Block user from connecting with Global Connect

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Block user from connecting with Global Connect

L2 Linker

Hello,

I have tried searching and must be missing something.

I am trying to block a user from attaching Global Protect. From what I have read you should be able to go to Network>GlobalProtect>Device Block List and add the device\user to the list. The issue I am running into is that I do not see this list when I go there. 

I am running PANOS 10.1.3, does this list need to be created? Does someone have a link to the directions on how to create\find this list?

Thank you,

Tom 

 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

@thoffman,

Whatever you were looking at must have been older. If you wish to block the device from connecting you would simply add it under Device -> Device Quarantine, and at that point the device won't be able to connect to GlobalProtect anymore. https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/device/device-device-quarant...

 

If you're looking to block an individual user, regardless of device, there's a few ways you can do so:

 

* Remove the user from the Gateway Agent configuration so they don't have a configuration to hand out. This would allow them to authenticate technically, but GlobalProtect won't connect as they don't have an assigned agent config. 

 

* Remove the user from the AD groups (assuming active directory) that actually power authentication. So as an example you might have a Authorized-VPN-Users security group that is attached to the Authentication Profile in the Allow List, simply remove that user from the associated groups.

 

* Create a specific Agent configuration for this user, above all other configs in the list, that gives them a blocked IP Pool. Anyone assigned this agent config could be allocated an IP Pool that simply has a deny entry at the begining of your security rulebase as that while they'll be allowed to "connect", they can't process any network traffic.

 

* Setup a deny rule and just target their User-ID entry as the source-user and deny all of the traffic from that User-ID coming across your GlobalProtect security zones. 

 

Removing them from the authentication profile so they simply can't authenticate is the "correct" answer for this, but any of these will technically work perfectly fine. 

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

@thoffman,

Whatever you were looking at must have been older. If you wish to block the device from connecting you would simply add it under Device -> Device Quarantine, and at that point the device won't be able to connect to GlobalProtect anymore. https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/device/device-device-quarant...

 

If you're looking to block an individual user, regardless of device, there's a few ways you can do so:

 

* Remove the user from the Gateway Agent configuration so they don't have a configuration to hand out. This would allow them to authenticate technically, but GlobalProtect won't connect as they don't have an assigned agent config. 

 

* Remove the user from the AD groups (assuming active directory) that actually power authentication. So as an example you might have a Authorized-VPN-Users security group that is attached to the Authentication Profile in the Allow List, simply remove that user from the associated groups.

 

* Create a specific Agent configuration for this user, above all other configs in the list, that gives them a blocked IP Pool. Anyone assigned this agent config could be allocated an IP Pool that simply has a deny entry at the begining of your security rulebase as that while they'll be allowed to "connect", they can't process any network traffic.

 

* Setup a deny rule and just target their User-ID entry as the source-user and deny all of the traffic from that User-ID coming across your GlobalProtect security zones. 

 

Removing them from the authentication profile so they simply can't authenticate is the "correct" answer for this, but any of these will technically work perfectly fine. 

L2 Linker

First off that you for your reply. I am very new to managing firewalls and it is appreciated.

From reading your post I think the best way to proceed is to block the device in the Device Quarantine list. I looked up the Host ID but when I go and click on add and put the Host ID in and click apply not errors pop up but the device never shows up in the list.

So will try to figure that one out. 🙂
Thank you again,

Tom

 

L2 Linker

Just an update that I did add the Host ID to the Device Quarantine list and it does show the device and being Quarantined in the Global Protect logs.

The funny thing is that there is nothing in the Device>Device Quarantine list in the firewall?

Thank you,

Tom

L2 Linker

Just a follow up that the reason the Device Quarantine list is that there is a bug in 10.1.3 that causes this. We were told to roll back to 10.0.8-h8 and all the issues cleared up.

Thank you,

Tom

  • 1 accepted solution
  • 7128 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!