04-14-2013 10:37 AM
What I mean by the title of this discussion is that when the GlobalProtect client goes to initiate an SSL VPN session, instead of prompting the user to "cancel or continue," can the client respond to the user with something like "Invalid certificate detected. Due to security concerns your connection cannot be established at this time. Please call the Security Operations Center at 888-555-1212 for assistance with remote VPN connectivity or with any questions."
I'd rather not ask the user to choose, because it's highly likely they'll just click "Continue," opening themselves up for a Man-in-the-Middle attack.
It's trivially easy to do SSL man in the middle nowadays (http://mitmproxy.org/ is one example), so I'd rather them not connect than possibly have their entire VPN session captured by a 'bad guy.'
04-18-2013 10:02 AM
Honestly, Greg, at this point we're looking to buy a pair of ASAs and go the AnyConnect route for remote user VPN access.
If you guys ("you guys" being PA) feel it's useful and a feature that makes sense, I'd ask that you guys go ahead and put in an FR/bug report/whatever for it.
I hate to sound so negative or sour, but GlobalProtect didn't live up to our expectations.