Last updated on November 16th, 2022 at 03:46 pm

A Palo Alto Networks firewall configured as a GlobalProtect Portal or Gateway will, by default, display a page to download the GlobalProtect client. As with anything in life, this can be a good or bad thing. If enabled, your firewall becomes a repository from which anyone can download the GlobalProtect (GP) client. Also, it provides a web page to be exploited. One example is that employees can download and install the GP client to a personal computer and then use their credentials to connect to the VPN from that personal computer instead of the corporate-provided laptop or desktop.

The upside of this page is that it allows users to download the GP client for installation, which is very convenient. With today's compliance requirements, though, this page should be disabled or access to it blocked. If possible, the installation of the GP client should be managed with a Mobile Device Manager (MDM) or similar management platform. This GP download page can be directly accessed (up to version 10.1) using the following links.

[Figure: GlobalProtect Download Page]

Caution: Block Access to the Download Pages

The name would be replaced with the production GP page.

IMPORTANT: If a manual or transparent upgrade is allowed in the GP App configuration on the firewall and these links are blocked, the upgrade will fail.

If you have the firewall configured (manual or transparent) to upgrade the GP client when a user connects and these links are blocked, the upgrade will fail. In testing, when I had this enabled to upgrade to a new GP client version activated on the firewall, the upgrade failed even though the user received a prompt that an upgrade would occur.

We’ll start with the GUI to create the needed URL Category and Security Policy. Further down, I have the text to do the same at the CLI.

Let’s start with the URL Category we need. Go to Objects > Custom Objects > URL Category and click Add.

[Figure: URL Category Add]

Give the category a name; in this example, we use block-gp-sw-page. In SITES, add the two URLs, but remember to use those which pertain to your environment. Also, note the asterisk at the start of the URL. We do this in case we have multiple DNS record names, for example, or. Using the wildcard (*), we will block all *. If you want to be specific, you can remove the wildcard (*) and use the specific name, for example,. Click OK in the Custom URL Category window.

[Figure: URL Category]

Now we can create the Security Policy to block access to the GP client download page. Give the policy a name; in our example, we use block-gp-sw-page.
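Added example (not from the original post): a simplified Python model of the leading-asterisk entry described above, used to check that a custom URL category list covers every DNS name that reaches the portal or gateway. The hostnames, the path and the function names are constructed placeholders, and the matching rule (a `*` label stands for one or more whole host labels, the path is compared exactly) is an assumption to confirm against your own firewall.

```python
from urllib.parse import urlsplit

def parse(entry):
    """Split a list entry or URL into (host labels, path); the scheme is optional."""
    entry = entry.strip()
    parts = urlsplit(entry if "://" in entry else "//" + entry)
    return (parts.hostname or "").split("."), parts.path.rstrip("/")

def host_matches(pat, host):
    """Assumed rule: a '*' label covers one or more whole host labels;
    every other label must be equal, and the whole host must be consumed."""
    if not pat:
        return not host
    if not host:
        return False
    if pat[0] == "*":
        # The wildcard takes this label, then either stops or keeps going.
        return host_matches(pat[1:], host[1:]) or host_matches(pat, host[1:])
    return pat[0] == host[0] and host_matches(pat[1:], host[1:])

def covers(entry, url):
    """True if a single category entry covers the given URL."""
    (pat, entry_path), (host, url_path) = parse(entry), parse(url)
    return entry_path == url_path and host_matches(pat, host)

def uncovered(entries, urls):
    """URLs that no entry covers, i.e. download pages a block rule would miss."""
    return [u for u in urls if not any(covers(e, u) for e in entries)]

# Constructed sample data: hypothetical DNS names and a placeholder path,
# not the real GlobalProtect download links.
PATH = "/placeholder/download-page"
PORTAL_URLS = [
    "https://gp.example.com" + PATH,
    "https://vpn.example.com" + PATH,
    "https://gw1.vpn.example.com" + PATH,
]
SPECIFIC = ["gp.example.com" + PATH]   # entry with the specific name
WILDCARD = ["*.example.com" + PATH]    # entry with the leading asterisk

if __name__ == "__main__":
    for name, entries in (("specific", SPECIFIC), ("wildcard", WILDCARD)):
        print(name, "entry leaves uncovered:", uncovered(entries, PORTAL_URLS))
```

Under this model the wildcard entry does not cover the bare domain (`example.com`), so a portal published on the bare domain would need its own entry.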