topic Re: Enforcing Global Protect only on remote sessions in General Topics

Enforcing Global Protect only on remote sessions

dahoove — Fri, 24 Feb 2023 14:42:36 GMT

My company only allows company issued laptops (Windows only) to remotely connect to our network via VPN. Since these are company devices I feel they should always be restricted to company internet usage polices that only allow access to approved sites and categories. My users are all in office based but do need to remote in for those few work at home days (weather, kid issues, blah blah) or if they are on the road. Out of my 120 devices, only 15 of them even use VPN now so small group.

We are only 2 months into using PA and I have Global Protect configure and working for single tunnel access, AD authentication, with the GP Portal set to user log in (always on). Portal and gateway are on the same device and pointed to the external interface. We do not have HIP licensing or requirements (yet).

I have been playing with the Enforce Global Protect option. I discovered that if I turn that option on I can not log in when I am in the office. I wasn't surprised by this result, and I am having issues finding any documentation on what the correct config is for this scenario and wanted to make sure I wasn't missing some easy setting or config change.

What it looks like I have to do is create a 2nd gateway attached to the internal interface if I want the Enforce option on. Is that correct or is there a setting or something I can make?

Re: Enforcing Global Protect only on remote sessions

OtakarKlier — Fri, 24 Feb 2023 18:05:51 GMT

Hello,

I believe you would either need to setup an install portal/gateway or the following:

https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PNid

Regards,

Re: Enforcing Global Protect only on remote sessions

dahoove — Fri, 24 Feb 2023 19:37:51 GMT

That might be needed but didn't fix the issue. I creates an internal gateway went into portal config under internal and add the internal info to that. When I try to connect the GP client from an internal network it seems to see the portal and then tries to get a configuration but then throws a Network connection is unreachable or portal is unresponsive.

Re: Enforcing Global Protect only on remote sessions

OtakarKlier — Fri, 24 Feb 2023 19:42:23 GMT

If its using an external IP/interface, you might need a u-turn NAT and policies to accomplish.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CllzCAC

Regards,