topic Re: GlobalProtect agent download from direct URL in General Topics

GlobalProtect agent download from direct URL

FabienJ — Tue, 25 Jul 2017 09:18:21 GMT

Hi everyone,

Do you know if it's possible to block the download of the globalprotect agent via the direct URL ?

The goal here is to force users to authenticate in the portal web page to be able to download the agent.

Ex. for the 64bit agent :

https://<my-portal-address>/global-protect/getmsi.esp?version=64&platform=windows

If yes, could you please share the steps to solve it ?

Thanks a lot !

Fabien.

Re: GlobalProtect agent download from direct URL

Oyin-Idowu — Tue, 25 Jul 2017 14:30:33 GMT

There are couple of steps to achieve this depending on the configuration that already exist on your appliance.

1. Go to device > Certificate mgt > ssl/tls service profile > add. It should look like the image (2) below when you are done.

2. Network > GlobalProtect > Portal > Add >On the General Tab > Add > name> external interface > IP Address

3. Then on the authentication Tab confiigure your PA appliance as shown below in Image 1. This forces the portal to request user credentials before they can access the portal to download the agent. FYI, my environment uses the Local User database for authentication, yours may be different.

Re: GlobalProtect agent download from direct URL

Oyin-Idowu — Tue, 25 Jul 2017 14:42:02 GMT

You will also need to Generate a certificate or upload the certificate for Global protect using the public IP address of your untrust interface. see below

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Generate-a-New-Self-Signed-SSL-Certificate/ta-p/53215

Re: GlobalProtect agent download from direct URL

BPry — Tue, 25 Jul 2017 15:38:12 GMT

@FabienJ,

I'm not positive of a way to actually do this and still allow the download to accomplish on the portal. It's kind of like the ASAs in the point where if you know where to direct it for the file itself you can get the download without authentication. You could put the link itself behind a captive portal if this is a big enough issue for you, but the user experiance if they go through the portal would be pretty bad.

@Oyin-Idowu,

The authentication to the portal itself I'm sure is working perfectly fine, the file however can still be downloaded even if you don't authenticate by going directly to the download link.

Re: GlobalProtect agent download from direct URL

Remo — Tue, 25 Jul 2017 15:41:46 GMT

@Oyin-Idowu

I think @FabienJ has already done the steps you describe ... what he wants is to FORCE users to authenticate so nobody should be able to download the GP agent without log in

@FabienJ

You probably want to ask your SE for a feature request.

I can think of a possibility to achieve this, but at the moment I don't know if this works and it also contains something that's normally not recommended ... I will first do a little test before I write some sensless stuff here

... and once again @BPry was faster 😉 ...

Re: GlobalProtect agent download from direct URL

FabienJ — Tue, 25 Jul 2017 15:51:43 GMT

@Oyin-Idowu Thanks for your quick answer but yes, all the basic configuration is ok.

@BPry Yes, same as Vsphere client an so on ... I'm agree that there are no "confidentials" infos insinde the GP client, so this is not so armfull but still not really clean from a security point of view.

@Remo I will ask to my SE. I've tried few things using security policies with URL filtering without sucess. I'm waiting for your test result 🙂

Thanks !

Re: GlobalProtect agent download from direct URL

Remo — Tue, 25 Jul 2017 16:28:10 GMT

@FabienJ

What PAN-OS version are you using? I will probably try with 8.0.2 ...

Re: GlobalProtect agent download from direct URL

FabienJ — Tue, 25 Jul 2017 18:52:35 GMT

PAN-OS 7.1.10 and 8.0.x I think it will be the same with all versions

Re: GlobalProtect agent download from direct URL

Remo — Tue, 25 Jul 2017 22:02:43 GMT

first results: Wait for the SE to get this implemented the right way ... I'm not giving up, but it at the moment it looks like there are only two possibilitys: it is really not possible or if there is still a little chance, it will be really ugly ...

Right now it is even worse: I am still able to download the client with the direct url when the Login Page is DISABLED!

