topic Re: GlobalProtect Enforce Connection for Network Access Captive Portal detection in General Topics

GlobalProtect Enforce Connection for Network Access Captive Portal detection

plevesque — Wed, 25 Oct 2017 18:26:20 GMT

Hi,

We are using global protect with the following agent features :

GlobalProtect Enforce Connection for Network Access enable and Captive Portal detection enable with timeout of 3600 seconds.

Howver we can see many cases at some hotels, and airports where the actual portal detection is not being recognised by Global Protect agent.

Hence user cannot access any ressources.

Does anybody knows how the global protect agent captive portal detection actually works (cannot find any docs)?

Thank you

Kind regards

Pierrick L

Re: GlobalProtect Enforce Connection for Network Access Captive Portal detection

Mick_Ball — Thu, 26 Oct 2017 19:46:15 GMT

I may be wrong but its my understanding that the grace period gives the user, not global protect, a limited time to activate a captive portal.

the user should try to open a website within the time limit and if a captive portal is available it will intercept the web connection.

so.... in your case... users have 3600 seconds to browse to a website manually before enforcement kicks in.

Re: GlobalProtect Enforce Connection for Network Access Captive Portal detection

plevesque — Fri, 27 Oct 2017 07:41:14 GMT

Hi Mick,

Thank you for your reply, yes you are right in this case a user will have 3600 seconds to browse the internet.

What we found is that you have many hotels (Marriott for exemple), that do not rely on the HTTP redirect to send a splash page.

The issue is that Global protect agent captive portal detection is waiting for the HTTP redirect type 302 message ...which is never coming,

Kind regards

Pierrick L

Re: GlobalProtect Enforce Connection for Network Access Captive Portal detection

Mick_Ball — Fri, 27 Oct 2017 08:47:50 GMT

Sorry i never realised the expected behaviour of CP detection.

we did have issues when we first used this option but decided to use a proxy.pac file to restrict internet access until GP connected.

most of our usage is via corporate or home wifi. For the occasional times a hotel connection is made the users have a desktop icon “connect to public wifi”. This bypasses proxy settings and opens IE to our corporate web page, the captive portal kicks in, users authenticate, GP detects route change an connects. Probably no use to you but it is another option to enforce connection only traffic.

please update if you find a solution.

Re: GlobalProtect Enforce Connection for Network Access Captive Portal detection

plevesque — Fri, 27 Oct 2017 08:59:47 GMT

Hi Mick,

This is interesting, thank you for this, indeed it could be a potential solution, but will need to investigate further the .pac file option since it will require a change to the original design.

will keep the post updated as soon as i got more feedback from PA .

Kind regards

Pierrick L

Re: GlobalProtect Enforce Connection for Network Access Captive Portal detection

Mick_Ball — Fri, 27 Oct 2017 09:09:54 GMT

Ok the pac option was easy for us as used it prior to using GP to restrict access.

its a basic setup..

proxy = 1.2.3.4 (obviously non exist)

allow = globalportal and gateways direct

if internal host is detected = send all traffic direct. (This part sends all traffic when GP has connected).

obviously not the correct syntax and not everyones cup of tea but works for us on both windows and ipad.

To be honest... i would rather let GP do all the work and would be happy to see the pac file go as its a workaround and somewhat dated.

Re: GlobalProtect Enforce Connection for Network Access Captive Portal detection

plevesque — Mon, 30 Oct 2017 10:19:55 GMT

Hi Mick,

Thank you for these details, technically using a .pac could be a workaround, eventhough it looks to be an old approach, i need to see as well how i could make use of it in our environment.

Agree would be much more better if Palo Atlo could efficiently support global protect behind hotel proxies.

Kind regards,

Pierrick L

Re: GlobalProtect Enforce Connection for Network Access Captive Portal detection

plevesque — Fri, 03 Nov 2017 13:48:31 GMT

Hi,

Just to let you know that Palo Alto TAC is still looking on this issue/limitation..

Kind regards,

Pierrick L

Re: GlobalProtect Enforce Connection for Network Access Captive Portal detection

Mick_Ball — Fri, 03 Nov 2017 14:04:50 GMT

many thanks for the update.

do you have any good links on how this actually works. I know what it's meant to do but the best description on how it actually works came from you...

i would like to understand the process from start to fininsh and also was wondering if the page was returned via https so GP could not see what was needed...

you may guess by my previous statement that i really do need to understand the enforce connection process.

many thanks.

Re: GlobalProtect Enforce Connection for Network Access Captive Portal detection

plevesque — Fri, 03 Nov 2017 14:16:57 GMT

Hi Mick,

Based on current PANGPS.log and Wiresharks trace, we can see that the Global Protect agent is waiting for an HTTP redirect message type 302 coming from the Proxy.

As soon as the agent receive the 'HTTP redirect' message then local network ressource is enable and you can reach the captive portal.

What i believe is that this agent function is not supported behind any transparent proxy.

Some hotels rely on transparent proxies to provide internet access for their customers.

I hope Palo Alto would be able to provide more information on weither this function is fully supported behind hotel/airport proxies, or any other alternative.

Kind regards,

Pierrick L

Re: GlobalProtect Enforce Connection for Network Access Captive Portal detection

plevesque — Mon, 04 Dec 2017 09:59:12 GMT

This case has ben escalated to Palo Alto TAC 3 weeks ago and now closed with no resolution/solution.

So far, Palo Alto TAC has not been able to provide any valuable feedback nor to solve the connectivity issue related to the use the Global Protect agent with the enforce connection option enable behind any transparent hotel/airports...proxies.

They simply point the issue to the hotel or airport providers which is of course not an acceptable answer.

Until Palo Alto can provide a fix on the usability of the global protect 'enforce connection for network access' feature i will not implement this option.

Kind regards,

Pierrick L