GlobalProtect Best Practices, Tuning, and Resources
These are trying times that we are facing. To help keep our workforce protected and secure, there is no better time than now to know exactly how to set up and tune GlobalProtect.
When it comes to learning how to set up GlobalProtect, along with best practices, tuning, and resources, there is no better way than watching a video. Thanks to David Cumbow and Derek Bergman, we now have two great videos that show you all about GlobalProtect.
Below, you will find the two videos that cover not only the Best Practices, Tuning and Resources, but also the Q&A sessions that followed.
GlobalProtect Best Practices Webinar Video
Here is the GlobalProtect Webinar that was held last week:
(Actually, there were four different webinars, but since those were the same, I only uploaded one of those sessions.)
GlobalProtect Best Practices Webinar Q&A
Here is the Q&A session that was held after the webinar. As far as the Q&A sessions, since there were four, I grouped them all together, which is why the video is over an hour long—full of great information, worth a watch.
Here is a recap of the questions that were in the Q&A section:
Q: I noticed that GlobalProtect's software lifecycle is end of life for 2021. Does Palo Alto Networks plan to support it beyond 2021? A: The end of life policies are software version specific. Your question appears to be specific to GlobalProtect agent version 5.1, but by then (2021), newer versions of GlobalProtect will become available, and their corresponding end-of-life date will be farther out. Please see the following page for additional detail: End-of-Life Summary
Q: If AnyConnect (Cisco) is installed but not running, will it conflict with the GlobalProtect agent? A: As long as AnyConnect is not running and passing traffic down a separate tunnel (in addition to GlobalProtect), there should be no issues with the agents conflicting. Please see the following page for additional detail:
Q: I believe you can use GlobalProtect for Network Segmentation on the internal network; is this something you would recommend? Or recommend all VLANs to just terminate on the firewall. A: Hi, it definitely depends on your use case and business needs. We do have customers that utilize internal tunneling of traffic for compliance reasons (traffic needs to be over a fully encrypted tunnel). Just be sure that you are sizing your next-generation firewall appropriately for this type of setup. We can always dive deeper into these configurations in a 1-off meeting if you’d like.
You can run them both on your client, and they don't conflict.
Q: Can I use Entrust IdentityGuard for my 2FA? A: Hi, yes, you should be able to use the IdentityGuard RADIUS proxy to complete the integration. More information can be found here: Multi-Factor Authentication
Q: I'd like to learn more about posture assessment for VPN clients coming into the network. A: Hi, that is referred to as a Host Information Profile (HIP) check. Please see the following page for additional detail:
Q: Is there a method to get a list of all VPN users who connect each day with time connected and length connected? A: live answered
Q: Any tips for a dashboard to show details of GlobalProtect traffic and users? Is the remote user count under the gateway and an ACC tab against the GlobalProtect zone the best we can look at? A: live answered
Q: Best practices for VoIP over VPN (e.g., soft phones). A: live answered
Q: Any ACC dashboard for GlobalProtect stats? A: live answered
Q: Should the VPN tunnel IP address be in the same subnet as the client IP pool or in a different subnet? A: live answered
Q: There's no dashboard widget for GlobalProtect stats either. Is there SNMP info we can grab? A: live answered
Q: Is it best practice to place the VPN zone IP on a loopback interface? A: live answered
Q: Some users aren't getting moved from pre-logon gateway settings to the proper settings until I boot their connection and have them log in again. Any ideas? A: Based on your wording, you may have this resource already, but if not, please start here: Remote Access VPN with Pre-Logon and consider opening a TAC case if you haven’t done so already.
Q: We currently do manual connect. How does it work if we move to a persistent connection? I'd like to force all systems to connect on boot. Does GP pre authenticate at the Windows login using credentials and then pass login info once connected? A: Yes, “always on” + pre-login authentication are both options for Windows: Remote Access VPN with Pre-Logon
Q: Is it best practice to "Exclude video traffic from the tunnel (Windows and macOS only)" within agent settings on the GlobalProtect gateway "video traffic" (Tab)? A: live answered
Q: I meant to say, does it connect with certificates and then pass the login info?
Q: We connect to GlobalProtect via a SAML provider, which in turn, authenticates us with DUO for MFA. We receive our initial User-ID from our SAML provider and also synchronize with our AD environment and Clearpass (for our wireless users.) All of our GlobalProtect policies are User-ID based. I have seen times where someone’s User-ID does not appear to refresh, and they can no longer access internal resources due to the policies requiring User-ID. Have you seen this issue? A: live answered
Q: When you manually connect to GlobalProtect, how does that affect existing application traffic (e.g., open web pages, streaming video, etc)? A: live answered
Q: I watched the Secure Mobility video on LIVEcommunity. Is it correct to understand from that video that GlobalProtect can be used for onboarding BYOD like Android, iPhone, tablets, and even desktops? Would it be wise to install GlobalProtect on every device in the Enterprise? A: So, the Prisma Access documentation involves onboarding users, networks, service connections. However, in terms of onboarding the actual endpoints, 3rd party tools—such as Group Policy, or MDM tools like AirWatch and JAMF—will likely still be needed.
Q: Can we use a wildcard cert as the main cert? A: Please see the following resource:
Q: What was the free BPA tool you mentioned? A: live answered
Q: If a user has a home mac and installed the GlobalProtect client successfully and entered the portal address, why won't it connect and give the splash page? A: live answered
Q: Why would 9.1 be released if it's not recommended to upgrade? A: live answered
Q: Is there a way to view bandwidth usage. Basically, how taxed is the GlobalProtect Gateway? A: live answered
Q: We have GlobalProtect set up across two DCs. Users connected to the primary DC always connect via IPSec. However, users connected to the secondary DC connect via SSL. A couple of colleagues and I are connected to both DCs via IPSec, whereas the rest all connect via SSL on the secondary DC? A: live answered
Q: "If you run netstat -an and you see that GlobalProtect is not listening on port 4767, restart the Mac with command+R to get to recovery mode. Open a terminal from the menus at the top, then run "spctl kext-consent add PXPZ95SK77", then reinstall the GlobalProtect client. The cause seems to be that OS X disables kernel extensions from untrusted sources." I have had to do this before. A: live answered
Q: Does GlobalProtect support DHCP relay? A: live answered
Q: We split traffic in Active Active, use routing to fail over. A: live answered
Q: To exclude Client Application Process Name for Zoom, would the following Syntax be good? \AppData\Roaming\Zoom\bin\Zoom.exe A: live answered
Q: Will adding an additional IP range to the IP pool under client settings cause disruptions to clients? A: live answered
Q: Trying to improve performance, any tips? A: live answered
Q: Will adding the security zone to an existing NAT policy interrupt service? A: live answered
Q: Do you know if Chromebooks (Android and non-Android) have the ability to force users to use GlobalProtect? A: live answered - In addition to David’s answer, please also see the following resource: Always On Security for Chromebooks
Q: Following up on the HA load balancing question. Our HA setup is active-passive, but the vast majority of our clients are displaying on the passive peer (8 on active, 29 on passive per the remote users screen). Similarly, some of our users are not listed on either node. Have you seen this before, or do you have any advice on resolving this beyond reaching out to TAC? A: live answered
Q: Is a GlobalProtect gateway deployment supported on an active/active (routed) deployment? If so, is there a design guide specific to this design, as I've been unable to get this to work as I would expect. A: Hi Thomas, we do not have an active/active HA design guide specific to GlobalProtect, but aside from the complexity that comes with active/active in general, there is no reason it shouldn’t work. Please review the following items that don’t sync between active/active units as well as some corresponding use cases: Determine Your Active/Active Use Case; What Settings Don’t Sync in Active/Active HA?
I’ve also seen users that do have A/A utilize a floating IP for the portal and then the interfaces for each next-generation firewall as part of two total gateways they host. There is an article on the LIVEcommunity about this specific issue: GlobalProtect with Active/Active HA
Q: Is Aaron saying the client will avoid a conflict and pick a different IP pool? A: live answered - When a remote user connects to the corporate network with GlobalProtect, the computer will be assigned an IP address from the pool configured on the gateway. It is possible that this IP address overlaps the subnet that the workstation is already in, which will cause issues. How Can IP Overlaps Be Prevented With GlobalProtect
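As an added example (not part of the original post or of Palo Alto Networks' tooling), the following Python check flags whether a candidate gateway IP pool overlaps the LAN subnets remote workstations are commonly already in, and picks the first non-overlapping pool from a parent range. All pool and subnet values are constructed for illustration.

```python
import ipaddress

# Constructed sample: gateway IP pools an admin is considering.
CANDIDATE_POOLS = ["192.168.1.0/24", "10.0.0.0/24", "172.31.200.0/22"]

# Constructed sample: subnets commonly handed out by home routers, plus one
# derived from a client's own interface address (host bits are allowed).
LOCAL_SUBNETS = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24", "172.16.5.37/24"]


def find_overlaps(pools, local_subnets):
    """Return (pool, local_subnet) pairs whose address ranges overlap.

    A client whose home LAN overlaps the gateway pool can end up with
    conflicting routes, so these pairs are the ones to avoid.
    """
    conflicts = []
    for pool in pools:
        pool_net = ipaddress.ip_network(pool, strict=False)
        for local in local_subnets:
            local_net = ipaddress.ip_network(local, strict=False)
            if pool_net.overlaps(local_net):
                conflicts.append((str(pool_net), str(local_net)))
    return conflicts


def safe_pools(pools, local_subnets):
    """Return the candidate pools that overlap none of the local subnets."""
    conflicting = {pool for pool, _ in find_overlaps(pools, local_subnets)}
    normalized = (str(ipaddress.ip_network(p, strict=False)) for p in pools)
    return [p for p in normalized if p not in conflicting]


def first_free_pool(parent, prefixlen, local_subnets):
    """Return the first /prefixlen subnet of parent that overlaps no local subnet."""
    parent_net = ipaddress.ip_network(parent, strict=False)
    local_nets = [ipaddress.ip_network(s, strict=False) for s in local_subnets]
    for candidate in parent_net.subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(net) for net in local_nets):
            return str(candidate)
    return None


if __name__ == "__main__":
    for pool, local in find_overlaps(CANDIDATE_POOLS, LOCAL_SUBNETS):
        print(f"pool {pool} overlaps client subnet {local}")
    print("non-overlapping candidates:", safe_pools(CANDIDATE_POOLS, LOCAL_SUBNETS))
    print("first free /24 in 10.0.0.0/8:", first_free_pool("10.0.0.0/8", 24, LOCAL_SUBNETS))
```

Feed it the subnets you actually see in support tickets from remote users; the check only knows about the list you give it.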
Q: When it comes to network speed over the VPN back to files or work resources, is there anything to look at to speed things up? We have a gig connection with a PA-3220, and with 50 people using the VPN, it feels sluggish getting to work resources. A: live answered - Optimized Split Tunneling for GlobalProtect
Q: Are we able to share the FQDN for our GlobalProtect portal and the clientless VPN? Are there any resources for setting up clientless VPN that you can recommend? A: live answered - Configure Clientless VPN
Q: Could you use HIP rules to put failing clients on a remediation network in the use case of AOVPN? A: live answered