article GlobalProtect: Initial Set Up in GlobalProtect Articles

article GlobalProtect: Initial Set Up in GlobalProtect Articles https://live.paloaltonetworks.com/t5/globalprotect-articles/globalprotect-initial-set-up/ta-p/322232 <DIV class="lia-message-template-content-zone"> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="GlobalProtect: Initial Setup" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25087iA6CCC1726BC8160E/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="GlobalProtect Initial Setup.png" alt="GlobalProtect: Initial Setup" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">GlobalProtect: Initial Setup</span></span></SPAN></P> <P> </P> <P> </P> <P data-unlink="true"><SPAN>In my blog, "</SPAN><A href="https://live.paloaltonetworks.com/t5/Blogs/GlobalProtect-Overview/ba-p/322170" target="_self">GlobalProtect: Overview</A><SPAN>," I provided a synopsis of the GlobalProtect series and overall objectives, including a description of each article in this series. I would recommend starting there prior to moving forward.</SPAN></P> <P> </P> <P data-unlink="true"><SPAN>In this post, I will cover the initial setup of GlobalProtect, which includes a portal, external gateway, and user authentication via local database. You can see a diagram of the environment <A href="https://live.paloaltonetworks.com/t5/Blogs/GlobalProtect-Overview/ba-p/322170?lightbox-message-images-322170=25053i4232C172B9024D26" target="_blank" rel="noopener">here</A>.</SPAN></P> <P> </P> <H2><SPAN><STRONG>Part I - Initial Setup</STRONG></SPAN></H2> <P> </P> <UL> <LI>Navigate to<SPAN> </SPAN><STRONG>Device</STRONG> <STRONG>></STRONG> <STRONG>GlobalProtect Client</STRONG> then download and activate the latest version (5.0.8 is a TAC-preferred version at the time of this blog post)</LI> </UL> <UL> <LI>Navigate to<SPAN> </SPAN><STRONG>Network > Network Profiles > Interface Mgmt > Add</STRONG> and create a management profile to apply to the tunnel interface to which remote users will connect<BR /> <UL class="lia-list-style-type-circle"> <LI>Enable <EM>Response Pages</EM><I><BR /></I> <UL> <LI><STRONG>NOTE:</STRONG> It is not required to enable <EM>Response Pages</EM>, but this feature will be used in a subsequent article</LI> </UL> </LI> <LI>Click <STRONG>OK </STRONG></LI> </UL> </LI> </UL> <P><I><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Interface Management Profile - Response Pages" style="width: 600px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25056i7C813B0E3B78C94C/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Interface Management Profile - Response Pages.png" alt="Interface Management Profile - Response Pages" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Interface Management Profile - Response Pages</span></span></I></P> <UL> <LI>Navigate to<SPAN> </SPAN><STRONG>Network > Zones > Add</STRONG> and create a new<SPAN> </SPAN><STRONG>Layer 3</STRONG> security zone for your GlobalProtect users</LI> <UL class="lia-list-style-type-circle"> <LI>Provide a name (e.g.,<SPAN> </SPAN><I>gp</I>)</LI> <LI>Set<SPAN> </SPAN><STRONG>Type</STRONG> to<SPAN> </SPAN><I>Layer3</I></LI> <LI>Check the<SPAN> </SPAN><STRONG>Enable User Identification</STRONG> box</LI> <LI>Click<SPAN> </SPAN><STRONG>OK</STRONG></LI> </UL> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Zone - Enable User Identification" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25058i819A4AD5BBEF81D8/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Zone - Enable User Identification.png" alt="Zone - Enable User Identification" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Zone - Enable User Identification</span></span></P> <UL> <LI>Navigate to<SPAN> </SPAN><STRONG>Network > Interfaces > Tunnel > Add</STRONG> and create a new tunnel interface</LI> <UL class="lia-list-style-type-circle"> <LI>Assign the interface a number (e.g., <EM>1</EM>)</LI> <LI>Assign the interface to the appropriate<SPAN> </SPAN><STRONG>Virtual Router</STRONG></LI> <LI>Assign the interface to the appropriate<SPAN> </SPAN><STRONG>Security Zone</STRONG></LI> </UL> </UL> <P><I><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tunnel Interface - Config" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25059i5B9846E2A392E0D3/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Tunnel Interface - Config.png" alt="Tunnel Interface - Config" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Tunnel Interface - Config</span></span></I></P> <UL> <LI>Navigate to the<SPAN> </SPAN><STRONG>IPv4 </STRONG>tab and assign a subnet to be used for your mobile users</LI> <UL class="lia-list-style-type-circle"> <LI><STRONG>NOTE:</STRONG> It should be a unique network. Also, note that an IP address on this interface is not a requirement.