04-10-2013 01:13 AM
Hi, all,
Normally, "Advanced View" in the GlobalProtect client is locked if I configure the GlobalProtect Portal to cancel the "Enable advanced view" option, and the client checks the GlobalProtect portal information automatically after rebooting, so that the client user cannot modify the settings easily.
But after GlobalProtect version 1.1.6, I found it is not checked automatically after rebooting and the client user can modify the settings; the client must connect to the GlobalProtect gateway one time, and then "Advanced View" will be locked. The situation is also found in version 1.2.x (e.g. version 1.2.2). It's an issue of security control for my customer.
Is it normal, or a bug?
How do I fix it? Or do I need to open a case to report it?
Thanks,
Sample Wu
04-10-2013 02:06 PM
Are you using on-demand or SSO?
04-10-2013 06:20 PM
Hi, sraghunandan,
I used "On Demand" mode,
Thanks,
Sample Wu
04-10-2013 06:42 PM
I think it is working as expected now. With On-demand, the GlobalProtect agent will not automatically connect to the gateway. Instead, the user will have to manually connect to the gateway by clicking to connect on the agent icon.
So in your case, after a reboot the client won't connect to pull up the config; instead, the user has to initiate a connection, after which we will pull up the latest config.
04-10-2013 07:51 PM
Hi, sraghunandan,
I got it. So the behavior changed between 1.1.5 and 1.1.6 so that the client will not initiate a connection with the gateway automatically, right? If yes, I think it's working as expected, as you said.
As a workaround, could I enable both "On Demand" mode and "SSO" mode so that a connection with the gateway is initiated after every reboot?
Thanks,
Sample Wu
04-11-2013 09:35 AM
sraghunandan,
I really, really dislike this "feature"... I expressed this in a case I had open as well because I originally thought it was a bug (Case #00107848 - "GlobalProtect advanced mode is enabled after a reboot, even though it is disabled in the portal settings").
I realize it's "by design," but in my humble opinion 'Advanced mode' should default to disabled until the next successful port auth/VPN auth. After the auth, if 'Advanced mode' is enabled when the client refreshes its config from the server, only then should advanced mode come back on.
I can already foresee that rebooting and then having access to advanced mode would play havoc with a deployment of GlobalProtect for us, as we're forced to use "OnDemand mode" because we have two-factor authentication requirements that we have to enforce.
This issue and other issues we've had are collectively show-stoppers for us implementing GlobalProtect, to the point where my boss has us looking at ASAs in order to move to Cisco's AnyConnect.