Global Protect VPN auto connect

L0 Member

Hi guys,

 

I don't know exactly whether I should post my case here or in some other location, so sorry in advance. My question is as follows:

I use the GP client in a Windows environment and I would like to find a solution for "auto connect or auto logon" in the GP client. How can I do this? Thank you in advance.

5 REPLIES

Cyber Elite

@kn0p2021,

What you are looking for is called an Always-On configuration with GlobalProtect.

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-quick-configs/...

Hello, the referenced article does not help. It seems to refer to an admin mode of some sort or to a different application than the GlobalProtect client our company is using (version 5.2.110-10). When I go to settings, I do not see any of the menu items described in the article.

 

That said, I would like to have the VPN client auto-connect to our corporate network, as is requested by the original post. Is there a way to do this without admin privileges? On the client-side only?

L6 Presenter

The article is the admin setup of Always-On in the Global Protect VPN Portal configuration. Always-On is an admin-enforced property (pushed to the GP clients along with a lot of other settings) that forces the client to always try to connect to the VPN when starting up and does not allow the client to send traffic outside of the VPN.

 

There are separate admin settings for whether the GP client can save VPN login credentials for reuse or use a Windows/etc. single sign-on. All of these are set by the administrator. The GP client cannot change or modify the settings sent by the Portal; you can only choose which Portal to connect to. (If your admin wants, they could set up different Portals/different user groups with different login settings for you.)

L0 Member

Thank you for your quick reply! So, it appears that the answer to the original question of how to enable the GP client to auto-connect (to a portal) is that it is not possible to do this from the client unless it is enabled by an administrator on the server-side and fully controlled in that manner. Having to do this manually every time I restart the computer is unfortunate. Other VPN clients I have used allow this sort of setting. Some also allow auto-connect based on the current local network (e.g. Home office vs. corporate office network).

 

Again, thanks for the clear reply.

L6 Presenter

Yes, the administrator can set one of 4 methods for the GP client to connect:

  1. Always-On, User-logon - The VPN client is always enforced and traffic is only allowed when connected to the VPN (the admin can bypass certain sites/applications from the requirement). The user is prompted to log in immediately.
  2. Always-On, Pre-login - The VPN client is always enforced. The client automatically connects with a machine certificate or stored credential without user interaction. But this also means there is no user information about who logged into the PC.
  3. On-demand - The user initiates the VPN connection manually when connecting to a required resource, local/internet may/may not be blocked before connecting, depending on options.
  4. Pre-login then On-demand - The VPN client automatically connects with a machine certificate to allow remote user authentication/management/etc. But then disconnects when the user successfully logs into the PC. The user can manually reconnect the VPN if needed.

Additionally, when using Always-On modes the client can be configured to auto-detect an internal network and automatically disable blocking (i.e. it goes to "Connected Internal" mode and passes traffic without a VPN Gateway). All these options are up to the administrator; the clients have no permission to choose the mode or security enforcement options. Normally it is set up as #1 or #3; sounds like you have been set up as the latter.
