GlobalProtect: Initial Set Up


In my blog, "GlobalProtect: Overview," I provided a synopsis of the GlobalProtect series and overall objectives, including a description of each article in this series. I would recommend starting there prior to moving forward.


In this post, I will cover the initial setup of GlobalProtect, which includes a portal, external gateway, and user authentication via local database. You can see a diagram of the environment here.


Part I - Initial Setup


  • Navigate to Device > GlobalProtect Client, then download and activate the latest version (5.0.8 was the TAC-preferred version at the time of this blog post)
  • Navigate to Network > Network Profiles > Interface Mgmt > Add and create a management profile to apply to the tunnel interface to which remote users will connect
    • Enable Response Pages
      • NOTE: Response Pages are not required here, but the feature will be used in a subsequent article. Leave the administrative services (HTTPS, SSH, Telnet) unchecked: this profile is bound to an interface that every remote user can reach, so it should expose nothing beyond what the tunnel needs.
    • Click OK

[Screenshot: Interface Management Profile - Response Pages]

  • Navigate to Network > Zones > Add and create a new Layer 3 security zone for your GlobalProtect users
    • Provide a name (e.g., gp)
    • Set Type to Layer3
    • Check the Enable User Identification box
    • Click OK

[Screenshot: Zone - Enable User Identification]

  • Navigate to Network > Interfaces > Tunnel > Add and create a new tunnel interface
    • Assign the interface a number (e.g., 1)
    • Assign the interface to the appropriate Virtual Router
    • Assign the interface to the appropriate Security Zone

[Screenshot: Tunnel Interface - Config]

  • Navigate to the IPv4 tab and, optionally, assign the tunnel interface an address from the subnet reserved for your mobile users
    • NOTE: Use a subnet that is not in use anywhere else, neither internally nor on the home and office networks remote users sit behind. An IP address on this interface is not a requirement; remote users receive their addresses from the gateway IP pool configured later.

[Screenshot: Tunnel Interface - IPv4]

  • Navigate to the Advanced tab and apply the Management Profile created for the tunnel interface above 
  • Click OK

[Screenshot: Tunnel Interface - Advanced]

  • Navigate to Device > Certificate Management > Certificates > Generate and create a trusted root certificate
    • NOTE: In this series of posts, we will be using self-signed certificates. Third-party (publicly trusted) certificates are recommended in a production environment, but self-signed certificates work as well; the trade-off is that every client must be made to trust the private root CA, which is handled later through the portal's Trusted Root CA list.
    • Enter a Certificate Name
    • Enter a Common Name (this post uses the management IP of the firewall; for a CA any descriptive name works)
    • Check the Certificate Authority box
    • Enter information in other fields if desired (optional)
    • Click Generate

[Screenshot: Generate Certificate - Local Certificate Authority]

  • Select the certificate you just created, and check the Trusted Root CA box
  • Click OK

[Screenshot: Certificate Information - Trusted Root CA]

  • Navigate to Device > Certificate Management > Certificates > Generate and create a certificate for GlobalProtect
    • Enter a Certificate Name
    • Enter the IP address or the DNS name of the interface to which remote users will connect for Common Name
      • NOTE: In this series of posts, we will be using the public IP address for the common name (represented by the placeholder 1.1.1.1). A DNS name is recommended in a production environment, but an IP address will work as well. Whichever you use, also add it under Certificate Attributes as an IP or Host Name entry so that it lands in the Subject Alternative Name: current browsers ignore the Common Name, and remote users reach the portal with a browser first.
    • Select the root certificate previously created under "Signed By"
    • Enter information in other fields if desired (optional)
    • Click Generate

[Screenshot: Generate Certificate - Cryptographic Settings]

  • Navigate to Device > Certificate Management > SSL/TLS Service Profile > Add
    • Enter a Name
    • Select the Certificate previously created
    • Click OK

[Screenshot: SSL/TLS Service Profile]
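The certificate selected in this profile is what the portal and gateway hand to remote users, so it is worth checking which name it actually carries. The following Python is an added example, not code from the post or from Palo Alto Networks: it applies the rule browsers use (Subject Alternative Name first, Common Name only as a legacy fallback) to certificates in the dict form that Python's ssl module returns from getpeercert(). The two sample certificates are constructed here; the root CA name gp-root-ca and the DNS name vpn.example.com are assumptions, and check_live_portal() needs network access plus the root CA exported from the firewall as a PEM file.

```python
"""Added example (not from the post): does the portal/gateway certificate name
the address remote users connect to? Certificates are in the dict shape that
ssl.SSLSocket.getpeercert() returns; the two samples below are constructed."""
import ipaddress
import socket
import ssl

# Constructed: the post's procedure with only the Common Name filled in (1.1.1.1 is the post's placeholder)
CN_ONLY_CERT = {
    "subject": ((("commonName", "1.1.1.1"),),),
    "issuer": ((("commonName", "gp-root-ca"),),),   # assumed name for the local root CA
}
# Constructed: the same certificate with the address also present as Subject Alternative Names
SAN_CERT = {
    "subject": ((("commonName", "1.1.1.1"),),),
    "issuer": ((("commonName", "gp-root-ca"),),),
    "subjectAltName": (("IP Address", "1.1.1.1"), ("DNS", "vpn.example.com")),  # vpn.example.com is assumed
}


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: case-insensitive; a wildcard may only replace the whole left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def _ip_match(value: str, wanted) -> bool:
    """Compare an IP string from the certificate with the parsed address the client used."""
    try:
        return ipaddress.ip_address(value) == wanted
    except ValueError:
        return False


def cert_names_address(cert: dict, address: str) -> tuple:
    """Return (ok, reason). When a SAN is present only the SAN is consulted, which is how
    browsers behave (Chrome 58+ and Safari on iOS 13+/macOS 10.15+ ignore the CN); the CN
    is consulted only as a legacy fallback when the certificate has no SAN at all."""
    try:
        wanted_ip = ipaddress.ip_address(address)
    except ValueError:
        wanted_ip = None                      # the client used a DNS name
    san = cert.get("subjectAltName", ())
    if san:
        for kind, value in san:
            if kind == "IP Address" and wanted_ip is not None and _ip_match(value, wanted_ip):
                return True, f"SAN IP Address {value} matches {address}"
            if kind == "DNS" and wanted_ip is None and _dns_match(value, address):
                return True, f"SAN DNS {value} matches {address}"
        return False, f"{address} is not in the SAN {san}; browsers will warn or refuse"
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key != "commonName":
                continue
            matched = _ip_match(value, wanted_ip) if wanted_ip is not None else _dns_match(value, address)
            if matched:
                return True, f"CN {value} matches {address}, but there is no SAN: add one"
            return False, f"CN {value} does not match {address}"
    return False, "certificate carries neither a SAN nor a CN"


def check_live_portal(address: str, root_ca_pem_path: str, port: int = 443) -> tuple:
    """Connect to a deployed portal/gateway, require the chain to validate against the
    root CA exported from the firewall, then run cert_names_address() on what was served.
    Needs network access, so it is not exercised by the offline samples."""
    ctx = ssl.create_default_context(cafile=root_ca_pem_path)
    ctx.check_hostname = False          # done explicitly below so the reason can be reported
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((address, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=address) as tls:
            return cert_names_address(tls.getpeercert(), address)


if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY_CERT), ("CN + SAN", SAN_CERT)):
        print(f"{label:8} {cert_names_address(cert, '1.1.1.1')}")
```

Run it as-is to see the offline verdicts for the two sample certificates; point check_live_portal() at your own portal address and the exported root CA once the configuration below is committed.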

  • Navigate to Device > Local User Database > Users > Add
    • Enter a Name and Password
    • Click OK

[Screenshot: Local User Database]

  • Navigate to Device > Authentication Profile > Add
    • Enter a Name
    • Select Local Database for Type

[Screenshot: Authentication Profile]

  • In the Advanced tab, under Allow List click Add
    • Select all (this permits every account in the local database to authenticate; narrow it to a specific group once directory-based authentication is in place)
    • Click OK

[Screenshot: Authentication Profile - Advanced Tab]

  • Navigate to Network > GlobalProtect > Gateway > Add
    • In the General tab
      • Enter a Name
      • Select the interface to which remote users will connect
      • Select the IPv4 Address of the interface
        • NOTE: If your interface is assigned an IP address via DHCP, then you will not have an option to select an IPv4 Address. Just leave this field set to None.

[Screenshot: GlobalProtect Gateway Configuration]

  • In the Authentication tab
    • Select the SSL/TLS Service Profile previously created
    • Under Client Authentication click Add
      • Enter a Name
      • Select the Authentication Profile previously created
      • Click OK

[Screenshot: GlobalProtect Gateway Configuration - Authentication Profile]

  • In the Agent tab
    • In the Tunnel Settings tab
      • Enable Tunnel Mode
      • Select the Tunnel Interface previously created

[Screenshot: GlobalProtect Gateway Configuration - Tunnel Settings Tab]

  • In the Client Settings tab
    • Click Add
    • In the Config Selection Criteria tab, enter a Name

[Screenshot: Configs - Config Selection Criteria]

  • In the IP Pools tab
    • Add an IP Pool

[Screenshot: Configs - IP Pools]
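Both the tunnel interface subnet chosen earlier and the IP pool added here have to be unique: not in use behind the firewall and, ideally, not one of the LAN ranges remote users sit behind at home, since a client with the same prefix on its local adapter and on the tunnel has two competing routes. The following Python is an added example, not code from the post or from Palo Alto Networks, that checks a planned tunnel address and pool list against such an inventory. The inventory lists are constructed placeholders; substitute your own. It accepts both forms the IP Pool field takes, a CIDR and a first-last range.

```python
"""Added example (not from the post): sanity-check the tunnel interface subnet and the
gateway IP pools against networks they must not overlap. Inventories are constructed."""
import ipaddress

# Constructed: subnets already routed behind the firewall ...
INTERNAL_NETWORKS = ["10.10.0.0/16", "192.168.1.0/24", "172.16.50.0/24"]
# ... and LAN ranges remote users commonly sit behind (home routers, hotels).
COMMON_REMOTE_LANS = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24"]


def to_networks(spec: str) -> list:
    """Accept what the GlobalProtect IP Pool field accepts: a CIDR (10.99.0.0/24) or a
    range (10.99.0.10-10.99.0.250). An interface address such as 10.99.0.1/24 is reduced
    to its subnet. Ranges become the minimal list of covering networks."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_interface(spec).network]


def overlapping(spec: str, networks) -> list:
    """Return every entry of `networks` (CIDR strings) that overlaps `spec`."""
    cands = to_networks(spec)
    return [n for n in networks if any(ipaddress.ip_network(n).overlaps(c) for c in cands)]


def check_gp_addressing(tunnel_if: str, ip_pools, internal=INTERNAL_NETWORKS,
                        remote_lans=COMMON_REMOTE_LANS) -> list:
    """Return a list of findings; an empty list means the addressing plan is clean."""
    findings = []
    items = [("tunnel interface", tunnel_if)] + [("IP pool", p) for p in ip_pools]
    for label, spec in items:
        hits = overlapping(spec, internal)
        if hits:
            findings.append(f"{label} {spec} overlaps internal network(s) {hits}")
        hits = overlapping(spec, remote_lans)
        if hits:
            findings.append(f"{label} {spec} overlaps common remote LAN(s) {hits}")
    # Pools within one gateway (or across client configs) must not overlap each other either,
    # otherwise two clients can be handed the same address.
    pools = list(ip_pools)
    for i, a in enumerate(pools):
        for b in pools[i + 1:]:
            if any(x.overlaps(y) for x in to_networks(a) for y in to_networks(b)):
                findings.append(f"IP pools {a} and {b} overlap")
    return findings


if __name__ == "__main__":
    # Constructed plans: a clean one and one that collides with a typical home LAN
    for plan in (("10.99.0.1/24", ["10.99.0.10-10.99.0.250"]),
                 ("192.168.1.1/24", ["192.168.1.100-192.168.1.200"])):
        print(plan, check_gp_addressing(*plan) or "OK")
```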

  • In the Split Tunnel tab
    • Add an access route to the Include section (0.0.0.0/0 sends all client traffic through the tunnel)
      • NOTE: In this series of posts we will be routing all traffic through the tunnel. Tunneling all traffic is recommended in a production environment so that remote users get the same inspection and policy as users on site.
    • Click OK

[Screenshot: Configs - Split Tunnel]

  • In the Network Services tab
    • Enter values for Primary DNS and Secondary DNS
    • Click OK

[Screenshot: GlobalProtect Gateway Configuration - Network Services]

  • Navigate to Network > GlobalProtect > Portal > Add
    • In the General tab
      • Enter a Name
      • Select the Interface to which remote users will connect
      • Select the IP Address of the interface

[Screenshot: GlobalProtect Portal Configuration - General]

  • In the Authentication tab
    • Select the SSL/TLS Service Profile previously created 

[Screenshot: GlobalProtect Portal Configuration - Authentication]

  • Under Client Authentication click Add
    • Enter a Name
    • Select the Authentication Profile previously created
    • Click OK

[Screenshot: Client Authentication - Portal Authentication]

  • In the Agent tab
    • Click Add under Configs
      • In the Authentication tab
        • Enter a Name

[Screenshot: Configs - Authentication Tab]

  • In the Internal tab
    • Enable Internal Host Detection IPv4
    • Enter the IP Address of a resource that is always reachable internally
    • Enter the Hostname that this IP address resolves to
      • NOTE: Internal Host Detection performs a reverse (PTR) lookup of the IP address and treats the device as being on the internal network only when the answer matches the configured hostname; the app then does not connect to the external gateway. Because the check trusts whatever the client's current resolver answers, it only decides whether a tunnel is attempted; it is not an access control. See this post for additional details if you do not have an internal DNS server.

[Screenshot: Configs - Internal Tab]
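To make the detection logic concrete, here is an added Python example, not code from the post or from the GlobalProtect app, that reproduces the decision the app makes with the resolver injected so the cases run offline. The IP address 10.10.0.5, the hostname dc01.corp.example and the three resolver behaviours are constructed; the third one (a resolver on an untrusted network that replays the expected PTR) shows why the result steers gateway selection but must not be relied on as a security boundary.

```python
"""Added example (not from the post): the Internal Host Detection decision with an
injectable resolver. Addresses, hostnames and resolver behaviours are constructed."""
import socket
from typing import Callable, Optional

INTERNAL_HOST_IP = "10.10.0.5"             # "IP Address" field in the Internal tab (constructed)
INTERNAL_HOST_NAME = "dc01.corp.example"    # "Hostname" field in the Internal tab (constructed)

Resolver = Callable[[str], Optional[str]]   # ip -> PTR name, or None when the lookup fails


def system_reverse_lookup(ip: str) -> Optional[str]:
    """Real PTR lookup through whatever resolver the client currently has (what the app does)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def is_on_internal_network(resolver: Resolver = system_reverse_lookup,
                           ip: str = INTERNAL_HOST_IP,
                           hostname: str = INTERNAL_HOST_NAME) -> bool:
    """Internal only when the PTR for `ip` equals `hostname` (case-insensitive, trailing
    dot ignored). Any failure counts as external, the safe default: the worst outcome is
    a tunnel that was not strictly needed."""
    answer = resolver(ip)
    if answer is None:
        return False
    return answer.rstrip(".").lower() == hostname.rstrip(".").lower()


def connect_decision(resolver: Resolver) -> str:
    """What the app does next with the result."""
    if is_on_internal_network(resolver):
        return "internal: do not connect to the external gateway"
    return "external: connect to the external gateway"


# Constructed resolver behaviours
def corporate_dns(ip: str) -> Optional[str]:
    """Office network: the internal DNS server holds the PTR record."""
    return "DC01.corp.example." if ip == INTERNAL_HOST_IP else None


def coffee_shop_dns(ip: str) -> Optional[str]:
    """Public network: no PTR for private address space, lookup fails."""
    return None


def hostile_dns(ip: str) -> Optional[str]:
    """Untrusted network whose resolver answers with the expected name on purpose:
    the app will believe it is internal and skip the tunnel, which is why this check
    is a convenience for gateway selection and not a security control."""
    return "dc01.corp.example"


if __name__ == "__main__":
    for name, resolver in (("corporate", corporate_dns), ("coffee shop", coffee_shop_dns),
                           ("hostile", hostile_dns)):
        print(f"{name:12} -> {connect_decision(resolver)}")
```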

  • In the External tab
    • Add an External Gateway 
      • Enter a Name
      • Enter the Address to which remote users will connect

[Screenshot: Configs - External Tab]

  • In the App tab
    • Change the Connect Method to On-demand
    • Click OK
      • NOTE: In subsequent posts, we will be setting the Connect Method to User-Logon (Always On), as that is the recommended best practice

[Screenshot: Configs - App Tab]

  • Back in the Agent tab, click Add under Trusted Root CA
    • Add the Root CA
    • Check the Install in Local Root Certificate Store box
      • NOTE: Selecting this option transparently installs the trusted root CA on the client so that we can test SSL Forward Proxy decryption in the future. It is not required for GlobalProtect to function. Keep in mind that a root CA trusted by every endpoint can sign a certificate for any site, so protect the firewall that holds its private key accordingly.
    • Click OK

[Screenshot: GlobalProtect Portal Configuration - Agent Tab]

  • Navigate to Policies > NAT and add the gp zone you created previously to your source NAT rule so that users in the gp zone can get out to the Internet

[Screenshot: Policies - NAT - Add GP Zone]

  • Navigate to Policies > Security and add security policy rules so that users in the gp zone can access internal as well as public resources. Scope them to the applications and destinations remote users actually need rather than any/any: the gp zone is reachable from anywhere on the Internet by whoever holds a valid credential.

[Screenshot: Policies - Security - Add Security Policy]

  • Navigate to Policies > Security and add a security policy rule that allows remote users to reach the GlobalProtect portal and gateway. Traffic to the firewall's own address stays within the zone of the public-facing interface, so source and destination zone are both that zone; set the destination to the interface address and the applications to panos-global-protect (the app), plus ssl and web-browsing for the portal login page.

[Screenshot: Policies - Security - Add Security Policy for Remote Users]

  • Commit the configuration 

You should now be able to log into the portal, download and install the GlobalProtect App, and test connectivity.

In my next post, "GlobalProtect: Expanded Setup," we will make changes to the configuration to include different forms of authentication and add an internal gateway.

Comments

Great explanation!