GP Agent Settings QnA



This is the Q&A session from the GlobalProtect Agent Settings and CIS Controls Webinar presented by David Cumbow, Aaron McAllister, Shane Markley and Dan Smith. The webinar recording is available here: https://youtu.be/z9CSLiS9vI4

The Q&A questions are documented below.

Q: Why are we using Zoom given all the security vulnerabilities published about it recently?
A: Hi J Noble, a few reasons. We make sure to utilize all security controls provided by Zoom, including webinar passwords, encrypted sessions, and we have moderators during the webinar. I think many of the security concerns for Zoom come from the free version and misconfigurations. Thanks for your question!

Q: Can the NGFW perform an OCSP check for the cert?
A: Yes. Please see the following resource for additional detail - Controlling GlobalProtect VPN Access with OCSP: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIzCAK

Q: Is it possible to choose who sees HIP notifications based on group membership?
A: So, as it sits today, HIP notifications match on a HIP profile and corresponding HIP object(s). Within each HIP object you can optionally set checks for things like domain, OS, registry keys, certificates, etc. Although this approach doesn't directly map to group memberships, it could potentially provide a similar result. Please see the following resource for additional detail: https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/host-information/configure-hip-based-policy-enforcement.html Since HIP notifications are a gateway-level setting, another option you have is to configure one gateway for the groups that you do want to receive HIP notifications and another for those that you don't. A bit more involved, but it's an option.

Q: Prelogon is important if your endpoints have their Windows profiles stored on the server instead of the endpoint. With prelogon, the DC is already connected when the user logs in, so the profile can be found on the server. Without prelogon, the server is not present until the user connects via the client, so the user's profile is not available when she logs in.
A: Great point, Gene! Thanks for sharing.

Q: Is there a way to reserve IPs for MAC addresses from the client pool you specify in GlobalProtect?
A: Not directly from the GlobalProtect client pool, but assuming the firewall is also acting as the DHCP server, the desired outcome can be accomplished as described here: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClLaCAK

Q: Current recommended version of GP agent to use?
A: 5.1.1 is currently 'eTac preferred': https://live.paloaltonetworks.com/t5/Customer-Resources/Support-PAN-OS-Software-Release-Guidance/ta-p/258304

Q: PreLogin also allows new users to log in to a laptop out in the field for the first time, i.e. cached credentials aren't needed, it catches password updates, etc.
A: Another great point! Thanks, Carl!

Q: I have opened a TAC case for HIP Notification being triggered on Windows FW. However, I do not have that as one of the checks. Currently I am checking anti-malware for one HIP profile and the other is checking for disk encryption. What I am seeing is the one HIP object in AV is checking Windows Defender and seems to be linking to vendor Microsoft in the firewall, causing a false notification. I am on version 9.06. Thoughts?
A: Hi Eric, I have some thoughts on this, but no corresponding resource or artifact to provide, so I will follow up with you offline after this if that is ok.