</LI> </UL> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tunnel Interface - IPv4" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25060iDA8A1A18CCDE759A/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Tunnel Interface - IPv4.png" alt="Tunnel Interface - IPv4" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Tunnel Interface - IPv4</span></span></P> <UL> <LI>Navigate to the<SPAN> </SPAN><STRONG>Advanced </STRONG>tab and apply the <EM>Management Profile</EM> created for the tunnel interface above </LI> <LI>Click<SPAN> </SPAN><STRONG>OK</STRONG></LI> </UL> <P><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tunnel Interface - Advanced" style="width: 699px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25160iCC5B45AFD418FF92/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="tunnel interface.PNG" alt="Tunnel Interface - Advanced" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Tunnel Interface - Advanced</span></span></STRONG></P> <UL> <LI>Navigate to<SPAN> </SPAN><STRONG>Device > Certificate Management > Certificates > Generate</STRONG> and create a trusted root certificate</LI> <UL class="lia-list-style-type-circle"> <LI><STRONG>NOTE:</STRONG> In this series of posts, we will be using self-signed certificates. It is recommended to use third-party certificates in a production environment, but self-signed certificates will work as well.</LI> <LI>Enter a<SPAN> </SPAN><I>Certificate Name</I></LI> <LI>Enter the management IP of the firewall for the<SPAN> </SPAN><I>Common Name</I></LI> </UL> <UL> <UL class="lia-list-style-type-square"> <LI>Check the<SPAN> </SPAN><STRONG>Certificate Authority</STRONG> box</LI> <LI>Enter information in other fields if desired (optional)</LI> <LI>Click<SPAN> </SPAN><STRONG>Generate<BR /></STRONG><I></I></LI> </UL> </UL> </UL> <P><I><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Generate Certificate - Local Certificate Authority" style="width: 399px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25061i1F45CF2F83772154/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Generate Certificate - Local Certificate Authority .png" alt="Generate Certificate - Local Certificate Authority" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Generate Certificate - Local Certificate Authority</span></span></I></P> <UL> <LI>Select the certificate you just created, and check the <STRONG>Trusted Root CA</STRONG> box</LI> <LI>Click<SPAN> </SPAN><STRONG>OK</STRONG></LI> </UL> <P><I><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Certificate Information - Trusted Root CA" style="width: 599px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25062iA389791D292C90E2/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Certificate Information - Trusted Root CA.png" alt="Certificate Information - Trusted Root CA" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Certificate Information - Trusted Root CA</span></span></I></P> <UL> <LI>Navigate to<SPAN> </SPAN><STRONG>Device > Certificate Management > Certificates > Generate</STRONG> and a create certificate for GlobalProtect <UL class="lia-list-style-type-circle"> <LI>Enter a <I>Certificate Name</I></LI> <LI>Enter the IP address or the DNS name of the interface to which remote users will connect for<SPAN> </SPAN><I>Common Name</I> <UL class="lia-list-style-type-square"> <LI><STRONG>NOTE:</STRONG> In this series of posts, we will be using the public IP address for the common name (represented by<SPAN> </SPAN><I>1.1.1.1</I>), and it is recommended to use a DNS name in a production environment but IP addresses will work as well</LI> </UL> </LI> </UL> </LI> <UL class="lia-list-style-type-circle"> <LI>Select the certificate previously created under "Signed By"</LI> <LI>Enter information in other fields if desired (optional)</LI> <LI>Click<SPAN> </SPAN><STRONG>Generate</STRONG></LI> </UL> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Generate Certificate - Cryptographic Settings" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25063i42EEE9A6E03E97A0/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Generate Certificate - Cryptographic Settings.png" alt="Generate Certificate - Cryptographic Settings" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Generate Certificate - Cryptographic Settings</span></span></P> <UL> <LI>Navigate to<SPAN> </SPAN><STRONG>Device > Certificate Management > SSL/TLS Service Profile > Add</STRONG></LI> <UL class="lia-list-style-type-circle"> <LI>Enter a<SPAN> </SPAN><I>Name</I></LI> <LI>Select the <EM>Certificate</EM> previously