https://live.paloaltonetworks.com/t5/general-topics/new-ng-pa-implementation-path-url/m-p/257917#M73176 <P>that's a great idea, but then we'd need to register a new domain. Then we'd need to buy a new domain in Entrust for the certificate to match the new zone. All doable but sort of not thought of before.</P><P>&nbsp;</P><P>Our 10 year old ASA could do it no dramas.&nbsp;</P><P>&nbsp;</P><P>thank you though. I really do appriciate your replies and help</P> Wed, 17 Apr 2019 22:28:32 GMT au_igs 2019-04-17T22:28:32Z https://live.paloaltonetworks.com/t5/general-topics/new-ng-pa-implementation-path-url/m-p/257792#M73133 <P>Hi all, we are replacing our aging ASA VPN with the new PA GlobalProtect. ASA has a path of someurl.com/path rather than just a default someurl.com. Makes it a bit harder for the bad guys to guess. Is PA capable of creating a path, rather than a default url?</P><P>&nbsp;</P><P>thank you in advance for the help</P><P>Regards</P> Wed, 17 Apr 2019 01:35:39 GMT https://live.paloaltonetworks.com/t5/general-topics/new-ng-pa-implementation-path-url/m-p/257792#M73133 au_igs 2019-04-17T01:35:39Z https://live.paloaltonetworks.com/t5/general-topics/new-ng-pa-implementation-path-url/m-p/257811#M73137 <P>Not really no.</P><P>&nbsp;</P><P>Generally speaking it would be best practice to use a totally unrelated domain for the company/organization the remote access is for.</P><P>&nbsp;</P><P>For example, it wouldnt be advisable for CompanyA to use...</P><P>eg "remoteaccess.companya.com"</P><P>&nbsp;</P><P>Something generic that could not be traced back to the CompanyA in question would be much more advisable. Also the use of a top level domain that doesnt require it to be registered to a legitimate organisation if you want to be really paranoid....</P><P>&nbsp;</P><P>eg. "tasty.spacechicken.systems"</P><P>&nbsp;</P><P>Obviously something more appropriate than that, but you get the idea <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 17 Apr 2019 05:28:39 GMT https://live.paloaltonetworks.com/t5/general-topics/new-ng-pa-implementation-path-url/m-p/257811#M73137 El-ahrairah 2019-04-17T05:28:39Z https://live.paloaltonetworks.com/t5/general-topics/new-ng-pa-implementation-path-url/m-p/257865#M73153 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/58143">@El-ahrairah</a>&nbsp;,</P><P>That is one cool domain ;)!</P> Wed, 17 Apr 2019 14:54:55 GMT https://live.paloaltonetworks.com/t5/general-topics/new-ng-pa-implementation-path-url/m-p/257865#M73153 OtakarKlier 2019-04-17T14:54:55Z https://live.paloaltonetworks.com/t5/general-topics/new-ng-pa-implementation-path-url/m-p/257905#M73170 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/111187">@au_igs</a>&nbsp;wrote:<BR /><P>Hi all, we are replacing our aging ASA VPN with the new PA GlobalProtect. ASA has a path of someurl.com/path rather than just a default someurl.com. Makes it a bit harder for the bad guys to guess. Is PA capable of creating a path, rather than a default url?</P><P>&nbsp;</P><P>thank you in advance for the help</P><P>Regards</P><HR /></BLOCKQUOTE><P>&nbsp;</P><P>I think this is easier than you think, or perhaps I'm not understanding.&nbsp; I just went through swapping out ~6,000 laptops from AnyConnect to GP.</P><P>&nbsp;</P><P>For GP you define the DNS name so there's not really a common path that an external entity could guess would be your company's GP portal.</P> Wed, 17 Apr 2019 18:24:09 GMT https://live.paloaltonetworks.com/t5/general-topics/new-ng-pa-implementation-path-url/m-p/257905#M73170 Brandon_Wertz 2019-04-17T18:24:09Z https://live.paloaltonetworks.com/t5/general-topics/new-ng-pa-implementation-path-url/m-p/257917#M73176 <P>that's a great idea, but then we'd need to register a new domain. Then we'd need to buy a new domain in Entrust for the certificate to match the new zone. All doable but sort of not thought of before.</P><P>&nbsp;</P><P>Our 10 year old ASA could do it no dramas.&nbsp;</P><P>&nbsp;</P><P>thank you though. I really do appriciate your replies and help</P> Wed, 17 Apr 2019 22:28:32 GMT https://live.paloaltonetworks.com/t5/general-topics/new-ng-pa-implementation-path-url/m-p/257917#M73176 au_igs 2019-04-17T22:28:32Z https://live.paloaltonetworks.com/t5/general-topics/new-ng-pa-implementation-path-url/m-p/258010#M73202 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/58143">@El-ahrairah</a>&nbsp;wrote:<BR /><P>Also the use of a top level domain that doesnt require it to be registered to a legitimate organisation if you want to be really paranoid....</P><HR /></BLOCKQUOTE><P>... and don't use anything "better" than a domain validation certificate - self signed would be good too if all the devices that connect are under your control <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 18 Apr 2019 14:51:42 GMT https://live.paloaltonetworks.com/t5/general-topics/new-ng-pa-implementation-path-url/m-p/258010#M73202 Remo 2019-04-18T14:51:42Z