03-16-2023 12:16 PM
Hi Folks,
One of our customers has a requirement in GP as follows:
GP user working in home network >> connect GP automatically > should not have permission to disable GP
When the same user working from Office LAN network > GP has to detect user located in office LAN > then GP should disconnect automatically.
This kind of feature is available in Barracuda NAC. May I know if this is possible in Palo Alto and how to do it?
Thanks in advance.
Regards,
Kumaradev
03-16-2023 01:36 PM
This is easily accomplished. What you'll want to look into is "Always On" for the connection method, ensure that you have the 'Allow user to disconnect GlobalProtect App' option configured away from 'Allow' or 'Allow with Comment' to one of the other options, and ensure that internal host detection is configured and enabled.
One thing to note; I'm personally not a fan of setting the 'Allow user to disconnect GlobalProtect App' option to disallow outside of heavily regulated industry. I'd recommend that you set this option to 'Allow with Ticket'. This ensures that you have the ability to disable the agent if absolutely necessary, but requires they contact someone with the ability to generate the ticket prior to doing so.
03-16-2023 02:16 PM - edited 03-16-2023 02:18 PM
As @BPry says, yes it is easily accomplished using the "Always On" feature. We do this currently - required to always use the VPN at home/away with no local traffic (certain explicit FQDNs allowed for remote control/management even if the user isn't connected to the VPN). When the user shows up at the office they detect the internal network and connect directly.
You will need to determine a couple of things first:
1) How do you want the external VPN to connect, "Always-On User-Login" or "Always-On Pre-Login"? The former will immediately prompt the user to log into the VPN when they log into the PC. The latter will attempt to connect to the VPN with a machine credential (typically a certificate) before the user has ever logged in, switching to user authentication after the user logs in.
2) How do you want to authenticate the user? Either by userID/password (which may point to an MFA resource) and/or certificate. The certificate has the advantage that it doesn't prompt the user, so it can take place automatically. (The GP client will also save user/pass credentials and try to reuse those on the next connection if you don't deny that in the app options.) There are 2 places where authentication is required:
a) the Portal, where the GP client gets its configuration and list of Gateways to connect to
b) the Gateway, where the GP client connects to actually pass the VPN data
If you use a certificate for the Portal authentication and user/pass for the Gateway authentication, then it makes the user experience much better as the GP client can automatically connect and get its configuration (without user interaction) to determine if it should connect to a Gateway and prompt for a login, or connect directly to an internal network without prompts. The basic way you set this up is:
- Create a GP Portal and set the Portal Authentication to use a Certificate Profile, either a user certificate or a machine certificate that is recognized by your internal CA authority.
- Set the Agent client configuration to Always-On (in the Agent App tab settings, along with options for the user to disable).
- Set the Agent client configuration to enable Internal Host Detection (in the Agent Internal tab settings). This will perform an rDNS query for a specified IP and compare the result to the specified FQDN (this should be an internal-only host name, and the result is case sensitive).
- Create a GP Gateway for external connections and configure as desired (probably with the Authentication set to a user/password profile, with or without MFA).
- You do not need to create an internal Gateway unless you want to collect HIP check information from internally connected GP clients.
After an initial setup, the client will automatically try to connect to the Portal using a certificate whenever the user logs into the PC or the network changes. The client will download its configuration and test to see if it is on an internal company network. If it is, it will automatically connect to the internal network without further user action. If it is not connected internally the GP client will connect to the external Gateway and prompt the user for authentication details.
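The internal host detection decision described in this answer, modelled as an added example (not code from the thread, Palo Alto, or the GlobalProtect client): reverse-resolve the configured IP, compare the answer to the configured FQDN with an exact case-sensitive match, and fall back to the external Gateway on any mismatch or missing PTR. The IP, host names and PTR table below are constructed placeholders; a real client would ask the OS resolver, which is shown as a swappable function.

```python
import socket
from typing import Callable, Dict, Optional

# Constructed reverse-DNS table standing in for the resolver answers the
# client would see on the office LAN. Values are hypothetical placeholders.
INTERNAL_PTR_TABLE: Dict[str, str] = {
    "10.0.0.10": "ihd.corp.example",
}

Resolver = Callable[[str], Optional[str]]


def table_resolver(ip: str) -> Optional[str]:
    """PTR lookup against the constructed table; None means no answer."""
    return INTERNAL_PTR_TABLE.get(ip)


def live_resolver(ip: str) -> Optional[str]:
    """Real reverse DNS through the OS resolver (swap in to test for real)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def is_on_internal_network(ip: str, expected_fqdn: str,
                           resolver: Resolver = table_resolver) -> bool:
    """Mirror the thread's description of Internal Host Detection: rDNS the
    configured IP and require an exact, case-sensitive match against the
    configured FQDN. The FQDN should only resolve on the internal network,
    so a public-DNS answer (or none) never counts as 'internal'."""
    answer = resolver(ip)
    if answer is None:
        return False          # no PTR record: treat as external
    return answer == expected_fqdn   # deliberately case-sensitive


def decide_action(ip: str, expected_fqdn: str,
                  resolver: Resolver = table_resolver) -> str:
    """'internal' = connect directly with no prompt; 'external-gateway' =
    bring up the tunnel to the external Gateway and prompt for user auth."""
    if is_on_internal_network(ip, expected_fqdn, resolver):
        return "internal"
    return "external-gateway"
```

A PTR answer that differs only in letter case is the classic misconfiguration: the client will keep tunnelling from the office until the FQDN in the Internal tab matches the reverse record exactly.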
03-24-2023 12:57 AM
Hi @Adrian_Jensen and @BPry
Thanks for your response.
We configured the above-mentioned settings on the customer firewall and it is working fine, as expected.
Thanks again for your immediate support.
Regards,
Kumaradev