How to Configure GlobalProtect


Note that since this article was written some things might have changed.

I recommend checking out the following articles instead:

 

Basic GlobalProtect Configuration with On-Demand

Basic GlobalProtect Configuration with Pre-logon

Basic GlobalProtect Configuration with User-logon

 

---

 

To implement GlobalProtect, configure:

 

  • GlobalProtect client downloaded and activated on the Palo Alto Networks firewall
  • Portal Configuration
  • Gateway Configuration
  • Routing between the trust zones and GlobalProtect clients (and in some cases, between the GlobalProtect clients and the untrusted zones)
  • Security and NAT policies permitting traffic between the GlobalProtect clients and Trust
    • Optional: NAT Policy for GlobalProtect clients to go out to the internet (if split tunneling is not enabled)
  • For iOS or Android devices, the GlobalProtect app can be used to connect

 

Portal Configuration

GP-portal.png

 

It is recommended to first test without a Certificate Profile; this allows for simpler troubleshooting if the initial configuration does not work as intended. First successfully configure and test basic authentication, then add the Certificate Profile for certificate authentication.

 

The portal address is the address where outside GlobalProtect clients connect. In most cases, this is the outside interface's IP address. The gateway address is usually the same outside IP address.

GP-client.png

 

GlobalProtect Connect Methods:

  • On-demand: Requires manually connecting when access to the VPN is required.
  • User-logon: VPN is established as soon as the user logs into the machine. When SSO is enabled, user credentials are automatically pulled from the Windows logon information and used to authenticate the GlobalProtect client user.
  • Pre-logon: VPN is established before the user logs into the machine. Machine certificate is required for this type of connection.

The Agent tab contains important information regarding what users can or cannot do with the GlobalProtect Agent. Enabling Agent User Override-with-comment allows users to disable the agent after entering a comment or reason. The comment appears in the system logs of the firewall when this user logs in next.

GP-agent-tab.png

 

Selecting the "disabled" option for Agent User Override prevents users from disabling the GlobalProtect agent:

GP-agent-disabled.png

 

Gateway Configuration

For the initial testing, Palo Alto Networks recommends configuring basic authentication. Once everything has been tested, authentication via client certificates can be added to the configuration if necessary.

GP-gateway.png

 

To authenticate devices with a third-party VPN application, check "Enable X-Auth Support" in the gateway's Client Configuration. Group Name and password must be configured for this setting.

GP-Gateway-Tunnel.png

GP-Gateway-Network.png

 

In most cases, for firewalls with static public IP addresses, set the inheritance source to none.

 

The IP pool setting is important, because it is the pool of IP addresses that the firewall assigns to connecting GP clients. Even if GlobalProtect clients need to be treated as part of the local network, Palo Alto Networks does not recommend using an IP pool in the same subnet as the LAN address pool, because a separate subnet keeps routing simple: internal servers send return packets to their default gateway whenever the source is another subnet. If the GP clients were issued IP addresses from the same subnet as the LAN, the internal LAN resources would treat them as local hosts and never direct traffic intended for the GP clients to the Palo Alto Networks firewall (their default gateway).

 

Access Routes

Access routes are the subnets that GlobalProtect clients are expected to reach through the tunnel. In most cases these are the LAN networks. To force all traffic through the firewall, even traffic intended for the Internet, configure the network "0.0.0.0/0", which means all traffic.

 

If 0.0.0.0/0 is configured, the security rules then control which resources the GlobalProtect clients can access. If no security policy permits traffic from the GlobalProtect clients zone to the Untrust zone, then the GlobalProtect clients connected to the Palo Alto Networks firewall through the SSL VPN can access only local resources and are not allowed on the internet:

NAT.png

GPSecurity.png
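As an added example (not PAN-OS configuration and not code from this article), the following Python models the reasoning of the IP pool, access route and security policy sections: the client pool must not overlap the LAN, access routes decide which destinations enter the tunnel, and a tunneled flow to a non-LAN destination lands in the Untrust zone, where it is dropped unless a rule from the GP zone allows it. The subnets, zone names and rules are constructed sample values.

```python
"""Design checks for a GlobalProtect gateway (added example, not PAN-OS code)."""
import ipaddress

# Constructed sample LAN behind the firewall (zone "Trust").
LAN_SUBNETS = [ipaddress.ip_network("10.10.0.0/24"),
               ipaddress.ip_network("10.10.1.0/24")]


def pool_overlaps_lan(pool, lan_subnets=LAN_SUBNETS):
    """True if the GP IP pool shares address space with a LAN subnet: the design
    the article advises against, since LAN hosts would then treat GP clients as
    local and never route replies via the firewall."""
    p = ipaddress.ip_network(pool)
    return any(p.overlaps(lan) for lan in lan_subnets)


def is_tunneled(dest_ip, access_routes):
    """Does traffic to dest_ip enter the tunnel? Only destinations covered by an
    access route do; 0.0.0.0/0 captures everything (no split tunneling)."""
    ip = ipaddress.ip_address(dest_ip)
    return any(ip in ipaddress.ip_network(r) for r in access_routes)


def dest_zone(dest_ip, lan_subnets=LAN_SUBNETS):
    """Zone the firewall resolves for the destination: LAN prefixes are Trust,
    anything else follows the default route into Untrust."""
    ip = ipaddress.ip_address(dest_ip)
    return "Trust" if any(ip in lan for lan in lan_subnets) else "Untrust"


def policy_allows(src_zone, dst_zone, rules):
    """First-match zone policy with the firewall's implicit deny at the end."""
    for rule in rules:
        if rule["from"] == src_zone and rule["to"] == dst_zone:
            return rule["action"] == "allow"
    return False


def client_can_reach(dest_ip, access_routes, rules, gp_zone="GP-VPN"):
    """'direct' when the destination bypasses the tunnel (split tunnel),
    otherwise 'allow'/'deny' as decided by policy from the GP client zone."""
    if not is_tunneled(dest_ip, access_routes):
        return "direct"
    return "allow" if policy_allows(gp_zone, dest_zone(dest_ip), rules) else "deny"


# Constructed sample policy: only GP-VPN -> Trust is permitted, nothing to Untrust.
RULES = [{"from": "GP-VPN", "to": "Trust", "action": "allow"}]
FULL_TUNNEL = ["0.0.0.0/0"]        # all traffic through the firewall
SPLIT_TUNNEL = ["10.10.0.0/16"]    # only LAN prefixes through the tunnel
```

With FULL_TUNNEL and RULES, an internet destination such as 198.51.100.10 is tunneled and then denied, which is exactly the "local resources only" outcome the article describes; adding a GP-VPN to Untrust rule (plus NAT) would change that result to allow.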

 

The GlobalProtect client zone and tunnel interface must be in the same virtual router as the other interfaces.

 

owner: sjamaluddin

Comments

Great doc, thanks!

I went through several GlobalProtect Configuration documents before I came across this one, which answered all the questions I had in mind before I ever read the manuals or touched the keyboard.  The others not so much.  You can tell it was written by someone who has deployed SSL VPNs in the field.

I'm forced to choose a certificate and the only option I have is "web server". I can't choose "none". Any thoughts on that?

If using PAN-OS 4.1.x you would need a certificate for SSL connections, and that would have to be a new certificate (different from the web server certificate). You may have to generate a self-signed certificate if you do not already have an SSL certificate.

How to Generate a New Self-Signed Certificate

If you are using Global Protect client version 1.1.7 and above, you'd need to have client certificates as per the following thread

Followed your steps, IPSec VPN on iOS device is now working. I'm using certificates, not PSK. Everything works well, except for split tunneling. Even though I have access routes defined, and these routes are pushed to my non-iOS device, on iOS I'm always in a "route all" mode. I've read that it might be a limitation of iOS. Do you get the same issue? Is there any workaround?

PatrickD,

Split tunneling on iOS devices only works with the iOS GlobalProtect client from the Apple AppStore.  Also, you need to have a GlobalProtect Gateway Subscription on your firewall to support the iOS client app.

I hope this helps.

Thanks,

Jeff

Thanks for the quick reply. I'll give it a try!

Great article. I do have a question. Why does the GP-VPN to Untrust policy show a destination zone as Trust and a destination address range of an RFC1918 address range? If traffic is destined for the internet would that not need to be destination zone Untrust and address range of Any? 

Thank you for your help. 

 

 

Nothing is mentioned here about authentication profiles

 

Hi @T-Squared 

I'm guessing the auth profile was left out as there are many different ways to set that up (ldap, radius, kerberos, ...) and several other articles already cover that process (for example How to Configure Active Directory Server Profile for Group Mapping and Authentication or How to Configure RADIUS Authentication )

Followed your steps on my GlobalProtect VPN; we can use the firewall local authentication, all successful.

 

After I changed to use a RADIUS server for authentication, logon fails on the client side.

The message shows "Authentication Failed: Please enter username and password to connect".

The traffic log can be sent out to the destination server. And the system log shows ......... Reason: Authentication failed: Invalid username and password, Auth type: Profile. (I am using Domain for login.)

 

Now, I am checking on

i).  Server side Radius setting ,

ii).  Server side firewall setting,  

iii). On the PA firewall RADIUS setting, does it need the domain information too?

Is there anything I still missed?

 

Thanks.

How to configure GlobalProtect in PAN-OS 8.0? Please help.

@reaper,

 

I've got a single public IP address, which is used for GlobalProtect SSL VPN. I also want to use this single public IP address to allow inbound static NAT to an SSL web server on my LAN.

 

Using GP 4.0.5

 

When I do this, the GlobalProtect SSL VPN client stops working and starts redirecting the traffic to the SSL web server. Is there a way around this so that both the GlobalProtect SSL VPN client and SSL web server will work on a single public IP address without having to use a separate IP address?

hi @Farzana

 

there's no "clean" way to accomplish this since you're trying to share the same port between 2 services

 

one workaround is to enable the gateway on a loopback interface, then set up NAT to redirect a 'different' external port (eg. 5000) to 443 onto the loopback. that way your GP client will connect to the gateway via port 5000 which the firewall will NAT to 443 on the loopback

 

portal may only be accessible from LAN as you can't use the same trick for portal

 

port 5000.png