created</LI> <LI>Click<SPAN> </SPAN><STRONG>OK</STRONG></LI> </UL> </UL> <P><I><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SSL/TSL Service Profile" style="width: 399px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25064i562C90205CD383F0/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="SSL:TSL Service Profile.png" alt="SSL/TSL Service Profile" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">SSL/TSL Service Profile</span></span></I></P> <UL> <LI>Navigate to<SPAN> </SPAN><STRONG>Device > Local User Database > Users > Add</STRONG></LI> <UL class="lia-list-style-type-circle"> <LI>Enter a<SPAN> </SPAN><I>Name<SPAN> </SPAN></I>and<SPAN> </SPAN><I>Password</I></LI> <LI>Click<SPAN> </SPAN><STRONG>OK</STRONG></LI> </UL> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Local User Database" style="width: 505px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25065i8891F650031418EB/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Local User Database.png" alt="Local User Database" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Local User Database</span></span></P> <UL> <LI>Navigate to<SPAN> </SPAN><STRONG>Device > Authentication Profile > Add</STRONG></LI> <UL class="lia-list-style-type-circle"> <LI>Enter a<SPAN> </SPAN><I>Name</I></LI> <LI>Select<SPAN> </SPAN><EM>Local Database</EM> for<SPAN> </SPAN><STRONG>Type</STRONG></LI> </UL> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Authentication Profile" style="width: 598px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25066i8E2BE25F783588E8/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Authentication Profile.png" alt="Authentication Profile" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Authentication Profile</span></span></P> <UL class="lia-list-style-type-disc"> <LI>Navigate to<SPAN> </SPAN><STRONG>Advanced > Add</STRONG> <UL class="lia-list-style-type-circle"> <LI>Select<SPAN> </SPAN><I>All</I></LI> <LI>Click<SPAN> </SPAN><STRONG>OK</STRONG></LI> </UL> </LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Authentication Profile - Advanced Tab" style="width: 599px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25067i8616DE18640CA644/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Authentication Profile - Advanced Tab.png" alt="Authentication Profile - Advanced Tab" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Authentication Profile - Advanced Tab</span></span></P> <UL> <LI>Navigate to<SPAN> </SPAN><STRONG>Network > GlobalProtect > Gateway > Add</STRONG> <UL class="lia-list-style-type-circle"> <LI>In the<SPAN> </SPAN><STRONG>General</STRONG> tab <UL class="lia-list-style-type-square"> <LI>Enter a<SPAN> </SPAN><I>Name</I></LI> <LI>Select the<SPAN> </SPAN><STRONG>interface</STRONG> to which remote users will connect</LI> <LI>Select the<SPAN> </SPAN><STRONG>IPv4 Address</STRONG> of the interface <UL> <LI><STRONG>NOTE:</STRONG> If your interface is assigned an IP address via DHCP, then you will not have an option to select an<SPAN> </SPAN><I>IPv4 Address</I>. Just leave this field set to<SPAN> </SPAN><I>None</I>.</LI> </UL> </LI> </UL> </LI> </UL> </LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GlobalProtect Gateway Configuration" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25068iFD79370E5868DD1C/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="GlobalProtect Gateway Configuration.png" alt="GlobalProtect Gateway Configuration" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">GlobalProtect Gateway Configuration</span></span></P> <UL> <LI>In the<SPAN> </SPAN><STRONG>Authentication</STRONG> tab <UL class="lia-list-style-type-circle"> <LI>Select the<SPAN> </SPAN><STRONG>SSL/TLS Service Profile </STRONG>previously created</LI> <LI>Under<SPAN> </SPAN><STRONG>Client Authentication</STRONG> click<SPAN> </SPAN><STRONG>Add</STRONG> <UL class="lia-list-style-type-square"> <LI>Enter a<SPAN> </SPAN><I>Name</I></LI> <LI>Select the<SPAN> </SPAN><STRONG>Authentication Profile</STRONG> previously created</LI> <LI>Click <STRONG>OK</STRONG></LI> </UL> </LI> </UL> </LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="GlobalProtect Gateway Configuration - Authentication Profile" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25069i67D5EDC718D1F232/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="GlobalProtect Gateway Configuration - Authentication Profile.png" alt="GlobalProtect Gateway Configuration - Authentication Profile" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">GlobalProtect Gateway Configuration - Authentication Profile</span></span></P> <UL> <LI>In the<SPAN> </SPAN><STRONG>Agent </STRONG>tab <UL class="lia-list-style-type-circle"> <LI>In the <STRONG>Tunnel Settings</STRONG> tab <UL