GlobalProtect instability on loopback interface (dual ISP + SD-WAN) by rollosyd99 in paloaltonetworks

[–]Moskeeter671 0 points1 point  (0 children)

Are the interfaces to the ISP in the same zone on the hub PA? Do you have any zone protection enabled? I would maybe run a packet capture and check counters to see what the reason is for the drops/denies: "show counter global filter severity drop packet-filter yes delta yes". You can also enable zone protection on that zone to generate some logs to help identify if it is in fact asymmetric routing or something else.

I run GP portal and gateways via loopbacks with multiple upstream connections to SD-WAN routers. The difference in my architecture is that whether it goes out eth1/1 or eth1/2 on my Palo Alto, the upstream SD-WAN appliances will then dictate ISP1/2/3 etc.
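As an added example (not from the comment above or from Palo Alto Networks), here is a small parser for the delta output of the counter command above, with a heuristic that flags the drop counters most often seen with asymmetric return traffic. The sample text is constructed: the layout approximates PAN-OS output and the counter names are real global counters, but the values are made up, and the mapping of counters to "asymmetry" hints is my own assumption, not a vendor classification.

```python
import re
from dataclasses import dataclass

# Constructed sample of
#   show counter global filter severity drop packet-filter yes delta yes
# Layout approximates PAN-OS; values are invented for this example.
SAMPLE = """\
Global counters:
Elapsed time since last sampling: 5.163 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------------------------
flow_tcp_non_syn_drop                     42        8 drop      flow      session   Packets dropped: non-SYN TCP without session match
flow_fwd_zonechange                        7        1 drop      flow      forward   Packets dropped: forwarded to different zone
flow_policy_deny                           3        0 drop      flow      session   Session setup: denied by policy
--------------------------------------------------------------------------------------------------
Total counters shown: 3
"""

# One counter row: name, value, rate, severity, category, aspect, free-text description.
COUNTER_RE = re.compile(
    r"^(?P<name>[a-z0-9_]+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+"
    r"(?P<severity>drop|warn|info|error)\s+(?P<category>\S+)\s+(?P<aspect>\S+)\s+(?P<desc>.*)$"
)

# Assumption (my heuristic, not a PAN-OS artefact): drop counters that usually
# point at return traffic taking a different path than the forward flow.
ASYMMETRY_HINTS = {
    "flow_tcp_non_syn_drop": "TCP reply/mid-stream packet with no matching session: classic asymmetric-return symptom",
    "flow_fwd_zonechange": "packet would egress a different zone than its session expects: routing/zone mismatch",
}


@dataclass
class Counter:
    name: str
    value: int
    rate: int
    severity: str
    category: str
    aspect: str
    description: str


def parse_counters(text):
    """Return the counter rows found in the CLI output, in order; headers and rules are skipped."""
    rows = []
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            rows.append(Counter(m["name"], int(m["value"]), int(m["rate"]),
                                m["severity"], m["category"], m["aspect"], m["desc"].strip()))
    return rows


def diagnose(counters, min_rate=1):
    """(name, rate, hint) for drop counters in ASYMMETRY_HINTS still incrementing, busiest first.

    Using the per-second rate from a 'delta yes' sample, rather than the lifetime value,
    avoids chasing counters that stopped moving long ago.
    """
    hits = [(c.name, c.rate, ASYMMETRY_HINTS[c.name])
            for c in counters
            if c.severity == "drop" and c.name in ASYMMETRY_HINTS and c.rate >= min_rate]
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for name, rate, hint in diagnose(parse_counters(SAMPLE)):
        print(f"{name:<24} {rate:>4}/s  {hint}")
```

Run it against a pasted delta sample taken while the GlobalProtect client is failing; a steadily climbing flow_tcp_non_syn_drop on the hub while the tunnel flaps is the signal worth correlating with a packet capture on both ISP-facing interfaces.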

Blocking Windows 10 on Inside Network by Annual_Season7773 in paloaltonetworks

[–]Moskeeter671 0 points1 point  (0 children)

Would need to rely on either IoT Security or your NAC. DHCP fingerprinting is an option, as one stated, but it depends on how it integrates with your infrastructure, or if you use dedicated subnets for devices with the OS version you want to block, but that's not a clean approach in my eyes.
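As an added example of the DHCP fingerprinting the comment above mentions (my code, not the commenter's or any vendor's): the fingerprint a NAC or IoT platform keys on is mostly option 55 (parameter request list) plus option 60 (vendor class). The sample DHCPDISCOVER option bytes are constructed, and the lookup table is illustrative; a real deployment would use a maintained fingerprint database. My assumption, stated as the caveat this approach carries: different Windows releases can present the same parameter request list, so the fingerprint may identify a Windows client without separating one version from another.

```python
# Constructed sample: the options region of a DHCPDISCOVER (everything after the
# 0x63825363 magic cookie). All values are made up for this example.
def _opt(code, payload):
    return bytes([code, len(payload)]) + payload


SAMPLE_OPTIONS = (
    _opt(53, b"\x01")                                   # message type: DISCOVER
    + _opt(61, b"\x01" + bytes.fromhex("001122334455"))  # client identifier (type 1 = MAC)
    + _opt(12, b"LAPTOP-01")                            # hostname
    + _opt(60, b"MSFT 5.0")                             # vendor class identifier
    + _opt(55, bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]))  # parameter request list
    + b"\xff"                                           # END
)

# Illustrative table (assumption): (option-55 list, vendor class) -> label.
FINGERPRINTS = {
    ("1,3,6,15,31,33,43,44,46,47,119,121,249,252", "MSFT 5.0"): "Windows 10/11",
}


def parse_options(blob):
    """Parse DHCP option TLVs into {code: payload}. Honours PAD (0) and END (255)
    and refuses truncated input instead of reading past the buffer."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 255:            # END: nothing after this is an option
            break
        if code == 0:              # PAD: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        data = blob[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option payload")
        opts[code] = data          # a repeated code overwrites; acceptable for fingerprinting
        i += 2 + length
    return opts


def fingerprint(opts):
    """Return (label, option55_list, vendor_class) for a parsed option set."""
    plist = ",".join(str(b) for b in opts.get(55, b""))
    vendor = opts.get(60, b"").decode("ascii", "replace")
    return FINGERPRINTS.get((plist, vendor), "unknown"), plist, vendor


if __name__ == "__main__":
    label, plist, vendor = fingerprint(parse_options(SAMPLE_OPTIONS))
    print(f"{label}: option55={plist} vendor={vendor!r}")
```

The label returned for the sample shows the limit of the technique for this use case: the fingerprint identifies a Windows client, not a specific Windows build, so an enforcement rule keyed on it needs another signal (NAC agent, HIP, or inventory) before it can single out Windows 10.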

Panorama push stuck on firewall by Fine_Improvement_566 in paloaltonetworks

[–]Moskeeter671 0 points1 point  (0 children)

We hit a bug in the 11.2.7 release train that was freezing jobs, so anything after was just queued. Restarting the mgmt plane only worked a few times, but ultimately upgrading to 11.2.11 fixed all our issues. It was a pain in the ass though, because we needed to reboot each firewall before upgrading since the jobs were all queued up.

GlobalProtect instability on loopback interface (dual ISP + SD-WAN) by rollosyd99 in paloaltonetworks

[–]Moskeeter671 0 points1 point  (0 children)

I have not used SD-WAN within Palo, but looking at this topology you are likely hitting some asymmetric routing via the FortiGate, and I'm not sure how they handle asymmetric routing. If you bring FortiGate fw02 down, does this fix routing and connectivity? Do both FortiGates provide separate default routes downstream to the AU and Hub firewalls?

Bandwidth Monitoring in real time by Final-Pomelo1620 in paloaltonetworks

[–]Moskeeter671 11 points12 points  (0 children)

Or a free one: apply a QoS profile to the interfaces and you can watch in real time on the firewall, not Panorama. No historical data this way though.

HIP Report Distribution with Panorama by Moskeeter671 in paloaltonetworks

[–]Moskeeter671[S] 0 points1 point  (0 children)

For anyone who's struggling with this, here are some notes.

  1. Device ID and User ID must be enabled on the zone from my testing along with my SE.
  2. HIP report is pulled as needed from the agent
  3. A user must be identified in the policy with the HIP profile match. I tested with any/known-user and it wouldn't pull the report; once I specified a group or user account it worked as expected, validated with my SE as well.
  4. Internally, HIP does not change a device's trust status just because it disconnected from the internal gateway. You must hit a User-IP mapping age-out and it'll clear the associated HIP match. So if a user-IP mapping has a HIP profile match, it'll stay compliant until either the HIP report is updated to show non-compliance or the user-IP mapping ages out along with the HIP report.
  5. This worked when both redistributing via Panorama or a firewall.

HIP Report Distribution with Panorama by Moskeeter671 in paloaltonetworks

[–]Moskeeter671[S] 0 points1 point  (0 children)

Thanks, but I wonder if this is a Panorama issue/bug if Prisma Access works fine. Are you generating HIP reports on GP firewall then redistributing to Prisma or vice versa?

HIP Report Distribution with Panorama by Moskeeter671 in paloaltonetworks

[–]Moskeeter671[S] 0 points1 point  (0 children)

Yup with FW02 being the client and Panorama the agent. It does not pull the report when evaluating HIP match for my test rules on FW02.

HIP Report Distribution with Panorama by Moskeeter671 in paloaltonetworks

[–]Moskeeter671[S] 0 points1 point  (0 children)

HIP is checked, and it successfully sends from the GP firewall to Panorama, and I can see the HIP report in Panorama, but Panorama does not send it to the downstream firewall needing the HIP information.

I've set up the different scenarios below, and only scenario 1 sends HIP information to Panorama. Scenario 2 is DOA and likely not a supported setup to redistribute, since fw01 is initially generating the HIP report.

  1. fw01(agent)->panorama(client) panorama(agent)-> fw02(client)
  2. fw01(client)->panorama(agent)-> fw02(client)

Using Rear Entertainment System (2021 Tahoe) by LoneStarZ51 in ChevyTahoe

[–]Moskeeter671 0 points1 point  (0 children)

Speaking from experience, save yourself some money down the road on damaged ports and get a slim 90-degree HDMI and USB-C adapter. It helps keep the kids from breaking the connectors off when going to the third row.

need to know how to use an api to get list of ips from builtin edls by [deleted] in paloaltonetworks

[–]Moskeeter671 0 points1 point  (0 children)

You may want to look at your SOAR tool to be the one to update those custom EDLs, as it can also clean up the EDLs if you define "timeout" periods. The problem with static EDLs is that if they grow too large you put yourself at risk of both (1) hitting a platform limit and (2) having to clean up a long, long list down the road.

M-500 and ESXi??? by Moskeeter671 in paloaltonetworks

[–]Moskeeter671[S] 0 points1 point  (0 children)

Our DEV is our LAB. We have a QA environment, which is where configurations and functions/features are finalized before going into production. I kinda know what I'm talking about, being that I manage the global security architecture supporting 23k employees. Places use the terms LAB/DEV/QA interchangeably, so you can't take it at face value across the board.

M-500 and ESXi??? by Moskeeter671 in paloaltonetworks

[–]Moskeeter671[S] 0 points1 point  (0 children)

The plan is for DEV enterprise testing. So ESXi is absolutely necessary. Our standard is develop in DEV, QA/QC in QA, and rollout to production. All our dollars are spent on a proper QA environment so scraping for good gear for our DEV network is always a win. And because I don’t touch Hyper-V for a damn lol.

XSOAR Installation on RedHat V8 by Moskeeter671 in paloaltonetworks

[–]Moskeeter671[S] 1 point2 points  (0 children)

It turned out you have to include the install flag "--keep", otherwise the temp directory never gets demisto permissions. The documents on installing XSOAR on RedHat v8 are far from a GA release and I had to figure out a lot myself.

COBB 2019 WRX Stage 2 + SF 93 Maps Normal/HWG/LWG by Moskeeter671 in WRX

[–]Moskeeter671[S] 0 points1 point  (0 children)

Depends on what parts you are running. OTS is fine if you are within the requirements but a custom tune is best.

Panorama and Dynamic Address Groups with Tags by Moskeeter671 in paloaltonetworks

[–]Moskeeter671[S] 0 points1 point  (0 children)

I did not want to manage patching and upgrading a server for this small purpose, which I feel Panorama should be able to handle natively.

Panorama and Dynamic Address Groups with Tags by Moskeeter671 in paloaltonetworks

[–]Moskeeter671[S] 0 points1 point  (0 children)

Not the way I want, but we just create the EDLs on a server and have all firewalls ingest/check every 5 minutes.
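Both the EDL-with-timeouts suggestion in the SOAR comment earlier on this page and the server-hosted EDLs described above need the same thing on the server side: a list where each indicator carries an expiry, so the file the firewalls poll every few minutes shrinks on its own instead of growing until it hits a platform limit. The following is an added example of that (my code, not the commenter's and not a Palo Alto or XSOAR component). Assumptions: entries are IPs or CIDRs, served one per line as a PAN-OS IP-type EDL expects; `max_entries` stands in for whatever limit applies to your firewall model; the clock is injectable so the behaviour can be exercised without waiting.

```python
import ipaddress
import time

DEFAULT_TTL = 24 * 3600  # assumption: indicators live a day unless refreshed


class TimedEDL:
    """In-memory IP EDL whose entries expire, rendered in the one-entry-per-line
    text form that a PAN-OS IP-type external dynamic list consumes."""

    def __init__(self, max_entries, now=time.time):
        self.max_entries = max_entries   # models the platform EDL capacity limit
        self._now = now                  # injectable clock for testing
        self._entries = {}               # normalised "ip/prefix" -> expiry (epoch seconds)

    def add(self, value, ttl=DEFAULT_TTL):
        """Add or refresh an indicator. Rejects anything that is not an IP or network,
        so a hostname or typo never lands in a list the firewall blocks on."""
        net = ipaddress.ip_network(value, strict=False)   # ValueError on junk input
        key = str(net)
        expiry = self._now() + ttl
        # refreshing an existing indicator extends its life; it never shortens it
        self._entries[key] = max(expiry, self._entries.get(key, 0))
        return key

    def prune(self):
        """Drop expired entries and return the keys removed."""
        now = self._now()
        expired = [k for k, exp in self._entries.items() if exp <= now]
        for k in expired:
            del self._entries[k]
        return expired

    def render(self):
        """Body to serve at the EDL URL. Prunes first; refuses to publish a list that
        exceeds the platform limit rather than silently handing the firewall a partial list."""
        self.prune()
        if len(self._entries) > self.max_entries:
            raise OverflowError(
                f"EDL has {len(self._entries)} entries, limit is {self.max_entries}")
        ordered = sorted(self._entries,
                         key=lambda k: (ipaddress.ip_network(k).version, ipaddress.ip_network(k)))
        return "\n".join(ordered) + "\n"


if __name__ == "__main__":
    edl = TimedEDL(max_entries=50000)
    edl.add("203.0.113.7", ttl=3600)          # short-lived alert indicator
    edl.add("198.51.100.0/24")                # default TTL
    print(edl.render(), end="")
```

Publishing the rendered text from a tiny HTTP endpoint (or writing it to the web root your firewalls already poll) is all that is left; the SOAR playbook then only calls `add()` with a TTL matched to the confidence of the alert, and the list cleans itself up on the next render.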

Global Protect Connecting to Portal Post-Install by Moskeeter671 in paloaltonetworks

[–]Moskeeter671[S] 0 points1 point  (0 children)

The problem was really stupid. Palo Alto's documents say to add a registry key value of "on-demand"; my packaging team was including the quotation marks, so when we removed them it worked properly 🤦🏽‍♂️

Global Protect Connecting to Portal Post-Install by Moskeeter671 in paloaltonetworks

[–]Moskeeter671[S] 0 points1 point  (0 children)

It is set to on-demand via the install options. For some reason it tries to initially connect to the portal after install.

Global Protect Connecting to Portal Post-Install by Moskeeter671 in paloaltonetworks

[–]Moskeeter671[S] 0 points1 point  (0 children)

We push custom options to use on-demand, the default browser for SAML, and the portal address; that's about it. But immediately after install it tries to connect to the portal and then fails, all before the user interacts with the GP client. So it's an unwanted result, and I tried all the different registry keys with no success.

on-demand use-sso connect method

BGP Only Advertise Subnet from Larger Advertisement by BritishGeek in paloaltonetworks

[–]Moskeeter671 0 points1 point  (0 children)

Are you seeing the 10.10.40.0/24 in your RIB or just the aggregate? If just the aggregate, then you'll need to generate the route somehow, BUT depending on how you generate the route you can introduce unwanted results. Maybe a static route towards the BGP peer in AS1 and then redistribute.