couple of questions relevant to global protection feature

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

couple of questions relevant to global protection feature

L3 Networker

Hello all.

I have a couple of questions about Global Protection feature.

1. If I configured Global Protection for external users, is it possible to block for network access for specific user who doesn't has latest patch or latest anti-virus?

2. if it is possible, can i configure redirection to warning msg for those specific user?

3. Does global protection must connect with SSL VPN?? Is it impossible without SS LVPN Connection?

4. if it is possible to apply global protection without SSL VPN, I’d like to apply to internal users of firewall.

5. If I configured Global Protection, is it able to apply for internal users of firewall (paloalto L3 mode) without SSL VPN Connection?

Thanks,

Eugene.

3 REPLIES 3

L4 Transporter

Hi Eugene,

Answers as below:

1. If I configured Global Protection for external users, is it possible to block for network access for specific user who doesn't has latest patch or latest anti-virus?

Global Protect is not NAC solution. You can control what access users can have when the traffic pass through the firewall, but not before it passess through the firewall.

2. if it is possible, can i configure redirection to warning msg for those specific user?

No. But youcan have some message from the agent.

3. Does global protection must connect with SSL VPN?? Is it impossible without SS LVPN Connection?

Yes.

4. if it is possible to apply global protection without SSL VPN, I’d like to apply to internal users of firewall.

Yes

5. If I configured Global Protection, is it able to apply for internal users of firewall (paloalto L3 mode) without SSL VPN Connection?

Yes

L3 Networker

While the Global Protect config guide will help you with your initial setup, it will not be your final solution.  There are many things that are missing in the guide.

L3 Networker

I have done extensive setup and testing for GP in my environment.  I have answered your questions below, per my experience and testing.

1. If I configured Global  Protection for external users, is it possible to block for network  access for specific user who doesn't has latest patch or latest  anti-virus?

-Yes.  I just want to clarify though, when you say 'external users' do u mean members of your domain but connecting externally?  If yes, then create a HIP Profile with objects defined with the match that you want.  You then need to apply that HIP profile to a security policy to 'deny' access to http and https, if you want to block them from surfing. Creating the HIP is tricky though for a Deny Policy, make sure that you configure it the way you want it to be configed.  I.E. the Virus definition timeframe. I would suggest configuring the product version rather than the virus definition timeframe, this provides a little more of a solid check.

2. if it is possible, can i configure redirection to warning msg for those specific user?

- Kind of.  If you have a user that receives a HIP message stating that they are not compliant, you can have the message say anything you want.  For instance, if I have a user in my environment that is not compliant, the message says "Your client is not compliant because "enter reason here".  Please contect your systems administrator for assistance."  This will allow you to know what is wrong and why they are not able to connect to resources.  But test to ensure that the HIP is setup exactly how you want to save headache from people calling you all the time to fix it.  Furthermore, there needs to be a deny rule in place to not allow them access to resources if they are not compliant. 

For instance:

In my environment...currently we only want clients that are part of our domain to have access to resources whether they access through the internal or external gateway.  This is so any Joe Schmo laptop cannot come inside and access our network.  Or if a client that is not part of our domain tries to access through the external gateway they are denied access to everything.  So we have a HIP profile in place that checks if they are or are not part of our domain.  If they are part, they are 'allowed' access, if they are not part of our domain they are 'denied'.  When the deny rule is matched, the client cannot surf the internet or have access to internal resources. 


3. Does global protection must connect with SSL VPN?? Is it impossible without SS LVPN Connection?

-Yes.  Absolutlely!  We run GP all the time with single sign on without VPN. 

4. if it is possible to apply global protection without SSL VPN, I’d like to apply to internal users of firewall.


-Yes.  We do this also.  You just have to configure an internal gateway and an external gateway.  Keep in mind that GP will always try to connect to the internal gateway first after it authenticates through the portal.  But, in my opinion, best practice to to just configure 2 serperate gateways...internal and external.  Make sure that the internal gateway has an internal IP address.

5.  If I configured Global Protection, is it able to apply for internal  users of firewall (paloalto L3 mode) without SSL VPN Connection?


-Yes. See answer to #4.

Side notes.  Make sure that you test all angles of global protect before implementing.  It works great once everything is configured properly.  And in my testing and config, it takes some time to learn everything that needs to be done to ensure that it works right.

  • 2548 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!