GP - Connect with SSL Only

thompso104 — Tue, 06 Aug 2024 13:24:36 GMT

I am running panorama 11.1.3 and using prisma access (Mobile_User_Template). I have read that there is a Connect with SSL Only option but I can not find this. I'm looking in Portal->Agent->App.

What am I missing?

Here is every setting I have pasted directly from Panorama:

Connect Method
Pre-logon (Always On)
GlobalProtect App Config Refresh Interval (hours)
24 [1 - 168]
Allow user to disconnect GlobalProtect App (Always-on mode)
Allow
Display the following reasons to disconnect GlobalProtect (Always-on mode)
Allow User to Uninstall GlobalProtect App (Windows Only)
Allow
Allow User to Upgrade GlobalProtect App
Allow with Prompt
Allow user to Sign Out from GlobalProtect App
Yes
Allow user to extend GlobalProtect User Session
No
Use Single Sign-on (Windows)
No
Use Single Sign-on for Smart card PIN (Windows)
No
Use Single Sign-on (macOS)
No
Clear Single Sign-On Credentials on Logout (Windows Only)
Yes
Use Default Authentication on Kerberos Authentication Failure
Yes
Use Default Browser for SAML Authentication
No
Automatic Restoration of VPN Connection Timeout (min)
30 [0 - 180]
Wait Time Between VPN Connection Restore Attempts (sec)
5 [1 - 60]
Endpoint Traffic Policy Enforcement
No
Enforce GlobalProtect Connection for Network Access
No
Allow traffic to specified hosts/networks when Enforce GlobalProtect Connection for Network Access is enabled and GlobalProtect Connection is not established

Allow traffic to specified fqdn when Enforce GlobalProtect Connection for Network Access is enabled and GlobalProtect Connection is not established

Captive Portal Exception Timeout (sec)
0 [0 - 3600]
Automatically Launch Webpage in Default Browser Upon Captive Portal Detection
Traffic Blocking Notification Delay (sec)
15 [5 - 120]
Display Traffic Blocking Notification Message
Yes
Traffic Blocking Notification Message
<div style="font-family:'Helvetica Neue';"><h1 style="color:red;text-align:center; margin: 0; font-size: 30px;">Notice</h1><p style="margin: 0;font-size: 15px; line-height: 1.2em;">To access the network, you must first connect to GlobalProtect.</p></div>
Allow User to Dismiss Traffic Blocking Notifications
Yes
Display Captive Portal Detection Message
No
Captive Portal Detection Message
<div style="font-family:'Helvetica Neue';"><h1 style="color:red;text-align:center; margin: 0; font-size: 30px;">Captive Portal Detected</h1><p style="margin: 0; font-size: 15px; line-height: 1.2em;">GlobalProtect has temporarily permitted network access for you to connect to the Internet. Follow instructions from your internet provider.</p><p style="margin: 0; font-size: 15px; line-height: 1.2em;">If you let the connection time out, open GlobalProtect and click Connect to try again.</p></div>
Captive Portal Notification Delay (sec)
5 [1 - 120]
Client Certificate Store Lookup
User and Machine
SCEP Certificate Renewal Period (days)
7 [0 - 30]
Extended Key Usage OID for Client Certificate
Retain Connection on Smart Card Removal (Windows Only)
Yes
Enable Advanced View
Yes
Allow User to Dismiss Welcome Page
Yes
Have User Accept Terms Of Use before Creating Tunnel
No
Enable Rediscover Network Option
Yes
Enable Resubmit Host Profile Option
Yes
Enable Intelligent Portal Selection
No
Allow User to Change Portal Address
Yes
Allow User to Continue with Invalid Portal Server Certificate
No
Display GlobalProtect Icon
Yes
User Switch Tunnel Rename Timeout (sec)
0 [0 - 7200]
Pre-Logon Tunnel Rename Timeout (sec) (Windows Only)
-1 [-1 - 7200]
Preserve Tunnel on User Logoff Timeout (sec)
0 [0 - 600]
Custom Password Expiration Message (LDAP Authentication Only)
Automatically Use SSL When IPSec Is Unreliable (hours)
0 [0 - 168]
Display IPSec to SSL Fallback Notification
Yes
Advanced Control for Tunnel Mode Behavior
No
GlobalProtect Connection MTU (bytes)
1300
Maximum Internal Gateway Connection Attempts
0 [0 - 100]
Enable Advanced Internal Host Detection
No
Portal Connection Timeout (sec)
5 [1 - 600]
TCP Connection Timeout (sec)
5 [1 - 600]
TCP Receive Timeout (sec)
30 [1 - 600]
Split-Tunnel Option
Both Network Traffic and DNS
Enhanced Split-Tunnel Client Certificate Public Key
Empty
Resolve All FQDNs Using DNS Servers Assigned by the Tunnel (Windows Only)
Yes
Append Local Search Domains to Tunnel DNS Suffixes (Mac Only)
No
Update DNS Settings at Connect (Windows Only) (Deprecated)
No
Local Proxy Port
9999 [1024 - 65534]
Agent Mode for Prisma Access
Tunnel
Proxy Auto-Configuration (PAC) File URL
Detect Proxy for Each Connection (Windows only)
No
Set Up Tunnel Over Proxy (Windows & Mac Only)
Yes
HIP Process Remediation Timeout (sec)
0 [0 - 300]
HIP Process Remediation Retry
0 [0 - 3]
HIP Process Remediation integrity Check
Send HIP Report Immediately if Windows Security Center (WSC) State Changes (Windows Only)
Yes
Enable Inbound Authentication Prompts from MFA Gateways
No
Network Port for Inbound Authentication Prompts (UDP)
4501 [1 - 65535]
Trusted MFA Gateways

