Palo Alto Networks Knowledgebase: "Allow User to Disable GlobalProtect" option behavior on iOS devices

Created On 02/07/19 23:44 PM - Last Updated 02/07/19 23:44 PM
VPNs
Resolution


Overview

The GlobalProtect Portal configuration allows the user to define whether the GlobalProtect user can "disable" the GlobalProtect agent on the local machine.


From the WebGUI, go to Network > GlobalProtect > Portals > Client Configuration.


[Figure: 65709_pic_01.jpg, screenshot of the Portal Client Configuration page]


Symptom

If the option is set to "disabled," the user is not allowed to click the "Disable" option within the GlobalProtect agent. This configuration works as intended on PC, Mac and Android platforms.


There is a restriction for this option on iOS devices (iPhone, iPad) which prevents it from working. This is the expected behavior, and it is due to a limitation on how an app can interact with the operating system: the user can always disable the VPN connection from the global Settings menu, regardless of the GlobalProtect configuration.


In GlobalProtect version 2.2 and above there is one behavior change: the user can disconnect the VPN connection from the GlobalProtect client, but if the option mentioned above is set to "Disable," subsequent traffic will re-initiate the connection. However, the user can still disable the VPN through the system settings.


Workaround

Create different proxy policies within .pac files that will be pushed to users:

  • Create a URL hosting a .pac file, for example: http://
  • The <server_name> should resolve to a private IP within the corporate network (or when the client is connected to GlobalProtect Gateway)
  • <server_name> should resolve to a public IP if the client is not within the corporate network (using public DNS servers, which are not pushed by the GlobalProtect Gateway)
  • Depending on the DNS resolution, the .pac file will be fetched from a different server and will provide a different configuration.
  • The internally fetched .pac file will tell the client to forward all http(s) requests directly to the Internet; the externally fetched .pac file will force the client to redirect all traffic to a page asking the user to enable the GlobalProtect client VPN connection in order to have Internet access.
  • A proxy configuration can be pushed to the clients using an MDM solution.
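As an added example (not part of the original article), here is what the externally fetched .pac file from the workaround above can look like. The internally fetched file, served when <server_name> resolves to the private address over the tunnel, needs nothing more than `function FindProxyForURL(url, host) { return "DIRECT"; }`. All hostnames and the proxy address below are placeholders, not values from the article; the one design point that matters is the exemption list: the GlobalProtect portal and gateway (and the notice page itself) must stay reachable without the tunnel, or the client can never connect and the user is locked out.

```javascript
// External PAC file (placeholder values): steer every request to a proxy that
// serves an "enable GlobalProtect" page, except for the hosts the client must
// reach directly in order to bring the tunnel up.

// Hosts that must never be proxied. Assumed names; replace with the real
// GlobalProtect portal/gateway FQDNs and the host of the notice page.
var EXEMPT_HOSTS = [
  "gp-portal.example.com",   // placeholder: GlobalProtect portal
  "gp-gw1.example.com",      // placeholder: GlobalProtect gateway
  "vpn-notice.example.com"   // placeholder: page asking the user to enable the VPN
];

// Placeholder proxy that answers every request with the notice page.
// It has to be reachable from the public Internet, since the client is off-net.
var NOTICE_PROXY = "PROXY 203.0.113.10:8080";

// True when host is one of the exempt names or a sub-domain of one.
// (dnsDomainIs() is a PAC built-in, but it is not available when this file is
// run outside a browser, so the suffix match is written out by hand.)
function isExempt(host) {
  var h = host.toLowerCase();
  for (var i = 0; i < EXEMPT_HOSTS.length; i++) {
    var e = EXEMPT_HOSTS[i];
    if (h === e || h.slice(-(e.length + 1)) === "." + e) return true;
  }
  return false;
}

// Standard PAC entry point; the system calls it once per request.
function FindProxyForURL(url, host) {
  if (isExempt(host)) return "DIRECT";
  return NOTICE_PROXY;
}
```

Two practical notes: this is a nudge rather than an enforcement control, because the PAC is only honoured by apps that respect the system proxy setting and the user can alter the proxy configuration unless the MDM profile locks it; and since the proxy setting itself is pushed by MDM, the split-DNS name in the PAC URL is the only thing that has to differ between on-net and off-net, so the same profile works in both states.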


owner: nmarkovic

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CluYCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail