We are using GlobalProtect for VPN connection to our internal network along with an on-prem PA Firewall. We want to be able to block traffic from regions we wouldn't normally do business in, but occasionally have the ability to make a USER-BASED exception to the block so that if USER A is traveling abroad to China, we can allow USER A to connect to GlobalProtect from China while maintaining a block on all other traffic from China.
I thought this would be as simple as setting a rule above our GeoLocation block allowing traffic for USER A from Source China with Destination application being GlobalProtect. Unfortunately that rule doesn't work, and my understanding from discussing with TAC is that this is because the user is not able to authenticate to the Firewall prior to being blocked by the GeoLocation rule (essentially the allowance has no way of knowing USER A is USER A before he connects through GlobalProtect, and USER A can't connect through GlobalProtect because the GeoLocation block prevents him). We've been going back and forth with TAC as well as an SE, but as yet do not have a solution.
I can't imagine this is an uncommon scenario, so wondering what others may have done to address this. We have been able to bypass the GeoBlock by putting in an IP Based allowance, but this is problematic as the IP changes frequently.
Anyone else had this scenario and found a way to resolve?
This actually is an uncommon problem, because you're trying to fundamentally break how geoblocking actually works. Trying to have your cake and eat it too if you will.
Fundamentally you can't allow BPry to access your GlobalProtect portal because the firewall is told to block all traffic from China. The firewall can't know that BPry is associated with that source IP in China unless I have a way to authenticate to the firewall (authentication policy, GlobalProtect, etc.), but you're telling it to not allow any traffic from China to even perform that process.
If we have employees abroad, all of my clients have a process of notifying us of the dates they will be abroad and in which country. We can then set up a security rulebase entry allowing GlobalProtect connections from that country with a schedule so that traffic is allowed exactly as needed. We then configure GlobalProtect so that only that one single user/machine can connect from that country and is allocated a dedicated IP Pool used solely for international travel that gives them extremely limited access to resources, and lock it down as much as possible.
You can bring this a step further by demanding they bring a loaner issued laptop with them while traveling (bonus points for certificate authentication) that can be freshly imaged prior to them leaving the country and immediately re-imaged upon their return. We don't allow any BYOD endpoint to connect abroad and we don't let them take their regular equipment with them.
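To make the ordering problem in this thread concrete, here is an added illustration (not code from the thread, and not PAN-OS configuration) that models first-match security-policy evaluation in Python. The rule names, country code, user name and travel dates are constructed for the example. It shows why a user-based allow placed above the geoblock never fires for the initial portal connection (the user is still unknown at that point), and how a country-scoped allow with a schedule window, as described in the reply above, does match while the geoblock keeps denying outside the window.

```python
"""Model of first-match security-policy evaluation for GlobalProtect portal access.

Added illustration, not PAN-OS code: rule names, country codes, user names and
dates below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_country: str      # source country from the GeoIP lookup
    app: str              # identified application, e.g. "globalprotect"
    user: Optional[str]   # None until GlobalProtect has authenticated the user
    when: datetime        # time at which the connection is evaluated


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                # "allow" or "deny"
    src_country: Optional[str] = None          # None matches any source country
    app: Optional[str] = None                  # None matches any application
    user: Optional[str] = None                 # None matches any user, known or not
    schedule: Optional[Tuple[datetime, datetime]] = None  # active window [start, end)

    def matches(self, f: Flow) -> bool:
        if self.src_country is not None and f.src_country != self.src_country:
            return False
        if self.app is not None and f.app != self.app:
            return False
        # A user-based rule can only match once the firewall knows who the user is;
        # before authentication f.user is None and the comparison fails.
        if self.user is not None and f.user != self.user:
            return False
        if self.schedule is not None:
            start, end = self.schedule
            if not (start <= f.when < end):
                return False
        return True


def evaluate(rulebase: List[Rule], f: Flow) -> Tuple[str, str]:
    """Return (rule name, action) of the first matching rule, or the implicit deny."""
    for rule in rulebase:
        if rule.matches(f):
            return rule.name, rule.action
    return "implicit-default", "deny"


# Shared rules (constructed): block everything from CN, otherwise allow the GP portal.
GEOBLOCK_CN = Rule("geoblock-cn", "deny", src_country="CN")
GP_PORTAL_ANY = Rule("gp-portal-any", "allow", app="globalprotect")

# Attempt from the question: a user-based exception placed above the geoblock.
USER_EXCEPTION_RULEBASE = [
    Rule("user-a-from-cn", "allow", src_country="CN", app="globalprotect", user="USER A"),
    GEOBLOCK_CN,
    GP_PORTAL_ANY,
]

# Approach from the reply: a country-scoped allow limited to the notified travel window.
TRIP = (datetime(2024, 3, 1), datetime(2024, 3, 15))  # constructed travel dates
SCHEDULED_RULEBASE = [
    Rule("travel-cn-gp", "allow", src_country="CN", app="globalprotect", schedule=TRIP),
    GEOBLOCK_CN,
    GP_PORTAL_ANY,
]

IN_TRIP = datetime(2024, 3, 5)       # constructed: inside the travel window
AFTER_TRIP = datetime(2024, 3, 20)   # constructed: after the travel window


def portal_attempt(rulebase: List[Rule], country: str, when: datetime) -> Tuple[str, str]:
    """Evaluate the initial portal connection, before any user has authenticated."""
    return evaluate(rulebase, Flow(country, "globalprotect", None, when))


def authenticated_attempt(rulebase: List[Rule], country: str, user: str,
                          when: datetime) -> Tuple[str, str]:
    """Evaluate a flow for which User-ID already knows the user (post-authentication)."""
    return evaluate(rulebase, Flow(country, "globalprotect", user, when))


if __name__ == "__main__":
    print("user rule, pre-auth from CN :", portal_attempt(USER_EXCEPTION_RULEBASE, "CN", IN_TRIP))
    print("user rule, post-auth from CN:", authenticated_attempt(USER_EXCEPTION_RULEBASE, "CN", "USER A", IN_TRIP))
    print("schedule, inside window     :", portal_attempt(SCHEDULED_RULEBASE, "CN", IN_TRIP))
    print("schedule, outside window    :", portal_attempt(SCHEDULED_RULEBASE, "CN", AFTER_TRIP))
```

The first line of output is the failure the original poster hit: the user-based rule is skipped because the pre-authentication flow carries no user, so the geoblock is the first match. The user-based rule would only match after the user is already known, which is exactly the stage the geoblock never lets the connection reach. The scheduled rule matches on attributes the firewall does have before authentication (source country, application, time), which is why it works, at the cost of admitting any source in that country for the duration of the window; the reply's per-user GlobalProtect restriction and dedicated, tightly scoped IP pool are what narrow that exposure after login.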
I am prefacing my post with the statement that I am an InfoSec analyst and not a firewall admin. So I apologize in advance for any lack of knowledge as to detailed inner workings of how PA firewalls are managed.
I am in the same boat as JLeever. We have started allowing employees to travel to foreign countries, but we geoblock any connections outside of the US. Right now we use an EDL to manage the user's IP address for GP access or our Citrix storefront (depending on business needs or if they are traveling to certain "risky" countries).
The problem is that we can't lock down their access to limit risk. They are either able to work normally or not at all, and the mandate from management is to give them the ability to work normally if possible. The problem is similar to what JLeever indicated, where the user's IP will change almost daily (India is a frequent offender in this case). And scheduling to allow access from the entire country during the time of travel doesn't strike me as being very secure, as (in the case of India) we would be allowing access from any IP address in India for months on end, since there has been a lot of overlap from one user's trip to another.
I understand the User-based strategy wouldn't work, but is there any other unique identifier that could be used to allow access to someone over the course of their trip? Like the MAC address for their machine? And just so I understand fully, there is no way for the firewall to use an AD group or some other method to verify a user, correct? Like the connection request comes into the firewall and it compares the Username provided to an AD group object with that username in it? Or is the firewall not able to talk to AD in that way when managing connections? What about an EDL with the username entries? Or do the EDLs have to be a domain or IP address to work properly?
Thanks again for any help that can be provided.
Here are a few thoughts:
It's not a simple answer, I'm afraid. However, come up with a few options that are manageable and sustainable and present them to management with their drawbacks. Let management take the risk; it's their call anyway.
Just my thoughts.