topic Re: Block user from connecting with Global Connect in GlobalProtect Discussions

Block user from connecting with Global Connect

thoffman — Mon, 24 Jan 2022 18:47:17 GMT

Hello,

I have tried searching and must be missing something.

I am trying to block a user from attaching Global Protect. From what I have read you should be able to go to Network>GlobalProtect>Device Block List and add the device\user to the list. The issue I am running into is that I do not see this list when I go there.

I am running PANOS 10.1.3, does this list need to be created? Does someone have a link to the directions on how to create\find this list?

Thank you,

Tom

Re: Block user from connecting with Global Connect

BPry — Mon, 24 Jan 2022 19:10:18 GMT

@thoffman,

Whatever you were looking at must have been older. If you wish to block the device from connecting you would simply add it under Device -> Device Quarantine, and at that point the device won't be able to connect to GlobalProtect anymore. https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/device/device-device-quarantine.html

If you're looking to block an individual user, regardless of device, there's a few ways you can do so:

* Remove the user from the Gateway Agent configuration so they don't have a configuration to hand out. This would allow them to authenticate technically, but GlobalProtect won't connect as they don't have an assigned agent config.

* Remove the user from the AD groups (assuming active directory) that actually power authentication. So as an example you might have a Authorized-VPN-Users security group that is attached to the Authentication Profile in the Allow List, simply remove that user from the associated groups.

* Create a specific Agent configuration for this user, above all other configs in the list, that gives them a blocked IP Pool. Anyone assigned this agent config could be allocated an IP Pool that simply has a deny entry at the begining of your security rulebase as that while they'll be allowed to "connect", they can't process any network traffic.

* Setup a deny rule and just target their User-ID entry as the source-user and deny all of the traffic from that User-ID coming across your GlobalProtect security zones.

Removing them from the authentication profile so they simply can't authenticate is the "correct" answer for this, but any of these will technically work perfectly fine.

Re: Block user from connecting with Global Connect

thoffman — Mon, 24 Jan 2022 22:23:35 GMT

First off that you for your reply. I am very new to managing firewalls and it is appreciated.

From reading your post I think the best way to proceed is to block the device in the Device Quarantine list. I looked up the Host ID but when I go and click on add and put the Host ID in and click apply not errors pop up but the device never shows up in the list.

So will try to figure that one out. 🙂
Thank you again,

Tom

Re: Block user from connecting with Global Connect

thoffman — Wed, 26 Jan 2022 17:23:15 GMT

Just an update that I did add the Host ID to the Device Quarantine list and it does show the device and being Quarantined in the Global Protect logs.

The funny thing is that there is nothing in the Device>Device Quarantine list in the firewall?

Thank you,

Tom

Re: Block user from connecting with Global Connect

thoffman — Mon, 31 Jan 2022 13:57:57 GMT

Just a follow up that the reason the Device Quarantine list is that there is a bug in 10.1.3 that causes this. We were told to roll back to 10.0.8-h8 and all the issues cleared up.

Thank you,

Tom