04-18-2018 04:20 PM - edited 04-18-2018 04:22 PM
Does anyone know if anything is logged on the firewall side when someone disables the GP client? We require a password to be entered when the client is disabled but I am not finding anything in the system logs that can be related to the event.
Obviously we don't want to allow users to just bypass all of the security provided by the firewall by disabling the client on a corporate device, but it is causing quite an uproar with the high salaried individuals that they cannot disable the client.
Closest thing I can find is event globalprotectgateway-agent-msg containing Override(s) = 1 or = 2, but not sure if that is it because in a test I didn't see one of these entries for a user that disabled the client while I was watching the log.
04-19-2018 07:15 AM
Not sure what you are asking, but I have a similar issue with a group of users that are allowed to disconnect VPN.
I simply placed them in an AD group "Disable-GP" and now they get a different config to the default users.
no password needed really...
04-19-2018 08:00 AM - edited 04-19-2018 08:00 AM
Thanks @Mick_Ball, I thought about doing this. If I add a new config (gateway->Agent->Client settings->Add) I assume I just need to have the "exception" config above the "everyone else" config, since all users will be in the regular VPN group but only a few would be in the disable exception group.
Honestly I feel so wrong allowing this at all, but sometimes security has no teeth when it comes to what the C or VP level wants 😕
We would still like to be able to report on who/how often/when someone disables the client, but I am not sure that is possible at this time.
04-19-2018 08:13 AM
yes, above the default...
logging will be local to device... (if any)
I agree with you re security but if I do as I'm told then as far as I'm concerned my ass is covered...
have you looked at the option of allow user to disable with ticket... it's not for me but may help with frequency of use...
also... do you use HIP, if so then you could find the reg setting for client disabled and add a custom check.
BTW, our users are still limited to what they can do when disconnected. They are still unable to browse the internet. We just allow the disable option to allow local printing. It's better than allowing split tunneling...