GlobalProtect Enforce Connection for Network Access Captive Portal detection

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GlobalProtect Enforce Connection for Network Access Captive Portal detection

L2 Linker

Hi,

 

We are using global protect with the following agent features :

 

GlobalProtect Enforce Connection for Network Access enable and Captive Portal detection enable with timeout of 3600 seconds.

 

Howver we can see many cases at some hotels, and airports where the actual portal detection is not being recognised by Global Protect agent.

 

Hence user cannot access any ressources.

 

Does anybody knows how the global protect agent captive portal detection actually works (cannot find any docs)?

 

Thank you

 

 

Kind regards

 

Pierrick L

 

 

 

 

 

 

1 accepted solution

Accepted Solutions

Hi Mick,

 

Based on current PANGPS.log and Wiresharks trace, we can see that the Global Protect agent is waiting for an HTTP redirect message type 302 coming from the Proxy.

 

As soon as the agent receive the 'HTTP redirect' message then local network ressource is enable and you can reach the captive portal.

 

What i believe is that this agent function is not supported behind any transparent proxy.

 

Some hotels rely on transparent proxies to provide internet access for their customers.

 

I hope Palo Alto would be able to provide more information on weither this function is fully supported behind hotel/airport proxies, or any other alternative.

 

 

Kind regards,

 

Pierrick L

 

 

 

 

 

 

View solution in original post

10 REPLIES 10

L7 Applicator

I may be wrong but its my understanding that the grace period gives the user, not global protect, a limited time to activate a captive portal.

 

the user should try to open a website within the time limit and if a captive portal is available it will intercept the web connection.

 

so.... in your case... users have 3600 seconds to browse to a website manually before enforcement kicks in.

Hi Mick,

 

Thank you for your reply, yes you are right in this case a user will have 3600 seconds to browse the internet.

 

What we found is that you have many hotels (Marriott for exemple), that do not rely on the HTTP redirect to send a splash page.

 

The issue is that Global protect agent captive portal detection is waiting for the HTTP redirect type 302 message ...which is never coming, 

 

Kind regards

 

Pierrick L

 

 

 

 

Sorry i never realised the expected behaviour of CP detection.

 

we did have issues when we first used this option but decided to use a proxy.pac file to restrict internet access until GP connected.

 

most of our usage is via corporate or home wifi. For the occasional times a hotel connection is made the users have a desktop icon “connect to public wifi”. This bypasses proxy settings and opens IE to our corporate web page, the captive portal kicks in, users authenticate, GP detects route change an connects. Probably no use to you but it is another option to enforce connection only traffic.

 

please update if you find a solution.

Hi Mick,

 

This is interesting, thank you for this, indeed it could be a potential solution, but will need to investigate further the .pac file option since it will require a change to the original design.

 

will keep the post updated as soon as i got more feedback from PA .

 

Kind regards

 

 

Pierrick L

Ok the pac option was easy for us as used it prior to using GP to restrict access.

 

its a basic setup..

 

proxy = 1.2.3.4 (obviously non exist)

allow = globalportal and gateways direct

if internal host is detected = send all traffic direct. (This part sends all traffic when GP has connected).

 

obviously not the correct syntax and not everyones cup of tea but works for us on both windows and ipad.

 

To be honest... i would rather let GP do all the work and would be happy to see the pac file go as its a workaround and somewhat dated.

 

Hi Mick,

 

 

Thank you for these details, technically using a .pac could be a workaround, eventhough it looks to be an old approach, i need to see as well how i could make use of it in our environment.

 

 

Agree would be much more better if Palo Atlo could efficiently support global protect behind hotel proxies.

 

 

Kind regards,

 

 

Pierrick L

Hi,

 

Just to let you know that Palo Alto TAC is still looking on this issue/limitation..

 

Kind regards,

 

Pierrick L

 

 

many thanks for the update.

do you have any good links on how this actually works. I know what it's meant to do but the best description on how it actually works came from you...

 

i would like to understand the process from start to fininsh and also was wondering if the page was returned via https so GP could not see what was needed...

 

you may guess by my previous statement that i really do need to understand the enforce connection process.

 

many thanks.

Hi Mick,

 

Based on current PANGPS.log and Wiresharks trace, we can see that the Global Protect agent is waiting for an HTTP redirect message type 302 coming from the Proxy.

 

As soon as the agent receive the 'HTTP redirect' message then local network ressource is enable and you can reach the captive portal.

 

What i believe is that this agent function is not supported behind any transparent proxy.

 

Some hotels rely on transparent proxies to provide internet access for their customers.

 

I hope Palo Alto would be able to provide more information on weither this function is fully supported behind hotel/airport proxies, or any other alternative.

 

 

Kind regards,

 

Pierrick L

 

 

 

 

 

 

This case has ben escalated to Palo Alto TAC 3 weeks ago and now closed with no resolution/solution.

 

So far, Palo Alto TAC has not been able to provide any valuable feedback nor to solve the connectivity issue related to the use the Global Protect agent with the enforce connection option enable behind any transparent hotel/airports...proxies.

 

They simply point the issue to the hotel or airport providers which is of course not an acceptable answer.

 

Until Palo Alto can provide a fix on the usability of the global protect 'enforce connection for network access' feature i will  not implement this option.

 

Kind regards,

 

Pierrick L

  • 1 accepted solution
  • 8287 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!