Global Protect Agent and SSID


L1 Bithead

Hi 

 

I have configured the GP agent with internal and external address to seamlessly work w/ always-on for my endpoints, and this works great. Users cannot connect to other networks w/ copper cable without the internal GW, and the SSID has to be punched in manually.

 

But one challenge:

How do I protect new endpoints when they are getting the Windows image from SCCM? If we have pre-defined the SSID and password in Windows, the endpoint could get an unsecure connection before the script installs the GlobalProtect Agent.

 

Can I create a HIP rule/profile in the policy settings that requires a GlobalProtect Agent installation (reg key) before Wi-Fi access is granted?

 

Thank you

 

 

 

 

 

5 REPLIES

L7 Applicator

HIP rules and profiles are applied to policies on the firewall itself, not on the client....

 

Can you not have GP as part of your image from SCCM?

 

Could you not apply a duff proxy to your devices and then remove the duff proxy settings as part of the installation script for GP?

Hmmm, perhaps not; the proxy settings will only restrict browsing, not general network access.

 

Perhaps including GP as part of the image may be a better idea.

L5 Sessionator

Hey @killboxalpha

 

Edit: I may have misread your post - HIP information and policy enforcement would only be after the client has connected to GlobalProtect so may not apply to this situation.

 

Thinking off the top of my head, you could use a PowerShell script to check whether the reg key is present; if it's not, use the XML API to send a tag to the firewall that updates a dynamic address group, then use a policy to block access with the SRC address as the dynamic address group.

 

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/register-ip-addresses-and-tag...

 

---

 

You can certainly block machines that connect to GlobalProtect from accessing resources (internet/internal resources etc) if they don't have a reg key present, this is done via HIP Based Policy Enforcement.

 

1. Create a new HIP object (Objects -> GlobalProtect -> HIP Objects), enable a "Custom Check" and create your custom check in the Registry Key tab.

 

2. Add your HIP object to a HIP profile (Objects -> GlobalProtect -> HIP Profiles), set the match to "NOT" so only people WITHOUT the reg key will hit this profile.

 

3. Create a security policy and add the HIP profile under the "User Tab"; with the action of deny in the security policy you can then block access for anyone that doesn't have the reg key present.

 

https://www.paloaltonetworks.com/documentation/81/globalprotect/globalprotect-admin-guide/host-infor...

 

Cheers,

Luke.
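
The first suggestion in the reply above (check the registry key, then tag the endpoint's IP through the XML API so a dynamic address group can block it), as an added example that is not part of the original thread. The firewall name, tag, registry path and API key source are placeholders or assumptions; the dynamic address group matching the tag and the deny policy using it as source must already exist on the firewall.

```powershell
# Added example: tag this endpoint's IP on the firewall while the agent's registry key is absent.
# Every parameter default below is a placeholder/assumption, not a value from the thread.
param(
    [string]$Firewall   = 'fw.example.internal',            # placeholder management FQDN
    [string]$ApiKey     = $env:PANOS_API_KEY,               # assumed: key of a role limited to the User-ID XML API
    [string]$RegKeyPath = 'HKLM:\SOFTWARE\<agent-reg-key>', # placeholder: key your GP install creates
    [string]$Tag        = 'no-gp-agent'                     # hypothetical tag matched by the dynamic address group
)

function New-UidMessage {
    param([string]$Ip, [string]$Tag, [ValidateSet('register','unregister')][string]$Action)
    # Escape values so they cannot break the XML structure.
    $ipEsc  = [System.Security.SecurityElement]::Escape($Ip)
    $tagEsc = [System.Security.SecurityElement]::Escape($Tag)
    @"
<uid-message><version>1.0</version><type>update</type><payload>
<$Action><entry ip="$ipEsc"><tag><member>$tagEsc</member></tag></entry></$Action>
</payload></uid-message>
"@
}

if (-not $ApiKey) { throw 'No API key supplied.' }

# IPv4 address of the interface that holds the default gateway.
$ip = Get-NetIPConfiguration | Where-Object { $_.IPv4DefaultGateway } |
      ForEach-Object { $_.IPv4Address.IPAddress } | Select-Object -First 1
if (-not $ip) { throw 'No IPv4 address with a default gateway found.' }

# Key absent -> register the tag (endpoint joins the blocked group); key present -> unregister it.
$action = if (Test-Path -LiteralPath $RegKeyPath) { 'unregister' } else { 'register' }

$body = @{ type = 'user-id'; key = $ApiKey; cmd = (New-UidMessage -Ip $ip -Tag $Tag -Action $action) }
# POST keeps the API key out of the URL; TLS certificate validation is left enabled.
$resp = Invoke-RestMethod -Method Post -Uri "https://$Firewall/api/" -Body $body

if ($resp.response.status -eq 'success') {
    Write-Output "$action of tag '$Tag' for $ip succeeded."
} elseif ($action -eq 'register') {
    # Failing to tag an agentless endpoint must be visible to the task sequence.
    throw "Firewall rejected the register request: $($resp.OuterXml)"
} else {
    # Assumption: removing a mapping that was never registered may be reported as an error.
    Write-Warning "Unregister not confirmed: $($resp.OuterXml)"
}
```

Because the key ships to every imaged endpoint, it should belong to an admin role that can do nothing except User-ID XML API calls.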

Hi LukeBullimore.

 

 

Yup, could not reply fast enough, sorry. The problem, as you mention, is that everything would hit after the GP agent was installed and not before. The solution was to create a script w/ SSID + pass that would not activate before the GP script install was done. This works now, after some tinkering.

 

thx for your input. Not sure who deserves the solved button.

Luke gets my vote, helpful link and a registry drop to finish off......

 

Laters

  • 3334 Views
  • 5 replies
  • 0 Likes