8. Global Protect Always On User-Logon and Pre-Logon configuration
So in this lecture we will see how to configure global protect to do pre logon. Basically what pre logon does is when the machine boots up it automatically connects to global protect. So we can achieve this by using the prelogon settings. Preloadon allows you to do is when the computer boots up it’s going to go ahead and connect using the computer authentication and then when the user logs on it’s going to switch to the user authentication which relies on the user certificate. You need to have a certificate template that will be issued for the user. You just need to create, manage and then duplicate the user, cert user and then duplicate it and then basically give it a name and then under subject name make sure you select common name and use principal name. And then in the security settings, give your global Protect users access to enroll and auto enroll.
And then after that in the group policy in the group policy, you just make sure that your group policy let me see. Your group policy domain. Group policy? You would have the user configuration has a certificate service, client, auto enrollment set up and an auto enrollment policy setup. Both are set up so exactly like we did with computer but for user. And then now we’re going to switch the portal from using computer authentication. We’re going to switch the agent settings to be using call this pre log on and then the applications we’re going to specify pre log on what’s always on, okay? And then authentication we’re going to remove the two factor because we’re going to rely on the certificate for authentication because if you put the two factor the computer cannot pre log on.
The user has to be there typing in. It’s not going to work. Basically we’re going to rely on a certificate for that and then let’s make sure another setting here we switch the app to user and machine authentication certificate stored, lookup user and machine and then click OK. The global protect portal is using the certificate profile for authentication and then the gateway is also going to be using the certificate profile for authentication and then go ahead and commit. And then commit. And then basically once you issue the certificate template, the user will have a certificate if they are connected and they refresh their group policy to make sure that the user has a certificate. You go to MMC and go to file Add, remove, snap in and under certificates, click Add and then current user here and then basically you will see on the personal there’s a certificate for the user.
Another thing is notice I cannot rediscover the network and the reason why is we’re using an authentication that require the user to type in something and then once we switch the certificate authentication we can do that automatically. We have that feature available to us. So I’m going to remove the username and password because right now I’m relying on a certificate and I click on Disconnect and I’m going to click on Connect. And now I’ll check the global protect gateway and see that the user authenticated is the computer still. But for it to work we probably need to go ahead and reboot right now. I did this so that they refresh the setting and see that the pre login is in place.
So we’ll go ahead and reboot the computer and then I’ll go ahead and clear that session log out. So if you notice you haven’t logged in yet. Let’s see if there’s a session established by dual refresh. I see the user type is pre log on and the computer authenticated. So computer authenticated automatically even though the user didn’t authenticate yet. So once user authenticate should switch to the user certificate for authentication. Go ahead and refresh. Let’s see what you see. You notice here rediscover network became available because there is no manual authentication required. And we see here now in this user authenticated.
So for pre log on you are utilizing both the user and computer authentication to validate the user connection and you’re authenticating both the user and the computer and having the computer automatically log on for you when the machine is outside your network. And anytime it boots up it’s going to be connected automatic to global protect as long as it has network connectivity. So that’s free log on always on and user log on always on is a different option. So let’s switch it to user log on always on. Go ahead and click OK and click OK and then commit. So we excluded the user authentication, the computer authentication at this time. So I’m going to go ahead and once it finished pushing I’ll rediscover the network and we’ll see what the impact of this is going to be rediscovered network.
We’ll see the scaling, its setting, then pre log on, then on demand value is no. So it basically removed the pre log on settings and basically got the configuration from the portal. Empty domain name, empty username. So let’s see now once this setting took place I’m going to go ahead and reboot and we’ll see what happens. So computer finish booting up. I probably wouldn’t see here any connection remote users there’s nobody logged in so the computer didn’t automatically log in. Let’s see when the user logs in refresh it’s still starting up. So Google product should come up anytime now. We see a retrieving configuration and connect thing. So let’s see what the connection is and we see it picked up the user certificate this time and it knows what the computer is.
9. Global Protect Pre-Logon with User Logon (on demand) configuration example
So in this lecture we will talk about the less connectivity method of the global protect client. We saw in the previous lecture the user log on and prelogon and they both relied on having the certificate available and for users auto login, whether they like it or not, it’s always on connectivity. In this lecture we will look at how to use the prelogon on with user log on. What pre logon with user logon allows you to do is when the computer boots up it automatically connects to global protect and this helps to take care of issues like updating computers and so on. And then when the user logs on it disconnects from the global protect and then uses the manual login for the user to log in if they want to.
