Friday 26 July 2024

common VPN lifetime values

Found on Palo Alto we can't config seconds 86400 (max value allowed was 65xxx). Have to use 1 day, but my P1 still wasn't coming up. Changed to seconds and dropped to 28800 on both sides and the VPN came up.


3600 - 1 hr

28800 - 8 hr

43200 - 12 hr

86400 - 24 hr

Tuesday 16 July 2024

how to enable web application scanning in nessus

Download / install docker

Docker "WAS" image gets downloaded and installed


https://www.youtube.com/watch?v=c4mkTh7fx4o&list=PLOMx6Layn69hnaUx9iD6FzecX5DQoCn48&index=7

config trunk in VMware

 Identify VMNICs 

VMware names them as they boot up, so they are not always in the order you might think.

Easiest way is plug in the port and watch the VMware interface to see if it shows as up.

Also a good idea to enable CDP on the VMware and the switch on the other side.


We want to run at least 2 high bandwidth (10gig plus) cables from switch to VMware.

Config as trunk on switch


VCenter config

Network virtual switches

Go to VMhost

Configure

Virtual switches 

Add networking

Virtual machine port or for standard switch

select vswitch

Give a name DMZ

Fill in vlan number

Finish


VLAN modes

vlan - pick 250

vlan trunking - pass the trunk onto the VM (won't use it often)

Private vlan - for Pvlans (won't use often either)


Friday 5 July 2024

punycode phishing

 https://en.wikipedia.org/wiki/Punycode


Scammers use non-English characters to make phishing URLs look more legit; some are harder to spot than others.


URLs will have an xn-- in them. Some platforms auto-block, some will render the real URL and some will show the punycode, which can trick users into clicking it.
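A quick way to check a URL for xn-- labels and see what they decode to (an added example, not from the original notes; the function names and the sample URL are constructed for illustration):

```python
import unicodedata
from urllib.parse import urlsplit

ACE_PREFIX = "xn--"  # marks a punycode-encoded (IDN) hostname label


def scripts_of(text):
    """Rough script names: first word of each letter's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def inspect_url(url):
    """Return one finding per xn-- label in the URL's hostname."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare host as the netloc
    host = urlsplit(url).hostname or ""
    findings = []
    for label in host.split("."):
        if not label.startswith(ACE_PREFIX):
            continue
        try:
            decoded = label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
        except UnicodeError:
            findings.append({"label": label, "decoded": None,
                             "reason": "malformed punycode"})
            continue
        scripts = scripts_of(decoded)
        # More than one script in a single label is the harder-to-spot case.
        reason = "mixed scripts" if len(scripts) > 1 else "non-ASCII label"
        findings.append({"label": label, "decoded": decoded,
                         "scripts": sorted(scripts), "reason": reason})
    return findings


# Constructed sample: built by encoding a harmless German word, not a real URL.
SAMPLE = ("https://" + ACE_PREFIX
          + "bücher".encode("punycode").decode("ascii") + ".example/login")

if __name__ == "__main__":
    for finding in inspect_url(SAMPLE):
        print(finding)
```

The script names are a rough heuristic based on Unicode character names, so treat a "mixed scripts" result as a prompt to look closer rather than a verdict.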

You get prompted twice for GlobalProtect with MFA/2FA on Palo Alto firewall

The usual fix is to put

portal auth > AD 

gateway auth > MFA server


However we found with some OTP/fob code users it wasn't working well


Fix was 

Upgrade GP to preferred release (6.2.3 at time of writing)

Enable the authentication cookie settings on GP


Portal - Generate cookie for auth override

Choose the same cert you use for the GP 


Gateway - Accept cookie for auth override

Choose the same cert you used in portal


Push policy

Watch out: any AD changes may take 15 mins to update on the Palo, so if you move a user into another group for testing it might not work for 15 minutes.



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004MACCA2&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail




Tuesday 2 July 2024

SSL block on FMC

 You may see SSL Block but not sure of the reason 

Pick out a blocked connection

Search for src and dst IP

Go into table view

Click "x" on a column (remember to recheck it)

Add the columns "SSL Flow error" and "SSL Flow Messages"

Apply