topic Re: Forced VPN Connection with GlobalProtect in General Topics

Forced VPN Connection with GlobalProtect

gsteiner — Mon, 05 Aug 2013 12:34:05 GMT

Is it possible to force a VPN Connection so the client can only use wifi or ethernet if he is in the office or has a active VPN Connection?

Re: Forced VPN Connection with GlobalProtect

Gregoux — Mon, 05 Aug 2013 12:42:44 GMT

It's base on the gateway lookup resolution and you have to configure an internal gateway to do that.

and if the client is connected to the internal gateway no ipsec or vpn tunnel is mounted but you can use HIP information or login information to create your secuty rule that limit the accessible ressource for this device.

https://live.paloaltonetworks.com/docs/DOC-3930

Re: Forced VPN Connection with GlobalProtect

kprakash — Mon, 05 Aug 2013 12:48:53 GMT

Good Morning,

If you are talking about a user who wants to connect to an internal gateway, we can configure the PANFW gateway on a VPN tunnel with in the office as well. By default the PANFW supports the SSL connection to the GP users ( whether connected internally or externally), and we have to manually configure the gateways to accept a VPN connection.

You can find the information on the below thread:

https://live.paloaltonetworks.com/message/29549#29549

Hope it helps,

BR,

Karthik

Re: Forced VPN Connection with GlobalProtect

gsteiner — Mon, 05 Aug 2013 13:14:34 GMT

Really important for my customer is that the client can never connect directly to the internet.

That is possible?

Sorry if I have to ask it again for my understanding, but that is absolutly important, else i need to buy a other vpn solution.

Re: Forced VPN Connection with GlobalProtect

kprakash — Mon, 05 Aug 2013 13:35:42 GMT

Can you elaborate more upon the requirement. Your question isn't very clear.

BR,

Karthik

Re: Forced VPN Connection with GlobalProtect

gsteiner — Mon, 05 Aug 2013 14:00:47 GMT

The Requirement from the Customer say that the Laptop are not allowed to be exposed to the internet.

As soon the Laptop is connected to a network it has to establish a vpn or disable the connection.

Re: Forced VPN Connection with GlobalProtect

kprakash — Mon, 05 Aug 2013 14:50:34 GMT

You can leverage the single sign on feature, so when the laptop having the agent on it, connects within the network and has been successfully authenticated, a VPN tunnel gets established and he can go out to the internet via the tunnel. If he fails to get authenticated, the user will get identified as an unknown user, and we can configure a rule to block all unknown users. That way he cannot get access to the internet, although he is connected internally in the network. Like Gregoux mentioned as well, you can use the hip checks to deny access to the machines if they do not match a config criteria.

BR,

Karthik RP

Re: Forced VPN Connection with GlobalProtect

mbutt — Tue, 06 Aug 2013 06:11:37 GMT

You can create split tunnel by configuring access routes in the global protect gateway.

This way with security policy you can only allow access to ip address that you want and block access to the rest with the security policy.

Hope this helps.

Thanks

Re: Forced VPN Connection with GlobalProtect

gsteiner — Mon, 12 Aug 2013 06:29:51 GMT

Where can I configure a rule on the client side that if he is a unknows user traffic is blocked? On the Firewall of course...but on the laptop??

At home there is no PA to configure such things.

Re: Forced VPN Connection with GlobalProtect

gsteiner — Wed, 14 Aug 2013 06:39:24 GMT

I got a test licesne for globalprotect HIP.

Well I'm pretty sure now there is no way I can force a laptop user that he has to be connected to the vpn to be able to use the internet. In HIP I can't check if he can reach a public ip adress and there is also no way to place a firewall rule that would block his traffic if the vpn is not connected.

I need to buy now a Cisco VPN....

Re: Forced VPN Connection with GlobalProtect

VinceM — Wed, 14 Aug 2013 07:58:07 GMT

Hi,

I think that with Global protect pre logon connexion + internal detection gateway detection, it should work.

If user is at home, GP agent will try to contact corp portal and create VPN connexion as soon as the laptop is started.

block the split tunneling (route 0.0.0.0/0 through VPN)

after that, on corp PA, create rule based on user, group, app ....

Mean all traffic have to go through vpn.

Hope help

Re: Forced VPN Connection with GlobalProtect

${userLoginName} — Wed, 14 Aug 2013 08:06:40 GMT

If a user is at home, and for some reason, the VPN with HQ does NOT come up (for whatever reason), there is no way to prevent him to access the internet using his local internet line.

(The GlobalProtect client does not enforce a security policy on the local PC)

Re: Forced VPN Connection with GlobalProtect

Quinton — Mon, 18 Nov 2013 12:52:54 GMT

What happens in the following situation:

1) Client goes home and connects via wireless to his wifi network at home

2) GP automatically establishes a VPN to the office and sets the GP tunnel as the default route (0.0.0.0/0 -> GP tunnel)

3) Client now connects a 3G dongle to his laptop and establishes a 3G connection. The 3G connection now installs a 0.0.0.0/0 -> 3G

This would allow the client to access the internet without going via GP?

Re: Forced VPN Connection with GlobalProtect

segap — Tue, 25 Feb 2025 10:36:06 GMT

Yes, it is possible. Here is the link:

https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-portals/enforce-globalprotect-for-network-access

BR, Peter