Force Always VPN, GlobalProtect

Hello,

Our users are working remotely and connecting via GlobalProtect VPN.

If they disconnect from the VPN or choose not to connect, they bypass all the URL filtering rules I have applied, which is understandable.

Therefore, I will enforce the use of VPN, ensuring that if a VPN connection is not established, users will be unable to access the internet, thereby making VPN usage mandatory. Below are the parameters I intend to activate. If you have any suggestions or insights on this matter, I would appreciate hearing them.

Thank you for your valuable ideas.

Parameters:
- User-Logon: Always On
- Allow user to disconnect GlobalProtect App: No / disable
- Enable GlobalProtect Connection for Network Access: Yes / enable

Enforcer will require some FQDN fine-tuning, as you will want to whitelist the authentication domains for your IdP and captive portals (for airports, hotels…).

Start with always-on and prevent users from disabling or disconnecting GP. For disconnect, I would suggest using the “ticket” option, which will allow you to provide a one-time passcode in case a user needs to be disconnected for a short period or for troubleshooting.

You may not need the network enforcement if users are not allowed to disable or disconnect. It is still nice to have, if you consider the case where the VPN cannot connect (being blocked by mistake or on purpose).

This sounds easy but is complicated. Pre-logon helps. Tunnel rename and grace period prevent awkward issues. Lots of issues with resolving even Microsoft 365 SAML.

There is no standard for captive portals. It is not possible to add everything in the country. I wonder what problems I will encounter.

This scared me; we are logging in with O365, and I think there will be problems here. Thanks

There are a few well-known ones, such as http://captive.apple.com, http://clients3.google.com or http://www.msftconnecttest.com.

Also consider enabling the option that blocks access to the local LAN. This doesn’t directly address your original point of bypassing URL filtering, but it’s just a little bit better for your overall security posture.
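To make the interplay between the settings discussed above concrete (always-on, user disconnect, network enforcement, and the FQDN exclusions for the IdP and the captive-portal check hosts), here is a small constructed model of the decision when the tunnel is down. This is an added example, not GlobalProtect's own logic or configuration format; the `login.microsoftonline.com` and `.msftauth.net` entries are assumed IdP hosts, not values from the thread.

```python
"""Constructed model of how the GlobalProtect settings from this thread interact
once the tunnel is down. Not the product's logic; setting names follow the thread."""
from dataclasses import dataclass, field

# Constructed exclusion list: assumed IdP sign-in hosts for O365 plus the
# captive-portal check hosts named in the thread. A leading "." matches subdomains.
DEFAULT_EXCLUSIONS = [
    "login.microsoftonline.com",   # assumed O365 sign-in host
    ".msftauth.net",               # assumed, wildcard-style entry
    "captive.apple.com",
    "clients3.google.com",
    "www.msftconnecttest.com",
]

@dataclass
class GpPolicy:
    always_on: bool = True                # User-Logon: Always On
    allow_user_disconnect: bool = False   # Allow user to disconnect: No
    enforce_network_access: bool = False  # Enforce GP connection for network access
    exclusions: list = field(default_factory=lambda: list(DEFAULT_EXCLUSIONS))

def matches_exclusion(host, exclusions):
    """Exact match, or suffix match for entries that start with '.'."""
    host = host.lower().rstrip(".")
    for entry in (e.lower() for e in exclusions):
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

def can_user_disconnect(policy):
    """Without always-on, or with disconnect allowed, the user can drop the tunnel."""
    return policy.allow_user_disconnect or not policy.always_on

def traffic_allowed(policy, host, tunnel_up):
    """Return (allowed, reason) for a destination host under the given policy."""
    if tunnel_up:
        return True, "via tunnel; URL filtering applies"
    if not policy.enforce_network_access:
        # The OP's problem: with the tunnel down, nothing stops direct access.
        return True, "no enforcement: traffic bypasses URL filtering"
    if matches_exclusion(host, policy.exclusions):
        return True, "excluded FQDN (IdP / captive portal) reachable for sign-in"
    return False, "blocked until the tunnel is established"
```

Note that the exclusion match is exact unless an entry starts with ".", so a host such as `evil.captive.apple.com` is not let through by the `captive.apple.com` entry; keep wildcard-style entries to the few domains the IdP actually needs.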