topic couple of questions relevant to global protection feature in General Topics

couple of questions relevant to global protection feature

willstech — Wed, 05 Oct 2011 09:29:31 GMT

Hello all.

I have a couple of questions about Global Protection feature.

1. If I configured Global Protection for external users, is it possible to block for network access for specific user who doesn't has latest patch or latest anti-virus?

2. if it is possible, can i configure redirection to warning msg for those specific user?

3. Does global protection must connect with SSL VPN?? Is it impossible without SS LVPN Connection?

4. if it is possible to apply global protection without SSL VPN, I’d like to apply to internal users of firewall.

5. If I configured Global Protection, is it able to apply for internal users of firewall (paloalto L3 mode) without SSL VPN Connection?

Thanks,

Eugene.

Re: couple of questions relevant to global protection feature

jleung — Mon, 10 Oct 2011 11:43:45 GMT

Hi Eugene,

Answers as below:

1. If I configured Global Protection for external users, is it possible to block for network access for specific user who doesn't has latest patch or latest anti-virus?

Global Protect is not NAC solution. You can control what access users can have when the traffic pass through the firewall, but not before it passess through the firewall.

2. if it is possible, can i configure redirection to warning msg for those specific user?

No. But youcan have some message from the agent.

3. Does global protection must connect with SSL VPN?? Is it impossible without SS LVPN Connection?

Yes.

4. if it is possible to apply global protection without SSL VPN, I’d like to apply to internal users of firewall.

Yes

5. If I configured Global Protection, is it able to apply for internal users of firewall (paloalto L3 mode) without SSL VPN Connection?

Yes

Re: couple of questions relevant to global protection feature

kamish — Tue, 11 Oct 2011 13:52:11 GMT

While the Global Protect config guide will help you with your initial setup, it will not be your final solution. There are many things that are missing in the guide.

Re: couple of questions relevant to global protection feature

kamish — Tue, 11 Oct 2011 15:14:46 GMT

I have done extensive setup and testing for GP in my environment. I have answered your questions below, per my experience and testing.

1. If I configured Global Protection for external users, is it possible to block for network access for specific user who doesn't has latest patch or latest anti-virus?

-Yes. I just want to clarify though, when you say 'external users' do u mean members of your domain but connecting externally? If yes, then create a HIP Profile with objects defined with the match that you want. You then need to apply that HIP profile to a security policy to 'deny' access to http and https, if you want to block them from surfing. Creating the HIP is tricky though for a Deny Policy, make sure that you configure it the way you want it to be configed. I.E. the Virus definition timeframe. I would suggest configuring the product version rather than the virus definition timeframe, this provides a little more of a solid check.

2. if it is possible, can i configure redirection to warning msg for those specific user?

- Kind of. If you have a user that receives a HIP message stating that they are not compliant, you can have the message say anything you want. For instance, if I have a user in my environment that is not compliant, the message says "Your client is not compliant because "enter reason here". Please contect your systems administrator for assistance." This will allow you to know what is wrong and why they are not able to connect to resources. But test to ensure that the HIP is setup exactly how you want to save headache from people calling you all the time to fix it. Furthermore, there needs to be a deny rule in place to not allow them access to resources if they are not compliant.

For instance:

In my environment...currently we only want clients that are part of our domain to have access to resources whether they access through the internal or external gateway. This is so any Joe Schmo laptop cannot come inside and access our network. Or if a client that is not part of our domain tries to access through the external gateway they are denied access to everything. So we have a HIP profile in place that checks if they are or are not part of our domain. If they are part, they are 'allowed' access, if they are not part of our domain they are 'denied'. When the deny rule is matched, the client cannot surf the internet or have access to internal resources.

3. Does global protection must connect with SSL VPN?? Is it impossible without SS LVPN Connection?

-Yes. Absolutlely! We run GP all the time with single sign on without VPN.

4. if it is possible to apply global protection without SSL VPN, I’d like to apply to internal users of firewall.

-Yes. We do this also. You just have to configure an internal gateway and an external gateway. Keep in mind that GP will always try to connect to the internal gateway first after it authenticates through the portal. But, in my opinion, best practice to to just configure 2 serperate gateways...internal and external. Make sure that the internal gateway has an internal IP address.

5. If I configured Global Protection, is it able to apply for internal users of firewall (paloalto L3 mode) without SSL VPN Connection?

-Yes. See answer to #4.

Side notes. Make sure that you test all angles of global protect before implementing. It works great once everything is configured properly. And in my testing and config, it takes some time to learn everything that needs to be done to ensure that it works right.