class="lia-list-style-type-square"> <LI>Enable<SPAN> </SPAN><STRONG>Tunnel Mode</STRONG></LI> <LI>Select the<SPAN> </SPAN><STRONG>Tunnel Interface</STRONG> previously created</LI> </UL> </LI> </UL> </LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GlobalProtect Gateway Configuration - Tunnel Settings Tab" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25070i5E40A0A708FEF642/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="GlobalProtect Gateway Configuration - Tunnel Settings Tab.png" alt="GlobalProtect Gateway Configuration - Tunnel Settings Tab" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">GlobalProtect Gateway Configuration - Tunnel Settings Tab</span></span></P> <UL> <LI>In the<SPAN> </SPAN><STRONG>Client Settings</STRONG> tab <UL class="lia-list-style-type-circle"> <LI>Click<SPAN> </SPAN><STRONG>Add</STRONG></LI> <LI>In the<SPAN> </SPAN><STRONG>Config Selection Criteria</STRONG> tab, enter a<SPAN> </SPAN><I>Name</I></LI> </UL> </LI> </UL> <P><I><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Configs - Config Selection Criteria" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25071iCF329F22D1280FAD/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Configs - Config Selection Criteria.png" alt="Configs - Config Selection Criteria" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Configs - Config Selection Criteria</span></span></I></P> <UL> <LI>In the<SPAN> </SPAN><STRONG>IP Pools</STRONG> tab <UL class="lia-list-style-type-circle"> <LI><STRONG>Add</STRONG> an <I>IP Pool</I></LI> </UL> </LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Configs - IP Pools" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25072iF3D28D00FD723B99/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Configs - IP Pools.png" alt="Configs - IP Pools" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Configs - IP Pools</span></span></P> <UL> <LI><SPAN>In the</SPAN><SPAN> </SPAN><STRONG>Split Tunnel</STRONG><SPAN> tab</SPAN> <UL class="lia-list-style-type-circle"> <LI><STRONG>Add</STRONG> an access route to the<SPAN> </SPAN><EM>Include</EM> section <UL class="lia-list-style-type-square"> <LI><STRONG>NOTE:</STRONG> In this series of posts we will be routing all traffic through the tunnel. It is recommended to tunnel all traffic in a production environment to ensure consistent protection.</LI> </UL> </LI> <LI>Click<SPAN> </SPAN><STRONG>OK</STRONG></LI> </UL> </LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Configs - Split Tunnel" style="width: 748px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25152iC67CDA0B62D7BABC/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="split tunnel.PNG" alt="Configs - Split Tunnel" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Configs - Split Tunnel</span></span></P> <UL> <LI>In the<SPAN> </SPAN><STRONG>Network Services</STRONG> tab <UL class="lia-list-style-type-circle"> <LI>Enter values for<SPAN> </SPAN><I>Primary DNS</I> and<SPAN> </SPAN><I>Secondary DNS</I></LI> <LI>Click<SPAN> </SPAN><STRONG>OK</STRONG></LI> </UL> </LI> </UL> <P><I><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GlobalProtect Gateway Configuration - Network Services" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25073iF9C03D751B24082F/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="GlobalProtect Gateway Configuration - Network Services.png" alt="GlobalProtect Gateway Configuration - Network Services" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">GlobalProtect Gateway Configuration - Network Services</span></span></I></P> <UL> <LI><SPAN>Navigate</SPAN><I><SPAN> to</SPAN></I><SPAN> </SPAN><STRONG>Network > GlobalProtect > Portal > Add</STRONG> <UL class="lia-list-style-type-circle"> <LI>In the<SPAN> </SPAN><STRONG>General</STRONG> tab <UL class="lia-list-style-type-square"> <LI>Enter a<SPAN> </SPAN><I>Name</I></LI> <LI>Select the<SPAN> </SPAN><STRONG>Interface </STRONG>to which remote users will connect</LI> <LI>Select the<SPAN> </SPAN><STRONG>IP Address</STRONG> of the interface</LI> </UL> </LI> </UL> </LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GlobalProtect Portal Configuration - General" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25074i84926C544F1952DA/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="GlobalProtect Portal Configuration - General.png" alt="GlobalProtect Portal Configuration - General" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">GlobalProtect Portal Configuration - General</span></span></P> <UL> <LI>In the<SPAN> </SPAN><STRONG>Authentication</STRONG> tab <UL class="lia-list-style-type-circle"> <LI>Select the <I>SSL/TLS Service Profile<SPAN> </SPAN></I>previously created </LI> </UL> </LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GlobalProtect Portal Configuration - Authentication" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25075iBDEC05D32BBD1577/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="GlobalProtect Portal Configuration - Authentication.png" alt="GlobalProtect Portal Configuration - Authentication" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">GlobalProtect Portal Configuration - Authentication</span></span></P> <UL> <LI>Under <STRONG>Client Authentication</STRONG> click <STRONG>Add</STRONG> <UL class="lia-list-style-type-circle"> <LI>Enter a <I>Name</I></LI> <LI>Select the <I>Authentication Profile</I> previously created</LI> <LI>Click<SPAN> </SPAN><STRONG>OK</STRONG></LI> </UL> </LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Client Authentication - Portal Authentication" style="width: 478px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25076i22D5E70E270D825D/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Client Authentication - Portal Authentication.png" alt="Client Authentication - Portal Authentication" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Client Authentication - Portal Authentication</span></span></P> <UL> <LI><SPAN>In the</SPAN><SPAN> </SPAN><STRONG>Agent</STRONG><SPAN> tab</SPAN> <UL class="lia-list-style-type-circle"> <LI>Click<SPAN> </SPAN><STRONG>Add</STRONG> under <I>Configs</I> <UL class="lia-list-style-type-square"> <LI>In the<SPAN> </SPAN><STRONG>Authentication</STRONG> tab <UL class="lia-list-style-type-disc"> <LI>Enter a<SPAN> </SPAN><I>Name</I></LI> </UL> </LI> </UL> </LI> </UL> </LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Configs - Authentication Tab" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25077i433FAC81B9B674D3/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Configs - Authentication Tab.png" alt="Configs - Authentication Tab" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Configs - Authentication Tab</span></span></P> <UL> <LI><SPAN>In the</SPAN><SPAN> </SPAN><STRONG>Internal</STRONG><SPAN> tab</SPAN> <UL class="lia-list-style-type-circle"> <LI>Enable<SPAN> </SPAN><STRONG>Internal Host Detection IPv4</STRONG></LI> <LI>Enter an<SPAN> </SPAN><I>IP Address</I><SPAN> </SPAN>of resource that is always available internally</LI> <LI>Enter the<SPAN> </SPAN><I>Hostname</I> of the IP address to which it resolves <UL class="lia-list-style-type-square"> <LI><STRONG>NOTE:</STRONG> Internal Host Detection uses a reverse lookup to determine whether or not a device is on the internal network in order to establish a VPN tunnel. See<SPAN> </SPAN><A title="Palo Alto Networks DNS Proxy | Palo Alto Networks" href="https://networkwiki.blogspot.com/2020/03/palo-alto-networks-dns-proxy.html" target="_blank" rel="noopener">this post</A><SPAN> </SPAN>for additional details if you do not have an internal DNS server.</LI> </UL> </LI> </UL> </LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Configs - Internal Tab" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25078i0A4BAE74665241C1/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Configs - Internal Tab.png" alt="Configs - Internal Tab" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Configs - Internal Tab</span></span></P> <UL> <LI><SPAN>In the</SPAN><SPAN> </SPAN><STRONG>External</STRONG> <SPAN>tab</SPAN> <UL class="lia-list-style-type-circle"> <LI>Add an<SPAN> </SPAN><I>External Gateway</I>  <UL class="lia-list-style-type-square"> <LI>Enter a<SPAN> </SPAN><I>Name</I></LI> <LI>Enter the<SPAN> </SPAN><I>Address</I> to which remote users will connect</LI> </UL> </LI> </UL> </LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Configs - External Tab" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25079i485642DEF663B2F9/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Configs - External Tab.png" alt="Configs - External Tab" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Configs - External Tab</span></span></P> <UL> <LI>In the<SPAN> </SPAN><STRONG>App </STRONG>tab <UL class="lia-list-style-type-circle"> <LI>Change the<SPAN> </SPAN><I>Connect Method</I> to<SPAN> </SPAN><I>On-demand</I></LI> <LI>Click<SPAN> </SPAN><STRONG>OK</STRONG> <UL class="lia-list-style-type-square"> <LI><STRONG>NOTE:</STRONG><I><SPAN> </SPAN></I>In subsequent posts, we will be setting the<SPAN> </SPAN><I>Connect Method</I> to<SPAN> </SPAN><I>User-Logon (Always On)</I>, as that is the recommended best practice</LI> </UL> </LI> </UL> </LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Configs - App Tab" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25080i313A97494526C0D2/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Configs - App