Drive Mapping with Global protect

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Drive Mapping with Global protect

L2 Linker

Hi Community, 

 

I just needed to run a niggling issue with some of you as we are experienicing with our global protect. 

 

We have global protect to do pre-logon connection to the global protect gateway. Once the user is authenticated we except drives to be mapped. However, we are experiencing an intermitten random issue where sometimes all the drives are mapped fine, sometimes only some of them are mapped. We would like to improve the experience for global protect users. 

 

When the users are connecting during the logon process it is hard to identify the parts of the logs which are relevant only to the drive mapping. The mappings are to integrated DFS servers. 

 

Looking through the logs, once the user has logged in, there does still appear to be a number of connections with no user against them, I believe these connections to be left over from the pre-logon connection before the user logged in (I may just be misreading the logs)

 

 

On the user-id agent would you recommending enabling the client probing would this actually help? Is there any other suggestions on what we can do to improve this experience. 

 

Is delaying the way the drives are mapped should we delay the drive mapping process? Would this help and how can this be achieved?

 

Just putting this out there so we can get some ideas on this. Your help would be greatly appreciated. Please let me know if you need any further info. 

 

Thanks

11 REPLIES 11

L4 Transporter

Inzamam,

 

We do certificate based pre-logon authentication with Global protect.  We allow access to fileshares and Lync / Skype for Business in addition to Domain Controllers, DNS servers, SCCM and SCEP servers.  Not all of our users are allowed internal access but all would have internet access.  By allowing access to the infrastructure components during prelogon we have avoided as lot of user headaches.

 

Hope this helps,

 

Phil

How do you map your drives?

Are you using /persistent parameter?

Like:

net use z: \\server\share /persistent:yes

 

In this case share is persistent and will be visible even before network is connected but has red X on top of it.

When connection comes up then user can just click on it under My Computer and access network share.

 

For example if you use Home drive option under user object in AD then connection has to be up before user logs in (or drive will not be mapped).

With script above you can bypass this issue.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Thank you both for replying.

 

This is for one of our customers so I'm not sure how the drives are being mapped. This was handed down to me.

 

Could you clarify the persistent parameter how is this configured and is there any documentation about this? Is this configured on the firewall ? The USER-ID agent or on the client PC. Sorry for asking these basic questions. I haven't come across this feature before so need the exact details.

There are definately some issues (actually it is behaviour by design of global protect) with the standard authentication / user mapping. Initially the client computer tries to map the drives long before the firewall sees which user it is. But there is a possibility to improve this with user-id-agents (if you are using an active directory). By reading the logs on the domain controller the user is identified almost right after he clicks on the logon-button. So then the firewall is able to get this information an is able to allow the drivemapping.

https://live.paloaltonetworks.com/t5/API-Articles/Using-Pre-Logon-the-secure-way/ta-p/56819

Just to clarify on this, if a site is identifying user-to-IP mappings for the whole site then would having a User ID for GP clients start affecting other users?

So basically, if we only included the VPN IP poorl ranges would this start affecting other users whose mapping is needed on the firewall?

net use is Windows command.

Just paste it into command prompt to see how it works.

 

https://technet.microsoft.com/en-us/library/bb490717.aspx

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Testing this initially the results were looking good, but we have seen instances where things are not quite right. Basically, we have seen that once passed the login screen, at the welcome screen it could take 10 mins plus to get past it. Any ideas on how to improve this ?

 

 The above issue was experienced after following the following link:

 

https://live.paloaltonetworks.com/t5/API-Articles/Using-Pre-Logon-the-secure-way/ta-p/56819

 

Just to make it clear on how the above issues mentioned in this post was experienced.

So does it now workes better as without the user id configuration? I think I remember that in our case these login issues where solved with that.
Anyway, now it could be between simply one missed port towards active directory and something specific in your environment.
What client os are you using?
What version of global protect do you have installed?
What frequency do you have configured on the user-id agent to read the AD logs?
What PAN-OS Version do you have currently running?
Do you have this long waiting time during login every time?

For testing purposes try to wait 1-2 minutes before you enter credentials and press the login button. Befor you log in make sure that you are connected to a network with internet access or even better check on the firewall if your computer is connected with the pre logon user. After thes steps log in. If the issue persists I would reccommend to check the logs for dropped sessions again.

Still does not work quite right yet as the few little niggles are still experienced. 

 

The persistent option is not being used, but old “KIX32" scripts, AD user home drive and AD group policy preferences to see if there is more consistent results using one method over another. The worst problem still expereinced is the "welcome" screen (after logon but before desktop) waiting for ages (this has been longer than 20 mins). Currently assuming a timeout value may be showing me these results not sure where though ?

 

I can generally say that the drive mapping is working better since the change. Although sometimes it could be as bad as it was. 

 

This has been tested with Windows 7 Pro OS. The version of GP is 2.3.4 of the global protect client. 

 

The USER-ID-AGENT Security log Monitor Frequency (sec). is currently 1. The firewall is running version 7.0.5.

 

The long wait does not happen everytime sometimes everything works, sometimes it could take 20 mins plus to get to the desktop and whether fast or slow to the desktop the drive mapping are still very intermitten.

 

We have tried waiting longer than 2 min before logging into the machine, but this is still as intermitten as when I login in as soon as I am able to.

 

We have changed the policy to allow everything from one IP address range to another, no rule restrictions on USER/HIPS etc, but even having this is causing the same intermitten issues. Whilst, I was testing when the rule was allowing everything I saw the "ANY" rule be skipped and a lower down rule be hit, which does not look right. As there be's no reason to skip the "ANY" rule.

 

Any futher ideas to get this working would be greatly appreciated? 

 

 

 

 

Is your any rule really ANY (src/dst zone, src/dst ip, src user, hip, no security profiles ...) or dou you have some filed specified with a value which could be the reason why the firewall is skipping this rule?

L7 Applicator

Did you make any progress with this problem?

Normally windows computer (depending on your setup) also try to contact printservers very eary in the loginprocess or also some IP addresses of microsoft. But also depending on your specific setup there could be also some more services which lead to this long logintime.

  • 13163 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!