Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Enforce Global protect

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Enforce Global protect

L1 Bithead

Hi Everyone,

 

I have a query on Global Protect.

Requirement :

one of our customer wants the requirement

if user is working from home internet should only work on his laptop if he is connected to global protect

if user is not connected to global protect his internet should not work even if he is connected to wifi also. All his traffic should pass through Global Protect itself.

And if the same user is coming back into office network GP should disconnect and user machine should be working on LAN network.

Is it possible ?

If possible please let me know what are configuration changes that are required.

 

Thanks and Regards

Monica Shree

 

1 REPLY 1

L6 Presenter

Yes, this is possible and is a very common setup. Your customer wants to set the GlobalProtect client to "Always-On" - the client always connects to the GlobalProtect Gateway and doesn't allow traffic until connected, and enable "Enforce GlobalProtect Connection for Network Access".

  Network -> GloablProtect -> Portals -> <portal_config> -> Agent -> <agent_config> -> App -> Connect Method = User-logon (Always-On)

  Network -> GloablProtect -> Portals -> <portal_config> -> Agent -> <agent_config> -> App -> Enforce GlobalProtect Connection for Network Access = Yes

 

You may also want to block local network access when connected to the VPN:

  Network -> GlobalProtect -> Gateways -<gateway_config> -> Agent -> <agent_config> -> Split Tunnel -> No direct access to local network = checked

 

Second, you want to enable "Internal Host Detection" to detect when the client is connected to the local network

  Network -> GloablProtect -> Portals -> <portal_config> -> Agent -> <agent_config> -> Internal -> Internal Host Detection = checked

 

You need to specify an internal IP address and matching reverse-DNS name that the IP will match. If the clients DNS returns a matching value (Note: this is case-sensitive), then the client will know it is on the internal network and will connect directly to the local network without requiring a VPN tunnel.

 

Note that the client must still connect to the Portal to get the GlobalProtect configuration, before it can determine if it is on a local network. So the GP client will still prompt for user credentials when connecting internally. You can get around this (have nearly transparent internal connection) by using a user/machine certificate for the Portal authentication. The Gateway authentication (for when connecting to the VPN from outside the network) can continue to use your standard user/password credentials.

 

https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-portals/enfor...

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004NcRCAU

 

  • 1243 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!