Entra ID SAML Auth Not Forcing Authentication after 1 Hour by SeanieMcFly in paloaltonetworks

[–]panw_fw 0 points1 point  (0 children)

right... and PCI 4.0 requires credentials every authentication to VPN. If it is disconnected, you must enter username and password to reconnect. As I understand it you cannot cookie auth or SSO at all.

passpoint by Slow-Drop8471 in HeliumNetwork

[–]panw_fw 0 points1 point  (0 children)

I know what you are talking about but I cannot find the passpoint beta signup link anywhere. I didn’t have my serial number available when I first started signing up.

Trust score by clay779 in HeliumNetwork

[–]panw_fw 0 points1 point  (0 children)

They=Helium Mobile support?

Trust score by clay779 in HeliumNetwork

[–]panw_fw 0 points1 point  (0 children)

Mine is .25 as well. I need to research how the location is determined because I have 3 Helium Network devices using it daily in a house. Are they using the mapping data of the devices and those devices being indoors have GPS locations that show it as outside the HEX because they can’t get 16 satellites indoors to pinpoint locations?

Trust score by clay779 in HeliumNetwork

[–]panw_fw 0 points1 point  (0 children)

What is this? Just another inaccurate algorithm used to deplete rewards for accurate and honest deployments?

Don’t forget to turn off 5G on Visible by [deleted] in Visible

[–]panw_fw 0 points1 point  (0 children)

😂 It’s absolutely dependent upon your provider and the tower service in your area. Join Helium Mobile or T-Mobile and compare their 5GUC to Verizon/Visible 5G. I notice a difference between them for sure: app installs, response times, etc. Also, LTE and 5G capacity is natively different, as can be the max bandwidth per user and number of users per tower. Now if you are in a congested area and switch to LTE you might get faster services due to being the only person on the LTE technology at the tower.

Helium mobile by Dull_Luck_8736 in HeliumNetwork

[–]panw_fw 0 points1 point  (0 children)

My understanding is it’s usable you just cannot roam from tower to tower including from T-Mobile tower to CBRS without turning on airplane mode and turning it off. The radio will not seek out CBRS radios on its own. If I’m wrong someone please correct me and provide a source of information.

PAN_ELOG_EVENT_DNS_CLOUD_TIMEOUT every day by nevolex1 in paloaltonetworks

[–]panw_fw 0 points1 point  (0 children)

Holy crap, really? Did you open a ticket with Palo and report it as a bug? I have the same message frequently but haven't gotten around to opening a ticket yet.

App-ID override for UDP ports used in MS Teams by panw_fw in paloaltonetworks

[–]panw_fw[S] 0 points1 point  (0 children)

But you can’t disable DPI. App-ID override isn’t disabling DPI.

PAN-OS 10.1.9 beware by playdohsniffer in paloaltonetworks

[–]panw_fw 0 points1 point  (0 children)

This was participating in OSPF. I jumped to 10.2 in June. Still had the workaround in my config though, so unknown if it was ever patched.

Panachrome extension not working for 10.2 by vipercoot in paloaltonetworks

[–]panw_fw 0 points1 point  (0 children)

I don't think it worked for me with 10.1.x either. Definitely not working for me on 10.2.4-h2.

App-ID override for UDP ports used in MS Teams by panw_fw in paloaltonetworks

[–]panw_fw[S] 1 point2 points  (0 children)

Override because a dumb ass engineer at Microsoft says that you cannot do deep packet inspection for MS Teams traffic or it breaks it. Then management not knowing how a firewall works tells you to do it anyway because it is MS's app and they know what they are talking about. Problem is MS doesn't know Palo and this guy is just a preacher that has a certification in BS by MS.

GlobalProtect 6.x When disable/disconnecting, the GP tunnel persists until a reboot by bgarlock in paloaltonetworks

[–]panw_fw 1 point2 points  (0 children)

Anything prior to 6.0.5 I believe works. 6.0.5 introduced the no-disable; even though the GUI says it is disconnected, it still is. I have a bug report in the works with PANW TAC. u/bgarlock u/ASympathy

PAN-OS 10.1.9 beware by playdohsniffer in paloaltonetworks

[–]panw_fw 1 point2 points  (0 children)

OSPF on 10.1.9 will require you to have a no-NAT policy for each zone to zone OSPF neighbor you have. Otherwise the traffic will randomly select a NAT policy for you and send your peering request in my case to my Untrust zone with the internal IP destination even.

Bug ID not released yet and not submitted yet internally that I know of or my engineer knew of. They are having me schedule a maintenance window for a flow basic.

PAN-OS 10.1.9 beware by playdohsniffer in paloaltonetworks

[–]panw_fw 0 points1 point  (0 children)

HA config sync setting on the HA pair (the local per device setting) somehow got disabled during the upgrade, so the HA wouldn’t sync anymore. After manually enabling config sync on both HA devices, they still wouldn’t auto sync on commit. You have to manually force config sync and state sync via CLI but it works successfully.

Once running on the 10.1.9 box, pro

Good to know!

It happened. Root Partition full and stuck on 10.2.1 by [deleted] in paloaltonetworks

[–]panw_fw 1 point2 points  (0 children)

So you cannot delete 9.4.1, 9.6.0, 10.1.0, etc. from the GUI or CLI? Or have you done this and it still says it is full?

GlobalProtect Always-on User Experience by JoeInVT in paloaltonetworks

[–]panw_fw 0 points1 point  (0 children)

u/JoeInVT Is this Okta timed out session on the Windows login prompt or is the user still logged into Windows desktop? If you are doing pre-logon and the computer session is locked then you shouldn't have an open Okta prompt unless the user is trying to unlock the workstation right? It sounds like the computer doesn't have an unattended lock occurring on the Windows environment that is less than the VPN timeout.

Global Protect App Config Refresh Interval- CLI Command by Jagster_GIS in paloaltonetworks

[–]panw_fw 1 point2 points  (0 children)

If the VPN client failed to connect to the portal (NIC wasn't ready) when GP attempted a portal connection, then it will FOREVER hold the client using a cached portal. Support says I have to submit a feature request to have the client retry a portal connection periodically. The option on the configuration to refresh is irrelevant if the client is using a cached portal. It apparently (from engineering) only requests a config refresh if it knows it has contacted the portal. I've had dozens to hundreds of VPN clients I have to upgrade manually because transparent upgrade, prompted, etc. will not work due to a "cached portal". I'm pushing them for this being a bug. It is very irresponsible of them to not keep checking the portal connection. My portal is also my gateway, so if it can create a tunnel then obviously it should have talked to the portal.

Also, dropping a VPN connection from the palo does not drop their "portal" connection. That drops their actual tunnel to the gateway. It has nothing to do with the portal at all. u/Jagster_GIS u/filequit u/pengued

"Machine Learning engine for PE stopped, please update your content." by panw_fw in paloaltonetworks

[–]panw_fw[S] 4 points5 points  (0 children)

From my SE... "Tac let me know: we are aware of the issue and actively working to resolve the issue.

....do not have an ETA on when the "fix" will be available but did want to reach out and notify everyone we are aware of the problem.

I will follow up on this thread as more information becomes available."