https://live.paloaltonetworks.com/t5/globalprotect-discussions/how-to-deactivate-gp-package-on-the-firewall/m-p/561132#M4492 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/37852">@RMikalauskas</a> ,</P> <P>&nbsp;</P> <P>Wow!&nbsp; I did not know this.&nbsp; I tested this, and you are correct!&nbsp; This concerns me not because of bandwidth as you mentioned, but that unauthenticated users can access a small, supposedly protected portion of the NGFW file system.</P> <P>&nbsp;</P> <P>Thankfully, there IS a solution.&nbsp; <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001VieCAE&amp;lang=en_US%E2%80%A9" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001VieCAE&amp;lang=en_US%E2%80%A9</A></P> <P>&nbsp;</P> <OL> <LI>PANW does NOT consider it a security vulnerability as mentioned in the article <EM>above</EM>.</LI> <LI>You can block the web via a custom URL category. <OL class="lia-list-style-type-lower-alpha"> <LI>I would not block it with a URL Filtering Security Profile as the article <EM>above</EM> details, but I would create a security policy rule as the article <EM>below</EM> details.</LI> </OL> </LI> <LI>You can have your SE vote for FR ID: 3205 to only allow authenticated users to access the GlobalProtect download page as mentioned in the article <EM>above</EM>.</LI> <LI>Blocking the download web page will break GP automatic upgrades as mentioned in the article <EM>below</EM>.</LI> </OL> <P><A href="https://packetpassers.com/how-to-disable-the-globalprotect-download-page/" target="_blank" rel="noopener">https://packetpassers.com/how-to-disable-the-globalprotect-download-page/</A></P> <P>&nbsp;</P> <P>Thanks to PacketPassers for the awesome article!</P> <P>&nbsp;</P> <P>I tried to see if I could block it via application.&nbsp; I created a security policy rule to only allow panos-global-protect and ipsec-esp-udp to my NGFWs, and that did not stop ssl and web-browsing (b/c the NGFW is decrypting it) from being allowed and working.&nbsp; I guess ssl is an integral part of panos-global-protect.&nbsp; (Yes, I created a block rule before the intrazone-default rule.&nbsp; The allowed ssl and web-browsing hit my rule that only allowed panos-global-protect.)&nbsp; So, you cannot block it by application.</P> <P>&nbsp;</P> <P>I also tried to delete the activated file via the CLI with delete global-protect-client version &lt;value&gt;.&nbsp; That deletes the file, but there is still a check mark under Currently Installed and you can still download the files from the web page.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Tue, 10 Oct 2023 15:10:56 GMT TomYoung 2023-10-10T15:10:56Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/how-to-deactivate-gp-package-on-the-firewall/m-p/561080#M4490 <P>Hello. It is known that GP Portal landing page in the browser can be easily bypassed by replacing login.esp with getsoftwarepage.esp</P> <P>&nbsp;</P> <P>PAN knows this, they do not see it as a security risk, which is nuts if you ask me. Don't mind the ability for someone to run a download loop and eat the bandwith downloading 200MB file infinitelly from multiple sources...</P> <P>&nbsp;</P> <P>So we do not want to host a file "free for all" on the Internet, and completelly remove it from the Firewall. Problem is that even when you delete all the GP packages from the CLI - one still remains "activated", and download page still works. Yes, even with Portal landing page Disabled.</P> <P>&nbsp;</P> <P>Thoughts?</P> Tue, 10 Oct 2023 09:24:08 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/how-to-deactivate-gp-package-on-the-firewall/m-p/561080#M4490 RMikalauskas 2023-10-10T09:24:08Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/how-to-deactivate-gp-package-on-the-firewall/m-p/561132#M4492 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/37852">@RMikalauskas</a> ,</P> <P>&nbsp;</P> <P>Wow!&nbsp; I did not know this.&nbsp; I tested this, and you are correct!&nbsp; This concerns me not because of bandwidth as you mentioned, but that unauthenticated users can access a small, supposedly protected portion of the NGFW file system.</P> <P>&nbsp;</P> <P>Thankfully, there IS a solution.&nbsp; <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001VieCAE&amp;lang=en_US%E2%80%A9" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001VieCAE&amp;lang=en_US%E2%80%A9</A></P> <P>&nbsp;</P> <OL> <LI>PANW does NOT consider it a security vulnerability as mentioned in the article <EM>above</EM>.</LI> <LI>You can block the web via a custom URL category. <OL class="lia-list-style-type-lower-alpha"> <LI>I would not block it with a URL Filtering Security Profile as the article <EM>above</EM> details, but I would create a security policy rule as the article <EM>below</EM> details.</LI> </OL> </LI> <LI>You can have your SE vote for FR ID: 3205 to only allow authenticated users to access the GlobalProtect download page as mentioned in the article <EM>above</EM>.</LI> <LI>Blocking the download web page will break GP automatic upgrades as mentioned in the article <EM>below</EM>.</LI> </OL> <P><A href="https://packetpassers.com/how-to-disable-the-globalprotect-download-page/" target="_blank" rel="noopener">https://packetpassers.com/how-to-disable-the-globalprotect-download-page/</A></P> <P>&nbsp;</P> <P>Thanks to PacketPassers for the awesome article!</P> <P>&nbsp;</P> <P>I tried to see if I could block it via application.&nbsp; I created a security policy rule to only allow panos-global-protect and ipsec-esp-udp to my NGFWs, and that did not stop ssl and web-browsing (b/c the NGFW is decrypting it) from being allowed and working.&nbsp; I guess ssl is an integral part of panos-global-protect.&nbsp; (Yes, I created a block rule before the intrazone-default rule.&nbsp; The allowed ssl and web-browsing hit my rule that only allowed panos-global-protect.)&nbsp; So, you cannot block it by application.</P> <P>&nbsp;</P> <P>I also tried to delete the activated file via the CLI with delete global-protect-client version &lt;value&gt;.&nbsp; That deletes the file, but there is still a check mark under Currently Installed and you can still download the files from the web page.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Tue, 10 Oct 2023 15:10:56 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/how-to-deactivate-gp-package-on-the-firewall/m-p/561132#M4492 TomYoung 2023-10-10T15:10:56Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/how-to-deactivate-gp-package-on-the-firewall/m-p/561214#M4495 <P>Thanks, Tom. <span class="lia-unicode-emoji" title=":thumbs_up:">👍</span></P> Wed, 11 Oct 2023 06:08:48 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/how-to-deactivate-gp-package-on-the-firewall/m-p/561214#M4495 RMikalauskas 2023-10-11T06:08:48Z