03-12-2025 07:41 PM - edited 03-12-2025 07:44 PM
Hello,
I am trying to deploy GlobalProtect on some of our endpoints, but I'm running into a set of issues due to our business requirements.
The requirements are:
- VPN is in Always-On with full enforcement
- All traffic from those devices must stay internal, or be tunneled over the VPN (excepting what's needed for tunnel establishment)
- MFA is required to establish a VPN tunnel outside
- Our MFA utilizes RADIUS with OTP
- The devices that GlobalProtect is installed on can move between our internal LAN and external locations
My solution was to create internal and external portals with the same FQDN that resolve differently depending if the device is internal or external. For the internal portal, I am using the machine certificate to auth which triggers internal host detection successfully. Externally everything works as desired with the MFA authentication prompt triggering on user login and the connection method is set to User-Logon(Always-On) both internally and externally.
The issue I am running into is internal host detection before a user logs in. If they reboot and let the device sit, it is completely inaccessible, which I am pretty sure is going to brick patching. I have the internal network CIDRs in the Enforce GlobalProtect agent config, but that hasn't helped.
I think the normal recommendation would be to enable pre-login on the internal portal, but I was also hoping to have Connect Before Logon configured to address some weird remote-only user corner cases. As far as I can tell, when I register CBL, it does not allow for any pre-login configurations to apply.
Does anyone have a good recommendation to address idle-machines while they are internally connected? I can't disable Enforcement when it's internally connected because the worry would be that a user takes the device home without first logging in, and now it's on their home wifi with unrestricted internet access.
03-13-2025 03:00 PM
Pretty much all of your issues are solved with pre-login. What exactly is the issue that is preventing you from enabling it and wanting CBL for the remote-only users; that's the whole point of pre-login and that capability solves the rest of your issues.
03-14-2025 10:05 AM
That's my plan unless I can think of something else. I'm just a little frustrated with the way an initial portal authentication is required before internal network detection will trigger. It makes automated provisioning a little awkward, as after the device gets provisioned it requires a portal authentication before it will allow communications once the GP client is installed. It also necessitates a second, internal-only portal, since I could not find a way to enable machine certificate only authentication for internal hosts while enforcing MFA auth for external hosts.