Can GlobalProtect spy on my website history, actions, etc?

Hi,

I’ve just started using GlobalProtect to connect via VPN to my company PC. It seems all good, but one of my colleagues said that this can possibly monitor what websites I’m visiting in the background and what I’m doing in the background. That’s literally spyware, but I have no choice but to use GlobalProtect to keep working.

So I’m here to ask real PaloAlto Networks engineers:

- Does GlobalProtect spy on the user’s local PC when it’s used to establish VPN connection to the company PC?

- Even if the answer is “usually not”, is it capable of doing so?

My company has a BYOD policy, so I had no choice but to install this on my personal laptop & PC.

I’m worried about my privacy, so I’m treating my personal devices like a company PC, staying away from doing anything personal with them. It’s very inconvenient and I’d like to know if my concern is justified.

If they are doing full tunnel, then yes, all of your traffic is going to their firewall where it is being logged.

This needs to be said since a lot of you are talking about the technical details, but not pointing out the obvious. Most of this only applies when you are actually connected to GlobalProtect. GlobalProtect the application doesn’t record anything in regards to your traffic. The firewall at the other end is what’s logging traffic. It’s not accurate to consider GP spyware; it’s just not, GP isn’t spying on you. When a standard deployment of GP is used, all of your traffic is being routed through your company’s firewall, and unless they’re just weird they should be logging all traffic flowing through that firewall. While connected to GP you should understand that you should have no more expectation of privacy than if you were onsite working. If they are enforcing BYOD for remote work, you can always hit the Disconnect button at the end of the day.

A few things you need to consider.

1. While on the clock, if you’re required to be connected to GP, don’t visit inappropriate sites. You’re technically at work and should treat your home work space as if you were on site. If you wouldn’t visit certain sites while on the clock physically at work, don’t do it at home.

2. If you don’t want to mix work with your personal machine, I suggest you either purchase a separate machine or set up a virtual machine on your home PC so you can isolate work from personal. VMs are really easy to set up these days and there is plenty of free software to do it. The hard part will be getting a Windows license, but I think you can basically run Windows 10 these days without buying it. They do stuff like disable wallpapers and put in the occasional popup notification about buying a full version, but I don’t think they restrict any functionality.

I’m lucky enough that in addition to being the person who would have to tell on myself, my company provides me with a device to use while not onsite.

If you are working from home, perhaps your work computer should be in your home, used for work. And your home computer should not be used for work.

If you are required to provide your own computer for BYOD and BYOD is not merely an optional convenience your employer has extended, then there are probably some questions about the quality of your employment.

Lastly, GlobalProtect does not / cannot “spy” (not getting into the split tunnel technicalities) when it is not connected to a gateway. So perhaps during working hours when you are connected with GP, you should not be doing personal online activities.

Yes. Privacy laws in your country may limit what they can /do/ with this information, but you should assume that they can see everything unless you use TOR or something similar to hide your activity.

They can only snoop SSL traffic if they have a root cert installed on your PC. If not, then no, they cannot snoop the SSL-based traffic that is encrypted between your PC and, say, your bank.

Can’t OP just install VirtualBox and run a VM as his “Work Machine” to avoid any fear of prying? Would keep things separate, even when both running simultaneously, no?

It absolutely can, yes. Depends on how it’s set up.

Number one rule of BYOD is don’t. I will never understand why people want to pay for their own devices to do work for a company. Use your work computer or Browser-based SSL VPN if provided. Even being careful you will have some embarrassing moments.

If and only if GlobalProtect is set to use no split tunnel, in which case all your traffic, even internet, will pass through the Palo Alto, and voilà, I know what all you were accessing yesterday :stuck_out_tongue:

If you are on a Windows system, go to CMD and issue the command `route print`; if the default route is pointing to the GlobalProtect tunnel interface instead of your router, then you are a lucky person.
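The `route print` check above can be automated. The following is an added example (not code from the original thread or from Palo Alto Networks): it parses the "Active Routes" rows of the IPv4 table from `route print` output, performs the same longest-prefix / lowest-metric lookup Windows does, and reports whether the tunnel adapter carries the default route (full tunnel), only specific prefixes (split tunnel), or nothing (disconnected). The route tables are constructed samples; the tunnel adapter address `10.10.0.5` and the corporate prefix `10.10.0.0/16` are assumptions chosen for the example, so substitute the address of your own GlobalProtect adapter (visible in `ipconfig`).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed address of the GlobalProtect virtual adapter on this machine.
TUNNEL_IP = "10.10.0.5"

# Constructed fragments in the layout of the IPv4 "Active Routes" table.
HEADER = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
"""
LAN_ROWS = [
    "          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25",
    "        127.0.0.0        255.0.0.0         On-link       127.0.0.1    331",
    "      192.168.1.0    255.255.255.0         On-link    192.168.1.50    281",
]
TUNNEL_DEFAULT = "          0.0.0.0          0.0.0.0         On-link       10.10.0.5      1"
TUNNEL_CORP = "        10.10.0.0      255.255.0.0         On-link       10.10.0.5    257"

FULL_TUNNEL_OUTPUT = HEADER + "\n".join(LAN_ROWS + [TUNNEL_DEFAULT, TUNNEL_CORP]) + "\n"
SPLIT_TUNNEL_OUTPUT = HEADER + "\n".join(LAN_ROWS + [TUNNEL_CORP]) + "\n"
DISCONNECTED_OUTPUT = HEADER + "\n".join(LAN_ROWS) + "\n"


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str                       # an address or the literal "On-link"
    interface: ipaddress.IPv4Address   # address of the adapter the route uses
    metric: int


# A data row is four address-like tokens followed by an integer metric; the
# column header ends in "Metric" and the IPv6 section has a different shape,
# so neither matches.
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_route_print(text: str) -> List[Route]:
    """Extract IPv4 Active Routes rows from `route print` output."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        try:
            network = ipaddress.IPv4Network((dest, mask), strict=False)
            interface = ipaddress.IPv4Address(iface)
        except ValueError:
            continue  # not an IPv4 row (e.g. stray text); skip it
        routes.append(Route(network, gateway, interface, int(metric)))
    return routes


def egress_route(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match, lowest metric on ties: the route the host uses."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def tunnel_mode(routes: List[Route], tunnel_ip: str) -> str:
    """'full' if the winning default route leaves via the tunnel adapter,
    'split' if the tunnel only carries specific prefixes, else 'disconnected'."""
    tunnel = ipaddress.IPv4Address(tunnel_ip)
    if not any(r.interface == tunnel for r in routes):
        return "disconnected"
    defaults = [r for r in routes if r.network.prefixlen == 0]
    best_default = min(defaults, key=lambda r: r.metric) if defaults else None
    if best_default is not None and best_default.interface == tunnel:
        return "full"
    return "split"


if __name__ == "__main__":
    for label, output in [("full", FULL_TUNNEL_OUTPUT),
                          ("split", SPLIT_TUNNEL_OUTPUT),
                          ("disconnected", DISCONNECTED_OUTPUT)]:
        routes = parse_route_print(output)
        via = egress_route(routes, "203.0.113.10")
        print(f"{label:>12}: mode={tunnel_mode(routes, TUNNEL_IP)} "
              f"internet traffic leaves via {via.interface if via else 'nowhere'}")
```

On a live machine, pipe the real output in with `route print | python this_script.py` after replacing the sample constant with `sys.stdin.read()`; the interesting line is the interface that wins for an internet address, because that is the path the firewall at the other end gets to log.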

Yes your company will monitor your traffic when connected to their network. And if you are given a work computer there is a pretty good chance they are able to monitor all the activity from that device regardless of whether or not you are connected to the vpn.

Look at your default route.

Use the computer for work stuff during the work day. Turn it off for personal things. I have a VPN for certain tasks; I just turn it on when I need to go to a resource, and if I don’t need to, then I turn it off and continue working.
If your work doesn’t consist of a constant need for network resources, then turn it off and only use it when you need to.

I guess with us we are full tunnel and only allowed to connect from corporate devices, so most sites are blocked by the corp firewall, which makes it easy to separate work and personal browsing.
Feeling for you when having this on a BYOD device.

I run a VM on my BYOD device when I need to use GP VPN as a backup connection to troubleshoot on a legacy portal, but I’m a sysadmin, so you probably won’t get to that point. And the uninstall is a POS, so I don’t want it corrupting anything.

If you are not using GlobalProtect, then also, by accessing the firewall, I can tell which websites you are visiting.

Hi All, I had a question about this. I do agree with all the comments of “Work during work hours, play when you close the shop”. But my concern is that, while I’m connected to GP and working, can the Company firewalls and other policies monitor the files and folders that are already located on my personal machine?

I won’t be doing any shady stuff, but if, hypothetically, any such content existed on the OP’s machine, what is the possibility of that getting scanned and reported?

The problem is that your company most probably won’t use GP to spy on you, but there are plenty of other tools, such as keyloggers etc., which is not a secret any more.

My company uses global protect. So if I’m reading everything right the company can see what I’m doing on other personal devices I use around my home? My personal cellphone traffic and my personal computer? Really? Well… if they are that intrusive I no longer care if I’m fired for, let’s say on my lunch break, using my personal cellphone, if I’m going to a channel they don’t like. I never do anything on my work laptop but work. It’s all too much really.

And if they’re doing split tunnel, then chances are all of your DNS queries are being logged. They might not get specific URLs, but they can certainly get hostnames.
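To make the "hostnames, not URLs" point concrete, here is an added example (not from the thread, and not a real PAN-OS log format): a few constructed resolver log lines are parsed and reduced to the distinct names each client asked for. That list is the whole picture a DNS log gives: the hostname, never the path, query string or page content. The log line layout, the client addresses and the domain names are all constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed resolver/firewall DNS log lines (generic layout, not a vendor
# format): timestamp, querying client, record type, queried name.
SAMPLE_DNS_LOG = """\
2024-05-01T09:12:03Z client=10.10.0.5 qtype=A name=mail.corp.example
2024-05-01T09:12:41Z client=10.10.0.5 qtype=A name=www.example.org
2024-05-01T09:12:41Z client=10.10.0.5 qtype=AAAA name=www.example.org
2024-05-01T09:13:10Z client=10.10.0.5 qtype=A name=cdn.example.org.
2024-05-01T09:15:22Z client=10.10.0.9 qtype=A name=mail.corp.example
this line is noise and is skipped by the parser
"""

LINE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qtype=(?P<qtype>\S+) name=(?P<name>\S+)$"
)


def hostnames_by_client(log_text: str) -> Dict[str, List[str]]:
    """Distinct queried names per client, normalised (lower-case, no trailing dot).

    Repeated lookups (A and AAAA for the same name, cache refreshes) collapse
    into one entry, which is why a DNS log reads like a list of sites visited.
    """
    seen: Dict[str, set] = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        seen[m["client"]].add(m["name"].rstrip(".").lower())
    return {client: sorted(names) for client, names in seen.items()}


def registrable_domains(names: Iterable[str]) -> List[str]:
    """Collapse hostnames to their last two labels.

    This is a deliberate simplification: a real tool would consult the
    Public Suffix List so that e.g. a .co.uk name is not cut in the wrong place.
    """
    return sorted({".".join(n.split(".")[-2:]) for n in names})


if __name__ == "__main__":
    for client, names in hostnames_by_client(SAMPLE_DNS_LOG).items():
        print(client, "queried", names, "->", registrable_domains(names))
```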

DNS will give you away anyway. Mixing private and company hardware is a bad idea. Also, it’s almost impossible to have privately owned hardware managed and free from viruses. Let’s face it, they are used for porn and worse :).
If you can disable Pulse, it won’t send your stuff for that time. Maybe dual boot to keep things apart.