What can I do with a Global Protect subscription?

L4 Transporter

(posted this in the global protect forum, but this seems to get more traffic, and maybe more suggestions, so I moved it here)

 

So I'm about due to retire my old 3050s and upgrade to 3250s - and this time I've convinced management to buy me the Global Protect subscription by pointing out that the changes in the way it operates after software version 8.1 remove the ability to split-tunnel for remotes, and would add load to the edge - so I win. Previously, I've just run with no license, and run the portal/gateway on the one box without any of the bells and whistles.

 

But what can I do with the subscription license? Things I want to consider.

 

1. Run two gateways - one for company PCs with pre-logon enabled, and one for non-company PCs which just uses the old-fashioned way of logging in. Can I do this on the same physical hardware by creating two portals (I have multiple external IPs I can bind to the outside interface of the firewall), or won't that work?

 

2. Create some kind of jump page or remote access page for users to login to selected apps/services without using the VPN client. Is that what Palo Alto call "clientless VPN"?

 

What other nifty stuff can I do with this new found power? Can someone point me to decent how-to's for making this kind of stuff work?

 

Thanks


Accepted Solutions

Here is the feature list: https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-overview/about...

Generally, licenses are needed for:

- mobile devices

- higher security - HIPS check

- clientless

 

1. No, the IP should be bound to the interface. You can achieve it by configuring the portal with a loopback and NAT.

2. Yes, exactly



All Replies
Cyber Elite

@darren.g,

Honestly before you do anything else, I would recommend setting up HIP checks to ensure endpoint compliance and securing any critical workloads with HIP match requirements. So something like file server access should require that the endpoint is actually up-to-date and that it has some form of antivirus installed.

This is more important now that we have so much WFH across most of the world and a record number of BYOD endpoints being used on enterprise networks. You want to make sure that those endpoints don't bring something into your network, and HIP checks allow you to do that if configured correctly. 

Cyber Elite


@pawelzwierzynski wrote:

Here is the feature list: https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-overview/about...

Generally, licenses are needed for:

- mobile devices

- higher security - HIPS check

- clientless

 

1. No, the IP should be bound to the interface. You can achieve it by configuring the portal with a loopback and NAT.

2. Yes, exactly


To add to what @pawelzwierzynski and @BPry mentioned: Palo, in the "unlicensed" version of GP, provides a robust client-based VPN. There's really not anything lacking in this posture. In the unlicensed version there are no restrictions on capacity or throughput; HIP even works for alerting and awareness.

 

HIP enforcement, however, comes in the licensed version. The clientless VPN portal also needs a license, which is something you said you're looking for. I think these two features alone should be able to help you justify the license purchase.

L4 Transporter


@BPry wrote:

@darren.g,

Honestly before you do anything else, I would recommend setting up HIP checks to ensure endpoint compliance and securing any critical workloads with HIP match requirements. So something like file server access should require that the endpoint is actually up-to-date and that it has some form of antivirus installed.

This is more important now that we have so much WFH across most of the world and a record number of BYOD endpoints being used on enterprise networks. You want to make sure that those endpoints don't bring something into your network, and HIP checks allow you to do that if configured correctly. 


Hi @BPry 

 

I've already got that on my radar, definitely. That's one of the major reasons (along with client-less VPN) I purchased the subscription when I got the new firewalls.

L4 Transporter


@pawelzwierzynski wrote:

Here is the feature list: https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-overview/about...

Generally, licenses are needed for:

- mobile devices

- higher security - HIPS check

- clientless

 

1. No, the IP should be bound to the interface. You can achieve it by configuring the portal with a loopback and NAT.

2. Yes, exactly


In regard to point 1 - what if I bind a second IP address to the interface - can I run one portal on one IP address, and another on the second?

 

Thanks

L4 Transporter


@Brandon_Wertz wrote:

@pawelzwierzynski wrote:

Here is the feature list: https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-overview/about...

Generally, licenses are needed for:

- mobile devices

- higher security - HIPS check

- clientless

 

1. No, the IP should be bound to the interface. You can achieve it by configuring the portal with a loopback and NAT.

2. Yes, exactly


To add to what @pawelzwierzynski and @BPry mentioned: Palo, in the "unlicensed" version of GP, provides a robust client-based VPN. There's really not anything lacking in this posture. In the unlicensed version there are no restrictions on capacity or throughput; HIP even works for alerting and awareness.

 

HIP enforcement, however, comes in the licensed version. The clientless VPN portal also needs a license, which is something you said you're looking for. I think these two features alone should be able to help you justify the license purchase.


There is, actually, in unlicensed - once you install software above the 8.0 series on the firewall, you lose the ability to split-tunnel in the unlicensed version of Global Protect - something which is critical to my installation.

 

I've already got the license - I don't need to justify it - I just want to get the most out of it when I get the firewalls actually installed. HIP enforcement is the first thing on my list, for sure.

 

Thanks for your input
