GlobalProtect setup frustration


Hello -

Originally, I was going to set up GP with RSA MFA using this document: "RSA SECURID® ACCESS Implementation Guide Palo Alto Networks Next Gen Firewall 8.0"

It is written by RSA and is woefully lacking in detail, and after seven hours on the phone with Palo support I decided to abandon that idea for now.

At this point I'd just like to get GP working in any capacity, but I can't seem to find any documentation that speaks to what I need.  I understand that everyone's circumstances are different and documentation would be tough to write for every unique situation.  That's why I'm hoping someone is willing to get out the coloring book and crayons to help walk me through this.

I'd like to have an external-only VPN (just about every Google search comes up with either internal-only or internal/external combo setups). Portal and gateway on the same device.

I'm fairly certain that my main issue is with step one, the configuration of the interface.  I'm trying to follow this: https://docs.paloaltonetworks.com/globalprotect/8-0/globalprotect-admin/get-started/create-interface... but clearly not having much luck.

Ethernet interface set up like this:

Interface   Type   Mgt Profile   IP Address        VR    Security Zone
eth1/1      L3     Allow-ping    Routable.10/24    vr1   Outside

I have another routable .20/32 for GP.

What's the best way to get started?  Remember, coloring book and crayons.  You're not going to offend me.

I have not used the process option, but I would assume it would be the name of any process you have running locally (or not). Have you tried it?

@Mick_Ball Hey!  Yes, I've tried C:\windows\AppName\Name.exe as well as just Name.exe - no dice.

@Shawverr,

Just to verify, you do actually have a GlobalProtect subscription correct? 

@BPry Yup!

I figured it out.  Just in case anyone else needs it, you have to set up a Custom Check in three places: the HIP object, the Portal and the Gateway.

  1. Create the HIP Object
     - Objects > GlobalProtect > HIP Objects > Add > Custom Checks > ProcessName.exe
  2. Create Portal Config
     - Network > GlobalProtect > (click on your portal name) > Agent Tab > (open your agent config) > HIP Data Collection Tab > Custom Checks > Process List > Add > ProcessName.exe
  3. Gateway
     - Network > GlobalProtect > (click on your Gateway name) > Agent Tab > HIP Notification Tab

Nice one @Shawverr .....

Next!

@Mick_Ball LOL!!  Thanks.  Next is trying to get RSA Authenticate to work.  Basically, after I enter my username and password on the client, I want a push notification to come to my phone, I click the "approve" and then I get into the VPN. 

Ok, good luck. I do have a working config for RSA fobs, but that's just a RADIUS config. I will watch out for further woes.... laters....

I actually got it to work. I thought about what you said @Mick_Ball and opted to give that (RADIUS) a go, but from the RSA Cloud Administration Console (CAC).

In case anyone ever comes across this post:

Here is how you configure the CAC for RADIUS:

https://community.rsa.com/docs/DOC-75847

From there, just follow the usual Palo RADIUS addition.

What this gives you is shown from 0:20 through 1:15 of this video: https://www.youtube.com/watch?v=765nH8if-9Q

Big thank you to Sean Martin from Palo Tech Support.  He scheduled a call with me every day for like a week and a half until we worked through all the issues.
