Enforce GlobalProtect Connection for Network Access not enforcing when GP disabled?

L2 Linker

Hi all!

 

I'm experimenting with enforcing GlobalProtect Connection for Network Access. When I enable that setting and put myself in user-logon (always on), things work great, but if I then disable GP, I can still access the network.

 

I had a call with TAC and they said that to make this work I needed to make sure I couldn't disable GP, so I set it up so I couldn't disable it without a passcode. However, after the call I looked at the docs again, which say about enforcing: "Select Yes to force all network traffic to traverse a GlobalProtect tunnel. Select No (default) if GlobalProtect is not required for network access and users can still access the internet even when GlobalProtect is disabled or disconnected."

 

That documentation language makes me think I shouldn't be able to access the network at all without GP, even if I disable it.

 

The firewalls are at 8.0.10 and I'm running 4.1.2-11 for the GP agent on Windows 10 64 pro.

 

Anyone running enforcing in production who can tell me if I should restart the conversation with TAC to see what is wrong, or if I really do need to remove the disable option?

 

The other question I have is with enforcing on, in user-logon mode, does the machine have any connectivity before the user logs in or is that blocked too?

 

Thank you!

 


13 replies

L7 Applicator

Hi @uvdes

 

To force all traffic into the VPN tunnel you have to make sure that GlobalProtect cannot be disabled. When GP is disabled, network access is possible. This wording in the documentation isn't correct (or there is a bug in the GP agent).

Regarding your other question: in always-on user-logon mode, network access is possible until the user is logged in to the computer. To force connections over the VPN even before a successful logon, you have to configure pre-logon mode.

 

Regards,

Remo

L7 Applicator

Yes, it is a bit confusing; I would say that TAC is correct in what they are saying.

GP, after all, is a service that runs locally to perform all the tasks that you set in the agent.

If you disable the service, then it cannot perform those tasks.

 

It does not actually state in the docs that, when GP enforcement is enabled, it prevents local traffic even if the user disables it.

 

I probably worded that incorrectly... which happens now and again, as per this discussion...

 

I would be a bit dubious about not being able to control this with a last-resort "kill" option.

 

Having said that, I don't use the enforce option; it causes too many issues with captive portals for our users.

Thanks! I think the way we'll start is user-logon without the ability to disable (or needing to enter a comment or similar), but not do enforcement. That should get us most of the way to where we want to be. We're trying to get to a zero-trust environment with a laptop fleet. One way to do that is to make sure that when people are off-prem that GP is on and making them effectively on-prem. 

 

This may or may not work for us. For instance, I'm concerned about performance when people are travelling and on high latency connections, such as airplane wifi, or countries that are distant from our offices. 

 

I should take a closer look at GlobalProtect cloud services and see if that is a fit for the mobile users.

Yes, we have ours set to user-logon, and we have zero tolerance also.

We manage this 99.999% of the time with the use of a proxy .pac; we've used it for years and it has never let us down.

If the VPN fails, or if the user manages to disable it (unpreventable on iPads), then all traffic is forwarded to a non-existent proxy.

Not everybody's cup of tea, but we used proxies over previous years for just about everything; the proxies have now gone, but the pac file remains.

 

I'm liking your idea that if you're in a plane, then as the clouds are just outside your window, the connection will be greater if you use PA cloud services...

Only if...... eh...

 

Laters...


"If the VPN fails, or if the user manages to disable it (unpreventable on iPads), then all traffic is forwarded to a non-existent proxy."

Can you share how you were able to achieve this? I've been struggling to make this work with the enforce mode.

Sure @dvmq27, NP.

 

You need to set a global proxy and point it to a pac file available from anywhere. Are you having issues with this part, or with the actual pac file enforcement/syntax?

@Mick_Ball 

I've given up on enforce mode since it's causing a lot of issues (captive portal, authentication required even on the internal/corporate network, etc.).

 

You mentioned that the condition is when the VPN fails or the client is disabled. Is that something which can be done in the PAC file? Not much of an expert on it.

Are we talking iPad or windoze?

@Mick_Ball 

Windows. It's challenging since we use an auto config script on an internal server,

say http://x.x.x.x/proxyconfig.pac

The pac file needs to be available for internal and external users. With Windows I would prefer the enforce option. This should be OK if you have internal host detection set correctly. We only opted for the pac file as it was already in place for other stuff, and because of issues with iOS/iPad.

 

So is your pac file available from outside your LAN?

Unfortunately, our pac file is only available to internal users 😞

We have tried enforce mode before, but we ran into a lot of issues:

- captive portal

- switching from the external to the internal network works for some time, but then needs to re-authenticate back from external and re-switch to internal

- the same issue for users who click sign out on the GP agent

 

If it's only available internally, then the pac file option is not really viable.

I only have external gateways and no captive portal so life is easy for me.

 

However... the pac file option will work if you only need it internally.
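The fail-closed PAC pattern Mick_Ball describes in his replies above (browsers go direct while the tunnel is up; when the VPN fails or the user disables the agent, everything is pointed at a proxy that does not exist), written out as an added example. This is not Palo Alto's code and not the file used on his network. The tunnel pool 10.200.0.0/16, the names intranet.corp.example, gp.corp.example, pac.corp.example and blackhole.invalid are hypothetical, and the PAC_ENV object plus the helper stand-ins at the bottom exist only so the file also runs under Node.js offline; a browser's PAC engine supplies its own isInNet, myIpAddress, isResolvable, shExpMatch and isPlainHostName, and the typeof guards keep those.

```javascript
// Fail-closed PAC file for a GlobalProtect always-on laptop (added example).
// DIRECT only while the tunnel is up; otherwise every request is handed to a
// proxy that does not exist, so the request never leaves the machine.
// Hypothetical values: GP client pool 10.200.0.0/16, internal-only name
// intranet.corp.example, portal gp.corp.example, PAC host pac.corp.example.

var TUNNEL_NET    = "10.200.0.0";
var TUNNEL_MASK   = "255.255.0.0";
var GP_ONLY_HOST  = "intranet.corp.example";
var ALWAYS_DIRECT = ["gp.corp.example", "pac.corp.example", "localhost"];
var BLACKHOLE     = "PROXY blackhole.invalid:3128";  // .invalid never resolves (RFC 2606)

function tunnelIsUp() {
  // Two independent signals, both required: the client holds an address from
  // the tunnel pool AND a name only the corporate resolver knows resolves.
  // Either alone can be fooled by an overlapping RFC 1918 network or a stale cache.
  return isInNet(myIpAddress(), TUNNEL_NET, TUNNEL_MASK) && isResolvable(GP_ONLY_HOST);
}

function FindProxyForURL(url, host) {
  // Never black-hole what the agent needs to reconnect (portal) or what the
  // browser needs to refresh this file (PAC host).
  for (var i = 0; i < ALWAYS_DIRECT.length; i++) {
    if (shExpMatch(host, ALWAYS_DIRECT[i])) return "DIRECT";
  }
  if (isPlainHostName(host)) return "DIRECT";  // on-prem short names
  return tunnelIsUp() ? "DIRECT" : BLACKHOLE;
}

// --- Stand-ins for the PAC engine's helpers (testing only) -------------------
// A browser's PAC engine provides these itself; the typeof guards keep the
// engine's versions. Under Node.js the stand-ins run, and the constructed
// PAC_ENV object stands in for the real interface address and DNS state.
var PAC_ENV = { ip: "192.168.1.23", resolvable: {} };

function ip2int(s) {
  var p = s.split(".");
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | (p[3] | 0)) >>> 0;
}
var isInNet = typeof isInNet === "function" ? isInNet : function (ip, net, mask) {
  var m = ip2int(mask);
  return ((ip2int(ip) & m) >>> 0) === ((ip2int(net) & m) >>> 0);
};
var isPlainHostName = typeof isPlainHostName === "function" ? isPlainHostName : function (host) {
  return host.indexOf(".") === -1;
};
var shExpMatch = typeof shExpMatch === "function" ? shExpMatch : function (str, shexp) {
  // Shell-style glob to anchored regex: escape metacharacters, then * and ?.
  var re = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
};
var myIpAddress = typeof myIpAddress === "function" ? myIpAddress : function () {
  return PAC_ENV.ip;
};
var isResolvable = typeof isResolvable === "function" ? isResolvable : function (host) {
  return !!PAC_ENV.resolvable[host];
};
```

Two caveats a practitioner would want before relying on this. First, as the thread notes, the PAC must be fetchable while the tunnel is down (so hosted externally, or pushed to the client), or browsers fall back to whatever their "PAC unreachable" behaviour is. Second, a PAC only constrains proxy-aware software; a tool that ignores system proxy settings is not blocked at all, which is why this is a "99.999%" measure rather than a kill switch and why Mick_Ball still prefers the enforce option on Windows where it works.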

@dvmq27 

What version of GP are you using?
