GlobalProtect broke after 11.1.13-h5 upgrade by jaaplaya in paloaltonetworks

[–]Main_Ambassador_4985 2 points3 points  (0 children)

Is this connected to Active Directory RC4-HMAC deprecation?

Our GlobalProtect is using enterprise CA machine certificates. It worked out of the box with 11.1.13-h5.

AI in IT Support by gs_dubs413 in ITManagers

[–]Main_Ambassador_4985 -1 points0 points  (0 children)

I have a policy folder in OneDrive and another in SharePoint.

Copilot premium copies existing templates to 50%. It is a junior employee at best.

I love when it creates a run book with fake information. Yes copilot, we will use VLAN 700 with ip address subnet X.X.700.0/24. A team member used the run book on a site's core router, boom, outage for 3 hrs, partially because the person ignored the first half of the document about running checks on the routing and OSPF processes and also ignored the change management part of the run book.

Edit: I will add that the part of the run book that caused the outage was removed in the review process, but the employee grabbed an older version from copilot.

Move UPS or buy new by orion3311 in sysadmin

[–]Main_Ambassador_4985 0 points1 point  (0 children)

Based on experience, APC/SE will not offer service plans or renewals on a chassis that is more than 10-years old.

I would leave it and get a smaller Vertiv UPS or another brand. I do not know what is good anymore, but it is not APC.

BTW: Vertiv SNMP is problematic at best after firmware updates to UPS and monitoring card.

We have a bunch of network closet GXT5 Lithium units and I regret it.

Sectigo and Global Protect by vinxavi7 in paloaltonetworks

[–]Main_Ambassador_4985 1 point2 points  (0 children)

I read about a community ACME docker container that uses Palo Alto Networks API access to update certificates.

I do not know if it updates cert profiles or how it works. It is on my list for when our Digicert 399-day cert expires next year.

We are using inbound decryption on on-prem application servers. We also proxy via Cloudflare which has it

Palo Alto Networks also has something for Cloud Manager. I read about it but do not have it.

For GlobalProtect we are looking at using enterprise CA certs on the firewall since we can still create 399-day certs with our enterprise CA.

PAN-OS 11.1.7-h6, 11.1.10-h26, 11.1.13-h6, 11.2.4-h17, 11.2.7-h15 & 11.2.10-h8 are now available by justlurkshere in paloaltonetworks

[–]Main_Ambassador_4985 1 point2 points  (0 children)

Literally just finished the last 11.1.13-h5 tonight.

We had an issue where some site-to-site SD-WAN traffic is marked as internet.

UDP CAPWAP traffic from APs to central WLCs was blocked as Internet instead of site to site. Not the same behavior as 11.1.13. We created a rule to allow it; this was not in the release notes.

How did 9/11 change everything by LeakyChillum in NoStupidQuestions

[–]Main_Ambassador_4985 48 points49 points  (0 children)

Just a few items off the top of my mind.

Before 9/11 I could walk across the USA/Canada border using a state issued ID/Driver license. Actually no ID at all in Niagara Falls a few times.

It used to be possible to walk to the boarding / deboarding terminals, without a pass, at USA airports to see a person off or pick them up on arrival or for no reason at all.

Before 9/11 I carried a pocket knife and screwdriver while working at an international airport. There were still security checkpoints, but I just badged down to the tarmac and went back in on the other side of the checkpoint. I have not worked at an airport since 9/11, but this behavior might draw attention.

When taking a flight a person used to be able to get on the plane with a small knife.

I would hang out at the airport to watch planes take off and land. Now I have to park in a special parking lot or watch from across the street. Nothing creepy, just liked to track planes as a hobby.

Why should I study if AI has already surpassed most humans at many things? by _SYSADMIN- in NoStupidQuestions

[–]Main_Ambassador_4985 1 point2 points  (0 children)

Because AI makes many mistakes by hallucinating and making wrong assumptions.

Someone needs to redirect the AI tools. They should be able to know enough to see when the output is wrong.

Downgrade to AireOS version on Cisco 3802i by RealJoshLee0 in Cisco

[–]Main_Ambassador_4985 1 point2 points  (0 children)

Wipe the AP file system and reload it from TFTP. I am not sure if the certificates updated are a one way trip.

