GlobalProtect & SCCM

L2 Linker

Long story short, we purchased GP and configured rules etc. to allow SCCM traffic to and from VPN clients, who are users working from home.

We are struggling to release applications or updates to these users and would like to know if anyone has GP with SCCM configured and working?

Someone mentioned on a Palo FB forum, that pre-logon should be set for SCCM to work seamlessly.

Anyone able to share some info on this?

Cyber Elite

@ColonelHawx,

What specific issue are you actually having in regards to SCCM? Can users not download updates or applications from SCCM at all, or is it just getting stopped because the user isn't on the VPN long enough for SCCM to check in and get everything downloaded?

If you are pushing updates from SCCM, I would switch over to pre-logon so that the device is connected to your internal network and can actually communicate with your SCCM infrastructure without the user actively logged on and connected to the VPN. Just keep in mind that if these are laptops, depending on how your power profile is set up, pre-logon may not actually give you any additional benefit.

Cyber Elite

We've got GP being managed / deployed by SCCM. GP connect method is pre-logon / always on. We've done an initial deployment (4.1.6) 2 years ago, with a recent upgrade to 5.0.7 via SCCM, all without major issue.

Like @BPry mentioned, what are you needing help with?

L2 Linker

@BPry, thanks for the reply. We are just not receiving ANY deployments at all. SCCM is able to see the client, communicate with it, etc. All clients are active when we view the SCCM Console. It just won't deploy, and we ruled out any SCCM issues when we recently deployed a VM on the same subnet which does not have/need the GP client. So now it all points to GlobalProtect.

Cyber Elite

@ColonelHawx,

So that's a completely separate thing then, and switching to utilize pre-logon isn't going to help that issue at all. Just to be sure, have you enabled interzone-default logging or otherwise set up a rule that would log any denied traffic between SCCM and whatever zone you have your GlobalProtect users set up in?

You'll also want to ensure that you've properly set up your boundary groups in SCCM to include GlobalProtect clients. Both of those things would be the first things I would look at.

L2 Linker

Some random config screenshots:

L2 Linker

Thanks, indeed. Boundary Groups were the first things I checked and they are all in order.

Regarding the zones, the GlobalProtect clients are in a different zone from the SCCM primary server, but rules are in place to allow for this:

L2 Linker

I am also seeing A LOT of aged-out TCP (80) traffic. Well, actually almost all of them...

Cyber Elite

Do you see bytes sent and received in the traffic logs?

Try doing a packet capture on the PA where the source is the GP client IP of the PC and the destination is the SCCM server.

You can also check the global counters to confirm that the PA is not dropping the traffic.

Also check your threat logs.

Once you see no drops in the PCAP, and the global counter filter and threat logs show no drop or block, then it is not the firewall.

MP
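The traffic-log check suggested above (bytes in both directions versus aged-out sessions with nothing coming back from SCCM) can be scripted against a CSV export of the PAN-OS traffic log. This is an added example, not code from the thread or from Palo Alto Networks; the column names are the ones I assume a PAN-OS traffic-log CSV export uses, and the client pool and SCCM address are constructed placeholders.

```python
"""Triage PAN-OS traffic-log rows for GlobalProtect client -> SCCM sessions.

Assumed column names: src, dst, dport, action, session_end_reason,
bytes_sent, bytes_received. The rows below are constructed sample data.
"""
import csv
import io
from collections import Counter

# Constructed sample export: GP client pool 10.10.0.0/24, SCCM server 192.168.5.20
SAMPLE_CSV = """src,dst,dport,action,session_end_reason,bytes_sent,bytes_received
10.10.0.15,192.168.5.20,80,allow,aged-out,1240,0
10.10.0.15,192.168.5.20,80,allow,aged-out,980,0
10.10.0.22,192.168.5.20,80,allow,tcp-fin,5120,88320
10.10.0.22,192.168.5.20,10123,allow,aged-out,640,0
10.10.0.15,192.168.5.20,443,deny,policy-deny,0,0
"""


def load_rows(text):
    """Parse a CSV export into a list of dict rows (one per session)."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(row):
    """One-word verdict for a single session row."""
    if row["action"] != "allow":
        # A rule blocked it: start with the policy and the interzone logging.
        return "denied"
    if row["session_end_reason"] == "aged-out" and int(row["bytes_received"]) == 0:
        # Client sent data but nothing ever came back through the firewall:
        # the server never answered, or the return path bypasses the PA.
        return "no-reply"
    if row["session_end_reason"] == "aged-out":
        # Both sides exchanged data; an idle timeout is normal here.
        return "idle-timeout"
    return "ok"


def triage(text, sccm_ip):
    """Count verdicts per (client, port) for sessions to the SCCM server."""
    summary = Counter()
    for row in load_rows(text):
        if row["dst"] != sccm_ip:
            continue
        summary[(row["src"], int(row["dport"]), classify(row))] += 1
    return summary


if __name__ == "__main__":
    for (client, port, verdict), n in sorted(triage(SAMPLE_CSV, "192.168.5.20").items()):
        print(f"{client:>12} :{port:<6} {verdict:<13} x{n}")
```

A cluster of "no-reply" verdicts on the SCCM ports from many clients points at the return path (routing back to the GP pool, or a drop beyond the firewall), which the packet capture and global counters then confirm or rule out.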