New NG PA implementation path URL

L1 Bithead


Hi all, we are replacing our aging ASA VPN with the new PA GlobalProtect. ASA has a path of someurl.com/path rather than just a default someurl.com. Makes it a bit harder for the bad guys to guess. Is PA capable of creating a path, rather than a default URL?

Thank you in advance for the help.

Regards

L2 Linker

Re: New NG PA implementation path URL

Not really, no.

Generally speaking it would be best practice to use a totally unrelated domain for the company/organization the remote access is for.

For example, it wouldn't be advisable for CompanyA to use...

e.g. "remoteaccess.companya.com"

Something generic that could not be traced back to the CompanyA in question would be much more advisable. Also the use of a top level domain that doesn't require it to be registered to a legitimate organisation if you want to be really paranoid....

e.g. "tasty.spacechicken.systems"

Obviously something more appropriate than that, but you get the idea :-)

L7 Applicator

Re: New NG PA implementation path URL

Hello @El-ahrairah ,

That is one cool domain ;)!

L6 Presenter

Re: New NG PA implementation path URL


@au_igs wrote:

Hi all, we are replacing our aging ASA VPN with the new PA GlobalProtect. ASA has a path of someurl.com/path rather than just a default someurl.com. Makes it a bit harder for the bad guys to guess. Is PA capable of creating a path, rather than a default URL?

Thank you in advance for the help.

Regards


I think this is easier than you think, or perhaps I'm not understanding. I just went through swapping out ~6,000 laptops from AnyConnect to GP.

For GP you define the DNS name so there's not really a common path that an external entity could guess would be your company's GP portal.

L1 Bithead

Re: New NG PA implementation path URL

That's a great idea, but then we'd need to register a new domain. Then we'd need to buy a new domain in Entrust for the certificate to match the new zone. All doable but sort of not thought of before.

Our 10-year-old ASA could do it, no dramas.

Thank you though. I really do appreciate your replies and help.

L7 Applicator

Re: New NG PA implementation path URL


@El-ahrairah wrote:

Also the use of a top level domain that doesn't require it to be registered to a legitimate organisation if you want to be really paranoid....


... and don't use anything "better" than a domain validation certificate - self-signed would be good too if all the devices that connect are under your control ;)