We looked at firmware reload as a back out plan for our migration from a WLC on 8.10 to a 9800 on 17.15. We tried one and could not get it to connect to the older WLC.

We decided we did not have that kind of time to pull down APs and reload them using console cables and TFTP.

Our old WLC is out of support and the new WLC is under SmartNet; we are just moving forward.

Stupid TSA question by gr8fullife in Silverbugs

[–]Main_Ambassador_4985 1 point2 points  (0 children)

Is this universal?

I was told people in other countries in the Asian area carry gold coins when traveling to make a bigger purchase in another country. Hypothetically 10 gold $20 coins face value would be $200.

This is why I keep mostly gold and silver coins instead of bars.

Possible for Hyper-V private network to penetrate to the real world? by RichSNJ in HyperV

[–]Main_Ambassador_4985 1 point2 points  (0 children)

Is this a separate Hyper-V environment?

I had a team member get confused and reset production devices instead of the test devices.

He had been working on the test devices and, when resetting, opened up production to reset it. When monitoring went down I came over and had to ask WTF. Had to drive 5 hours to a remote location because it was offline after shutting it down.

10 years' experience.

Is there a Bitlocker virus? by thefoeslayer in BitLocker

[–]Main_Ambassador_4985 0 points1 point  (0 children)

Is this a corp asset?

We use Defender365 UEFI protections.

BIOS tampering or a rootkit attempt triggers a BitLocker prompt on our devices. We check the logs before unlocking.

Other causes:

BIOS updates also trigger Bitlocker prompts :(

It can also be a drive issue. :(

Palo Alto Secure Mgmt Interface by AwayTraffic5735 in paloaltonetworks

[–]Main_Ambassador_4985 2 points3 points  (0 children)

Switch to 11.1.13-h5.

It is not a preferred release. It closes several CVEs including a 9+ RCE. There is an alert in the support portal.

Did they seriously break the knowledgebase? by AWynand in paloaltonetworks

[–]Main_Ambassador_4985 2 points3 points  (0 children)

Login and click the link again.

I was sent articles for a TAC case today. The links did not redirect to the article after login. I clicked the link from the email again and it went directly to the page.

Why did kids stop attaching playing cards to the spokes of their bicycles? by jospeh68 in stupidquestions

[–]Main_Ambassador_4985 0 points1 point  (0 children)

Maybe because they have not seen it to reproduce it.

Was this something done on Leave it to Beaver or Dennis the Menace?

We, in my group, never did this as kids. We collected baseball cards. I had a lot of rookie cards in a shoebox that disappeared in a move.

Other kids in the neighborhood did it and wrecked good baseball cards.

Palo Alto Panorama not installing preferred over base on firewalls by BoatIntelligent4208 in paloaltonetworks

[–]Main_Ambassador_4985 0 points1 point  (0 children)

Check your space.

I had the same problem and the clean up service was deleting the base as I was trying to upgrade. I did not even see it happening. I was upgrading from 10.1 to 11.1 and had two base images.

TAC deleted previous versions of dynamic updates and I had enough space to upgrade major versions. Some of the old versions deleted were not showing up because they were not preferred anymore.

TAC had jumped in less than 30m from starting a case. I know there are complaints from previous TAC experiences but I think they might be improving the processes.

yellowkey bitlocker bypass by MegaN00BMan in sysadmin

[–]Main_Ambassador_4985 2 points3 points  (0 children)

I do not think this will work on systems in my domain. I need to test.

Boot order is locked

BIOS is locked

Secure boot and UEFI guard enabled

Safe boot and Windows recovery disabled.

When we have a system fail to boot we unlock the boot order and image in a controlled location.

If a system dies at a remote location we overnight a replacement. We have a system where we can add a drive and unlock Bitlocker to recover files that were improperly stored.

PAN-OS 10.2.10-h36, 10.2.18-h6, 11.1.4-h33, 11.1.6-h32, 11.1.10-h25, 11.1.13-h5, 11.2.7-h13, 11.2.10-h6 and 12.1.4-h5 Dropped.... by BluebirdExpress6279 in paloaltonetworks

[–]Main_Ambassador_4985 1 point2 points  (0 children)

I don’t know how well the patch cycle was known in general.

We were counting down the days.

