Filter traffic from mobile devices

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Filter traffic from mobile devices

L2 Linker

Hi,

I was wondering if anyone has an idea on how to filter traffic coming from mobile devices. My scenario is that on our (open) guest wifi I would like to enable our users to do pretty much what they like from their mobile phones etc. but not let them have the same freedom just by undocking their laptops. Since we don´t pre-authenticate them to our Global Protect Portal I am aware that on any other network they are free to roam around as they please. Any ideas?

Thank you,

Mikael Gustafsson

1 accepted solution

Accepted Solutions

L1 Bithead

If you have a portal license you will be able to use an internal gateway. You could do it this way:

Your corporate laptops have the Globalprotect client installed, internal gw is configured in the fw portal, internal host detection is enabled in the fw portal(the computer connects automatic to the internal gw IF the specific internal host is reachable), set connection method in the fw portal to user-logon or pre-logon(the GlobalProtect agent will automatically establish a connection after users log in to their computers. If you select Use single sign-on, the username and password used to log in to Windows is captured by the GlobalProtect agent and used to authenticate.) or select pre-logon(Allows the agent to authenticate and establish the VPN tunnel to the GlobalProtect gateway using a pre-installed machine certificate before the user has logged in to the machine.)

With this method the corporate laptops(which have GP installed) checking if an internal host is reachable(maybe the guest wifi interface adress on Pan fw?) and if so it will establish an automagic vpn connection to the internal GP gateway with the users login credentials.-All the corporate laptops who connects to the guest wifi will connect to the internal GP gw and using same sec policys as when there are connected at the office with a cable. IF they connect whith there corporate laptops to another wifi or broadband the laptop will not connect to the internal GP gateway(because the internal host is not detected).

...and if you wan´t to secure even more you can force the users to always connect to Globalprotect.

/Jonas

View solution in original post

12 REPLIES 12

L1 Bithead

Hi!

I don´t know how your guest wifi is connected to the Palo fw but can´t you add a specific zone for the guest wifi, then you can restrict there traffic as you like? Or maybe just specify the guest wifi client networks as source in the fw? You can also enable the captive portal to authenticate the users before entering the Palo fw.

/Jonas

Hi,

Tack för ditt svar. Yes, I have a specific zone for wifi but I would like to apply different policies to that zone based on what kind of client´s being used. If the client is a Corporate owned laptop I wan´t the same restrictions (facebook, dropbox etc.) to apply as if they were inside our network. The only way I know of is using a HIP-profile but that requires the users to authenticate to our portal first, which I don´t want. Captive portal might be one way to go about it. I guess I could identify the type of device then?

//Mikael

Det var så lite så.

* Ahh OK, yes HIP profiles is a way to go but then you need a license.

*Another way to go is to use an internal Globalprotect gw which you can force the corporate owned laptops to use if they have a specific computer certificate. But that requires an internal CA and a GP license so you can use the internal GP gw.

*If you use the captive portal you still can´t be sure that the employees don´t use there corporate owned laptop on the open "unrestricted" wifi. And if they can, they do... 🙂

...so i don´t think that there is a easy and cheap way to restrict your employees corporate owned laptops to use the unrestricted wifi.

/Jonas

Well I do have an internal CA and a GP licence plus the GW subscription. So I can set it up that way. Can I force the laptops to pre-authenticate using the computer cert when, and only when, connected to our local wifi? I don´t want to force them through our portal when they´re on the road since it´s a full tunnel set up so there could be bandwidth issues.

L1 Bithead

If you have a portal license you will be able to use an internal gateway. You could do it this way:

Your corporate laptops have the Globalprotect client installed, internal gw is configured in the fw portal, internal host detection is enabled in the fw portal(the computer connects automatic to the internal gw IF the specific internal host is reachable), set connection method in the fw portal to user-logon or pre-logon(the GlobalProtect agent will automatically establish a connection after users log in to their computers. If you select Use single sign-on, the username and password used to log in to Windows is captured by the GlobalProtect agent and used to authenticate.) or select pre-logon(Allows the agent to authenticate and establish the VPN tunnel to the GlobalProtect gateway using a pre-installed machine certificate before the user has logged in to the machine.)

