Always on Global Protect


Cyber Elite

Hello All,

Looking to get advice on this topic. The idea is to have the users connect via a VPN tunnel regardless of their location, internal LAN or working from home, etc. I need to make it easy on the users so it's not a burden, e.g. having to authenticate to the VPN after logging into their workstations with similar creds.

I'm thinking of something like username, password, and MFA token for external and just MFA token for internal.

What have you done and what has worked well without too much burden onto the end user?


Cheers!


Cyber Elite

@OtakarKlier,

These machines are all managed right, nothing BYOD (or at least if it's BYOD it's enrolled)? If they're all managed and you have an internal PKI I would just use certificates for authentication. It's the easiest way from an end-user aspect because they don't have to do anything special from a machine aspect, just sign in like they do normally and the certificates will take care of everything else. 

Cyber Elite

Hello,

Yeah, I have been thinking about certificates; however, they can be exported and used on a non-corp machine. Guess we can use posture validation to verify. Yes, this will be only corp-owned machines, no BYOD.


Just seeing what else others have done.


Regards,

@OtakarKlier,

Depending on how you generate them and import them if need be, you can make them non-exportable to prevent that. Either way I would still recommend using HIP checks to verify that it's actually an issued endpoint. I always try to make our "Issued Device" profile as detailed as possible. Is it joined to the proper domain, does it have the proper EDR tool installed, does it have any custom applications we install, etc. 

You won't ever get to the point where someone with the proper permissions couldn't generate a valid certificate, install the proper applications, and join it to your domain. We've taken the mindset that if you make it pass all of our security checks and have the permission to actually install everything, generate the certificates, join it to the domain, and get everything setup properly you likely wouldn't risk your job to do so. 
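The "Issued Device" posture idea from the reply above, as an added illustration (not GlobalProtect's HIP engine or its report format): a small evaluator that fails closed on every check the reply lists, domain membership, the EDR tool, and the org's custom applications. The report dicts, profile fields and product names are constructed for the example.

```python
"""Posture ("Issued Device") evaluation modelled on the HIP-check idea in the thread.

Added example: the report dicts are constructed and the profile keys are
assumptions, not the real GlobalProtect HIP report schema.
"""
from dataclasses import dataclass, field


@dataclass
class IssuedDeviceProfile:
    domain: str                                      # machine must be joined here
    edr_product: str                                 # required EDR / endpoint tool
    required_apps: set = field(default_factory=set)  # custom in-house apps we install


def evaluate_issued_device(report: dict, profile: IssuedDeviceProfile) -> list:
    """Return the names of failed checks; an empty list means the endpoint
    matches the profile. A missing field counts as a failure (fail closed)."""
    failures = []
    # 1. Domain join: a cert copied to a workgroup machine fails here
    if report.get("domain", "").lower() != profile.domain.lower():
        failures.append("domain")
    # 2. EDR must be the expected product AND have real-time protection on
    edr = report.get("edr") or {}
    if edr.get("product") != profile.edr_product or not edr.get("realtime", False):
        failures.append("edr")
    # 3. Every custom application the org deploys must be present
    missing = profile.required_apps - set(report.get("apps", []))
    if missing:
        failures.append("apps:" + ",".join(sorted(missing)))
    return failures


# Constructed profile and sample reports (not real HIP data)
CORP = IssuedDeviceProfile("corp.example", "ExampleEDR", {"corp-inventory-agent"})
MANAGED_LAPTOP = {"domain": "CORP.EXAMPLE",
                  "edr": {"product": "ExampleEDR", "realtime": True},
                  "apps": ["corp-inventory-agent", "Office"]}
CERT_ONLY_CLONE = {"domain": "WORKGROUP",
                   "edr": {"product": "ExampleEDR", "realtime": False},
                   "apps": []}

if __name__ == "__main__":
    for name, rep in (("managed laptop", MANAGED_LAPTOP),
                      ("cert-only clone", CERT_ONLY_CLONE)):
        print(name, "->", evaluate_issued_device(rep, CORP) or "passes")
```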
