GlobalProtect, FortiClient, AnyConnect, etc. hand-in-hand with

Firewalls are foundational. I’ve only ever set up a Cisco Virtual ASA, but it gave me a newfound respect for the folks who do this daily. I’m sure the process is similar-ish whether you’re using a Palo Alto NGFW, Fortinet, F5, etc. The point is, that although they can be complex, NGFWs and VPNs are and will be critical to companies worldwide.

Yeah, the “Kill The VPN” campaigns aren’t exactly realistic.

I believe that there’s a balance. Even when we release dope.private_access, it might reduce cost and reliance, but it’s not going to kill the VPN. Let’s be real, it’s very difficult to expect a massive bank or complex organization to completely cut over given a company’s competing priorities.

It doesn’t even have to be a big company: imagine someone attempting to analyze all applications that users access through the VPN, building the priority list by app-user combo, then deploying the necessary app connectors to facilitate the agent-to-app-connector connection.

Even after this best-case effort, you can’t just dump VPN entirely, because someone might still need to use it for an uncommon app. Is it worth it? Yes/no, one could make a persuasive case either way.

So, why is dope holding hands with VPNs?

Whether you use ZTNA/Private Access yet or not, if you're reading this you probably have to use a VPN at work. 

But, what we have seen is a pretty typical situation:

In situation 1, the user is in the office (or on VPN), and so there is some control and visibility at the firewall level. This typically includes DNS filtering, or some URL Filtering with SSL inspection.

In situation 2, the user disconnects or leaves the office, and now, the device and user are free to do whatever they want!

Believe it or not, this situation is pretty common around the world at public companies, banks, and small/big companies. It’s a security gap that hasn’t been an easy problem to solve…

Great, so what do I do?

Well, you have three options:

  1. Buy and configure an always-on VPN, like Palo Alto Prisma Access ($,$$$,$$$ 💰💰💰)
  2. Buy and configure a stopover SWG, like Zscaler ($,$$$,$$$ + Internet Re-routing Frankenstein when VPN is turned on, as you VPN to FW then proxy to Stopover POP 🤮 + Slow HTTP/1.1 + Slow/Unreliable when Off-VPN)
  3. Buy dope.swg with zero configuration, and you are Flying Direct on Day 1; no nonsense and no big $$$

(p.s. if you don’t believe me on (2) just drop Rohit (CISO Yext) a message as this was a nightmare for him ☠️)

Of course, I am slightly biased, but it begs the question:

Why is this so easy with dope?

It comes down to our Fly Direct architecture. Remember, the dope.endpoint is an ***on-device*** HTTP/2 SSL Inspection proxy that auto-updates and you can update policy in real-time through the cloud console.

As you guessed, the key is that it’s on-device. When you access the Internet, whether that’s through Wi-Fi, VPN, ethernet, or Personal Hotspot, the traffic is first re-routed to the local on-device proxy, the company policy is enforced based on your SSO user, and *only then* is it sent through the network (read: VPN / Corp Network).

The result is exactly equal protection and visibility both on-VPN and off-VPN. It’s like magic! There are no special bypasses, IP bypasses, etc. needed. And yes, this works beautifully with both Full-Tunnel and Split-Tunnel VPNs.
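To make that ordering concrete (decide on the device first, then hand the bytes to whatever network sits underneath), here is an added example that is not dope’s code and is not how dope.endpoint is implemented: a minimal local forward proxy in Python. It deliberately simplifies what the post describes: it handles plain HTTP/1.1 and CONNECT tunnelling with no TLS inspection, takes its policy decision from the hostname in the request line, and hard-codes the SSO identity plus the policy and category tables so it runs offline. POLICY, CATEGORIES, decide, parse_request_line, block_response and handle are all assumed names invented for this illustration.

```python
"""Minimal on-device policy-enforcing HTTP forward proxy (illustration only)."""
import asyncio
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample policy keyed by SSO identity. In a real deployment the
# identity would come from the device's SSO session and the policy from a
# cloud console; both are hard-coded here so the example runs offline.
POLICY = {
    "alice@example.com": {"blocked_categories": {"gambling"}},
    "bob@example.com": {"blocked_categories": {"gambling", "social"}},
}

# Constructed sample URL-category table (stand-in for a categorisation feed).
CATEGORIES = {
    "bet.example": "gambling",
    "social.example": "social",
    "intranet.example": "business",
}


@dataclass
class Decision:
    allow: bool
    reason: str


def classify(host: str) -> str:
    """Map a hostname to a category; unknown hosts are 'uncategorized'."""
    return CATEGORIES.get(host.lower(), "uncategorized")


def decide(user: str, host: str) -> Decision:
    """Policy decision taken on the device, independent of which interface
    (Wi-Fi, VPN, hotspot) the request will later leave through."""
    rules = POLICY.get(user)
    if rules is None:
        return Decision(False, "no policy for unknown user")  # fail closed
    category = classify(host)
    if category in rules["blocked_categories"]:
        return Decision(False, f"category '{category}' blocked for {user}")
    return Decision(True, f"category '{category}' allowed for {user}")


def parse_request_line(line: str):
    """Parse 'METHOD target HTTP/x.y' into (method, host, port).

    CONNECT carries 'host:port' (a TLS tunnel request); other methods carry an
    absolute URL because clients send absolute-form targets to a forward proxy.
    """
    method, target, _version = line.strip().split(" ", 2)
    if method == "CONNECT":
        host, _, port = target.partition(":")
        return method, host, int(port or 443)
    parts = urlsplit(target)
    return method, parts.hostname or "", parts.port or 80


def block_response(reason: str) -> bytes:
    """Plain-text 403 returned to the browser when policy denies the request."""
    body = f"Blocked by device policy: {reason}\n".encode()
    head = ("HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n")
    return head.encode() + body


async def _pipe(reader, writer):
    """Relay bytes one way until EOF, then close the writing side."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    except ConnectionError:
        pass
    finally:
        writer.close()


async def handle(client_reader, client_writer, user: str = "alice@example.com"):
    """Serve one proxied connection: decide first, relay only if allowed."""
    try:
        raw_head = await client_reader.readuntil(b"\r\n\r\n")
    except asyncio.IncompleteReadError:
        client_writer.close()
        return
    first_line = raw_head.split(b"\r\n", 1)[0].decode(errors="replace")
    method, host, port = parse_request_line(first_line)
    decision = decide(user, host)
    if not decision.allow:
        client_writer.write(block_response(decision.reason))
        await client_writer.drain()
        client_writer.close()
        return
    upstream_reader, upstream_writer = await asyncio.open_connection(host, port)
    if method == "CONNECT":
        client_writer.write(b"HTTP/1.1 200 Connection Established\r\n\r\n")
        await client_writer.drain()
    else:
        upstream_writer.write(raw_head)  # forward the original request head
        await upstream_writer.drain()
    await asyncio.gather(_pipe(client_reader, upstream_writer),
                         _pipe(upstream_reader, client_writer))


async def serve(host: str = "127.0.0.1", port: int = 8080):
    server = await asyncio.start_server(handle, host, port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```

Run it and point a browser at 127.0.0.1:8080 as its HTTP proxy: the allow/block decision in `decide` happens before the request touches any network path, which is the property the post is describing, and it is the same whether the machine is on a full-tunnel VPN, a split-tunnel VPN, or a hotspot.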

That was easy! 

As my homie Jeff Moore at Staples said, it’s not “innovation”, it’s evolution. At dope, we want to make your life a little easier by providing you beautifully designed products built with attention to detail.

It’s all part of the first-class experience, because the best configuration is no configuration required at all.

Hope you love it!

– kunala