https://live.paloaltonetworks.com/t5/globalprotect-articles/globalprotect-expanded-setup/ta-p/322234 <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="GlobalProtect: Expanded Setup" style="width: 960px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25090i71694B3D3150D289/image-size/large?v=v2&amp;px=999" role="button" title="GlobalProtect Expanded Setup.png" alt="GlobalProtect: Expanded Setup" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">GlobalProtect: Expanded Setup</span></span></P> <P>&nbsp;</P> <P data-unlink="true">In my previous article, "<A title="GlobalProtect: Initial Setup | LIVEcommunity | Palo Alto Networks" href="https://live.paloaltonetworks.com/t5/General-Articles/GlobalProtect-Initial-Set-Up/ta-p/322232" target="_self">GlobalProtect: Initial Setup</A>," we covered the initial setup of GlobalProtect, which included a portal, external gateway, and user authentication via local database.</P> <P>&nbsp;</P> <P data-unlink="true">In this post, we are going to configure multiple external authentication types as well as add an internal gateway. You can see a diagram of the environment <A href="https://live.paloaltonetworks.com/t5/Blogs/GlobalProtect-Overview/ba-p/322170" target="_self">here</A>.</P> <P>&nbsp;</P> <H3><STRONG>Internal Gateways &amp; External Authentication</STRONG></H3> <P><SPAN>The value of adding an internal gateway means that when users are on the local network, user-to-IP address mappings will be supplied to the firewall along with device context. This data can then be used as security policy match conditions, allowing for much more granular, identity-based visibility and enforcement.</SPAN><BR /><BR /><SPAN>External authentication types are recommended for a production environment. In this case, we are going to configure the deployment to leverage LDAP authentication for the portal, MFA via RADIUS (AD credentials and Duo) for the external gateway, and LDAP authentication for the internal gateway. This will provide the best possible user experience for users when they are internal, while also enforcing additional factors of authentication when users are remote.</SPAN></P> <P>&nbsp;</P> <DIV class="alert alert-warning" align="left"><STRONG>NOTE:</STRONG> This article assumes that you have already followed the initial setup, which is the previous article in this series. This article also assumes that you already have a domain controller (I am running Windows Server 2012 R2) in your environment installed with <A title="Authentication Proxy Reference | DUO" href="https://duo.com/docs/authproxy-reference" target="_blank" rel="noopener">DUO authentication proxy</A> installed and running. For details on DUO integration, see <A title="Palo Alto Networks Duo Integration | Palo Alto Networks" href="https://networkwiki.blogspot.com/2020/04/palo-alto-networks-duo-integration-via.html" target="_blank" rel="noopener">this post</A>.</DIV> <P>&nbsp;</P> <H2><STRONG>Part II - Expanded Setup</STRONG></H2> <UL> <LI>Navigate to<SPAN>&nbsp;</SPAN><STRONG>Device &gt; Server Profiles &gt; LDAP &gt; Add</STRONG> to create an&nbsp;<STRONG>LDAP Server Profile</STRONG> <UL class="lia-list-style-type-circle"> <LI><STRONG>NOTE:</STRONG>&nbsp;Best practices dictate that a dedicated service account be used for integrating your domain controller with Palo Alto Networks</LI> </UL> </LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="LDAP Server Profile" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25091iA2FAD6B03B2CB418/image-size/large?v=v2&amp;px=999" role="button" title="LDAP Server Profile.png" alt="LDAP Server Profile" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">LDAP Server Profile</span></span></P> <UL> <LI>Navigate to<SPAN>&nbsp;</SPAN><STRONG>Device &gt; Server Profiles &gt; RADIUS &gt; Add</STRONG> to create a <STRONG>RADIUS Server Profile</STRONG> <UL> <LI><STRONG>NOTE:</STRONG>&nbsp;Per my note above, this post assumes that you already have Duo Authentication Proxy installed and running on your domain controller</LI> </UL> </LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RADIUS Server Profile" style="width: 600px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25092i1C2492FD265B4002/image-size/large?v=v2&amp;px=999" role="button" title="RADIUS Server Profile.png" alt="RADIUS Server Profile" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">RADIUS Server Profile</span></span></P> <UL> <LI>Navigate to<SPAN>&nbsp;</SPAN><STRONG>Device &gt; User-ID &gt; Group Mapping Settings &gt; Add</STRONG>&nbsp;to create a<SPAN>&nbsp;</SPAN><STRONG>Group Mapping</STRONG></LI> <UL class="lia-list-style-type-circle"> <LI>For<SPAN>&nbsp;</SPAN><STRONG>Server Profile</STRONG>, select the<SPAN>&nbsp;</SPAN><I>LDAP<SPAN>&nbsp;</SPAN></I>profile that was previously created</LI> <LI>Enter the domain name under<SPAN>&nbsp;</SPAN><STRONG>User Domain</STRONG></LI> </UL> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Group Mapping - Server Profile tab" style="width: 623px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25093i3C2EE0351E4A0137/image-size/large?v=v2&amp;px=999" role="button" title="Group Mapping - Server Profile tab.png" alt="Group Mapping - Server Profile tab" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Group Mapping - Server Profile tab</span></span></P> <UL> <LI>Navigate to the<SPAN>&nbsp;</SPAN><STRONG>Group Include List&nbsp;</STRONG>and add the group where your users are stored <UL class="lia-list-style-type-circle"> <LI><STRONG>NOTE:</STRONG>&nbsp;If you are unable to expand the available groups, this typically means that your credentials in the LDAP Server Profile are incorrect</LI> </UL> </LI> <UL class="lia-list-style-type-circle"> <LI>Click<SPAN>&nbsp;</SPAN><STRONG>OK</STRONG></LI> </UL> <LI>Navigate to<SPAN>&nbsp;</SPAN><STRONG>Device &gt; Authentication Profile &gt; Add</STRONG> <UL class="lia-list-style-type-circle"> <LI>For<SPAN>&nbsp;</SPAN><STRONG>Type</STRONG>&nbsp;select<SPAN>&nbsp;</SPAN><I>LDAP</I></LI> <LI>For<SPAN>&nbsp;</SPAN><STRONG>Server Profile</STRONG>&nbsp;select the LDAP profile that was previously created</LI> <LI>Enter<SPAN>&nbsp;</SPAN><I>sAMAccountName</I>&nbsp;for the<SPAN>&nbsp;</SPAN><STRONG>Login Attribute</STRONG></LI> <LI>Enter your domain for the<SPAN>&nbsp;</SPAN><STRONG>User Domain</STRONG></LI> </UL> </LI> </UL> <P><I><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Authentication Profile - LDAP type" style="width: 600px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25094i9360222B00AA19DF/image-size/large?v=v2&amp;px=999" role="button" title="Authentication Profile - Authentication Tab.png" alt="Authentication Profile - LDAP type" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Authentication Profile - LDAP type</span></span></I></P> <UL> <LI>Navigate to the<SPAN>&nbsp;</SPAN><STRONG>Advanced&nbsp;</STRONG>tab and select the user group that was previously added to the<SPAN>&nbsp;</SPAN><STRONG>Group Include List</STRONG>, which was part of the<SPAN>&nbsp;</SPAN><STRONG>Group Mapping</STRONG>&nbsp;you previously created</LI> <LI>Click<SPAN>&nbsp;</SPAN><STRONG>OK</STRONG></LI> <LI>Navigate to<SPAN>&nbsp;</SPAN><STRONG>Device &gt; Authentication Profile &gt; Add</STRONG> <UL class="lia-list-style-type-circle"> <LI>For<SPAN>&nbsp;</SPAN><STRONG>Type</STRONG>&nbsp;select<SPAN>&nbsp;</SPAN><I>RADIUS</I></LI> <LI>For<SPAN>&nbsp;</SPAN><STRONG>Server Profile</STRONG>&nbsp;select the RADIUS profile that was previously created</LI> <LI>Enter your domain name of the<SPAN>&nbsp;</SPAN><STRONG>User Domain</STRONG></LI> </UL> </LI> </UL> <P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Authentication Profile - RADIUS Type" style="width: 