Turns out there are a number of features running in 8.1 which aren't available until you're running client version 5.1. It would be handy if Palo documented them.
I've reached out to my TAM and requested this info; once I have it, I'll post it on here.
I have confirmed that the exception list works when using GlobalProtect agent 5.1 beta in accordance with information in the release notes, and the info from @cyurekli. With a little experimenting, I was able to determine the following details, which I'm sharing since documentation is still scant:
As a reminder, my TAC engineer also had this to say:
Seems like the issue with the enforcer exception list will be fixed in 8.1.14 and 9.0.8. There are no release dates for these firmware versions yet, so it might be a while.
Thank you all for the help!
@mdensley I'm not sure exactly what you're trying to accomplish. Could you elaborate?
If you don't actually want to enforce GP for network access, I'd disable that option in your portal config. The "Allow traffic to specified hosts/networks when Enforce GlobalProtect Connection for Network Access and GlobalProtect Connection is not established" option is really intended for making limited exceptions when you want to lock down all network access if your user isn't on VPN. If your main goal is just to notify users when they've lost their VPN connection due to a poor network connection, for example, I'd suggest a different approach. You might want to start with enabling cookies on your portal/gateway, which allow the user to reconnect within a specified amount of time (whatever makes sense with your security/operational requirements) without re-authenticating. Then, use the "Automatic Restoration of VPN Connection Timeout (min)" and the "Wait Time Between VPN Connection Restore Attempts (sec)" settings to enable GlobalProtect to automatically try to reconnect if it briefly loses connection. This is seamless to your end user, and requires no prompt or interaction. If you want the VPN to generally be connected for the user all the time, but not "enforced" for network access, then you can set the "Connect Method" to User-Logon (Always On).
Thanks, yeah, we've done that and the situation improved. But we are still seeing occasional P-Access disconnects forcing the user to manually reconnect. Our connect method isn't User-Logon, but intended to be On-Demand. The essential goal is to keep the tunnel up until the user disconnects. If the tunnel drops and doesn't return within 90s, we want to notify the user the tunnel is down. We display the icon on the toolbar, but that's not enough notification. If this isn't possible with GP today, I'll submit a feature request.
I think the closest you will get is doing the cookies with the auto-reconnect option. I believe this should still work just fine. It’s not going to do quite what you want in terms of a specific message, but it should still pop up the GP window from the system tray as it tries to reestablish the connection. Beyond that, you might be right to go the feature request route.