GlobalProtect Configuration Opinions


L2 Linker

Greetings!

 

Just to be upfront, I have my configuration working for the most part, but I'm interested to hear whether there's a better/safer/quicker way of bending GlobalProtect to my needs. Please feel free to chime in with ideas, opinions or suggestions! Only as much detail as you feel is necessary, but I'm happy to hear what you're thinking.

 

Scenario

GlobalProtect pre-logon scenario with 2 levels of post-logon access

 

Process

 

  • All hosts will connect at the pre-logon level with limited access to internal resources (AD, etc.) using our internal PKI
  • After logon, all users will automatically stay connected via GlobalProtect (the pre-logon tunnel will switch to the username) and retain access to limited internal resources via security policies and LDAP
  • Select users, after they log on, will have the ability to "reconnect" to the GlobalProtect gateway and have full access to the internal network (again through security policies and LDAP)

 

Other requirements

 

TFA is not in play but may be in the future.

 

Reference

 

Most of the config is based on this article: here

 

Again, I'm not stuck (currently). Just wanted to hear your opinions. Appreciate any feedback.

 

Thanks!

Mike
2 REPLIES

L7 Applicator

Sounds like an OK setup, but it really depends on your corporate security policies.

 

For us, PKI is a must, but not acceptable without some form of hard drive encryption protected by a PIN.

This has nothing to do with certificate exposure; it is just additional protection, as you are currently relying on a password-only policy if the device is stolen.

 

We do not use pre-logon, as users are unable to join Wi-Fi until they auth on the device.

 

Not sure about the 3rd option in your process section: why would they need to reconnect to obtain different policies?

 

If you move to 2FA then you may need to look at authentication override, especially if using OTP.

 

All of the above will not be everyone's cup of tea, but it works well for us and we need to adhere to strict corp policies.

 

 

Thanks Mickball,

 

Yeah, I definitely understand everyone's requirements, setup, etc. are different. We too are required to use HD encryption as well. We liked the promise of pre-logon so users can change passwords, log in for the first time, etc. With all the other requirements in the scenario, it has just gotten overly convoluted IMO. I like your question about whether the users need to reconnect to refresh their policies, because it makes things easier for the users as well. My experience says that the simpler the config, the easier it is to support and secure, so anything that can pare things down, I'm for.

 

Really appreciate your two cents on this one!
