Solving Remote Access Challenges in the COVID-19 Era

vathreya
L3 Networker

Enabling 100% uptime and seamless, secure access to business applications is a critical necessity for businesses today. COVID-19 has only accentuated this need, with more people working remotely through the pandemic. Yet IT organizations struggle on a daily basis to support a seamless digital experience for their remote users.

 

Various challenges plague the IT supportability of remote access solutions in the industry today.

 

  1. When a remote user runs into connection issues, the IT admin has no visibility into what is happening on the endpoint and has to involve the user in a complex and time-consuming troubleshooting process.
  2. When a remote user complains that their connection is slow or a business application is not working reliably, the IT admin has no ability to quickly diagnose the performance issues, resulting in a frustrating user experience and impacting business productivity.
  3. When a remote user has issues accessing specific applications, the IT administrator has to engage in a time-consuming end-to-end troubleshooting process to trace and resolve the issues.

 

What stands out amongst the above pain points is the prolonged troubleshooting sessions between administrator and end-user, which hinder workforce productivity. With more of the general workforce being remote, and with supporting 100% seamless access for these end-users becoming a top priority for IT teams, Palo Alto Networks is proud to present the GlobalProtect App Log Collection capability, geared towards superior IT supportability.

 

Starting with GlobalProtect App 5.2.5 and the Prisma Access 1.8 plugin (and later versions of each), administrators can enable GlobalProtect App Log Collection from Panorama to troubleshoot a range of issues, including connectivity, performance, and authentication. End-users no longer have to collect logs manually and share them with their administrator over an out-of-band channel such as a cloud drive. At the click of a button, end-users can send logs on demand, in an easy-to-read format, to the customer’s Cortex Data Lake instance. These logs are then made available on the Explore App. A flexible framework lets end-users send logs when they hit connectivity or authentication errors on GlobalProtect or have difficulty loading an application in the browser. Logs available on the Explore App contain a combination of troubleshooting and diagnostics data that, when stitched together, empowers the administrator to easily find the root cause of the issue.

 


 

  1. The administrator requests the certificate required for establishing mTLS between Cortex Data Lake and GlobalProtect on the employee’s endpoint.
  2. Prisma Access fetches the certificate and stores it in the Mobile User Template.
  3. GlobalProtect successfully authenticates with the Prisma Access portal.
  4. GlobalProtect downloads the certificate required for the mTLS session between Cortex Data Lake and itself.
  5. When the user reports an issue, GlobalProtect sends troubleshooting and/or diagnostic logs to a Cortex Data Lake instance.
  6. The administrator can view the logs using the Explore App.

 

On the Explore App, Troubleshooting logs give the administrator access to the following sections: Portal, Gateway, and the Network State the endpoint is connected to. For a full list of key-value pairs, visit the following link. When an end-user wants to report an issue, troubleshooting logs are sent by default. Some of the questions that troubleshooting logs answer are the following: 

 

  1. What authentication profile was used to authenticate against the portal/gateway?
  2. What is the split-tunnel configuration on the endpoint: Access Route/App/Domain?
  3. Is the SSL Certificate for portal/gateway valid?
  4. What protocol was used for the tunnel? Why was there a fallback from IPSec to SSL?

 

If needed, end-users can additionally run GlobalProtect’s built-in diagnostics and share the logs with the administrator.

 

Employee productivity and user experience are central to the design of this feature. Access to applications in an internal DC or in the cloud is essential to making sure employees stay productive and have a good overall digital experience. GlobalProtect can be configured to conduct diagnostic tests against internal and/or cloud applications that the IT team deems critical to employee productivity. As an administrator, you want to know not only what the network latency measurements look like when GlobalProtect is turned on, but also how they compare against the measurements on the physical adapter. Following are the network measurement diagnostic tests conducted on these applications that are essential to providing a comprehensive picture about your employee’s digital experience.

 

Apart from the network diagnostics, GlobalProtect can run a whole slew of tests and provide necessary information such as GlobalProtect App Health, Gateway Network Impairments, and Endpoint State. This adds a layer of clarity, helping the administrator zero in on the issue as quickly as possible.

 

Once these logs are sent by the end-user, administrators can take advantage of the easy-on-the-eye Explore App to:

  1. search issues by column names such as username or reportID
  2. find patterns around common issues reported by end-users
  3. download the debug log bundle for each issue

 

GlobalProtect App Log Collection will co-exist with the manual collection of logs, a troubleshooting feature that has been supported on GlobalProtect since 4.1. Because GlobalProtect App Log Collection can be enabled at the user-group level, administrators can, during a PoC, make it available to a small group of users before rolling it out to production. With this, administrators can easily zero in on connection, authentication, and performance issues and ensure employees stay productive during any stage of the deployment.

 

The inclusion of GlobalProtect App Log Collection to bolster IT supportability and user experience makes GlobalProtect, a core component of Palo Alto Networks’ offering, an even more compelling, industry-leading ZTNA product.

 

For a list of prerequisites, click here.
