topic Re: GlobalProtect VPN "Always On" in General Topics

GlobalProtect VPN "Always On"

inclusa-admin — Thu, 10 Jan 2019 12:57:29 GMT

Hello,

We are currently migrating from Cisco AnyConnect to a GlobalProtect solution that is hosted on an Azure cloud VM and really like the "Always On" feature. The only set back we have noticed is there is no way to manipulate it to only connect when not on an internal LAN. We had manipulated DNS in the past to disable internal users from connecting to our VPN, but with the GlobalProtect client it will display an error message. We are trying to avoid having our end users notice this.

Thank you any assistance is appreciated.

Re: GlobalProtect VPN "Always On"

Chacko42 — Thu, 10 Jan 2019 13:33:40 GMT

you can set an external gateway in the agent config.

A tunnel will be only established, if you are outside of your lan.

As an internal gateway you can configure Globalprotect to act as an user-id collector

Re: GlobalProtect VPN "Always On"

inclusa-admin — Thu, 10 Jan 2019 13:41:06 GMT

The tunnel will always establish if the gateway is reachable, which it is since the host sits in Azure. We have modified DNS to not resolve the gateway when on the LAN, but the client will display an error message stating it cannot connect. I am not seeing anything within the configuration to state only connect if not on the domain/local network. Am I missing something? Again any help is appreciated.

Re: GlobalProtect VPN "Always On"

Chacko42 — Thu, 10 Jan 2019 13:44:55 GMT

can you post/describe your agent config on the portal?

Do you tried to define the internal host detection to connect to an internal gateway instead?

Re: GlobalProtect VPN "Always On"

inclusa-admin — Thu, 10 Jan 2019 13:59:11 GMT

Thank you for your replies, it is much appreciated.

As of right now we have done nothing to tweak the agent configuration and is using the default setup with SSO authentication.

We do not actually have any PaloAlto gateways internally at the moment. As of right now we only have the 1 Azure VM firewall. From what I understand we would need an interface from a PaloAlto internally to achieve this correct?

Forgive me for any ignorance on this. My past experience has been mainly with Pulse and Cisco and am a bit green with GlobalProtect.

Re: GlobalProtect VPN "Always On"

Chacko42 — Thu, 10 Jan 2019 14:22:21 GMT

Right, you can enable internal host detection (e.g. your domain controller).

If your client is connected to your internal network, you can tell him to connect to an internal global protect gateway.

There you can define e.g. user id and no tunnel configuration.

That is more secure than doing WMI probing or AD logs

Re: GlobalProtect VPN "Always On"

inclusa-admin — Thu, 10 Jan 2019 14:25:48 GMT

I think I understand now. I really appreciate your responses on this and pointing me to the correct path.