Basic GlobalProtect Configuration with On-Demand

Printer Friendly Page

 What is GlobalProtect with On-Demand?

 

As the name says, on-demand (at user's will), the user has control over when to connect or disconnect from GlobalProtect. Once connected to GlobalProtect, the user will see a 'disconnect' option to disconnect when needed.

 

This document explains basic GlobalProtect configuration for on-demand with the following considerations:

 

  • Authentication - local database
  • Same interface serving as portal and gateway.
  • Root, intermediate and server certs are generated on PAN

 

1. Generate a root CA, intermediate CA and a server cert as explained in this document:

https://live.paloaltonetworks.com/t5/1-Submit-and-Collaborate/Certificate-config-for-GP-SSL-TLS-Clie...  

 

Certificate-chain.png

 

 

2. Create an SSL/TLS profile under Device > Certificate Management > SSL/TLS service profile, referencing the above created 'server certificate'.

SSL-TLS-profile.png

 

3. Create an authentication profile under Device > Authentication Profile > Add.

 

Name- Give a name to this authentication profile

Type - Choose Local Database(You may choose ldap,radius etc depending on your requirement)

 

Advanced Tab > Allow List > Add - Select all (If you have groups, you may restrict it to required groups)

Click OK to save.

Auth-profile.png

 

 Auth-profile-2.png

 

 

4. Create a tunnel interface under Network > Interfaces >Tunnel. Give a tunnel number, virtual router and security zone. It is recommended to create a separate zone for VPN traffic as it gives better flexibility to create separate security rules for the VPN traffic.

 

tunnel-interface.png

 

 

Configure GlobalProtect Portal

 

5. Go to Network > GlobalProtect > Portals > Add.

General Tab. Give a name to the portal and select the interface that serves as portal from the drop down.

  GP-portal-general.png

 

6. Authentication Tab.

 

a. Under SSL/TLS service profile, select the SSL/TLS profile created in step 2 from the drop-down.

b. Client Authentication>Add. Give any name to it, leave the OS to 'any' unless you want to restrict it. Under authentication profile, select the auth profile created in Step 3.

c. Click ok to save.

GP-portal-auth.png

 

7. Agent Tab. Add a new client config.

a. Authentication tab:

  • Give any name to this client config
  • Client certificate - leave it to none, this will only be needed if we want to push any client certificate to clients for authentication purpose.
  • Save user credentials - Yes(default)
  • (Optional) Authentication override: Check the boxes for 'Generate cookie for authentication override' and 'Accept cookie for authentication override'. This cookie can be encrypted/decrypted using any certificate that is selected from the drop down of ''. 

GP-Client-config-on-demand-1.png

 

 b. User/User group tab. Leave the OS and User group to 'any' (You may restrict it to required groups if needed)

 

Important!

Gateways tab.  Under 'External gateways', click Add. Give any name to it.

Address- Enter the IP address or FQDN which was referenced in the certificate Common Name(CN) or Subject Alternate Name(SAN) of step 1. In this example we enter 'gp.portal-gw01.local'

GP-portal-gw.png

 

 

 

 d. App tab. Under 'Connect-method' drop down, select 'On-demand (Manual user initiated connection)'. 

Note: To change this GP setup from 'On-demand' to 'user-logon', just change the 'connect-method' from 'on-demand' to 'user-logon'.

 

on-demand.png

 

e. Click OK to save.

f. Under 'Trusted Root CA', select the root CA and intermediate CA. Also, select 'Install in Local root certificate store' to install these certificates in the client's local root certificate store after the client successfully connects to the portal for first time.

 

GP-Portal-Agent-config.png

g. Click OK to save and close GP portal config.

 

 

Configure GlobalProtect Gateway

 

8.  Go to Network>GlobalProtect>Gateways>Add.

General Tab. Give a name to the gateway and select the interface that serves as gateway from the drop down.

