06-16-2023 06:43 AM
Hello -
Is there anyway to get visibility if someone adds a Portal Address to the Managed Portals within GlobalProtect?
06-16-2023 06:47 AM - edited 06-16-2023 06:47 AM
On a Windows endpoint it'll show up in the registry under HKEY_CURRENT_USER\Software\Palo Alto Networks\GlobalProtect\Settings with each portal having it's own key. On a Mac endpoint it'll show up in the plist file, but I forget where it's located off hand.
06-16-2023 06:57 AM
@BPry Thanks for the quick reply. I was hoping there would be some way via Panorama I could find any Portal not authorized, if that makes sense. Otherwise, I'm at the mercy of the Windows team or some other method of crawling the devices registry for any Portal not intended.
06-16-2023 07:06 AM
You won't have that capability directly built into the firewall. I think the best way you could accomplish this on the firewall would be using a custom check against HKEY_CURRENT_USER\Software\Palo Alto Networks\GlobalProtect\Settings and pulling the value of LastUrl with your expected portal(s).
This would allow you to build out a hip-profile that checks for devices that don't match one of those hip-objects, as this would denote that the endpoint in question is using a non-approved address. If you simply just don't want to allow a user to change the portal address however, you could just set the 'Allow User to Change Portal Address' app setting to No.
06-16-2023 07:11 AM
@BPry Or is there a way to limit the number of Portals to predefined ones?
06-16-2023 07:22 AM
I'm not aware of a way to pre-specify portal addresses while also not allowing someone to add another portal address. You can pre-specify multiple portal addresses by GPO and updating the registry keys that I specified above, but I don't think you could allow them to change between portal addresses without also giving them the option to specify a new one completely without restricting registry key creation for a normal user account.
06-16-2023 07:36 AM
@BPry I just tested and that only populates on a successful connection.
06-16-2023 07:51 AM
Correct. That value is just the last portal address utilized. When you add a new portal the associated registry add would be a new key under \HKEY_CURRENT_USER\Software\Palo Alto Networks\GlobalProtect\Settings, however I can't think of an easy way to utilize a HIP check to validate that there isn't an unexpected key present. That's why I'd use the LastUrl value.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
