Allow traffic to specified hosts/networks when Enforce GlobalProtect for Network Access Enabled

L1 Bithead

We've been troubleshooting some issues encountered when using the "Enforce GlobalProtect Connection for Network Access" option in our portal agent configuration.  Our TAC engineer mentioned that he had seen a setting called "Allow traffic to specified hosts/networks when Enforce GlobalProtect Connection for Network Access is enabled and GlobalProtect Connection is not established" in 8.1, but didn't see it in 9.0.  (The setting should allow certain hosts to be exempted from the enforced use of GP.)  However, today I noticed it in the portal config for the first time (we just updated to 9.0.4 last week).  I tried putting in an IP address for the parameter value, and also using the whole subnet w/ mask.  However, it didn't work to allow access to those hosts.

I can't seem to find documentation for this parameter anywhere!  I've looked in the offline help in Panorama, v 8.1 and v 9.0 GlobalProtect administrator's guide, searching on this forum, and searching Google in general.  The TAC engineer didn't even have documentation for this.  Does anyone know the syntax, or how to get it to work?

L4 Transporter

Re: Allow traffic to specified hosts/networks when Enforce GlobalProtect for Network Access Enabled

Hello there

So I am trying to work out and understand the issue.

I see the option for Enforce GlobalProtect Connection for Network Access, and it is a yes or no.

Yes means that NO network traffic can pass without the machine being connected via GP.

I too, looked at the 8.1 GP admin guide and do not see an exception to the Enforce GlobalProtect Connection setting.

So, perhaps the TAC engineer was incorrect in his memory.

For now, I would create a configuration that specifically excludes that particular computer from needing to connect.

Will this help?

L1 Bithead

Re: Allow traffic to specified hosts/networks when Enforce GlobalProtect for Network Access Enabled

Steve, we are excluding this setting across the board right now, because we unfortunately have a large number of machines which would need an exception.  We're still doing Always On mode, and the login dialog box is pretty "in your face" annoying until you sign in, which should help encourage users to authenticate.

Here's a screenshot of the parameter.  Want to know the dumber thing?  Once you've set a value, you can't change it back to blank!  The window won't let you save it anymore!  My case engineer escalated it a week ago, and still has no idea how to configure it.  It seems to be some half-baked "feature" that does nothing at this point.

[Screenshot: 2019-10-30 22_08_52-PanoramaPWk01.png]

[Screenshot: 2019-10-30 22_12_02-PanoramaPWk01.png]

L3 Networker

Re: Allow traffic to specified hosts/networks when Enforce GlobalProtect for Network Access Enabled

@OwenFuller Welp, you weren't lying.  I set that up on my test palo and was unable to change it back to blank.  Well, I was but only because I saved a snapshot first.  Otherwise I got the same error.

Looks like a bug that needs fixed.

L1 Bithead

Re: Allow traffic to specified hosts/networks when Enforce GlobalProtect for Network Access Enabled

@Shawverr wrote:

Looks like a bug that needs fixed.

Well, once TAC acknowledges that the "feature" even exists, then maybe we can get a bugfix submitted!

L3 Networker

Re: Allow traffic to specified hosts/networks when Enforce GlobalProtect for Network Access Enabled

@OwenFuller LOL!!!!  That's why I decided to post, not because I could help, but I could at least confirm the issue.  Hopefully that helps.

L2 Linker

Re: Allow traffic to specified hosts/networks when Enforce GlobalProtect for Network Access Enabled

The value must contain the mask, i.e. 8.8.8.8/32 or 10.0.0.0/8.
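As an added illustration (not code from the thread or from Palo Alto Networks), the check below validates candidate entries for this field against the syntax the reply above gives, rejecting values without a mask and flagging exemptions broad enough to hollow out the enforcement; the sample entries and the /16 breadth threshold are constructed assumptions.

```python
import ipaddress

# Constructed sample values for the "Allow traffic to specified hosts/networks"
# portal field; the thread's answer is that each value needs an explicit mask.
SAMPLE_ENTRIES = [
    "8.8.8.8/32",      # single host, correct form
    "10.0.0.0/8",      # whole private range, valid but very broad
    "192.168.1.50",    # bare IP without a mask (the form that did not work)
    "172.16.5.0/24",   # subnet, correct form
    "0.0.0.0/0",       # would exempt everything
    "10.1.2.3/24",     # host bits set, not a clean network
]

# Assumed threshold: anything broader than a /16 is reported as widening the
# set of destinations reachable while GlobalProtect is not connected.
BROAD_PREFIX_LEN = 16


def check_entry(entry: str) -> dict:
    """Return {'entry', 'ok', 'reason', 'warning'} for one exemption value.

    ok is True only when the value parses as a CIDR network with an explicit
    mask; reason explains a rejection; warning notes a broad but valid entry.
    """
    result = {"entry": entry, "ok": False, "reason": "", "warning": ""}
    if "/" not in entry:
        result["reason"] = "missing mask; use <host>/32 for a single host"
        return result
    try:
        # strict=True rejects values whose host bits are set, e.g. 10.1.2.3/24
        net = ipaddress.ip_network(entry, strict=True)
    except ValueError as exc:
        result["reason"] = f"not a valid network: {exc}"
        return result
    result["ok"] = True
    if net.prefixlen < BROAD_PREFIX_LEN:
        result["warning"] = (
            f"/{net.prefixlen} exempts {net.num_addresses} addresses "
            "from GlobalProtect enforcement"
        )
    return result


def check_entries(entries):
    """Check a whole candidate list and return one verdict per entry."""
    return [check_entry(e) for e in entries]


if __name__ == "__main__":
    for verdict in check_entries(SAMPLE_ENTRIES):
        print(verdict)
```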
