This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

Enforce GlobalProtect Connection for Network Access not enforcing when GP disabled?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Enforce GlobalProtect Connection for Network Access not enforcing when GP disabled?

Go to solution
uvdes
L2 Linker

‎07-20-2018 03:26 PM - edited ‎07-20-2018 03:43 PM

Hi all!

 

I'm experimenting with enforcing GlobalProtect Connection for Network Access. When I enable that setting, and put myself in user-logon (always on) things work great, but if I then disable GP, I can still access the network.

 

I had a call with TAC and they said to make this work I needed to make sure I couldn't disable GP, so I set it up so I couldn't disable without a pass code. However, after the call I looked at the docs again which say about enforcing: "Select Yes to force all network traffic to traverse a GlobalProtect tunnel. Select No (default) if GlobalProtect is not required for network access and users can still access the internet even when GlobalProtect is disabled or disconnected. "

 

That documentation langauge makes me think I shouldn't be able to access the network at all without GP, even if I disable it. 

 

The firewalls are at 8.0.10 and I'm running 4.1.2-11 for the GP agent on Windows 10 64 pro.

 

Anyone running enforcing in production that can tell me if I should restart the conversation with TAC to see what is wrong, or if I really do need to remove the disable option?

 

The other question I have is with enforcing on, in user-logon mode, does the machine have any connectivity before the user logs in or is that blocked too?

 

Thank you!

 

2 ACCEPTED SOLUTIONS

Accepted Solutions

Go to solution
vsys_remo
Cyber Elite
Cyber Elite

‎07-21-2018 02:52 AM

Hi @uvdes

 

To force all traffic into the vpn tunnel you have do make sure that global protect cannot be disabled. When GP is disabled network access is possible. This wording in the documentation isn't correct (or there is a bug in the gp agent).

Regarding your other question: In always-on user-logon mode network access is possible until the user is logged in to the computer. To force connections over vpn even before successful logon you have to configure pre-logon mode.

 

Regards,

Remo

View solution in original post

Go to solution
MickBall
L7 Applicator

‎07-21-2018 03:41 AM

Yes it is a bit confusing, i would say that TAC is correct in what they are saying.

GP after all is a sevice that runs locally to perform all the tasks that you set in the agent.

if you disable the service then it cannot perform those tasks.

 

It does not actually state in the docs that when GP enforcement is enabled it prevents local traffic even if the user disables it.

 

i probably worded that incorrectly... which happens now and again as per this discussion...

 

i would be a bit dubious regarding not being able to control this with a last resort “Kill” option.

 

having said that, i dont use enforce option, causes too many issues with captive portal for our users.

View solution in original post

13 REPLIES 13

Go to solution
vsys_remo
Cyber Elite
Cyber Elite

‎07-21-2018 02:52 AM

Hi @uvdes

 

To force all traffic into the vpn tunnel you have do make sure that global protect cannot be disabled. When GP is disabled network access is possible. This wording in the documentation isn't correct (or there is a bug in the gp agent).

Regarding your other question: In always-on user-logon mode network access is possible until the user is logged in to the computer. To force connections over vpn even before successful logon you have to configure pre-logon mode.

 

Regards,

Remo

Go to solution
MickBall
L7 Applicator

‎07-21-2018 03:41 AM

Yes it is a bit confusing, i would say that TAC is correct in what they are saying.

GP after all is a sevice that runs locally to perform all the tasks that you set in the agent.

if you disable the service then it cannot perform those tasks.

 

It does not actually state in the docs that when GP enforcement is enabled it prevents local traffic even if the user disables it.

 

i probably worded that incorrectly... which happens now and again as per this discussion...

 

i would be a bit dubious regarding not being able to control this with a last resort “Kill” option.

 

having said that, i dont use enforce option, causes too many issues with captive portal for our users.

Go to solution
uvdes
L2 Linker
In response to MickBall

‎07-21-2018 09:19 AM

Thanks! I think the way we'll start is user-logon without the ability to disable (or needing to enter a comment or similar), but not do enforcement. That should get us most of the way to where we want to be. We're trying to get to a zero-trust environment with a laptop fleet. One way to do that is to make sure that when people are off-prem that GP is on and making them effectively on-prem. 

 

This may or may not work for us. For instance, I'm concerned about performance when people are travelling and on high latency connections, such as airplane wifi, or countries that are distant from our offices. 

 

I should take a closer look at global protect cloud services and see if that is a fit for the mobile users.

0 Likes Likes

Go to solution
MickBall
L7 Applicator
In response to uvdes

‎07-21-2018 11:25 AM

Yes we have ours set to user logon, and we do have a zero tolerance also.

we manage this 99.999% of the time with the use of proxy .pac, used it for years and never let us down.

if the vpn fails or if the user manages to disable it (unpreventable on IPads) then all traffic is forwarded to a non existent proxy..

not everybodys cup of tea but we used proxies over previous years for just about everything, the proxies have now gone but the pac file remains, 

 

 Im liking your idea that if your in a plane then as the clouds are just outside your window then the connection will be greater if you use PA cloud services...

only if...... eh...

 

Laters...

 

 

 

 

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks