Configuration Articles

Featured Article
Overview

The GlobalProtect prelogon connect method is a feature that enables GlobalProtect to authenticate the agent and establish the VPN tunnel to the GlobalProtect gateway using a pre-installed device certificate before the user has logged in. Because the tunnel is already established, domain scripts can be executed when the user logs in, instead of using cached credentials.

Prior to user login, there is no username associated with the traffic. Therefore, to enable the client system to access resources in the trust zone, a security policy must be created that matches the prelogon user. These policies should only allow access to the basic services required to start up the system, such as DHCP, DNS, Active Directory (for example, to change an expired password), antivirus, and/or operating system update services. After the user logs in to the system and authenticates, the VPN tunnel is renamed to include the username so that user- and group-based policy can be enforced.

With pre-logon, when an agent connects to the portal for the first time, the end user must authenticate (either through an authentication profile or a certificate profile configured to validate a client certificate containing a username). After authentication succeeds, the portal pushes the client configuration to the agent along with a cookie that will be used for portal authentication to receive a configuration refresh. When a client system attempts to connect in pre-logon mode, it uses the cookie to authenticate to the portal and receive its pre-logon client configuration. It then connects to the gateway specified in the configuration, authenticates using its device certificate (as specified in a certificate profile configured on the gateway) and establishes the VPN tunnel.

Steps

The Palo Alto Networks firewall is configured with a root certificate, the Root CA that signs the server certificate and the device certificate.

Export the device (machine) cert and the Root CA certificate to the individual device that will connect using GlobalProtect. The client can use their own PKI infrastructure to generate device certificates. In these types of scenarios, the firewall admin should import the Root CA signing these device certificates into the Palo Alto Networks firewalls.

Configure the certificates required for prelogon

Go to Device > Certificate Management > Certificates > Device Certificate and select the "GP Machine Cert" (used for this example) device certificate. Click Export. Select Root CA and Export. Download the certs and install them into their cert stores.

For Mac OS X clients: Open Keychain Access and go to the System keychain. Ensure that all applications have access to the private keys of the device and the Root CA certs.

For Windows clients: The correct way of importing certificates is either a GPO install or a manual certificate install. Below is an example for a Windows 7 device:
Delete the previous incorrect machine-certificate and root-CA-certificate in MMC.
Right click LOCAL-COMPUTER > Personal > Certificates, All Tasks > Import, and import the machine-certificate.
Right click CURRENT-USER > Trusted Root Certification Authorities > Certificates, All Tasks > Import, and import the root-CA-certificate.
Right click LOCAL-COMPUTER > Trusted Root Certification Authorities > Certificates, All Tasks > Import, and import the root-CA-certificate.
Below are examples for installing the device certificate. Note: For more information about the MMC, see the TechNet library on the Microsoft website.

Create a client Certificate Profile that includes the root certificate.

Configure the portal as shown below. Enter values for Portal Configuration. The Portal Configuration does not require a client certificate, which was mandatory prior to PAN-OS 6.0 for prelogon to work.

On the Client Configuration tab, configure the prelogon client configurations to use the CACR (cookie authentication for config refresh) functionality. For both client configurations, "Cookie authentication for config refresh" is chosen as the Authentication Modifier type. The Connect Method selected should be "pre-logon" and the "Use single sign-on" checkbox should be selected in both cases.

Configure the GlobalProtect Gateway as shown below. Once the changes are committed, the configuration on the interfaces should reflect the GlobalProtect settings.

Prelogon client authentication

The user has to connect to the portal for the first time to download the GlobalProtect client. The portal pushes the client configuration to the agent, along with a cookie that will be used for portal authentication to receive a configuration refresh.

When the user logs off from the client, or when the client device finishes booting up, the client system attempts to connect in prelogon mode and uses the cookie to authenticate to the portal and receive its prelogon client configuration. It then connects to the gateway specified in the configuration, authenticates using its device certificate (as specified in a certificate profile configured on the gateway) and establishes the VPN tunnel. Shown below is a snapshot of when the user logs in from their device. The device has been authenticated as a prelogon user.

Prelogon logs on the Palo Alto Networks firewall

The firewall generates logs pertaining to the cookie-based authentications when the sslvpn logs are set to debug. The example below shows logs for the cookie-based authentication of the prelogon user.

When the end user logs into the device, if single sign-on (SSO) is enabled in the client configuration, the username is immediately reported to the gateway so that the tunnel can be renamed and user- and group-based policy can be enforced. If SSO is not enabled in the client configuration, or if SSO is not supported on the client system (for example, it is a Mac OS system), the user's credentials must be stored in the agent (the "Remember Me" check box must be selected within the agent). The logs for the user authentication cookie are also generated as shown below.

System logs for the prelogon functionality: the authentication type is cookie.

System logs for the regular authentication: the authentication type is cookie.

owner: kprakash
‎07-30-2018 01:43 AM
Although it is not possible to change the port GlobalProtect uses, it is possible to use another port with the help of a loopback IP address and security rules. Here is how to do that:

1. Create a loopback interface. Make sure the untrust interface can ping the loopback.
2. Assign the loopback as the portal address and the gateway address.
3. In the GlobalProtect Portal > Agent > External tab, set the external gateway address (10.30.6.56:7000 for example).
4. Create a Destination NAT rule with service:7000 to 10.30.6.56 (Untrust Interface) translating to 10.10.10.1 (loopback) on service:443.
5. Create a security policy with the destination address as the untrust interface and services as 7000 and 443.

With this configuration, you will be able to access the GlobalProtect portal page at https://10.30.6.56:7000, which will translate to https://10.10.10.1. Download and install the GlobalProtect client software. Use the credentials in the username & password fields. In the portal field, use the IP as 10.30.6.56:7000 as shown.

owner: mvenkatesan
mvenkatesan 07-19-2018 06:07 AM
What is GlobalProtect with On-Demand?

As the name says, with on-demand (at the user's will) the user has control over when to connect to or disconnect from GlobalProtect. Once connected to GlobalProtect, the user will see a 'disconnect' option to disconnect when needed.

This document explains basic GlobalProtect configuration for on-demand with the following considerations:
Authentication - local database
Same interface serving as portal and gateway.
Root, intermediate and server certs are generated on PAN

1. Generate a root CA, intermediate CA and a server cert as explained in this document: https://live.paloaltonetworks.com/t5/1-Submit-and-Collaborate/Certificate-config-for-GP-SSL-TLS-Client-cert-profiles/ta-p/131592

2. Create an SSL/TLS profile under Device > Certificate Management > SSL/TLS service profile, referencing the above created 'server certificate'.

3. Create an authentication profile under Device > Authentication Profile > Add.
Name - Give a name to this authentication profile.
Type - Choose Local Database (you may choose LDAP, RADIUS etc. depending on your requirement).
Advanced Tab > Allow List > Add - Select all (if you have groups, you may restrict it to the required groups).
Click OK to save.

4. Create a tunnel interface under Network > Interfaces > Tunnel. Give a tunnel number, virtual router and security zone. It is recommended to create a separate zone for VPN traffic, as it gives better flexibility to create separate security rules for the VPN traffic.

Configure GlobalProtect Portal

5. Go to Network > GlobalProtect > Portals > Add. General Tab. Give a name to the portal and select the interface that serves as portal from the drop-down.

6. Authentication Tab.
a. Under SSL/TLS service profile, select the SSL/TLS profile created in step 2 from the drop-down.
b. Client Authentication > Add. Give any name to it, leave the OS as 'any' unless you want to restrict it. Under authentication profile, select the auth profile created in Step 3.
c. Click OK to save.

7. Agent Tab. Add a new client config.
a. Authentication tab: Give any name to this client config. Client certificate - leave it as none; this is only needed if we want to push a client certificate to clients for authentication purposes. Save user credentials - Yes (default). (Optional) Authentication override: Check the boxes for 'Generate cookie for authentication override' and 'Accept cookie for authentication override'. This cookie can be encrypted/decrypted using any certificate that is selected from the drop-down of 'Certificate to Encrypt/Decrypt Cookie'.
b. User/User group tab. Leave the OS and User group as 'any' (you may restrict it to the required groups if needed).
c. Gateways tab (Important!). Under 'External gateways', click Add. Give any name to it. Address - Enter the IP address or FQDN which was referenced in the certificate Common Name (CN) or Subject Alternative Name (SAN) of step 1. In this example we enter 'gp.portal-gw01.local'.
d. App tab. Under the 'Connect-method' drop-down, select 'On-demand (Manual user initiated connection)'. Note: To change this GP setup from 'On-demand' to 'user-logon', just change the 'connect-method' from 'on-demand' to 'user-logon'.
e. Click OK to save.
f. Under 'Trusted Root CA', select the root CA and intermediate CA. Also, select 'Install in Local root certificate store' to install these certificates in the client's local root certificate store after the client successfully connects to the portal for the first time.
g. Click OK to save and close the GP portal config.

Configure GlobalProtect Gateway

8. Go to Network > GlobalProtect > Gateways > Add. General Tab. Give a name to the gateway and select the interface that serves as gateway from the drop-down.

9. Authentication Tab. This is similar to step 6, but for the gateway.
a. Under SSL/TLS service profile, select the SSL/TLS profile created in step 2 from the drop-down.
b. Client Authentication > Add. Give any name to it, leave the OS as 'any' unless you want to restrict it. Under authentication profile, select the auth profile created in Step 3.
c. Click OK to save.

10. Agent Tab.
a. Tunnel Settings. Check 'Tunnel mode' to enable tunnel mode and select the tunnel interface created in step 4 from the drop-down.
b. Enable IPSec. Check this box to enable IPSec; this is highly recommended. With this setting enabled, GP will always try to connect over IPSec first; if that fails, GP falls back to SSL.
c. Timeout settings - leave them at the defaults. For any changes to this, refer to the GP admin guide.
d. Client settings. Click Add > Give a name on the authentication override tab. (Optional) Authentication override: Check the boxes for 'Generate cookie for authentication override' and 'Accept cookie for authentication override'. This cookie can be encrypted/decrypted using any certificate selected from the drop-down of 'Certificate to Encrypt/Decrypt Cookie'. Note: If a certificate is selected under the portal, the same certificate needs to be selected here under the Gateway 'certificate to encrypt/decrypt cookie'.
e. User/User group tab. Leave the OS and User group as 'any' (you may restrict it to the required groups if wanted). Important! If a group is chosen from the drop-down, make sure that the GlobalProtect user is part of this group; if not, the client will NOT receive an IP address from the gateway. Common issues here are when the user is identified by GlobalProtect as 'domain\user' but the firewall's User-ID has it as 'fully qualified domain\user'; in those cases make sure the group/user is shown identically in both places by overwriting the domain field in User Identification > Group Mapping.
f. Network Settings. Under the IP pool: Very Important! The GlobalProtect gateway will be assigning IPs from this pool to clients. Specify one or more IP pool ranges which DO NOT OVERLAP with any of the existing networks in the organization. Overlapping subnets can cause routing issues and network outages. (Optional but recommended) You can add a second IP pool range as a backup, which is useful in cases where the user connects to a Wi-Fi network that provides the same IP range as your primary IP pool.
g. Access Route. This defines which subnets can be reached by GP clients once they are connected to the gateway. If left blank, it is taken as 0.0.0.0/0, i.e. all traffic from the GP client will be forced through the GP tunnel. For split tunneling: specify the required internal subnets, like 10.0.0.0/8, 192.168.x.0/24 etc., so that the GP client uses the tunnel to reach only these subnets. Anything outside these subnets is accessed directly from the client's local network; this is called split tunneling.
h. Click OK to save and close client settings. One more OK to save and close the GP gateway settings.

11. Create a local username/password under Device > Local User Database > Users for testing.
12. Create security and NAT policies for the newly created VPN zone to give access appropriately.
13. Commit the changes.

To test on a client machine

1. From the browser, go to https://gp.portal-gw01.local/ i.e. https://<portal-ip/fqdn>
2. Enter the credentials.
3. Download the GlobalProtect client.
4. In the GlobalProtect client, enter the Portal address and credentials, and click Connect.
dreputi 06-18-2018 12:40 PM
Symptoms

After installing or extracting GlobalProtect 4.1 on Linux and attempting to enter CLI mode by running the globalprotect file, you receive an error such as:

$ globalprotect
-bash: /usr/bin/globalprotect: cannot execute binary file: Exec format error

Diagnosis

This may be caused by extracting/installing GlobalProtect on a 32-bit system. Only 64-bit systems can run GlobalProtect; there is no 32-bit package. Viewing the file info for the 'globalprotect' file shows it is 64-bit:

$ file /opt/paloaltonetworks/globalprotect/globalprotect
/opt/paloaltonetworks/globalprotect/globalprotect: ELF 64-bit LSB executable, x86-64...

On many Linux distributions, you can view your system type with the following command:

$ uname -m

If you see "i686" (or "i386" on a very old computer), it is a 32-bit system. If you see "x86_64", the system is 64-bit and can use GlobalProtect.

Solution

Ensure you are installing GlobalProtect on a 64-bit Linux system. There is no supported way to run GlobalProtect on a 32-bit Linux system.
gwesson 03-08-2018 01:07 PM
Overview

Listed below are the scenarios in which the GlobalProtect Portal and Gateway licenses are required.

GlobalProtect Portal License

Prior to PAN-OS 7.0, the GlobalProtect Portal license is required when:
Using HIP
Configuring multiple gateways
Configuring an internal gateway
PAN-OS 7.0 and later: the GlobalProtect Portal license is not required.

GlobalProtect Gateway License

The GlobalProtect Gateway license is required when:
Using HIP
Using the iOS or Android mobile application
The GlobalProtect Gateway license requirement remains the same for PAN-OS 7.0 and later.

High Availability deployment of the portal and gateway requires identical licenses to be installed on both devices.

See Also
GlobalProtect Configuration Tech Note
GlobalProtect Configuration for the IPsec Client on Apple iOS Devices
GlobalProtect Configuration for the IPSec Client on Android Devices

owner: sdarapuneni
zarina 02-21-2018 03:51 PM
What is GlobalProtect with User-logon (Always On)?

As the name says, with user-logon GlobalProtect connects after a user logs on to a machine. When this is used with SSO (Windows only) or saved user credentials (Mac), GlobalProtect connects automatically after the user logs into the machine. The idea behind user-logon is to have the user 'always' stay connected to GlobalProtect. Once connected to GlobalProtect, the user will see the 'disable' option (if allowed by the admin) to disable the GlobalProtect application when needed.

This document explains basic GlobalProtect configuration for user-logon with the following considerations:
Authentication - local database
Same interface serving as portal and gateway.
Root, intermediate and server certs are generated on PAN

1. Generate a root CA, intermediate CA and a server cert as explained in this document: https://live.paloaltonetworks.com/t5/Configuration-Articles/Certificate-config-for-GP-SSL-TLS-Client-cert-profiles/ta-p/131592

2. Create an SSL/TLS profile under Device > Certificate Management > SSL/TLS service profile, referencing the above created 'server certificate'.

3. Create an authentication profile under Device > Authentication Profile > Add.
Name - Give a name to this authentication profile.
Type - Choose Local Database (you may choose LDAP, RADIUS etc. depending on your requirement).
Advanced Tab > Allow List > Add - Select all (if you have groups, you may restrict it to the required groups).
Click OK to save.

4. Create a tunnel interface under Network > Interfaces > Tunnel. Give a tunnel number, virtual router and security zone. We recommend creating a separate zone for VPN traffic, as it gives better flexibility and more security to create separate security rules for the VPN traffic.

Configure GlobalProtect Portal

5. Go to Network > GlobalProtect > Portals > Add. General Tab. Give a name to the portal and select the interface that serves as portal from the drop-down.

6. Authentication Tab.
a. Under SSL/TLS service profile, select the SSL/TLS profile created in step 2 from the drop-down.
b. Client Authentication > Add. Give any name to it, leave the OS as 'any' unless you want to restrict it. Under authentication profile, select the auth profile created in Step 3.
c. Click OK to save.

7. Agent Tab. Add a new client config.
a. Authentication tab: Give any name to this client config. Client certificate - leave it as none; this is only needed if we want to push a client certificate to clients for authentication purposes. Save user credentials - Yes (default). (Optional) Authentication override: Check the boxes for 'Generate cookie for authentication override' and 'Accept cookie for authentication override'. This cookie can be encrypted/decrypted using any certificate that is selected from the drop-down of 'Certificate to Encrypt/Decrypt Cookie'. Note: If a certificate is selected here under the portal, the same certificate needs to be selected under the Gateway's config for encrypt/decrypt cookie.
b. User/User group tab. Leave the OS and User group as 'any' (you may restrict it to the required groups, if needed).
c. Gateways tab (IMPORTANT!). Under 'External gateways', click Add. Give any name to it. Address - Enter the IP address or FQDN which was referenced in the certificate Common Name (CN) or Subject Alternative Name (SAN) of Step 1. In this example we enter 'gp.portal-gw01.local'.
d. App tab. Under the 'Connect-method' drop-down, select 'User-logon (Always On)'. Note: To change this GP setup from 'User-logon' to 'On-demand', just change the 'connect-method' from 'user-logon' to 'on-demand'.
e. Click OK to save.
f. Under 'Trusted Root CA', select the root CA and intermediate CA. Also, select 'Install in Local root certificate store' to install these certificates in the client's local root certificate store after the client successfully connects to the portal for the first time.
g. Click OK to save and close the GP portal config.

Configure GlobalProtect Gateway

8. Go to Network > GlobalProtect > Gateways > Add. General Tab. Give a name to the gateway and select the interface that serves as gateway from the drop-down.

9. Authentication Tab. This is similar to step 6, but for the gateway.
a. Under SSL/TLS service profile, select the SSL/TLS profile created in step 2 from the drop-down.
b. Client Authentication > Add. Give any name to it, leave the OS as 'any' unless you want to restrict it. Under authentication profile, select the auth profile created in Step 3.
c. Click OK to save.

10. Agent Tab.
a. Tunnel Settings. Check 'Tunnel mode' to enable tunnel mode and select the tunnel interface created in step 4 from the drop-down.
b. Enable IPSec. Check this box to enable IPSec; this is highly recommended. With this setting enabled, GP will always try to connect over IPSec first; if that fails, GP falls back to SSL.
c. Timeout settings - leave them at the defaults. For any changes to this, refer to the GlobalProtect admin guide.
d. Client settings. Click Add > Give a name on the authentication override tab. (Optional) Authentication override: Check the boxes for 'Generate cookie for authentication override' and 'Accept cookie for authentication override'. This cookie can be encrypted/decrypted using any certificate selected from the drop-down of 'Certificate to Encrypt/Decrypt Cookie'. Note: If a certificate was selected in step 7 under the portal, the same certificate needs to be selected here under the Gateway 'certificate to encrypt/decrypt cookie'.
e. User/User group tab. Leave the OS and User group as 'any' (you may restrict it to the required groups if wanted). IMPORTANT! If a group is chosen from the drop-down, make sure that the GlobalProtect user is part of this group; if not, the client will NOT receive an IP address from the gateway. Common issues here are when the user is identified by GlobalProtect as 'domain\user' but the firewall's User-ID has it as 'fully qualified domain\user'; in those cases make sure the group/user is shown identically in both places by overwriting the domain field in User Identification > Group Mapping.
f. Network Settings. Under the IP pool: IMPORTANT! The GlobalProtect gateway will be assigning IPs from this pool to clients. Specify one or more IP pool ranges which DO NOT OVERLAP with any of the existing networks in the organization. Overlapping subnets can cause routing issues and network outages. (Optional but recommended) You can add a second IP pool range as a backup, which is useful in cases where the user connects to a Wi-Fi network that provides the same IP range as your primary IP pool.
g. Access Route. This defines which subnets can be reached by GlobalProtect clients once they are connected to the gateway. If left blank, it is taken as 0.0.0.0/0, i.e. all traffic from the GlobalProtect client will be forced through the GlobalProtect tunnel. For split tunneling: specify the required internal subnets, like 10.0.0.0/8, 192.168.x.0/24 etc., so that the GlobalProtect client uses the tunnel to reach only these subnets. Anything outside these subnets is accessed directly from the client's local network; this is called split tunneling.
h. Click OK to save and close client settings. One more OK to save and close the GlobalProtect gateway settings.

11. Create a local username/password under Device > Local User Database > Users for testing.
12. Create security and NAT policies for the newly created VPN zone to give access appropriately.
13. Commit the changes.

To test on a client machine

1. From the browser, go to https://gp.portal-gw01.local/ i.e. https://<portal-ip/fqdn>
2. Enter the credentials.
3. Download the GlobalProtect client.
4. In the GlobalProtect client, enter the portal address and credentials, and click Connect.
dreputi 01-25-2018 03:39 AM
Issue

Different Certificate Profiles on the GlobalProtect Portal and GlobalProtect Gateway which are using the same interface.

Setup

Certificate Profile #1: Cert-Prof-1
Certificate Profile #2: Cert-Prof-2
GlobalProtect Portal configured on ethernet1/3 (IP Address: x.x.x.x) using Cert-Prof-1
GlobalProtect Gateway configured on the same ethernet1/3 (IP Address: x.x.x.x) using Cert-Prof-2

Outcome

The Palo Alto Networks firewall will use "Cert-Prof-2" even for the GlobalProtect Portal.

NOTE: In cases where the Certificate Profiles are configured differently, connecting to the GlobalProtect Portal might fail, as the firewall will use the Gateway's Certificate Profile even for connections to the GlobalProtect Portal.

Cause/Resolution

When the GlobalProtect Portal and Gateway are configured on the same interface and a Certificate Profile is needed for Client Authentication on both the GlobalProtect Portal and Gateway, use the same Certificate Profile on both, because the Dataplane (DP) on the Palo Alto Networks firewall uses only the GlobalProtect Gateway's Certificate Profile for connections to both the GlobalProtect Portal and Gateway.
sahmed 01-09-2018 03:07 PM
Issue

When a remote user connects to the corporate network with GlobalProtect, the computer is assigned an IP address from the pool configured on the gateway. It is possible that this IP address overlaps the subnet that the workstation is already in, which will cause issues.

For example: A remote employee is connecting from a hotel room where the IP address received locally is in the 10.0.0.0/8 range. The IP pool available for GlobalProtect clients is 10.1.1.0/24. This will cause issues since the IP pool is part of the local subnet. In this case, the following error is generated in the System logs on the firewall: "Assign Private IP address failed".

Resolution

The recommended solution for this issue is to create a new IP pool in a different subnet and leave that new pool lower on the list. IP pools are used from the top down, but if the client is in a subnet that conflicts with the first IP pool, the firewall will assign an IP address from the second pool automatically.

owner: tpiens
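The top-down pool fallback described in this article, together with the "DO NOT OVERLAP with any existing network" check from the on-demand and user-logon configuration articles above, as an added example (not Palo Alto Networks code). It assumes the client's local subnet is handed in directly; how the gateway actually learns it is not modelled, and the sample pools and networks are constructed.

```python
import ipaddress
from typing import Iterable, List, Optional, Sequence, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_pool(spec: str) -> List[IPNetwork]:
    """One pool entry, written either as a subnet ("10.1.1.0/24") or as a
    range ("172.16.7.1 - 172.16.7.7", the form the gateway output shows),
    expanded to the CIDR blocks it covers."""
    spec = spec.strip()
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(spec, strict=False)]


def pool_overlaps(pool: Iterable[IPNetwork], other: IPNetwork) -> bool:
    return any(block.overlaps(other) for block in pool)


def select_pool(pool_specs: Sequence[str], client_local_subnet: str) -> Optional[str]:
    """Model of the top-down selection in the article: the first pool that does
    not overlap the subnet the client sits in is used. None means every pool
    conflicts, which is the "Assign Private IP address failed" case.
    (Assumption: the client's local subnet is passed in directly.)"""
    local = ipaddress.ip_network(client_local_subnet, strict=False)
    for spec in pool_specs:
        if not pool_overlaps(parse_pool(spec), local):
            return spec
    return None


def pool_conflicts_with_org(pool_specs: Sequence[str],
                            org_networks: Sequence[str]) -> List[Tuple[str, str]]:
    """Pre-commit check for the 'pool must not overlap existing networks'
    advice: returns every (pool, organisation network) pair that overlaps."""
    org = [ipaddress.ip_network(n, strict=False) for n in org_networks]
    conflicts = []
    for spec in pool_specs:
        blocks = parse_pool(spec)
        for net in org:
            if pool_overlaps(blocks, net):
                conflicts.append((spec, str(net)))
    return conflicts


if __name__ == "__main__":
    # Constructed sample: the article's hotel case, plus a backup pool.
    pools = ["10.1.1.0/24", "172.16.50.0/24"]
    print(select_pool(pools, "10.0.0.0/8"))       # backup pool is used
    print(select_pool(pools[:1], "10.0.0.0/8"))   # None: assignment fails
    print(pool_conflicts_with_org(pools, ["10.0.0.0/8", "192.168.0.0/16"]))
```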
npare 12-20-2017 12:45 AM
Overview

This document describes the steps to properly generate and apply certificates for a scenario involving multiple GlobalProtect Gateways managed by a single GlobalProtect Portal.

Steps

Check licenses. The device hosting the portal should have a portal and a gateway license. All the gateways managed by the portal need to have a gateway license.

Generate and install certificates
Generate a root Certificate Authority (CA) certificate on the Palo Alto Networks device which will host the portal. (On PAN-OS 4.0.x and 4.1.x go to Device > Certificates. On PAN-OS 5.0.x go to Device > Certificate Management > Certificates.)
Export the generated root CA certificate.
Import the certificate to the Palo Alto Networks device which is hosting the external GlobalProtect Gateway. The generated root CA certificate must be imported to all external GlobalProtect Gateways. In this example, there are 2 GlobalProtect Gateways.
First external GlobalProtect Gateway certificate: this certificate should be signed by the imported root CA certificate. The Common Name can be either an IP or an FQDN.
Second external GlobalProtect Gateway certificate: this certificate should also be signed by the imported root CA certificate. The Common Name can be either an IP or an FQDN.

Configure the GlobalProtect Portal (Network > GlobalProtect > Portals)
Configure the Portal Configuration tab. For this example, the same certificate is being used for the GlobalProtect Portal and the first external GlobalProtect Gateway. Note: The "Satellite Configuration" tab shown in the screenshot below is not available before PAN-OS 5.0.
Configure the Client Configuration tab. Important: Only FQDNs associated with the gateway IP addresses can be entered under the list of External Gateways. If IP addresses for the gateways are entered, the following errors show up in the PANGPS logs:
Make sure the root CA certificate is added under Trusted Root CA.

Configuration of the first external GlobalProtect Gateway:
Configuration of the second external GlobalProtect Gateway:

See also
How to Configure GlobalProtect
GlobalProtect Configuration Tech Note

owner: sraghunandan
sraghunandan 12-08-2017 03:51 AM
Overview VPNC is an open-source third-party IPSec VPN client that supports Extended Authentication (X-Auth) and establishes a VPN tunnel to GlobalProtect Gateways for accessing internal corporate networks.   Check the link below for a list of supported X-Auth IPSec clients :   What X-Auth IPSec Clients are Supported ?   This document explains how split tunneling works when a VPNC client is connected to a GlobalProtect Gateway.   Details In order to define networks to be accessible from the VPNC client (or) for traffic to be sent over the VPN connection, access routes (also known as split tunneling) need to be added in the GlobalProtect Gateway's client configuration. Refer GlobalProtect Configuration Tech Note When access routes are configured on the GlobalProtect gateway, an aggregate route of all the access routes is sent to the VPNC client. If DNS server addresses are included, then they will also be taken into consideration while aggregating the routes.   For example: If the access routes contain the networks 10.66.22.0/23 and 192.168.87.0/24, then the aggregate route sent to the third-party VPNC client is a default route 0.0.0.0/0 as shown below. 
> show global-protect-gateway gateway name test_vpnc   GlobalProtect Gateway: test_vpnc (0 users) Tunnel Type          : remote user tunnel Tunnel Name          : test_vpnc-N         Tunnel ID                 : 7         Tunnel Interface          : tunnel.1         Encap Interface           : ethernet1/3         Inheritance From          :         Local Address             : 10.66.24.87         SSL Server Port           : 443         IPSec Encap               : yes         Tunnel Negotiation        : ssl,ike         HTTP Redirect             : no         UDP Port                  : 4501         Max Users                 : 0         IP Pool Ranges            : 172.16.7.1 - 172.16.7.7;         IP Pool index             : 0         Next IP                   : 0.0.0.0         DNS Servers               : 4.2.2.2                                   : 0.0.0.0         WINS Servers              : 0.0.0.0                                   : 0.0.0.0         Access Routes             : 10.66.22.0/23; 192.168.87.0/24;         Access Route For Third Party Client: 0.0.0.0/0         VSYS                      : vsys1 (id 1)         SSL Server Cert           : SERVER_CERT         Auth Profile              : vpnc_auth         Client Cert Profile       :         Lifetime                  : 2592000 seconds         Idle Timeout              : 10800 seconds   If the access routes contain the networks 10.66.22.0/23 and 10.66.12.0/23, then the aggregate route sent to the third-party VPNC client is 10.66.0.0/19, as shown below. 
> show global-protect-gateway gateway name test_vpnc

GlobalProtect Gateway: test_vpnc (0 users)
Tunnel Type               : remote user tunnel
Tunnel Name               : test_vpnc-N
        Tunnel ID                 : 7
        Tunnel Interface          : tunnel.1
        Encap Interface           : ethernet1/3
        Inheritance From          :
        Local Address             : 10.66.24.87
        SSL Server Port           : 443
        IPSec Encap               : yes
        Tunnel Negotiation        : ssl,ike
        HTTP Redirect             : no
        UDP Port                  : 4501
        Max Users                 : 0
        IP Pool Ranges            : 172.16.7.1 - 172.16.7.7;
        IP Pool index             : 0
        Next IP                   : 0.0.0.0
        DNS Servers               : 10.66.22.77
                                  : 0.0.0.0
        WINS Servers              : 0.0.0.0
                                  : 0.0.0.0
        Access Routes             : 10.66.22.0/23; 10.66.12.0/23;
        Access Route For Third Party Client: 10.66.0.0/19
        VSYS                      : vsys1 (id 1)
        SSL Server Cert           : SERVER_CERT
        Auth Profile              : vpnc_auth
        Client Cert Profile       :
        Lifetime                  : 2592000 seconds
        Idle Timeout              : 10800 seconds

Note: If the aggregate route sent to the VPNC client is a default route (0.0.0.0/0), the VPNC client needs to be configured for split tunneling as shown below. Navigate to the VPNC client and go to IPv4 Settings > Routes. Add the required access route and make sure that the option "Use this connection only for resources on its network" is checked. Although the aggregate route sent by GlobalProtect is 0.0.0.0/0, access will then only be allowed to the network 10.66.22.0/23, as shown below.
Linux host's terminal output:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.16.7.1  P-t-P:172.16.7.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1412  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

No access route was added for 192.168.87.0/24, although the aggregate route sent to the VPNC client was 0.0.0.0/0:

tobby@VirtualBox:~$ ping 192.168.87.1
PING 192.168.87.1 (192.168.87.1) 56(84) bytes of data.

--- 192.168.87.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2014ms

Access route added for 10.66.22.0/23 in the VPNC client:

tobby@VirtualBox:~$ ping 10.66.22.87
PING 10.66.22.87 (10.66.22.87) 56(84) bytes of data.
64 bytes from 10.66.22.87: icmp_req=1 ttl=61 time=6.87 ms
64 bytes from 10.66.22.87: icmp_req=2 ttl=61 time=2.02 ms

--- 10.66.22.87 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 2.021/4.450/6.879/2.429 ms

owner: gchandrasekaran
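The aggregation shown in the two CLI outputs above, reconstructed as an added Python example (not PAN-OS or VPNC code): it computes the single prefix the gateway advertises to a third-party client and shows what the VPNC client actually routes into the tunnel once it is restricted to its manually entered routes. Folding DNS servers in as /32 host routes is this example's reading of the article's statement that they are considered during aggregation.

```python
"""Route aggregation for third-party (X-Auth) GlobalProtect clients.

Added example reconstructing the behaviour described in the article; it is
not Palo Alto Networks code.
"""
import ipaddress
from typing import Iterable

IPv4Net = ipaddress.IPv4Network


def aggregate_access_routes(access_routes: Iterable[str],
                            dns_servers: Iterable[str] = ()) -> IPv4Net:
    """Return the smallest single prefix covering every access route and
    every configured DNS server. Unconfigured 0.0.0.0 DNS entries (as shown
    in the CLI output) are skipped. The gateway CLI displays this value as
    'Access Route For Third Party Client'."""
    nets = [ipaddress.ip_network(r, strict=False) for r in access_routes]
    # Assumption of this example: DNS servers count as /32 host routes.
    nets += [ipaddress.ip_network(f"{d}/32") for d in dns_servers
             if d != "0.0.0.0"]
    if not nets:
        raise ValueError("no access routes configured")
    aggregate = nets[0]
    for net in nets[1:]:
        # Widen the candidate prefix one bit at a time until it covers net.
        # 0.0.0.0/0 covers everything, so the loop always terminates.
        while not aggregate.supernet_of(net):
            aggregate = aggregate.supernet()
    return aggregate


def reachable_over_tunnel(destination: str,
                          client_routes: Iterable[str]) -> bool:
    """What the VPNC client sends into the tunnel once 'Use this connection
    only for resources on its network' is checked: only destinations inside
    the routes entered manually on the client, regardless of the aggregate
    the gateway pushed."""
    dst = ipaddress.ip_address(destination)
    return any(dst in ipaddress.ip_network(r, strict=False)
               for r in client_routes)


if __name__ == "__main__":
    # Inputs taken from the article's two CLI outputs (constructed here).
    print(aggregate_access_routes(["10.66.22.0/23", "192.168.87.0/24"],
                                  ["4.2.2.2"]))                # 0.0.0.0/0
    print(aggregate_access_routes(["10.66.22.0/23", "10.66.12.0/23"],
                                  ["10.66.22.77", "0.0.0.0"]))  # 10.66.0.0/19
    # The ping results from the Linux host, with only 10.66.22.0/23 added:
    print(reachable_over_tunnel("192.168.87.1", ["10.66.22.0/23"]))  # False
    print(reachable_over_tunnel("10.66.22.87", ["10.66.22.0/23"]))   # True
```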
gchandrasekaran ‎11-28-2017 12:13 AM
Overview

This document explains how to modify the predefined GlobalProtect Portal Login Page to add a company logo.

Steps

1. Navigate to Device > Response Pages.
2. Click GlobalProtect Portal Login Page and export the predefined page.
3. Modify the HTML code by adding the company logo as shown below. The <img> line shows the URL where the image is located.

<HTML>
<HEAD>
<TITLE>Palo Alto Networks - GlobalProtect Portal</TITLE>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" type="text/css" href="/styles/falcon_content.css?v=@@version">
<img src="http://cdn.slidesharecdn.com/profile-photo-Palo_Alto_Networks-96x96.jpg?1382722588"/>
<style>
td {
  font-family: Verdana, Arial, Helvetica, sans-serif;
  font-weight: bold;
  color: black; /*#FFFFFF; */
}
.msg {
    background-color: #ffff99;
    border-width: 2px;
    border-color: #ff0000;
    border-style: solid;
    padding-left: 20px;
    padding-right: 20px;
    max-height: 150px;
    height: expression( this.scrollHeight > 150 ? "150px" : "auto" ); /* sets max-height for IE */
    overflow: auto;
}
.alert {font-weight: bold;color: red;}
</style>
</HEAD>
<BODY bgcolor="#F2F6FA">
  <table style="background-color: white; width:100%; height:45px; border-bottom: 2px solid #888888;">
  <tr style="background-image:url(/images/logo_pan_158.gif); background-repeat: no-repeat">
  <td align="left"> </td>
  </tr>
  </table>
  <div align="center">
  <h1>Palo Alto Networks - GlobalProtect Portal</h1>
  </div>
  <div id="formdiv">
<pan_form/>
</div>
</BODY>
</HTML>

4. Import the modified response page by navigating to Device > Response Pages > GlobalProtect Portal Login Page.
5. Go to Network > GlobalProtect > Portals. On the General tab choose the Custom Login Page, or import the modified page directly from here.
6. The GlobalProtect Portal Login page with the custom logo is displayed as shown below.
Note: Ensure that the image referenced by the source URL in the HTML code is hosted on a server that is accessible to the remote GlobalProtect users. Because the portal login page itself is served over HTTPS, the image should also be served over HTTPS; an http:// image URL is treated as mixed content by browsers and may be blocked or flagged.

See also: Customizing Response Pages

owner: gchandrasekaran
gchandrasekaran ‎11-22-2017 05:47 AM
Overview

This document describes how to configure reserved IPs for GlobalProtect.

Symptom

Currently, there is no way to create a reservation for an IP address for a GlobalProtect user that connects to the gateway.

Workaround

See the following workarounds to resolve the symptom:

1. Use the registry to give a preferred IP address to the client

From the WebGUI, go to Network > Gateways, then click Add > Client Configuration > Network Settings. The GlobalProtect user will be offered the first IP address that is defined in the pool of IP addresses. In the following scenario, the IP address 10.200.200.101 is being used.

From the CLI, use the following command to determine whether the user got the address as expected:

> show global-protect-gateway current-user
GlobalProtect Gateway: GP-GW-2 (1 users)
Tunnel Name               : GP-GW-2-N
Domain-User Name          : al\emea
Computer                  : ILIJA_WIN7_DMZ
Client                    : Microsoft Windows 7 Enterprise Edition Service Pack 1, 32-bit
Mobile ID                 :
Private IP                : 10.200.200.101
Public IP                 : 10.193.83.98
ESP                       : exist
SSL                       : none
Login Time                : Dec.31 14:57:36
Logout/Expiration         : Jan.30 14:57:36
TTL                       : 2591981
Inactivity TTL            : 10796

The next time the client connects, it notifies the gateway that it has a preferred IP address; if that address is free, the client can use it again. If the IP pool is large enough that the preferred IP is always available, the user should in theory get the same IP every time.
This setting is configured by editing the registry on the client's machine, as shown below. Under HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanGPS\PreferredIP, add the desired IP. Set the preferred IP address to an IP at the high end of the pool (in this case 10.200.200.150). In this case the pool is 50 IP addresses and no more than 50 users are expected to connect concurrently, so the last IP will always be free on the gateway and can be used by the client. After the user connects, the output should look like this:

> show global-protect-gateway current-user
GlobalProtect Gateway: GP-GW-2 (1 users)
Tunnel Name               : GP-GW-2-N
Domain-User Name          : al\emea
Computer                  : ILIJA_WIN7_DMZ
Client                    : Microsoft Windows 7 Enterprise Edition Service Pack 1, 32-bit
Mobile ID                 :
Private IP                : 10.200.200.150
Public IP                 : 10.193.83.98
ESP                       : exist
SSL                       : none
Login Time                : Dec.31 15:00:15
Logout/Expiration         : Jan.30 15:00:15
TTL                       : 2591981
Inactivity TTL            : 10798

2. Create an extra gateway for that particular user

Define the source user in the GlobalProtect configuration and assign a pool to the gateway. The user will get the first IP address from the pool, as no one else shares that pool. Note: The smallest pool that can be defined is a /30; it is not possible to add a subnet with a /32 mask. This capability exists for the more common use case of defining specific user groups that receive different configurations and network settings, so it does not scale to dozens of individual IPs, but for one user it should work fine.
3. Use static source NAT

If, in the above example, the user still gets different IP addresses from the pool, define a static source NAT between the SSLVPN zone and the Trust zone, so that traffic from the VPN user is seen from a single IP address on the Trust side.

Note: These workarounds are for limited use; for proper functionality a feature request must be submitted.

owner: ialeksov
kalavi ‎11-22-2017 05:28 AM
This article can still be used as a reference, but I strongly recommend checking out the newer versions specifically created to cover newer PAN-OS versions: Basic-GlobalProtect-Configuration-with-Pre-logon

Overview

This document describes how to configure GlobalProtect SSO with the Pre-Logon access method using self-signed certificates.

Steps

The example configuration below is for one portal and one gateway residing on the same Palo Alto Networks device, but it can be expanded to reflect multiple gateways. Local Database authentication is used for this example, but other authentication methods (LDAP, Kerberos, RADIUS, etc.) can be applied.

Generate the root Certificate Authority (CA) certificate on the Palo Alto Networks device. This will be used to sign the server certificates for both the GlobalProtect Portal and Gateway, as well as the machine certificate that will be deployed to the client machines.

Generate the server and machine certificates. Each certificate should be signed by the CA certificate created in Step 1. Device certificates associated with GlobalProtect should appear as follows:

Create a Certificate Profile. This will be used to confirm machine certificate validity by cross-checking against the CA certificate. Make sure to select the CA certificate when adding 'CA Certificates'.

Create your GP Portal as follows. Under Portal Configuration, configure the network and authentication settings. Select the server certificate generated in Step 3 above. For Certificate Profile, select the profile created in Step 4. Under Client Configuration, create a config. This will be pushed to GlobalProtect clients during the initial connection and on network rediscovery attempts. Configure the pre-logon client config with the pre-logon access method. Configure another config with 'any' user so that all users, including pre-logon, get the same config. In the Trusted Root CA section, add the root CA created in Step 1.
This certificate will be pushed out to the connecting agents.

A sample GlobalProtect Gateway configuration is shown below. Make sure to use the same server certificate and certificate profile used in the GlobalProtect Portal configuration. The image below shows a GlobalProtect Gateway configuration that terminates users on tunnel.1 (L3-Trust zone) and uses the 192.168.200.0/24 scope, with an access route only to the internal trust network (192.168.144.0/24).

The next step is to export the machine certificate, which will then be added to the trusted certificate store on the local computer. Use the PKCS12 file format and provide a passphrase.

On the client machine, import the previously exported machine certificate. The image below demonstrates the use of the MMC certificate snap-in for the local computer. This launches the Certificate Import Wizard; follow the steps to complete the import. The certificate for this example was exported in PKCS12 file format. Make sure to confirm that the correct cert is detected. Install the certificate into the local computer's Personal certificate store and then confirm the installation.

Here, syslog shows the initial connection, with the agent using the user credentials to connect successfully. Subsequently, log off the machine and verify that the machine is still able to make a successful connection to both the GlobalProtect Portal and Gateway as a 'pre-logon' user, with the machine certificate validated by the CA certificate.

owner: rkalugdan
gswcowboy ‎11-22-2017 05:22 AM
Overview

This document describes the steps to configure GlobalProtect for authentication using certificates only, without the user being prompted for login.

Steps

1. Create the certificate profile under Device > Certificate Management > Certificate Profile. Make sure Username Field is set to 'Subject' and the grey area to the right of it shows 'common-name'. Add the root CA under CA Certificates. (Screenshot: Certificate Profile)

The image below shows the certificates created. (Screenshot: Certificates)

2. Configure the GlobalProtect Gateway. Set Authentication Profile to None and set the certificate profile to the one created in Step 1 above. (Screenshot: GlobalProtect Gateway)

3. Configure the GlobalProtect Portal. Set the Authentication Profile to None. Select the Client Certificate and Certificate Profile.

Note: Having the firewall generate a Client Certificate assumes that the certificate infrastructure is set up on the network to support that client certificate. Alternatively, a client cert may not be necessary and may also not be advisable in a multi-user environment. It may be better to use a certificate profile with the CA that will be used to sign each user's certificate, so that each user receives a unique certificate from the CA. (Screenshot: GlobalProtect Portal)

4. In the Client Configuration tab, disable SSO.

5. Install the root and the client certificates in the machine local store of the client PC. Note: When exporting the client machine certificate from the Palo Alto Networks device, it needs to be in PKCS12 format.

6. Install the client certificate in the user personal store. In the GlobalProtect client, there is no need to enter the Username and Password.

7. Commit the configuration on the firewall. The GlobalProtect client will automatically connect to the gateway. The remote users for the Gateway will show up as the client certificate logging in.

owner: pvermuri
pvemuri ‎11-21-2017 05:50 AM
Note that since this article was written, some things might have changed. I recommend checking out the following articles instead:
Basic GlobalProtect Configuration with On-Demand
Basic GlobalProtect Configuration with Pre-logon
Basic GlobalProtect Configuration with User-logon

---

To implement GlobalProtect, configure:
- GlobalProtect client downloaded and activated on the Palo Alto Networks firewall
- Portal Configuration
- Gateway Configuration
- Routing between the trust zones and GlobalProtect clients (and in some cases, between the GlobalProtect clients and the untrusted zones)
- Security and NAT policies permitting traffic between the GlobalProtect clients and Trust
- Optional: NAT policy for GlobalProtect clients to go out to the internet (if split tunneling is not enabled)
- For iOS or Android devices to connect, the GlobalProtect app can be used

Portal Configuration

It is recommended to first test without a Certificate Profile, which allows for simpler troubleshooting if the initial configuration does not work as intended. First successfully configure and test basic authentication, then add the Certificate Profile for certificate authentication.

The portal address is the address where outside GlobalProtect clients connect. In most cases, this is the outside interface's IP address. The gateway address is usually the same outside IP address.

GlobalProtect Connect Methods:
- On-demand: requires manually connecting when access to the VPN is required.
- User-logon: the VPN is established as soon as the user logs into the machine. When SSO is enabled, user credentials are automatically pulled from the Windows logon information and used to authenticate the GlobalProtect client user.
- Pre-logon: the VPN is established before the user logs into the machine. A machine certificate is required for this type of connection.

The Agent tab contains important settings regarding what users can or cannot do with the GlobalProtect Agent.
Enabling Agent User Override with comment allows users to disable the agent after entering a comment or reason. The comment appears in the system logs of the firewall the next time this user logs in. Selecting the "disabled" option for Agent User Override prevents users from disabling the GlobalProtect agent.

Gateway Configuration

For the initial testing, Palo Alto Networks recommends configuring basic authentication. When everything has been tested, authentication via client certificates can be added to the configuration if necessary.

To authenticate devices with a third-party VPN application, check "Enable X-Auth Support" in the gateway's Client Configuration. A Group Name and password must be configured for this setting.

In most cases, for firewalls with static public IP addresses, set the inheritance source to None.

The IP pool settings are important, because this is the pool of IP addresses that the firewall assigns to connecting GP clients. Even if GlobalProtect clients need to be considered part of the local network, Palo Alto Networks does not recommend using an IP pool in the same subnet as the LAN address pool, to keep routing simple: internal servers automatically send packets back to the gateway when the source is in another subnet. If the GP clients were issued IP addresses from the same subnet as the LAN, the internal LAN resources would never direct their traffic intended for the GP clients to the Palo Alto Networks firewall (the default gateway).

Access Routes

Access routes are the subnets to which GlobalProtect clients are expected to connect. In most cases these are the LAN networks. To force all traffic through the firewall, even traffic intended for the Internet, configure the network 0.0.0.0/0, which means all traffic. If 0.0.0.0/0 is configured, the security rules then control which internal LAN resources the GlobalProtect clients can access.
If no security policy permits traffic from the GlobalProtect clients' zone to the untrusted zone, then the GlobalProtect clients connected to the Palo Alto Networks firewall through the SSL VPN can access only local resources and are not allowed on the internet.

The GlobalProtect client zones and tunnel interfaces must be in the same virtual router as the other interfaces.

owner: sjamaluddin
npare ‎11-16-2017 04:40 AM
Overview

This document describes the steps to configure an internal-only GlobalProtect Gateway. This document was created on a Palo Alto Networks device running PAN-OS 8.0.

Steps

1. Identify the interface where the clients are going to connect. (Screenshot: Interfaces)

2. Configure the GlobalProtect Gateway: use the drop-down lists to select the internal interface, IP address, SSL/TLS Service Profile, and Authentication Profile. Client configuration for the internal gateway is not needed if tunneling is not performed. (Screenshots: Internal Gateway; Internal Gateway Authentication)

3. Configure the GlobalProtect Portal: use the drop-down lists to select the internal interface, IP address, SSL/TLS Service Profile, and Authentication Profile. Add the trusted Root CA. Add an Agent Configuration and make sure the Connect Method is not On-Demand. Add the gateway to the list of internal gateways. (Screenshots: GP Portal configuration; GP Portal Authentication; GP Portal Agent configuration; Agent Internal Gateway configuration; Agent App behavior - always-on)

4. Now connect through the internal gateway.

See Also

Refer to the GlobalProtect Administrator's Guide for any additional help with configuring GlobalProtect: GlobalProtect Administrator's Guide 8.0 (English)

owner: aabdelhalim
mbutt ‎10-30-2017 06:25 AM
Please see the Apple support article at https://support.apple.com/en-us/HT207828 for the source of this information.

In summary, iOS 11, tvOS 11 and macOS High Sierra introduce the following requirements for TLS connections:
- Removes support for TLS connections using SHA-1 certificates. Administrators of TLS services should update their services to use SHA-2 certificates.
- Removes trust from certificates that use RSA key sizes smaller than 2048 bits across all TLS connections.
- Uses TLS 1.2 as the default for EAP-TLS negotiation. You can change this default setting with a configuration profile. Older clients might still need 1.0.
- Authentication based on client certificates requires the server to support TLS 1.2 with cipher suites that are compatible with forward secrecy.

Note: If the SSL/TLS Service Profile for the GlobalProtect Portal and Gateway supports a maximum TLS version of 1.1, then neither an iOS 11 nor a Mac OS X 10.13 system will succeed in establishing a connection. Once the configuration is committed with the maximum version set to 1.2 or to "max", the GlobalProtect agent will succeed.

Apple lists the same four changes under both "Changes coming with iOS 11 Security" and "Changes coming with Mac OS High Sierra Security"; they apply to iOS 11, tvOS 11 and macOS High Sierra alike.
jjosephs ‎10-25-2017 01:30 PM
This article shows how to configure DNS proxy for GlobalProtect clients. For information on how to configure GlobalProtect on the firewall, please click here. For the video link, please click here.

Details

DNS proxy is a role in which the firewall is an intermediary between DNS clients and servers; it acts as a DNS server itself by resolving queries from its DNS proxy cache. If the domain name is not found in the DNS proxy cache, the firewall searches for a match to the domain name among the entries in the specific DNS proxy object (on the interface on which the DNS query arrived), and forwards the query to a DNS server based on the match results. If no match is found, the default DNS servers are used.

1. Identify the tunnel interface referred to in the GlobalProtect Gateway configuration (Network > GlobalProtect > Gateways).

2. Navigate to Network > Interfaces > Tunnel and add an IP address to the tunnel interface identified in the preceding step. Note: This IP address can be any IP address of your choosing. Also make sure there are proper routing and security rules in place to allow communication between this IP address and the DNS server.

3. Navigate to Network > GlobalProtect > Gateways. Configure this IP address as the primary DNS server IP for GlobalProtect clients. (Screenshots: 7.0.x; 7.1.x)

4. Navigate to Network > GlobalProtect > Gateways. Configure this IP address in the access route table so that GlobalProtect clients get a route to this IP through the tunnel. (Screenshots: 7.0.x; 7.1.x)

5. Navigate to Network > DNS Proxy. Configure the tunnel interface to act as DNS proxy. Configure the primary and secondary DNS servers to be used. DNS proxy rules can be configured to send DNS queries for internal domains to the internal DNS server. If the domain is not matched, the default DNS servers are used. (There is no change in location in the 7.1 version.)
(Screenshot: 7.0.x)

Note: If a DNS query arrives at the firewall's tunnel interface for, say, paloalto.panvmlab.com, the firewall sends the DNS request to 192.168.243.221. However, if a DNS request arrives for, say, google.com, the domain name does not match the name in the proxy rule, so the firewall sends the DNS request to the default servers 8.8.8.8 or 4.2.2.2.

Similarly, static entries can be created on the firewall so that DNS requests for a given FQDN are answered with a configured static IP address. (Screenshot: 7.0.x)

6. Configure security policy and NAT rules as required for communication with the internal or external DNS servers. The source IP of the DNS requests is the tunnel interface IP address. In this example, the tunnel interface is in the Trust-Wifi zone, the internal DNS server is in the Trust zone and the external DNS server is in the Untrust zone.

Verification

- testing-proxy.com resolved to 1.1.1.1, which is the static entry configured in DNS proxy.
- paloalto.panvmlab.com resolved to an internal IP address using the internal DNS server, since the domain name matched.
- google.com resolved to its IP address using the external primary DNS server, since the domain name did not match.

The following are the sessions created for the internal and external DNS queries. (Screenshot)

Note: To enable DNS Proxy in a multi-vsys environment, please read the instructions for PAN-OS 7.0 here: Configure Virtual Systems
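The lookup order described in this article (static entry, then proxy rule, then default servers), reconstructed as an added Python example with the article's values; it is not PAN-OS code. The proxy cache is left out, and the wildcard semantics of `*.panvmlab.com` and the precedence of static entries over rules are assumptions of this example.

```python
"""Decision logic of a DNS proxy object for the article's example.

Added example (not PAN-OS code): which answer or forwarding target a query
arriving on the tunnel interface gets, given the configured static entries,
domain rules and default servers.
"""
from typing import Dict, List, Tuple

# Constructed configuration mirroring the article's screenshots and
# verification section.
DNS_PROXY: Dict = {
    "default_servers": ["8.8.8.8", "4.2.2.2"],          # primary, secondary
    "rules": [
        {"name": "internal", "domains": ["*.panvmlab.com"],
         "servers": ["192.168.243.221"]},
    ],
    "static_entries": {"testing-proxy.com": ["1.1.1.1"]},
}


def _normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def domain_matches(qname: str, pattern: str) -> bool:
    """Match a query name against a proxy-rule domain.
    Assumption of this example: a '*.' prefix matches the bare domain and
    any subdomain of it; a pattern without a wildcard must match exactly.
    Suffix matching is done on label boundaries, so 'notpanvmlab.com'
    does not match '*.panvmlab.com'."""
    q, p = _normalize(qname), _normalize(pattern)
    if p.startswith("*."):
        suffix = p[2:]
        return q == suffix or q.endswith("." + suffix)
    return q == p


def dns_proxy_decision(qname: str,
                       proxy: Dict = DNS_PROXY) -> Tuple[str, List[str]]:
    """Return ('static', [addresses]) when a static entry answers the query
    locally, otherwise ('forward', [servers]) naming the DNS servers the
    query is sent to (rule servers on a match, default servers otherwise).
    Assumption: static entries are consulted before the domain rules."""
    q = _normalize(qname)
    for fqdn, addresses in proxy["static_entries"].items():
        if _normalize(fqdn) == q:
            return ("static", list(addresses))
    for rule in proxy["rules"]:
        if any(domain_matches(q, d) for d in rule["domains"]):
            return ("forward", list(rule["servers"]))
    return ("forward", list(proxy["default_servers"]))


if __name__ == "__main__":
    # The three names from the article's verification section.
    for name in ("testing-proxy.com", "paloalto.panvmlab.com", "google.com"):
        print(name, "->", dns_proxy_decision(name))
```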
hagarwal ‎06-02-2017 03:33 PM
This document descibes the basics of configuring certificates in GlobalProtect setup. Please note that there can be other ways to deploy certificates for GlobalProtect which are not covered in this document.   A. SSL/TLS service profile -  Specifies Portal/gateway server cert, every portal/gateway needs one. B. Certificate profile(if any) - Used by portal/gateway to request client/machine certificate C. Installing client/machine cert in end client   A. SSL/TLS service profile In the context of GlobalProtect, this profile is used to specify GlobalProtect portal/gateway's "server certificate" and the SSL/TLS "protocol version range". If same interface serves as both portal and gateway, you can use the same SSL/TLS profile for both portal/gateway. If portal/gateway are served through different interfaces, you can use same SSL/TLS profile as long as the certificate includes both portal/gateway IPs/FQDNs in its Subject Alternate Name(SAN), if not, create different profiles for portals and gateways as needed.   The pre-requisite to create SSL/TLS profile is to either generate/import the portal/gateway "server certificate" and its chain To import a certificate generated externally, navigate to Device>Certificate Management>Certificates and click on 'import' at the bottom. To generate a certificate on the firewall, navigate to Device>Certificate Management>Certificates and click on 'generate' at the bottom.   If the server cert is signed by a well-known third-party CA or by an internal PKI server 1. Import the Root CA (private key is optional) 2. Import intermediate CAs if any (private key is optional) 3. Import the server cert signed by the above CAs "with" private key.   IMPORTANT! If subj alt name(SAN) does not exist in this cert: This cert's common name(CN) 'must' match the portal/gateway's IP or FQDN . If SAN exists with atleast one entry, then the IP or FQDN being used for portal/gateway 'must' be one of the entries in that SAN list. 
In this case the CN can be anything; it does not matter, since only the SAN will be used to match the IP/FQDN. The certificate should not be of type CA; it must be of type end-entity. As a good practice, use an FQDN instead of an IP. Keep this consistent across the configuration and also educate the end users to use this FQDN/IP in the GlobalProtect client's portal field. For example, if the portal/gateway can be reached at the FQDN 'vpn.xyz.com' or the IP 1.1.1.1, and the certificate references the FQDN 'vpn.xyz.com', then the users 'must' use 'vpn.xyz.com' instead of '1.1.1.1'.

4. SSL/TLS profile (Location: Device > Certificate Management > SSL/TLS Service Profile)
   - Name - Give any name for this profile
   - Certificate - Reference the server cert from step 3
   - Protocol Settings - Select the minimum and maximum versions of SSL/TLS for the SSL transaction between client and server

5. Reference this SSL/TLS profile in the portal/gateway as needed.

If the server cert needs to be generated on the Palo Alto Networks firewall

1. Generate a root cert with a common name of any unique value (other than the IP or FQDN of the portal/gateway).
   (Location: Device > Certificate Management > Certificates; click Generate at the bottom of the screen)

2. (optional) Generate an intermediate cert signed by the above root cert. Specify its common name as any unique value (other than the IP or FQDN of the portal/gateway).

3. Generate a server cert signed by the above intermediate cert.
   a. This cert's common name 'must' match the portal/gateway's IP or FQDN if a Subject Alternative Name (SAN) does not exist in this cert. On PAN firewalls, a SAN can be created under the optional 'certificate attributes' of type 'hostname', 'IP' or 'email'.
   b. If a SAN exists with at least one entry, then the IP or FQDN being used for the portal/gateway 'must' be present in that SAN list.
   c. Should not be a CA.
   d. As a good practice, use an FQDN instead of an IP. Keep this consistent across the configuration and also educate the end users to use this FQDN/IP in the GlobalProtect client's portal field. For example, if the portal/gateway can be reached at the FQDN 'vpn.xyz.com' or the IP 1.1.1.1, and the certificate references the FQDN 'vpn.xyz.com', the users 'must' use 'vpn.xyz.com' instead of '1.1.1.1'.

4. SSL/TLS profile (Location: Device > Certificate Management > SSL/TLS Service Profile)
   - Name - Give any name for this profile
   - Certificate - Reference the server cert from step 3
   - Protocol Settings - Select the minimum and maximum versions of SSL/TLS for the SSL transaction between client and server

5. Reference this SSL/TLS profile in the portal/gateway as needed.

B. Certificate Profile (Location: Device > Certificate Management > Certificate Profile)

A certificate profile specifies a list of CAs and intermediate CAs. When this certificate profile is applied to the config, the portal/gateway sends a client certificate request to the client, requesting a client/machine cert signed by the CA/intermediate CA specified in the cert profile. It is recommended to place both the root and intermediate CAs in this profile, instead of just the root CA.

IMPORTANT!
- Client certificate refers to a user cert; it can be used for the 'user-logon'/'on-demand' connect methods. It is used to authenticate a user.
- Machine certificate refers to a device cert; it can be used for the 'pre-logon' connect method. It is used to authenticate a device, not a user.

1. Import the "Root CA" that signed the client/machine cert into Device > Certificate Management > Certificates (private key optional).
2. Import the "intermediate CAs", if any, that signed the client/machine cert into Device > Certificate Management > Certificates (private key optional).
3. Go to Device > Certificate Management > Certificate Profile and click Add.
4. Give a name to the profile.
5. Add the root and intermediate CAs from Steps 1 & 2.
6. Note: The Username field is set to 'None' by default. In a typical setup where the username is pulled from LDAP/RADIUS authentication, you can leave this as None. On the other hand, if certificates are the only method of authentication, that is, if you do not have RADIUS/LDAP for portal/gateway authentication, then you must change the Username field from None to 'Subj' or 'Subj Alt' to extract the username from the client certificate's common name or email/principal name. Failing to do this will result in a commit failure.
7. (optional) Check CRL or OCSP if the portal/gateway needs to verify the client/machine cert's revocation status using CRL or OCSP. Use this with caution, as it can result in clients failing to connect if used in conjunction with 'Block session if certificate status is unknown'.
8. Reference this certificate profile in the portal/gateway as needed.

C. Installing the client/machine cert on the end client

When importing a client/machine certificate, import it in PKCS format, which will contain its private key.

Windows
1. Click Start > Run, type mmc to open the Microsoft certificate management console.
2. Go to File > Add/Remove Snap-in.
IMPORTANT!
3. Click Certificates > Add and select one or both of the below:
   a. To add a client (user) certificate, select 'My user Account'. This is used for 'user-logon' and 'on-demand', since it authenticates a user.
   b. To add a machine (device) certificate, select 'Computer Account'. This is used for 'pre-logon', as it authenticates a machine.
4. Import the client/machine certificate into mmc.
   a. If you are importing a client certificate, import it to the 'Personal' folder under 'My user account'.
   b. If you are importing a machine certificate, import it to the 'Personal' folder under 'Computer Account'.
5. Similarly, import the Root CA into 'Trusted Root Certification Authorities' and the intermediate CAs (if any) into 'Intermediate Certification Authorities'.
IMPORTANT!
6. Once imported, double click the imported client/machine certificate to make sure
   a. It has a private key.
   b. Its certificate chain is full up to its root CA. If the chain is missing the root CA or an intermediate CA, import them into their respective folders as explained in Step 5.
7. At this point, the certificates are imported on the client, so you can close the mmc console without saving it.
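The two rules above that most often cause connection failures, the CN-versus-SAN matching for the portal/gateway server certificate and the Username Field requirement in the certificate profile, can be checked before committing. The following is an added example, not Palo Alto Networks code; CertInfo is a constructed summary of a certificate's fields (assumed already extracted with a tool such as openssl), not a parser, and the sample values are made up.

```python
"""Added example, not Palo Alto Networks code: encodes the server-cert matching
rules and the Certificate Profile 'Username Field' behaviour described above.
CertInfo is a constructed summary of a certificate, not a parser."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CertInfo:
    """Fields read off a certificate (assumed already extracted, e.g. with openssl)."""
    common_name: str
    is_ca: bool                                   # basicConstraints CA flag
    san: List[str] = field(default_factory=list)  # hostname/IP SAN entries
    email: Optional[str] = None                   # email / principal name SAN, if any


def server_cert_matches(cert: CertInfo, portal_address: str) -> Tuple[bool, str]:
    """Portal/gateway server-cert rules from the article:
    c. must be an end-entity cert, not a CA;
    b. if the SAN list has at least one entry, the address users type must be in it;
    a. only when there is no SAN is the CN compared against that address."""
    if cert.is_ca:
        return False, "CA certificate; portal/gateway needs an end-entity cert"
    if cert.san:
        if portal_address in cert.san:
            return True, "matched via Subject Alternative Name"
        return False, "SAN present but %r not listed; CN is not consulted" % portal_address
    if cert.common_name == portal_address:
        return True, "matched via Common Name (no SAN in cert)"
    return False, "CN %r does not match %r" % (cert.common_name, portal_address)


def certificate_profile_commits(username_field: str, external_auth: bool) -> bool:
    """Username Field 'None' only commits when LDAP/RADIUS supplies the username;
    with certificate-only authentication it must be 'Subj' or 'Subj Alt'."""
    if username_field == "None":
        return external_auth
    return username_field in ("Subj", "Subj Alt")


def username_from_client_cert(cert: CertInfo, username_field: str) -> Optional[str]:
    """Extract the username the way the profile setting would: CN for 'Subj',
    email/principal name for 'Subj Alt', nothing for 'None'."""
    if username_field == "None":
        return None
    if username_field == "Subj":
        return cert.common_name
    if username_field == "Subj Alt":
        return cert.email
    raise ValueError("unknown Username Field %r" % username_field)


if __name__ == "__main__":
    # Constructed certs: one with a SAN, one CN-only, one wrongly issued as a CA.
    san_cert = CertInfo("anything", False, san=["vpn.xyz.com"])
    cn_cert = CertInfo("vpn.xyz.com", False)
    ca_cert = CertInfo("vpn.xyz.com", True, san=["vpn.xyz.com"])
    for cert in (san_cert, cn_cert, ca_cert):
        for addr in ("vpn.xyz.com", "1.1.1.1"):
            print(addr, server_cert_matches(cert, addr))
    print("cert-only auth, Username Field None commits:",
          certificate_profile_commits("None", external_auth=False))
```

The SAN branch deliberately ignores the CN: a certificate whose CN matches the portal FQDN but whose SAN lists only another name still fails, which is the case users hit when they type the IP instead of the FQDN the certificate was issued for.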
dreputi 02-13-2017 11:46 AM
Active Directory (AD) policies sometimes require users to change passwords, but enterprises usually do not expose AD infrastructure over the internet, so remote users may be unable to update their AD passwords. Learn how to use alternative methods and enable remote users to change Active Directory passwords over a GlobalProtect tunnel.
srajasekar 01-27-2017 06:06 AM
Issue
GlobalProtect must be set up on a firewall with an internal IP address sitting behind an edge Internet device.

Resolution
Topology: Internal Network > PAN (192.168.10.2/24) > (192.168.10.1/24) Internet Router (2.2.2.2/24) --- (2.2.2.1/24) ISP

Setup instructions:
In the above setup, the Edge Internet Router (2.2.2.2) is performing NAT to the PAN's untrust interface (192.168.10.1). This could also be accomplished via DynDNS in some home/small office environments, where the Internet Router is assigned a dynamic IP address from the ISP but via DynDNS always resolves to the latest dynamic public address received by the Internet router. For example, homexyz.dyndns.com resolves to 2.2.2.2, or to the latest dynamic public address received by the Internet router.

In such an implementation, the GlobalProtect Portal and GlobalProtect Gateway would be set up on the PAN untrust interface with IP address 192.168.10.2, as shown in the screenshots below. However, the Client Configuration section under the Portal needs to have the public IP addresses/FQDNs of the edge device, as illustrated in the screenshot below. This list of gateways gets pushed to the PC, which will try to tunnel and connect to them.

owner: achitwadg
panagent 04-28-2016 02:51 PM
Overview
This document explains how to configure a HIP check for missing Microsoft patches.
Note: GlobalProtect Client version 1.2.7 / 2.2.1 was used for the screenshots below.

Steps
Configure Patch Management Criteria in the HIP object:
Go to Object > GlobalProtect > HIP Objects
Click "Add new HIP Object"
Go to Patch Management > Criteria
Is Installed: This checkbox should always be turned on. This option is not used to check whether a patch is installed.
Check: This setting is only applied to the patches listed in the box below. For example, if the "has-none" check criteria is selected, the HIP object will match when there is a HIP report that has none of the patches listed in the Patches box.
Patches: To check Microsoft KB patches, add the number(s) here. This can be left blank. Set "has-any" for the check, so the HIP object will match if there are any missing patches.

Configure Patch Management Vendor in the HIP object:
Go to Object > GlobalProtect > HIP Objects
Add new HIP Object
Go to Patch Management > Vendor

Configure the HIP profile:
Go to Object > GlobalProtect > HIP Profiles
Click Add
Configure the HIP profile by clicking the "Add Match Criteria" button.

Configure the Security Policy and assign the HIP profile:
Go to Policies > Security
Click Add
Go to User > HIP Profiles
Select the configured HIP profile.

Optionally: Configure HIP Notification
Go to Network > GlobalProtect > Gateways > HIP Notification
Click Add
Select the HIP profile and configure the Match Message and Not Match Message tabs as required.

On the GlobalProtect Client, view the host state information from the Host State tab. On the GlobalProtect client, the missing patch information does not appear immediately after a fresh installation. The missing patch information will appear after one or two hours.

Troubleshooting on the Client Device
Check the HIP notification (View > HIP notification) for "Match Message" or "Not Match Message".
When the configuration is modified on the Palo Alto Networks device, try disabling and enabling GlobalProtect (File > Disable, then File > Enable) for verification.

Troubleshooting on the Palo Alto Networks Device
The following CLI commands show the HIP information for a particular client (Note: ip address: the private IP assigned by the GlobalProtect Gateway):
> debug user-id dump hip-profile-database
> debug user-id dump hip-report ip <ip address> user <user name> computer <computer name>

For example:
> show global-protect-gateway current-user
Tunnel Name : gateway-sv-N
Domain-User Name : xxxxx
Computer : xxxxxx
Client : xxxxx
VPN Type : Device Level VPN
Mobile ID :
Private IP : 172.23.60.7 <=== This ip address
Public IP : 201.247.44.57

The following CLI commands show debug logs:
> debug user-id set hip all
> debug user-id on debug
> tail follow yes mp-log useridd.log

View the traffic logs and check the entries for rules configured with the HIP profile.

owner: ymiyashita
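The "Check" semantics above, in particular what "has-any" and "has-none" do when the Patches box is left blank, are easy to get backwards when building the object. The following added example (not Palo Alto Networks code, and not the real HIP report format) models that evaluation against a constructed report; the behaviour of "has-none" with an empty Patches box is the example's own reading and should be confirmed on the firewall.

```python
"""Added example, not Palo Alto Networks code: models how the Patch Management
'Check' criteria of a HIP object are evaluated against a HIP report.
The report is a constructed summary; real HIP reports carry far more."""
from typing import Dict, Iterable, Set

# Constructed HIP report excerpt: KB numbers the endpoint's patch vendor reports as missing.
SAMPLE_REPORT: Dict[str, Set[str]] = {"missing-patches": {"KB3000061", "KB3003743"}}


def hip_patch_match(report: Dict[str, Set[str]], check: str, patches: Iterable[str]) -> bool:
    """Return True when the HIP object matches the report.

    'has-any'  - the report is missing at least one of the listed patches;
                 with an empty Patches box it matches on any missing patch at all
                 (the blanket object the article configures).
    'has-none' - the report is missing none of the listed patches;
                 with an empty Patches box it matches only a host with nothing
                 missing (example's assumption, verify on the device).
    """
    missing = set(report.get("missing-patches", ()))
    wanted = set(patches)
    if check == "has-any":
        return bool(missing & wanted) if wanted else bool(missing)
    if check == "has-none":
        return not (missing & wanted) if wanted else not missing
    raise ValueError("unknown check %r" % check)


def hip_notification(matched: bool) -> str:
    """Which HIP Notification tab the gateway would present for this result."""
    return "Match Message" if matched else "Not Match Message"


if __name__ == "__main__":
    fully_patched = {"missing-patches": set()}
    for check, patches in (("has-any", []), ("has-any", ["KB3000061"]),
                           ("has-none", ["KB9999999"]), ("has-none", ["KB3000061"])):
        for name, rep in (("sample", SAMPLE_REPORT), ("patched", fully_patched)):
            m = hip_patch_match(rep, check, patches)
            print(name, check, patches, "->", hip_notification(m))
```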
ymiyashita 04-13-2016 03:53 PM
Details
GlobalProtect Satellite simplifies the deployment of traditional hub and spoke VPNs, enabling you to quickly deploy enterprise networks with several branch offices with a minimum amount of configuration required on the remote satellite devices. This solution uses certificates for device authentication and IPSec to secure data.

The setup includes configuring the portal, gateway, and satellite as follows:
Note: This config uses the same interface for both portal and gateway and is tested on devices running 7.0.X. Remember the configuration differences between earlier versions.

Certificate Requirements:
Generate a Root CA Certificate on the Portal (self signed) and a Server Certificate, used as the Portal and Gateway certificate, signed by the above Root CA.
Note: Make sure the Server Certificate's CN (Common Name) in the GlobalProtect Gateway configuration matches the IP address or FQDN of the IP address configuration in the GlobalProtect Gateway Configuration (to be configured later). Otherwise, the error "certificate common name does not match the configured hostname on the satellite" is generated.
Export the Root CA (CACert) in PEM format, without the private key, and import it to the satellite device (Device > Certificate Management > Certificates > Import). This certificate on the Satellite is used to validate the Portal/Gateway Certificate against the CACert.

GlobalProtect Portal Configuration:
Configure a portal (Network > GlobalProtect > Portals > Add) and add the interface that will act as Portal/Gateway.
Note: Notice that the Authentication Profile is just added to avoid commit errors. It is not used if the serial number is being used to enroll the satellite. This profile will serve for username/password based authentication for satellites which are not enrolled using a serial number. In the above case, an authentication profile has been created which is using local users for username/password based authentication.
Configure the satellite by adding the gateways and priorities. By adding the serial number of the satellite, the portal bypasses the authentication profile configured above and instead uses the serial number to validate the satellite.
Note: Notice that the serial number is not added in the above Satellite configuration. You can add the Satellite device's serial number if serial number based enrollment is required. Also notice the Trusted Root CA cert and Issuing Certificate which have been added in the configuration. The Issuing Certificate will be used by the Portal to sign the Certificate Signing Request generated by the Satellite on connection.
Configure the Portal as an OCSP Responder (Device > Certificate Management > OCSP Responder) to provide certificate revocation for GlobalProtect satellites. Also allow the OCSP service under the management profile bound to the Portal interface. The OCSP responder setting is not required if an external CA is being used.

Gateway Configuration:
Configure the gateway (Network > GlobalProtect > Gateways > Add), with the proper interface and the certificate profile, which will be used to authenticate the satellite to the gateway.
Note: It is mandatory to have a certificate profile or the commit fails. An Authentication Profile is not mandatory.
Bind a tunnel interface to this Satellite and configure the Network Settings for the IP Pool and the Access Routes.
Note: The IP pool will be used to assign an IP to the tunnel interface on the Satellite. The Access Route will be installed in the routing table of the Satellite so that traffic from the network behind the Satellite is routed properly over the tunnel to the Gateway. The gateway can accept all/selective routes advertised by the satellite by checking the "Accept published Routes" check box under Satellite Configuration > Route Filter.
Commit the config for Portal and Gateway.

Satellite Configuration:
Create a new IPSec tunnel config and select the type as GlobalProtect Satellite.
Add the tunnel interface, portal config, and the interface that can reach the portal address.
To have the satellite advertise the routes to the gateway, check "Publish all static and connected routes to Gateway" to advertise all the static and connected routes, or only selected routes by adding the subnets. In the snapshot below the Satellite is configured to advertise the network 20.1.1.0/24 only to the Gateway. Remember to commit the changes on the satellite.

Testing the Connectivity
On the satellite, click Gateway Info, which will provide an option to enter credentials to authenticate to the portal, if the serial number was not used to enroll the Satellite. The snapshot below highlights the status, the IP assigned to the tunnel interface and the access route. Verify this information on the gateway.

owner: sdarapuneni
zarina 04-12-2016 06:00 PM
This document walks you through the steps when users try to set up GlobalProtect on a firewall that is not the edge device. Also, we are assuming that you are not performing NAT on the firewall.

The public IP address of the edge router in this case is 67.133.166.12
The outside interface on the firewall in this case is 10.66.24.53

To set up GlobalProtect, follow these steps:
1. Port-forward any traffic that comes to the public IP of the edge router (67.133.166.12) to the outside interface IP address on the Palo Alto Networks firewall (10.66.24.53).
2. On the firewall, create a GlobalProtect server certificate. Make the CN the public IP address of the edge router (67.133.166.12). Configure the certificate CN with the public IP of the router because that is the IP address which users connect to, and there should not be a certificate CN mismatch.
3. Configure the GlobalProtect Portal on the outside interface on the Palo Alto Networks firewall, but in the client configuration, where you specify the External/Internal Gateways, the GW should be the public IP address of the edge router (67.133.166.12). You need to configure the gateway in the client config as the public IP address of the edge router (67.133.166.12) because the Portal pushes this config to the client and the client, in return, tries to connect to the gateway specified in this setting. If the GW specified here is the firewall address (10.66.24.53), the client will not know where the 10.66.24.53 address is and it will be stuck in the connecting state.
4. The Gateway config on the firewall is like any other normal scenario in this case.

You should now be connected to GlobalProtect.
achalla 11-30-2015 05:29 PM
Issue
How and when does the GlobalProtect client get a new configuration?

Resolution
The GlobalProtect client configuration is refreshed when:
- The GlobalProtect client is launched when logging into the system.
- The network is rediscovered from the GlobalProtect icon in the task tray.
- The GlobalProtect client refreshes the cached portal configuration every 24 hours.
- The GlobalProtect client updates to a newer version and retrieves the portal configuration after the update.

owner: yogihara
panagent 09-22-2015 05:34 PM
Issue
The disable option in the GlobalProtect client is greyed out because the client cannot be disabled.

Resolution
The disable option will be greyed out/not available if the on-demand option is checked in the portal configuration on the firewall. In on-demand mode, the user has the ability to connect and disconnect whenever required, so the client is automatically disabled by clicking on disconnect.

Make sure to check the option single sign-on to use the option "disable". Refer to the screenshot below.

owner: mvenkatesan
mvenkatesan 09-10-2015 08:24 AM
Steps
To customize the GlobalProtect Welcome Page:
1. Import the new HTML welcome page into the following location: Device > Response Pages > GlobalProtect Portal Welcome Page
2. Go to Network > Portals > Client Configuration (Inside Portal) > Agent > Welcome Page
3. Select the drop-down option in the Welcome Page tab and select the newly imported file
4. Commit for the changes to take effect

See Also
Using A Modified GlobalProtect Portal Login Response Page

owner: nnayak2
nnayak2 09-08-2015 06:19 AM
Details
For this scenario, the IP address 192.168.200.1/24 is configured on ethernet1/4 and the user wants to run GlobalProtect on the IP address 192.168.200.2.

Steps
There are two options to achieve this:
1. Configure the IP address 192.168.200.2 on the interface itself as 192.168.200.2/32. Then select this IP address in the GlobalProtect configuration after selecting interface ethernet1/4.
2. Terminate GlobalProtect on the loopback interface and create a NAT policy to perform a destination NAT from 192.168.200.2 to the loopback IP address. See the following link for more information on creating a NAT policy: How to create NAT and Security Policies from the CLI

See Also
Fundamentals Guide: Security Policies
How to Create a NAT Rule on the CLI

owner: csharma
bat 09-07-2015 04:23 AM
Details
In order to mass deploy the GlobalProtect Client with a Microsoft Group Policy Object (GPO), define the GPO to push the installation of the GlobalProtect Client using GlobalProtect.msi. The GlobalProtect.msi installer can be downloaded from the Palo Alto Networks Customer Support Portal under Software Updates.

After the GlobalProtect Client has been installed on the endpoint devices, another GPO is required to push the registry entry for the GlobalProtect Portal FQDN or IP address. This information is required by the GlobalProtect Clients to retrieve GlobalProtect configurations.

Configure the GPO to assign the "Portal" String Value under HKEY_LOCAL_MACHINE\Software\Palo Alto Networks\GlobalProtect\PanSetup with the GlobalProtect Portal hostname (or IP address). The following example shows the Portal String Value set to gp.paloaltonetworks.com.

owner: gcapuno
gcapuno 09-02-2015 06:40 PM
Overview
This document describes the steps to configure a security policy to block brute force attacks on the GlobalProtect Portal page.

Steps
1. Create a vulnerability profile. Go to Object > Security Profiles > Vulnerability Protection. Click the "Edit" icon under the Threat Name column to open the Edit Time Attribute dialog. Adjust the number of instances detected from the child signature that is being triggered and adjust the time window to trigger the defined action. The child signature "Palo Alto Networks Firewall VPN Login Authentication Attempt" with ID 32256 looks for "x-private-pan-sslvpn: auth-failed" in the HTTP response header. The default is 10 hits within a 60-second time window. The screenshot below shows an example of a configured vulnerability profile. When creating the profile, search for the vulnerability ID 40017 in the search bar and check the enable box. Set the action to block-ip. With this option a block time can be configured and tracked by IP source or by source and destination.
2. Create a security policy to apply this profile. While creating the security policy, add the IP address of the portal under Destination Address and select the vulnerability profile created in step 1 above.

Follow these steps to test if it is working. This is how the GlobalProtect Portal page appears when users try to authenticate for the first time: Log into the portal using random user names and passwords. The firewall processes incorrect login attempts for the first 9 times. The following screenshot shows the GlobalProtect Portal page during the 9 unsuccessful attempts. After the 9th unsuccessful attempt, the user will not be authenticated even with the correct credentials. The GlobalProtect Portal appears as follows after the 9th unsuccessful attempt. Brute Force Authentication Attempt is identified as the vulnerability threat. This can be seen in the threat logs: go to Monitor > Logs > Threat.

If the block-ip action was configured, check the block list on the CLI with the command:
> debug dataplane show dos block-table
New sessions are set to DISCARD with a tracker stage firewall "mitigation block ip" and end-reason "threat". Global counters show drop counts under the name "flow_dos_drop_ip_blocked", with the description "Packets dropped: Flagged for blocking and under block duration by other modules".

owner: schaganti
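To make the Time Attribute behaviour concrete, here is an added example (not Palo Alto Networks code) that models it on the defender's side: a sliding-window counter of "auth-failed" portal responses per source, with the article's default of 10 hits in 60 seconds and a block-ip action that also rejects a subsequent correct login for the block duration. The response headers and source addresses are constructed sample data, and the block duration value is an assumption for the example, not a firewall default.

```python
"""Added example, not Palo Alto Networks code: a sliding-window counter that
models the Time Attribute on the 'Palo Alto Networks Firewall VPN Login
Authentication Attempt' signature. N auth-failed responses from one source
within W seconds triggers block-ip for a configured duration."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional

# The header value the child signature looks for in the portal's HTTP response.
AUTH_FAILED_NAME, AUTH_FAILED_VALUE = "x-private-pan-sslvpn", "auth-failed"


def is_auth_failed(response_headers: List[str]) -> bool:
    """True if any header line is the auth-failed marker (case-insensitive)."""
    for line in response_headers:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == AUTH_FAILED_NAME and value.strip().lower() == AUTH_FAILED_VALUE:
            return True
    return False


class BruteForceTracker:
    def __init__(self, threshold: int = 10, window: int = 60, block_duration: int = 300):
        self.threshold = threshold          # Time Attribute: number of hits
        self.window = window                # Time Attribute: seconds
        self.block_duration = block_duration  # block-ip duration (assumed value)
        self.hits: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked_until: Dict[str, float] = {}

    def is_blocked(self, src_ip: str, now: float) -> bool:
        until = self.blocked_until.get(src_ip)
        if until is None:
            return False
        if now >= until:                    # block expired, drop from block table
            del self.blocked_until[src_ip]
            return False
        return True

    def observe(self, src_ip: str, response_headers: List[str], now: float) -> Optional[str]:
        """Feed one portal HTTP response seen from src_ip at time now.
        Returns 'blocked' if the source is already on the block table (the
        response is discarded even if it was a successful login), 'block-ip'
        when this hit crosses the threshold, 'counted' for a counted failure,
        or None when the response is not an auth failure."""
        if self.is_blocked(src_ip, now):
            return "blocked"
        if not is_auth_failed(response_headers):
            return None
        q = self.hits[src_ip]
        q.append(now)
        while q and now - q[0] > self.window:  # slide the window forward
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked_until[src_ip] = now + self.block_duration
            q.clear()
            return "block-ip"
        return "counted"


def simulate() -> List[Optional[str]]:
    """Constructed scenario: ten failures in ten seconds from one source, then a
    correct login from the same source, then a source spacing failures 30 s apart."""
    failed = ["HTTP/1.1 200 OK", "X-Private-PAN-SSLVPN: auth-failed"]
    ok = ["HTTP/1.1 200 OK"]
    tracker = BruteForceTracker()
    verdicts = [tracker.observe("203.0.113.5", failed, float(t)) for t in range(10)]
    verdicts.append(tracker.observe("203.0.113.5", ok, 10.0))
    verdicts += [tracker.observe("198.51.100.7", failed, t * 30.0) for t in range(10)]
    return verdicts


if __name__ == "__main__":
    for i, v in enumerate(simulate()):
        print(i, v)
```

The counter is reset when the block fires, so the same source is only counted again once its block expires; spreading attempts 30 seconds apart never accumulates 10 hits inside a 60 second window, which is why the Time Attribute window matters as much as the hit count.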
schaganti 09-01-2015 04:24 AM