Enforce GlobalProtect


L1 Bithead

Hi Everyone,

I have a query on GlobalProtect.

Requirement:

One of our customers has the following requirement:

If the user is working from home, internet should only work on his laptop if he is connected to GlobalProtect.

If the user is not connected to GlobalProtect, his internet should not work even if he is connected to Wi-Fi. All his traffic should pass through GlobalProtect itself.

And if the same user comes back into the office network, GP should disconnect and the user's machine should work on the LAN network.

Is it possible?

If possible, please let me know what configuration changes are required.

 

Thanks and Regards

Monica Shree

1 REPLY

L6 Presenter

Yes, this is possible and is a very common setup. Your customer wants to set the GlobalProtect client to "Always-On" - the client always connects to the GlobalProtect Gateway and doesn't allow traffic until connected, and enable "Enforce GlobalProtect Connection for Network Access".

  Network -> GlobalProtect -> Portals -> <portal_config> -> Agent -> <agent_config> -> App -> Connect Method = User-logon (Always-On)

  Network -> GlobalProtect -> Portals -> <portal_config> -> Agent -> <agent_config> -> App -> Enforce GlobalProtect Connection for Network Access = Yes

You may also want to block local network access when connected to the VPN:

  Network -> GlobalProtect -> Gateways -> <gateway_config> -> Agent -> <agent_config> -> Split Tunnel -> No direct access to local network = checked

Second, you want to enable "Internal Host Detection" to detect when the client is connected to the local network.

  Network -> GlobalProtect -> Portals -> <portal_config> -> Agent -> <agent_config> -> Internal -> Internal Host Detection = checked

You need to specify an internal IP address and matching reverse-DNS name that the IP will match. If the client's DNS returns a matching value (Note: this is case-sensitive), then the client will know it is on the internal network and will connect directly to the local network without requiring a VPN tunnel.

Note that the client must still connect to the Portal to get the GlobalProtect configuration, before it can determine if it is on a local network. So the GP client will still prompt for user credentials when connecting internally. You can get around this (have a nearly transparent internal connection) by using a user/machine certificate for the Portal authentication. The Gateway authentication (for when connecting to the VPN from outside the network) can continue to use your standard user/password credentials.

 

https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-portals/enfor...

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004NcRCAU
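The Internal Host Detection decision described in the reply, written out as an added example (this is not GlobalProtect client code and not part of the original post): the client reverse-resolves the configured internal IP and compares the PTR answer with the configured hostname, exactly and case-sensitively. The IP `10.10.0.5`, the hostname `gp-ihd.corp.example` and the three resolver tables are constructed sample values; the `resolver` parameter is injectable so the decision logic can be exercised offline, and `reverse_lookup` shows the real OS lookup that a practitioner would use to verify the entry from a laptop on the office LAN.

```python
import socket
from typing import Callable, Dict, Optional

# Constructed sample values for the Internal Host Detection entry
# (assumptions, not the customer's real configuration).
INTERNAL_HOST_IP = "10.10.0.5"
INTERNAL_HOST_NAME = "gp-ihd.corp.example"

Resolver = Callable[[str], Optional[str]]


def reverse_lookup(ip: str) -> Optional[str]:
    """Reverse (PTR) lookup through the OS resolver; None when it fails.
    Run this from a client on the office LAN and from one on home Wi-Fi
    to confirm the entry resolves only internally."""
    try:
        name, _aliases, _addrs = socket.gethostbyaddr(ip)
        return name
    except (socket.herror, socket.gaierror, OSError):
        return None


def internal_host_detected(ip: str, expected_name: str,
                           resolver: Resolver = reverse_lookup) -> bool:
    """Mirror of the check the reply describes: the configured IP is
    resolved in reverse and the answer must equal the configured hostname.
    The comparison is exact and case-sensitive, so a PTR record with
    different capitalisation does NOT count as a match."""
    answer = resolver(ip)
    if answer is None:
        # No PTR answer (typical on a home network for an RFC 1918 address):
        # the client is treated as external.
        return False
    return answer == expected_name


def choose_connection(ip: str, expected_name: str,
                      resolver: Resolver = reverse_lookup) -> str:
    """'direct' when the client believes it is on the internal network,
    otherwise 'tunnel' (Always-On connects to the Gateway and, with
    enforcement on, blocks other traffic until that tunnel is up)."""
    return "direct" if internal_host_detected(ip, expected_name, resolver) else "tunnel"


def make_resolver(ptr_table: Dict[str, str]) -> Resolver:
    """Build an offline resolver from a constructed IP -> PTR-name table."""
    return lambda ip: ptr_table.get(ip)


# Constructed scenarios (sample data, not captured DNS traffic).
OFFICE_DNS = {"10.10.0.5": "gp-ihd.corp.example"}     # correct internal PTR
HOME_DNS: Dict[str, str] = {}                          # public resolver: no PTR
MISCASED_DNS = {"10.10.0.5": "GP-IHD.corp.example"}    # wrong case -> no match


if __name__ == "__main__":
    for label, table in (("office", OFFICE_DNS), ("home", HOME_DNS), ("miscased", MISCASED_DNS)):
        mode = choose_connection(INTERNAL_HOST_IP, INTERNAL_HOST_NAME, make_resolver(table))
        print(f"{label:9s} -> {mode}")
    # Live check from the current machine's resolver:
    print("this host ->", choose_connection(INTERNAL_HOST_IP, INTERNAL_HOST_NAME))
```

The miscased scenario is the one that bites in practice: a PTR record that looks right to a human but differs in case from the portal entry makes every office client behave as if it were external and bring up a tunnel. Comparing the exact string returned by `reverse_lookup` against the portal entry is the check to run before rolling the configuration out.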

 
