Hi y'all, I'm looking at some configuration from my previous colleague who abruptly left, and I'm just looking for opinions, so here goes.
Back story: MFA is enabled with geolocation on my tenant (Azure).
There is a SAML configuration with Global Protect in the Enterprise applications.
On my PAN firewalls, VPN is configured and SAML is part of the authentication process; works great.
BUT…
When staff decide to travel outside of the US, I find it a bit much to allow not only the country they are travelling to, but then I also have to add the region on the GlobalProtect portal/gateway to allow these countries. Is there something else I should do or change?
What's your organization's security policy? Do you have to allow access from the country they travel to? It would be best to come up with a list of specific regions users are permitted to connect remotely from and add only those regions to your access policies.
We use conditional access in Azure, user attempts to log into GP, gets the SSO login, gets denied unless a ticket is lodged with travel location and dates.
Takes a few moments to update the known countries CA policy and done.
An idea. Before a user leaves, make them install a dynamic DNS agent on their device. Register a dynamic DNS hostname for them that will get updated by that agent. On the firewall side, create an FQDN object with that DNS hostname and reference it in a security policy that's above your policies blocking GP access. That way, you can allow them to log in from the country, but not the whole country, just their current IP (discovered via the dynamic DNS, so no need to manually implement this if their IP changes).
Seeing this is a medical facility, we only allow Canadian access. But I'm finding I have to edit my conditional access policy on Azure because my GP is associated with SAML, and then I have to update the region on the portal or gateway.
It's a bit annoying every time some people travel to the US or UK; I have to change it. And no, I cannot leave the US on permanently; it's all temporary.
We have the same setup with Azure SAML and GlobalProtect and some traveling users. You can keep the enterprise application set to allow any country and control the allowed locations in PAN-OS. Even if they cleared authentication with the enterprise app, they still can't log in outside of your allowed regions.
Our firewall rules are set to only allow from our "normal countries" and a "custom region". We make traveling users provide their public IP when they get to their destination. Then we add them to the "custom region" in PAN-OS until their travel expires.
Enabling geofilters on the security policy allowing GP access really cuts down on the amount of drive-by attack attempts on GlobalProtect. I'd also look at using the TOR exit node EDL as a source for a block rule as well. Lastly, ensure you're blocking failed attempts by source. In a few environments, 3 incorrect logins and your source IP is blocked for anywhere from 30 minutes to an hour.
Reducing your attack surface on GP can pay dividends.
Any reason to not have it running on VPN users' computers all the time, not just out of country, so it can use their home address too, or the coffee shop or whatever?
Sorry, this is theoretical for me, I've never done it, just an idea. I suspect the downside is having to manage all those hostnames. Also I suspect it might hurt user experience, since it will take time for the dynamic DNS to update (both the client agent updating DNS and the firewall learning of the change) before they can connect.
Log forwarding profile with a rule to tag based on matching the GP brute force threat ID. Dynamic address group matching the tag. Security policy denying the dynamic address group. There is a knowledge base article outlining the process and tons of posts here discussing it.
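The "3 failed logins from one source, block it for 30 minutes to an hour" approach above, and the tag-then-dynamic-address-group mechanism in the last reply, as an added example that is not from any poster: it counts GP auth failures per source over a sliding window from constructed log lines (the log format, tag name and IPs are made up, not real firewall output) and builds the PAN-OS User-ID XML API register message that would stamp each offender with an auto-expiring tag a dynamic address group can match.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from xml.sax.saxutils import escape

# Constructed sample lines (not real PAN-OS log output): timestamp, source, outcome.
SAMPLE_LOGS = [
    "2024-05-01T10:00:05 src=203.0.113.7 event=gp-auth-fail user=alice",
    "2024-05-01T10:00:09 src=203.0.113.7 event=gp-auth-fail user=bob",
    "2024-05-01T10:00:14 src=203.0.113.7 event=gp-auth-fail user=carol",
    "2024-05-01T10:00:20 src=198.51.100.9 event=gp-auth-fail user=dave",
    "2024-05-01T10:31:00 src=198.51.100.9 event=gp-auth-fail user=dave",
    "2024-05-01T10:32:00 src=198.51.100.9 event=gp-auth-fail user=dave",
    "2024-05-01T10:40:00 src=192.0.2.4 event=gp-auth-ok user=erin",
]
LINE_RE = re.compile(r"^(\S+) src=(\S+) event=(\S+)")


def offending_sources(lines, threshold=3, window_min=30):
    """Return sources with >= threshold auth failures inside any window_min-minute span."""
    window = timedelta(minutes=window_min)
    failures = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3) != "gp-auth-fail":
            continue
        failures[m.group(2)].append(datetime.fromisoformat(m.group(1)))
    hits = set()
    for src, times in failures.items():
        times.sort()
        start = 0                       # sliding window over sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1              # drop failures that fell out of the window
            if end - start + 1 >= threshold:
                hits.add(src)
                break
    return sorted(hits)


def register_payload(ips, tag, timeout_s):
    """Build the <uid-message> body for the PAN-OS XML API (type=user-id) that
    registers each IP with `tag`; timeout makes the tag expire on its own, so the
    dynamic address group (and the deny rule matching it) releases the IP later."""
    entries = "".join(
        f'<entry ip="{escape(ip)}"><tag><member timeout="{int(timeout_s)}">'
        f"{escape(tag)}</member></tag></entry>" for ip in ips)
    return ("<uid-message><version>2.0</version><type>update</type><payload>"
            f"<register>{entries}</register></payload></uid-message>")
```

With the 30-minute window only 203.0.113.7 trips the threshold; 198.51.100.9 has three failures but spread over 31 minutes, which is the edge the window is meant to handle.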