With this method the corporate laptops(which have GP installed) checking if an internal host is reachable(maybe the guest wifi interface adress on Pan fw?) and if so it will establish an automagic vpn connection to the internal GP gateway with the users login credentials.-All the corporate laptops who connects to the guest wifi will connect to the internal GP gw and using same sec policys as when there are connected at the office with a cable. IF they connect whith there corporate laptops to another wifi or broadband the laptop will not connect to the internal GP gateway(because the internal host is not detected).

...and if you wan´t to secure even more you can force the users to always connect to Globalprotect.

/Jonas

Thank you, I will try this. A bit complicated perhaps but I feel it will give me what I was asking for.

Best Regards,

Mikael

Hi again,

I was thinking a bit more on your solution and doesn´t it mean that they will automatically connect to the external portal when not on our network or wifi? Or can an add a new client config at the bottom of the list of configs (I have both split and full tunneling depending on AD group) with only an internal gateway configured (no external) and internal host check enabled?

Thanks,

Mikael

If you wan´t you can force the laptops to connect with GP both if they are in(guest wifi) or outside the network(Internet). If you you just want the laptops to auto connect to portal if there are connected to the guest wifi you just add a new portal(new IP) with an internal IP and an internal host that must be reachable for the laptop to connect to the internal GP. So 1 portal with the external gw for Internet usage and 1 portal with internal gw for wifi guest usage.

But that would require the end user to manually change the portal adress in the client?. Or maybe I could NAT them to the correct portal depending on the zone they connect from. I will try different methods to achieve this and find the best solution our environment. Thanks for your input.

Ok, now I´ve managed to get the agent to automatically connect at logon when the client is on our wifi. I created a new Agent Configuration under the portal. I left external GW blank and added our usual GW address under internal GW. As internal host check I had to use a DNS address reachable both from the wifi and our lan (I don´t have any dns server, local to the wifi, that can respond to the nslookup PA performs for internal host detection). This means that the agent connects and creates a tunnel even when connected by wire. I´m not sure if this will prove to be an issue or not. This far I haven´t found any downsides, but I guess since all traffic now flows through the PA device there could be bandwidth problems when more users are included in the setup.

Well it depends on several things if it´s a good idea to tunnel corporate laptop Lan traffic, not just from guest wifi. Maybe you wan´t to "see" the traffic within your network, now it´s just the Pan hw that can see the traffic unencrypted. But a benefit is that the GP logged in user is shown in the Pan logs(maybe you already using UserID).

If you just wan´t the corporate laptops to connect to the internal gw if they are connected to the guest wifi, not the lan i have a solution for you:

1. If it´s possible, set a security rule that only allow guest wifi clients to reach the "internal host detection IP" OR

2. Use the internal gw IP for internal host detection. Set a interface mgmt profile to the internal gw interface and add the guest wifi network to the permitted ip-adresses section. Now only guest wifi connected hosts are able to reach the internal gw(internal host detection) and the Lan connected computers is not allowed to reach the internal host detection IP why GP will not connect.

/Jonas

When I got home last night I discovered that the setup didn´t work as I expected. When there is no external GW present in the agent configuration it doesn´t try the next agent config for that user. So I couldn´t log in at all from home (next agent config was set to on demand and I expected to be able to use it). Now I´m leaning at forcing all traffic, always, through our firewall. But I don´t like the idea of our local network being accessible by default when a user logs in when out of the office so I created a new security zone for the automatic external gw without acces to lan resources. Then I added another gw for full access and ticked it as manual. Now all surf traffic gets routed through PA by default and the users has to make a manual choice to connect to the local resources. To further strenghten the security I would like to force the users to enter their credentials when switching to the full gw but I don´t think thats possible since portal config is set to SSO. I´ll try to uncheck SSO and see what happens but my prediction is that they´ll have to authorize them twice (first windows then GP) and that won´t be happily accepted.

Your solution would work but the problem is that when the agent can´t reach the gw to connect you get a baloon notification every 5 sec saying "not connected" which I haven´t found a way to disable. Well you can disable it by not showing icon in taskbar but then the users has no way to temporarily disable the client which sometimes is necessary because they need to connect to printers on the road or they´re on a network which isn´t letting vpn traffic through.

//Mikael

  • 1 accepted solution
  • 6547 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!