I searched through previous threads to see what the best practices are for securing GlobalProtect, but the only thread I saw was dated and didn't have too much information. Could anyone share what their best practice is with setting up GlobalProtect? I'm currently using Cisco AnyConnect and would like to transition to GlobalProtect. My environment is around 7500 hosts; we have 2 PA-5250 in an HA configuration with numerous VM-300 firewalls as well. Currently GlobalProtect is working for a small test group, but I need to secure the configuration before I deploy it to the masses. We do use RSA 2FA and I plan on having multiple groups depending on their access requirements. Other than the usual (no split tunneling, but need to allow local LAN access for some), I'm looking for ideas to ensure I'm doing this securely.
From what you have described so far...
use RSA to authenticate to portal on HA pair.
use this portal config to generate a cookie for gateway auth. (This will prevent passcode re-use or the user waiting for the code to change for gateway auth.)
it may be easier to use the same portal config for all users and use security policies for network access.
if all devices are domain members then also go for device certificates to ensure only domain members can authenticate.
you have the option of setting up a different portal config to either enforce GP or not to resolve local traffic issues.
You could have enforce GP but allow a small group to disable the client.
you have so many options available that it's not easy to suggest what's best...
we have 3k users, always on, no pre logon, proxy.pac file to prevent users browsing if not connected.
we are only able to do this as our users are severely restricted via group policies.
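As an added illustration of the "proxy.pac file to prevent users browsing if not connected" approach above (this is example code written for this page, not the poster's actual PAC file), the script below returns DIRECT for Internet hosts only while the client holds an address from the GlobalProtect pool, and otherwise points the browser at a closed local port so the request fails immediately. It also keeps plain hostnames and RFC 1918 ranges reachable without the tunnel, which covers the "allow local LAN access" requirement from the question. The pool range 10.200.0.0/16 and the blackhole address 127.0.0.1:9 are assumptions; change them to match your gateway's IP pool. The decision is factored into decide(), which takes the client IP as a parameter, so the logic can be run and checked outside a browser; FindProxyForURL() is the entry point the browser calls.

```javascript
// Added example proxy.pac for an "always-on" GlobalProtect deployment.
// Not from the original thread. Assumptions (hypothetical, adjust to fit):
//   - the GP gateway hands clients addresses from 10.200.0.0/16
//   - 127.0.0.1:9 is a closed port, so traffic sent there fails fast
//   - RFC 1918 ranges and plain hostnames are local LAN and stay DIRECT
var VPN_POOL  = "10.200.0.0";
var VPN_MASK  = "255.255.0.0";
var BLACKHOLE = "PROXY 127.0.0.1:9";
// What to return when the tunnel is up. With a full tunnel, DIRECT rides the
// tunnel; use "PROXY proxy.corp.example:8080" if you front Internet access
// with an explicit web proxy (hostname is a placeholder).
var VPN_PROXY = "DIRECT";

// Parse a dotted-quad IPv4 address into an unsigned 32-bit number, or -1 if
// the input is not a well-formed IPv4 address (e.g. a hostname).
function ipv4ToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return -1;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    var octet = Number(parts[i]);
    if (!/^\d{1,3}$/.test(parts[i]) || octet > 255) return -1;
    n = n * 256 + octet;
  }
  return n;
}

// Same semantics as the PAC built-in isInNet(), implemented locally so the
// script can be exercised outside a browser's PAC runtime.
function inNet(ip, net, mask) {
  var a = ipv4ToInt(ip), b = ipv4ToInt(net), m = ipv4ToInt(mask);
  if (a < 0 || b < 0 || m < 0) return false;
  // ">>> 0" keeps the masked values unsigned before comparing them
  return ((a & m) >>> 0) === ((b & m) >>> 0);
}

// True when the client holds an address from the GP pool, i.e. tunnel is up.
function tunnelIsUp(clientIp) {
  return inNet(clientIp, VPN_POOL, VPN_MASK);
}

// Core policy, separated from FindProxyForURL so the client IP is an argument
// rather than coming from the browser-supplied myIpAddress().
function decide(clientIp, host) {
  // Local LAN and intranet names stay reachable whether or not the tunnel is
  // up: plain hostnames (like isPlainHostName()), loopback and RFC 1918 space.
  if (host.indexOf(".") === -1 ||
      inNet(host, "127.0.0.0",   "255.0.0.0")     ||
      inNet(host, "10.0.0.0",    "255.0.0.0")     ||
      inNet(host, "172.16.0.0",  "255.240.0.0")   ||
      inNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // Everything else is Internet traffic: allowed only through the tunnel.
  // With no tunnel, send it to a closed local port so it fails immediately.
  return tunnelIsUp(clientIp) ? VPN_PROXY : BLACKHOLE;
}

// Browser entry point. myIpAddress() is provided by the PAC runtime.
function FindProxyForURL(url, host) {
  return decide(myIpAddress(), host);
}
```

Two caveats a practitioner should keep in mind. First, myIpAddress() on a multi-homed host can return the address of an interface other than the tunnel adapter, so test the PAC on real clients with the tunnel both up and down rather than assuming the pool check fires. Second, a PAC file only constrains browsers that honour it; it is a usability control, not a security boundary, unless proxy settings are locked by group policy so users cannot bypass it, which is the point the reply above makes about restricting users via group policies. Serve the file from a location reachable without the tunnel (a local path or an always-reachable URL), otherwise the browser cannot load it when disconnected.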