I'm experimenting with enforcing GlobalProtect Connection for Network Access. When I enable that setting, and put myself in user-logon (always on) things work great, but if I then disable GP, I can still access the network.
I had a call with TAC and they said to make this work I needed to make sure I couldn't disable GP, so I set it up so I couldn't disable without a pass code. However, after the call I looked at the docs again which say about enforcing: "Select Yes to force all network traffic to traverse a GlobalProtect tunnel. Select No (default) if GlobalProtect is not required for network access and users can still access the internet even when GlobalProtect is disabled or disconnected. "
That documentation langauge makes me think I shouldn't be able to access the network at all without GP, even if I disable it.
The firewalls are at 8.0.10 and I'm running 4.1.2-11 for the GP agent on Windows 10 64 pro.
Anyone running enforcing in production that can tell me if I should restart the conversation with TAC to see what is wrong, or if I really do need to remove the disable option?
The other question I have is with enforcing on, in user-logon mode, does the machine have any connectivity before the user logs in or is that blocked too?
Solved! Go to Solution.
To force all traffic into the vpn tunnel you have do make sure that global protect cannot be disabled. When GP is disabled network access is possible. This wording in the documentation isn't correct (or there is a bug in the gp agent).
Regarding your other question: In always-on user-logon mode network access is possible until the user is logged in to the computer. To force connections over vpn even before successful logon you have to configure pre-logon mode.
Yes it is a bit confusing, i would say that TAC is correct in what they are saying.
GP after all is a sevice that runs locally to perform all the tasks that you set in the agent.
if you disable the service then it cannot perform those tasks.
It does not actually state in the docs that when GP enforcement is enabled it prevents local traffic even if the user disables it.
i probably worded that incorrectly... which happens now and again as per this discussion...
i would be a bit dubious regarding not being able to control this with a last resort “Kill” option.
having said that, i dont use enforce option, causes too many issues with captive portal for our users.
Thanks! I think the way we'll start is user-logon without the ability to disable (or needing to enter a comment or similar), but not do enforcement. That should get us most of the way to where we want to be. We're trying to get to a zero-trust environment with a laptop fleet. One way to do that is to make sure that when people are off-prem that GP is on and making them effectively on-prem.
This may or may not work for us. For instance, I'm concerned about performance when people are travelling and on high latency connections, such as airplane wifi, or countries that are distant from our offices.
I should take a closer look at global protect cloud services and see if that is a fit for the mobile users.
Yes we have ours set to user logon, and we do have a zero tolerance also.
we manage this 99.999% of the time with the use of proxy .pac, used it for years and never let us down.
if the vpn fails or if the user manages to disable it (unpreventable on IPads) then all traffic is forwarded to a non existent proxy..
not everybodys cup of tea but we used proxies over previous years for just about everything, the proxies have now gone but the pac file remains,
Im liking your idea that if your in a plane then as the clouds are just outside your window then the connection will be greater if you use PA cloud services...
only if...... eh...
"if the vpn fails or if the user manages to disable it (unpreventable on IPads) then all traffic is forwarded to a non existent proxy.."
Can you share how were you able to achieve this? I've been struggling to make this work with the enforce mode.
Sure @dvmq27 , NP.
you need to set a global proxy and point this to a pac file available from anywhere, are you having issues with this part or the actual pac file enforcement/syntax.
I've given up on enforce mode since it's causing a lot of issues (captive portal, authentication required even on internal / corporate network, etc).
you mentioned that the condition is when vpn fails or if the client is disabled. is it something which can be done on the PAC file? not much of an expert on it.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!