New NG PA implementation path URL

L1 Bithead

Hi all, we are replacing our aging ASA VPN with the new PA GlobalProtect. ASA has a path of someurl.com/path rather than just a default someurl.com. Makes it a bit harder for the bad guys to guess. Is PA capable of creating a path, rather than a default URL?

Thank you in advance for the help.

Regards

5 REPLIES

L3 Networker

Not really no.

Generally speaking it would be best practice to use a totally unrelated domain for the company/organization the remote access is for.

For example, it wouldn't be advisable for CompanyA to use...

eg "remoteaccess.companya.com"

Something generic that could not be traced back to the CompanyA in question would be much more advisable. Also the use of a top level domain that doesn't require it to be registered to a legitimate organisation if you want to be really paranoid....

eg. "tasty.spacechicken.systems"

Obviously something more appropriate than that, but you get the idea 🙂

Hello @El-ahrairah ,

That is one cool domain ;)!

L6 Presenter

@au_igs wrote:

Hi all, we are replacing our aging ASA VPN with the new PA GlobalProtect. ASA has a path of someurl.com/path rather than just a default someurl.com. Makes it a bit harder for the bad guys to guess. Is PA capable of creating a path, rather than a default URL?

Thank you in advance for the help.

Regards

I think this is easier than you think, or perhaps I'm not understanding. I just went through swapping out ~6,000 laptops from AnyConnect to GP.

For GP you define the DNS name so there's not really a common path that an external entity could guess would be your company's GP portal.

That's a great idea, but then we'd need to register a new domain. Then we'd need to buy a new domain in Entrust for the certificate to match the new zone. All doable, but sort of not thought of before.

Our 10 year old ASA could do it, no dramas.

Thank you though. I really do appreciate your replies and help.


@El-ahrairah wrote:

Also the use of a top level domain that doesn't require it to be registered to a legitimate organisation if you want to be really paranoid....


... and don't use anything "better" than a domain validation certificate - self-signed would be good too if all the devices that connect are under your control 😉
