topic Re: Global Protect Agent and SSID in General Topics

Global Protect Agent and SSID

killboxalpha — Fri, 05 Oct 2018 08:28:40 GMT

I have configured GP agent with internal and external adresse to seamlessly work w/ always on for my endpoints and this works great. And users can not connect to other networks w/coppper cable without the internal GW. And SSID has to be punched in manually.

But one challange;

How do i protect new endpoints when its getting windows image from sccm if we have pre-defined the ssid and password in windows, the endpoint could get a unsecure connection before the script installs GlobalProtect Agent.

Can i create a HIP rule/profile on the policy settings that require a GlobalProtect Agent installation (reg key) before wifi acccess is granted ?

Thank you

Re: Global Protect Agent and SSID

Mick_Ball — Fri, 05 Oct 2018 16:10:10 GMT

HIP rules and profiles are applied to policies on the firewall itself, not on the client....

can you not have GP as part of your image from SCCM.

could you not apply a duff proxy to your devices and then remove the duff proxy settings as part of the installation script for GP.

Re: Global Protect Agent and SSID

Mick_Ball — Fri, 05 Oct 2018 16:12:36 GMT

hmmm perhaps not, the proxy settings will only restrict browsing , not general network access.

perhaps including GP as part of the image may be a better idea.

Re: Global Protect Agent and SSID

LukeBullimore — Fri, 05 Oct 2018 21:31:45 GMT

Hey @killboxalpha

Edit: I may have misread your post - HIP information and policy enforcement would only be after the client has connected to GlobalProtect so may not apply to this situation.

Thinking off the top of my head, you could use a PowerShell script to look if the reg key is present, if it's not use the XMLAPI to send a tag to the firewall that update a dynamic address group, then use a policy to block access with SRC address as the dynamic address group.

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/register-ip-addresses-and-tags-dynamically

---

You can certainly block machines that connect to GlobalProtect from accessing resources (internet/internal resources etc) if they don't have a reg key present, this is done via HIP Based Policy Enforcement.

1. Create a new HIP object (Objects -> GlobalProtect -> HIP Objects), enable a "Custom Check" and create your custom check in the Registry Key tab.

2. Add your HIP object to a HIP profile (Objects -> GlobalProtect -> HIP Profiles), set the match to "NOT" so only people WITHOUT the reg key will hit this profile.

3. Create a security policy and add the HIP profile under the "User Tab"

; with the action of deny in the security policy you can then block access for anyone that doesn't have the reg key present.

https://www.paloaltonetworks.com/documentation/81/globalprotect/globalprotect-admin-guide/host-information/configure-hip-based-policy-enforcement

Cheers,

Luke.

Re: Global Protect Agent and SSID

killboxalpha — Thu, 11 Oct 2018 14:34:08 GMT

Hi LukeBullimore.

yupp, could not reply fast enough sorry, the problem as you mention is that everything would hit after the GP agent was installed and not before, the solution was to create a script w/ssid+pass that would not activate before GP script install was done. This works now, after some tinkering.

thx for your input. Not sure who deserves the solved button.

Re: Global Protect Agent and SSID

Mick_Ball — Thu, 11 Oct 2018 15:33:28 GMT

Luke gets my vote, helpful link and a registry drop to finish off......

Laters