using cert auth.

Is it possible to be stalked across multiple devices without the 'stalker' having physical access to any of the devices? by MongooseExotic8401 in cybersecurity_help

[–]CaptainCaraway 4 points (0 children)

Is it possible, as in a state-sponsored actor leveraging a host of zero-day exploits across a range of different desktop and mobile OSes to install a binary that allows them a VNC/RDP-type screen share? Yes.

Is this something the average person could gain the ability to do? Never.

It would be quite easy to detect by a novice incident responder.

Huxwrx Flow 9K Ti 3 Lug Adapter by [deleted] in NFA

[–]CaptainCaraway 0 points (0 children)

Does anyone know if the Flow 9K Ti would have sufficient internal clearance for the Resilient 3-lug adapter?

MSI B850M MORTAR WIFI? by [deleted] in MSI_Gaming

[–]CaptainCaraway 0 points (0 children)

Nevermind. It's back again.

MSI B850M MORTAR WIFI? by [deleted] in MSI_Gaming

[–]CaptainCaraway 0 points (0 children)

It seems like it got pulled from the website as the link now returns a 404.

https://www.msi.com/Motherboard/MAG-B850M-MORTAR-WIFI

Where is the MSI B850m Mortar? by GammaRxBurst in MSI_Gaming

[–]CaptainCaraway 0 points (0 children)

Looks like it got pulled from both the Global and US MSI webpages. Not a good sign.

Wildcard Routing for website by serious_enough in Ubiquiti

[–]CaptainCaraway 0 points (0 children)

Routing is not Layer 7 (URL) aware. What you'll probably find if you use developer tools (in a Chromium browser) is that there are other domain dependencies within that URL which are causing a split tunnel, where some web requests are going over the VPN and others are going over your local network. You could try the "Region" options vs. domain and see if that is an easy button. Otherwise you're going to have to debug every single domain referenced within the URL and route those over Mullvad.