Re: GlobalProtect agent download from direct URL

Remo — Thu, 27 Jul 2017 15:34:34 GMT

Ok I failed to get this done. What I tried:

(I know this is really ugly) enable user identification on the Untrust/Internet zone. With this I was hoping that there will be a ip-user-mapping entry after a userlogin to the portal website. Then my plan was to only allow access to the download url for authenticated users. - Result: url filtering is possible but there is no ip-user-mapping
I also tried with captive portal. Then my intention was to prepare the captive portal website to look like the GP Portal. And block the access to the upcoming GP portal URL, so I can place a block response page that looks like the GP portal after login. This way I would have a usermapping which could be used to allow only authenticated users to download the software - Result: if you configure a captive portal rule for accessing the GP portal IP --> GP Portal always comes first, captive portal does not show up

So you eithe wait for this feature request or place the GP software on your own webserver with either doing the authentication completely yourself on the webserver or use a captive portal rule there so your PA firewall at least handles the authentication/authorization part ...

PS: as I already wrote, when you disable the portal login website completely the download is still available with the direct url

Re: GlobalProtect agent download from direct URL

ansharma — Fri, 28 Jul 2017 00:30:24 GMT

Hi FabienJ,

This is possible.

You'd need an external web-server to host the GP software.

Now, if you can configure some sort of authentication there, that's all well and good. If not, you can make use of PAN OS 8.0 for the 'Authentication policy' feature (this is what I'll demonstrate). For authentication policy approach, you should be hosting the file on a http server. Using this method, you can even do MFA for just the download, so I guess that's a plus.

Well, here are the steps:

set global-protect redirect location <path of the external server repository of the file>
set global-protect redirect on

In my case, since I didn't have a http server, I just chose something random like: http://www.ipvoid.com

Run the command - set global-protect redirect show

You should see the output similar to mine:

cfg.global-protect.redirect.flag: True
cfg.global-protect.redirect.location: http://www.ipvoid.com

At this point, you are pretty much done if you are doing authentication on that external server.

Proceed if you want to use the Authentication policy approach.

1. Create a captive portal

Redirect host, in your case, will be the external facing address that can server the authentication page.

Choose an appropriate SSL/TLS profile and authentication profile.

2. Create an authentication policy

Please keep in mind that you'd have to choose the source zone as Outside. I am using Inside because of the way my lab setup is configured. Also, the destination zone would be something depending on where the file hosting server lies and if NAT is required or not. Destination adddress would be whatever address you have entered as the file server. You can choose Authentication Enforcement to use two-factor, if you want. I am just using a simple Web-form (captive portal).

Here's the demo:

Whether I go to the GP-portal, login and then click on the download GP client links or directly enter https://<my-portal-address>/global-protect/getmsi.esp?version=64&platform=windows , I will get an MFA portal page (customizable btw, under Device->Response pages), which will look like this:

I would authenticate and then the firewall would redirect me to the file server (in this case it's just going to ipvoid.com).

Hope that helps.

Regards,

Anurag

Re: GlobalProtect agent download from direct URL

Remo — Fri, 28 Jul 2017 07:05:42 GMT

Hi @ansharma

But if someone knows the download url, he will still be able to go directly there and download the software ...

This is the point in this topic, that the download is available without login - if someone knows the download url - and that the download is still available when the portal is disabled ...

Re: GlobalProtect agent download from direct URL

ansharma — Fri, 28 Jul 2017 11:01:52 GMT

I though the user wanted to know a way to force authentication for people going directly to the download link rather than the portal first. This is what the method above provides.

Honestly, you can't prevent people from knowing the portal link. I mean, most companies use something simple like gp.acme.com or vpn.acme.com. And, besides Geolocation blocking, you could just find many of them accessible. So, what if you did - it's requiring someone to do a portal login to connect and/or using the Authentication policy to download the GP client from their portal.

