For details on cookie usage on our site, read our Privacy Policy
GlobalProtect agent download from direct URL
- LIVEcommunity
- Discussions
- General Topics
- GlobalProtect agent download from direct URL
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
GlobalProtect agent download from direct URL
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-25-2017 02:18 AM
Hi everyone,
Do you know if it's possible to block the download of the globalprotect agent via the direct URL ?
The goal here is to force users to authenticate in the portal web page to be able to download the agent.
Ex. for the 64bit agent :
https://<my-portal-address>/global-protect/getmsi.esp?version=64&platform=windows
If yes, could you please share the steps to solve it ?
Thanks a lot !
Fabien.
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-25-2017 07:30 AM
There are couple of steps to achieve this depending on the configuration that already exist on your appliance.
1. Go to device > Certificate mgt > ssl/tls service profile > add. It should look like the image (2) below when you are done.
2. Network > GlobalProtect > Portal > Add >On the General Tab > Add > name> external interface > IP Address
3. Then on the authentication Tab confiigure your PA appliance as shown below in Image 1. This forces the portal to request user credentials before they can access the portal to download the agent. FYI, my environment uses the Local User database for authentication, yours may be different.
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-25-2017 07:42 AM
You will also need to Generate a certificate or upload the certificate for Global protect using the public IP address of your untrust interface. see below
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-25-2017 08:38 AM
I'm not positive of a way to actually do this and still allow the download to accomplish on the portal. It's kind of like the ASAs in the point where if you know where to direct it for the file itself you can get the download without authentication. You could put the link itself behind a captive portal if this is a big enough issue for you, but the user experiance if they go through the portal would be pretty bad.
The authentication to the portal itself I'm sure is working perfectly fine, the file however can still be downloaded even if you don't authenticate by going directly to the download link.
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-25-2017 08:39 AM - edited 07-25-2017 08:41 AM
I think @FabienJ has already done the steps you describe ... what he wants is to FORCE users to authenticate so nobody should be able to download the GP agent without log in
You probably want to ask your SE for a feature request.
I can think of a possibility to achieve this, but at the moment I don't know if this works and it also contains something that's normally not recommended ... I will first do a little test before I write some sensless stuff here
... and once again @BPry was faster 😉 ...
- Unable to Download GlobalProtect from Firewall in GlobalProtect Discussions
- Suggestion for support in General Topics
- GlobalProtect client cant access internal resources in GlobalProtect Discussions
- Global Protect .exe files ? in GlobalProtect Discussions
- Expedition migration tool download in General Topics
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
