Remove Global Protect Client download option from Portal page

For compliance reasons I have to set up GlobalProtect so that it only allows Windows clients to log in. This can be done with HIP checks.

But I would also like to remove the option to download the Mac client from the GP Portal page. Is this possible to configure anywhere?

It can also be done by only assigning a Windows entry in your agent config. No HIP check needed.

Nope

We asked PA a while back and it’s not on the table right now.

Even better, you can access that page unauthenticated with the URL…

I haven’t been able to find how to block the specific OS version, but it doesn’t matter, as the whole page is blocked for compliance.

We created this config to block the download page entirely. This script is from the command line but can be done in the GUI. As mentioned, you can remove GP client from the firewall as well.

set profiles custom-url-category block-gp-sw-page type "URL List"

set profiles custom-url-category block-gp-sw-page list [ *.example.com/global-protect/getsoftwarepage.esp *.example.com/global-protect/getmsi.esp ]

set rulebase security rules Block-GP-SW-Page to Internet

set rulebase security rules Block-GP-SW-Page from Internet

set rulebase security rules Block-GP-SW-Page source any

set rulebase security rules Block-GP-SW-Page destination any

set rulebase security rules Block-GP-SW-Page source-user any

set rulebase security rules Block-GP-SW-Page category block-gp-sw-page

set rulebase security rules Block-GP-SW-Page application any

set rulebase security rules Block-GP-SW-Page service application-default

set rulebase security rules Block-GP-SW-Page hip-profiles any

set rulebase security rules Block-GP-SW-Page action deny

set rulebase security rules Block-GP-SW-Page rule-type intrazone

set rulebase security rules Block-GP-SW-Page description "Block access to GlobalProtect software download page"

set rulebase security rules Block-GP-SW-Page disabled no

move rulebase security rules Block-GP-SW-Page top
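Added example, not part of the original post or of any Palo Alto Networks tooling: a small Python check that reads set-format commands like the ones above and reports whether the block rule is still a deny, enabled, moved to the top, and matching a URL category that lists both download paths. The names `parse_set_commands`, `audit`, `REQUIRED_PATHS` and `SAMPLE` are hypothetical, and the sample input is constructed from the lines in the post.

```python
import shlex

# The two download paths the thread's URL category is meant to cover.
REQUIRED_PATHS = ("/global-protect/getsoftwarepage.esp", "/global-protect/getmsi.esp")

def parse_set_commands(text):
    """Parse 'set'/'move' lines into ({path tuple: [values]}, [move tuples])."""
    settings, moves = {}, []
    for line in text.splitlines():
        # Normalise typographic quotes that forum software substitutes.
        tokens = shlex.split(line.replace("“", '"').replace("”", '"'))
        if tokens[:1] == ["move"]:
            moves.append(tuple(tokens[1:]))
        elif tokens[:1] == ["set"] and "[" in tokens:
            i = tokens.index("[")
            settings[tuple(tokens[1:i])] = [t for t in tokens[i + 1:] if t != "]"]
        elif tokens[:1] == ["set"] and len(tokens) > 2:
            settings[tuple(tokens[1:-1])] = [tokens[-1]]
    return settings, moves

def audit(text, rule="Block-GP-SW-Page"):
    """Return a list of findings; an empty list means the block rule looks complete."""
    settings, moves = parse_set_commands(text)
    base = ("rulebase", "security", "rules", rule)
    findings = []
    if settings.get(base + ("action",)) != ["deny"]:
        findings.append("action is not deny")
    if settings.get(base + ("disabled",)) == ["yes"]:
        findings.append("rule is disabled")
    if base + ("top",) not in moves:
        findings.append("rule is not moved to the top")
    urls = []
    for cat in settings.get(base + ("category",), []):
        urls += settings.get(("profiles", "custom-url-category", cat, "list"), [])
    for path in REQUIRED_PATHS:
        if not any(u.endswith(path) for u in urls):
            findings.append("no category entry for " + path)
    return findings

# Constructed sample: the security-relevant lines of the config posted above.
SAMPLE = """\
set profiles custom-url-category block-gp-sw-page list [ *.example.com/global-protect/getsoftwarepage.esp *.example.com/global-protect/getmsi.esp ]
set rulebase security rules Block-GP-SW-Page category block-gp-sw-page
set rulebase security rules Block-GP-SW-Page action deny
set rulebase security rules Block-GP-SW-Page disabled no
move rulebase security rules Block-GP-SW-Page top
"""

if __name__ == "__main__":
    print(audit(SAMPLE) or "block rule covers both download paths")
```

It only inspects the command text it is given; it does not confirm that the commands were committed or that the rule is actually being hit.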

100% agree with Marx1 on everything

It looks to be only binary, all download off or on, but you can modify the login, welcome and home pages. Customize the GlobalProtect Portal Login, Welcome, and Help Pages

Did not think about that, that would probably be easier. Thanks for the tip.

You can always turn the page off…

OK, then I can stop looking. Thanks for the info.

So you can get to the download by using the URL of the file? Is that logged?

This works, great solution. Do it in the GUI, very easily.

I still want to use it to distribute the Windows client.

Haven’t seen that option yet (and support didn’t know how). Got a TL;DR guide/link?

I would be really interested in this…

Just as a traffic hit, unless you have URL filtering turned on inbound. Might be able to match it based off bytes sent/received though (x # m)

Understood, as this configuration will disable the installation/upgrade of the GP client. This will work if you push the client or client upgrades via an MDM or similar.

Jeff

Under your portal configuration - “portal login page” set it to disable.

That doesn’t disable the ‘getsoftware’ page. And it is still accessible unauthenticated.

https:///global-protect/getsoftwarepage.esp

You can set up a download redirect to just point to some external site, like your website, to “disable” downloads. Small steps…

set global-protect redirect on

set global-protect redirect location

Unless you know the specific URL to get the software (i.e. unless it’s bookmarked/saved), it does the job. The only use for the portal web page IS to show you the get software page.

You could also try removing GP from the firewall, and rely on installing it from 3rd party sources only.

global-protect/getsoftwarepage.esp

Nice tip. One of our audits required us to disable the WAN facing login page. I had to set up an internal portal address to fetch the client so I can run an automation to update clients.