10-16-2019 02:15 PM
We've been troubleshooting some issues encountered when using the "Enforce GlobalProtect Connection for Network Access" option in our portal agent configuration. Our TAC engineer mentioned that he had seen a setting called "Allow traffic to specified hosts/networks when Enforce GlobalProtect Connection for Network Access is enabled and GlobalProtect Connection is not established" in 8.1, but didn't see it in 9.0. (The setting should allow certain hosts to be exempted from the enforced use of GP.) However, today I noticed it in the portal config for the first time (we just updated to 9.0.4 last week). I tried putting in an IP address for the parameter value, and also using the whole subnet w/ mask. However, it didn't work to allow access to those hosts.
I can't seem to find documentation for this parameter anywhere! I've looked in the offline help in Panorama, v 8.1 and v 9.0 GlobalProtect administrator's guide, searching on this forum, and searching Google in general. The TAC engineer didn't even have documentation for this. Does anyone know the syntax, or how to get it to work?
05-13-2020 10:27 AM
0.0.0.0/0 is too large and it is the opposite of GP enforcement. I would expect that 0.0.0.0/0 is ignored. Can you try with a smaller subnet?
05-14-2020 07:50 AM
@mdensley I'm not sure exactly what you're trying to accomplish. Could you elaborate?
If you don't actually want to enforce GP for network access, I'd disable that option in your portal config. The "Allow traffic to specified hosts/networks when Enforce GlobalProtect Connection for Network Access and GlobalProtect Connection is not established" is really intended for making limited exceptions when you want to lock down all network access if your user isn't on VPN. If your main goal is just to notify users when they've lost their VPN connection due to a poor network connection, for example, I'd suggest a different approach. You might want to start with enabling cookies on your portal/gateway, which allow the user to reconnect within a specified amount of time (whatever makes sense with your security/operational requirements) without re-authenticating. Then, use the "Automatic Restoration of VPN Connection Timeout (min)" and the "Wait Time Between VPN Connection Restore Attempts (sec)" settings to enable GlobalProtect to automatically try to reconnect if it briefly loses connection. This is seamless to your end user, and requires no prompt or interaction. If you want the VPN to generally be connected for the user all the time, but not "enforced" for network access, then you can set the "Connect Method" to User-Logon (Always On).
06-02-2020 03:55 PM
I think the closest you will get is doing the cookies with the auto-reconnect option. I believe this should still work just fine. It’s not going to do quite what you want in terms of a specific message, but it should still pop up the GP window from the system tray as it tries to reestablish the connection. Beyond that, you might be right to go the feature request route.
07-01-2020 11:16 AM
If you fill in the FQDN area and then delete the value, the firewall will complain too. Seems like either one of these fields, once completed, is enough to make you have to trash your Agent config for that entry, or force you to enter a value in it. This should be fixed.
05-13-2021 07:52 AM
This issue still exists with GP Agent 5.1.x.
12-07-2021 06:59 PM
The issue (error when reverting back to empty value) still exists in GP app version 5.2.8-23.