GlobalProtect Best Practices Webinar

GlobalProtect Best Practices, Tuning, and Resources

These are trying times that we are facing. To help keep our workforce protected and secure, there is no better time than now to know exactly how to set up and tune GlobalProtect.

When it comes to knowing how to set up GlobalProtect, along with its best practices, tuning, and resources, there is no better way to learn than by watching a video. Thanks to David Cumbow and Derek Bergman, we now have two great videos to show you all about GlobalProtect.

Below, you will find the two videos that cover not only the best practices, tuning, and resources, but also the Q&A sessions that followed.

GlobalProtect Best Practices Webinar Video

Here is the GlobalProtect webinar that was held last week:

(Actually, there were four different webinars, but since those were the same, I only uploaded one of those sessions.)

GlobalProtect Best Practices Webinar Q&A

Here is the Q&A session that was held after the webinar. Since there were four Q&A sessions, I grouped them all together, which is why the video is over an hour long. It is full of great information and worth a watch.

Here is a recap of the questions that were in the Q&A section:

Q: I noticed that GlobalProtect's software lifecycle is end of life for 2021. Does Palo Alto Networks plan to support it beyond 2021?
A: The end-of-life policies are software version specific. Your question appears to be specific to GlobalProtect agent version 5.1, but by then (2021), newer versions of GlobalProtect will have become available, and their corresponding end-of-life date will be farther out. Please see the following page for additional detail: End-of-Life Summary

Q: If AnyConnect (Cisco) is installed but not running, will it conflict with the GlobalProtect agent?
A: As long as AnyConnect is not running and passing traffic down a separate tunnel (in addition to GlobalProtect), there should be no issues with the agents conflicting. Please see the following page for additional detail: Can GlobalProtect Client Be Running With Another VPN Client?

Q: I believe you can use GlobalProtect for network segmentation on the internal network; is this something you would recommend? Or would you recommend that all VLANs just terminate on the firewall?
A: Hi, it definitely depends on your use case and business needs. We do have customers that utilize internal tunneling of traffic for compliance reasons (traffic needs to be over a fully encrypted tunnel). Just be sure that you are sizing your next-generation firewall appropriately for this type of setup. We can always dive deeper into these configurations in a one-off meeting if you'd like.

Q: With Prisma Access, how would DUO MFA be configured?
A: Hi, the configuration is pretty much the same as if it were run on premises. More information can be found here: What Features Does Prisma Access Support? and here: Configure GlobalProtect to Facilitate Multi-Factor Authentication Notifications
You can run them both on your client, and they don't conflict.

Q: Can I use Entrust Identity Guard for my 2FA?
A: Hi, yes, you should be able to use the IdentityGuard RADIUS proxy to complete the integration. More information can be found here: Multi-Factor Authentication

Q: I'd like to learn more about posture assessment for VPN clients coming into the network.
A: Hi, that is referred to as a Host Information Profile (HIP) check. Please see the following page for additional detail: Configure HIP-Based Policy Enforcement

Q: Can I use user- or group-based security policy with SAML authentication using the Azure GP app?
A: Yes. Please see the following resources for additional detail:
Prisma Access Discussion: User Mobile - Azure SAML - Wildcard
SSO Login Not Seen During GlobalProtect Client Authentication Using SAML Authentication


Q: Is there a method to get a list of all VPN users who connect each day, with time connected and length connected?
A: live answered

Q: Any tips for a dashboard to show details of GlobalProtect traffic and users? Is the remote user count under the gateway and an ACC tab against the GlobalProtect zone the best we can look at?
A: live answered

Q: Best practices for VoIP over VPN (e.g., soft phones)?
A: live answered

Q: Any ACC dashboard for GlobalProtect stats?
A: live answered

Q: Should the VPN tunnel IP address be in the same subnet as the client IP pool or a different subnet?
A: live answered

Q: There's no dashboard widget for GlobalProtect stats either. Is there SNMP info we can grab?
A: live answered

Q: Is it best practice to place the VPN zone IP on a loopback interface?
A: live answered

Q: Some users aren't getting moved from pre-logon gateway settings to the proper settings until I boot their connection and have them log in again. Any ideas?
A: Based on your wording, you may have this resource already, but if not, please start here: Remote Access VPN with Pre-Logon, and consider opening a TAC case if you haven't done so already.

Q: We currently do manual connect. How does it work if we move to a persistent connection? I'd like to force all systems to connect on boot. Does GP pre-authenticate at the Windows login using credentials and then pass login info once connected?
A: Yes, "always on" + pre-login authentication are both options for Windows: Remote Access VPN with Pre-Logon

Q: Is it best practice to "Exclude video traffic from the tunnel (Windows and macOS only)" within the agent settings on the GlobalProtect gateway "Video Traffic" tab?
A: live answered

Q: I meant to say, does it connect with certificates, then pass the login info?


Q: We connect to GlobalProtect via a SAML provider, which in turn authenticates us with DUO for MFA. We receive our initial User-ID from our SAML provider and also synchronize with our AD environment and ClearPass (for our wireless users). All of our GlobalProtect policies are User-ID based. I have seen times where someone's User-ID does not appear to refresh, and they can no longer access internal resources due to the policies requiring User-ID. Have you seen this issue?
A: live answered

Q: When you manually connect to GlobalProtect, how does that affect existing application traffic (e.g., open web pages, streaming video, etc.)?
A: live answered

Q: I watched the Secure Mobility video on LIVEcommunity. Is it correct to understand from that video that GlobalProtect can be used for onboarding BYOD like Android, iPhone, tablets, and even desktops? Would it be wise to install GlobalProtect on every device in the enterprise?
A: So, the Prisma Access documentation involves onboarding users, networks, and service connections. However, in terms of onboarding the actual endpoints, third-party tools, such as Group Policy or MDM tools like AirWatch and JAMF, will likely still be needed.

Q: Can we use a wildcard cert as the main cert?
A: Please see the following resource: How To Use a Wildcard SSL CERT With Subject Alternative Names For GlobalProtect Portal/Gateway

Q: What was the free BPA tool you mentioned?
A: live answered

Q: If a user has a home Mac and installed the GlobalProtect client successfully and entered the portal address, why won't it connect and give the splash page?
A: live answered

Q: Why would 9.1 be released if it's not recommended to upgrade?
A: live answered

Q: Is there a way to view bandwidth usage? Basically, how taxed is the GlobalProtect gateway?
A: live answered

Q: We have GlobalProtect set up across two DCs. Users connected to the primary DC always connect via IPSec. However, users connected to the secondary DC connect via SSL. A couple of colleagues and I are connected to both DCs via IPSec, whereas all the rest connect via SSL on the secondary DC?
A: live answered

Q: Any suggestions on this?

Q: I am using PingID. The display message from the GlobalProtect client is not displaying the full message.
A: We are working with PingID to improve our options here. Please check back on the following page for updates: https://docs.pingidentity.com/bundle/pingid/page/vxu1575274972878.html

Q: Is there a way to generate a custom report of all the users that are connected to GlobalProtect, grouped by hour?
A: live answered

Q: In an HA pair configuration, are GlobalProtect connections load balanced between the two PAN devices, or all terminated on the active node?
A: live answered

Q: How can we assign a "fixed IP" to a GlobalProtect client?
A: live answered

Q: For the Mac issue https://www.reddit.com/r/paloaltonetworks/comments/93t5w1/globalprotect_agent_stuck_at_connecting_st...
"If you run netstat -an and you see that GlobalProtect is not listening on port 4767, restart the Mac with Command+R to get to recovery mode. Open a terminal from the menus at the top, then run "spctl kext-consent add PXPZ95SK77", then reinstall the GlobalProtect client. The cause seems to be that OS X disables kernel extensions from untrusted sources." I have had to do this before.
A: live answered

Q: Does GlobalProtect support DHCP relay?
A: live answered


Q: We split traffic in active/active and use routing to fail over.
A: live answered

Q: To exclude the client application process name for Zoom, would the following syntax be good? \AppData\Roaming\Zoom\bin\Zoom.exe
A: live answered

Q: Will adding an additional IP range to the IP pool under client settings cause disruptions to clients?
A: live answered

Q: Trying to improve performance; any tips?
A: live answered

Q: Will adding the security zone to an existing NAT policy interrupt service?
A: live answered

Q: Do you know if Chromebooks (Android and non-Android) have the ability to force users to use GlobalProtect?
A: live answered - In addition to David's answer, please also see the following resource: Always On Security for Chromebooks

Q: Following up on the HA load balancing question. Our HA setup is active-passive, but the vast majority of our clients are displaying on the passive peer (8 on active, 29 on passive per the remote users screen). Similarly, some of our users are not listed on either node. Have you seen this before, or any advice on resolving this beyond reaching out to TAC?
A: live answered

Q: Is a GlobalProtect gateway deployment supported on an active/active (routed) deployment? If so, is there a design guide specific to this design, as I've been unable to get this to work as I would expect?
A: Hi Thomas, we do not have an active/active HA design guide specific to GlobalProtect, but aside from the complexity that comes with active/active in general, there is no reason it shouldn't work. Please review the following items that don't sync between active/active units, as well as some corresponding use cases:
Determine Your Active/Active Use Case
What Settings Don't Sync in Active/Active HA?
I've also seen users that do have A/A utilize a floating IP for the portal and then the interfaces for each next-generation firewall as part of the two total gateways they host. There is an article on the LIVEcommunity about this specific issue: GlobalProtect with Active/Active HA

Q: Is Aaron saying the client will avoid a conflict and pick a different IP pool?
A: live answered - When a remote user connects to the corporate network with GlobalProtect, the computer will be assigned an IP address from the pool configured on the gateway. It is possible that this IP address overlaps the subnet that the workstation is already in, which will cause issues.
How Can IP Overlaps Be Prevented With GlobalProtect
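As an added illustration of the overlap problem described in that answer (this is example code written for this recap, not code from the webinar, from Palo Alto Networks, or from the linked article), here is a small Python planning check. It tests candidate gateway client IP pools against the local subnets that remote workstations are known to sit on and picks the first pool that collides with none of them. The home-LAN prefixes and candidate pools are constructed sample values; in practice you would feed in the LAN prefixes actually observed in your own user population.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed sample data: local subnets commonly seen on remote workstations
# (consumer routers, guest networks). Replace with prefixes observed in your
# own environment.
OBSERVED_CLIENT_LANS = [
    "192.168.0.0/24",
    "192.168.1.0/24",
    "10.0.0.0/24",
    "172.16.0.0/24",
]

# Constructed candidate pools for a GlobalProtect gateway client IP pool.
CANDIDATE_POOLS = [
    "192.168.1.0/24",   # collides with a very common home subnet
    "10.0.0.0/16",      # contains 10.0.0.0/24, so it collides too
    "10.250.0.0/16",    # clear of every observed LAN
    "100.64.0.0/22",    # shared address space, rarely used on home LANs
]


def find_overlaps(pool: str, lans: Iterable[str]) -> List[str]:
    """Return every LAN prefix that overlaps the given pool."""
    pool_net = ipaddress.ip_network(pool, strict=False)
    hits = []
    for lan in lans:
        lan_net = ipaddress.ip_network(lan, strict=False)
        # overlaps() is True when either prefix contains any part of the other;
        # v4 and v6 prefixes can never overlap, so skip mixed comparisons.
        if pool_net.version == lan_net.version and pool_net.overlaps(lan_net):
            hits.append(str(lan_net))
    return hits


def choose_pool(candidates: Iterable[str], lans: Iterable[str]) -> Optional[str]:
    """Return the first candidate pool that overlaps none of the LAN prefixes."""
    lans = list(lans)
    for cand in candidates:
        if not find_overlaps(cand, lans):
            return str(ipaddress.ip_network(cand, strict=False))
    return None


def pool_report(candidates: Iterable[str], lans: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Per-candidate list of conflicting LAN prefixes, for review."""
    lans = list(lans)
    return [(cand, find_overlaps(cand, lans)) for cand in candidates]


if __name__ == "__main__":
    for cand, conflicts in pool_report(CANDIDATE_POOLS, OBSERVED_CLIENT_LANS):
        status = "CONFLICT with " + ", ".join(conflicts) if conflicts else "ok"
        print(f"{cand:18} {status}")
    print("recommended pool:", choose_pool(CANDIDATE_POOLS, OBSERVED_CLIENT_LANS))
```

The check is only as good as the LAN list you give it; a client on a subnet you have not recorded can still collide, which is why the linked article's advice on pool selection still applies.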

 

Q: Is there a simple user-end setup doc for the nontechnical users that will be connecting? We're looking to roll ours out to 1500+ users, and most are not very technical. (Healthcare field)
A: live answered - Using The GlobalProtect App For Windows and Mac (Customizable Versions)

Q: Also, what is the license/feature called for DNS-based split tunneling?
A: live answered

Q: Is there a recommended GlobalProtect client version?
A: Support PAN-OS Software Release Guidance

Q: When it comes to network speed over the VPN back to files or work resources, is there anything to look at to speed things up? We have a gig connection with a PA-3220, and with 50 people using the VPN, it feels sluggish getting to work resources.
A: live answered - Optimized Split Tunneling for GlobalProtect

Q: Are we able to share the FQDN for our GlobalProtect portal and the clientless VPN? Are there any resources for setting up clientless VPN that you can recommend?
A: live answered - Configure Clientless VPN

Q: Could you use HIP rules to put failing clients on a remediation network in the use case of AOVPN?
A: live answered

Q: Can we enforce AOVPN and disable internet access on the client when the VPN fails?
A: live answered - Enforce GlobalProtect for Network Access

Q: Do you know how often HIP information is updated from the GlobalProtect client, and if this update interval can be configured?
A: live answered - HIP Check Report Interval

Q: Is there any support for TOTP for MFA without an external service?
A: live answered

Q: Is there API support for updating certificates programmatically? I'm thinking about automated renewals of certificates (e.g., AD Certificate Services or Let's Encrypt).
A: live answered -
Renew a Certificate
GlobalProtect Certificate Best Practices

Q: Do you have a list of supported HIP checks?
A: Please see the following resource: What Data Does the GlobalProtect App Collect?

Q: What skill sets are needed to implement custom HIP checks?
A: live answered

Q: Would we be able to disallow a user from logging into the GlobalProtect VPN at all if they do not meet a HIP check?
A: live answered

Q: Can you use HIP internally without VPN for traffic traversing the firewall?
A: live answered


We will be coming out with more webinars soon, so please keep coming back to the LIVEcommunity.

Thanks for taking the time to read my blog.
If you enjoyed this, please hit the Like (thumbs up) button, and don't forget to subscribe to the LIVEcommunity Blog.

As always, we welcome all comments and feedback in the comments section below.

Stay Secure,
Joe Delio
End of line

Comments

@jdelio,

Can we also provide a link to the live discussions / answers that you have called out for some of the questions? Yes, it might have been answered before, but for a reader, if there is a LIVEcommunity link to the discussion, it would be helpful.

@vathreya, I did my best to do that for as many as I could.

If I have time I can try to link to the articles/info that we have available.

Thanks for the comment!

Good day Joe,

I truly thank you for writing the script in here; it does save tons of time to scan through the content and get educated on it. Thanks tremendously for what you have been doing in the LIVEcommunity.

Cheers!

Ram Bista