©2012, Palo Alto Networks, Inc.

Client Configuration

Client configuration controls most of the behavior of the GP client.

Source User
This supports user- or group-specific configuration, giving more granular control over which users get which portal config. The admin can specify users or groups.

Root CA list
This configures the CA list that the GP client should use to verify the server certificate. If the server uses a self-signed certificate, nothing needs to be configured in the Root CA list.

Gateways
The internal and external gateways are defined here. For internal gateways, the GP client can establish a tunnel to ONE of the internal gateways and sends HIP check/report messages to all internal gateways. For external gateways, the GP client always measures the latency of each external gateway and selects the best one to establish a tunnel. The priority attribute can be used to make the GP client favor a gateway that has a LOWER priority value (1 is the highest priority and 5 is the lowest).

Internal Host Detection
Internal Host Detection provides hints that let the GP client determine quickly whether the PC is inside or outside the office. If it is not configured, the GP client will always try to connect to each internal gateway first. If it fails to connect to any internal gateway, or if there is no internal gateway defined, it will then attempt to connect to the best external gateway. The admin should try to set internal host detection, as it speeds up tunnel establishment.

On Demand
If checked, this changes the GP client to on-demand mode. The user has to use the “Connect” menu item to tell the GP client to establish a tunnel. Note that internal host detection IS IGNORED in on-demand mode: the GP client will always try internal gateways first, followed by external gateways. It is definitely NOT a good idea to set up both internal and external gateways for on-demand mode. The most common use case is to configure a single external gateway for on-demand mode, simulating NetConnect functionality.

Use Single Sign On (for Windows only)
If enabled, the Windows GP client will try to use the Windows login credential to authenticate the user. Note that the user must log off once after installation before the GP client can use SSO.

Third Party VPN
The admin can specify the substring of the supported third party VPN clients that the GP client should allow to run simultaneously. If split tunneling is used for GlobalProtect (not common), the GP client will increase the metric of its own routes to let the OS favor the third party VPN client’s access routes. If only a default route is set for GlobalProtect, the GP client will only increase its own metric if the third party VPN client also uses a default route.

Data Collection
The admin can specify which categories should be excluded from HIP report collection (to save CPU cycles and improve response time on the client) as well as which custom checks to collect. The custom checks are case insensitive. The maximum wait time specifies how long the GP client can take to collect the HIP information from the client PC. A value of 60 seconds is a good start for most PCs.
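The caveats above (on-demand mode, internal host detection, priority values, Root CA list) can be checked mechanically before a client configuration is pushed. The following is an added example, not Palo Alto Networks code: the dictionary layout, every key name and the sample values are hypothetical and do not reflect the PAN-OS configuration schema.

```python
# Added example: lint one portal client configuration against the caveats
# stated in the text. Key names are hypothetical, not the PAN-OS schema.

def lint_client_config(cfg):
    """Return a list of warning strings for one client configuration dict."""
    warnings = []
    internal = cfg.get("internal_gateways", [])
    external = cfg.get("external_gateways", [])
    on_demand = cfg.get("on_demand", False)
    ihd = cfg.get("internal_host_detection")

    # The text calls this combination "definitely NOT a good idea".
    if on_demand and internal and external:
        warnings.append("on-demand: both internal and external gateways defined")
    # Internal host detection is ignored in on-demand mode, so the setting is dead.
    if on_demand and ihd:
        warnings.append("on-demand: internal host detection is ignored")
    # Without the hint, the client tries each internal gateway first.
    if not on_demand and internal and not ihd:
        warnings.append("no internal host detection: each internal gateway "
                        "is tried before any external gateway")
    # Priority runs from 1 (highest) to 5 (lowest).
    for gw in external:
        prio = gw.get("priority")
        if prio is not None and not 1 <= prio <= 5:
            warnings.append(f"{gw.get('name', '?')}: priority {prio} outside 1..5")
    # Only a self-signed server certificate needs no Root CA entry.
    if not cfg.get("root_ca_list") and not cfg.get("server_cert_self_signed", False):
        warnings.append("server certificate is CA-issued but Root CA list is empty")
    return warnings

# Constructed sample: on-demand mode misconfigured in every way the text mentions.
SAMPLE_BAD = {
    "on_demand": True,
    "internal_gateways": [{"name": "gw-int"}],
    "external_gateways": [{"name": "gw-ext", "priority": 7}],
    "internal_host_detection": {"ip": "192.0.2.10", "hostname": "probe.example.internal"},
    "root_ca_list": [],
    "server_cert_self_signed": False,
}
# Constructed sample: the "most common use case", a single external gateway on demand.
SAMPLE_GOOD = {
    "on_demand": True,
    "external_gateways": [{"name": "gw-ext", "priority": 1}],
    "root_ca_list": ["Example Root CA"],
}

if __name__ == "__main__":
    for line in lint_client_config(SAMPLE_BAD):
        print("WARN", line)
```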