Disabling GP client but where are the logs kept?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Disabling GP client but where are the logs kept?

L4 Transporter

Does anyone know if anything is logged on the firewall side when someone disables the GP client? We require a password to be entered when the client is disabled but I am not finding anything in the system logs that can be related to the event. 

 

Obviously we dont want to allow users to just bypass all fo the security provided by the firewall by disabling the client on a corporate device but it is causing quite an uproar with the high salaried individuals that they cannot disable the client.

 

Closest thing I can find is event globalprotectgateway-agent-msg containing Override(s) = 1 or = 2 but not sure if that is it because in a test I didnt see one of these entries for a user that disabled the client while I was watching the log

1 accepted solution

Accepted Solutions

yes, above the default...

 

logging will be local to device... (if any)

 

i agree with you re security but if I do as I'm told then as far as I'm concerned my ass is coverd...

 

have you looked at the option of allow user to disable with ticket...   it's not for me but may help with frequency of use...

 

also...   do you use HIP, if so then you could find the reg setting for client disabled and add a custom check.

 

 

BTW, our users are still limited to what they can do when disconnected. they are still unable to browse the internet. we just allow the disable option to allow local printing. It's better than allowing split tunneling...

View solution in original post

3 REPLIES 3

L7 Applicator

not sure what you are asking but i have a similar issue with a group of users that are allowed to disconnect VPN.

 

I simply placed them in an AD group "Disable-GP" and now they get a different config to the default users.

 

no password needed really...

Thanks @Mick_Ball I thought about doing this. If I add a new config (gateway->Agent->Client settings->Add) I assume I just need to have the "exception" config above the "everyone else" config since all users will be in the regular VPN group but only a few would be in the disable exception group..

 

Honestly I feel so wrong allowing this at all, but sometimes security has no teeth when it comes to what the C or VP level wants 😕

 

We would still like to be able to report on who/how often/when someone disables the client but I am not sure that is possible at this time

yes, above the default...

 

logging will be local to device... (if any)

 

i agree with you re security but if I do as I'm told then as far as I'm concerned my ass is coverd...

 

have you looked at the option of allow user to disable with ticket...   it's not for me but may help with frequency of use...

 

also...   do you use HIP, if so then you could find the reg setting for client disabled and add a custom check.

 

 

BTW, our users are still limited to what they can do when disconnected. they are still unable to browse the internet. we just allow the disable option to allow local printing. It's better than allowing split tunneling...

  • 1 accepted solution
  • 2510 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!