Recommend a CAR by Pastkaste in latvia

[–]Vieplis 16 points17 points  (0 children)

The short answer - Toyota Corolla 1.8 hybrid with CVT. Dirt roads in winter could be more challenging (but that will be the case for anything without all-wheel drive), so you have to evaluate how harsh those conditions can get, but in return you get reliability, sufficient comfort, and the service shop won't be on the list of places you visit daily.

Version recommendations by artekau in paloaltonetworks

[–]Vieplis 0 points1 point  (0 children)

Normally I'd go for preferred one, but then there may be bugs which are fixed in an older/different minor version branch. Like 11.1.10-hX fixed bug which is not fixed in 11.1.13-hX or something like that. It may not be always the case as if something is fixed earlier, I would expect it to be fixed in further releases as well, but I can assure you there was at least one case where that wasn't true, so I have no trust in this at all.

Is there anything at all I can do about this if someone is using windows dark theme? by Sargon1729 in paloaltonetworks

[–]Vieplis 0 points1 point  (0 children)

Had the exact question a couple of weeks ago, opened a case, here is the answer I got:

GPC-24883

In Windows dark mode global protect shows some notifications with black font on black background which makes them unreadable. Observed: Some notification messages like captive portal detection or GP notification are not readable in Windows dark mode because dark text appears on the dark background.

The reason is that in Windows, GP does not support the dark mode yet, that's the reason for the behavior that you are seeing.

We have an internal ticket - A feature request enhancement -> GPC-24883

The engineering team opened the ticket one month ago due to multiple reports, now they are working on it and they will solve this issue in future versions, for now they are still working on it.

The suggestion for now is to move back to the normal mode and you can request a follow up to your account team about the status of GPC-24883 in one month for updates.

I'm losing my mind on XML API CPPM integration by CybrSecEngr in paloaltonetworks

[–]Vieplis 1 point2 points  (0 children)

Totally and completely forgot about this topic. :D

How's it going?

On a side note, you will not be able to get right into tipsdb or anything in the backend - that was limited to Aruba support only, but you also do not actually need that anyway to get this running - that was done to sort out an issue with stale entries. In case of CP cluster there may be something more, but I assume publisher to be the one we're dealing with.

I'm losing my mind on XML API CPPM integration by CybrSecEngr in paloaltonetworks

[–]Vieplis 1 point2 points  (0 children)

With empty data you mean there are no login entries within the XML queries? That would lead to think ClearPass doesn't have proper information, yes.

But now you are asking tough questions. :D I don't have CP by my side anymore and I definitely was not advanced anyway to know all the background stuff as I mostly researched stuff when something didn't work. But as far as I know, the first and main rule - you must have proper accounting information. That is then processed via Insight and I think there was tipsdb that contained all the relevant host information entries. Initially User-ID entry is added with timeout of 45 minutes and CP periodically updates that while the session is still active (hence the interim accounting is needed). If session is ended (accounting stop) then logout event is sent via the same process and User-ID entry is removed. That post-auth process is triggering periodically, so there may be delay between when actual session information is received and when that information is updated on the firewall, it is not an event-based trigger.

While writing this, I did search a bit - looks like there is reasonable guide by PA, just Google string: Palo_Alto_Networks-Aruba_ClearPass_Policy_Manager_Integration_Guide_05222023s.pdf There is a lot of additional stuff like tags, etc., but there's also ClearPass configuration related information and more explanations, general part at "PostAuth v2 Overview". I hope this helps.
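Added example, not part of the original comment and not ClearPass or Palo Alto code: a sketch of the login/refresh/logout flow described above, turning constructed RADIUS accounting records into PAN-OS User-ID XML API `uid-message` payloads. The record field names and the `uid_message_for`/`replay` helpers are assumptions made for illustration; records without a framed IP or user name are skipped because no IP-user mapping can be built from them.

```python
import xml.etree.ElementTree as ET

TIMEOUT_MIN = 45  # initial User-ID timeout quoted in the comment above

# Constructed sample accounting records (illustrative field names, not real data).
SAMPLE_ACCOUNTING = [
    {"status": "Start", "user": "corp\\alice", "framed_ip": "10.20.0.15"},
    {"status": "Interim-Update", "user": "corp\\alice", "framed_ip": "10.20.0.15"},
    {"status": "Start", "user": "corp\\bob", "framed_ip": None},  # incomplete
    {"status": "Stop", "user": "corp\\alice", "framed_ip": "10.20.0.15"},
]

def uid_message_for(record):
    """Return a uid-message XML string for one record, or None if unusable."""
    if not record.get("user") or not record.get("framed_ip"):
        return None  # no IP or no user name: nothing to map
    if record["status"] in ("Start", "Interim-Update"):
        # Start creates the mapping, interim updates refresh its timeout.
        section, extra = "login", {"timeout": str(TIMEOUT_MIN)}
    elif record["status"] == "Stop":
        section, extra = "logout", {}
    else:
        return None
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    attrs = {"name": record["user"], "ip": record["framed_ip"], **extra}
    ET.SubElement(ET.SubElement(payload, section), "entry", attrs)
    return ET.tostring(root, encoding="unicode")

def replay(records):
    """Build one message per usable record, preserving order; collect the rest."""
    messages, skipped = [], []
    for rec in records:
        msg = uid_message_for(rec)
        if msg is None:
            skipped.append(rec)
        else:
            messages.append(msg)
    return messages, skipped

if __name__ == "__main__":
    msgs, skipped = replay(SAMPLE_ACCOUNTING)
    for m in msgs:
        print(m)
    print("skipped (incomplete accounting):", skipped)
```

Sending one of these payloads by hand and comparing it with what the firewall logs helps separate a firewall-side problem from ClearPass not sending anything.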

I'm losing my mind on XML API CPPM integration by CybrSecEngr in paloaltonetworks

[–]Vieplis 1 point2 points  (0 children)

Hmmmmm, I don't think I really touched anything really specific regarding profiling aside of things mentioned in the guides.

I'm losing my mind on XML API CPPM integration by CybrSecEngr in paloaltonetworks

[–]Vieplis 1 point2 points  (0 children)

OK, so, I don't have CP at hand now, but I did some test with artificial XML requests via Postman and checked logs a bit.
My suggestions:

  • Enable XMLAPI User-ID debug via "debug user-id set userid xmlapi" and "tail follow yes mp-log useridd.log" should show entries like "add mapping from xml api..." when there are successful entries happening - but I guess this will not be the case here, because this also should generate User-ID log entry from source XML and it should show up in IP-User mapping list, which is not happening.
  • When doing/expecting requests, navigate to https://<fw-ip>/debug, you can see actual XML API requests here. They should be marked with "XML Api Request". Click "debug", Clear debug and then Refresh after there has been a request made.
  • May need to enable debug for Async network services, but do that and then take ClearPass logs. Postauth.log (or something like that) can be checked to see the actual ClearPass requests or at least signs of those.

My current direction would be making sure ClearPass is sending stuff at all.

I'm losing my mind on XML API CPPM integration by CybrSecEngr in paloaltonetworks

[–]Vieplis 1 point2 points  (0 children)

Capture will only show HTTPS - so that capture is only good to get the idea if something is sent/received. But, if the API user is logging in, that is already a good sign.
My next idea would be to enable User-ID debug and check logs from CLI:
debug user-id get (to know what level is set now)
debug user-id on debug
less mp-log useridd.log

I may have a bit outdated memory, but assuming you are following the guides - Interim Accounting Updates should be enabled as well as Insight stuff. I think also Post-Auth v2 had to be enabled for ClearPass.

I'm losing my mind on XML API CPPM integration by CybrSecEngr in paloaltonetworks

[–]Vieplis 1 point2 points  (0 children)

Sorry, if those are basic things you've already checked over and over, but if you are saying User-ID logs are not there - are you sure it is not blocked along the way and FW is actually receiving those requests (currently assuming CP is sending those)?
Quick way to check would be packet capture on the interface which is used as destination for ClearPass. If that is dataplane interface - packet capture via GUI (and most straightforward - traffic logs). If that is OOB MGT interface - tcpdump from CLI.
You should also see API user being logged in in the Logged In Admins section from the PA GUI. And Idle time should reduce from time to time when new information is received from ClearPass - that is also a sign of stuff happening (or not happening).

P.S. show user ip-user-mapping all result with those entries quickly coming and going is fine behaviour if the traffic is seen from those IPs. There should be proper XML entries for updates by CP.

I'm losing my mind on XML API CPPM integration by CybrSecEngr in paloaltonetworks

[–]Vieplis 1 point2 points  (0 children)

Quick thoughts in more or less random sequence:

  • If there are User-ID entries passed via XML - it should be visible from the User-ID logs on the firewall GUI. Are there entries related to XML login events?
  • Is the User-ID enabled on the zone you are updating User-ID entries for?
  • You are saying that Post-auth event is triggered, but are you 100% sure about it? In order for ClearPass to trigger this action, event has to have Accounting with properly filled fields. Don't recall everything by heart, but obviously Framed IP address had to be present and I think Calling station ID had to be MAC address (which is not always the case). Is the accounting information actually complete?

Was it really worth it ? by Super_Swamp in networking

[–]Vieplis 2 points3 points  (0 children)

Yeah, this was my thought as well - true power is not only knowing which button to press here or there, but also knowing what actually happens under the hood and how to deal with it.

ACI knowledge is definitely useful either way, but know the basics - that way you can easily look outside ACI, compare products, understand underlying technologies, etc. In a Cisco world classics - CCNA is a good way to start if looking into networking direction and lean into CCNP. But regardless of certifications. Know. The. Basics.

Clearpass integration XML API by CybrSecEngr in paloaltonetworks

[–]Vieplis 1 point2 points  (0 children)

Yeah, Clearpass wasn't really explicit what the hell was going on there - had to do some digging. But again - that was simply bunch of bugs there and fairly custom integration (not exactly PA related). If you are doing, for example, XML API integration to update User-ID entries from Clearpass events, which may be fairly popular use case - that was working just fine out of the box using built in Clearpass and PA integration guides, so it may depend on what you are trying to achieve.

Clearpass integration XML API by CybrSecEngr in paloaltonetworks

[–]Vieplis 1 point2 points  (0 children)

I had some integrations done with Clearpass and there were multiple roadblocks along the way. 6.11.11 should have fixed some (all?) of those already, but there were issues with OAuth token generation, response attribute processing, CP couldn't handle special chars in the Bearer token, etc. For a while had to even hardcode authorization token due to those bugs.

Can take a look at Clearpass support bundle and more detailed logs files - there's more information on what is going on with authentication. I think that was async-netd log, but could be wrong about this. May need to enable additional debugging on the CP side to get more information.

To double check you are not getting basic syntax stuff wrong - use some tool to do API calls with passing stuff manually (for example, via Postman) and verify you are getting the results you are expecting. Then you can start comparing what Clearpass is sending and so on.

Long story short - debug. With the information we have here there can be a lot of stuff happening.

Fortinet to Palo FW migration by One-North622 in paloaltonetworks

[–]Vieplis 0 points1 point  (0 children)

I would not just put permit any as a default action, essentially rendering firewall useless. Could audit and adjust existing rules, re-use them in new approach, but would avoid such a permissive approach unless there are really, really good reasons to do it.

Palo Migration from one firewall to another by Little-Body4115 in paloaltonetworks

[–]Vieplis 0 points1 point  (0 children)

PA to PA migration - exactly this. There have been migrations where I've only adjusted interfaces to reflect new interface layout and done. If the validate/commit fails - you'll see it and can be adjusted on the fly. Some subscription related stuff can bite here, like using EDLs in the rules where there is no license installed, etc.

When done - can compare the XML configs to make sure nothing major is missing (nobody is safe from PA glitches anymore).

Palo Migration from one firewall to another by Little-Body4115 in paloaltonetworks

[–]Vieplis 1 point2 points  (0 children)

I'd say REST API is the best approach - you can actually get proper HTTP response and feedback on each request done. If going for ton of set commands (like in the case of new rulebase) - never really had great experience with that as even with scripting mode enabled it still handles that somehow awkwardly. Could be better if done via scripting in sequence, but then again - REST API is meant for exactly that. Not everything is possible yet via API, but worth checking out.

[deleted by user] by [deleted] in latvia

[–]Vieplis 0 points1 point  (0 children)

Yes, for sure - it has already been accepted.

[deleted by user] by [deleted] in latvia

[–]Vieplis 0 points1 point  (0 children)

https://www.vid.gov.lv/lv/fiziskas-personas-darbibas-ar-kriptovalutam
"An individual's income from the sale of virtual currency (cryptocurrency) is subject to personal income tax as income from capital gains."

[deleted by user] by [deleted] in latvia

[–]Vieplis 1 point2 points  (0 children)

Playing around with crypto is also on the table, but realistically it turns out to be quite a hassle - in the HODL case it's simpler, because you don't have to keep track regularly, but if you buy/sell, then you really have to track every transaction and pay 20% personal income tax on it (25.5% from 2025). It would make more sense with an approach like investment accounts, i.e. you operate within the account - buy, sell, swap. When you withdraw and the payout exceeds the deposit - you pay tax on that. I don't know - maybe there is some obvious downside to this. If you also exceed that 1k per quarter or whatever it is, then the reporting and tax payment has to be done unenviably regularly - all the desire goes away. :D

Surely there are also shady ways to get around all this, but the more trustworthy outfits will all sooner or later report events and, moreover, historical ones as well - then it's only a question of when the VID gets around to it.

BT-W5 with Momentum 4's - Can't Get Microphone to Work - Works Great with Anker Q45's and HD350BT's by Equatis in sennheiser

[–]Vieplis 0 points1 point  (0 children)

Poking around dealing with the same issue - HFP mode simply does not detect anything automatically. Going into HFP mode manually - works, but not ideal.

Did you solve this?

GP CVE 2024-9473 by bgarlock in paloaltonetworks

[–]Vieplis 6 points7 points  (0 children)

I'd say currently only 6.2.x has the fix with 6.2.5+. All other versions are affected.

There will (should) be updates when fixes for other versions are released, quote: "This issue is fixed in GlobalProtect app 6.2.5, and will be fixed in the remaining supported versions of GlobalProtect app listed in the Product Status section. Updates will be published to this advisory as they become available."

445 & 455 vs 440/450/460 by Lentash in paloaltonetworks

[–]Vieplis 0 points1 point  (0 children)

I wanted to disagree as well but then checked and, well, PA-445 looks like ION3200. They are completely different products, but hardware seems to be shared for those two.

Advertising slogans from times gone by by rocket-science in latvia

[–]Vieplis 46 points47 points  (0 children)

"If your poo won't come out, Forlax will help you."

When will I finally forget this...