topic Re: How to Block MUs that have a back level version of the Global Protect client - in this case 6.2.2 in GlobalProtect Discussions

How to Block MUs that have a back level version of the Global Protect client - in this case 6.2.2

Michaeleddinger — Wed, 24 Jul 2024 18:28:34 GMT

How do I Block MUs that have a back level version of the Global Protect client - in this case 6.2.2(windows and Mac) but not effect the Linux users

Re: How to Block MUs that have a back level version of the Global Protect client - in this case 6.2.2

aleksandar.astardzhiev — Wed, 21 Aug 2024 14:43:43 GMT

Hi @Michaeleddinger ,

Apologies but your question is not clear. Can you provide some clarification? What is "MUs"? And what do you mean by "back level version"?

Re: How to Block MUs that have a back level version of the Global Protect client - in this case 6.2.2

Michaeleddinger — Wed, 21 Aug 2024 16:11:49 GMT

MU = Mobile Users and back level version is any person using the global protect client < 6.2.2 version (in the case of the service I provide)

Re: How to Block MUs that have a back level version of the Global Protect client - in this case 6.2.2

aleksandar.astardzhiev — Thu, 22 Aug 2024 06:32:27 GMT

Hey @Michaeleddinger ,

Unfortunately GlobalProtect does not really provide a way to block users to connect to the VPN based on host compliancy check.

However you can use the HIP profiles to define host compliancy check, including the version of the GlobalProtect app - HIP Objects General Tab (paloaltonetworks.com)

As mentioned, using HIP user will still be allowed to establish tunnel (after successfull authentication), but once connected GP client will submit a HIP report with host information. With HIP object and HIP profiles, you can create firewall rules matching these users with older version and restrict or completely block their access.