Allow traffic to specified hosts/networks when Enforce GlobalProtect for Network Access Enabled

L4 Transporter

We've been troubleshooting some issues encountered when using the "Enforce GlobalProtect Connection for Network Access" option in our portal agent configuration.  Our TAC engineer mentioned that he had seen a setting called "Allow traffic to specified hosts/networks when Enforce GlobalProtect Connection for Network Access is enabled and GlobalProtect Connection is not established" in 8.1, but didn't see it in 9.0.  (The setting should allow certain hosts to be exempted from the enforced use of GP.)  However, today I noticed it in the portal config for the first time (we just updated to 9.0.4 last week).  I tried putting in an IP address for the parameter value, and also using the whole subnet w/ mask.  However, it didn't work to allow access to those hosts.

I can't seem to find documentation for this parameter anywhere!  I've looked in the offline help in Panorama, v 8.1 and v 9.0 GlobalProtect administrator's guide, searching on this forum, and searching Google in general.  The TAC engineer didn't even have documentation for this.  Does anyone know the syntax, or how to get it to work?

22 REPLIES

Cyber Elite

Hello there

So I am trying to work out and understand the issue.

I see the option for Enforce GlobalProtect Connection for Network Access, and it is a yes or no.

Yes means that NO network traffic can pass without the machine being connected via GP.

I, too, looked at the 8.1 GP admin guide and do not see an exception to the Enforce GlobalProtect Connection setting.

So, perhaps the TAC engineer was incorrect in his memory.

For now, I would create a configuration that specifically excludes that particular computer from needing to connect.

Will this help?


Steve, we are excluding this setting across the board right now, because we unfortunately have a large number of machines which would need an exception. We're still doing Always On mode, and the login dialog box is pretty "in your face" annoying until you sign in, which should help encourage users to authenticate.

Here's a screenshot of the parameter. Want to know the dumber thing? Once you've set a value, you can't change it back to blank! The window won't let you save it anymore! My case engineer escalated it a week ago, and still has no idea how to configure it. It seems to be some half-baked "feature" that does nothing at this point.

[Screenshots: 2019-10-30 22_08_52-PanoramaPWk01.png, 2019-10-30 22_12_02-PanoramaPWk01.png]

@OwenFuller Welp, you weren't lying. I set that up on my test palo and was unable to change it back to blank. Well, I was, but only because I saved a snapshot first. Otherwise I got the same error.

Looks like a bug that needs fixed.

@Shawverr wrote:

Looks like a bug that needs fixed.

Well, once TAC acknowledges that the "feature" even exists, then maybe we can get a bugfix submitted! 😄

@OwenFuller LOL!!!! That's why I decided to post, not because I could help, but I could at least confirm the issue. Hopefully that helps.

Value must contain the mask, i.e. 8.8.8.8/32 or 10.0.0.0/8.

For anyone following, or who finds this in the future, here's the latest from TAC:

Seems like the issue with the enforcer exception list will be fixed in 8.1.14 and 9.0.8. There are no release dates for these firmware yet, so it might be a while.

@RichColeman wrote:

Value must contain the mask, i.e. 8.8.8.8/32 or 10.0.0.0/8.

Thanks for the tip, Rich. We'll give this a try.

I've had confirmation from TAC this option also "currently" only works with GP client version 5.1.0 (which is in beta), my portal is running 8.1.4 and as soon as I upgraded to 5.1.0 the option (after configuring) worked.

I think there's a disconnect; I will assume the fix will remove the need for the client to be on an unreleased version.

Thanks for updating with this information.

Oh, great find! Maybe I'll try this out w/ the beta client.

L0 Member

This feature will be supported with GP Agent 5.1.0. Existing agent is not supporting this option.

Turns out there are a number of features in 8.1 which aren't available until you're running client version 5.1. Would be handy if Palo documented them.

I've reached out to my TAM and requested this info; once I have it I'll post it on here.

L4 Transporter

I have confirmed that the exception list works when using GlobalProtect agent 5.1 beta in accordance with information in the release notes, and the info from @cyurekli. With a little experimenting, I was able to determine the following details, which I'm sharing since documentation is still scant:

 

  • A single address in the exception list can be entered with no subnet mask (e.g. 192.168.223.1)
  • Multiple addresses must be entered with a mask (thanks @RichColeman), and separated by a comma (e.g. 192.168.223.1/32,10.0.0.1/32)
  • Once the GP client connects to the gateway, access to the exception list addresses no longer applies

As a reminder, my TAC engineer also had this to say:
Seems like the issue with the enforcer exception list will be fixed in 8.1.14 and 9.0.8. There are no release dates for these firmware yet, so it might be a while.

Thank you all for the help!
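The entry rules worked out in the post above can be encoded as a small validator, added here as an example (not from Palo Alto Networks or the thread's authors). It parses a candidate value for the exception-list parameter using only the syntax observed in this thread, rewrites it so every entry carries a mask (the form that was accepted in both the single- and multi-entry cases), and flags exceptions broader than a /24; that threshold is this example's own assumption, not a product setting.

```python
"""Validate and normalize a GlobalProtect 'Allow traffic to specified hosts/networks'
exception-list value, using the syntax observed in this thread (not vendor docs):
  * a single entry may be a bare address (192.168.223.1) or carry a mask;
  * with more than one entry, every entry must carry a mask and the entries
    are comma-separated (192.168.223.1/32,10.0.0.1/32).
"""
from __future__ import annotations

import ipaddress

# Assumption for this example: exceptions broader than a /24 are worth a second look,
# because every host in them is reachable without GP until the tunnel comes up.
WIDE_PREFIX = 24


def parse_exception_list(value: str) -> list[ipaddress.IPv4Network]:
    """Parse the raw parameter value; raise ValueError where the observed rules reject it."""
    entries = [e.strip() for e in value.split(",")]
    if any(e == "" for e in entries):
        raise ValueError("empty entry (stray or trailing comma) in %r" % value)
    if len(entries) > 1:
        bare = [e for e in entries if "/" not in e]
        if bare:
            raise ValueError("multiple entries require a mask on each: %r" % bare)
    networks = []
    for entry in entries:
        # strict=True rejects e.g. 10.0.0.1/8 (host bits set); a /8 exception has to be
        # written as its network address, 10.0.0.0/8, as in the accepted answer.
        networks.append(ipaddress.IPv4Network(entry, strict=True))
    return networks


def normalize_exception_list(value: str) -> str:
    """Return the value with a mask on every entry, the form that parsed in both cases."""
    return ",".join(str(n) for n in parse_exception_list(value))


def wide_exceptions(value: str) -> list[str]:
    """Entries broader than WIDE_PREFIX, for review before the policy is pushed."""
    return [str(n) for n in parse_exception_list(value) if n.prefixlen < WIDE_PREFIX]


if __name__ == "__main__":
    # Constructed sample values mirroring the ones quoted in the thread.
    for sample in ("192.168.223.1", "192.168.223.1/32,10.0.0.1/32", "8.8.8.8/32,10.0.0.0/8"):
        print(sample, "->", normalize_exception_list(sample), "wide:", wide_exceptions(sample))
```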
