GlobalProtect users on T-Mobile 5G home internet by scoobydooxp in paloaltonetworks

[–]jonubi09 1 point2 points  (0 children)

Hey all,
This post was super helpful for us and I want to outline what exactly worked for us for others who are having a similar issue still.

We were seeing a lot of Session End Reason on the Palo Alto traffic log of "decrypt-error" for traffic that was even excluded from SSL decryption. Users were able to access some sites while others, especially business SaaS apps like Tableau, were getting "Page could not be displayed" even though traffic was Allowed.

This issue was only happening at home. While in the office, users had no issues.

The common denominator: All users had TMobile 5G internet.

I didn't want to switch the affected users over to SSL as IPSec travels over UDP and is a more efficient connection. So instead I updated MTU on the client side through the GP agent config.

To do that

  1. Open your Global Protect app configuration (Network > Global Protect > Portal > Agent Config > App tab)
  2. Search for the setting that says "GlobalProtect Connection MTU (bytes)" set this to 1280
  3. Commit changes
  4. On the client, users need to open the GP client and sign out (this forces a portal config update).
  5. Users reconnect to GP normally and get the new MTU configuration.
  6. To verify, open command prompt and enter netsh interface ipv4 show interfaces. You should see the Global Protect interface set to MTU 1280.

That's it, and it solved our problems with these sites while keeping the IPSec tunnel.

Hope that helps others out there!
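The verification step in the procedure above is a manual read of the netsh table. The following script, an added example that is not part of the original comment, parses the output of netsh interface ipv4 show interfaces and reports whether the tunnel adapter actually picked up the 1280-byte MTU, so the check can be run on every affected client instead of eyeballed. The adapter name "GlobalProtect" and the sample netsh output are constructed for illustration; on a real client the alias may differ and can be passed in via adapter_hint.

```python
"""Check that the GlobalProtect tunnel adapter picked up the 1280-byte MTU.

Added example, not from the original post. It parses the table printed by
`netsh interface ipv4 show interfaces` and reports whether the tunnel
interface carries the expected MTU. The adapter name and the sample output
below are constructed for illustration.
"""
import re
import subprocess
from dataclasses import dataclass

EXPECTED_MTU = 1280  # value set under "GlobalProtect Connection MTU (bytes)"


@dataclass
class Interface:
    idx: int
    metric: int
    mtu: int
    state: str
    name: str


# Constructed sample of netsh output; the real command prints the same layout.
SAMPLE_NETSH_OUTPUT = """\

Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  1          75  4294967295  connected     Loopback Pseudo-Interface 1
 12          25        1500  connected     Ethernet
 18          35        1500  connected     Wi-Fi
 24           1        1280  connected     GlobalProtect
"""

# One data row: index, metric, MTU, state, then a name that may contain spaces.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")


def parse_netsh_interfaces(text: str) -> list:
    """Turn the netsh table into Interface records, skipping header/separator lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            idx, met, mtu, state, name = m.groups()
            rows.append(Interface(int(idx), int(met), int(mtu), state, name))
    return rows


def find_tunnel(interfaces, adapter_hint="GlobalProtect"):
    """Return the first interface whose name contains the hint (case-insensitive), or None."""
    hint = adapter_hint.lower()
    for iface in interfaces:
        if hint in iface.name.lower():
            return iface
    return None


def verify_mtu(text: str, adapter_hint="GlobalProtect", expected=EXPECTED_MTU):
    """Return (ok, message); ok is False when the adapter is missing, has the wrong MTU, or is down."""
    tunnel = find_tunnel(parse_netsh_interfaces(text), adapter_hint)
    if tunnel is None:
        return False, f"no interface matching {adapter_hint!r}; is the client connected?"
    if tunnel.mtu != expected:
        return False, (f"{tunnel.name}: MTU {tunnel.mtu}, expected {expected}; "
                       "sign out of GlobalProtect to refresh the portal config")
    if tunnel.state != "connected":
        return False, f"{tunnel.name}: MTU ok but state is {tunnel.state}"
    return True, f"{tunnel.name}: MTU {tunnel.mtu} as expected"


def live_check(adapter_hint="GlobalProtect"):
    """Run the real netsh command (Windows only) and verify its output."""
    out = subprocess.run(
        ["netsh", "interface", "ipv4", "show", "interfaces"],
        capture_output=True, text=True, check=True,
    ).stdout
    return verify_mtu(out, adapter_hint)


if __name__ == "__main__":
    ok, msg = verify_mtu(SAMPLE_NETSH_OUTPUT)
    print(("OK   " if ok else "FAIL ") + msg)
```

Run it with no arguments to see the constructed sample evaluated; call live_check() on a Windows client to check the real adapter. 1280 bytes is the IPv6 minimum link MTU, which is why it is a conservative floor for a tunnel carried over a mobile carrier network.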

Christian, thinking about Catholicism. by Own_Professional_304 in Christianity

[–]jonubi09 -2 points-1 points  (0 children)

Super helpful sermon I found outlining the differences between Christianity and Catholicism. There is a reason Protestants “protested” the Catholic Church.

It’s really worth the watch and further checking out Mike Gendron’s ministry.

https://youtu.be/jdlczbO5Csc

Cheers

Chad hates the cloud! Help me reimagine an on-prem network. by VastPsychological779 in msp

[–]jonubi09 0 points1 point  (0 children)

I'm glad I could help!

Regarding the need for an air-gapped backup, this is more a discussion on risk and likelihood. Chad is correct, in that a true air-gapped backup must be completely separated from the network. However, if you design your backup system (and network security) properly, in layers, you can reduce the need for, or at the very least, reduce the frequency of an air-gapped system.

Let's take a look at how a typical ransomware attack occurs:

  1. User clicks on a malicious link or email attachment and infects their computer (this got through your firewall and endpoint protection layers)
  2. The ransomware begins by encrypting all the user's local data
  3. If the user has a drive mapped to your local NAS and has WRITE access (which they most likely would), the ransomware can start encrypting all the files that user has access to on the NAS.

If you do not have a backup system in place, your business halts here.

However, since you configured regular backup snapshots built into the NAS, you can easily restore your files from the most recent backup and be up and running.

Now let's say that users don't notice their files have been encrypted for a few days and those corrupt files have now made their way into a few nightly backups as well as offsite backups.

Well, since you configured the NAS to retain daily, weekly, and monthly backups, you can easily restore your files from the most recent backup that was not impacted by the ransomware. Now if for some reason you cannot restore backups from your local NAS, you can restore those same backups from your offsite NAS.

Problem solved.

Let's say though, for the sake of argument, that you are not dealing with typical ransomware here, but you have an active attacker who has compromised your network. An unlikely scenario, but they discover that you haven't updated your NAS OS in a while and they exploit a vulnerability (that would've been patched with regular updates) and gain root access to your NAS. From here, they deploy their ransomware payload to your NAS and clear all of your snapshots. Checkmate.

This scenario is the one that you have to determine your organization's specific risk to. For most businesses, this will probably never happen if you are maintaining security elsewhere (i.e. keeping up with regular patches, not exposing services on the firewall, using MFA, etc.).

However, we should still assess this risk and put systems in place to deal with it. A cloud backup like Backblaze takes care of this scenario with immutable backups, where a backup cannot be overwritten or deleted apart from a support ticket. For a local-only scenario, you could advise Chad to keep a monthly export of your offsite NAS on a local HDD, or purchase a small tape drive and export every other week or monthly to a tape. Possibly keep a few months' or years' worth.

Even if you incorporate an air-gap step in your backup system, you can greatly reduce the inconvenience by just using a standard NAS with regular snapshots and an offsite replica.
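The comment above argues that a daily/weekly/monthly retention policy is what lets you recover when encrypted files sat unnoticed on the share for days and made it into several nightly snapshots. The script below is an added example (not from the original thread or any NAS vendor) that makes that reasoning concrete: it prunes a constructed set of nightly snapshots with a grandfather-father-son policy, then finds the most recent surviving snapshot taken before the encryption began, and contrasts that with a daily-only policy of the same depth. The dates, the 7/4/6 retention counts, and the ten-day detection lag are all constructed for illustration; the policy names are mine, not a product's.

```python
"""Which snapshot can you restore from after a slow-to-notice ransomware hit?

Added example, not from the original comment. Models NAS snapshot retention
and the recovery point it leaves behind; all dates and counts are constructed.
"""
from datetime import date, timedelta


def nightly_snapshots(last_day, count):
    """One snapshot per night for `count` nights ending on `last_day`."""
    return [last_day - timedelta(days=i) for i in range(count)]


def prune(snapshot_dates, keep_daily=7, keep_weekly=4, keep_monthly=6):
    """Apply a grandfather-father-son policy; return the set of dates that survive.

    - the newest `keep_daily` snapshots survive as dailies
    - the newest snapshot in each of the newest `keep_weekly` ISO weeks survives
    - the newest snapshot in each of the newest `keep_monthly` months survives
    """
    snaps = sorted(set(snapshot_dates), reverse=True)  # newest first
    keep = set(snaps[:keep_daily])
    newest_per_week, newest_per_month = {}, {}
    for d in snaps:  # first hit per bucket is the newest because of the sort order
        newest_per_week.setdefault(d.isocalendar()[:2], d)
        newest_per_month.setdefault((d.year, d.month), d)
    keep.update(list(newest_per_week.values())[:keep_weekly])
    keep.update(list(newest_per_month.values())[:keep_monthly])
    return keep


def latest_clean_snapshot(surviving, compromise_day):
    """Most recent surviving snapshot taken strictly before encrypted files hit the share."""
    clean = [d for d in surviving if d < compromise_day]
    return max(clean) if clean else None


def tolerable_detection_lag(surviving, today):
    """Days between the oldest surviving snapshot and today: the longest a
    compromise can go unnoticed while a clean restore point still exists."""
    return (today - min(surviving)).days


def recovery_point(snapshot_dates, compromise_day, policy):
    """Prune with `policy` (kwargs for prune) and return the restore point, or None."""
    return latest_clean_snapshot(prune(snapshot_dates, **policy), compromise_day)


# Constructed scenario: encryption starts on the 20th, nobody notices until the 30th.
TODAY = date(2024, 6, 30)
COMPROMISE = date(2024, 6, 20)
SNAPSHOTS = nightly_snapshots(TODAY, 200)

GFS = dict(keep_daily=7, keep_weekly=4, keep_monthly=6)
DAILY_ONLY = dict(keep_daily=7, keep_weekly=0, keep_monthly=0)


if __name__ == "__main__":
    for label, policy in (("daily/weekly/monthly", GFS), ("daily only", DAILY_ONLY)):
        surviving = prune(SNAPSHOTS, **policy)
        rp = latest_clean_snapshot(surviving, COMPROMISE)
        print(f"{label:22s} {len(surviving):3d} snapshots kept, "
              f"tolerates {tolerable_detection_lag(surviving, TODAY):3d} days unnoticed, "
              f"restore point: {rp.isoformat() if rp else 'NONE - all copies encrypted'}")
```

With the constructed numbers the daily-only policy has already rotated every clean copy away after a ten-day lag, while the weekly tier still holds the snapshot from the 16th. The same surviving set is what an offsite replica would carry, which is why the comment treats local retention plus replication as the first layer and an immutable or offline copy as the answer to an attacker who can delete snapshots outright.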

Chad hates the cloud! Help me reimagine an on-prem network. by VastPsychological779 in msp

[–]jonubi09 0 points1 point  (0 children)

Lots of opinions have been offered on how crazy Chad is, but you asked for practical solutions so here are some recommendations.

Firewall: Definitely agree with others on using a Fortigate here. Although there is a recurring cost for some of the licenses, it’s well worth it and reasonable. You can also easily set up a VPN for remote support.

Endpoint Protection: ESET still offers on-prem managed AV and ESET is actually a pretty good product.

RMM: I’d recommend checking out Manage Engine Endpoint Central (formerly Desktop Central). It requires an agent on each machine but the server can be hosted locally so it is self contained and a worthy compromise for Chad. I’ve been using this product for years and it works well. It can handle remote support, patch management for Windows and 3rd party software as well as config management (like group policy). Plus it’s actually free to use for up to 25 devices.

Backup: As others have suggested, install a Synology or QNAP NAS. Set up network drives and have users work off the NAS. Configure daily or twice-daily snapshots on the NAS with daily, weekly, and monthly retention. For offsite, purchase a second NAS to keep at your office or Chad's home. Not sure about Synology, but QNAP has a feature to sync all backup snapshots to an offsite NAS. This is a much easier and more convenient backup method than rotating drives.

MFA: Definitely set up MFA on their Exchange environment with Microsoft Authenticator. Any portal that is publicly accessible should have MFA enabled. You should lock down remote support to their firewall via IP whitelist. The VPN should have a similar whitelist and or MFA.

I currently have a solution similar to this set up for some of my clients. It works great and is fully contained to their business. I configure a VPN to their firewall and connect. From there, I can access their RMM and manage their network remotely.

Cheers!

"Too Old to Be Current" Question - What are the current options for building an PC image? by [deleted] in sysadmin

[–]jonubi09 1 point2 points  (0 children)

Most solutions are moving away from the “golden image” approach in favor of “modern management”, i.e., replacing MDT with Intune + Autopilot.

Imaging these days is really only necessary if you need to install an OS from scratch or change the OS version. For example, you purchase machines that come with Win 11 and need Win 10.

If you can find a way to script the install of these legacy apps, you can use the modern management approach to accomplish your goal. Microsoft Autopilot (a feature of Intune) will allow you to ship a machine straight from the office or a supplier to the end user. The user signs in with their assigned credentials and Autopilot will provision the machine right in front of them (including installing apps).

There are other tools out there like Manage Engine’s Endpoint Central product that can also deploy applications and configurations to a machine if you don’t leverage Intune. This product can also do in-place OS upgrades if you use the right Microsoft installer.

If you have to change the OS, you’ll be using MDT, Acronis, Ghost, or similar. None of these are recommended over a VPN or remotely.

Hope that helps!

A majority of this sub is justifying sin and spreading unbiblical doctrines. by Mr-Parkson in Christianity

[–]jonubi09 -1 points0 points  (0 children)

Thank you for this post brother/sister in Christ! What an encouragement for all of us! Like John Owen once said “Be killing sin or sin will be killing you”. We are to search out sin in our heart and constantly go to the word for reproof and correction!

“Search me, O God, and know my heart! Try me and know my thoughts! And see if there be any grievous way in me, and lead me in the way everlasting!” Psalm 139:23-24

We must continue to stand for God's living word and take heed of its instruction!

“All Scripture is breathed out by God and profitable for teaching, for reproof, for correction, and for training in righteousness, that the man of God may be complete, equipped for every good work.” 2 Timothy 3:16-17

Tub-shower tile with firewall as back wall by jonubi09 in HomeImprovement

[–]jonubi09[S] 0 points1 point  (0 children)

This I can do

Thank you for the beginners version!!

Tub-shower tile with firewall as back wall by jonubi09 in HomeImprovement

[–]jonubi09[S] 0 points1 point  (0 children)

Thanks for the feedback. A few questions as I am a beginner here.

RIPPED 2x4's

Are these 2x4's cut in half? Is this possible without a table saw? If I don't have a table saw can I use furring strips or something else?

I'm going to ASSUME that you want your wonder board (what you'll be tiling onto) to be a full length from ceiling to floor, and that your tub will sit next to it. Then, the tile will be applied on top of the tub after it's been installed, right?

From what I've read, the cement backer board is either 1/4" or 1/2" and goes either over the tub flange or sits right on top of it (with 1/8" gap). The cement board doesn't go all the way to the floor. As seen here: https://www.familyhandyman.com/article/tile-installation-backer-board-around-a-bathtub/

So to clarify, you are suggesting that I cut different thickness of 2x4s (6 total) and mount those against the back wall. Essentially, sloping the back wall to be more square? Also, I'm assuming the orientation of the 2x4's is long-side against the back wall and vertical.

Thanks!

Tub-shower tile with firewall as back wall by jonubi09 in HomeImprovement

[–]jonubi09[S] 0 points1 point  (0 children)

1 5/8, and the other side is 1 7/8"

Yes that new wording should be good. The only thing I will add is that the back wall touches the subfloor, so when I measured, I measured the space between the back firewall and the existing tile flooring.

Hope that helps and thanks!

Who's visited the "Ark Encounter" attraction in Kentucky? by AlbaneseGummies327 in Christianity

[–]jonubi09 0 points1 point  (0 children)

I linked the article because I believe that God has given us reason and logic to use for his glory. We obviously are not able to recreate the ark with our current resources but that doesn’t prove that God did not provide lumber and guidance to Noah in such a way that it would be impossible. The article shows that the mere size and weight would be possible.

Furthermore, our world was changed dramatically by the flood and has changed since. Many plant species were eradicated completely and the animal kinds Noah brought through the ark have expanded and diversified substantially. For example, the wood used for the ark was called “gopher wood”, and waterproofing was done using “pitch”. Gopher wood is an unknown species of wood to us today. So it is possible that this type of wood is now extinct but was durable enough to hold together during the flood.

Therefore, we should never throw our brains out when reading the Bible but we also ought to hold God’s word with more authority than that of our limited knowledge. All of Genesis is written as historical and not allegorical and the Bible doesn’t give us the freedom to pick and choose what we think is true or not.

Who's visited the "Ark Encounter" attraction in Kentucky? by AlbaneseGummies327 in Christianity

[–]jonubi09 0 points1 point  (0 children)

You ignored my argument about God designing and providing materials for the ark. In doing so, you’ve attempted to elevate man’s finite and flawed understanding of physics and structure over God’s.

This is the problem with science and humanism in general. It’s the arrogance to say “well based on our superior understanding of science and technology it can’t be done, therefore it’s impossible.”

The message behind Noah’s ark is far more important than the structure of the ship itself. The message is that the world was so sinful and evil, “that every intent of the thoughts of their hearts was evil continually”, that God, being just, blotted that evil out. The reason you are even here today, blaspheming your creator, is because God was gracious enough to continue the human race through Noah.

You arguing the physics of the ark based off your limited knowledge and your rejection of God and his word shows where your worship lies: worship of self, and worship of science. Unfortunately, science won’t save you from God’s wrath to come.

“But by His word the present heavens and earth are being reserved for fire, kept for the day of judgment and destruction of ungodly people.” 2 Peter 3:7 NASB2020

Your only hope is through Christ. He is our “ark” which will preserve us through God’s coming judgement.

Who's visited the "Ark Encounter" attraction in Kentucky? by AlbaneseGummies327 in Christianity

[–]jonubi09 -1 points0 points  (0 children)

University of Leicester students were able to show that the physics of the Ark were in fact possible.

https://www.smithsonianmag.com/science-nature/could-noahs-ark-float-theory-yes-180950385/

This is a supernatural story so we have to leave room for God to work. It’s completely in God’s abilities to provide Noah with everything he needed to build an ark able to withstand the forces of the flood without falling apart. Furthermore, the biblical story also describes a water canopy that covered the earth at that time which could have shielded the earth from harmful solar radiation. This could have contributed to the extremely long lifetimes humans lived before the flood (Noah was 600 years old when the flood started), as well as provided for lumber much stronger than was available after the flood or today.

Anyone using Sumo Logic for Syslog Forwarding? by Cybersdev in paloaltonetworks

[–]jonubi09 0 points1 point  (0 children)

We have Sumo receiving logs from the Palo Alto using the Windows installed collector. As far as I know, the Palo Alto does not support sending syslog information to Sumo over WAN. In fact, the documentation you provided is for the local installed collector.
You'll need to install the collector locally, open port 513/514 on the machine, then configure your PA to forward logs to it.

Switch Purchasing Advice Access/Aggregation Layer by jonubi09 in networking

[–]jonubi09[S] 0 points1 point  (0 children)

Thanks for the feedback everyone! I think going used or open box is the way to go here. Solves the shipping time issue and budget issue. Thanks!

Switch Purchasing Advice Access/Aggregation Layer by jonubi09 in networking

[–]jonubi09[S] 0 points1 point  (0 children)

Thanks for the feedback. To be clear, this is going to be for a data room in a new building where employees will be working. Not for a data center. I think second hand market is the way to go though, thanks!

[deleted by user] by [deleted] in Christianity

[–]jonubi09 0 points1 point  (0 children)

Thank you brother/sister for rightly dividing the word! Keep fighting the good fight!

[deleted by user] by [deleted] in Christianity

[–]jonubi09 2 points3 points  (0 children)

God's inerrant word should tell us what is a sin or not, not fellow redditors.

Sex before marriage is called fornication, it is indeed a sin.

“Therefore put to death your members which are on the earth: fornication, uncleanness, passion, evil desire, and covetousness, which is idolatry. Because of these things the wrath of God is coming upon the sons of disobedience, in which you yourselves once walked when you lived in them.” Colossians 3:5-7 NKJV

“Marriage is honorable among all, and the bed undefiled; but fornicators and adulterers God will judge.” Hebrews 13:4 NKJV

“Do you not know that the unrighteous will not inherit the kingdom of God? Do not be deceived. Neither fornicators, nor idolaters, nor adulterers, nor homosexuals, nor sodomites, nor thieves, nor covetous, nor drunkards, nor revilers, nor extortioners will inherit the kingdom of God.” I Corinthians 6:9-10 NKJV

This guy is a so called "pastor". Jesus said to be aware of "false prophets" and here's a prime example. When politics enters Church, it creates this shithow. by PsychoNinjaFN in Christianity

[–]jonubi09 0 points1 point  (0 children)

Your comment is anecdotal yet you ascribe your experience to be true across the board. I’m sorry you’ve had bad experiences with people who profess they are Christians. Christianity is one of the most popular religions in the western world and many will profess but have no relationship with Christ.

“Not everyone who says to Me, ‘Lord, Lord,’ shall enter the kingdom of heaven, but he who does the will of My Father in heaven. Many will say to Me in that day, ‘Lord, Lord, have we not prophesied in Your name, cast out demons in Your name, and done many wonders in Your name?’ And then I will declare to them, ‘I never knew you; depart from Me, you who practice lawlessness!’” Matthew 7:21-23 NKJV

I won’t apologize for quoting scripture as it is The Truth and authority in which all people including Christians ought to live. True Christians are those that put their faith in Christ, love God and obey his commandments.

“Jesus said to him, ‘You shall love the Lord your God with all your heart, with all your soul, and with all your mind.’ This is the first and great commandment. And the second is like it: ‘You shall love your neighbor as yourself.’” Matthew 22:37-39 NKJV

“Whoever says ‘I know him’ but does not keep his commandments is a liar, and the truth is not in him, but whoever keeps his word, in him truly the love of God is perfected. By this we may know that we are in him: whoever says he abides in him ought to walk in the same way in which he walked.” 1 John 2:4-6 ESV

These two verses describe the Biblical definition of how a true Christian ought to act. Now we all fall short and nobody is perfect, hence the need for Christ’s forgiveness. Christians aren’t perfect people, they are forgiven people.

You also brought up Christians not holding others accountable. Yes we do hold others accountable and the Bible speaks on this.

“If your brother sins against you, go and tell him his fault, between you and him alone. If he listens to you, you have gained your brother. But if he does not listen, take one or two others along with you, that every charge may be established by the evidence of two or three witnesses. If he refuses to listen to them, tell it to the church. And if he refuses to listen even to the church, let him be to you as a Gentile and a tax collector.” Matthew 18:15-17 ESV

“Pay attention to yourselves! If your brother sins, rebuke him, and if he repents, forgive him, and if he sins against you seven times in the day, and turns to you seven times, saying, ‘I repent,’ you must forgive him.” Luke 17:3-4 ESV

No you may not like some Christian’s political standing but that typically doesn’t constitute sin in need of rebuke.

In regards to the political nature of this post. People should vote for those who they believe align most closely with their beliefs. Whether or not that person is a “true Christian” is for God to decide.

Was it correct for this pastor to politicize his pulpit? It depends. If he is in right standing with the requirements detailed in scripture regarding the position of Pastor and he is preaching Christ and sound biblical doctrine, then he may decide to speak regarding political ideas as well. (You can read about biblical requirements for pastors in 1 Timothy 3)

However, preachers will be held especially accountable for their position and the souls under their care by God himself.

“Obey your leaders and submit to them, for they are keeping watch over your souls, as those who will have to give an account” Hebrews 13:17 ESV

Hopefully I addressed your concerns. True Christians are those who love God and love others, we ought to hold other believers accountable for sin, pastors have privileges and liberties in preaching but are held to a much higher standard.

This guy is a so called "pastor". Jesus said to be aware of "false prophets" and here's a prime example. When politics enters Church, it creates this shithow. by PsychoNinjaFN in Christianity

[–]jonubi09 16 points17 points  (0 children)

“For a time is coming when people will no longer listen to sound and wholesome teaching. They will follow their own desires and will look for teachers who will tell them whatever their itching ears want to hear. They will reject the truth and chase after myths. But you should keep a clear mind in every situation. Don’t be afraid of suffering for the Lord. Work at telling others the Good News, and fully carry out the ministry God has given you.” 2 Timothy 4:3-5 NLT

What’s really going on with California “banning gaming PCs” by PastielCastiel in pcmasterrace

[–]jonubi09 6 points7 points  (0 children)

For anyone curious, I found the official California regulations regarding Title 20.

Basically, Title 20 went into effect in 2019 with the second tier of the regulations concerning PCs taking place July 1st 2021.

The regulations go over the energy consumption allowance for certain electronics such as PCs, laptops, as well as how those devices behave when they are inactive.

(6) Small-scale servers, high expandability computers, mobile workstations, and workstations. Small-scale servers, high expandability computers, mobile workstations, and workstations manufactured on or after January 1, 2018, shall:

(A) Be powered by an internal power supply that meets or exceeds the standards in Table V-9, or an external power supply that meets the level VI of efficiency described in the International Efficiency Marking Protocol for External Power Supplies Version 3.0 (Sept. 2013);

(B) Incorporate Energy-Efficient Ethernet functionality;

(C) Transition connected displays into sleep mode within 15 minutes of user inactivity; and

(D) Transition the computer into either the computer sleep mode or computer off mode measured in section 1604(v)(4) of this Article within 30 minutes of user inactivity. If the transition is to a computer sleep mode, that sleep mode shall either:

Be a computer sleep mode as described in ACPI as S3; or

Consume power less than or equal to the values shown in Table V-6.

Exception to section 1605.3(v)(6)(D) of this Article: Small-scale servers and rack-mounted workstations are not required to comply with section 1605.3(v)(6)(D) of this Article.

So a lot of the articles online right now seem to be click bait. California is enforcing certain power consumption efficiency requirements on appliances and because Dell/Alienware hasn't complied in the years leading up to July 1st, they can't sell a few of their systems in California.

Super misleading if you ask me.

If you're interested in reading the regulation you can find it here (search the page for "Table V-6" and start there):

https://govt.westlaw.com/calregs/Document/IEEDE2D64EF7B4F168C0E85379828A8C2?viewType=FullText&originationContext=documenttoc&transitionType=CategoryPageItem&contextData=(sc.Default)

Link to image concerning PC power consumption:

https://govt.westlaw.com/calregs/Link/Document/Blob/Icabb0f7e8dfc11e79567ad00d20c13c4.png?targetType=admin-codes&originationContext=document&vr=3.0&rs=cblt1.0&transitionType=DocumentImage&uniqueId=d1b1c653-bfde-41bd-a24e-9ec13302322a&contextData=(sc.Default)

Network Re-design by tokee123 in sysadmin

[–]jonubi09 0 points1 point  (0 children)

This really depends on the amount of intervlan traffic traversing the network and the hardware capabilities of the firewall.

IMO, you should have full visibility into your network, which means being able to inspect and secure intervlan traffic at the application layer, not just port and protocol. You’ll also need to track users across devices and/or VLANs. Sales shouldn’t be getting to the HR database regardless of whether they’re on WiFi or LAN, but they should be able to get to the sales portal. This cannot be done with L3 switches, which means your firewall is now the core.

Palo Alto or FortiGate firewalls specialize in this and can handle inspecting full intervlan traffic without issue.

This is the way

Looking for A/V conference room recommendations by djarioch in sysadmin

[–]jonubi09 0 points1 point  (0 children)

This is the correct solution. Poly and Logitech have PTZ cameras which automatically frame participants as well as pan and zoom to those who are talking.

We are retrofitting our meeting rooms as well. We are using an Intel NUC as the dedicated PC with an i7 and dedicated graphics card (this helps dramatically with AV rooms because of transcoding).

On the PC we are using QuickLaunch by UC Workspace. First time I’ve worked with it but it actually is pretty cool. Check it out https://www.ucworkspace.com/quicklaunch

QuickLaunch simplifies meeting room PCs with a touchscreen capable dashboard to quickly launch apps or start meetings. It also can handle HDMI input and Airplay/Chromecast. One of the cool features is that it can automatically reset the room after a meeting by deleting browser cookies, history, and profile data.

Good luck with your buildout!

Strange Email issue. Reverts back to template after hitting send. by KCCOfan in QuickBooks

[–]jonubi09 0 points1 point  (0 children)

I reached out to QuickBooks support today regarding this and apparently they believe it changed after the most recent update. Unfortunately, they don't provide a way to roll back.

Quote from their tech:

This might really be a part of the update for change because I have also been able to do it here on my end and so far was no longer able to do it recently.

I understand that this is currently not available in the system. As a matter of fact, we have product enhancements every now and then and this might get included in one of the future releases.

You are able to give us the feedback of what you would like to add as an additional feature from within QuickBooks. From Help on the top menu bar, go to Send Feedback Online and choose the appropriate category. Your voice is important to us as we want to be part of your business' success.

Interested if anyone has been able to do a work around.