topic Re: Disabling GP client but where are the logs kept? in General Topics

Disabling GP client but where are the logs kept?

hshawn — Wed, 18 Apr 2018 23:22:16 GMT

Does anyone know if anything is logged on the firewall side when someone disables the GP client? We require a password to be entered when the client is disabled but I am not finding anything in the system logs that can be related to the event.

Obviously we dont want to allow users to just bypass all fo the security provided by the firewall by disabling the client on a corporate device but it is causing quite an uproar with the high salaried individuals that they cannot disable the client.

Closest thing I can find is event globalprotectgateway-agent-msg containing Override(s) = 1 or = 2 but not sure if that is it because in a test I didnt see one of these entries for a user that disabled the client while I was watching the log

Re: Disabling GP client but where are the logs kept?

Mick_Ball — Thu, 19 Apr 2018 14:15:06 GMT

not sure what you are asking but i have a similar issue with a group of users that are allowed to disconnect VPN.

I simply placed them in an AD group "Disable-GP" and now they get a different config to the default users.

no password needed really...

Re: Disabling GP client but where are the logs kept?

hshawn — Thu, 19 Apr 2018 15:00:45 GMT

Thanks @Mick_Ball I thought about doing this. If I add a new config (gateway->Agent->Client settings->Add) I assume I just need to have the "exception" config above the "everyone else" config since all users will be in the regular VPN group but only a few would be in the disable exception group..

Honestly I feel so wrong allowing this at all, but sometimes security has no teeth when it comes to what the C or VP level wants 😕

We would still like to be able to report on who/how often/when someone disables the client but I am not sure that is possible at this time

Re: Disabling GP client but where are the logs kept?

Mick_Ball — Thu, 19 Apr 2018 15:13:51 GMT

yes, above the default...

logging will be local to device... (if any)

i agree with you re security but if I do as I'm told then as far as I'm concerned my ass is coverd...

have you looked at the option of allow user to disable with ticket... it's not for me but may help with frequency of use...

also... do you use HIP, if so then you could find the reg setting for client disabled and add a custom check.

BTW, our users are still limited to what they can do when disconnected. they are still unable to browse the internet. we just allow the disable option to allow local printing. It's better than allowing split tunneling...