After much discussion we will let the firewall VPNs do their jobs. ☺ Basically they wanted to know ahead of time before moving to the Palo. The ASA never had the NAP turned on, so users could come in unprotected if they could have gotten the settings on the AnyConnect correct. We have required that all mobile (VPN) users bring in their device and have a hands-on approach to validating the antivirus is installed and up to date. Thanks all.

From: [email protected] [mailto:[email protected]] On Behalf Of Don Ely
Sent: Wednesday, May 17, 2017 9:36 AM
To: [email protected]; Patch Management Mailing List ([email protected])
Subject: Re: [NTSysADM] software inventory over vpn tunnel

And yes, it is preferred to have a machine checked BEFORE it's allowed on the network...

On Wed, May 17, 2017 at 6:34 AM Don Ely <[email protected]> wrote:

What's their reasoning? The ASA AnyConnect feature was designed for it. As were the Palo Global Protect features. I've configured both at my gig and it works well. We check for AV, defs up to date, and a machine cert to validate it's a company-owned device.

On Wed, May 17, 2017 at 6:17 AM David McSpadden <[email protected]> wrote:

Would like to check for antivirus on an endpoint after they have connected to my ASA VPN. Terminate the tunnel if the inventory does not meet requirements, or at least notify admins of a potential issue. What I am thinking of is like a NAP, but my firewall guys would like it not on the ASA or the Palo when they migrate to it? Isn't it best to have the NAP on the firewall and let it do the work prior to actually connecting to SCCM or Active Directory?

David McSpadden
Systems Administrator
Indiana Members Credit Union
P: 317.554.8190 | F: 317.554.8106
http://imcu.com/

This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited. Please consider the environment before printing this email.
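A reduced posture-policy evaluator for the checks Don describes (AV present, definitions current, company-issued machine certificate) with the terminate-or-notify outcome David asks for, added here as an example; it is not AnyConnect HostScan, GlobalProtect HIP, or any code from the thread, and the definition-age threshold, issuer name and posture fields are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed policy values (assumptions, not from the thread).
MAX_DEF_AGE_DAYS = 3                          # AV definitions older than this are "stale"
CORP_CA_ISSUER = "CN=Example Corp Device CA"  # placeholder issuer of the machine cert


@dataclass
class Posture:
    """What a VPN client would report about the endpoint (constructed shape)."""
    av_installed: bool
    av_def_date: Optional[date]           # date of the newest AV definitions
    machine_cert_issuer: Optional[str]    # issuer DN of the presented machine cert
    machine_cert_expires: Optional[date]  # notAfter of that cert


def evaluate(p: Posture, today: date) -> Tuple[str, List[str]]:
    """Return ('allow' | 'notify' | 'terminate', findings).

    Hard failures (no AV at all, no company cert, expired cert) terminate the
    tunnel; the only soft failure (stale definitions) lets the session stay up
    but flags it for the admins, matching the "terminate or at least notify"
    requirement in the thread.
    """
    hard: List[str] = []
    soft: List[str] = []

    if not p.av_installed:
        hard.append("no antivirus installed")
    elif p.av_def_date is None or (today - p.av_def_date).days > MAX_DEF_AGE_DAYS:
        soft.append("antivirus definitions out of date")

    if p.machine_cert_issuer != CORP_CA_ISSUER:
        hard.append("no company-issued machine certificate (not a company device?)")
    elif p.machine_cert_expires is None or p.machine_cert_expires < today:
        hard.append("machine certificate expired")

    if hard:
        return "terminate", hard + soft
    if soft:
        return "notify", soft
    return "allow", []


def admin_report(name: str, p: Posture, today: date) -> str:
    """One line an admin notification could carry for a session."""
    decision, findings = evaluate(p, today)
    detail = "; ".join(findings) if findings else "posture ok"
    return f"{name}: {decision} ({detail})"
```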

