GlobalProtect agent download from direct URL

L4 Transporter

Hi FabienJ,

This is possible.

You'd need an external web server to host the GP software.

Now, if you can configure some sort of authentication there, that's all well and good. If not, you can make use of PAN-OS 8.0 for the 'Authentication policy' feature (this is what I'll demonstrate). For the authentication policy approach, you should be hosting the file on an HTTP server. Using this method, you can even do MFA for just the download, so I guess that's a plus.

Well, here are the steps:

Log in to the command line and issue the following commands:

  • set global-protect redirect location <path of the external server repository of the file>
  • set global-protect redirect on

In my case, since I didn't have an HTTP server, I just chose something random like: http://www.ipvoid.com

Run the command - set global-protect redirect show

You should see output similar to mine:

cfg.global-protect.redirect.flag: True
cfg.global-protect.redirect.location: http://www.ipvoid.com

At this point, you are pretty much done if you are doing authentication on that external server.

Proceed if you want to use the Authentication policy approach.

1. Create a captive portal

captive-portal.JPG

Redirect host, in your case, will be the external-facing address that can serve the authentication page.

Choose an appropriate SSL/TLS profile and authentication profile.

2. Create an authentication policy

authpolicy.JPG

Please keep in mind that you'd have to choose the source zone as Outside. I am using Inside because of the way my lab setup is configured. Also, the destination zone would be something depending on where the file hosting server lies and whether NAT is required or not. Destination address would be whatever address you have entered as the file server. You can choose Authentication Enforcement to use two-factor, if you want. I am just using a simple Web-form (captive portal).

Here's the demo:

Whether I go to the GP portal, log in and then click on the download GP client links or directly enter https://<my-portal-address>/global-protect/getmsi.esp?version=64&platform=windows, I will get an MFA portal page (customizable btw, under Device->Response pages), which will look like this:

pre-MFA.JPG

I would authenticate and then the firewall would redirect me to the file server (in this case it's just going to ipvoid.com).

post-MFA.JPG

Hope that helps.

Regards,

Anurag

================================================================
ACE 7.0, 8.0, PCNSE 7
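
An added check for the redirect step above (not code from the post or from Palo Alto Networks): it sends one unauthenticated request for the agent package and reports whether the firewall answered with a redirect, which is what "set global-protect redirect on" should produce, or still served the MSI. The portal hostname gp.example.com is a placeholder; the expected redirect location is the one used in the post.

```python
# Added verification helper; not code from the original post or from Palo Alto
# Networks. After "set global-protect redirect on", an unauthenticated request
# for the agent package should come back as a redirect to the configured
# location, never as the MSI itself. Hostname and location are placeholders.
import ssl
import urllib.error
import urllib.request

AGENT_PATH = "/global-protect/getmsi.esp?version=64&platform=windows"  # path from the post

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # stop at the first 3xx; urllib then raises HTTPError with that status

def classify(status, headers, expected_location):
    """Classify the portal's answer (headers: lowercase name -> value).

    'redirected'          : 3xx to the configured redirect location (expected)
    'redirected-elsewhere': 3xx somewhere else (check the configured location)
    'served'              : 200 with the package body, i.e. still open to anyone
    'other'               : anything else (e.g. 404 when the portal is disabled)
    """
    location = headers.get("location", "")
    if 300 <= status < 400 and location:
        return "redirected" if location.startswith(expected_location) else "redirected-elsewhere"
    ctype = headers.get("content-type", "").lower()
    if status == 200 and ("msi" in ctype or "octet-stream" in ctype):
        return "served"
    return "other"

def check_portal(portal_host, expected_location, verify_tls=True):
    """Send one unauthenticated GET to the portal and classify the result."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab portal with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(NoRedirect(), urllib.request.HTTPSHandler(context=ctx))
    try:
        resp = opener.open("https://" + portal_host + AGENT_PATH, timeout=10)
        status, hdrs = resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as e:  # 3xx and 4xx/5xx both arrive here
        status, hdrs = e.code, {k.lower(): v for k, v in e.headers.items()}
    except urllib.error.URLError:
        return "unreachable"
    return classify(status, hdrs, expected_location)

if __name__ == "__main__":  # gp.example.com is a placeholder portal hostname
    print(check_portal("gp.example.com", "http://www.ipvoid.com"))
```

Run it once before and once after committing the redirect commands; the result should move from 'served' to 'redirected'.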
Cyber Elite

Hi @ansharma

But if someone knows the download URL, he will still be able to go directly there and download the software ...

This is the point in this topic: that the download is available without login - if someone knows the download URL - and that the download is still available when the portal is disabled ...

L4 Transporter

I thought the user wanted to know a way to force authentication for people going directly to the download link rather than the portal first. This is what the method above provides.

Honestly, you can't prevent people from knowing the portal link. I mean, most companies use something simple like gp.acme.com or vpn.acme.com. And, besides geolocation blocking, you could just find many of them accessible. So, what if you did - it's requiring someone to do a portal login to connect and/or using the Authentication policy to download the GP client from their portal.

Additionally, even if someone downloads the GP from the portal link, the only thing being taxed is the firewall's resources providing the download, which again you can enforce authentication on using the method described. One can go to Cisco's website from any valid (entitled) account and download the AnyConnect client. A blank VPN client is just that, blank.

Regards,

Anurag

================================================================
ACE 7.0, 8.0, PCNSE 7
Cyber Elite

@vsys_remo,

Since you are setting the GlobalProtect redirect flag you won't be able to actually get to the client download package, that redirect will force you over to the server that you set and that's where the Captive Portal piece comes in to actually get this to work. 

Cyber Elite

@FabienJ,

Out of curiosity and because I don't think it's been asked yet, what is your industry that you actually have to worry about people using the direct URL link? I can't get my users to remember the portal address itself, let alone the package URL. 

L2 Linker

Hi Guys,

First, many thanks to @vsys_remo and @ansharma for your time.

@vsys_remo using your first ugly method, it sounds like it's working in the end? You have a URL blocking page when you try to reach the download URL?

You just can't get user mapping info? Can't we tune the User-ID ACL on the zone to make this less ugly :) ?

@ansharma it's a pretty interesting workaround, I need to try this one after my holidays :)

As you said, all vendors are using this way to deliver agents (vSphere, AnyConnect and so on ...) but I think it's not a good thing to imitate.

My SE also suggested something that should work with hardware models, using vsys, one hosting the captive portal, then another vsys hosting the GlobalProtect portal and the agent.

...A feature request should happen soon :)

Thanks again!

L2 Linker

@BPry researchers :)

Cyber Elite


@BPry wrote:

@vsys_remo,

Since you are setting the GlobalProtect redirect flag you won't be able to actually get to the client download package, that redirect will force you over to the server that you set and that's where the Captive Portal piece comes in to actually get this to work.

True, I somehow missed this point :P

But this solution will force users, who connect first to the GP Portal, to log in twice - because the ip-user-mapping is not created when a user logs in to the GP Portal ...

I think we see it all in the same way: it is not really a problem and definitely not a security issue...

... but with the GP Portal login I think that the login should also be required for downloading the software, or is there another reason for a GP Portal with login form?


L4 Transporter

@vsys_remo Yes, using my method the user would have to log in again but it's not because of the user-IP mapping. Authentication policy is a new feature (starting 8.0) and works slightly differently from the former captive portal, although it uses captive portal as one of the pieces of configuration.

The user would be logging in again because there are two independent sets of authentication happening. One at the portal login page and another using the Authentication policy.

In congruence with you and @BPry, receiving the GP agent directly (without having to log in) does not really pose a security risk. The portal authentication's real job is not to deliver the GP agent; instead its focus is during the actual VPN connection.

Regards,

Anurag


================================================================
ACE 7.0, 8.0, PCNSE 7