600px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25095i52BE430EBF798D6F/image-size/large?v=v2&amp;px=999" role="button" title="Authentication Profile - RADIUS Type.png" alt="Authentication Profile - RADIUS Type" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Authentication Profile - RADIUS Type</span></span></P> <UL> <LI>Navigate to the&nbsp;<STRONG>Advanced&nbsp;</STRONG>tab and select the user group that was previously added to the&nbsp;<STRONG>Group&nbsp;Include List</STRONG>, which was part of the&nbsp;<STRONG>Group Mapping&nbsp;</STRONG>you previously created</LI> <LI>Click&nbsp;<STRONG>OK</STRONG></LI> <LI>Navigate to<SPAN>&nbsp;</SPAN><STRONG>Network &gt; GlobalProtect &gt; Gateways &gt;&nbsp;</STRONG>select the existing external gateway<SPAN>&nbsp;</SPAN><STRONG>&gt; Authentication &gt;&nbsp;</STRONG>select the client authentication&nbsp;<STRONG>&gt;&nbsp;</STRONG>change the <STRONG>Authentication Profile</STRONG> to the RADIUS profile that was previously created</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GlobalProtect Gateway Configuration - Home External Authentication" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25096i0AD9EA26CCB56619/image-size/large?v=v2&amp;px=999" role="button" title="GlobalProtect Gateway Configuration - SSL TSL Service Profile.png" alt="GlobalProtect Gateway Configuration - Home External Authentication" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">GlobalProtect Gateway Configuration - Home External Authentication</span></span></P> <UL> <LI>Click<SPAN>&nbsp;</SPAN><STRONG>OK</STRONG></LI> <LI>Click<SPAN>&nbsp;</SPAN><STRONG>OK</STRONG></LI> <LI>Navigate to<SPAN>&nbsp;</SPAN><STRONG>Network &gt; GlobalProtect &gt; Gateways &gt; Add</STRONG>&nbsp;to create an internal gateway <UL class="lia-list-style-type-circle"> <LI>Select the<SPAN>&nbsp;</SPAN><STRONG>Interface&nbsp;</STRONG>and<SPAN>&nbsp;</SPAN><STRONG>IPv4 Address</STRONG>&nbsp;that correspond to the trust interface</LI> <LI>Navigate to the<SPAN>&nbsp;</SPAN><STRONG>Authentication</STRONG> tab&nbsp; <UL class="lia-list-style-type-square"> <LI>Select the<SPAN>&nbsp;</SPAN><STRONG>SSL/TLS Service Profile</STRONG>&nbsp;that was created in the previous post</LI> <LI>Create a new<SPAN>&nbsp;</SPAN><STRONG>Client Authentication</STRONG>&nbsp;profile and select the <STRONG>LDAP&nbsp;Authentication Profile</STRONG>&nbsp;previously created</LI> </UL> </LI> </UL> </LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GlobalProtect Gateway Configuration - Home Internal Authentication" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25097iAB86AB07C80147E1/image-size/large?v=v2&amp;px=999" role="button" title="GlobalProtect Gateway Configuration - Internal Authentication.png" alt="GlobalProtect Gateway Configuration - Home Internal Authentication" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">GlobalProtect Gateway Configuration - Home Internal Authentication</span></span></P> <UL> <LI><SPAN>Click</SPAN><SPAN>&nbsp;</SPAN><STRONG>OK</STRONG></LI> <LI>Click<SPAN>&nbsp;</SPAN><STRONG>OK</STRONG></LI> <LI>Navigate to<SPAN>&nbsp;</SPAN><STRONG>Network &gt; GlobalProtect &gt; Portals &gt;&nbsp;</STRONG>select the existing portal<SPAN>&nbsp;</SPAN><STRONG>&gt; Agent &gt;&nbsp;</STRONG>select the existing portal config<SPAN>&nbsp;</SPAN><STRONG>&gt; Internal &gt; Internal Gateways &gt; Add</STRONG>&nbsp;to create an<SPAN>&nbsp;</SPAN><STRONG>Internal Gateway</STRONG> <UL class="lia-list-style-type-circle"> <LI>The<SPAN>&nbsp;</SPAN>IPv4&nbsp;entry should correspond to the IP address assigned to the trust interface</LI> <LI>Click<SPAN>&nbsp;</SPAN><STRONG>OK</STRONG></LI> </UL> </LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Internal Gateway - Home Internal Gateway" style="width: 480px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25098i5CCC6589AE2DF2CC/image-size/large?v=v2&amp;px=999" role="button" title="Internal Gateway - Home Internal