GlobalProtect agent download from direct URL

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

GlobalProtect agent download from direct URL

L2 Linker

Hi everyone,

 

Do you know if it's possible to block the download of the globalprotect agent via the direct URL ? 

The goal here is to force users to authenticate in the portal web page to be able to download the agent.

 

Ex. for the 64bit agent :

https://<my-portal-address>/global-protect/getmsi.esp?version=64&platform=windows

 

If yes, could you please share the steps to solve it ?

 

Thanks a lot !

Fabien.

19 REPLIES 19

L1 Bithead

There are couple of steps to achieve this depending on the configuration that already exist on your appliance.

 

1. Go to device > Certificate mgt > ssl/tls service profile > add. It should look like the image (2) below when you are done.

2. Network > GlobalProtect > Portal > Add >On the General Tab > Add > name> external interface > IP Address

 

 

3. Then on the authentication Tab confiigure your PA appliance as shown below in Image 1. This forces the portal to request user credentials before they can access the portal to download the agent. FYI, my environment uses the Local User database for authentication, yours may be different.

 

Screen Shot 2017-07-25 at 9.15.35 AM.pngScreen Shot 2017-07-25 at 9.18.04 AM.png

You will also need to Generate a certificate or upload the certificate for Global protect using the public IP address of your untrust interface. see below

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Generate-a-New-Self-Signed-SSL-Certi...

Cyber Elite
Cyber Elite

@FabienJ,

I'm not positive of a way to actually do this and still allow the download to accomplish on the portal. It's kind of like the ASAs in the point where if you know where to direct it for the file itself you can get the download without authentication. You could put the link itself behind a captive portal if this is a big enough issue for you, but the user experiance if they go through the portal would be pretty bad. 

 

@Oyin-Idowu,

The authentication to the portal itself I'm sure is working perfectly fine, the file however can still be downloaded even if you don't authenticate by going directly to the download link. 

@Oyin-Idowu

I think @FabienJ has already done the steps you describe ... what he wants is to FORCE users to authenticate so nobody should be able to download the GP agent without log in

 

@FabienJ

You probably want to ask your SE for a feature request.

I can think of a possibility to achieve this, but at the moment I don't know if this works and it also contains something that's normally not recommended ... I will first do a little test before I write some sensless stuff here

 

... and once again @BPry was faster 😉 ...

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!