GlobalProtect Always-on User Experience


L0 Member

Hey all - We're currently in the beta-testing phase of our GlobalProtect implementation, and I have a couple of questions around 'best practices' to ensure a good user experience.  First, our setup:

- PAN-OS 10.1.5-h1

- GlobalProtect client v5.2.11-10 (Mac OS (12.x) & Windows 10)

- Pre-logon via machine-based certificates

- User logon via Okta SSO (with MFA) w/ Pre-logon (Always On) 

- Authentication Overrides via cookies so user is only prompted once

Overall our setup works pretty well.  My team and I have been actively using it almost daily for a couple of weeks now, and have had little-to-no issues.  However, we do have an edge case scenario we're having a debate over:

 

We have our gateway timeout set to 12hrs.  This matches our Okta session timeouts, and works well for normal M-F work days, as it generally means people authenticate to Okta once a day.  This is totally reasonable in our environment.  However, when people leave their laptop up and running over the weekend, they get prompted on Sat morning to log in - which of course they are not there to see - and the prompt just stays there until Monday.  When they get in on Monday, they try to put their creds into the logon prompt, but it doesn't work (presumably because the session started on Sat morning has expired).  This situation could also happen while people are on vacation.

 

The 'solution' is to close out of the browser sessions and click 'refresh connection' in the client to restart the logon process.  This totally works, but the concern is that it's not a great user experience. 

 

We really like the idea of users authenticating to Okta daily.  Not only does this make certain VPNs only stay up for as long as they are needed, it also proactively has them logging into Okta, meaning they will have a better user experience when interfacing with other Okta-based applications.

 

I'd love to know what people think, and what you've done around this subject.  I realize everyone's use case is different, but I'm hoping someone has gone through this already and figured out what works best for their users.

2 REPLIES

Cyber Elite

@JoeLemaire,

I've personally never found a good way to handle this cleanly on the client side of things. What I've had some organizations choose to do in the past is simply restart the device Sunday evenings. If the machine isn't on then no problem, and if it is on it just restarts the machine and puts it into a clean slate for them come Monday morning. If you schedule it to happen only after say 1hr of inactivity or even 30 minutes you generally don't run into any issues. Just have a policy that all work needs to be saved at the end of the day.

Thanks for the information @BPry.  In our environment, I think auto-rebooting the client machines would cause more problems than solutions. 

I also agree that there's seemingly no good way to handle this.  I think a lot of people are using the Always-On solution with certificates (both machine and user) that give some basic connections to the network (DNS, AD access, etc), and then allowing users to 'upgrade' their connection by manually connecting to another gateway to give them access to other resources.  I'm not sure this works in our environment though.

Thanks for the suggestion though! 
