10-25-2017 11:26 AM
Hi,
We are using GlobalProtect with the following agent features:
GlobalProtect Enforce Connection for Network Access enabled and Captive Portal detection enabled with a timeout of 3600 seconds.
However, we can see many cases at some hotels and airports where the actual portal detection is not being recognised by the GlobalProtect agent.
Hence the user cannot access any resources.
Does anybody know how the GlobalProtect agent captive portal detection actually works (cannot find any docs)?
Thank you
Kind regards
Pierrick L
10-26-2017 12:46 PM
I may be wrong, but it's my understanding that the grace period gives the user, not GlobalProtect, a limited time to activate a captive portal.
The user should try to open a website within the time limit and, if a captive portal is available, it will intercept the web connection.
So... in your case... users have 3600 seconds to browse to a website manually before enforcement kicks in.
10-27-2017 12:41 AM
Hi Mick,
Thank you for your reply; yes, you are right, in this case a user will have 3600 seconds to browse the internet.
What we found is that there are many hotels (Marriott for example) that do not rely on the HTTP redirect to send a splash page.
The issue is that the GlobalProtect agent captive portal detection is waiting for the HTTP redirect type 302 message... which never comes.
Kind regards
Pierrick L
10-27-2017 01:47 AM
Sorry, I never realised the expected behaviour of CP detection.
We did have issues when we first used this option but decided to use a proxy.pac file to restrict internet access until GP connected.
Most of our usage is via corporate or home Wi-Fi. For the occasional times a hotel connection is made, the users have a desktop icon “connect to public wifi”. This bypasses proxy settings and opens IE to our corporate web page, the captive portal kicks in, users authenticate, GP detects the route change and connects. Probably no use to you, but it is another option to enforce connection-only traffic.
Please update if you find a solution.
10-27-2017 01:57 AM - edited 10-27-2017 01:59 AM
Hi Mick,
This is interesting, thank you for this. Indeed it could be a potential solution, but I will need to investigate the .pac file option further since it will require a change to the original design.
I will keep the post updated as soon as I get more feedback from PA.
Kind regards
Pierrick L
10-27-2017 02:09 AM
OK, the pac option was easy for us as we used it prior to using GP to restrict access.
It's a basic setup:
proxy = 1.2.3.4 (obviously non-existent)
allow = global portal and gateways direct
if internal host is detected = send all traffic direct (this part sends all traffic direct when GP has connected).
Obviously not the correct syntax and not everyone's cup of tea, but it works for us on both Windows and iPad.
To be honest... I would rather let GP do all the work and would be happy to see the pac file go, as it's a workaround and somewhat dated.
10-30-2017 03:19 AM
Hi Mick,
Thank you for these details. Technically, using a .pac could be a workaround, even though it looks to be an old approach; I need to see as well how I could make use of it in our environment.
Agreed, it would be much better if Palo Alto could efficiently support GlobalProtect behind hotel proxies.
Kind regards,
Pierrick L
11-03-2017 06:48 AM
Hi,
Just to let you know that Palo Alto TAC is still looking into this issue/limitation.
Kind regards,
Pierrick L
11-03-2017 07:04 AM
Many thanks for the update.
Do you have any good links on how this actually works? I know what it's meant to do, but the best description of how it actually works came from you...
I would like to understand the process from start to finish and also was wondering if the page was returned via HTTPS so GP could not see what was needed...
You may guess by my previous statement that I really do need to understand the enforce connection process.
Many thanks.
11-03-2017 07:16 AM
Hi Mick,
Based on the current PANGPS.log and Wireshark trace, we can see that the GlobalProtect agent is waiting for an HTTP redirect message (type 302) coming from the proxy.
As soon as the agent receives the 'HTTP redirect' message, local network resources are enabled and you can reach the captive portal.
What I believe is that this agent function is not supported behind any transparent proxy.
Some hotels rely on transparent proxies to provide internet access for their customers.
I hope Palo Alto would be able to provide more information on whether this function is fully supported behind hotel/airport proxies, or any other alternative.
Kind regards,
Pierrick L
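To make the behaviour Pierrick describes concrete, here is an added example (not GlobalProtect code and not from Palo Alto) of a redirect-based captive-portal probe classifier and of the case it misses. The probe URL, the expected body marker and the three sample responses are constructed; the point is that a portal which answers with a 302 is detected, while a transparent proxy that serves the splash page itself with a 200 never produces the redirect the agent waits for, and only a comparison of the body against the expected marker catches it.

```javascript
// Added example: classify an HTTP response to a connectivity probe.
// Not GlobalProtect code; probe target, marker and samples are constructed.

var PROBE_URL = "http://connectivity-check.example.invalid/probe"; // hypothetical probe target
var EXPECTED_BODY = "OK"; // what the real probe target returns on an open network

// `resp` is a constructed object: { status, headers: { lowercase-name: value }, body }.
function classifyProbe(resp) {
  var status = resp.status;
  var headers = resp.headers || {};
  var body = (resp.body || "").trim();
  var probeHost = new URL(PROBE_URL).host;

  // Case 1: classic captive portal, answers with a 3xx redirect to its login page.
  // This is the signal the thread observed the agent waiting for.
  if (status >= 300 && status < 400 && headers["location"]) {
    var target = new URL(headers["location"], PROBE_URL);
    if (target.host !== probeHost) {
      return { state: "captive-portal", method: "redirect", portal: target.origin };
    }
  }

  // Case 2: the probe reached the real target and got the expected marker back.
  if (status === 200 && body === EXPECTED_BODY) {
    return { state: "open", method: "body-match", portal: null };
  }

  // Case 3: a transparent proxy served the splash page itself (HTTP 200 with
  // unexpected content, or a 511 Network Authentication Required). No redirect
  // is ever sent, so logic that only watches for a 302 never fires here.
  if (status === 511 || (status === 200 && body !== EXPECTED_BODY)) {
    return { state: "captive-portal", method: "no-redirect", portal: null };
  }

  // Anything else (5xx, empty answer): report unknown rather than unblock access.
  return { state: "unknown", method: "none", portal: null };
}

// Constructed sample responses for the situations discussed in the thread.
var SAMPLE_REDIRECT = {
  status: 302,
  headers: { location: "https://portal.hotel.example/login?redir=probe" },
  body: ""
};
var SAMPLE_OPEN = { status: 200, headers: { "content-type": "text/plain" }, body: "OK\n" };
var SAMPLE_TRANSPARENT = {
  status: 200,
  headers: { "content-type": "text/html" },
  body: "<html><body><h1>Welcome, please accept the terms</h1></body></html>"
};
var SAMPLE_511 = { status: 511, headers: { "content-type": "text/html" }, body: "<html>Sign in</html>" };

function runSamples() {
  return {
    redirect: classifyProbe(SAMPLE_REDIRECT),
    open: classifyProbe(SAMPLE_OPEN),
    transparent: classifyProbe(SAMPLE_TRANSPARENT),
    authRequired: classifyProbe(SAMPLE_511)
  };
}

console.log(JSON.stringify(runSamples(), null, 2));
```

Note that the body-comparison path only works for a plain-HTTP probe: if the probe target is HTTPS, a transparent proxy cannot rewrite the page without breaking the TLS handshake, which is the situation Mick asks about above; the handshake simply fails and the probe falls into the "unknown" branch.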
11-29-2017 02:44 AM - edited 12-04-2017 01:59 AM
This case was escalated to Palo Alto TAC 3 weeks ago and is now closed with no resolution/solution.
So far, Palo Alto TAC has not been able to provide any valuable feedback nor to solve the connectivity issue related to the use of the GlobalProtect agent with the enforce connection option enabled behind any transparent hotel/airport... proxies.
They simply point the issue to the hotel or airport providers, which is of course not an acceptable answer.
Until Palo Alto can provide a fix for the usability of the GlobalProtect 'enforce connection for network access' feature, I will not implement this option.
Kind regards,
Pierrick L