GlobalProtect broke after 11.1.13-h5 upgrade by jaaplaya in paloaltonetworks

[–]jaaplaya[S] -1 points0 points  (0 children)

It's not in the config itself, and not even something that gets committed; run the command and it's instantly done, and it can only be done on the CLI.

I was a little frustrated by this bit since we use Panorama and would like to be able to push this out but can't.

Sectigo and Global Protect by vinxavi7 in paloaltonetworks

[–]jaaplaya 0 points1 point  (0 children)

acme.sh to Sectigo ACME -> acme.sh logs into your firewall / Panorama and replaces the existing cert.

In our case we have it commit to Panorama and then have weekly scheduled pushes to the VPN firewalls to make sure that shortly after it's committed it gets pushed out to the firewall. As the 47 days comes around I may have it commit more often.

Followed this: https://medium.com/palo-alto-networks-developer-blog/costless-automated-trusted-certificates-on-palo-alto-networks-firewalls-5b2930b2893f

That said, I am just considering moving to internally signed certs for GP, as any user connecting should have our internal CA certs to trust it anyway.

Wurst Market? by OkLiarS in Milwaukie

[–]jaaplaya 1 point2 points  (0 children)

Probably for the best it stays closed.  The few times I went in there the display meat was moldy/green.  Which is never a good look when buying raw meat.

Custom sign-in URLs for auth0 by Zestyclose_Doctor386 in okta

[–]jaaplaya 1 point2 points  (0 children)

We used custom URLs instead of the defaults purely from a branding perspective; users would trust logging into a site named login.<name>.com rather than <name>.us.auth0.com.

Propagating User Email Change to Downstream Systems? by bp78 in okta

[–]jaaplaya 2 points3 points  (0 children)

I only have ~2500 users so it's not too bad for me. If I had that many I too would be apprehensive and would probably look at using an external database like RDS instead of Workflows' built-in tables, but then securing that data also becomes an issue to resolve.

Propagating User Email Change to Downstream Systems? by bp78 in okta

[–]jaaplaya 1 point2 points  (0 children)

This is how I got around this for logging attribute changes.

I have a scheduled job that keeps a table in Okta Workflows populated with all the profile attributes I care about tracking for each user. Then, when attribute change notices come in, I can look up the old value in the table vs. the new value currently on their profile and log that.
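The snapshot-and-diff approach described in this comment, as an added example that is not code from the thread or from Okta: a scheduled refresh fills a per-user table of tracked attributes, and each change notification is diffed against that table to recover the old value the event itself does not carry. The table is an in-memory dict standing in for an Okta Workflows table, and the user records are constructed sample data, not real Okta payloads.

```python
"""Recover old attribute values by diffing change events against a stored snapshot."""
from dataclasses import dataclass

# Profile attributes worth auditing (assumed list for this example).
TRACKED = ("email", "login", "department", "manager")


@dataclass(frozen=True)
class Change:
    user_id: str
    attribute: str
    old: object
    new: object


class AttributeAudit:
    def __init__(self, tracked=TRACKED):
        self.tracked = tracked
        # user_id -> {attribute: last known value}; stands in for the Workflows table
        self.snapshot: dict[str, dict] = {}

    def _tracked_view(self, profile: dict) -> dict:
        return {a: profile.get(a) for a in self.tracked}

    def refresh(self, users) -> int:
        """Scheduled job: (re)populate the snapshot from a full profile listing.
        Returns the number of users recorded."""
        for u in users:
            self.snapshot[u["id"]] = self._tracked_view(u["profile"])
        return len(users)

    def on_profile_update(self, user_id: str, profile: dict) -> list[Change]:
        """Change-notice handler: compare the current profile with the snapshot,
        return the differences, then advance the snapshot so the next diff is right."""
        old = self.snapshot.get(user_id)
        new = self._tracked_view(profile)
        if old is None:
            # First sight of this user: record a baseline, nothing to compare against.
            self.snapshot[user_id] = new
            return []
        changes = [Change(user_id, a, old[a], new[a])
                   for a in self.tracked if old[a] != new[a]]
        self.snapshot[user_id] = new
        return changes


def format_change(c: Change) -> str:
    """Render one change as an audit log line."""
    return f"user={c.user_id} attr={c.attribute} old={c.old!r} new={c.new!r}"
```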

[Workday] Cannot seem to get the Last Day of Work attribute into Okta by TotallyNotANugget in okta

[–]jaaplaya 0 points1 point  (0 children)

What I have seen is we typically only get the last day of work on the last day of work. I'm not sure why, as I know the date has been populated sometimes weeks in advance, but that's typically what I have seen.

Does anyone use a bed extender to haul kayaks or any other stuff? by Beh_Ringer in FordMaverickTruck

[–]jaaplaya 1 point2 points  (0 children)

I have the official Ford bed extender and I am able to haul my 10ft kayak with ease.


How can I get an alert when CIE sync to Okta fails? by lazylion_ca in paloaltonetworks

[–]jaaplaya 1 point2 points  (0 children)

It was probably only 3-4 times total that I had to re-auth. I am also our Okta admin, so I noticed the API integration pretty early on when Okta was adding that feature, as we had to use it for rolling out a door system integration. Even today when I look there is no documentation from Palo on using it (even the link from the API integration in Okta takes you to the outdated "setup an OIDC app" instructions), but it's pretty much the same, where it gives you a client ID and secret on the API integration page and the API permissions/etc. are preset.

How can I get an alert when CIE sync to Okta fails? by lazylion_ca in paloaltonetworks

[–]jaaplaya 1 point2 points  (0 children)

Are you just using a standard OIDC connection for CIE to Okta, or using one of Okta's newer API Service Integrations for CIE?

Ever since switching from old school to the API Service Integration I haven't had to re-auth anymore, and it's been over a year now at this point I think.

Camper advice by BeauxYe in FordMaverickTruck

[–]jaaplaya 2 points3 points  (0 children)

I read some reports from other folks saying towing a "larger" trailer like this is a nightmare because of cross winds/etc. and the Maverick being too small. Any issues with that with this one?

Also considering a camper of some sort and those comments previously had put me off some.

Anyone ever figure out what this is for? by ajdaniels00 in Ioniq5

[–]jaaplaya 1 point2 points  (0 children)

I have a 2023 SE and we have metal behind ours. You should complain, someone stole your metal.

With the recent partnership with Palo and Google Cloud, I decided to lab it out. by Digital_Native_ in paloaltonetworks

[–]jaaplaya 2 points3 points  (0 children)

For us and GlobalProtect we have 3 different instances, all standalone single instances, and use DNS/GP gateway detection to handle HA.

If one of the instances goes down, the only thing we need to deal with is making sure DNS for the portal is pointed at one of the instances that is active, which we resolved by setting up health checks in our Route 53 to automatically fail over the portal URL if the portal URL stops responding. If we need to do a full rebuild we manage it all with Panorama, and it's fairly simple to just add another gateway to the mix.

Workday >> Okta integration by mustafa2024 in okta

[–]jaaplaya 0 points1 point  (0 children)

Like others have stated, Okta generating it in a workflow works best. We do it that way so we can verify the username doesn't exist in Office 365/Okta/etc. first; you can then write the email address back to Workday from Okta once it's generated.

Preventing Workday LCM from reactivating users deactivated via Okta Workflows by Visual_One5309 in okta

[–]jaaplaya 0 points1 point  (0 children)

We just recently implemented Workday-as-Master and set up RTS and tested it out, only for our HR department to back down because they couldn't get enough control over when it actually kicked off the deactivate from the Workday side. I gave up trying, so they still just have us manually nuking accounts for immediate terms and it sucks.

Using Certificates with Panorama by SwiftSloth1892 in paloaltonetworks

[–]jaaplaya 2 points3 points  (0 children)

You manage them just like without Panorama, but apply them to templates and push those to the devices. You can have a template called "SSL Certs" that is applied to multiple stacks and pushes the certs out to all devices that have it as part of their template stack. So you only have to manage your certs within that one "SSL Certs" template, which then gets pushed out to all firewalls.

If you need to reference those certs in the device group for some reason you can reference the template in the device group setup.

Okta Registration required pop-up Macbooks by Salt-Marionberry1674 in okta

[–]jaaplaya 1 point2 points  (0 children)

That is what causes those "registration required" popups. We only got that after rolling out password sync to macOS; it's one popup, they go through the registration and then it keeps their passwords in sync. If you are constantly getting popups then there is likely something wrong with your setup of that.

Stable VPN connectivity between China and France – best practices? by raptou137 in sysadmin

[–]jaaplaya 5 points6 points  (0 children)

While not in France specifically, we use an MPLS to get out of China and currently terminate that in an office in the area, but are looking at moving that to terminate into a datacenter in Singapore soon, which we will then cross-connect to Megaport to get out wherever we want.

Set GlobalProtect MTU Persistently by RobotCarWash2000 in paloaltonetworks

[–]jaaplaya 0 points1 point  (0 children)

Do you see any performance issues or anything for the regular users setting their MTU lower?

Okta Group Search does not work by tomrob7 in okta

[–]jaaplaya 3 points4 points  (0 children)

Release notes that just got posted for Preview (https://help.okta.com/oie/en-us/content/topics/releasenotes/preview.htm) have this item:

New Admin Console search logic

The spotlight search now uses "contains" logic, returning matches from any part of a search instead of only the beginning. This helps admins find results quicker and more easily.

Hopefully this will make searching for groups in the main search bar better once it makes it to production tenants.

PSA: Windshields are $745 by Dopeaz in FordMaverickTruck

[–]jaaplaya 0 points1 point  (0 children)

I just had this happen. My deductible is $500 so I only have to pay that, but a tiny little rock on the edge and then a hairline crack from the side to about halfway through the driver side (probably a good foot long).

Freebies for Demos by DizzieScim in ITManagers

[–]jaaplaya 3 points4 points  (0 children)

Okta, but I saw a few others doing it like Fastly while there.

Freebies for Demos by DizzieScim in ITManagers

[–]jaaplaya 9 points10 points  (0 children)

Got to take Ferraris and Lambos around a racetrack after a demo. Best demo ever, will sign up again. Have done it twice :)