global protect configuration

L4 Transporter

I was just wondering how other people have their GlobalProtect clients configured? Who uses on-demand vs autologin? Who uses prelogin checks etc. and what works the best?

L6 Presenter

Re: global protect configuration

@jdprovine, long time no post...

difficult one as what's best will really depend on the corporate and user requirements.

we use pretty much all the options as we have a varied user scope from members of staff, IT admin, guests, 3rd party support etc. and all vary between on demand, always on, RADIUS OTP, certificate and LDAP...

so...

our main user group of approx 3k are win7/10 laptops.

for this we use always on with certificate authentication.

pre login is not much use as wifi is not enabled until user actually logs in.

The "enforce GlobalProtect" option boosted our service desk calls by 45 million (approx) so we took it off. mainly because of issues with captive portal etc. but we do prevent open browsing by the use of a proxy.pac config.

pretty much got this down to a fine art as we generally only get 1 or 2 calls per week regarding GP. most resolved as users not joining guest networks correctly but hardly ever due to a GP fault.

we also run a couple of pre and post VPN scripts but this is just to enforce a few proxy settings and ipconfig /flushdns as this was not part of the early GP versions.

Hope you are well,

Laterers...

L4 Transporter

Re: global protect configuration

@MickBall 

Hey there, I'm back after my job change and reaper got all my settings migrated; wasn't sure people would recognize me.

We only have one VPN configured and everyone uses the same one. We don't have nearly as many users as you do though, but I really dislike the auto login. I prefer the on demand, but I can see why it was set up the way it was, to take human error out of the equation. I am just looking to make it work better.

L7 Applicator

Re: global protect configuration


@MickBall wrote:

The "enforce GlobalProtect" option boosted our service desk calls by 45 million (approx) so we took it off. mainly because of issues with captive portal etc. but we do prevent open browsing by the use of a proxy.pac config.

pretty much got this down to a fine art as we generally only get 1 or 2 calls per week regarding GP. most resolved as users not joining guest networks correctly but hardly ever due to a GP fault.

we also run a couple of pre and post VPN scripts but this is just to enforce a few proxy settings and ipconfig /flushdns as this was not part of the early GP versions.


@MickBall you should give 5.0.2 a try. I have spent a lot of time together with Palo Alto to report, solve and test fixes for the issues you describe here. Of course 5.0.2 will not be bug-free, but right now it runs pretty well with enforce enabled. Captive portals are no longer a problem even with this option, and in my setup we even have MFA with RADIUS configured, which made the whole situation even more difficult. Anyway, if you do test it with 5.0.2 and maybe also with the enforce option, please write your feedback/issues to this post, where I try to collect information about 5.0.2: https://live.paloaltonetworks.com/t5/General-Topics/Global-Protect-5-0-2-working-deployments-configu...

L6 Presenter

Re: global protect configuration

@jdprovine, where exactly is it failing? We also use on demand for external support, approx 120 users, and still have no issues.

@vsys_remo, yes I have seen how busy you have been, I will of course venture deeper.....

L4 Transporter

Re: global protect configuration

@MickBall 

Actually it's not failing, I was just wondering if there was a best practices way to configure it that would make it more efficient.
