04-16-2019 06:12 PM - edited 04-16-2019 06:35 PM
Hi all, we are replacing our aging ASA VPN with the new PA GlobalProtect. ASA has a path of someurl.com/path rather than just a default someurl.com. Makes it a bit harder for the bad guys to guess. Is PA capable of creating a path, rather than a default url?
thank you in advance for the help
Regards
04-16-2019 10:28 PM
Not really, no.
Generally speaking it would be best practice to use a totally unrelated domain for the company/organization the remote access is for.
For example, it wouldn't be advisable for CompanyA to use...
eg "remoteaccess.companya.com"
Something generic that could not be traced back to the CompanyA in question would be much more advisable. Also the use of a top level domain that doesn't require it to be registered to a legitimate organisation if you want to be really paranoid....
eg. "tasty.spacechicken.systems"
Obviously something more appropriate than that, but you get the idea 🙂
04-17-2019 07:54 AM
Hello @El-ahrairah ,
That is one cool domain ;)!
04-17-2019 11:24 AM
@au_igs wrote: Hi all, we are replacing our aging ASA VPN with the new PA GlobalProtect. ASA has a path of someurl.com/path rather than just a default someurl.com. Makes it a bit harder for the bad guys to guess. Is PA capable of creating a path, rather than a default url?
thank you in advance for the help
Regards
I think this is easier than you think, or perhaps I'm not understanding. I just went through swapping out ~6,000 laptops from AnyConnect to GP.
For GP you define the DNS name so there's not really a common path that an external entity could guess would be your company's GP portal.
04-17-2019 03:28 PM
that's a great idea, but then we'd need to register a new domain. Then we'd need to buy a new domain in Entrust for the certificate to match the new zone. All doable but sort of not thought of before.
Our 10 year old ASA could do it no dramas.
thank you though. I really do appreciate your replies and help
04-18-2019 07:51 AM
@El-ahrairah wrote: Also the use of a top level domain that doesn't require it to be registered to a legitimate organisation if you want to be really paranoid....
... and don't use anything "better" than a domain validation certificate - self signed would be good too if all the devices that connect are under your control 😉
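The last two replies make the same point from two sides: the portal is identified by the DNS name you choose, and if every connecting device is under your control a self-signed certificate is enough, because you can hand the clients the exact certificate to trust instead of relying on public CAs. The Go program below is an added example written for this thread, not code from the thread, from Palo Alto Networks, or from the GlobalProtect agent, and it says nothing about how that agent validates certificates internally. It models a generic managed TLS client: it generates a self-signed certificate for a constructed placeholder hostname, prints the SPKI pin an administrator would distribute with it, and then verifies a presented certificate against a trust store that contains only that one certificate, so a wrong name or a second self-signed certificate for the same name is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// newSelfSignedCert builds a self-signed server certificate for host.
// The host names used in this example are constructed placeholders.
func newSelfSignedCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host}, // SAN is what clients match on
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// spkiPin returns the base64 SHA-256 of the SubjectPublicKeyInfo, the value
// an administrator can distribute to managed devices alongside the certificate.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPinned checks a presented certificate the way a managed client should
// when the portal uses a self-signed certificate: the only trust anchor is the
// certificate the administrator distributed, and the SAN must cover host.
func verifyPinned(presented, trusted *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := presented.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	portal, err := newSelfSignedCert("vpn.example.invalid")
	if err != nil {
		panic(err)
	}
	fmt.Println("pin to distribute:", spkiPin(portal))
	fmt.Println("same cert, right name:", verifyPinned(portal, portal, "vpn.example.invalid"))
	fmt.Println("same cert, wrong name:", verifyPinned(portal, portal, "other.example.invalid"))
	// A second self-signed certificate for the same name, as a rogue endpoint
	// would present, is not in the trust store and must fail verification.
	imposter, _ := newSelfSignedCert("vpn.example.invalid")
	fmt.Println("other self-signed cert, same name:", verifyPinned(imposter, portal, "vpn.example.invalid"))
}
```

The design choice worth noting is that the client never consults the system root store at all: with a single distributed certificate as the only root, a publicly trusted certificate issued for the same name by any CA would also be rejected, which is the property that makes the self-signed option acceptable only when you control every client.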