Allow traffic to specified hosts/networks when Enforce GlobalProtect for Network Access Enabled

L4 Transporter

We've been troubleshooting some issues encountered when using the "Enforce GlobalProtect Connection for Network Access" option in our portal agent configuration.  Our TAC engineer mentioned that he had seen a setting called "Allow traffic to specified hosts/networks when Enforce GlobalProtect Connection for Network Access is enabled and GlobalProtect Connection is not established" in 8.1, but didn't see it in 9.0.  (The setting should allow certain hosts to be exempted from the enforced use of GP.)  However, today I noticed it in the portal config for the first time (we just updated to 9.0.4 last week).  I tried putting in an IP address for the parameter value, and also using the whole subnet w/ mask.  However, it didn't work to allow access to those hosts.

I can't seem to find documentation for this parameter anywhere!  I've looked in the offline help in Panorama, v 8.1 and v 9.0 GlobalProtect administrator's guide, searching on this forum, and searching Google in general.  The TAC engineer didn't even have documentation for this.  Does anyone know the syntax, or how to get it to work?


Accepted Solutions
L2 Linker

value must contain the mask i.e 8.8.8.8/32 or 10.0.0.0/8
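To see what the accepted answer's rule means in practice, here is a small offline checker that applies it to a candidate exception list before the list is committed. This is an added example written for this thread, not Palo Alto Networks code: it only enforces the string format (each value must carry a mask, e.g. 8.8.8.8/32 or 10.0.0.0/8), flags a bare address or a prefix with host bits set, suggests the canonical form, and tells you which hosts would fall inside the list. It cannot tell whether the firewall accepts an entry or whether the installed agent honours it (the thread notes that agent 5.1.0 is needed for that). The sample entries are constructed.

```python
"""Check GlobalProtect enforcer exception-list entries before committing them.

Added example for this thread, not Palo Alto Networks code. It mirrors the
accepted answer's rule (every value must carry a mask, e.g. 8.8.8.8/32 or
10.0.0.0/8) and cannot tell whether the firewall or a given agent build will
honour an entry; it only catches malformed values offline.
"""
import ipaddress
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def validate_entries(entries: List[str]) -> Tuple[List[Network], List[Tuple[str, str]]]:
    """Return (accepted networks, [(raw entry, reason)] for rejected ones).

    Rejects a bare address with no '/mask' (the form the original poster
    tried, which did not work) and a prefix whose host bits are set, which
    strict parsing treats as ambiguous (the host, or the whole network?).
    """
    accepted: List[Network] = []
    rejected: List[Tuple[str, str]] = []
    for raw in entries:
        entry = raw.strip()
        if "/" not in entry:
            rejected.append((raw, "missing /mask; use /32 (or /128) for a single host"))
            continue
        try:
            accepted.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            rejected.append((raw, str(exc)))
    return accepted, rejected


def suggest_fix(raw: str) -> str:
    """Canonical form of an entry: a bare host gets /32 or /128, and a prefix
    with host bits set is collapsed to its network address."""
    return str(ipaddress.ip_network(raw.strip(), strict=False))


def is_exempt(host: str, networks: List[Network]) -> bool:
    """True if `host` falls in at least one accepted network, i.e. would be
    reachable with the tunnel down. An address-family mismatch is simply False."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in networks)


# Constructed sample list: two good entries, the OP's bare IP, a sloppy prefix,
# and an IPv6 entry with stray whitespace as it might be pasted from a ticket.
SAMPLE_ENTRIES = [
    "8.8.8.8/32",
    "10.0.0.0/8",
    "192.168.1.50",
    "172.16.5.9/16",
    " 2001:db8::/32 ",
]

if __name__ == "__main__":
    ok, bad = validate_entries(SAMPLE_ENTRIES)
    for net in ok:
        print(f"accepted: {net}")
    for raw, why in bad:
        print(f"rejected: {raw!r}: {why}; try {suggest_fix(raw)}")
    for host in ("8.8.8.8", "8.8.4.4", "10.20.30.40"):
        print(f"{host} exempt: {is_exempt(host, ok)}")
```

Run it against the list you intend to paste into the portal config; anything it rejects is a value the thread's experience suggests the agent will silently ignore, and since the field could not be blanked once set on the affected releases, it is worth getting right the first time.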

L0 Member

This feature will be supported with GP Agent 5.1.0. The existing agent does not support this option.
All Replies
Cyber Elite

Hello there,

So I am trying to work out and understand the issue.

I see the option for Enforce GlobalProtect Connection for Network Access, and it is a yes or no.

Yes means that NO network traffic can pass without the machine being connected via GP.

I, too, looked at the 8.1 GP admin guide and do not see an exception to the Enforce GlobalProtect Connection setting.

So perhaps the TAC engineer was incorrect in his memory.

For now, I would create a configuration that specifically excludes that particular computer from needing to connect.

Will this help?

L4 Transporter

Steve, we are excluding this setting across the board right now, because we unfortunately have a large number of machines which would need an exception.  We're still doing Always On mode, and the login dialog box is pretty "in your face" annoying until you sign in, which should help encourage users to authenticate.

Here's a screenshot of the parameter.  Want to know the dumber thing?  Once you've set a value, you can't change it back to blank!  The window won't let you save it anymore!  My case engineer escalated it a week ago, and still has no idea how to configure it.  It seems to be some half-baked "feature" that does nothing at this point.

[Attached screenshots of the Panorama portal config parameter: 2019-10-30 22_08_52-PanoramaPWk01.png, 2019-10-30 22_12_02-PanoramaPWk01.png]

L3 Networker

@OwenFuller Welp, you weren't lying.  I set that up on my test Palo and was unable to change it back to blank.  Well, I was, but only because I saved a snapshot first.  Otherwise I got the same error.

Looks like a bug that needs to be fixed.

L4 Transporter

@Shawverr wrote:
Looks like a bug that needs to be fixed.

Well, once TAC acknowledges that the "feature" even exists, then maybe we can get a bugfix submitted!

L3 Networker

@OwenFuller LOL!!!!  That's why I decided to post, not because I could help, but I could at least confirm the issue.  Hopefully that helps.

L4 Transporter

For anyone following, or who finds this in the future, here's the latest from TAC:

Seems like the issue with the enforcer exception list will be fixed in 8.1.14 and 9.0.8. There are no release dates for these firmware versions yet, so it might be a while.
L4 Transporter

@RichColeman wrote:
value must contain the mask i.e 8.8.8.8/32 or 10.0.0.0/8

Thanks for the tip, Rich.  We'll give this a try.

L2 Linker

I've had confirmation from TAC that this option also "currently" only works with GP client version 5.1.0 (which is in beta). My portal is running 8.1.4, and as soon as I upgraded to 5.1.0 the option (after configuring) worked.

I think there's a disconnect; I will assume the fix will remove the need for the client to be on an unreleased version.
