URL Filtering for Roaming Devices


L0 Member


It's my first post on the forum here. I've been working with PA products in the enterprise for about 2 years. 


Just out of curiosity, what are organizations doing for company-owned roaming device URL filtering (if at all)? Obviously one option is to use GlobalProtect with an always-on VPN. However, the drawback for us is that it would require significant bandwidth and additional distributed hardware. The organization I work for is globally distributed with users spread out in almost every region. Internet bandwidth and private WAN bandwidth at the head end(s) is a significant factor.


Some other solutions we are considering are anti-virus agent-based platforms that include a URL filtering component. There are other cloud-based products that proxy or use DNS for filtering. Again, just looking for general feedback on what others are doing successfully. Any input is much appreciated.





L6 Presenter

That's what we've seen.


MPLS is going away, so to speak; the reliance on using it for everything is going away. For us, hundreds of Meg/Gigabit INet circuits are relatively cheap, but ingesting all that data comes at an expense.


For our users, they're split-tunneled with specific work traffic coming back to HQ, while general INet traffic goes out their local connections. Using this cloud design works well with a "hybrid networking or an iWAN" solution, as our traditional remote office locations can have the same "funnel the junk" policy direct "to the cloud" via business broadband links while traditional business traffic continues to use the smaller MPLS links.

Cyber Elite


I know that OpenDNS has a small agent that runs on the user's machine and forces them to the 'cloud' for updates and DNS resolution. The drawback is that it only works for things that need DNS resolution, so IPs won't get filtered, obviously. There are other proxy/DNS services out there. It kinda depends on your budget on what you can do.


Hope this helps!

L3 Networker

Look at zscaler?

Thanks for the feedback. I think we may look at both OpenDNS and Zscaler. 


Another challenge is supporting and maintaining several agent-based solutions (AV, VPN, URL, etc). 2 agents is not so bad. It seems like when you get around 3-4 it really starts to be a pain.


I think the best fit for us would be a VPN client + some kind of agent that performs URL and host protection. It's too bad PA doesn't have a client that can do this without having to backhaul traffic to a GP gateway...

Agent bloat is a huge issue, especially when there are multiple agents for the same basic purpose.


While OpenDNS and ZScaler are good platforms, there are other options. Especially if you already have a large scale Cisco routed infrastructure and use ASAs for VPN access, they really have the most mature solution for what you're looking for.


Integrated with the Cisco AnyConnect client there's a plug-in that you can install called Cisco Web Security. At your fixed sites with the appropriate router using DMVPN / IWAN / PFRv2, your fixed clients can use the same cloud web policy that your mobile/VPN clients use with CWS. (No, I'm not a Cisco rep... Yes, my company has over 18 Palo devices from 5060s down to PA200s.) Cisco just has a better solution for cloud-based filtering.
