Enforcing Global Protect only on remote sessions



L1 Bithead

My company only allows company-issued laptops (Windows only) to remotely connect to our network via VPN. Since these are company devices I feel they should always be restricted to company internet usage policies that only allow access to approved sites and categories. My users are all office-based but do need to remote in for those few work-at-home days (weather, kid issues, blah blah) or if they are on the road. Out of my 120 devices, only 15 of them even use VPN now, so a small group.

We are only 2 months into using PA and I have GlobalProtect configured and working for single tunnel access, AD authentication, with the GP Portal set to user log in (always on). Portal and gateway are on the same device and pointed to the external interface. We do not have HIP licensing or requirements (yet).

I have been playing with the Enforce GlobalProtect option. I discovered that if I turn that option on I cannot log in when I am in the office. I wasn't surprised by this result, but I am having issues finding any documentation on what the correct config is for this scenario and wanted to make sure I wasn't missing some easy setting or config change.

What it looks like I have to do is create a 2nd gateway attached to the internal interface if I want the Enforce option on. Is that correct, or is there a setting or something I can make?

3 REPLIES

Cyber Elite

Hello,

I believe you would either need to set up an internal portal/gateway or the following:

https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PNid


Regards,

L1 Bithead

That might be needed but didn't fix the issue. I created an internal gateway, went into portal config under internal, and added the internal info to that. When I try to connect the GP client from an internal network it seems to see the portal and then tries to get a configuration, but then throws a "Network connection is unreachable or portal is unresponsive" error.

Cyber Elite

If it's using an external IP/interface, you might need a u-turn NAT and policies to accomplish this.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CllzCAC

Regards,
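To make the three situations in this thread concrete (office with Enforce on and no internal gateway, office with an internal gateway, and a remote user), here is an added simulation that is not code from the thread or from Palo Alto Networks. It models the GlobalProtect client decision as a reverse DNS lookup for internal host detection, a gateway choice based on that result, and an "Enforce GlobalProtect" rule that blocks traffic until a gateway is connected. The PTR table, hostnames, gateway names and the reachability sets are all constructed, and the simplified enforcement behaviour is an assumption of the model, not a statement of PAN-OS internals.

```python
"""Simplified model of GlobalProtect gateway selection and enforcement.

Added example (not from the thread or from Palo Alto Networks). Modelled flow:
  1. Internal host detection: reverse-resolve a configured IP; if the expected
     hostname comes back, the client treats itself as on the internal network.
  2. Inside -> use the internal gateway (None if no internal gateway exists);
     outside -> use the external gateway.
  3. Enforce GlobalProtect (as modelled here): no traffic until a gateway is
     connected. All names and tables below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

ReverseLookup = Callable[[str], Optional[str]]


@dataclass
class PortalConfig:
    external_gateway: str
    internal_gateway: Optional[str]        # None when no internal gateway is defined
    enforce_globalprotect: bool
    detection_ip: Optional[str] = None     # internal host detection IP (None = off)
    detection_hostname: Optional[str] = None


def make_resolver(ptr_table: Dict[str, str]) -> ReverseLookup:
    """Reverse-DNS lookup backed by a constructed PTR table."""
    return lambda ip: ptr_table.get(ip)


def is_on_internal_network(cfg: PortalConfig, lookup: ReverseLookup) -> bool:
    """Internal host detection: the PTR answer must match the expected name."""
    if cfg.detection_ip is None or cfg.detection_hostname is None:
        return False  # detection not configured: always assume external
    answer = lookup(cfg.detection_ip)
    if answer is None:
        return False
    return answer.rstrip(".").lower() == cfg.detection_hostname.rstrip(".").lower()


def select_gateway(cfg: PortalConfig, lookup: ReverseLookup) -> Optional[str]:
    """Gateway the client will try; None means inside with no internal gateway."""
    if is_on_internal_network(cfg, lookup):
        return cfg.internal_gateway
    return cfg.external_gateway


def connect(cfg: PortalConfig, lookup: ReverseLookup, reachable: Set[str]) -> Optional[str]:
    """Attempt a connection; `reachable` is the set of gateways this network can reach."""
    gw = select_gateway(cfg, lookup)
    return gw if gw is not None and gw in reachable else None


def traffic_allowed(cfg: PortalConfig, connected: Optional[str]) -> bool:
    """Modelled enforcement: with Enforce on, traffic needs a connected gateway."""
    return True if not cfg.enforce_globalprotect else connected is not None


def office_scenarios() -> Dict[str, bool]:
    """Constructed walk-through of the cases discussed in the thread."""
    inside = make_resolver({"10.10.0.5": "dc01.corp.example"})  # only answers inside
    outside = make_resolver({})
    ext, internal = "gp.example.com", "gp-int.corp.example"

    no_detection = PortalConfig(ext, None, enforce_globalprotect=True)
    with_internal = PortalConfig(ext, internal, enforce_globalprotect=True,
                                 detection_ip="10.10.0.5",
                                 detection_hostname="dc01.corp.example")
    return {
        # OP's first attempt: external gateway only, not reachable from the LAN.
        "office_no_internal_gw": traffic_allowed(no_detection, connect(no_detection, inside, set())),
        # Second reply: u-turn NAT makes the external gateway reachable from inside.
        "office_external_via_uturn_nat": traffic_allowed(no_detection, connect(no_detection, inside, {ext})),
        # First reply: internal gateway plus internal host detection.
        "office_internal_gw": traffic_allowed(with_internal, connect(with_internal, inside, {internal})),
        # Remote user: detection fails, external gateway used.
        "remote_external_gw": traffic_allowed(with_internal, connect(with_internal, outside, {ext})),
    }


if __name__ == "__main__":
    for name, ok in office_scenarios().items():
        print(f"{name}: {'traffic allowed' if ok else 'blocked by enforcement'}")
```

The first scenario reproduces the symptom in the opening post: enforcement plus an external-only gateway leaves an in-office laptop with no connected gateway and therefore no traffic. Either of the two fixes suggested in the replies (an internal gateway selected through internal host detection, or making the external gateway reachable from inside via u-turn NAT) gives the client a gateway to connect to.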
