05-07-2019 12:06 PM
I was just wondering how other people have their globalprotect clients configured? Who used on-demand vs autologin. Who uses prelogin checks etc and what works the best
05-09-2019 01:46 AM
@jdprovine , long time no post...
difficult one as whats best will really depend on the corporate and user requirements.
we use pretty much all the options as we have a varied user scope from members of staff, IT admin, guests, 3rd party support etc and all vary between on demand, always on, radius OTP, certificate and LDAP...
so...
our main user group of approx 3k are win7/10 laptops.
for this we use always on with certificate authentication.
pre login is not much use as wifi is not enabled until user actually logs in.
The "enforce GlobalProtect" option boosted our service desk calls bt 45 million (approx) so we took it off. mainly because of issues with captive portal etc but we do prevent open browsing by the use of a proxy.pac config.
pretty much got this down to a fine art as we generally only get 1 or 2 calls per week regarding GP. most resolved as users not joining guest networks correctly but hardly ever due to a GP fault.
we also run a couple of pre and post VPN scripts but this is just to enforce a few proxy settings and ipconfig/flushdns as this was not part of the early GP versions.
Hope you are well,
Laterers...
05-09-2019 06:03 AM
Hey there I'm back after my job change and reaper got all my setting migrated wasn't sure people would recognize me.
We only have one VPN configured and every one uses the same one, we don't have nearly as many users as you do though but I really dislike the auto login, I prefer the on demand but I can see why it was setup the way it was to take human error out of the equation. I am just looking to make it work better
05-09-2019 10:28 AM
@Mick_Ball wrote:The "enforce GlobalProtect" option boosted our service desk calls bt 45 million (approx) so we took it off. mainly because of issues with captive portal etc but we do prevent open browsing by the use of a proxy.pac config.
pretty much got this down to a fine art as we generally only get 1 or 2 calls per week regarding GP. most resolved as users not joining guest networks correctly but hardly ever due to a GP fault.
we also run a couple of pre and post VPN scripts but this is just to enforce a few proxy settings and ipconfig/flushdns as this was not part of the early GP versions.
@Mick_Ball you should give 5.0.2 a try. I have spent a lot of time together with Paloalto to report, solve and test fixes for issue you describe here. Of course 5.0.2 will not be bug-free, but right not it runs pretty good with enforce enabled. Captive portals are no longer a problem even with this option and in my setup we even have MFA with RADIUS configured which made the whole situation even more difficult. Anyway, if you do test it with 5.0.2 any maybe also with the enforce option, please write your feedback/issues to this post, where I try to collect informations about 5.0.2: https://live.paloaltonetworks.com/t5/General-Topics/Global-Protect-5-0-2-working-deployments-configu...
05-09-2019 11:03 AM
@jdprovine , where exactly is it failing, we also use on demand for external support, approx 120 users and still have no issues,
@Remo ,yes i have seen how busy you have been, i will of course venture deeper.....
05-09-2019 12:10 PM
Actually its not failing I was just wondering if there was a best practices way to configure it that would make it more efficient
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
