"Negate" for Registry Value in Custom Checks Does Not Work

Created On 03/18/20 00:45 AM - Last Modified 03/18/20 00:51 AM


Symptom


"Negate" is enabled for a Registry Value under Custom Checks in the GlobalProtect Portal so that only GlobalProtect clients that do not have the specified Value Data for that Registry Value are allowed to connect.
However, the GlobalProtect client fails to connect even though it does not have the Value Data.

Network > GlobalProtect > Portals > (Portal Name) > Agent > (Agent Config Name) > Config Selection Criteria tab > Custom Checks tab > Registry Key tab > (Registry Key)


Environment


- PAN-OS 9.0+
- Palo Alto Firewall

 


Cause


Negate works on the Registry Key or Registry Value, not the Value Data. There is no Negate option for the Value Data.

 


Resolution


Remove the Value Data, because Negate does not work when the Value Data is configured. The Value Data and Negate cannot be configured together.
 

