How to disable the GlobalProtect portal login page from a web browser for Prisma Access managed by Strata Cloud Manager
Created On 02/03/25 03:05 AM - Last Modified 04/26/25 01:52 AM
Objective
- The goal is to disable the GlobalProtect portal login page for web browsers, either to reduce the exposed attack surface or to mitigate brute-force attacks against the GlobalProtect portal in Prisma Access.
- On Prisma Access managed by Panorama, and on Strata firewalls, this is a UI option (described in a separate article).
- Prisma Access managed by Strata Cloud Manager (SCM) currently offers no UI option to disable the portal login page for web browsers.
- The same end state can still be reached with the configuration change below: the portal login page becomes unusable from a web browser while connections from the GlobalProtect app are unaffected.
Environment
- Prisma Access - Cloud Managed (Managed by Strata Cloud Manager)
- SAML (Security Assertion Markup Language)
- GlobalProtect (GP) Portal
Procedure
- Create a SAML (Security Assertion Markup Language) authentication profile that is used only for the Browser OS, with its IdP (Identity Provider) configuration pointing at a domain that hosts no IdP, so that the redirect is guaranteed to fail. Do not attach a certificate profile to it.
- That "non-existent IdP" domain must be owned and controlled by the organization. Never enter a random or unregistered domain: anyone could register it, and the failed login would then send legitimate users to an attacker-controlled site.
- Place this Browser OS authentication method at the top of the list, above the other authentication methods, then push the configuration from Strata Cloud Manager.
- Anyone who opens the portal in a web browser is now redirected to that domain and the login fails (for example with an HTTP 404 from the owned host), which matches the effect of the portal disable option available on the other platforms.
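The following script is an added example, not tooling or configuration from Palo Alto Networks. It builds the minimal SAML 2.0 IdP metadata for the browser-only "sinkhole" profile described in the procedure, and checks it against the ownership rule from the second step: every URL must be HTTPS and must sit under a DNS zone the organization controls. It also models the top-down evaluation of authentication methods described above, so that a method list in the wrong order is caught before it is pushed. The domain names, entity ID, URL paths and the shape of the method list are illustrative assumptions; only the SAML namespace and binding URIs are real identifiers.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Added example, not Palo Alto Networks' tooling. The domain names, entity ID,
# paths and the {"name", "os"} method shape are assumptions for illustration;
# the SAML 2.0 namespace and binding URIs are the real standard values.
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
BINDINGS = (
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
)


def build_sinkhole_idp_metadata(entity_id: str, sso_url: str) -> str:
    """Minimal IdP metadata for the browser-only SAML profile.

    The SingleSignOnService Location is where browser users are redirected.
    It must be on a domain the organization owns and that host must serve no
    IdP, so the redirect fails (for example with an HTTP 404). No signing
    certificate is included because this profile is never meant to succeed.
    """
    ET.register_namespace("md", MD_NS)
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", {"entityID": entity_id})
    idp = ET.SubElement(
        root, f"{{{MD_NS}}}IDPSSODescriptor",
        {"protocolSupportEnumeration": SAML_PROTOCOL},
    )
    for binding in BINDINGS:
        ET.SubElement(
            idp, f"{{{MD_NS}}}SingleSignOnService",
            {"Binding": binding, "Location": sso_url},
        )
    return ET.tostring(root, encoding="unicode")


def _under_owned_zone(host: str, owned_zones) -> bool:
    """True if host equals an owned zone or is a subdomain of one."""
    host = host.lower().rstrip(".")
    zones = [z.lower().rstrip(".") for z in owned_zones]
    return any(host == z or host.endswith("." + z) for z in zones)


def check_sinkhole_metadata(xml_text: str, owned_zones) -> list:
    """Return the problems found; an empty list means the metadata is safe to push.

    Enforces the procedure's rule: every URL in the sinkhole profile must be
    HTTPS and under a zone the organization controls, so nobody can register
    the name and turn the failed login into a phishing page.
    """
    problems = []
    root = ET.fromstring(xml_text)
    urls = [root.get("entityID", "")]
    urls += [e.get("Location", "")
             for e in root.iter(f"{{{MD_NS}}}SingleSignOnService")]
    if len(urls) == 1:
        problems.append("metadata has no SingleSignOnService Location")
    for url in urls:
        parsed = urlparse(url)
        if not parsed.hostname:
            continue  # a non-URL entityID carries no host to check
        if parsed.scheme != "https":
            problems.append(f"{url}: scheme must be https, not {parsed.scheme!r}")
        if not _under_owned_zone(parsed.hostname, owned_zones):
            problems.append(f"{url}: host {parsed.hostname!r} is not under an owned zone")
    return problems


def first_matching_method(client_os: str, methods) -> str:
    """Name of the authentication method the portal would apply.

    Models the top-down evaluation described in the procedure: the first
    method whose OS equals the client's OS, or is "Any", wins. `methods` is an
    ordered list of {"name": ..., "os": ...} dicts (an illustrative shape).
    """
    for method in methods:
        if method["os"] in ("Any", client_os):
            return method["name"]
    return ""


if __name__ == "__main__":
    # Constructed sample configuration, not a real tenant.
    metadata = build_sinkhole_idp_metadata(
        "https://gp-sinkhole.example.com/idp", "https://gp-sinkhole.example.com/sso")
    print(metadata)
    print("problems:", check_sinkhole_metadata(metadata, ["example.com"]))
    ordered = [{"name": "browser-sinkhole", "os": "Browser"},
               {"name": "corp-saml", "os": "Any"}]
    print("browser gets:", first_matching_method("Browser", ordered))
    print("app on Windows gets:", first_matching_method("Windows", ordered))
```

Run the check before every push: a result other than an empty list from `check_sinkhole_metadata`, or a browser client that resolves to anything but the sinkhole method in `first_matching_method`, means the configuration would either leave the browser login page reachable or redirect users to a domain you do not control.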
Additional Information
- Do not apply this change if Clientless VPN is in use on Prisma Access: Clientless VPN requires the portal to be reachable from a web browser.
- The SAML profile must be built so that the redirect to the IdP fails because the IdP URL does not exist. Use a domain that the organization owns and controls, as stated in the second step of the procedure.
- Users connecting with the GlobalProtect app do not match the first (Browser OS) authentication method; they match the second one and authenticate exactly as before.
- The 404 behaviour is not seen when the user authentication method carries a certificate profile, that is, when authentication is configured as SAML AND client certificate: the portal asks for the client certificate before the SAML redirect is attempted, so browser users are stopped (or admitted) at the certificate check instead of at the sinkhole redirect.
- Strata Cloud Manager does not allow a certificate profile on one user authentication method and none on another: either every user authentication method carries the certificate profile or none of them does. The browser-only sinkhole profile therefore cannot be combined with SAML-plus-client-certificate authentication for the app.