And in order for you to set this up you need the different type of settings in the portal you need to have the pre log on, you need to have the first step which is user and group. User group type is Prelog on and that basically points to the gateway that has the certificate authentication and then set this up to pre log on then on demand and then you need to create another config for user log on. So you see here where it says this one has user and user group pre log on. So in the first one you have to set the user and user group pre log on. In the second one you have to put user log on but you have to point it to a different gateway because the authentication will be different. The authentication this time will be using the username and password.
The second factor authentication. So because of AWS limitation that the c three x large does only have four interfaces and we use pretty much the four interfaces management inside and DMZ. Then we are going to push to the client the address with a port 844343 and then we’re going to create a loopback interface and then so under interfaces create a loop back interface and give this loop back interface an IP address. So in my case I give it 172-31-2541. Okay and then I will create a net that net the outside interface port 8443. So service TCP port eight, four, three the outside interface of the firewall pointed to the lOOpc interface to port four, four, three and then configure under network gateways, a new gateway and then run this gateway on loop back one.
And then under the authentication put the GP two factor authentication profile and remove certificate profile. So here the GP two factor and then the agent I put it just to differentiate between the computer login and user login I created a terminal new tunnel interface tunnel 20. I give it an IP range of IP address of 192, 100 and 6200, 124. And the client settings, I assign them client settings of network settings of 1821, 6200 and ten through 250 and access to out is one, 72160, zero. Okay so everything is ready. You have the nap and adding to that interface. So it points to 8443 and then the portal basically pushes the decline. Two sets of configs, one for pre log on which points them to the gateway which is the address of the DNS, name of the interface, no port and then the user log on which gives the interface gateway interface with port eight, four, three.
So let’s test this out in the left. So here I’m going to restart the computer and we’ll see the pre log on. Let’s see here, this is the first gateway. There’s no user right. Now once the computer boots up it’s going to log in automatically using the first gateway which it will authenticate using certificate and authenticates using the computer certificate. So here the computer booted up. Let’s take a look here and see the remote users. You see the pre log on and the computer authenticated. And if I look at monitor system we see the user login succeeded, tunnel mode succeeded, pre log on, username pre log on and it’s authenticating using the certificate.
And then now I’m going to go ahead and log in to the computer which will basically disconnect the computer log on, the pre log on and we’ll keep your network. See you still connected refresh. And you’ll notice here that it’s going to disconnect in a minute. Now you see the icon disconnected in a fair refresh takes a minute. Here the computer log on disappeared and now the user can log on. So now basically log in with my two factor and should be logging in and I should see this under the other gateway which is the user log on. So this is hitting two birds with 1 st doing automatic log on for the computer and then give the user the choice to log in.
That’s another option. So the options recovered from the for now basically that’s required to be understood for the exam. The first the different authentication method are pre log on user log on which is always on for the user and this should have be a certificate pre log on which is always on for the computer, which starts with this computer logging in as it boots up and then on demand. That gives the user the ability to control when they’re going to connect. Then predog on then on demand will have the computer automatically log on. And then when the user logs on the computer gets disconnected and then the user has the free freedom whether to log on or not.
10. Global Protect HIP Check
In this lecture we will talk about Hip Checks. Hip Checks is the host information that you can use in policy enforcement. You’re going to collect information about the hosts that are connecting and based on this information you can make policy decisions. One of the requirements for you to be able to do this is that your system has to have a license. You should have the Global Protect Gateway license and the Global Protect Gateway license allows you to check the host information and make policy enforcement decision. For the Global Protect Hip checks you have two different things. You have the Hip objects, this allows you to craft certain things to check for and the Hip profile.
So under Hip objects you can create different Hip objects to check for certain things. When we click on add Hip object you have several criteria to check against operating system contains. Like for example you want to shift this to Microsoft Windows. And this is under host info. Patch management allows you to make decision based on patch management and firewall allows you to make a decision based on installed firewall and client antivirus allows you to make decision based on AV installed or not installed on the system and other criteria like anti spyware disk backup, disk encryption, data loss prevention and also you can add custom checks. So Hip object is the building block for us to set up a Hip profile that we can match against.
