Forescout eyeExtend Connect GlobalProtect App README.md Version: 1.2.1
Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.Forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191 Support: 1.708.237.6591
- Refer to the Technical Documentation page on the Forescout website for additional documentation: https://www.Forescout.com/company/technical-documentation/
- Have feedback or questions? Write to us at documentation@forescout.com
© 2020 Forescout Technologies, Inc. All rights reserved. Forescout Technologies, Inc. is a Delaware corporation. A list of our trademarks and patents can be found at https://www.Forescout.com/company/legal/intellectual-property-patents-trademarks. Other brands, products, or service names may be trademarks or service marks of their respective owners.
The App gathers information about the users and endpoints connected to GlobalProtect servers. Users can also use policies or actions to disconnect a user from the GlobalProtect server. The App uses the admin management interface to access the GlobalProtect server.
The App supports:
- PANOS 8.1
- Forescout CounterACT 8.2
- Forescout eyeExtend Connect 1.1
- See license.txt file for license information
You can refer to the Forescout eyeExtend Connect Module: Connect Application Building Guide, in particular the sections on "Define system.conf File" and "User Interface Details".
The user can add a GlobalProtect server to the App.
- Server name shall be the GlobalProtect server in "https://" format
- User shall be an admin that can access GlobalProtect web APIs via the management interface
- Password shall be the admin password that can be used to acquire a token for the web API calls to the GlobalProtect server
- User can test the device by clicking the TEST button after applying changes.
- User can add multiple devices; each needs to be unique and have a dedicated focal appliance.
Each device shall run on one dedicated focal appliance.
- User can set a rate limiter for the number of API calls allowed to the GlobalProtect server per unit of time.
- The default in the App allows up to 100 API calls per second.
- Range is 1 to 1000 API calls.
- Certification validation
- Authorization
- Rate limiter
- Test is enabled by default.
- Device info needs to be saved (applied) before the test can run successfully.
- User can import the GlobalProtect Connect App via the eyeExtend Connect module
- The App file shall look like GlobalProtectApp.ECA, which is signed
- User can start and stop the GlobalProtect App
- When the App is stopped, all property resolution, actions, and policies are suspended.
- User can remove the App if it is no longer needed
- User needs to delete the GlobalProtect policy first to remove the App.
- There are two default GlobalProtect Templates: GlobalProtect Policy and GlobalProtect HIP Policy
- After importing the App, the policy can be found under Policy > Add > GlobalProtect > GlobalProtect Policy / GlobalProtect HIP Policy
- User can use the default policy to resolve properties from the endpoint on a schedule.
- User needs to define rules to disconnect a user from the GlobalProtect server.
There are a few properties gathered from the GlobalProtect server for the endpoint.
- GlobalProtect User's Domain
- GlobalProtect Computer Name
- GlobalProtect IP Type
- GlobalProtect User
- GlobalProtect Gateway
- GlobalProtect Client Type, such as: Microsoft Windows 7 Ultimate Edition Service Pack 1, 64-bit
- GlobalProtect Public IP
- GlobalProtect HIP Anti-Malware
- GlobalProtect HIP Disk Backup
- GlobalProtect HIP Disk Encryption
- GlobalProtect HIP Firewall
- GlobalProtect HIP Patch Management
- GlobalProtect HIP Missing Patches
User can disconnect a connected GlobalProtect user from the endpoint. If the user is disconnected from GlobalProtect, some endpoint properties can't be resolved. The error indicates that the user is disconnected.
The disconnect user action is a one-time action. The user needs to reconnect to the GlobalProtect server for the resolve and disconnect actions to work properly again.
There are five scripts and two library files.
- globalprotect_disconnect_user.py User can disconnect a connected user from GlobalProtect.
- globalprotect_resolve.py User can get the GlobalProtect properties of an endpoint.
- globalprotect_test.py User can test the connection to GlobalProtect server with defined device.
- globalprotect_discovery.py User can enable discovery on a specified period to poll endpoint properties. Default is 4 hours.
- globalprotect_hip_resolve.py User can get the GlobalProtect Host Information Profile (HIP) data of an endpoint.
- globalprotect_library.py Library file used by the scripts.
- globalprotect_hip_library.py Library file used by the scripts for extracting HIP data.
A new checkbox "Syslog GlobalProtect Client Discovery Enabled" is added in the server panel. To use the integration with PANOS syslog and allow Forescout to get the GlobalProtect server via syslog info, the Forescout Syslog plugin must be enabled with GlobalProtect log parsing. When "Syslog GlobalProtect Client Discovery Enabled" is enabled, the GlobalProtect server retrieved by syslog is used to query and update client data.
- If the GlobalProtect server cannot be retrieved, the GlobalProtect server on the GlobalProtect Connection panel is used.
- For discovery and test, only GlobalProtect server specified on the GlobalProtect Connection panel is used.
- When the user on an endpoint is disconnected from GlobalProtect, an error during resolve indicates that the user might be disconnected. The disconnect user action shall also fail on a disconnected endpoint.
- User on the endpoint needs to reconnect to GlobalProtect to resolve properties or take actions correctly again.
- The Disconnect User action will only work if GlobalProtect (VPN) is prevented from trying to establish a connection again. The GlobalProtect admin should not set up "user-logon (Always-on)" as the connect method.
This App is bundled with a license.txt file. Please review the license.txt file.
In the disconnect action, if the user name, computer name or gateway portal contains special characters, such as an apostrophe, the URL carrying that content was not escaped correctly. This is fixed in 1.1.1.
Support for a user connecting to GlobalProtect via multiple gateways and from multiple hosts.
Added HIP data visibility to the GlobalProtect App
Fixed an issue with disconnect action failing when a GlobalProtect endpoint was missing a domain
Modified the API call ip-user-mapping to improve performance
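The escaping fix noted for 1.1.1 above, shown as an added example that is not the App's own code: user, computer and gateway values are XML-escaped and then percent-encoded before they go into the request URL. The command layout, the `/api/?type=op&cmd=` query shape, the host name and the sample values are assumptions constructed for illustration, authentication is omitted, and the sample also covers `&` and `<` in addition to the apostrophe the note names.

```python
from urllib.parse import urlencode, urlsplit, parse_qs
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# Assumed command layout; the App's real request is not shown on the page.
TEMPLATE = ("<request><global-protect-gateway><client-logout>"
            "<gateway>{gateway}</gateway><user>{user}</user>"
            "<computer>{computer}</computer>"
            "</client-logout></global-protect-gateway></request>")

# Constructed sample values containing characters special to XML and URLs.
SERVER = "https://gp.example.test"
GATEWAY, USER, COMPUTER = "GW-1", "o'brien & sons", "LAB<01>"


def naive_url(server, gateway, user, computer):
    """Unescaped form: raw values are concatenated straight into the URL."""
    cmd = TEMPLATE.format(gateway=gateway, user=user, computer=computer)
    return f"{server}/api/?type=op&cmd={cmd}"


def escaped_url(server, gateway, user, computer):
    """XML-escape each value, then percent-encode the whole query string."""
    cmd = TEMPLATE.format(gateway=escape(gateway), user=escape(user),
                          computer=escape(computer))
    return f"{server}/api/?" + urlencode({"type": "op", "cmd": cmd})


def received_fields(url):
    """Decode the URL as a receiver would; None if the command is malformed."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    cmd = query.get("cmd", [""])[0]
    try:
        root = ET.fromstring(cmd)
    except ET.ParseError:
        return None
    node = root.find("./global-protect-gateway/client-logout")
    return {child.tag: child.text for child in node}


if __name__ == "__main__":
    # Naive URL: the '&' in the user name splits the query, truncating cmd.
    print(received_fields(naive_url(SERVER, GATEWAY, USER, COMPUTER)))
    # Escaped URL: every field arrives exactly as supplied.
    print(received_fields(escaped_url(SERVER, GATEWAY, USER, COMPUTER)))
```
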