GlobalProtect VPN "Always On"

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

GlobalProtect VPN "Always On"

L1 Bithead

Hello,

 

We are currently migrating from Cisco AnyConnect to a GlobalProtect solution that is hosted on an Azure cloud VM and really like the "Always On" feature. The only set back we have noticed is there is no way to manipulate it to only connect when not on an internal LAN. We had manipulated DNS in the past to disable internal users from connecting to our VPN, but with the GlobalProtect client it will display an error message. We are trying to avoid having our end users notice this. 

 

Thank you any assistance is appreciated.

1 accepted solution

Accepted Solutions

Right, you can enable internal host detection (e.g. your domain controller).

If your client is connected to your internal network, you can tell him to connect to an internal global protect gateway.

 

There you can define e.g. user id and no tunnel configuration.

That is more secure than doing WMI probing or AD logs

Best Regards
Chacko

View solution in original post

6 REPLIES 6

L4 Transporter

you can set an external gateway in the agent config.

A tunnel will be only established, if you are outside of your lan.

As an internal gateway you can configure Globalprotect to act as an user-id collector

Best Regards
Chacko

The tunnel will always establish if the gateway is reachable, which it is since the host sits in Azure. We have modified DNS to not resolve the gateway when on the LAN, but the client will display an error message stating it cannot connect. I am not seeing anything within the configuration to state only connect if not on the domain/local network. Am I missing something? Again any help is appreciated.

can you post/describe your agent config on the portal?

Do you tried to define the internal host detection to connect to an internal gateway instead?

Best Regards
Chacko

Thank you for your replies, it is much appreciated.

 

As of right now we have done nothing to tweak the agent configuration and is using the default setup with SSO authentication. 

 

We do not actually have any PaloAlto gateways internally at the moment. As of right now we only have the 1 Azure VM firewall. From what I understand we would need an interface from a PaloAlto internally to achieve this correct?

 

Forgive me for any ignorance on this. My past experience has been mainly with Pulse and Cisco and am a bit green with GlobalProtect. 

Right, you can enable internal host detection (e.g. your domain controller).

If your client is connected to your internal network, you can tell him to connect to an internal global protect gateway.

 

There you can define e.g. user id and no tunnel configuration.

That is more secure than doing WMI probing or AD logs

Best Regards
Chacko

I think I understand now. I really appreciate your responses on this and pointing me to the correct path.

  • 1 accepted solution
  • 6052 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!