Filter traffic from mobile devices



L2 Linker

Hi,

I was wondering if anyone has an idea on how to filter traffic coming from mobile devices. My scenario is that on our (open) guest wifi I would like to enable our users to do pretty much what they like from their mobile phones etc., but not let them have the same freedom just by undocking their laptops. Since we don't pre-authenticate them to our GlobalProtect Portal, I am aware that on any other network they are free to roam around as they please. Any ideas?

Thank you,

Mikael Gustafsson

12 REPLIES

L1 Bithead

If you have a portal license you will be able to use an internal gateway. You could do it this way:

Your corporate laptops have the GlobalProtect client installed, the internal gw is configured in the fw portal, internal host detection is enabled in the fw portal (the computer connects automatically to the internal gw IF the specific internal host is reachable), set the connection method in the fw portal to user-logon or pre-logon (the GlobalProtect agent will automatically establish a connection after users log in to their computers. If you select Use single sign-on, the username and password used to log in to Windows is captured by the GlobalProtect agent and used to authenticate.) or select pre-logon (allows the agent to authenticate and establish the VPN tunnel to the GlobalProtect gateway using a pre-installed machine certificate before the user has logged in to the machine).

With this method the corporate laptops (which have GP installed) check if an internal host is reachable (maybe the guest wifi interface address on the PAN fw?) and if so will establish an automagic VPN connection to the internal GP gateway with the user's login credentials. All the corporate laptops that connect to the guest wifi will connect to the internal GP gw and use the same sec policies as when they are connected at the office with a cable. IF they connect with their corporate laptops to another wifi or broadband, the laptop will not connect to the internal GP gateway (because the internal host is not detected).

...and if you want to secure even more you can force the users to always connect to GlobalProtect.

/Jonas

Thank you, I will try this. A bit complicated perhaps but I feel it will give me what I was asking for.

Best Regards,

Mikael

Hi again,

I was thinking a bit more on your solution, and doesn't it mean that they will automatically connect to the external portal when not on our network or wifi? Or can I add a new client config at the bottom of the list of configs (I have both split and full tunneling depending on AD group) with only an internal gateway configured (no external) and internal host check enabled?

Thanks,

Mikael

If you want, you can force the laptops to connect with GP both if they are inside (guest wifi) or outside the network (Internet). If you just want the laptops to auto-connect to the portal if they are connected to the guest wifi, you just add a new portal (new IP) with an internal IP and an internal host that must be reachable for the laptop to connect to the internal GP. So 1 portal with the external gw for Internet usage and 1 portal with the internal gw for wifi guest usage.

But that would require the end user to manually change the portal address in the client? Or maybe I could NAT them to the correct portal depending on the zone they connect from. I will try different methods to achieve this and find the best solution for our environment. Thanks for your input.
