topic Re: Users adding Portals in General Topics

Users adding Portals

RobertShawver — Fri, 16 Jun 2023 13:43:40 GMT

Hello -

Is there anyway to get visibility if someone adds a Portal Address to the Managed Portals within GlobalProtect?

Re: Users adding Portals

BPry — Fri, 16 Jun 2023 13:47:43 GMT

On a Windows endpoint it'll show up in the registry under HKEY_CURRENT_USER\Software\Palo Alto Networks\GlobalProtect\Settings with each portal having it's own key. On a Mac endpoint it'll show up in the plist file, but I forget where it's located off hand.

Re: Users adding Portals

RobertShawver — Fri, 16 Jun 2023 13:57:22 GMT

@BPry Thanks for the quick reply. I was hoping there would be some way via Panorama I could find any Portal not authorized, if that makes sense. Otherwise, I'm at the mercy of the Windows team or some other method of crawling the devices registry for any Portal not intended.

Re: Users adding Portals

BPry — Fri, 16 Jun 2023 14:06:40 GMT

@RobertShawver,

You won't have that capability directly built into the firewall. I think the best way you could accomplish this on the firewall would be using a custom check against HKEY_CURRENT_USER\Software\Palo Alto Networks\GlobalProtect\Settings and pulling the value of LastUrl with your expected portal(s).

This would allow you to build out a hip-profile that checks for devices that don't match one of those hip-objects, as this would denote that the endpoint in question is using a non-approved address. If you simply just don't want to allow a user to change the portal address however, you could just set the 'Allow User to Change Portal Address' app setting to No.

Re: Users adding Portals

RobertShawver — Fri, 16 Jun 2023 14:11:20 GMT

@BPry Or is there a way to limit the number of Portals to predefined ones?

Re: Users adding Portals

BPry — Fri, 16 Jun 2023 14:22:32 GMT

@RobertShawver,

I'm not aware of a way to pre-specify portal addresses while also not allowing someone to add another portal address. You can pre-specify multiple portal addresses by GPO and updating the registry keys that I specified above, but I don't think you could allow them to change between portal addresses without also giving them the option to specify a new one completely without restricting registry key creation for a normal user account.

Re: Users adding Portals

RobertShawver — Fri, 16 Jun 2023 14:36:01 GMT

@BPry I just tested and that only populates on a successful connection.

Re: Users adding Portals

BPry — Fri, 16 Jun 2023 14:51:28 GMT

@RobertShawver,

Correct. That value is just the last portal address utilized. When you add a new portal the associated registry add would be a new key under \HKEY_CURRENT_USER\Software\Palo Alto Networks\GlobalProtect\Settings, however I can't think of an easy way to utilize a HIP check to validate that there isn't an unexpected key present. That's why I'd use the LastUrl value.