Is there a way to force the GlobalProtect client to not connect if the client sees certificate shenanigans?

L4 Transporter

What I mean by the title of this discussion is that when the GlobalProtect client goes to initiate an SSL VPN session, instead of prompting the user to "cancel or continue," can the client respond to the user with something like "Invalid certificate detected. Due to security concerns your connection cannot be established at this time. Please call the Security Operations Center at 888-555-1212 for assistance with remote VPN connectivity or with any questions."

I'd rather not ask the user to choose, because it's highly likely they'll just click "Continue," opening themselves up for a Man-in-the-Middle attack.

It's trivially easy to do SSL man-in-the-middle nowadays (http://mitmproxy.org/ is one example), so I'd rather them not connect than possibly have their entire VPN session captured by a 'bad guy.'

L4 Transporter

Re: Is there a way to force the GlobalProtect client to not connect if the client sees certificate shenanigans?

Also this kind of plugs into another issue with GlobalProtect, in that policy is completely reset when the user reboots. When they reboot, even if there was a way to push this setting to the GP client, the setting would be turned back off on reboot until the user VPNs back in. Not good.

L4 Transporter

Re: Is there a way to force the GlobalProtect client to not connect if the client sees certificate shenanigans?

This is essentially what I mean... this is Cisco's AnyConnect and the dialog it presents when there's an invalid certificate:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect...

http://www.cisco.com/en/US/i/200001-300000/240001-250000/244001-245000/244293.jpg

L4 Transporter

Re: Is there a way to force the GlobalProtect client to not connect if the client sees certificate shenanigans?

Also the dialog can be disabled, and the AnyConnect client can be configured to simply not connect after throwing an error:

Improved Security Behavior

When the client accepts an invalid server certificate, that certificate is saved in the client's certificate store. Previously, only the thumbprint of the certificate was saved. Note that invalid certificates are saved only when the user has elected to always trust and import invalid server certificates.

There is no administrative override to make the end user less secure automatically. To completely remove the preceding security decisions from your end users, enable Strict Certificate Trust in the user's local policy file. When Strict Certificate Trust is enabled, the user sees an error message, and the connection fails; there is no user prompt.
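
An added example, not part of this thread or of Cisco's documentation: a fleet-audit check that classifies AnyConnect local policy files by whether Strict Certificate Trust is enabled, so endpoints that would still show the "cancel or continue" style prompt can be followed up. It assumes the setting is the `StrictCertificateTrust` element of the local policy XML; the host names and policy texts are constructed, and treating a missing or unparsable setting as "not enforced" is this check's own conservative choice.

```python
import xml.etree.ElementTree as ET

# Constructed policy texts for three hypothetical endpoints (not real data).
POLICIES = {
    "laptop-01": """<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/">
  <StrictCertificateTrust>true</StrictCertificateTrust>
</AnyConnectLocalPolicy>""",
    "laptop-02": """<AnyConnectLocalPolicy>
  <StrictCertificateTrust> False </StrictCertificateTrust>
</AnyConnectLocalPolicy>""",
    # Truncated file, e.g. an interrupted write during deployment.
    "laptop-03": "<AnyConnectLocalPolicy><FipsMode>false</FipsMode>",
}


def strict_cert_trust_status(policy_xml):
    """Classify one policy: 'enforced', 'not_enforced', 'missing', 'unparsable'."""
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError:
        return "unparsable"
    for elem in root.iter():
        # Compare the local name only, so the check works with or without
        # an XML namespace on the policy document.
        if elem.tag.rsplit("}", 1)[-1] == "StrictCertificateTrust":
            value = (elem.text or "").strip().lower()
            return "enforced" if value == "true" else "not_enforced"
    return "missing"


def hosts_that_may_prompt(policies):
    """Return hosts whose policy does not provably enforce strict trust."""
    return sorted(host for host, xml_text in policies.items()
                  if strict_cert_trust_status(xml_text) != "enforced")


if __name__ == "__main__":
    for host, text in sorted(POLICIES.items()):
        print(f"{host}: {strict_cert_trust_status(text)}")
    print("follow up:", hosts_that_may_prompt(POLICIES))
```
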

L7 Applicator

Re: Is there a way to force the GlobalProtect client to not connect if the client sees certificate shenanigans?

GlobalProtect does not have a way to enforce strict checking. While it will throw an error as you mention, the user is free to make the decision about it.

This seems to me like a useful feature, and I would recommend working with your account team to submit a feature request to see if this can be added.

Best regards,

Greg

L4 Transporter

Re: Is there a way to force the GlobalProtect client to not connect if the client sees certificate shenanigans?

Honestly, Greg, at this point we're looking to buy a pair of ASAs and go the AnyConnect route for remote user VPN access.

If you guys ("you guys" being PA) feel it's useful and a feature that makes sense, I'd ask that you guys go ahead and put in an FR/bug report/whatever for it.

I hate to sound so negative or sour, but GlobalProtect didn't live up to our expectations.
