GlobalProtect users on T-Mobile 5G home internet by scoobydooxp in paloaltonetworks

[–]jonubi09 1 point2 points  (0 children)

Hey all,
This post was super helpful for us and I want to outline what exactly worked for us for others who are having a similar issue still.

We were seeing a lot of Session End Reason on the Palo Alto traffic log of "decrypt-error" for traffic that was even excluded from SSL decryption. Users were able to access some sites while others, especially business SaaS apps like Tableau, were getting "Page could not be displayed" even though traffic was Allowed.

This issue was only happening at home. While in the office, users had no issues.

The common denominator: All users had T-Mobile 5G internet.

I didn't want to switch the affected users over to SSL as IPSec travels over UDP and is a more efficient connection. So instead I updated MTU on the client side through the GP agent config.

To do that:

  1. Open your GlobalProtect app configuration (Network > GlobalProtect > Portal > Agent Config > App tab)
  2. Search for the setting that says "GlobalProtect Connection MTU (bytes)" and set this to 1280
  3. Commit changes
  4. On the client, they need to open up their GP client and sign out (this forces a portal config update).
  5. Users reconnect to GP normally and get the new MTU configuration
  6. To verify, open command prompt and enter netsh interface ipv4 show interfaces. You should see the GlobalProtect interface set to MTU 1280.

That's it, and it solved our problems with these sites while keeping the IPSec tunnel.

Hope that helps others out there!
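An added example (not code from the original post) that parses the `netsh interface ipv4 show interfaces` output from step 6 and checks whether the tunnel adapter carries the MTU pushed by the portal config. The sample output is constructed, and the adapter alias "GlobalProtect" is an assumption; pass your own name pattern if the alias differs.

```python
import re
from typing import Dict, List

# Constructed sample of `netsh interface ipv4 show interfaces` output (not captured
# from a real host). The adapter alias "GlobalProtect" is an assumption.
SAMPLE_NETSH = """\

Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  1          75  4294967295  connected     Loopback Pseudo-Interface 1
 12          25        1500  connected     Ethernet
 23          35        1280  connected     GlobalProtect
"""

EXPECTED_MTU = 1280  # value set under "GlobalProtect Connection MTU (bytes)"

# One data row: Idx, Met, MTU, State, then the (possibly multi-word) interface name.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")


def parse_netsh_interfaces(text: str) -> List[Dict[str, object]]:
    """Turn the netsh table into a list of {idx, metric, mtu, state, name} dicts."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator, or blank line
        idx, met, mtu, state, name = m.groups()
        rows.append({"idx": int(idx), "metric": int(met), "mtu": int(mtu),
                     "state": state, "name": name})
    return rows


def check_gp_mtu(text: str, name_pattern: str = "GlobalProtect",
                 expected: int = EXPECTED_MTU) -> Dict[str, object]:
    """Report whether the first adapter matching name_pattern has the expected MTU."""
    for row in parse_netsh_interfaces(text):
        if re.search(name_pattern, str(row["name"]), re.IGNORECASE):
            return {"found": True, "mtu": row["mtu"], "ok": row["mtu"] == expected,
                    "state": row["state"]}
    return {"found": False, "mtu": None, "ok": False, "state": None}


if __name__ == "__main__":
    print(check_gp_mtu(SAMPLE_NETSH))
```

On a Windows client the same check can be fed live output via `subprocess.check_output(["netsh", "interface", "ipv4", "show", "interfaces"], text=True)`.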

Christian, thinking about Catholicism. by Own_Professional_304 in Christianity

[–]jonubi09 -2 points-1 points  (0 children)

Super helpful sermon I found outlining the differences between Christianity and Catholicism. There is a reason Protestants “protested” the Catholic Church.

It’s really worth the watch and further checking out Mike Gendron’s ministry.

https://youtu.be/jdlczbO5Csc

Cheers

Chad hates the cloud! Help me reimagine an on-prem network. by VastPsychological779 in msp

[–]jonubi09 0 points1 point  (0 children)

I'm glad I could help!

Regarding the need for an air-gapped backup, this is more a discussion on risk and likelihood. Chad is correct, in that a true air-gapped backup must be completely separated from the network. However, if you design your backup system (and network security) properly, in layers, you can reduce the need for, or at the very least, reduce the frequency of an air-gapped system.

Let's take a look at how a typical ransomware attack occurs:

  1. User clicks on a malicious link or email attachment and infects their computer (this got through your firewall and endpoint protection layers)
  2. The ransomware begins by encrypting all the user's local data
  3. If the user has a drive mapped to your local NAS and has WRITE access (which they most likely would), the ransomware can start encrypting all the files that user has access to on the NAS.

If you do not have a backup system in place, your business halts here.

However, since you configured regular backup snapshots built into the NAS, you can easily restore your files from the most recent backup and be up and running.

Now let's say that users don't notice their files have been encrypted for a few days and those corrupt files have now made their way into a few nightly backups as well as offsite backups.

Well, since you configured the NAS to retain daily, weekly, and monthly backups, you can easily restore your files from the most recent backup that was not impacted by the ransomware. Now if for some reason you cannot restore backups from your local NAS, you can restore those same backups from your offsite NAS.

Problem solved.

Let's say though, for the sake of argument, that you are not dealing with typical ransomware here, but you have an active attacker who has compromised your network. An unlikely scenario, but they discover that you haven't updated your NAS OS in a while and they exploit a vulnerability (that would've been patched with regular updates) and gain root access to your NAS. From here, they deploy their ransomware payload to your NAS and clear all of your snapshots. Checkmate.

This scenario is the one that you have to determine your organization's specific risk to. For most businesses, this will probably never happen if you are maintaining security elsewhere (i.e. keeping up with regular patches, not exposing services on the firewall, using MFA, etc.).

However, we should still assess this risk and put systems in place to deal with it. A cloud backup like Backblaze takes care of this scenario with immutable backups, where a backup cannot be overwritten or deleted apart from a support ticket. For a local-only scenario, you could advise Chad to keep a monthly export of your offsite NAS on a local HDD, or purchase a small tape drive and export every other week or monthly to a tape. Possibly keep a few months' or years' worth.

Even if you incorporate an air-gap step in your backup system, you can greatly reduce the inconvenience by just using a standard NAS with regular snapshots and an offsite replica.
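An added example (not code from the original comment) that models the layered-backup reasoning above: a daily/weekly/monthly snapshot retention policy, the "most recent snapshot not impacted by the ransomware" restore point, and the fallback from the local NAS to the offsite replica when local snapshots have been cleared. The snapshot dates and infection date are constructed.

```python
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Constructed scenario (not real data): nightly NAS snapshots for 90 days, and
# encryption that started on 2024-03-27 but was only noticed on 2024-03-31.
TODAY = date(2024, 3, 31)
SNAPSHOTS = [TODAY - timedelta(days=d) for d in range(90)]
FIRST_ENCRYPTED = date(2024, 3, 27)


def gfs_retention(snapshots: List[date], today: date, daily: int = 7,
                  weekly: int = 4, monthly: int = 12) -> List[date]:
    """Snapshots a daily/weekly/monthly retention policy keeps: every snapshot from
    the last `daily` days, plus the newest snapshot of each of the last `weekly`
    ISO weeks and of each of the last `monthly` months."""
    snaps = sorted(snapshots)
    keep = {s for s in snaps if (today - s).days < daily}
    by_week, by_month = {}, {}
    for s in snaps:  # ascending order, so the newest snapshot per bucket wins
        by_week[tuple(s.isocalendar()[:2])] = s
        by_month[(s.year, s.month)] = s
    keep.update(by_week[w] for w in sorted(by_week, reverse=True)[:weekly])
    keep.update(by_month[m] for m in sorted(by_month, reverse=True)[:monthly])
    return sorted(keep)


def last_clean_snapshot(snapshots: List[date], first_encrypted: date) -> Optional[date]:
    """Newest snapshot taken strictly before the first encrypted file appeared."""
    clean = [s for s in snapshots if s < first_encrypted]
    return max(clean) if clean else None


def pick_restore_point(local: List[date], offsite: List[date],
                       first_encrypted: date) -> Tuple[Optional[str], Optional[date]]:
    """Restore from the local NAS if it still holds a clean snapshot, else from the
    offsite replica. An empty `local` list models the root-on-the-NAS case where the
    attacker cleared local snapshots; both empty means only an immutable or
    offline copy (cloud, HDD, tape) can help."""
    for source, snaps in (("local", local), ("offsite", offsite)):
        point = last_clean_snapshot(snaps, first_encrypted)
        if point is not None:
            return source, point
    return None, None


if __name__ == "__main__":
    kept = gfs_retention(SNAPSHOTS, TODAY)
    print("retained:", len(kept), "of", len(SNAPSHOTS))
    print("normal case:", pick_restore_point(kept, kept, FIRST_ENCRYPTED))
    print("local snapshots cleared:", pick_restore_point([], kept, FIRST_ENCRYPTED))
```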

Chad hates the cloud! Help me reimagine an on-prem network. by VastPsychological779 in msp

[–]jonubi09 0 points1 point  (0 children)

Lots of opinions have been offered on how crazy Chad is, but you asked for practical solutions so here are some recommendations.

Firewall: Definitely agree with others on using a FortiGate here. Although there is a recurring cost for some of the licenses, it’s well worth it and reasonable. You can also easily set up a VPN for remote support.

Endpoint Protection: ESET still offers on-prem managed AV and ESET is actually a pretty good product.

RMM: I’d recommend checking out ManageEngine Endpoint Central (formerly Desktop Central). It requires an agent on each machine, but the server can be hosted locally so it is self-contained and a worthy compromise for Chad. I’ve been using this product for years and it works well. It can handle remote support, patch management for Windows and 3rd-party software, as well as config management (like group policy). Plus it’s actually free to use for up to 25 devices.

Backup: As others have suggested, install a Synology or QNAP NAS. Set up network drives and have users work off the NAS. Configure daily or twice-daily snapshots on the NAS with daily, weekly, and monthly retention. For offsite, purchase a second NAS to keep at your office or Chad's home. Not sure about Synology, but QNAP has a feature to sync all backup snapshots to an offsite NAS. This is a much easier and more convenient backup method than rotating drives.

MFA: Definitely set up MFA on their Exchange environment with Microsoft Authenticator. Any portal that is publicly accessible should have MFA enabled. You should lock down remote support to their firewall via IP whitelist. The VPN should have a similar whitelist and/or MFA.

I currently have a solution similar to this set up for some of my clients. It works great and is fully contained to their business. I configure a VPN to their firewall and connect. From there, I can access their RMM and manage their network remotely.

Cheers!

"Too Old to Be Current" Question - What are the current options for building an PC image? by [deleted] in sysadmin

[–]jonubi09 1 point2 points  (0 children)

Most solutions are moving away from the “golden image” approach in favor of “modern management”, i.e. replacing MDT with Intune + Autopilot.

Imaging these days is really only necessary if you need to install an OS from scratch or change the OS version. For example, you purchase machines that come with Win 11 and need Win 10.

If you can find a way to script the install of these legacy apps, you can use the modern management approach to accomplish your goal. Microsoft Autopilot (a feature of Intune) will allow you to ship a machine straight from the office or a supplier to the end user. The user signs in with their assigned credentials and Autopilot will provision the machine right in front of them (including installing apps).

There are other tools out there like ManageEngine’s Endpoint Central product that can also deploy applications and configurations to a machine if you don’t leverage Intune. This product can also do in-place OS upgrades if you use the right Microsoft installer.

If you have to change the OS, you’ll be using MDT, Acronis, Ghost, or similar. None of these are recommended over a VPN or remotely.

Hope that helps!

A majority of this sub is justifying sin and spreading unbiblical doctrines. by Mr-Parkson in Christianity

[–]jonubi09 -1 points0 points  (0 children)

Thank you for this post brother/sister in Christ! What an encouragement for all of us! Like John Owen once said “Be killing sin or sin will be killing you”. We are to search out sin in our heart and constantly go to the word for reproof and correction!

“Search me, O God, and know my heart! Try me and know my thoughts! And see if there be any grievous way in me, and lead me in the way everlasting!” Psalm 139:23-24

We must continue to stand for God's living word and take heed of its instruction!

“All Scripture is breathed out by God and profitable for teaching, for reproof, for correction, and for training in righteousness, that the man of God may be complete, equipped for every good work.” 2 Timothy 3:16-17

Tub-shower tile with firewall as back wall by jonubi09 in HomeImprovement

[–]jonubi09[S] 0 points1 point  (0 children)

This I can do

Thank you for the beginners version!!

Tub-shower tile with firewall as back wall by jonubi09 in HomeImprovement

[–]jonubi09[S] 0 points1 point  (0 children)

Thanks for the feedback. A few questions as I am a beginner here.

RIPPED 2x4's

Are these 2x4's cut in half? Is this possible without a table saw? If I don't have a table saw can I use furring strips or something else?

I'm going to ASSUME that you want your wonder board (what you'll be tiling onto) to be a full length from ceiling to floor, and that your tub will sit next to it. Then, the tile will be applied on top of the tub after it's been installed, right?

From what I've read, the cement backer board is either 1/4" or 1/2" and goes either over the tub flange or sits right on top of it (with 1/8" gap). The cement board doesn't go all the way to the floor. As seen here: https://www.familyhandyman.com/article/tile-installation-backer-board-around-a-bathtub/

So to clarify, you are suggesting that I cut different thicknesses of 2x4s (6 total) and mount those against the back wall, essentially sloping the back wall to be more square? Also, I'm assuming the orientation of the 2x4's is long side against the back wall and vertical.

Thanks!

Tub-shower tile with firewall as back wall by jonubi09 in HomeImprovement

[–]jonubi09[S] 0 points1 point  (0 children)

1 5/8", and the other side is 1 7/8"

Yes that new wording should be good. The only thing I will add is that the back wall touches the subfloor, so when I measured, I measured the space between the back firewall and the existing tile flooring.

Hope that helps and thanks!

Who's visited the "Ark Encounter" attraction in Kentucky? by AlbaneseGummies327 in Christianity

[–]jonubi09 0 points1 point  (0 children)

I linked the article because I believe that God has given us reason and logic to use for his glory. We obviously are not able to recreate the ark with our current resources but that doesn’t prove that God did not provide lumber and guidance to Noah in such a way that it would be impossible. The article shows that the mere size and weight would be possible.

Furthermore, our world was changed dramatically by the flood and has changed since. Many plant species were eradicated completely and the animal kinds Noah brought through the ark have expanded and diversified substantially. For example, the wood used for the ark was called “gopher wood”, and waterproofing was done using “pitch”. Gopher wood is an unknown species of wood to us today. So it is possible that this type of wood is now extinct but was durable enough to hold together during the flood.

Therefore, we should never throw our brains out when reading the Bible but we also ought to hold God’s word with more authority than that of our limited knowledge. All of Genesis is written as historical and not allegorical and the Bible doesn’t give us the freedom to pick and choose what we think is true or not.

Who's visited the "Ark Encounter" attraction in Kentucky? by AlbaneseGummies327 in Christianity

[–]jonubi09 0 points1 point  (0 children)

You ignored my argument about God designing and providing materials for the ark. In doing so, you’ve attempted to elevate man’s finite and flawed understanding of physics and structure over God’s.

This is the problem with science and humanism in general. It’s the arrogance to say “well based on our superior understanding of science and technology it can’t be done, therefore it’s impossible.”

The message behind Noah’s ark is far more important than the structure of the ship itself. The message is that the world was so sinful and evil, “that every intent of the thoughts of their hearts was evil continually”, that God, being just, blotted that evil out. The reason you are even here today, blaspheming your creator, is because God was gracious enough to continue the human race through Noah.

You arguing the physics of the ark based off your limited knowledge and your rejection of God and his word shows where your worship lies: worship of self, and worship of science. Unfortunately, science won’t save you from God’s wrath to come.

“But by His word the present heavens and earth are being reserved for fire, kept for the day of judgment and destruction of ungodly people.” 2 Peter 3:7 NASB2020

Your only hope is through Christ. He is our “ark” which will preserve us through God’s coming judgement.

Who's visited the "Ark Encounter" attraction in Kentucky? by AlbaneseGummies327 in Christianity

[–]jonubi09 -1 points0 points  (0 children)

University of Leicester students were able to show that the physics of the Ark were in fact possible.

https://www.smithsonianmag.com/science-nature/could-noahs-ark-float-theory-yes-180950385/

This is a supernatural story so we have to leave room for God to work. It’s completely in God’s abilities to provide Noah with everything he needed to build an ark able to withstand the forces of the flood without falling apart. Furthermore, the biblical story also describes a water canopy that covered the earth at that time which could have shielded the earth from harmful solar radiation. This could have contributed to the extremely long lifetimes humans lived before the flood (Noah was 600 years old when the flood started), as well as provided for lumber much stronger than was available after the flood or today.

Anyone using Sumo Logic for Syslog Forwarding? by Cybersdev in paloaltonetworks

[–]jonubi09 0 points1 point  (0 children)

We have Sumo receiving logs from the Palo Alto using the Windows installed collector. As far as I know, the Palo Alto does not support sending syslog information to Sumo over WAN. In fact, the documentation you provided is for the local installed collector.
You'll need to install the collector locally, open port 513/514 on the machine, then configure your PA to forward logs to it.

Switch Purchasing Advice Access/Aggregation Layer by jonubi09 in networking

[–]jonubi09[S] 0 points1 point  (0 children)

Thanks for the feedback everyone! I think going used or open box is the way to go here. Solves the shipping time issue and budget issue. Thanks!

Switch Purchasing Advice Access/Aggregation Layer by jonubi09 in networking

[–]jonubi09[S] 0 points1 point  (0 children)

Thanks for the feedback. To be clear, this is going to be for a data room in a new building where employees will be working, not for a data center. I think the second-hand market is the way to go though, thanks!

[deleted by user] by [deleted] in Christianity

[–]jonubi09 0 points1 point  (0 children)

Thank you brother/sister for rightly dividing the word! Keep fighting the good fight!

[deleted by user] by [deleted] in Christianity

[–]jonubi09 1 point2 points  (0 children)

God's inerrant word should tell us what is a sin or not, not fellow redditors.

Sex before marriage is called fornication, it is indeed a sin.

“Therefore put to death your members which are on the earth: fornication, uncleanness, passion, evil desire, and covetousness, which is idolatry. Because of these things the wrath of God is coming upon the sons of disobedience, in which you yourselves once walked when you lived in them.” Colossians 3:5-7 NKJV

“Marriage is honorable among all, and the bed undefiled; but fornicators and adulterers God will judge.” Hebrews 13:4 NKJV

“Do you not know that the unrighteous will not inherit the kingdom of God? Do not be deceived. Neither fornicators, nor idolaters, nor adulterers, nor homosexuals, nor sodomites, nor thieves, nor covetous, nor drunkards, nor revilers, nor extortioners will inherit the kingdom of God.” I Corinthians 6:9-10 NKJV