We have had our Palo 3020 along with GlobalProtect for about a year now, and we continue to struggle with all sorts of GP issues. I'm curious to know how are you all using GlobalProtect?
One Issue - Our strategy was to use GlobalProtect as an Always-On connection, as we've invested in Palo's URL filtering and solely use that for URL inspection. Because of this, we do not use split tunneling and send all traffic, including inordinate amounts of DNS requests through the Palo. This has proved to be cumbersome at best, and ensuring GP is always connected using SSO and Windows 10 machines is a challenge which translates in to security concerns because user's may not always be connected for a variety of reasons.
Are any of you using GlobalProtect and URL filtering in this way?
We use gp always on. Sso was troublesome. Have switched to cert auth.
our AD issues user certs to all domain members
we have a copy of the AD root cert on the palo.
1 portal and 6 gateways. 4500 users... No problem whatsoever..
However.. this is only permitted for us with disk encryption. (Pin to unlock).
Hmm... I need to look into this. Yes, SSO is a mess. We've personally reported 2 issues recently that have warrented bug ID's from Palo.
We use machine certs for pre-logon strictly so users can change their domain passwords when they expire. Thsi has also proved to be a nightmare from a management standpoint.
Are you routing all traffic from your Always On clients through GP?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The Live Community thanks you for your participation!