07-02-2020 07:12 PM
(posted this in the global protect forum, but this seems to get more traffic, and maybe more suggestions, so I moved it here)
So I'm about due to retire my old 3050's and upgrade to 3250's - and this time I've convinced management to buy me the global protect subscription by pointing out that the changes in the way it operates after software version 8.1 remove the ability to split-tunnel for remotes, and would add load to the edge - so I win. Previously, I've just run with no license, and run the portal/gateway on the one box without any of the bells and whistles.
But what can I do with the subscription license? Things I want to consider.
1. Run two gateways - one for company PC's with pre-login enabled, and one for non-company PC's which just uses the old fashioned way of logging in. Can I do this on the same physical hardware by creating two portals (I have multiple external IP's I can bind to the outside interface of the firewall), or won't that work?
2. Create some kind of jump page or remote access page for users to login to selected apps/services without using the VPN client. Is that what Palo Alto call "clientless VPN"?
What other nifty stuff can I do with this new found power? Can someone point me to decent how-to's for making this kind of stuff work?
Thanks
07-03-2020 03:03 AM
Here is feature list https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-overview/about...
Generally licenses are needed:
- mobile devices
- higher security - HIPS check
- clientless
1. No, ip should be binded to interface. U can acheive it by configuring portal with loopback and NAT
2. Yes, exactly
07-03-2020 03:03 AM
Here is feature list https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-overview/about...
Generally licenses are needed:
- mobile devices
- higher security - HIPS check
- clientless
1. No, ip should be binded to interface. U can acheive it by configuring portal with loopback and NAT
2. Yes, exactly
07-04-2020 06:06 AM
Honestly before you do anything else, I would recommend setting up HIP checks to ensure endpoint compliance and securing any critical workloads with HIP match requirements. So something like file server access should require that the endpoint is actually up-to-date and that it has some form of antivirus installed.
This is more important now that we have so much WFH across most of the world and a record number of BYOD endpoints being used on enterprise networks. You want to make sure that those endpoints don't bring something into your network, and HIP checks allow you to do that if configured correctly.
07-06-2020 08:54 AM
@pawelzwierz wrote:
Here is feature list https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-overview/about...
Generally licenses are needed:
- mobile devices
- higher security - HIPS check
- clientless
1. No, ip should be binded to interface. U can acheive it by configuring portal with loopback and NAT
2. Yes, exactly
To add to what @pawelzwierz and @BPry mentioned. Palo in the "unlicensed" version of GP provides a robust client based VPN. There's really not anything lacking in this posture. In the unlicensed version there's no restrictions on capacity or throughput HIP even works for alerting and awareness.
HIP enforcement however comes in the licensed version. The clientless VPN portal also needs a license which is something you said you're looking for. I think these two features alone should be able to help you justify the license purchase.
07-16-2020 07:17 PM - edited 07-16-2020 07:18 PM
@BPry wrote:Honestly before you do anything else, I would recommend setting up HIP checks to ensure endpoint compliance and securing any critical workloads with HIP match requirements. So something like file server access should require that the endpoint is actually up-to-date and that it has some form of antivirus installed.
This is more important now that we have so much WFH across most of the world and a record number of BYOD endpoints being used on enterprise networks. You want to make sure that those endpoints don't bring something into your network, and HIP checks allow you to do that if configured correctly.
Hi @BPry
I've already got that on my radar, definitely. That's one of the major reasons (along with client-less VPN) I purchased the subscription when I got the new firewalls.
07-16-2020 07:20 PM
@pawelzwierz wrote:Here is feature list https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-overview/about...
Generally licenses are needed:
- mobile devices
- higher security - HIPS check
- clientless
1. No, ip should be binded to interface. U can acheive it by configuring portal with loopback and NAT
2. Yes, exactly
In regard to point 1 - what if I bind a second IP address to the interface - can I run one portal on one IP address, and another on he second?
Thanks
07-16-2020 07:24 PM
@Brandon_Wertz wrote:
@pawelzwierz wrote:Here is feature list https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-overview/about...
Generally licenses are needed:
- mobile devices
- higher security - HIPS check
- clientless
1. No, ip should be binded to interface. U can acheive it by configuring portal with loopback and NAT
2. Yes, exactly
To add to what @pawelzwierz and @BPry mentioned. Palo in the "unlicensed" version of GP provides a robust client based VPN. There's really not anything lacking in this posture. In the unlicensed version there's no restrictions on capacity or throughput HIP even works for alerting and awareness.
HIP enforcement however comes in the licensed version. The clientless VPN portal also needs a license which is something you said you're looking for. I think these two features alone should be able to help you justify the license purchase.
There is, actually, in unlicensed - once you install software above the 8.0 series on the firewall, you lose the ability to split-tunnel in the unlicensed version of global protect - something which is critical to my installation.
I've already got the license - I don't need to justify it - I just want to get the most out of it when I get the firewalls actually installed. HIP enforcement is the first thing on my list, for sure.
Thanks for your input
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
