In my previous article, "GlobalProtect: Initial Setup," we covered the initial setup of GlobalProtect, which included a portal, external gateway, and user authentication via local database.
In this post, we are going to configure multiple external authentication types as well as add an internal gateway. You can see a diagram of the environment here.
Internal Gateways & External Authentication
The value of adding an internal gateway is that when users are on the local network, user-to-IP address mappings are supplied to the firewall along with device context. This data can then be used as security policy match conditions, allowing for much more granular, identity-based visibility and enforcement.
External authentication types are recommended for a production environment. In this case, we are going to configure the deployment to leverage LDAP authentication for the portal, MFA via RADIUS (AD credentials and Duo) for the external gateway, and LDAP authentication for the internal gateway. This will provide the best possible user experience for users when they are internal, while also enforcing additional factors of authentication when users are remote.
NOTE: This article assumes that you have already followed the initial setup, which is the previous article in this series. It also assumes that you already have a domain controller in your environment (I am running Windows Server 2012 R2) with the Duo Authentication Proxy installed and running. For details on Duo integration, see this post.
Part II - Expanded Setup
Navigate to Device > Server Profiles > LDAP > Add to create an LDAP Server Profile
NOTE: Best practices dictate that a dedicated service account be used for integrating your domain controller with Palo Alto Networks
LDAP Server Profile
Navigate to Device > Server Profiles > RADIUS > Add to create a RADIUS Server Profile
NOTE: Per my note above, this post assumes that you already have Duo Authentication Proxy installed and running on your domain controller
RADIUS Server Profile
Navigate to Device > User-ID > Group Mapping Settings > Add to create a Group Mapping
For Server Profile, select the LDAP profile that was previously created
Enter the domain name under User Domain
Group Mapping - Server Profile tab
Navigate to the Group Include List and add the group where your users are stored
NOTE: If you are unable to expand the available groups, this typically means that your credentials in the LDAP Server Profile are incorrect
Navigate to Device > Authentication Profile > Add
For Server Profile, select the LDAP profile that was previously created
Enter sAMAccountName for the Login Attribute
Enter your domain for the User Domain
Authentication Profile - LDAP type
Navigate to the Advanced tab and select the user group that was previously added to the Group Include List, which was part of the Group Mapping you previously created
Navigate to Device > Authentication Profile > Add
For Server Profile, select the RADIUS profile that was previously created
Enter your domain name for the User Domain
Authentication Profile - RADIUS Type
Navigate to the Advanced tab and select the user group that was previously added to the Group Include List, which was part of the Group Mapping you previously created
Navigate to Network > GlobalProtect > Gateways > select the existing external gateway > Authentication > select the client authentication > change the Authentication Profile to the RADIUS profile that was previously created
GlobalProtect Gateway Configuration - Home External Authentication
Navigate to Network > GlobalProtect > Gateways > Add to create an internal gateway
Select the Interface and IPv4 Address that correspond to the trust interface
Navigate to the Authentication tab
Select the SSL/TLS Service Profile that was created in the previous post
Create a new Client Authentication profile and select the LDAP Authentication Profile previously created
GlobalProtect Gateway Configuration - Home Internal Authentication
Navigate to Network > GlobalProtect > Portals > select the existing portal > Agent > select the existing portal config > Internal > Internal Gateways > Add to create an Internal Gateway
The IPv4 entry should correspond to the IP address assigned to the trust interface
Internal Gateway - Home Internal Gateway
Navigate to the App tab, and set the Connect Method to User-logon (Always On)
NOTE: Internal Gateway authentication will fail if the Connect Method is set to On-demand
NOTE: Although you already created a GlobalProtect certificate in the previous post, you will now create a new one that both the external and internal gateways can reference. The previous certificate's common name refers to the IP address of the portal and external gateway; because the IP address of the internal gateway is not referenced in it, authentication to the internal gateway will fail.
NOTE: Keep in mind that you can also leave the current certificate in place and just create a new one for the internal gateway (essentially, having two), but for the purposes of this post, we will be creating a single certificate to be used for everything.
Enter a Certificate Name
Enter the IP address or the DNS name of the interface to which remote users will connect for Common Name
NOTE: In this series of posts, we will be using the public IP address for the common name (represented by 126.96.36.199). It is recommended to use a DNS name in a production environment, but IP addresses will work as well.
Select the root CA that was previously created for Signed By
Enter the IP address of the trust interface that corresponds to the internal gateway under Certificate Attributes
GlobalProtect Generate Certificate
Navigate to Device > Certificate Management > SSL/TLS Service Profile > select the existing profile that was created previously and change the Certificate value from the old certificate to the new one that was just created
SSL/TLS Service Profile
Navigate to Policy > NAT > Add
NOTE: A NAT rule must be created so that the internal users can reach and authenticate to the portal from the internal network
In the General tab, enter a Name
In the Original Packet tab, set the Source Zone to trust, Destination Zone to untrust, and the Destination Address to the untrust IP address (the IP address to which the GlobalProtect Portal is assigned)
In the Translated Packet tab, leave everything set to None
Creating a new NAT rule
Commit the configuration
You should now be able to authenticate both internally and externally via the GlobalProtect app and access resources. It is important to note that authentication failures to an internal gateway are notoriously quiet. In other words, it will look as though you are connected even when you are not. You can validate connectivity by issuing the 'show user ip-user-mapping all type GP' command. If there is no mapping present, then it means that the app was unable to connect and authenticate to the internal gateway.
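Because a failed internal gateway login produces no visible error on the client, a quick way to catch it is to parse the output of the `show user ip-user-mapping all type GP` command and compare it against the internal clients you expect to see. The script below is an added example (not from the original post or from Palo Alto Networks); the sample CLI output is constructed to follow the usual PAN-OS column layout, and the list of expected client IPs is assumed to come from your own inventory or DHCP leases.

```python
import re
from typing import Dict, List

# Constructed sample of `show user ip-user-mapping all type GP` output.
# Not captured from a real firewall; it mimics the PAN-OS CLI layout of a
# header row, a dashed separator, one row per mapping and a "Total:" line.
SAMPLE_OUTPUT = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.168.10.25   vsys1  GP      example\\alice                   2700           2700
192.168.10.40   vsys1  GP      example\\bob                     2700           2700
Total: 2 users
"""

# One mapping row: IPv4 address, vsys, source (GP, AD, XMLAPI, ...), user.
ROW_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<vsys>\S+)\s+(?P<src>\S+)\s+(?P<user>\S+)"
)


def parse_gp_mappings(cli_output: str) -> Dict[str, str]:
    """Return {client_ip: user} for every row whose mapping source is GP.

    Header, separator and summary lines do not start with an IPv4 address,
    so they are skipped by the regex.
    """
    mappings: Dict[str, str] = {}
    for line in cli_output.splitlines():
        match = ROW_RE.match(line)
        if match and match.group("src") == "GP":
            mappings[match.group("ip")] = match.group("user")
    return mappings


def unmapped_clients(cli_output: str, expected_ips: List[str]) -> List[str]:
    """IPs of internal GlobalProtect clients with no GP mapping on the firewall.

    Each IP returned is a client that looks connected on the endpoint but
    never authenticated to the internal gateway (the silent failure mode).
    """
    present = parse_gp_mappings(cli_output)
    return [ip for ip in expected_ips if ip not in present]


if __name__ == "__main__":
    # Assumed list of internal clients that should be on the internal gateway.
    expected = ["192.168.10.25", "192.168.10.40", "192.168.10.77"]
    for ip in unmapped_clients(SAMPLE_OUTPUT, expected):
        print(f"no GP mapping for {ip}: internal gateway authentication likely failed")
```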
In my next article, "GlobalProtect: User/Device Context & Compliance," we will make changes to the configuration to include security policy matching based on user identity and device context via the GlobalProtect app. We will also enable notifications based on compliance of the endpoint.