Enforce GlobalProtect Connection for Network Access not enforcing when GP disabled?

L2 Linker
Enforce GlobalProtect Connection for Network Access not enforcing when GP disabled?

Hi all!

I'm experimenting with enforcing GlobalProtect Connection for Network Access. When I enable that setting, and put myself in user-logon (always on), things work great, but if I then disable GP, I can still access the network.

I had a call with TAC and they said to make this work I needed to make sure I couldn't disable GP, so I set it up so I couldn't disable without a passcode. However, after the call I looked at the docs again, which say about enforcing: "Select Yes to force all network traffic to traverse a GlobalProtect tunnel. Select No (default) if GlobalProtect is not required for network access and users can still access the internet even when GlobalProtect is disabled or disconnected."

That documentation language makes me think I shouldn't be able to access the network at all without GP, even if I disable it.

The firewalls are at 8.0.10 and I'm running 4.1.2-11 for the GP agent on Windows 10 64 Pro.

Anyone running enforcing in production that can tell me if I should restart the conversation with TAC to see what is wrong, or if I really do need to remove the disable option?

The other question I have is: with enforcing on, in user-logon mode, does the machine have any connectivity before the user logs in, or is that blocked too?

Thank you!

 

L7 Applicator

Re: Enforce GlobalProtect Connection for Network Access not enforcing when GP disabled?

Hi @uvdes

To force all traffic into the VPN tunnel you have to make sure that GlobalProtect cannot be disabled. When GP is disabled, network access is possible. This wording in the documentation isn't correct (or there is a bug in the GP agent).

Regarding your other question: in always-on user-logon mode, network access is possible until the user is logged in to the computer. To force connections over VPN even before successful logon you have to configure pre-logon mode.

Regards,

Remo

L7 Applicator

Re: Enforce GlobalProtect Connection for Network Access not enforcing when GP disabled?

Yes, it is a bit confusing; I would say that TAC is correct in what they are saying.

GP after all is a service that runs locally to perform all the tasks that you set in the agent.

If you disable the service then it cannot perform those tasks.

It does not actually state in the docs that when GP enforcement is enabled it prevents local traffic even if the user disables it.

I probably worded that incorrectly... which happens now and again, as per this discussion...

I would be a bit dubious regarding not being able to control this with a last resort "Kill" option.

Having said that, I don't use the enforce option; it causes too many issues with captive portals for our users.

L2 Linker

Re: Enforce GlobalProtect Connection for Network Access not enforcing when GP disabled?

Thanks! I think the way we'll start is user-logon without the ability to disable (or needing to enter a comment or similar), but not do enforcement. That should get us most of the way to where we want to be. We're trying to get to a zero-trust environment with a laptop fleet. One way to do that is to make sure that when people are off-prem, GP is on and making them effectively on-prem.

This may or may not work for us. For instance, I'm concerned about performance when people are travelling and on high-latency connections, such as airplane wifi, or countries that are distant from our offices.

I should take a closer look at GlobalProtect cloud services and see if that is a fit for the mobile users.

L7 Applicator

Re: Enforce GlobalProtect Connection for Network Access not enforcing when GP disabled?

Yes, we have ours set to user logon, and we do have a zero tolerance also.

We manage this 99.999% of the time with the use of a proxy .pac; used it for years and it never let us down.

If the VPN fails or if the user manages to disable it (unpreventable on iPads) then all traffic is forwarded to a non-existent proxy.

Not everybody's cup of tea, but we used proxies over previous years for just about everything; the proxies have now gone but the pac file remains.

I'm liking your idea that if you're in a plane then, as the clouds are just outside your window, the connection will be greater if you use PA cloud services...

Only if...... eh...

Laters...

L0 Member

Re: Enforce GlobalProtect Connection for Network Access not enforcing when GP disabled?

"if the vpn fails or if the user manages to disable it (unpreventable on IPads) then all traffic is forwarded to a non existent proxy.."

Can you share how you were able to achieve this? I've been struggling to make this work with the enforce mode.

L7 Applicator

Re: Enforce GlobalProtect Connection for Network Access not enforcing when GP disabled?

Sure @dvmq27, NP.

You need to set a global proxy and point this to a pac file available from anywhere. Are you having issues with this part or with the actual pac file enforcement/syntax?
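A fail-closed PAC file of the kind MickBall describes (VPN down or GP disabled means all browser traffic is sent to a proxy that does not exist) looks like the following. This is an added example, not MickBall's file and not anything shipped by Palo Alto Networks; the tunnel address pool, the office subnet, the probe hostname and the sinkhole address are constructed placeholders to be replaced with your own values.

```javascript
// Fail-closed PAC file: browsers get DIRECT only while the GlobalProtect
// tunnel (or the on-prem LAN) is present; otherwise every request is sent
// to a sinkhole proxy that does not exist, so nothing leaves the box.
// All network values below are constructed placeholders.
var TUNNEL_POOL  = { net: "10.99.0.0", mask: "255.255.0.0" }; // assumed GP tunnel IP pool
var ONPREM_LAN   = { net: "10.10.0.0", mask: "255.255.0.0" }; // assumed office subnet
var TRUSTED_NETS = [TUNNEL_POOL, ONPREM_LAN];
var PROBE_HOST   = "gp-probe.corp.example"; // assumed name that only the internal DNS answers
var SINKHOLE     = "PROXY 127.0.0.1:9";     // loopback discard port: connections fail fast

// Parse a dotted quad into an unsigned 32-bit number; null on malformed input.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    var octet = parseInt(parts[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// Own replacement for the PAC built-in isInNet(), so the logic runs offline.
function ipInNet(ip, net, mask) {
  var a = ipToInt(ip), b = ipToInt(net), m = ipToInt(mask);
  if (a === null || b === null || m === null) return false;
  return ((a & m) >>> 0) === ((b & m) >>> 0);
}

// Pure decision: trust the tunnel's internal DNS first (probe resolvable),
// then fall back to the client's own address; anything else is sinkholed.
function decide(clientIp, probeResolvable) {
  if (probeResolvable) return "DIRECT";
  for (var i = 0; i < TRUSTED_NETS.length; i++) {
    if (ipInNet(clientIp, TRUSTED_NETS[i].net, TRUSTED_NETS[i].mask)) return "DIRECT";
  }
  return SINKHOLE;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  // Loopback and single-label names stay DIRECT so local tooling keeps working.
  if (host === "localhost" || host.indexOf(".") === -1 ||
      ipInNet(host, "127.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // The PAC runtime supplies myIpAddress() and isResolvable(); when this file
  // is evaluated outside a browser those helpers are absent, so fail closed.
  var ip = (typeof myIpAddress === "function") ? myIpAddress() : "0.0.0.0";
  var probe = (typeof isResolvable === "function") ? isResolvable(PROBE_HOST) : false;
  return decide(ip, probe);
}
```

Two caveats when deploying something like this. First, a PAC only governs proxy-aware applications (browsers and anything honouring the system proxy), so unlike the agent's own enforce option it is not a network-layer control; that is the gap behind the "99.999%" figure above. Second, `myIpAddress()` returns whichever interface address the browser picks first, which is why the DNS probe against a name only the tunnel's resolver knows is checked before the address test. The file itself must also be fetchable while the VPN is down, which is why it has to be hosted somewhere reachable from any network (or pushed to the endpoint by policy) rather than only on an internal server.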

L0 Member

Re: Enforce GlobalProtect Connection for Network Access not enforcing when GP disabled?

@MickBall

I've given up on enforce mode since it's causing a lot of issues (captive portal, authentication required even on the internal / corporate network, etc.).

You mentioned that the condition is when the VPN fails or if the client is disabled. Is it something which can be done in the PAC file? I'm not much of an expert on it.

L7 Applicator

Re: Enforce GlobalProtect Connection for Network Access not enforcing when GP disabled?

Are we talking iPad or windoze?

L0 Member

Re: Enforce GlobalProtect Connection for Network Access not enforcing when GP disabled?

@MickBall 

Windows. It's challenging since we use an auto-config script on an internal server, say http://x.x.x.x/proxyconfig.pac
