topic Re: What can I do with a Global proect subscription? in General Topics

What can I do with a Global proect subscription?

darren_g — Fri, 03 Jul 2020 02:12:26 GMT

(posted this in the global protect forum, but this seems to get more traffic, and maybe more suggestions, so I moved it here)

So I'm about due to retire my old 3050's and upgrade to 3250's - and this time I've convinced management to buy me the global protect subscription by pointing out that the changes in the way it operates after software version 8.1 remove the ability to split-tunnel for remotes, and would add load to the edge - so I win. Previously, I've just run with no license, and run the portal/gateway on the one box without any of the bells and whistles.

But what can I do with the subscription license? Things I want to consider.

1. Run two gateways - one for company PC's with pre-login enabled, and one for non-company PC's which just uses the old fashioned way of logging in. Can I do this on the same physical hardware by creating two portals (I have multiple external IP's I can bind to the outside interface of the firewall), or won't that work?

2. Create some kind of jump page or remote access page for users to login to selected apps/services without using the VPN client. Is that what Palo Alto call "clientless VPN"?

What other nifty stuff can I do with this new found power? Can someone point me to decent how-to's for making this kind of stuff work?

Thanks

Re: What can I do with a Global proect subscription?

pawelzwierz — Fri, 03 Jul 2020 10:03:27 GMT

Here is feature list https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-overview/about-globalprotect-licenses.html

Generally licenses are needed:

- mobile devices

- higher security - HIPS check

- clientless

1. No, ip should be binded to interface. U can acheive it by configuring portal with loopback and NAT

2. Yes, exactly

Re: What can I do with a Global proect subscription?

BPry — Sat, 04 Jul 2020 13:06:05 GMT

@darren_g,

Honestly before you do anything else, I would recommend setting up HIP checks to ensure endpoint compliance and securing any critical workloads with HIP match requirements. So something like file server access should require that the endpoint is actually up-to-date and that it has some form of antivirus installed.

This is more important now that we have so much WFH across most of the world and a record number of BYOD endpoints being used on enterprise networks. You want to make sure that those endpoints don't bring something into your network, and HIP checks allow you to do that if configured correctly.

Re: What can I do with a Global proect subscription?

Brandon_Wertz — Mon, 06 Jul 2020 15:54:12 GMT

@pawelzwierz wrote:

Here is feature list https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-overview/about-globalprotect-licenses.html

Generally licenses are needed:

- mobile devices

- higher security - HIPS check

- clientless

1. No, ip should be binded to interface. U can acheive it by configuring portal with loopback and NAT

2. Yes, exactly

To add to what @pawelzwierz and @BPry mentioned. Palo in the "unlicensed" version of GP provides a robust client based VPN. There's really not anything lacking in this posture. In the unlicensed version there's no restrictions on capacity or throughput HIP even works for alerting and awareness.

HIP enforcement however comes in the licensed version. The clientless VPN portal also needs a license which is something you said you're looking for. I think these two features alone should be able to help you justify the license purchase.

Re: What can I do with a Global proect subscription?

darren_g — Fri, 17 Jul 2020 02:18:59 GMT

@BPry wrote:
@darren_g,
Honestly before you do anything else, I would recommend setting up HIP checks to ensure endpoint compliance and securing any critical workloads with HIP match requirements. So something like file server access should require that the endpoint is actually up-to-date and that it has some form of antivirus installed.
This is more important now that we have so much WFH across most of the world and a record number of BYOD endpoints being used on enterprise networks. You want to make sure that those endpoints don't bring something into your network, and HIP checks allow you to do that if configured correctly.

Hi @BPry

I've already got that on my radar, definitely. That's one of the major reasons (along with client-less VPN) I purchased the subscription when I got the new firewalls.

Re: What can I do with a Global proect subscription?

darren_g — Fri, 17 Jul 2020 02:20:33 GMT

@pawelzwierz wrote:
Here is feature list https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-overview/about-globalprotect-licenses.html
Generally licenses are needed:
- mobile devices
- higher security - HIPS check
- clientless

1. No, ip should be binded to interface. U can acheive it by configuring portal with loopback and NAT
2. Yes, exactly

In regard to point 1 - what if I bind a second IP address to the interface - can I run one portal on one IP address, and another on he second?

Thanks

Re: What can I do with a Global proect subscription?

darren_g — Fri, 17 Jul 2020 02:24:44 GMT

@Brandon_Wertz wrote:
@pawelzwierz wrote:
Here is feature list https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-overview/about-globalprotect-licenses.html
Generally licenses are needed:
- mobile devices
- higher security - HIPS check
- clientless

1. No, ip should be binded to interface. U can acheive it by configuring portal with loopback and NAT
2. Yes, exactly
To add to what @pawelzwierz and @BPry mentioned. Palo in the "unlicensed" version of GP provides a robust client based VPN. There's really not anything lacking in this posture. In the unlicensed version there's no restrictions on capacity or throughput HIP even works for alerting and awareness.

HIP enforcement however comes in the licensed version. The clientless VPN portal also needs a license which is something you said you're looking for. I think these two features alone should be able to help you justify the license purchase.

There is, actually, in unlicensed - once you install software above the 8.0 series on the firewall, you lose the ability to split-tunnel in the unlicensed version of global protect - something which is critical to my installation.

I've already got the license - I don't need to justify it - I just want to get the most out of it when I get the firewalls actually installed. HIP enforcement is the first thing on my list, for sure.

Thanks for your input