We have had our Palo 3020 along with GlobalProtect for about a year now, and we continue to struggle with all sorts of GP issues. I'm curious to know how are you all using GlobalProtect?
One issue - Our strategy was to use GlobalProtect as an Always-On connection, as we've invested in Palo's URL filtering and solely use that for URL inspection. Because of this, we do not use split tunneling and send all traffic, including inordinate amounts of DNS requests, through the Palo. This has proved to be cumbersome at best, and ensuring GP is always connected using SSO and Windows 10 machines is a challenge, which translates into security concerns because users may not always be connected for a variety of reasons.
Are any of you using GlobalProtect and URL filtering in this way?
We use GP always on. SSO was troublesome. Have switched to cert auth.
Our AD issues user certs to all domain members.
We have a copy of the AD root cert on the Palo.
1 portal and 6 gateways. 4500 users... No problem whatsoever..
However.. this is only permitted for us with disk encryption. (Pin to unlock).
Hmm... I need to look into this. Yes, SSO is a mess. We've personally reported 2 issues recently that have warranted bug IDs from Palo.
We use machine certs for pre-logon strictly so users can change their domain passwords when they expire. This has also proved to be a nightmare from a management standpoint.
Are you routing all traffic from your Always On clients through GP?
We are at a point where we need to make a decision on how we want to deploy GP. I voted against always on vpn because I don't like the idea that the laptop is the identifier. What I mean is that if GP issues a machine cert then that laptop is the identifier and not the actual user because of a cert on a machine. To me that's a security risk.
So if I am to deploy always on vpn then I would need to have a user not only authenticate via a machine cert on a laptop but I would also require the user to MFA using something like OTP for example. What would be the reason for always on vpn? I see it as a big hit to our environment because I am essentially passing all vpn traffic back through the corporate network all the time. If I am to go with always on vpn then I would need assurances that it is not going to be a management nightmare or a security nightmare due to performance issues with the firewall fulfilling all kinds of requests for the users.
I do like the always on vpn and I do like the ability to granular control of what users can access. But how would I do that? I would need to create security groups on the fw which means I would manually enter all this information into the fw and then connect to ldap/AD to integrate the users to the groups. To me that's a huge undertaking. We purchased the PAs now it's time to put them to use but I am having a hard time finding strategy and best practices by searching the web for what is the most secure way to implement GlobalProtect? What is the most secure and efficient way to implement GlobalProtect is what I should ask?
I am not sure how large your environment is but we are fairly large and I am afraid that all of this will just break and I can just see the continuous open tickets and the nagging and the complaining about why their vpn doesn't work 🙂 Yeah if I can just figure out the best way moving forward that would be great. I think I might create a subject to have answers from the community.
Thank you kindly
We have always on GP we use SSO and Cert.
We manually insert a computer cert into each machine
Note the comment about the cert and it identifying a laptop, not a user.
The way GP SSO works is that the currently logged in user is registered with GP.
So a laptop with no user is logged in as nouser (can't remember the actual name right now).
If I log in, GP registers me as the user.
If I switch (not log out) to my admin account, GP registers my admin account.
So yes, the cert tracks a laptop, but GP tracks the currently logged in user.
Now, in theory, when I switch to my admin account, my normal account in the background could connect as though it was my admin account!
We also use internal gateways - to remove the IPSEC/VPN SSL encapsulation - this works well as well.
But I do use split tunnel - for O365 access.
also we use the DNS proxy on the PA's as well.
I treat GP vpn IP addresses as internal addresses.
Also if you have licensing you have access to HIP info as well.
It works for us!
@MichaelKaishar , Hi.
you really need to think about how your users work and how high your security levels are before anybody can assist here.
@Alex_Samad's solution works well but not for us, as we do not allow split tunneling. Also... if your users are allowed to connect to your LAN then why bother with any policies? As Alex stated, they are just LAN users, so treat them the same...
We have "user" certificates issued by AD, not "machine" certs, and this is the only authentication we have, so the user has no input for VPN. However, we do have a strict laptop password regime and devices also require a user PIN for BitLocker encryption.
As per Alex, once connected they have open access to the LAN just as if they were connected locally.
FYI, we have over 8k staff (approx) and over 5k connections per day and hardly ever receive calls for connection failure, and of course no calls for access to apps etc. as the LAN is open.
everybody will have a different setup for different reasons but at least we have choices.
Thank you for the informative response.
I do have follow up questions in regards to your setup. You stated that you're using user certs. I don't understand. So once a user logs into their laptop they automatically are part of the LAN as if they're in the office? And this is without any type of challenge except for the domain\username + the user's password? Essentially you've done a pre-logon, is that correct?
For example, the employee is working from home. They would just login into their laptop using their domain credentials and they're instantly part of the corporate LAN? I'm trying to think through this and wondering about the security concerns.
For us that would be a big issue since our industry is financial. I would probably have a combination of factors. I would take into account the user experience. I would have the certs, the windows credentials plus some form of OTP. Because if I am remote and someone steals the laptop they would need more than just the credentials to get onto the network. But I can see why some companies would implement the same way you have it implemented so that the user experience is transparent but you're right we have to figure out our requirements.
OK yes you have the correct concerns.
We used to have OTP as we are of a similar nature, but not now, and if the laptop is stolen then the user needs to know the very strict password and also the user's 8-digit PIN, of which they only have 3 attempts.
that was deemed secure enough for our network and has never been compromised.
So to confirm.... we do not use pre-logon. It will not work for us as the user wifi will only join when a user has logged in.
So to confirm-2: the user switches the laptop on, the 8-digit PIN needs to be entered, windoze then boots up, the user logs in with username + password, wifi joins a known SSID in the user profile or the user joins a new SSID, GP detects the network change and attempts to connect automatically. No user intervention.
If you are using OTP for additional security then go for it, but if it's just for user ID then use user cert or SSO.
also... we do use OTP still for non domain users, and policies restrict them to certain areas.