Gateway.png" alt="Internal Gateway - Home Internal Gateway" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Internal Gateway - Home Internal Gateway</span></span></P> <UL> <LI>Navigate to&nbsp;the&nbsp;<STRONG>App</STRONG> tab, and set the&nbsp;<STRONG>Connect Method</STRONG> to&nbsp;<STRONG>User-logon (Always On)</STRONG> <UL class="lia-list-style-type-circle"> <LI><STRONG>NOTE:</STRONG>&nbsp;Internal Gateway authentication will fail if the&nbsp;<EM>Connect Method</EM> is set to&nbsp;<EM>On-demand</EM></LI> </UL> </LI> <LI>Click<SPAN>&nbsp;</SPAN><STRONG>OK</STRONG></LI> </UL> <P><I><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="55.PNG" style="width: 799px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25145iD7C12DE1BF8F0A91/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="55.PNG" alt="55.PNG" /></span></I></P> <UL> <LI>Click<SPAN>&nbsp;</SPAN><STRONG>OK</STRONG></LI> <LI>Navigate to<SPAN>&nbsp;</SPAN><STRONG>Device &gt; Certificate Management &gt; Certificates &gt; Generate</STRONG> <UL class="lia-list-style-type-circle"> <LI><STRONG>NOTE:</STRONG>&nbsp;As&nbsp;you already created a GlobalProtect certificate in the previous post, you will be creating a new one that both the external and internal gateways can reference. The previous certificate contains a common name that refers to the IP address of the portal and external gateway. As the IP address of the internal gateway is not referenced, this will cause authentication to the internal gateway to fail.&nbsp; <UL class="lia-list-style-type-square"> <LI><STRONG>NOTE:</STRONG>&nbsp;Keep in mind that you can also leave the current certificate in place and just create a new one for the internal gateway (essentially, having two), but for the purposes of this post, we will be creating a single certificate to be used for everything.</LI> </UL> </LI> </UL> <UL class="lia-list-style-type-circle"> <LI>Enter a<SPAN>&nbsp;</SPAN><I>Certificate Name</I></LI> </UL> </LI> <UL class="lia-list-style-type-circle"> <LI>Enter the IP address or the DNS name of the interface to which remote users will connect for<SPAN>&nbsp;</SPAN><I>Common Name</I> <UL class="lia-list-style-type-square"> <LI><STRONG>NOTE:</STRONG>&nbsp;In this series of posts, we will be using the public IP address for the common name (represented by 1.1.1.1). It is recommended to use a DNS name in a production environment, but IP addresses will work as well.<I></I></LI> </UL> </LI> <LI>Select the <STRONG>root CA</STRONG> that was previously created for<SPAN>&nbsp;</SPAN><STRONG>Signed By</STRONG></LI> <LI>Enter the IP address of the trust interface that corresponds to the internal gateway under<SPAN>&nbsp;</SPAN><STRONG>Certificate Attributes</STRONG></LI> </UL> </UL> <P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GlobalProtect Generate Certificate" style="width: 398px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25099i84734646836D267D/image-size/large?v=v2&amp;px=999" role="button" title="GlobalProtect Generate Certificate.png" alt="GlobalProtect Generate Certificate" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">GlobalProtect Generate Certificate</span></span></P> <UL> <LI>Navigate to<SPAN>&nbsp;</SPAN><STRONG>Device &gt; Certificate Management &gt; SSL/TLS Service Profile &gt;&nbsp;</STRONG>select the existing profile that was created previously and change the<SPAN>&nbsp;</SPAN><STRONG>Certificate value</STRONG> from the old certificate to the new one that was just created</LI> <LI>Click<SPAN>&nbsp;</SPAN><STRONG>OK</STRONG></LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SSL/TLS Service Profile" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25100i5D750C46A190F1EA/image-size/large?v=v2&amp;px=999" role="button" title="SSL:TLS Service Profile.png" alt="SSL/TLS Service Profile" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">SSL/TLS Service