Additionally, even if someone downloads the GP from the portal link, the only thing being taxed is the firewall's resource providing the download, which again you can enforce authentication using the method described. One can go to cisco's website from any valid (entitled) account and download Anyconnect client. A blank VPN client is just that, blank.

Regards,

Anurag

Re: GlobalProtect agent download from direct URL

BPry — Fri, 28 Jul 2017 13:08:46 GMT

@Remo,

Since you are setting the GlobalProtect redirect flag you won't be able to actually get to the client download package, that redirect will force you over to the server that you set and that's where the Captive Portal piece comes in to actually get this to work.

Re: GlobalProtect agent download from direct URL

BPry — Fri, 28 Jul 2017 13:12:18 GMT

@FabienJ,

Out of curiosity and because I don't think it's been asked yet, what is your industry that you actually have to worry about people using the direct URL link? I can't get my users to remember the portal address itself, let alone the package URL.

Re: GlobalProtect agent download from direct URL

FabienJ — Fri, 28 Jul 2017 13:20:45 GMT

Hi Guys,

First, many thanks to @Remo and @ansharma for your time.

@Remo using your first ugly method, it sounds like it's working at the end ? You have an URL blocking page when you try to reach the downnload URL ?

You just can't get user mapping info ? Can't we tune the User-ID ACL on the zone to make this less ugly 🙂 ?

@ansharma it's a pretty interesting workaround, I need to try this one after my holidays 🙂

As you said, all vendors are using this way to delivers agents (Vsphere, AnyConnect and so on ...) but I think it's not a good thing to imitate.

My SE also suggested something that should work with hardware models, using vsys, one hosting the captive portal, then another vsys hosting the global protect portal and the agent.

...A feature request should happen soon 🙂

Thanks again !

Re: GlobalProtect agent download from direct URL

FabienJ — Fri, 28 Jul 2017 13:25:56 GMT

@BPry researchers 🙂

Re: GlobalProtect agent download from direct URL

Remo — Sat, 29 Jul 2017 22:50:39 GMT

@BPry wrote:
@Remo,
Since you are setting the GlobalProtect redirect flag you won't be able to actually get to the client download package, that redirect will force you over to the server that you set and that's where the Captive Portal piece comes in to actually get this to work.

True, I somehow missed this point 😛

But this solution will force users, who connect first to the GP Portal, to log in twice - because the ip-user-mapping is not created when a user logs in to the GP Portal ...

I think we see it all in the same way: it is not really a really a problem and definately not a security issue...

... but with the GP Portal login I think that the login should be also required for downloading the software or is there another reason for a GP Portal with login form?

Re: GlobalProtect agent download from direct URL

ansharma — Sun, 30 Jul 2017 00:41:37 GMT

@Remo Yes, using my method the user would have to login again but it's not because of the user-ip mapping. Authentication policy is a new feature (starting 8.0) and works slightly different from the former captive portal, although it uses captive portal as one of the pieces of configuration.

The user would be logging in again because there are 2 independent set of authentications happening. One at the portal login page and another using the Authentication policy.

In congruence with you and @BPry, receiving GP agent directly (without having to login) does not really post a security risk. The portal authentication's real job is not to deliver GP agent, instead it's focus is during the actual VPN connection.

Regards,

Anurag

Re: GlobalProtect agent download from direct URL

ksauer507 — Sat, 16 Jul 2022 13:32:12 GMT

Wow thanks this thread saved my bacon this morning.

Had a user who called and said they were kicked out of the VPN this morning. So I walked them through Windows Quck Assist to get connected. Oddly when clicking connect in GlobalProtect nothing happened. I noticed in services.msc there was no PanGPS service at all!!!! Like how was she ever working to begin with in the last few weeks?

So in appwiz.cpl I go to "change" to repair Global Protect and sure enough it cant because its not connected in the first place to find our DFS file share!

So your link saved my bacon and I was able to throw it into chrome to download it, use my LAPS UI and get them a local admin password and walk them through the install. They connected immediately and then I instructed LAPS to recycle the local admin password.

Awesome link, I'd never want to block it.