Global Protect Enforcing VPN

L1 Bithead

Hello,

I need to enforce VPN so users will not be able to access the Internet unless the tunnel is established or the wired corporate network is connected. Users should also be required to supply credentials and MFA every time the tunnel is built when accessing from external networks.

Once the laptop is inside on the corporate network, the connection should not require establishing a VPN tunnel.

It should also require that users are always asked for a password and that MFA prompts them for acceptance even when the computer is put to sleep instead of reboot/shutdown.

Please let me know if anyone was able to accomplish the above successfully.

Thanks!

Marcin

L7 Applicator

Marcin, Hi.

Seems similar to what I have...

Portal app will be:

connect method "user logon always on"

allow user to disable GlobalProtect "no"

enforce GlobalProtect "yes"

Use authentication override for gateways but not portals, and set cookie lifetime to 1 min.

When adding gateways, include the "Internal Host Detection" option; this will prevent GP from establishing a tunnel when connected to your LAN. It will display a little house thing, "Home".

I think that's about it... see how you get on, but please ask if you need any further advice.

L1 Bithead

Thank you for your reply.

I was able to configure it and it seems to be working as intended.

There is however an issue with Automatic Restoration of the tunnel.

Scenario:

The issue I have now is with the automatic reconnection to the VPN.

The problem occurs when a user puts the laptop to sleep, drives home or to another location, then connects to a different Wi-Fi: GlobalProtect will not ask for any credentials, or at least the MFA, to re-create the tunnel.

I have found that the GlobalProtect client caches creds and when the computer wakes up it reconnects.

The user is asked for credentials only with a reboot or log off.

A lot of users nowadays just close the lid or put laptops/tablets to sleep instead.

Now, do you think it is an issue or a feature?

Thanks!

Marcin Wiadrowski

L7 Applicator

Hmmm....

You could check the app setting... "Automatic Restoration of VPN connection".

I think the default is 30 mins... try dropping this down to 2 mins.

If you look on the Palo, Monitor/System, do you see the user disconnecting or reconnecting when they go in and out of sleep mode?
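One way to turn the Monitor/System check suggested above into something repeatable, as an added example that is not from this thread or from Palo Alto Networks: the script below parses constructed GlobalProtect-style log lines (the four-column format, the event names and the "cookie" auth-method value are assumptions for illustration, not real PAN-OS output) and flags tunnel connections that were not preceded by a recent interactive authentication, which is the wake-from-sleep behaviour Marcin describes.

```python
from datetime import datetime, timedelta

# Constructed sample log (not real PAN-OS output): timestamp, user, event, auth method.
# Event names only loosely follow GlobalProtect log event ids; the format is an assumption.
SAMPLE_LOG = """\
2019-03-01 08:00:05,alice,gateway-auth,radius
2019-03-01 08:00:07,alice,gateway-connected,-
2019-03-01 12:30:00,alice,gateway-logout,-
2019-03-01 13:05:10,alice,gateway-auth,cookie
2019-03-01 13:05:12,alice,gateway-connected,-
2019-03-02 08:10:00,bob,gateway-auth,radius
2019-03-02 08:10:02,bob,gateway-connected,-
"""

# A tunnel brought up more than this long after the user's last interactive
# (non-cookie) authentication is treated as a cached-credential reconnect.
MAX_AUTH_AGE = timedelta(minutes=5)


def parse_log(text):
    """Yield (timestamp, user, event, method) tuples from the comma-separated lines."""
    for line in text.strip().splitlines():
        ts, user, event, method = line.split(",")
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, event, method


def cached_reconnects(text, max_age=MAX_AUTH_AGE):
    """Return [(timestamp string, user)] for gateway-connected events that had no
    recent interactive authentication, i.e. tunnels restored from a cached
    credential or authentication-override cookie rather than a fresh MFA prompt."""
    last_interactive = {}
    flagged = []
    for ts, user, event, method in parse_log(text):
        if event == "gateway-auth" and method != "cookie":
            last_interactive[user] = ts
        elif event == "gateway-connected":
            last = last_interactive.get(user)
            if last is None or ts - last > max_age:
                flagged.append((ts.strftime("%Y-%m-%d %H:%M:%S"), user))
    return flagged


if __name__ == "__main__":
    for when, who in cached_reconnects(SAMPLE_LOG):
        print(f"{when}  {who}: tunnel restored without a fresh interactive auth")
```

Feeding an export of the real GlobalProtect log into the same logic (after adjusting the column mapping) shows whether reconnects after sleep are going through RADIUS/MFA or riding on the override cookie.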

Cyber Elite

@mwiadrowski which GP version do you use? If you are on 4.1.x, I strongly recommend stopping further troubleshooting before you have installed 5.0.0. Over the last year I was in the same troubles as you are now... Do you have a RADIUS server for MFA or are you using SAML, and I assume you have an Active Directory where the users are stored? I am asking these questions to hopefully give you the correct answer, because now with GlobalProtect 5.0.0 I finally have this setup up and running.

@MickBall in your setup proposal, isn't MFA required also from the internal network? I think I remember this was the reason why I did not use this configuration.

L7 Applicator

Yes of course... thanks for the reminder; we use cert authentication, not MFA, so not an issue...

Internal host detection could still be possible (I think) if you use cert auth for the portal and MFA for the gateways.

You could then turn off authentication override. From my tests it seems that the cookie is being used for the gateway reauthentication when the device wakes up (unless it has timed out).

L1 Bithead

@vsys_remo I am using RADIUS for MFA, and the user is stored in AD. I have upgraded to GP version 5.0.0 and the behavior is the same as with 4.1.

L4 Transporter

What are you guys doing for expired passwords here? If a password expires and enforce connection is enabled, how does that work?

L7 Applicator

Sorry, can't advise as we use cert auth, but don't you get a password change when you log in to AD after password expiry? I suppose this will depend on SSO or LDAP auth... isn't this what pre-logon is used for...

L4 Transporter

You're spot on. Didn't know if you can only password reset while using pre-logon or RADIUS. Looks to be so.