Tab.png" alt="Configs - App Tab" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Configs - App Tab</span></span></P> <UL> <LI><SPAN>Back in the</SPAN><SPAN> </SPAN><STRONG>Agent</STRONG><SPAN> tab, click</SPAN><SPAN> </SPAN><STRONG>Add</STRONG><SPAN> under</SPAN><SPAN> </SPAN><I>Trusted Root CA</I> <UL class="lia-list-style-type-circle"> <LI>Add the<SPAN> </SPAN><I>Root CA</I></LI> <LI>Check the<SPAN> </SPAN><I>Install in Local Root Certificate Store</I> <UL class="lia-list-style-type-square"> <LI><STRONG>NOTE:</STRONG> Selecting this option will transparently install the trusted root CA so that we can test <I>SSL Forward Proxy</I><SPAN> </SPAN>decryption in the future. It is not required in order for GlobalProtect to function.</LI> </UL> </LI> <LI>Click<SPAN> </SPAN><STRONG>OK</STRONG></LI> </UL> </LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GlobalProtect Portal Configuration - Agent Tab" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25082iB828AEE30F6243BA/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="GlobalProtect Configuration - Agent Tab.png" alt="GlobalProtect Portal Configuration - Agent Tab" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">GlobalProtect Portal Configuration - Agent Tab</span></span></P> <UL> <LI>Navigate to<SPAN> </SPAN><STRONG>Policies > NAT</STRONG> and add the<SPAN> </SPAN><I>gp<SPAN> </SPAN></I>zone you created previously to your source NAT rule so that users in the<SPAN> </SPAN><I>gp</I> zone can get out to the Internet</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Policies - NAT - Add GP Zone" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25083iDD203779EFFB208F/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Policies - NAT - Add GP Zone.png" alt="Policies - NAT - Add GP Zone" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Policies - NAT - Add GP Zone</span></span></P> <UL> <LI><SPAN>Navigate to </SPAN><STRONG>Policies > Security</STRONG><SPAN> and add security policy rules so that users in the </SPAN><I>gp</I><SPAN> zone can access internal as well as public resources</SPAN></LI> </UL> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Policies - Security - Add Security Policy" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25084i46B7E7EFA8AFA672/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Policies - Security - Add Security Policy.png" alt="Policies - Security - Add Security Policy" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Policies - Security - Add Security Policy</span></span></SPAN></P> <UL> <LI><SPAN>Navigate to <STRONG>Policies > Security </STRONG>and add a security policy rule that allows remote users to access GlobalProtect portal</SPAN></LI> </UL> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Policies - Security - Add Security Policy for Remote Users" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25085i456AD29881B89381/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Policies - Security - Add Security Policy for Remote Users.png" alt="Policies - Security - Add Security Policy for Remote Users" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Policies - Security - Add Security Policy for Remote Users</span></span></SPAN></P> <UL> <LI><SPAN><STRONG>Commit</STRONG> the configuration </SPAN></LI> </UL> <P data-unlink="true"><SPAN>You should now be able to log into the portal, download and install the GlobalProtect App, and test connectivity.<BR /><BR />In my next post, "<A title="GlobalProtect: Expanded Setup | LIVEcommunity | Palo Alto Networks" href="https://live.paloaltonetworks.com/t5/General-Articles/GlobalProtect-Expanded-Setup/ta-p/322234" target="_self">GlobalProtect: Expanded Setup</A>," we will make changes to the configuration to include different forms of authentication and add an internal gateway.</SPAN></P> </DIV> Thu, 07 Jul 2022 20:57:38 GMT SpencerMitchell 2022-07-07T20:57:38Z GlobalProtect: Initial Set Up https://live.paloaltonetworks.com/t5/globalprotect-articles/globalprotect-initial-set-up/ta-p/322232 <P>Learn more about <SPAN>the initial setup of GlobalProtect, including a portal, external gateway, and user authentication via local database.</SPAN></P> Thu, 07 Jul 2022 20:57:38 GMT https://live.paloaltonetworks.com/t5/globalprotect-articles/globalprotect-initial-set-up/ta-p/322232 SpencerMitchell 2022-07-07T20:57:38Z Re: GlobalProtect: Initial Set Up https://live.paloaltonetworks.com/t5/globalprotect-articles/globalprotect-initial-set-up/tac-p/322765#M15 <P>Great explanation! </P> Tue, 14 Apr 2020 23:02:11 GMT https://live.paloaltonetworks.com/t5/globalprotect-articles/globalprotect-initial-set-up/tac-p/322765#M15 Retired Member 2020-04-14T23:02:11Z