Profile</span></span></P> <UL> <LI>Navigate to<SPAN>&nbsp;</SPAN><STRONG>Policy &gt; NAT &gt; Add</STRONG></LI> <UL class="lia-list-style-type-circle"> <LI><STRONG>NOTE:</STRONG>&nbsp;A NAT rule must be created so that the internal users can reach and authenticate to the portal from the internal network</LI> <LI>In the&nbsp;<STRONG>General</STRONG>&nbsp;tab, enter a<SPAN>&nbsp;</SPAN><I>Name&nbsp;</I></LI> <LI>In the<SPAN>&nbsp;</SPAN><STRONG>Original Packet</STRONG>&nbsp;tab, set the<SPAN>&nbsp;</SPAN><STRONG>Source Zone</STRONG><SPAN>&nbsp;</SPAN>to<SPAN>&nbsp;</SPAN><I>trust</I>,<SPAN>&nbsp;</SPAN><STRONG>Destination Zone</STRONG><SPAN>&nbsp;</SPAN>to<SPAN>&nbsp;</SPAN><I>untrust</I>, and the<SPAN>&nbsp;</SPAN><STRONG>Destination Address</STRONG>&nbsp;to the <EM>untrust IP address</EM> (the IP address to which the GlobalProtect Portal is assigned)</LI> <LI>In the<SPAN>&nbsp;</SPAN><STRONG>Translated Packet</STRONG>&nbsp;tab, leave everything set to<SPAN>&nbsp;</SPAN><I>None</I></LI> <LI>Click<SPAN>&nbsp;</SPAN><STRONG>OK</STRONG></LI> </UL> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Creating a new NAT rule" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25101iFDD8559D1F33C864/image-size/large?v=v2&amp;px=999" role="button" title="Creating a new NAT rule.png" alt="Creating a new NAT rule" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Creating a new NAT rule</span></span></P> <DIV> <UL> <LI><STRONG>Commit</STRONG>&nbsp;the configuration</LI> </UL> <DIV>You should now be able to authenticate both internally and externally via the GlobalProtect app and access resources. It is important to note that authentication failures to an internal gateway are notoriously quiet. <STRONG>In other words, it will look as though you are connected even when you are not.</STRONG> You can validate connectivity by issuing the<SPAN>&nbsp;'</SPAN><I>show user ip-user-mapping all type GP'&nbsp;</I>command. If there is no mapping present, then it means that the app was unable to connect and authenticate to the internal gateway.</DIV> </DIV> <DIV>&nbsp;</DIV> <DIV>In my next article, "<A title="GlobalProtect: User/Device Context Compliance | LIVEcommunity | Palo Alto Networks" href="https://live.paloaltonetworks.com/t5/General-Articles/GlobalProtect-User-Device-Context-and-Compliance/ta-p/322235" target="_self">GlobalProtect: User/Device Context &amp; Compliance</A>," we will make changes to the configuration to include security policy matching based on user identity and device context via the GlobalProtect app. We will also enable notifications based on compliance of the endpoint.</DIV> Tue, 12 Jul 2022 06:29:56 GMT SpencerMitchell 2022-07-12T06:29:56Z https://live.paloaltonetworks.com/t5/globalprotect-articles/globalprotect-expanded-setup/ta-p/322234 <P>See how to configure multiple external authentication types as well as add an internal gateway.&nbsp;</P> Tue, 12 Jul 2022 06:29:56 GMT https://live.paloaltonetworks.com/t5/globalprotect-articles/globalprotect-expanded-setup/ta-p/322234 SpencerMitchell 2022-07-12T06:29:56Z https://live.paloaltonetworks.com/t5/globalprotect-articles/globalprotect-expanded-setup/tac-p/593078#M152 <P>Does 2FA part will be similar for on premise RSA Server ?</P> Thu, 25 Jul 2024 22:30:33 GMT https://live.paloaltonetworks.com/t5/globalprotect-articles/globalprotect-expanded-setup/tac-p/593078#M152 B.Alimov 2024-07-25T22:30:33Z https://live.paloaltonetworks.com/t5/globalprotect-articles/globalprotect-expanded-setup/tac-p/593550#M153 <P>Great tutorial, but Global protect Portal access part was missing to correct authentication method, if you following from previous tutorial you have to change it to LDAP from portal settings.</P> Tue, 30 Jul 2024 18:35:05 GMT https://live.paloaltonetworks.com/t5/globalprotect-articles/globalprotect-expanded-setup/tac-p/593550#M153 B.Alimov 2024-07-30T18:35:05Z