We are using GlobalProtect for VPN connection to our internal network along with an on-prem PA Firewall. We want to be able to block traffic from regions we wouldn't normally do business in, but occasionally have the ability to make a USER-BASED exception to the block so that if USER A is traveling abroad to China, we can allow USER A to connect to GlobalProtect from China while maintaining a block on all other traffic from China.
I thought this would be as simple as setting a rule above our GeoLocation block allowing traffic for USER A from Source China with Destination application being GlobalProtect. Unfortunately that rule doesn't work, and my understanding from discussing with TAC is that this is because the user is not able to authenticate to the Firewall prior to being blocked by the GeoLocation rule (essentially the allowance has no way of knowing USER A is USER A before he connects through GlobalProtect, and USER A can't connect through GlobalProtect because the GeoLocation block prevents him). We've been going back and forth with TAC as well as an SE, but as yet do not have a solution.
I can't imagine this is an uncommon scenario, so wondering what others may have done to address this. We have been able to bypass the GeoBlock by putting in an IP Based allowance, but this is problematic as the IP changes frequently.
Anyone else had this scenario and found a way to resolve?
This actually is an uncommon problem, because you're trying to fundamentally break how geoblocking actually works. Trying to have your cake and eat it too if you will.
Fundamentally you can't allow BPry to access your GlobalProtect portal because the firewall is told to block all traffic from China. The firewall can't know that BPry is associated with that source IP in China unless I have a way to authenticate to the firewall (authentication policy, GlobalProtect, etc.), but you're telling it to not allow any traffic from China to even perform that process.
When we have employees abroad, all of my clients have a process of notifying us of the dates they will be abroad and in which country. We can then set up a security rulebase entry allowing GlobalProtect connections from that country with a schedule, so that traffic is allowed exactly as needed. We then configure GlobalProtect so that only that one single user/machine can connect from that country and is allocated a dedicated IP pool used solely for international travel that gives them extremely limited access to resources, and lock it down as much as possible.
You can take this a step further by demanding they bring a loaner laptop with them while traveling (bonus points for certificate authentication) that can be freshly imaged prior to them leaving the country and immediately re-imaged upon their return. We don't allow any BYOD endpoint to connect abroad, and we don't let them take their regular equipment with them.
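The following is an added example, not code from this thread or from Palo Alto Networks. It is a small, hypothetical model of first-match security policy evaluation that reproduces the two situations discussed above: the original poster's user-based exception placed above the geoblock, which can never match a pre-authentication connection because no user is known yet, and the reply's scheduled, country-scoped GlobalProtect allow rule, plus a post-authentication check at the gateway that only admits the notified traveller into a restricted travel pool. Rule names, the country code, the travel window, usernames and pool names are all constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set, Tuple

# Hypothetical first-match policy model (not PAN-OS code). It only reproduces
# the ordering and matching logic discussed in the thread.


@dataclass
class Flow:
    src_country: str            # region derived from the source IP
    app: str                    # identified application
    ts: datetime                # time the connection arrives
    user: Optional[str] = None  # None until the user has authenticated


@dataclass
class Rule:
    name: str
    action: str                                         # "allow" or "deny"
    src_countries: Optional[Set[str]] = None            # None means any source
    users: Optional[Set[str]] = None                    # None means any user
    apps: Optional[Set[str]] = None                     # None means any application
    window: Optional[Tuple[datetime, datetime]] = None  # schedule, None = always

    def matches(self, flow: Flow) -> bool:
        if self.src_countries is not None and flow.src_country not in self.src_countries:
            return False
        # A user condition can only match once the user is known; a
        # pre-authentication flow carries no user, so it never matches here.
        if self.users is not None and (flow.user is None or flow.user not in self.users):
            return False
        if self.apps is not None and flow.app not in self.apps:
            return False
        if self.window is not None:
            start, end = self.window
            if not (start <= flow.ts <= end):
                return False
        return True


def evaluate(rulebase: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (rule name, action) of the first matching rule, top to bottom."""
    for rule in rulebase:
        if rule.matches(flow):
            return rule.name, rule.action
    return "default-deny", "deny"  # constructed final catch-all


GEOBLOCK = Rule("GeoBlock-CN", "deny", src_countries={"CN"})
ALLOW_REST = Rule("Allow-GP-Inbound", "allow", apps={"globalprotect"})

# Rulebase 1: the original poster's attempt, a user-based exception above the geoblock.
OP_RULEBASE = [
    Rule("UserA-GP-from-CN", "allow", src_countries={"CN"}, users={"userA"}, apps={"globalprotect"}),
    GEOBLOCK,
    ALLOW_REST,
]

# Rulebase 2: the reply's approach, a scheduled country-scoped GlobalProtect allow.
TRAVEL_WINDOW = (datetime(2024, 3, 1), datetime(2024, 3, 15, 23, 59))  # constructed dates
TRAVEL_RULEBASE = [
    Rule("GP-Travel-CN", "allow", src_countries={"CN"}, apps={"globalprotect"}, window=TRAVEL_WINDOW),
    GEOBLOCK,
    ALLOW_REST,
]


def pre_auth_flow(country: str, ts_iso: str) -> Flow:
    """A GlobalProtect connection attempt before any user has authenticated."""
    return Flow(src_country=country, app="globalprotect", ts=datetime.fromisoformat(ts_iso), user=None)


def original_attempt() -> Tuple[str, str]:
    # The user-based rule cannot see a user yet, so the geoblock wins.
    return evaluate(OP_RULEBASE, pre_auth_flow("CN", "2024-03-05T12:00"))


def scheduled_attempt(ts_iso: str) -> Tuple[str, str]:
    return evaluate(TRAVEL_RULEBASE, pre_auth_flow("CN", ts_iso))


def home_attempt(ts_iso: str) -> Tuple[str, str]:
    return evaluate(TRAVEL_RULEBASE, pre_auth_flow("US", ts_iso))


# Post-authentication gate at the GlobalProtect gateway, the second half of the reply:
# only the notified traveller is admitted from that country, and lands in the travel pool.
TRAVEL_ALLOWLIST = {"userA": {"CN"}}  # constructed: user -> countries approved for travel


def gateway_pool(user: str, country: str, home_countries=frozenset({"US"})) -> Optional[str]:
    """Pool to assign after authentication, or None to refuse the session."""
    if country in home_countries:
        return "pool-internal"
    if country in TRAVEL_ALLOWLIST.get(user, set()):
        return "pool-travel-restricted"
    return None


if __name__ == "__main__":
    print("OP attempt:", original_attempt())
    print("During window:", scheduled_attempt("2024-03-05T12:00"))
    print("After window:", scheduled_attempt("2024-04-01T12:00"))
    print("Gateway pool for userA from CN:", gateway_pool("userA", "CN"))
```

The point the model makes explicit is that the only attributes available before authentication are the source region, the application and the time, so an exception that must be narrow has to be built from those (the schedule keeps the window short), and the per-user restriction belongs in the second stage, after the user has proven who they are.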