Inbound Authentication Message
You have attempted to access a protected resource that requires additional authentication. Proceed to authenticate at
Suppress Multiple Inbound MFA Prompts (sec)
0 [0 - 180]
IPv6 Preferred
No
Change Password Message
Log Gateway Selection Criteria
No
Enable Autonomous DEM and GlobalProtect App Log Collection for Troubleshooting
Yes
Display Autonomous DEM Updates Notification
No
Run Diagnostics Tests for These Destination Web Servers

Autonomous DEM endpoint agent for Prisma Access for GP version 6.2 and below (Windows & MAC only)
Install and user can enable/disable agent from GlobalProtect
Access Experience (ADEM, App Acceleration, End user coaching) for GP 6.3 and above (Windows & MAC only)
No Action (The Agent state remains as is)
Device Added to Quarantine Message
Your security policy has restricted access to the network from this device. If the issue persists, contact your administrator.
Device Removed from Quarantine Message
Your security policy has restored access to the network from this device. If you still cannot access the network, contact your administrator.
Display Status Panel at Startup (Windows Only)
No
Allow GlobalProtect UI to Persist for User Input

Re: GP - Connect with SSL Only

Claw4609 — Tue, 06 Aug 2024 14:58:30 GMT

Hello,

Are you managing prisma via Panorama? You can disable IPSec under the GP Gateway. What are you looking to disable IPsec for as IPsec is more secure and more efficient than SSL.

Re: GP - Connect with SSL Only

thompso104 — Tue, 06 Aug 2024 16:31:35 GMT

Yes managing prisma access with panorama. I want to make an agent profile for users that have frequent disconnects and give them a lower MTU. I was asked by TAC at one point to enable the SSL Only option but I can't find it.

Re: GP - Connect with SSL Only

Brandon_Wertz — Wed, 07 Aug 2024 13:01:18 GMT

@thompso104 wrote:

Yes managing prisma access with panorama. I want to make an agent profile for users that have frequent disconnects and give them a lower MTU. I was asked by TAC at one point to enable the SSL Only option but I can't find it.

@thompso104 The screenshot that @Claw4609 shared with you above will accomplish what you're saying you want to do. By having the "Enable IPsec" box unchecked GP VPN connections will only be established via SSL.

Re: GP - Connect with SSL Only

thompso104 — Wed, 07 Aug 2024 13:27:45 GMT

That would affect every user at the gateway. My requirement is per user at the portal or app level just like how MTU is set. It's explained in this doc. Sounds like this doc should be updated since the setting is no longer an option and it can only be done per gateway. @Claw4609 @Brandon_Wertz https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-portals/customize-the-globalprotect-app

Re: GP - Connect with SSL Only

Claw4609 — Wed, 07 Aug 2024 13:37:48 GMT

Which version are you using? Its looks like that setting was renamed to "Advanced Control for Tunnel Mode Behavior"

Re: GP - Connect with SSL Only

Claw4609 — Wed, 07 Aug 2024 13:44:00 GMT

Yeah then it looks like you should be looking for Advanced Control for Tunnel Mode Behavior and then under that, selecting ssl only.

Customize the GlobalProtect App (paloaltonetworks.com)

Re: GP - Connect with SSL Only

thompso104 — Wed, 07 Aug 2024 14:31:54 GMT

I found it and it's working. Thank you @Claw4609 !

topic Re: GP - Connect with SSL Only in General Topics

GP - Connect with SSL Only

Re: GP - Connect with SSL Only

Re: GP - Connect with SSL Only

Re: GP - Connect with SSL Only

Re: GP - Connect with SSL Only

Re: GP - Connect with SSL Only

Re: GP - Connect with SSL Only

Re: GP - Connect with SSL Only