Users adding Portals

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Users adding Portals

L4 Transporter

Hello -

Is there anyway to get visibility if someone adds a Portal Address to the Managed Portals within GlobalProtect? 

7 REPLIES 7

Cyber Elite
Cyber Elite

@RobertShawver,

On a Windows endpoint it'll show up in the registry under HKEY_CURRENT_USER\Software\Palo Alto Networks\GlobalProtect\Settings with each portal having it's own key. On a Mac endpoint it'll show up in the plist file, but I forget where it's located off hand. 

@BPry Thanks for the quick reply.  I was hoping there would be some way via Panorama I could find any Portal not authorized, if that makes sense.  Otherwise, I'm at the mercy of the Windows team or some other method of crawling the devices registry for any Portal not intended.

Cyber Elite
Cyber Elite

@RobertShawver,

You won't have that capability directly built into the firewall. I think the best way you could accomplish this on the firewall would be using a custom check against HKEY_CURRENT_USER\Software\Palo Alto Networks\GlobalProtect\Settings and pulling the value of LastUrl with your expected portal(s).

This would allow you to build out a hip-profile that checks for devices that don't match one of those hip-objects, as this would denote that the endpoint in question is using a non-approved address. If you simply just don't want to allow a user to change the portal address however, you could just set the 'Allow User to Change Portal Address' app setting to No. 

@BPry Or is there a way to limit the number of Portals to predefined ones?

Cyber Elite
Cyber Elite

@RobertShawver,

I'm not aware of a way to pre-specify portal addresses while also not allowing someone to add another portal address. You can pre-specify multiple portal addresses by GPO and updating the registry keys that I specified above, but I don't think you could allow them to change between portal addresses without also giving them the option to specify a new one completely without restricting registry key creation for a normal user account.

@BPry I just tested and that only populates on a successful connection.

Cyber Elite
Cyber Elite

@RobertShawver,

Correct. That value is just the last portal address utilized. When you add a new portal the associated registry add would be a new key under \HKEY_CURRENT_USER\Software\Palo Alto Networks\GlobalProtect\Settings, however I can't think of an easy way to utilize a HIP check to validate that there isn't an unexpected key present. That's why I'd use the LastUrl value.

  • 1688 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!