10-16-2019 02:15 PM
We've been troubleshooting some issues encountered when using the "Enforce GlobalProtect Connection for Network Access" option in our portal agent configuration. Our TAC engineer mentioned that he had seen a setting called "Allow traffic to specified hosts/networks when Enforce GlobalProtect Connection for Network Access is enabled and GlobalProtect Connection is not established" in 8.1, but didn't see it in 9.0. (The setting should allow certain hosts to be exempted from the enforced use of GP.) However, today I noticed it in the portal config for the first time (we just updated to 9.0.4 last week). I tried putting in an IP address for the parameter value, and also using the whole subnet w/ mask. However, it didn't work to allow access to those hosts.
I can't seem to find documentation for this parameter anywhere! I've looked in the offline help in Panorama, v 8.1 and v 9.0 GlobalProtect administrator's guide, searching on this forum, and searching Google in general. The TAC engineer didn't even have documentation for this. Does anyone know the syntax, or how to get it to work?
11-22-2019 09:33 AM
This feature will be supported with GP Agent 5.1.0. The existing agent does not support this option.
10-30-2019 03:01 PM
Hello there
So I am trying to work out and understand the issue.
I see the option for Enforce GlobalProtect Connection for Network Access, and it is a yes or no.
Yes means that NO network traffic can pass without the machine being connected via GP.
I too, looked at the 8.1 GP admin guide and do not see an exception to the Enforce GlobalProtect Connection setting.
So, perhaps the TAC engineer was incorrect in his memory.
For now, I would create a configuration that specifically excludes that particular computer from needing to connect.
Will this help?
10-30-2019 08:13 PM
Steve, we are excluding this setting across the board right now, because we unfortunately have a large number of machines which would need an exception. We're still doing Always On mode, and the login dialog box is pretty "in your face" annoying until you sign in, which should help encourage users to authenticate.
Here's a screenshot of the parameter. Want to know the dumber thing? Once you've set a value, you can't change it back to blank! The window won't let you save it anymore! My case engineer escalated it a week ago, and still has no idea how to configure it. It seems to be some half-baked "feature" that does nothing at this point.
10-31-2019 06:56 AM - edited 10-31-2019 07:34 AM
@OwenFuller Welp, you weren't lying. I set that up on my test Palo and was unable to change it back to blank. Well, I was, but only because I saved a snapshot first. Otherwise I got the same error.
Looks like a bug that needs to be fixed.
10-31-2019 07:47 AM
@Shawverr wrote:
Looks like a bug that needs to be fixed.
Well, once TAC acknowledges that the "feature" even exists, then maybe we can get a bugfix submitted! 😄
10-31-2019 07:53 AM
@OwenFuller LOL!!!! That's why I decided to post, not because I could help, but I could at least confirm the issue. Hopefully that helps.
11-07-2019 06:07 AM
Value must contain the mask, i.e. 8.8.8.8/32 or 10.0.0.0/8.
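As an added example (not code from the thread or from Palo Alto Networks), here is a small Python check that applies the one rule stated above, that every exception-list value must carry a mask, to a list of entries before they are pasted into the portal config. The function names, the sample list and the choice to treat a bare IP as "not exempted" are assumptions for illustration, matching the "does nothing" behaviour reported earlier in the thread.

```python
"""Validate GlobalProtect enforcer exception-list values (constructed check)."""
import ipaddress


def check_exception_entry(value: str) -> tuple[bool, str]:
    """Return (ok, message) for one exception-list value.

    Rule from the thread: the value must include a mask (8.8.8.8/32, 10.0.0.0/8).
    A bare IP is reported as a value that will silently fail to exempt anything.
    """
    value = value.strip()
    if "/" not in value:
        return False, f"{value!r}: missing mask; use {value}/32 for a single host"
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError as exc:
        return False, f"{value!r}: not a valid host/network ({exc})"
    canonical = str(net)
    if canonical != value:
        # e.g. 10.1.2.3/8: host bits are set; the network it denotes is 10.0.0.0/8
        return True, f"{value!r}: host bits set; normalized network is {canonical}"
    return True, f"{value!r}: ok"


def is_exempt(dest_ip: str, entries: list[str]) -> bool:
    """True if dest_ip falls inside any well-formed entry.

    Assumption (hypothetical, mirrors the thread's reports): entries without a
    mask are ignored, so a bare 8.8.8.8 exempts nothing.
    """
    addr = ipaddress.ip_address(dest_ip)
    for entry in entries:
        ok, _ = check_exception_entry(entry)
        if not ok:
            continue
        if addr in ipaddress.ip_network(entry.strip(), strict=False):
            return True
    return False


# Constructed sample list: one bad entry (no mask), two good ones.
SAMPLE_ENTRIES = ["8.8.8.8", "8.8.4.4/32", "10.0.0.0/8"]

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(check_exception_entry(e)[1])
    print("8.8.8.8 exempt:", is_exempt("8.8.8.8", SAMPLE_ENTRIES))
    print("10.20.30.40 exempt:", is_exempt("10.20.30.40", SAMPLE_ENTRIES))
```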
11-19-2019 08:34 AM
For anyone following, or who finds this in the future, here's the latest from TAC:
Seems like the issue with the enforcer exception list will be fixed in 8.1.14 and 9.0.8. There are no release dates for these firmware versions yet, so it might be a while.
11-19-2019 08:37 AM
@RichColeman wrote:
Value must contain the mask, i.e. 8.8.8.8/32 or 10.0.0.0/8.
Thanks for the tip, Rich. We'll give this a try.
11-20-2019 01:53 AM
I've had confirmation from TAC that this option also "currently" only works with GP client version 5.1.0 (which is in beta). My portal is running 8.1.4, and as soon as I upgraded to 5.1.0 the option (after configuring) worked.
I think there's a disconnect; I will assume the fix will remove the need for the client to be on an unreleased version.
11-20-2019 03:35 AM
Thanks for updating with this information.
11-20-2019 06:22 AM
Oh, great find! Maybe I'll try this out w/ the beta client.
11-25-2019 12:16 AM
Turns out there are a number of features running in 8.1 which aren't available until you're running client version 5.1. It would be handy if Palo documented them.
I've reached out to my TAM and requested this info; once I have it I'll post it on here.
11-26-2019 11:35 AM
I have confirmed that the exception list works when using GlobalProtect agent 5.1 beta in accordance with information in the release notes, and the info from @cyurekli. With a little experimenting, I was able to determine the following details, which I'm sharing since documentation is still scant:
As a reminder, my TAC engineer also had this to say:
Seems like the issue with the enforcer exception list will be fixed in 8.1.14 and 9.0.8. There are no release dates for these firmware versions yet, so it might be a while.
Thank you all for the help!