So under general here we can create a simple Hip profile here and let’s call this Hip profile EV installed. So we’re going to check for antivirus and then antivirus is installed. Real crime protection is on yes. And virus definition, you can specify virus definition to be within like seven days. And if you want to specify the vendor, you can specify the vendor, if not you can leave it. And we can use this as a Hip object. And then we’re going to create a Hip profile. The Hip profile will check against certain criteria and compliance. So in our case here we’re going to add a match criteria and this match criteria we’re going to use the object we created and we’re going to specify that AV is installed, click OK.
And then now we will go into our policy and we will go ahead and create a policy. So in our case when the user connects, they’re going to be coming in from the Tunnel 20 interface which belongs to Trust zone and we’re going to restrict them from accessing the internet completely by just creating a rule that restrict those who do not match that profile. So in here we’re going to say Gpcompliant users and we’re going to specify the discount from the trust and the metro range of the Global Protect pool destination on trust and any on the untrust. And then under user we’re going to check for select Hit profile and basically this would require compliance.
They have to match that required compliance and when they match it they’re going to be allowed access because we’re going to create a rule here that will allow them access. So we put this up top. If the rules are processed, top down and basically if they hit the required compliance and they hit this rule they don’t match, we have to deny them. Otherwise they’re going to be allowed by the following rule. So we can add another rule here says GP compliant noncompliant users and in that case same source which the IP range of the global tech and destination untrust. And we are going to deny them because they don’t have compliance, they don’t have an AV and we are going to log at session start because this is a deny. So top down.
The users that connect that are compliant are going to be allowed Internet access. Users that do not match that Hip profile will be basically denied access and we’re going to deny them complete access to any application, any service board, not just the default. Now in that case when user connects they’re going to try to access the internet. They will be not allowed. However, you don’t want to leave the user in the dark so you want to give them a message letting them know that you will not have access. So you do this by going to the Globe Protect Gateway configuration. Going to go to the Globe Protect configuration, Globe Protect Gateway and click on Agent, click on Hip notification and this will allow you to create a Hip notification.
So because they don’t match our required compliance Hip profile, we want to send them a message, let them know hey, you’re going to have restricted access. So required compliance here and then enable and we’re going to specify a message say your system did not meet compliance and will not have network access. This is just an example and click OK and then click okay, let’s commit this configuration. And now on the client we’re going to go ahead and connect and see if we are able to access the internet and see if we can get the message. And I’m going to look at the logs here. It’s connected right now, I didn’t get the message yet, but here is the message pop up and it will tell the user your system did not meet compliance and will not have Internet access.
If I tried to access the internet, we’ll get it denied. I’m going to use Internet Explorer and here it’s trying to connect and we should see here under Monitor get denied, drop deny and policy deny. This is GP non compliant users. So it’s at least at both. We see the user logging in and we see the connection succeeded but the user traffic is getting dropped because they don’t match the compliance requirement which is having an AV installed on the system. And they also get a message because you configured the gateway. If they do not match the required compliance Hip profile that they will get notified that the system doesn’t meet compliance and they will not have internet access.
Now because I don’t want to install the AV on this machine, I’m going to simplify that object check that we’re doing to allow this host to connect and see the difference. So if we go here under or AV installed the Hip object that we configure, I’m going to specify host information. OS contains Microsoft all any Microsoft go ahead and remove the AV check. And so now basically it just checks for the operating system to be Microsoft and Hit profile is still matching AV install which now just check for operating system just for us to see what happens when the machine is compliant and then we’re going to go ahead and commit that and we’re going to go ahead and click Connect.
And if your host profile matches you should see your information in the Hip match logs and basically that means you are a match. And if we look at when you look at the Hip match it will basically show you all the collected information about the client. We only check in to see if Microsoft Windows is installed it’s operating system as Microsoft Windows so we should be able to access the Internet now. And now we’re able to access the Internet. If I go to monitor traffic, you see here the username and you see it’s matching the GP compliant users now, not the GP non compliant users which it was matching earlier when we check in for the AV. The Hip check is a powerful tool for you to do some network admission control and restrict users based on their host information. And it’s utilized heavily for network admission control out in the field.