GlobalProtect Agent Settings and CIS Controls

GlobalProtect Agent Settings and CIS Controls Webinar Q&A

Palo Alto Networks explores the settings in GlobalProtect Agent while providing some great tips about the CIS controls. Learn more about configuration, best practices, and how to keep security Top of Mind in this webinar video.

If you use GlobalProtect and want to know more about Agent settings and CIS controls, then you have come to the right place.

David Cumbow has hosted yet another great GlobalProtect webinar all about GlobalProtect Agent Settings and CIS Controls, along with a great Q&A session that happened after the webinar. 

This time around, David has help from Aaron McAllister, Shane Markley, and Dan Smith whom all play key parts in this great webinar.

Here's a quick overview of the subjects covered in this webinar:

• Keeping Security Top of Mind
• GlobalProtect Agent configurations and Best Practices
• CIS controls mapping to GlobalProtect and for remote workers

At the end of the webinar, there were actually two different Q&A sessions that I put together to make one video. Here's the Q&A session

GlobalProtect Agent Settings and CIS Controls Webinar Q&A session questions

Q: Why are we using Zoom given all the security vulnerabilities published about it recently?

A: Hi J. Noble, a few reasons. We make sure to utilize all security controls provided by Zoom, including webinar passwords, encrypted sessions, and we have moderators during the webinar. I think many of the security concerns for Zoom come from the free version and misconfigurations. Thanks for your question!

Q: Can the Next-Generation Firewall perform OCSP check for the cert?

A: Yes. Please see the following resources for additional detail: 

Controlling GlobalProtect VPN Access With OCSP

Q: Is it possible to choose who sees HIP notifications based on group membership?

A: So, as it sits today, HIP notification match on a HIP profile and corresponding HIP Object(s). Within each HIP object you can optionally set checks for things like Domain, OS, registry keys, certificates, etc. Although this approach doesn’t directly map to group memberships, it could potentially provide a similar result. Please see the following resource for additional detail:

Configure HIP-Based Policy Enforcement

Since HIP notifications are a gateway level setting, another option you have is to have another gateway configured for groups that you do want to have HIP notifications and another for those that you don’t. A bit more involved, but it’s an option.

Q: Pre-logon is important if your endpoints have their windows profiles stored on the server instead of the endpoint. With pre-logon, the DC is already connected when the user logs in so the profile can be found on the server. Without pre-logon, the server is not present until the user connects via the client, so the user's profile is not available when she logs in.

A: Great point, Gene! Thanks for sharing.

Q: Is there a way to reserve IPs for MAC addresses from the client pool you specify in GlobalProtect?

A: Not directly from the GlobalProtect client pool, but assuming the firewall is also acting as the DHCP server, the desired outcome can be accomplished as described here:

Configure DHCP Reserved Addresses on a Palo Alto Networks Firewall

Q: Current recommended version of GP agent to use?

A: 5.1.1 is currently "eTac preferred." Here's more information (customer sign-in required):

Support PAN-OS Software Release Guidance

Q: Pre-Login also allows new users to login to a laptop out in the field for the first time (i.e., cached credentials aren't needed, catches password updates, etc.)

A: Another great point! Thanks, Carl!

Q: I have opened a TAC case for HIP Notification being triggered on Windows FW. However, I do not have that as one of the checks. Currently, I am checking anti-malware for one HIP Profile and the other is checking for Disk Encryption. What I am seeing is the one HIP object in AV is checking Windows Defender and seems to be linking to Vendor Microsoft in the Firewall. Causing a False Notification. I am version 9.06. Thoughts?

A: Hi Eric, I have some thoughts on this, but no corresponding resource or artifact to provide so I will follow up with you offline after this if that is ok.

Q: Can you please elaborate on 'include 0.0.0.0/0 & ::/0 access routes in split tunnel configuration? What does this do and why are you recommending it be added?

A: LIVEcommunity answered

Q: Sorry, may be a dumb question, but why is it important to enable the IPSec on a the VPN versus just the tunnel mode?

A: LIVEcommunity answered

Q: Do you have resources for common issues with GlobalProtect and various Operating Systems. The majority of our users are working but we have a few Windows 10 users who get spinning wheel of connecting, etc.

A: LIVEcommunity answered. Just noticed this LIVEcommunity discussion, but let me know if this does not resolve the issue:

GlobalProtect client issues with Windows Hello login - Windows 10

Q: If you wish to update the version of GlobalProtect, is local admin access required for that? Or does the version update without any user intervention?

A: "When initially installing the GlobalProtect agent software on the endpoint, the end user must be logged in to the system using an account that has administrative privileges. Subsequent agent software updates do not require administrative privileges."

Test the Agent Installation

Q: What are the main differences between the included GlobalProtect app for connecting to VPN and the licensedGlobalProtect app?

A: Hi Cody, please see the table on the following page for a feature breakdown with and without theGlobalProtect license:

About GlobalProtect Licenses

Q: We currently are using Pulse Secure for our Remote VPN and one of the problems we have is the speed on the remote user is highly decreased. Does Global Protect have the same issue?

A: Hi Stephen, as with any great question the answer is it depends. Typically, any noticeable difference in performance from an end user experience perspective is driven by latency associated with traffic needing to traverse the tunnel, hairpin through the firewall, and get back out to the Internet. However, depending upon the configuration that you have in place with Pulse testing IPSec if you are using SSL or vice versa may improve performance as well. If you find that the bottleneck is in fact the speed of your company’s internet connection you might consider evaluating Prisma Access, which is GlobalProtect with a cloud hosted infrastructure:

https://www.paloaltonetworks.com/prisma/access

Q: Where is the BPA found?

A: Run a Best Practice Assessment at your convenience from the Customer Support Portal

Q: How does a client certificate offer multi-factor authentication security if it is deployed by the portal? If a user had compromised credentials and an attacker logged in to GlobalProtect, wouldn't the attacker just receive the client cert as well?

A: LIVEcommunity answered

Q: Can you please connect me with Stephen Brown directly? I would like to discuss the Pulse Secure issue with him. I believe we have a common problem. We are not able to move to Palo Alto Networks GlobalProtect as of right now.

A: LIVEcommunity answered

More Information

GlobalProtect Quick Configs and Architectures (in Admin Guide)

PAN-OS 8.1 – GlobalProtect Quick Configs

PAN-OS 9.0 – GlobalProtect Quick Configs

PAN-OS 9.1 – GlobalProtect Quick Configs

GP Resource List (Holy Grail of GlobalProtect articles)

GlobalProtect Resource List on Configuring And Troubleshooting

The Rapid Response team is here to help if you need implementation help. Reach out to rapid-response@paloaltonetworks.com if you don't know who your team is.

Thanks for taking time to read my blog.
If you enjoyed this, please hit the Like (thumbs up) button, don't forget to subscribe to the LIVEcommunity Blog.

As always, we welcome all comments and feedback in the comments section below.

Stay Secure,
Joe Delio
End of line