GP-GW-General.png

 

 9. Authentication Tab. This is similar to step 6 but this is for gateway.

a. Under SSL/TLS service profile, select the SSL/TLS profile created in step 2 from the drop-down.

b. Client Authentication>Add. Give any name to it, leave the OS to 'any' unless you want to restrict it. Under authentication profile, select the auth profile created in Step 3.

c. Click ok to save.

 GP-GW-Authentication.png

 

10. Agent Tab.

a. Tunnel Settings. Check 'Tunnel mode' to enable tunnel mode and select the tunnel interface created in step 4 from the drop-down. 

b. Enable IPSec. Check this box to enable IPSec, this is highly recommended. With this setting enabled, GP will always try to first connect over IPSec, if it fails then GP falls back to SSL.

Gateway-tunnel.png

 

c. Timeout settings - leave them to defaults. For any changes to this, refer to GP admin guide.

d. Client settings

 

Click Add> Give a name to authentication override tab

 

-(Optional) Authentication override: Check the boxes for 'Generate cookie for authentication override' and 'Accept cookie for authentication override'. This cookie can be encrypted/decrypted using any certificate selected from the drop down of ''. Note: If a certificate is selected here under portal, the same needs to be selected here under Gateway 'certificate to encrypt/decrypt cookie'.

 

GP-GW-Client-config.png

 

e. User/User group tab. Leave the OS and User group to 'any' (You may restrict it to required groups if wanted). 

 

Important!

If a group is chosen from the drop-down, make sure that the GlobalProtect user is part of this group, if not the client will NOT receive IP address from gateway. Common issues here are when the user is identified by GlobalProtect as 'domain\user' but the firewall's userid may have it as 'fully qualified domain\user', in those cases make sure the group/user is shown identical at both places by overwriting domain field in user-identification>group mapping. 

 

GP-GW-Client-user-group.png

 

f. Network Settings. 

Under the Ip-pool:  

 

Very Important!

  • The GlobalProtect gateway will be assigning IPs from this pool to clients. Specify the one or more IP pool ranges which DO NOT OVERLAP with any of the existing networks in the organization. Overlapping subnets can cause routing issues and network outages.
  • (Optional but recommended) You can add a second IP pool range for backup which will be useful in cases where the user connects a wifi that is providing the same IP pool range as your primary IP pool.

GP-GW-IP-pool.png

 

g. Access Route. This defines which subnets can be reached by GP clients once they are connected to gateway.

  • If left blank, it takes it as 0.0.0.0/0 ie all the traffic from GP client will be forced to go through GP tunnel.
  • For split tunneling: Specify required internal subnets like 10.0.0.0/8, 192.168.x.0/24 etc so that GP client will use the tunnel to reach only these subnets. Anything outside these subnets will be accessed directly from the client's local network, this is called split tunneling.

 

h. Click OK to save and close client settings. One more OK to save and close GP gateway settings.

 

11. Create a local username/password under Device>Local user database>users for testing.

12. Create security and NAT policies for the newly created VPN zone to give access appropriately.

13. Commit the changes.

 

To test on client machine

 

1. From the browser, go to https://gp.portal-gw01.local/ ie https://<portal-ip/fqdn>

2. Enter the credentials

3. Download the GlobalProtect client 

4. In the GlobalProtect client, enter the Portal address and credentials, click connect.

 

 

Tags (7)
Comments

Hello,

 

In "7. Agent Tab. Add a new client config." Please clarify statement at very end of step: "Note: If a certificate was selected in step 7 under portal, the same certificate needs to be selected here under Gateway 'certificate to encrypt/decrypt cookie'."

 

Thank you,

Sergey.

Hi @sryazantse,

 

That note should be placed at step 10 d under GlobalProtect Gateway Agent Tab.

 

If you selected a certificate in step 7 then you need to select the same certificate in step 10d at 'certificate to encrypt/decrypt cookie' ...

 

While the note is in the wrong position, it's pretty obvious what it means so I'll move it to the correct spot in the article.