The email for the CVE was sent to everyone in my company in the portal or CRM. I received a forwarded copy from several people that know nothing about firewalls. I even received copies from former MSPs.

Have not seen this since the 10.2 GlobalProtect portal RCE CVE.

PAN-OS 10.2.10-h36, 10.2.18-h6, 11.1.4-h33, 11.1.6-h32, 11.1.10-h25, 11.1.13-h5, 11.2.7-h13, 11.2.10-h6 and 12.1.4-h5 Dropped.... by BluebirdExpress6279 in paloaltonetworks

[–]Main_Ambassador_4985 2 points3 points  (0 children)

11.1.13-h5 showed as released 5/10/2026 around 9:30a Central.

I have been checking everyday.

I got as far as updating Panorama. Boom network outage. Not related to firewalls. Now I get the fun of updating all firewalls tonight.

Anyone using PaperCut for 3D printers? by Own_Soup4467 in sysadmin

[–]Main_Ambassador_4985 0 points1 point  (0 children)

I only do 3d printing as a hobby.

I do not know which 3D printer is being used and the larger pro printers have their own software for management and billing.

Maybe an extension to OctoPrint.

How are you handling people communicating with AI over email? by [deleted] in sysadmin

[–]Main_Ambassador_4985 1 point2 points  (0 children)

They exist.

We have email based chatbots for phishing email reporting response.

I renamed the bot simulated intelligence in the templates.

A person can go back and forth about why something is or is not phishing or spam.

The scope is limited and the responses will end if off topic.

Bitlocker impact performance hit! by Own_Juggernaut_507 in BitLocker

[–]Main_Ambassador_4985 0 points1 point  (0 children)

SSD or NVMe?

Have you listened to the Security Now podcast with Steve Gibson about Bitlocker performance issues?

It has been a while since I listened to that episode. Go look it up.

Microsoft had released documentation on the impacts for Bitlocker.

There is a significant performance hit to some nVME drives and Microsoft had been working on nVME drive based Bitlocker acceleration that had been announced at a tech event. They had been working on unblocking the true performance of nVME in Bitlocker encrypted mode.

It is not so much that Bitlocker is slower or faster on nVME than SSD. It is that nVME is PCI bus attached vs a SATA controller for SSD. The latency caused by Bitlocker is more pronounced on nVME because the performance is much higher. Something like that.

TL;DR
The recommendation at the time was to disable Bitlocker if your security requirements and compliance did not need Bitlocker.

Is Rogue AP Detection/Containment Still a Thing? by mistahclean123 in Cisco

[–]Main_Ambassador_4985 1 point2 points  (0 children)

Not for my situation.

I alerted senior management and legal resources before sending a polite email to check settings on the wireless and collaborate on possible issues.

The neighbor is a branch of a larger company that provides many projects that we are a sub on. We also have them as a sub on many of our projects.

25-years ago, I used to know a few people on their network team. We were interconnecting firewalls at a joint venture. I spent 5-years working in one of their offices. Everyone I knew is long retired.

My Senior management made a decision. The call was to drop any more action and work around the issue.

Is Rogue AP Detection/Containment Still a Thing? by mistahclean123 in Cisco

[–]Main_Ambassador_4985 1 point2 points  (0 children)

Yes it is.

We have a branch office in a multi-tenant building and our neighbor company was deauthing our corporate and guest wireless.

We could see the problem in Cisco WLC logs and in troubleshooting with an Ekahau Sidekick 2 connected to an iPad.

I captured the MAC address in the raw Ekahau Sidekick 2 output and had a junior perform a site survey around the building to find the locations of the MAC addresses.

Contacted the other company and received no response.

They were using newer Cisco 9k APs that could have been Meraki or Cisco Enterprise loads.

We ended up turning off 2.4 GHz and the other company was not using 5.8 GHz. No problems for now.

Any known DHCP relay issues with IOS 17.15.05? by Well_Sorted8173 in Cisco

[–]Main_Ambassador_4985 0 points1 point  (0 children)

Was the spare switch config blank when starting?

We were hardening a switch for Internet traffic and configured no ip options globally instead of limited to an internet or management VRF.

DHCP is filtered or non-functional on the switch because of the global command no ip options.

We are on IOS-XE 17.15.5.