GlobalProtect - How Are you Using?

L0 Member

GlobalProtect - How Are you Using?

We have had our Palo 3020 along with GlobalProtect for about a year now, and we continue to struggle with all sorts of GP issues. I'm curious to know how you are all using GlobalProtect.

One Issue - Our strategy was to use GlobalProtect as an Always-On connection, as we've invested in Palo's URL filtering and solely use that for URL inspection. Because of this, we do not use split tunneling and send all traffic, including inordinate amounts of DNS requests, through the Palo. This has proved to be cumbersome at best, and ensuring GP is always connected using SSO and Windows 10 machines is a challenge, which translates into security concerns because users may not always be connected for a variety of reasons.

Are any of you using GlobalProtect and URL filtering in this way?

L6 Presenter

Re: GlobalProtect - How Are you Using?

We use GP always on. SSO was troublesome. Have switched to cert auth.

Our AD issues user certs to all domain members.

We have a copy of the AD root cert on the Palo.

1 portal and 6 gateways. 4500 users... No problem whatsoever.

However, this is only permitted for us with disk encryption (PIN to unlock).

L0 Member

Re: GlobalProtect - How Are you Using?

Hmm... I need to look into this. Yes, SSO is a mess. We've personally reported 2 issues recently that have warranted bug IDs from Palo.

We use machine certs for pre-logon strictly so users can change their domain passwords when they expire. This has also proved to be a nightmare from a management standpoint.

Are you routing all traffic from your Always On clients through GP?

L6 Presenter

Re: GlobalProtect - How Are you Using?

Yes, we do not allow split tunnels.
