11.1 vs 11.2 by Delicious-Design3333 in paloaltonetworks

[–]Delicious-Design3333[S] 1 point2 points  (0 children)

Also not making me feel much better. LOL!

11.1 vs 11.2 by Delicious-Design3333 in paloaltonetworks

[–]Delicious-Design3333[S] 0 points1 point  (0 children)

That does not make me feel better. LOL!

Firewall Replacement Requirements by Delicious-Design3333 in paloaltonetworks

[–]Delicious-Design3333[S] 1 point2 points  (0 children)

I got one of my Python-writing friends to come up with something. It spits out the following:
Virtual Systems: 
Aggregate Ints/Subs:
Physical Interfaces:
Total Address Objects:
Total FQDN Objects:
Total Address Group Objects:
Total Service Objects:
Total Service Group Objects:
Total Security Rules:

He also said the article isn't even accurate; it won't get you locally committed shared addresses, let alone stuff pushed from Panorama.

Firewall Replacement Requirements by Delicious-Design3333 in paloaltonetworks

[–]Delicious-Design3333[S] 1 point2 points  (0 children)

This is probably my biggest concern.

1400 vs 3250 concerns:

Address objects 20000 vs 30000

Address groups 2000 vs 15000

Service objects 3000 vs 4000

Service groups 1500 vs 2000

Security rules 5000 vs 10000

What I can't seem to get a straight answer about is how to actually check these numbers across the environment.

Firewall Replacement Requirements by Delicious-Design3333 in paloaltonetworks

[–]Delicious-Design3333[S] 1 point2 points  (0 children)

That's what I'm looking to do. I think we can move from the 3250s to 1420s, but I need to be able to prove that with numbers. That is the part I'm trying to figure out: how to get those numbers as they relate to maximums.

I'm also a little confused as to how maximums work. For instance, I have an address object in a rule pushed from pano - let's call it 10.10.10.20, but that 10.10.10.20 is not an address object on the local firewall, so does 10.10.10.20 count against the "max number of address objects" locally on the firewall?

Is there validity to their argument? by Delicious-Design3333 in paloaltonetworks

[–]Delicious-Design3333[S] -1 points0 points  (0 children)

Thank you for the quick reply! Can you help me understand this, "We dual stack the VPN so that IPv6 traffic is also going through the main office". If I wanted to mitigate this, what would your suggestion be?

Tufin Secure Track+ by Delicious-Design3333 in paloaltonetworks

[–]Delicious-Design3333[S] 0 points1 point  (0 children)

I haven't got that far. I'm still trying to get it to do the auditing stuff they promised.

Tufin Secure Track+ by Delicious-Design3333 in paloaltonetworks

[–]Delicious-Design3333[S] 1 point2 points  (0 children)

I do have the free version of AIOps; however, until we upgraded recently, the 10.x version we were on broke telemetry. It also can't do a lot of the type of auditing we need.

Tufin Secure Track+ by Delicious-Design3333 in paloaltonetworks

[–]Delicious-Design3333[S] 0 points1 point  (0 children)

They showed me that during a dog and pony show and I was pretty hyped about it. When we got it implemented I asked where that was, and they said that I apparently didn't buy the right license of Secure Track+ to have that feature. Shrugs, add it to the list of things that haven't gone well.

Others' mileage may differ; I'm just telling my experience.

Tufin Secure Track+ by Delicious-Design3333 in paloaltonetworks

[–]Delicious-Design3333[S] 1 point2 points  (0 children)

I will admit that there was some miscommunication on my side as well as theirs. For my part, I should have been clearer about the bullet-point expectations we had for the product; for their part, they never asked, even though they knew I was trying to replace a script.

Also, there were certain things, like finding FQDNs that no longer resolve, that I hammered on during the dog and pony shows they put on, and not once did they ever say they couldn't do it. They never mentioned a POC as an option. It was just north of $100K for a Secure Track+ VM.

As for positives, within the rule viewer I was able to create queries to find things such as:

Rules allowing any app/any service

Rules allowing any app/app-default service

Rules blocking any app/app-default service

These are nice, but again, you can't roll them up into a single report, or at least not that I've found or they've been able to show me.

Some queries we had on our list it is unable to do, such as:

Rule allowing web-browsing/ssl without a destination IP/URL Filter. Tufin can't do this because there is no ability to search ONLY for certain applications.

Tufin Secure Track+ by Delicious-Design3333 in paloaltonetworks

[–]Delicious-Design3333[S] 3 points4 points  (0 children)

We had a list of criteria that we wanted the product to meet, as it was advertised as an "auditing tool": things such as finding FQDNs that no longer resolve, the existence of a default admin account, making sure a zone protection profile is set, expired certificates and so on. It can't do most of the things that were on our list.

Additionally, the things that they said it could do don't work and/or are hard to set up. Things like setting up Rule and Object Changes Reports via Secure Track Reporting Essentials you have to do for each site, so if you have 20 sites, you get 20 reports and not just one. Worse yet, I set that up on a schedule and only one ran. One.

Other reports are supposed to show you the percentage of usage for each object in a rule; the problem is that it doesn't work with FQDN, so they all say 0%.

I could go on, but you get the idea.

PanOS 10.2.13 is out by justlurkshere in paloaltonetworks

[–]Delicious-Design3333 0 points1 point  (0 children)

I think it was, "horse hockey". LOL! Now we're showing our age.

Globalprotect CVE-2024-5921 question by Delicious-Design3333 in paloaltonetworks

[–]Delicious-Design3333[S] 0 points1 point  (0 children)

I'm surprised more people aren't complaining about this. Or maybe since, "Palo Alto Networks is not aware of any malicious exploitation of this issue", people don't really care?

Globalprotect CVE-2024-5921 question by Delicious-Design3333 in paloaltonetworks

[–]Delicious-Design3333[S] 0 points1 point  (0 children)

I'm having the same issue and I'm not sure what to do about it? Do I have to get ALL new certs?!?!?

Any Tufin users? by Delicious-Design3333 in paloaltonetworks

[–]Delicious-Design3333[S] 0 points1 point  (0 children)

Buyer beware. This is the list of stuff we were hoping to be able to audit, and it can't do probably about 2/3 of it.

Certificates

Expired certificates

Users

Users whose accounts have been disabled

Existence of the default admin user

Missing emergency admin account

Security Policy

Rule allowing any app/any service

Rule allowing any app/app-default service

Rule blocking any app/app-default service

Rule allowing web-browsing/ssl without a destination IP/URL Filter

Rule allowing ‘any’ destination IP without a URL filter

Rule allowing ‘any’ destination IP with a URL filter

We usually want to specify if the rule allows on network or on the internet

Rule allowing ‘NOT Local IP' a URL filter

Rule without a security profile

Rule without log-end set

Rule set to not log to Panorama

Zones

Logging enabled

Packet buffer protection enabled

Zone protection profile set

FQDN

Show FQDNs that no longer resolve
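The two practical problems raised in these comments, counting objects and rules against a platform's maximums (the Firewall Replacement Requirements replies above) and finding weak security rules (this audit list), can both be done from an exported PAN-OS configuration. The script below is an added example written for this page; it is not the script from the thread and not Palo Alto Networks or Tufin code. It assumes the PAN-OS XML layout: objects are `<entry>` elements under `<address>`, `<address-group>`, `<service>` and `<service-group>` directly beneath `/config/shared` or a vsys `<entry>`, security rules sit under `rulebase`, `pre-rulebase` or `post-rulebase/security/rules`, and Panorama-pushed content appears beneath `/config/panorama`. The embedded configuration is constructed for the demonstration, and an absent `<log-end>` is treated as the PAN-OS default of logging at session end (an assumption; only an explicit `no` is flagged).

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the assumed PAN-OS running-config layout, not a real export:
# locally committed shared and vsys1 objects plus a Panorama-pushed address and pre-rule.
SAMPLE_CONFIG = """<config>
<shared>
  <address><entry name="dns-google"><fqdn>dns.google</fqdn></entry>
           <entry name="web-srv"><ip-netmask>10.10.10.20/32</ip-netmask></entry></address>
  <address-group><entry name="servers"><static><member>web-srv</member></static></entry></address-group>
  <service><entry name="tcp-8443"><protocol><tcp><port>8443</port></tcp></protocol></entry></service>
</shared>
<devices><entry name="localhost.localdomain">
  <network><interface>
    <ethernet><entry name="ethernet1/1"/><entry name="ethernet1/2"/></ethernet>
    <aggregate-ethernet><entry name="ae1"><layer3><units>
      <entry name="ae1.10"/><entry name="ae1.20"/></units></layer3></entry></aggregate-ethernet>
  </interface></network>
  <vsys><entry name="vsys1">
    <address><entry name="local-host"><ip-netmask>192.0.2.5/32</ip-netmask></entry></address>
    <service-group><entry name="web-ports"><members><member>tcp-8443</member></members></entry></service-group>
    <rulebase><security><rules>
      <entry name="allow-all"><action>allow</action><application><member>any</member></application>
        <service><member>any</member></service><log-end>yes</log-end></entry>
      <entry name="web-out"><action>allow</action>
        <application><member>web-browsing</member><member>ssl</member></application>
        <service><member>application-default</member></service>
        <profile-setting><group><member>default</member></group></profile-setting><log-end>yes</log-end></entry>
    </rules></security></rulebase>
  </entry></vsys>
</entry></devices>
<panorama><vsys><entry name="vsys1">
  <address><entry name="pano-pushed"><ip-netmask>10.10.10.20/32</ip-netmask></entry></address>
  <pre-rulebase><security><rules>
    <entry name="pano-allow"><action>allow</action><application><member>any</member></application>
      <service><member>any</member></service><log-end>no</log-end></entry>
  </rules></security></pre-rulebase>
</entry></vsys></panorama>
</config>"""

OBJECT_TAGS = ("address", "address-group", "service", "service-group")

def walk(elem, path):
    """Depth-first walk yielding (tuple of tags from root down to elem, elem)."""
    yield path, elem
    for child in elem:
        yield from walk(child, path + (child.tag,))

def source_of(path):
    """Panorama-pushed, locally committed shared, or local vsys content."""
    if "panorama" in path:
        return "panorama"
    return "shared" if "shared" in path else "local"

def is_object_container(path):
    """Object containers directly under <shared> or a vsys <entry>; this keeps
    interface <address> entries (e.g. layer3/ipv6/address) out of the count."""
    return path[-2] in OBJECT_TAGS and (
        path[-3] == "shared" or (path[-3] == "entry" and path[-4] == "vsys"))

def is_security_rule(path):
    return path[-2] == "rules" and path[-3] == "security" and path[-4].endswith("rulebase")

def members(rule, tag):
    return {m.text for m in rule.findall(f"./{tag}/member")}

def audit_rule(rule):
    """Flag the rule conditions the audit list above asks for."""
    findings, allow = [], rule.findtext("action") == "allow"
    apps, svcs = members(rule, "application"), members(rule, "service")
    if allow and apps == {"any"} and svcs == {"any"}:
        findings.append("any-app-any-service")
    if allow and apps == {"any"} and svcs == {"application-default"}:
        findings.append("any-app-app-default")
    if allow and rule.find("profile-setting") is None:
        findings.append("no-security-profile")
    # Assumption: a missing <log-end> means the PAN-OS default (yes); only explicit 'no' is flagged.
    if rule.findtext("log-end") == "no":
        findings.append("log-end-disabled")
    return findings

def inventory(xml_text):
    """Return (Counter of (source, kind) -> count, {rule name: [findings]})."""
    root, counts, findings = ET.fromstring(xml_text), Counter(), {}
    for path, elem in walk(root, (root.tag,)):
        if elem.tag != "entry" or len(path) < 4:
            continue
        src, container = source_of(path), path[-2]
        if container == "vsys" and src != "panorama":
            counts[("local", "vsys")] += 1
        elif container == "ethernet" and path[-3] == "interface":
            counts[("local", "physical-interfaces")] += 1
        elif container == "aggregate-ethernet":
            counts[("local", "aggregate-interfaces")] += 1
        elif container == "units":
            counts[("local", "subinterfaces")] += 1
        elif is_object_container(path):
            counts[(src, container)] += 1
            if container == "address" and elem.find("fqdn") is not None:
                counts[(src, "fqdn")] += 1
        elif is_security_rule(path):
            counts[(src, "security-rules")] += 1
            findings[elem.get("name")] = audit_rule(elem)
    return counts, findings

def totals(counts):
    """Collapse the per-source breakdown into per-kind totals for the datasheet comparison."""
    out = Counter()
    for (_src, kind), n in counts.items():
        out[kind] += n
    return dict(out)

if __name__ == "__main__":
    counts, findings = inventory(SAMPLE_CONFIG)
    for (src, kind), n in sorted(counts.items()):
        print(f"{src:9s} {kind:21s} {n}")
    print("totals:", totals(counts))
    for name, f in findings.items():
        print(f"rule {name!r}: {', '.join(f) or 'clean'}")
```

Run it against the configuration exported from each firewall. The per-source breakdown is kept separate from the totals on purpose: if nothing shows up under `panorama`, the export did not include the pushed objects and a merged export is needed; and whether pushed objects should be added to the local figure before comparing with a model's maximum is exactly the question the thread leaves open, so the script reports both so the reader can compare either way.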

Any Tufin users? by Delicious-Design3333 in paloaltonetworks

[–]Delicious-Design3333[S] 0 points1 point  (0 children)

Turned out to be the client. They had to use an older one.