Couple of questions about GlobalProtect client and AppStore through PA500

Reply
Highlighted
L1 Bithead

Couple of questions about GlobalProtect client and AppStore through PA500

        Hi, I've recently upgraded our PA-500 to 4.1.3 and found that this version has significantly improved over the previous 4.0.X.

But now I have few quirks that the new version brought up or didn't solve as I expected.

     First, after upgrading the NetConnect on one PC (outside of company and not in our domain, Windows 7 Ultimate SP1) to GlobalProtect 1.1.3 VPN client, the PC started to do auto login to the first local user (accidently without password) and every time I do Log Off or Switch User I get back to this user's desktop. To clarify, on this PC, I have two users, one Power User account without password (the one that does auto login) and one other Administrator account with password. I'm sure that GlobalProtect is the cause of the problem because every time I remove the client, login process goes back to normal.

     Second, I’ve been experiencing some dificulty with using the Apple AppStore from iOS devices when there is URL filtering enabled. Can anyone suggest which URL categories should be allowed/passed or some speciffic URLs added to exclude list for this Apple service to work properly?

Thanks for any kind of help in advance!

L4 Transporter

Re: Couple of questions about GlobalProtect client and AppStore through PA500

Hi,

I think you might have enabled "single sign on" under the global protect setting on PAN firewall. With Single Sign on, the Client will use the windows credentials of the user to authenticate to the GlobalProtect Portal. This method is completely transparent to the end users. This might be causing your login issue, try disabling it on PAN then uninstall the GP client from the end user's machine. Download the client again and re-install it. Let us know if you have the same issue.

Regarding your second query, you need to find which URLs does App Store tries to connect, based on that URL you can figure out the category, which can be done with the help of the following command on the CLI:

PAN> test url <website>

Allow those categories and see if you can access the App store without any issues.

Thanks,

Khubaib

L1 Bithead

Re: Couple of questions about GlobalProtect client and AppStore through PA500

When a user accessess the "iTunes Store" feature, iTunes accesses the following URLs:

ax.itunes.apple.com

ax.init.itunes.apple.com

These are actually CNAMEs to edgesuite and akamai, so you should also allow the "content-delivery-networks" URL category.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!