Allow traffic to specified hosts/networks when Enforce GlobalProtect for Network Access Enabled

L7 Applicator

Thanks for updating with this information.

L4 Transporter

Oh, great find!  Maybe I'll try this out w/ the beta client.

L0 Member

This feature will be supported with GP Agent 5.1.0. The existing agent does not support this option.

L2 Linker

Turns out there are a number of features in 8.1 which aren't available until you're running client version 5.1. It would be handy if Palo documented them.

I've reached out to my TAM and requested this info; once I have it I'll post it here.

L4 Transporter

I have confirmed that the exception list works when using GlobalProtect agent 5.1 beta in accordance with information in the release notes, and the info from @cyurekli. With a little experimenting, I was able to determine the following details, which I'm sharing since documentation is still scant:


  • A single address in the exception list can be entered with no subnet mask (e.g. 192.168.223.1)
  • Multiple addresses must be entered with a mask (thanks @RichColeman), and separated by a comma (e.g. 192.168.223.1/32,10.0.0.1/32)
  • Once the GP client connects to the gateway, access to the exception list addresses no longer applies

As a reminder, my TAC engineer also had this to say:
Seems like the issue with the enforcer exception list will be fixed in 8.1.14 and 9.0.8. There are no release dates for these firmware versions yet, so it might be a while.

Thank you all for the help!


L4 Transporter

I tried using 0.0.0.0/0 to see if I could just get the notification when disconnected but not block user traffic, but it was still blocked. Any ideas?

L0 Member

0.0.0.0/0 is too large and it is the opposite of GP enforcement. I would expect that 0.0.0.0/0 is ignored. Can you try with a smaller subnet?
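The entry-format rules worked out above (a single address may omit its mask; several addresses must each carry a mask and be comma-separated) and the observation that 0.0.0.0/0 defeats the purpose of enforcement can be turned into a pre-flight check run on the string before it is pasted into the portal config. The following validator is an added example written for this thread, not Palo Alto code and not a guarantee of how the agent itself parses the field; it assumes the rules exactly as reported in the posts above, and the sample strings it checks are constructed for illustration.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample values for the exception-list field (not taken from any real config).
SAMPLE_VALUES = {
    "single_no_mask": "192.168.223.1",
    "multiple_with_masks": "192.168.223.1/32,10.0.0.1/32",
    "multiple_missing_mask": "192.168.223.1,10.0.0.1/32",
    "catch_all": "0.0.0.0/0",
    "garbage": "10.0.0.1/abc",
}


def parse_exception_list(value: str) -> Tuple[List[ipaddress.IPv4Network], List[str]]:
    """Parse an exception-list string and return (networks, problems).

    Rules, as observed in the thread (assumed, not vendor-documented):
      * a single entry may omit the mask and is treated as a /32 host
      * with two or more entries, every entry must carry a mask,
        and entries are separated by commas
    Extra check: an entry with prefix length 0 (0.0.0.0/0) admits all
    traffic while disconnected, which is the opposite of enforcement,
    so it is reported as a problem rather than silently accepted.
    """
    problems: List[str] = []
    networks: List[ipaddress.IPv4Network] = []

    entries = [e.strip() for e in value.split(",") if e.strip()]
    if not entries:
        return [], ["empty exception list"]

    multiple = len(entries) > 1
    for entry in entries:
        if "/" in entry:
            to_parse = entry
        else:
            if multiple:
                problems.append(f"{entry}: mask required when more than one entry is listed")
            to_parse = entry + "/32"  # single bare address means one host
        try:
            # strict=False tolerates host bits set in a non-/32 prefix
            net = ipaddress.IPv4Network(to_parse, strict=False)
        except ValueError as exc:
            problems.append(f"{entry}: not a valid IPv4 address/network ({exc})")
            continue
        if net.prefixlen == 0:
            problems.append(f"{entry}: covers every address and defeats enforcement")
        networks.append(net)
    return networks, problems


def is_valid_exception_list(value: str) -> bool:
    """True when the string follows the observed rules and is not a catch-all."""
    return not parse_exception_list(value)[1]


def reachable_while_disconnected(value: str, host: str) -> bool:
    """Would `host` be reachable with the tunnel down, given this exception list?

    Ignores invalid entries; the thread notes the list only applies while
    the client is NOT connected to the gateway.
    """
    networks, _ = parse_exception_list(value)
    addr = ipaddress.IPv4Address(host)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    for name, value in SAMPLE_VALUES.items():
        nets, probs = parse_exception_list(value)
        print(f"{name:22s} {value!r:40s} ok={not probs} nets={[str(n) for n in nets]}")
        for p in probs:
            print("    -", p)
```

Run it before committing the portal setting: a list that passes `is_valid_exception_list` matches the format the posters found to work with agent 5.1, and `reachable_while_disconnected` answers the practical question of whether a given host (an on-prem DNS or update server, say) is covered by the exception while the tunnel is down.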

L4 Transporter

@mdensley I'm not sure exactly what you're trying to accomplish. Could you elaborate?

If you don't actually want to enforce GP for network access, I'd disable that option in your portal config. The "Allow traffic to specified hosts/networks when Enforce GlobalProtect Connection for Network Access and GlobalProtect Connection is not established" option is really intended for making limited exceptions when you want to lock down all network access if your user isn't on VPN. If your main goal is just to notify users when they've lost their VPN connection due to a poor network connection, for example, I'd suggest a different approach. You might want to start with enabling cookies on your portal/gateway, which allow the user to reconnect within a specified amount of time (whatever makes sense with your security/operational requirements) without re-authenticating. Then, use the "Automatic Restoration of VPN Connection Timeout (min)" and the "Wait Time Between VPN Connection Restore Attempts (sec)" settings to enable GlobalProtect to automatically try to reconnect if it briefly loses connection. This is seamless to your end user, and requires no prompt or interaction. If you want the VPN to generally be connected for the user all the time, but not "enforced" for network access, then you can set the "Connect Method" to User-Logon (Always On).

L4 Transporter

Thanks. Yeah, we've done that and the situation improved. But we are still seeing occasional P-Access disconnects forcing the user to manually reconnect. Our connect method isn't user-logon, but intended to be on-demand. The essential goal is to keep the tunnel up until the user disconnects. If the tunnel drops and doesn't return within 90s, we want to notify the user the tunnel is down. We display the icon on the toolbar, but that's not enough notification. If this isn't possible with GP today, I'll submit a feature request.

L4 Transporter

I think the closest you will get is doing the cookies with the auto-reconnect option. I believe this should still work just fine. It's not going to do quite what you want in terms of a specific message, but it should still pop up the GP window from the system tray as it tries to reestablish the connection. Beyond that, you might be right to go the feature request route.
