GlobalProtect Always On Issue

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

GlobalProtect Always On Issue

L1 Bithead

I am currently testing GlobalProtect Always on, I have configured to operate at user logon. The issue I am having is that on start-up of my laptop, on my corporate network I am prevented from any network access. If I connect to my public WIFI and connect GlobalProtect and can access my network ok. Reverting back to my corporate network and it then detects I am on my internal network and allows access to the network ok.

If I restart my laptop I faced with the same problem. If the laptop starts on the corporate network GlobalProtect fails to detect its on internal network.

I have configured Internal Host Detection (which is working if GP has connected previously.

It's not usable in this form, am I missing something?

7 REPLIES 7

L1 Bithead

And to follow on, if I can check the PANGPS.log after start up of the laptop there is no attempt to look at the internal host detection? Does this only work after globalprotect has connected to an endpoint first?

Also on my last restart I am not getting blocked to network access, GlobalProtect has a connection failed message!!!!! 

L6 Presenter

Yes... I had this same problem. So the GP client says it caches the previous configuration, including the internal host detect, but that only seems to work on network switches and it does not work reliably after long disconnects or rebooting the PC. Instead the GP client always tries to connect back to the portal to get an updated client config before it will attempt to do internal host detection. This make the user have to log into the portal, even when internally connected.

 

So in order to make it useable in an always-on scenario, where you want internal corporate/Wifi networks to just work without user interaction, you need to make the portal login automatic (the gateway login, where you actually pass VPN traffic through, can remain with required user-supplied credentials). There are a couple ways to do this. You could make the external portal not require any authentication, though that isn't ideal for obvious reasons. You could also make a separate internal portal without auth and set your internal DNS to point to it instead of the external portal (which remains with auth required).

 

The solution I chose was to use certificate-based authentication on the external portal, instead of user-based. The GP client connects to the portal address and uses an internal CA signed certificate (user or machine) to log into the portal and download the GP config without any user interaction. This means only corporate assets can connect to the portal, download GP client updates and configs. The GP client can then run the internal host detection in the config and if found it goes directly to "Internally Connected" without user interaction. If the internal host detection fails then the GP client goes to the gateways listed in the config (which required user/pass/MFA credentials).

 

Note: If you do use certificate authentication on the portal and user authentication on the gateway, the portal and gateway must be on different IPs, otherwise the gateway authentication config partially overwrites the portal config on the TCP/443, resulting in the portal cert-only authentication not working...

Thanks for tips Adrian,

Quick question though, how do you configure a portal for no authentication. I have setup an internal portal however i still get prompted for username and password. If i configure a client authentication on the portal i can then login ok.

But I need to to just not prompt for username and just detect its on an internal network.

Cyber Elite
Cyber Elite

@rossm,

When going for an always-on connection, I'd highly recommend using certificate authentication on at least the portal. 

L6 Presenter

 

@rossm 

You are required to use an authentication profile on the Portal (user and/or cert). There are a couple was to fudge no authentication after an initial connection (using saved creds/cookies/etc.), but it is a bad idea for obvious reasons. So I haven't put much work into it.

 

Ideally you want to use a machine or user certificate for the Portal login. That will allow your clients to be transparent in the connecting to the Portal, while protecting you from unauthorized clients download the GP client and/or config off the Portal.

 

So I have got myself a little confused with the whole setup.

Originally I had an external portal and gateway. When a user is at home they launch the GP app and are prompted for a username and password to connect - All great.

I have now configured a new Internal Portal and have set the authentication to user name or certificate, but when connecting my laptop to my internal network I get prompted for a username and password. 

So what I am ultimately looking to achieve is. Always on VPN for when the user is offsite outside our network. But when they are back on our network Internal Host Detection kicks without interaction from the user.

 

I am close to achieving this but I am still required to login even when connected to the internal network - Once logged in it detects the internal network.

  • 3011 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!