<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: GlobalProtect Configuration Opinions in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-configuration-opinions/m-p/245102#M69886</link>
    <description>&lt;P&gt;Thanks Mickball,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Yeah, I definitely understand everyone's requirements, setup, etc. are different. We too are required to use HD encryption as well. We liked the promise of pre-logon so users can change passwords, log in for the first time, etc. With all the other requirements in the scenario, it has just gotten overly convoluted IMO. I like your question about whether the users need to reconnect to refresh their policies, because it makes things easier for the users as well. My experience says that the simpler the config, the easier it is to support and secure, so anything that can pare things down, I'm for.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Really appreciate your two cents on this one!&lt;/P&gt;</description>
    <pubDate>Mon, 07 Jan 2019 13:19:03 GMT</pubDate>
    <dc:creator>mbahen</dc:creator>
    <dc:date>2019-01-07T13:19:03Z</dc:date>
    <item>
      <title>GlobalProtect Configuration Opinions</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-configuration-opinions/m-p/244953#M69865</link>
      <description>&lt;P&gt;Greetings!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Just to be upfront, I have my configuration working for the most part, but I'm interested to hear if there's a better/safer/quicker way of bending GlobalProtect to my needs. Please feel free to chime in with ideas, opinions or suggestions! Only as much detail as you feel is necessary, but I'm happy to hear what you're thinking.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Scenario&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;GlobalProtect pre-logon scenario with 2 levels of post-logon access&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Process&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;All hosts will connect on the pre-logon level with limited access to internal resources (AD, etc.) using our internal PKI&lt;/LI&gt;&lt;LI&gt;After logon, all users will automatically stay connected via GlobalProtect (the pre-logon tunnel will switch to the username) and retain access to limited internal resources via security policies and LDAP&lt;/LI&gt;&lt;LI&gt;Select users, after they log on, will have the ability to "reconnect" to the GlobalProtect gateway and have full access to the internal network (again through security policies and LDAP)&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Other requirements&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;TFA is not in play but may be in the future.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Reference&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Most of the config is based on this article:&amp;nbsp;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEYCA0" target="_blank"&gt;here&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Again, I'm not stuck (currently). Just wanted to hear your opinions. Appreciate any feedback.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;&lt;P&gt;Mike&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 04 Jan 2019 21:20:11 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-configuration-opinions/m-p/244953#M69865</guid>
      <dc:creator>mbahen</dc:creator>
      <dc:date>2019-01-04T21:20:11Z</dc:date>
    </item>
    <item>
      <title>Re: GlobalProtect Configuration Opinions</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-configuration-opinions/m-p/244980#M69871</link>
      <description>&lt;P&gt;Sounds like an OK setup, but it really depends on your corporate security policies.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;For us, PKI is a must, but not acceptable without some form of hard drive encryption protected by a PIN.&lt;/P&gt;&lt;P&gt;This has nothing to do with certificate exposure but is just an additional protection, as you are currently relying on a password-only policy if a device is stolen.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We do not use pre-logon, as users are unable to join Wi-Fi until they auth on the device.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Not sure about the 3rd option in your process section; why would they need to reconnect to obtain different policies?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If you move to 2FA, then you may need to look at authentication override, especially if using OTP.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;All of the above will not be everyone's cup of tea, but it works well for us and we need to adhere to strict corp policies.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 07 Jan 2019 12:26:16 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-configuration-opinions/m-p/244980#M69871</guid>
      <dc:creator>Mick_Ball</dc:creator>
      <dc:date>2019-01-07T12:26:16Z</dc:date>
    </item>
    <item>
      <title>Re: GlobalProtect Configuration Opinions</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-configuration-opinions/m-p/245102#M69886</link>
      <description>&lt;P&gt;Thanks Mickball,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Yeah, I definitely understand everyone's requirements, setup, etc. are different. We too are required to use HD encryption as well. We liked the promise of pre-logon so users can change passwords, log in for the first time, etc. With all the other requirements in the scenario, it has just gotten overly convoluted IMO. I like your question about whether the users need to reconnect to refresh their policies, because it makes things easier for the users as well. My experience says that the simpler the config, the easier it is to support and secure, so anything that can pare things down, I'm for.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Really appreciate your two cents on this one!&lt;/P&gt;</description>
      <pubDate>Mon, 07 Jan 2019 13:19:03 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-configuration-opinions/m-p/245102#M69886</guid>
      <dc:creator>mbahen</dc:creator>
      <dc:date>2019-01-07T13:19:03Z</dc:date>
    </item>
  </channel>
</rss>

