How to hide the GlobalProtect login URL (FQDN or IP/sslmgr) while allowing only a few users
Objective
Some security scanners can discover the GlobalProtect login page while scanning the firewall. Because this URL is "FQDN-or-IP-address/sslmgr", with the path ending in "sslmgr", the most common confusion is that the login page appears to display a process name.
We want to hide the GlobalProtect login page "FQDN or IP/sslmgr" and allow only a few IPs to access it.
Environment
- Palo Alto firewall
- GlobalProtect configuration
Procedure
To achieve our objective, we can create a custom URL category and use it in a security policy. In this article, we are blocking access to the pages 10.46.43.25/sslmgr and 10.46.43.25/global-protect/login.esp.
Please note the IP addresses can be replaced with the FQDN name such as "example[.]com/sslmgr."
Please follow the steps below to create the configuration.
- Create a custom URL category for the pages we want to block access to: GUI -> Objects -> Custom Objects -> URL Category -> Name -> <any name you like, such as GP-login-page-block>
- In the entry, click the "Add" button and add the full URLs for the GlobalProtect paths.
- <FQDN or IP/sslmgr>
- <FQDN or IP-address/global-protect/login.esp>
- Now create a security policy that denies everyone access to these pages except a few selected addresses.
- GUI -> Policy -> create a policy and give it a name.
- Under the Source address tab, add the addresses that are allowed to access the page. Once you have added the addresses, check the "Negate" box.
- Security policy -> User tab: select any. For the destination address, also select any.
- Security policy -> Application: also select any.
- Security policy -> Service/URL Category: select the custom URL category we created, 'GP-login-page-block'.
- Security policy -> Action: select deny.
- Now anyone who tries to access the page will be blocked, except the few IPs we have added in the Source tab: 10.47.125.7 and 10.101.102.96.
- Any other user from any other IP will be blocked and will receive the following message.
Additional Information
Note: sslmgr is used in GlobalProtect to fulfill OCSP and CRL query requests by daemons and the dataplane. sslmgr basically manages the Online Certificate Status Protocol and Certificate Revocation Lists, so disabling sslmgr is not an option, since it is expected behavior of GlobalProtect. /global-protect/login.esp is also part of the GlobalProtect portal.
In case you want to see the URL block page, you can use the same custom URL category and URL profile.
- Create the custom URL configuration as above
- Modify the custom URL action in a URL-profile
- Create the security policy and select the source IPs as above and select negate.
- Select the destination address as GP address.
- In the Action tab, select "allow", and under Profile select the URL profile that we have modified.
- Now any user (other than the IPs we have allowed) will be blocked.
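To confirm the deny rule from the Procedure section behaves as intended, the two paths can be probed from one allowed and one non-allowed source. The script below is an added example, not part of the original article or any Palo Alto tooling; its function names and the file name `gp_check.py` are hypothetical. It assumes the deny-action variant, because any HTTP answer, including a block page, is counted as "reachable".

```python
import ssl
import sys
import urllib.error
import urllib.request

# The two paths the article adds to the custom URL category.
GP_PATHS = ("/sslmgr", "/global-protect/login.esp")


def https_status(url, timeout):
    """Return the HTTP status code for url, or raise OSError if nothing answers."""
    # Certificate checks are off: this only tests reachability, sends no
    # credentials, and a portal probed by IP would fail hostname validation.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # an error page still means the portal answered


def probe(host, fetch=https_status, timeout=5):
    """Map each GlobalProtect path to 'reachable' or 'blocked' from this host."""
    results = {}
    for path in GP_PATHS:
        try:
            fetch(f"https://{host}{path}", timeout)
            results[path] = "reachable"
        except OSError:  # reset, refused, timeout, TLS failure
            results[path] = "blocked"
    return results


def mismatches(host, source_is_allowed, fetch=https_status):
    """Return the paths whose state differs from what the policy should give."""
    expected = "reachable" if source_is_allowed else "blocked"
    return {p: s for p, s in probe(host, fetch).items() if s != expected}


if __name__ == "__main__":
    # Usage: python gp_check.py <portal FQDN or IP> <allowed|denied>
    if len(sys.argv) != 3 or sys.argv[2] not in ("allowed", "denied"):
        sys.exit("usage: gp_check.py <portal> <allowed|denied>")
    wrong = mismatches(sys.argv[1], sys.argv[2] == "allowed")
    for path, state in wrong.items():
        print(f"MISMATCH {path}: {state}")
    sys.exit(1 if wrong else 0)
```

Run it once from an address in the negated source list with `allowed` and once from any other address with `denied`; a non-zero exit code means the policy is not doing what the procedure describes.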