Filter traffic from mobile devices


Filter traffic from mobile devices

L2 Linker

Hi,

I was wondering if anyone has an idea on how to filter traffic coming from mobile devices. My scenario is that on our (open) guest wifi I would like to enable our users to do pretty much what they like from their mobile phones etc. but not let them have the same freedom just by undocking their laptops. Since we don't pre-authenticate them to our Global Protect Portal I am aware that on any other network they are free to roam around as they please. Any ideas?

Thank you,

Mikael Gustafsson

1 ACCEPTED SOLUTION


L1 Bithead

If you have a portal license you will be able to use an internal gateway. You could do it this way:

Your corporate laptops have the Globalprotect client installed, internal gw is configured in the fw portal, internal host detection is enabled in the fw portal (the computer connects automatically to the internal gw IF the specific internal host is reachable), set connection method in the fw portal to user-logon or pre-logon (the GlobalProtect agent will automatically establish a connection after users log in to their computers. If you select Use single sign-on, the username and password used to log in to Windows is captured by the GlobalProtect agent and used to authenticate.) or select pre-logon (allows the agent to authenticate and establish the VPN tunnel to the GlobalProtect gateway using a pre-installed machine certificate before the user has logged in to the machine.)

With this method the corporate laptops (which have GP installed) check if an internal host is reachable (maybe the guest wifi interface address on Pan fw?) and if so it will establish an automagic vpn connection to the internal GP gateway with the user's login credentials. All the corporate laptops that connect to the guest wifi will connect to the internal GP gw and use the same sec policies as when they are connected at the office with a cable. IF they connect with their corporate laptops to another wifi or broadband the laptop will not connect to the internal GP gateway (because the internal host is not detected).

...and if you want to secure even more you can force the users to always connect to Globalprotect.

/Jonas


12 REPLIES

L1 Bithead

Hi!

I don't know how your guest wifi is connected to the Palo fw but can't you add a specific zone for the guest wifi, then you can restrict their traffic as you like? Or maybe just specify the guest wifi client networks as source in the fw? You can also enable the captive portal to authenticate the users before entering the Palo fw.

/Jonas

Hi,

Thanks for your reply. Yes, I have a specific zone for wifi but I would like to apply different policies to that zone based on what kind of client is being used. If the client is a corporate-owned laptop I want the same restrictions (facebook, dropbox etc.) to apply as if they were inside our network. The only way I know of is using a HIP-profile but that requires the users to authenticate to our portal first, which I don't want. Captive portal might be one way to go about it. I guess I could identify the type of device then?

//Mikael

You're welcome.

* Ahh OK, yes HIP profiles are a way to go but then you need a license.

* Another way to go is to use an internal Globalprotect gw which you can force the corporate owned laptops to use if they have a specific computer certificate. But that requires an internal CA and a GP license so you can use the internal GP gw.

* If you use the captive portal you still can't be sure that the employees don't use their corporate owned laptop on the open "unrestricted" wifi. And if they can, they do... 🙂

...so I don't think that there is an easy and cheap way to restrict your employees' corporate owned laptops from using the unrestricted wifi.

/Jonas

Well I do have an internal CA and a GP licence plus the GW subscription. So I can set it up that way. Can I force the laptops to pre-authenticate using the computer cert when, and only when, connected to our local wifi? I don't want to force them through our portal when they're on the road since it's a full tunnel set up so there could be bandwidth issues.


Thank you, I will try this. A bit complicated perhaps but I feel it will give me what I was asking for.

Best Regards,

Mikael

Hi again,

I was thinking a bit more on your solution and doesn't it mean that they will automatically connect to the external portal when not on our network or wifi? Or can I add a new client config at the bottom of the list of configs (I have both split and full tunneling depending on AD group) with only an internal gateway configured (no external) and internal host check enabled?

Thanks,

Mikael

If you want you can force the laptops to connect with GP both if they are in (guest wifi) or outside the network (Internet). If you just want the laptops to auto connect to portal if they are connected to the guest wifi you just add a new portal (new IP) with an internal IP and an internal host that must be reachable for the laptop to connect to the internal GP. So 1 portal with the external gw for Internet usage and 1 portal with internal gw for wifi guest usage.
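The accepted answer and the two-portal reply above both hinge on internal host detection deciding which gateway a laptop connects to. The script below is an added example written for this thread, not code from Palo Alto Networks or from either poster; it assumes (as an assumption, not something the thread states) that the agent treats the network as internal only when a reverse DNS lookup of the configured internal-host IP returns the configured hostname. All host names, IPs and PTR answers are constructed, and the resolver is injected so the model runs offline. It covers both configurations discussed: a portal with only an internal gateway (laptop stays disconnected off-site, answering the "will they connect to the external portal?" question) and a portal that also has an external gateway.

```python
"""Added example (not PAN-OS or GlobalProtect code): a model of how an agent
chooses a gateway using internal host detection.

Assumption: the network counts as internal only when a reverse DNS (PTR)
lookup of the configured internal-host IP returns the configured hostname.
The resolver is injected so the model runs offline against constructed
PTR tables."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class InternalHost:
    ip: str        # address the agent reverse-resolves
    hostname: str  # name the PTR answer must match


@dataclass(frozen=True)
class PortalConfig:
    internal_host: InternalHost
    internal_gateway: str
    external_gateway: Optional[str]  # None: connect only when internal host is detected


# A resolver maps an IP to the hostname its PTR record returns, or None.
Resolver = Callable[[str], Optional[str]]


def make_resolver(ptr_table: Dict[str, str]) -> Resolver:
    """Build an offline resolver from a constructed PTR table."""
    return lambda ip: ptr_table.get(ip)


def internal_host_detected(cfg: PortalConfig, resolve: Resolver) -> bool:
    """True only if the PTR answer for the internal-host IP equals the configured name."""
    answer = resolve(cfg.internal_host.ip)
    if answer is None:
        return False
    return answer.rstrip(".").lower() == cfg.internal_host.hostname.lower()


def choose_gateway(cfg: PortalConfig, resolve: Resolver) -> Optional[str]:
    """Gateway the agent would connect to, or None if it should stay disconnected.

    Detection only selects the gateway.  Proving the device is a corporate
    laptop happens at the gateway (pre-logon machine certificate or user
    credentials), so a PTR answer alone never grants access."""
    if internal_host_detected(cfg, resolve):
        return cfg.internal_gateway
    return cfg.external_gateway


# --- constructed sample data (hypothetical names and addresses) ---
CORP_HOST = InternalHost(ip="10.99.0.1", hostname="gp-internal.example.corp")

# Portal from the thread: internal gateway only, no external gateway.
GUEST_WIFI_PORTAL = PortalConfig(CORP_HOST, "gw-internal.example.corp", None)
# Portal that also carries road warriors over an external gateway.
FULL_PORTAL = PortalConfig(CORP_HOST, "gw-internal.example.corp", "gp.example.com")

# PTR tables as seen from three networks (constructed).
GUEST_WIFI_PTR = {"10.99.0.1": "gp-internal.example.corp."}   # corporate DNS answers
HOTEL_PTR: Dict[str, str] = {}                                 # no PTR answer off-site
LOOKALIKE_PTR = {"10.99.0.1": "printer.example.corp"}          # same IP, wrong name

if __name__ == "__main__":
    for label, ptr in (("guest wifi", GUEST_WIFI_PTR),
                       ("hotel", HOTEL_PTR),
                       ("lookalike", LOOKALIKE_PTR)):
        resolve = make_resolver(ptr)
        print(f"{label:10} guest-only portal -> {choose_gateway(GUEST_WIFI_PORTAL, resolve)}")
        print(f"{label:10} full portal       -> {choose_gateway(FULL_PORTAL, resolve)}")
```

The `external_gateway=None` configuration is the property Mikael asks about: on any network where the internal host does not resolve, the agent has no gateway to fall back to and simply stays disconnected, so road-warrior traffic is not pulled into the full tunnel. Note that the check is a DNS match, not an authentication step; the policy outcome (corporate restrictions on the guest wifi) comes from the internal gateway only accepting machines that present the machine certificate or valid credentials.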

But that would require the end user to manually change the portal address in the client? Or maybe I could NAT them to the correct portal depending on the zone they connect from. I will try different methods to achieve this and find the best solution for our environment. Thanks for your input.
