09-17-2019 11:42 AM
Hello -
Originally, I was going to set up GP with RSA MFA using this document: "RSA SECURID® ACCESS Implementation Guide Palo Alto Networks Next Gen Firewall 8.0"
It is written by RSA and is woefully lacking in detail and after seven hours on the phone with Palo support I decided to abandon that idea for now.
At this point I'd just like to get GP working in any capacity, but I can't seem to find any documentation that speaks to what I need. I understand that everyone's circumstances are different and documentation would be tough to write for every unique situation. That's why I'm hoping someone is willing to get out the coloring book and crayons to help walk me through this.
I'd like to have an external only VPN (just about every Google search comes up with either Internal only or internal/external combo setups). Portal and gateway on same device.
I'm fairly certain that my main issue is with step one, the configuration of the Interface. I'm trying to follow this: https://docs.paloaltonetworks.com/globalprotect/8-0/globalprotect-admin/get-started/create-interface... but clearly not having much luck.
Ethernet Internet setup like this:

| Interface | Type | Mgt Profile | IP Address | VR | Security Zone |
|---|---|---|---|---|---|
| eth1/1 | L3 | Allow-ping | Routable.10/24 | vr1 | Outside |

I have another routable.20/32 for GP.
What's the best way to get started? Remember, coloring book and crayons. You're not going to offend me.
09-25-2019 10:00 AM
I have not used the process option, but I would assume it would be the name of any process you have running locally (or not). Have you tried it?
09-25-2019 10:18 AM
@Mick_Ball Hey! Yes, I've tried C:\windows\AppName\Name.exe as well as just Name.exe - no dice.
09-25-2019 10:19 AM
Just to verify, you do actually have a GlobalProtect subscription correct?
09-25-2019 11:14 AM
I figured it out. Just in case anyone else needs it, you have to set up a Custom Check in three places: the HIP object, the Portal and the Gateway.
09-25-2019 11:23 AM
@Mick_Ball LOL!! Thanks. Next is trying to get RSA Authenticate to work. Basically, after I enter my username and password on the client, I want a push notification to come to my phone, I click the "approve" and then I get into the VPN.
09-25-2019 11:29 AM
Ok, good luck. I do have a working config for RSA fobs, but that's just a RADIUS config. I will watch out for further woes.... laters....
09-27-2019 12:57 PM
I actually got it to work, I thought about what you said @Mick_Ball and opted to give that (Radius) a go, but from the RSA Cloud Administration Console (CAC).
In case anyone ever comes across this post:
Here is how you configure the CAC for Radius:
https://community.rsa.com/docs/DOC-75847
From there, just follow the usual Palo Radius addition.
What this gives you is from :20 through minute 1:15 of this video: https://www.youtube.com/watch?v=765nH8if-9Q
Big thank you to Sean Martin from Palo Tech Support. He scheduled a call with me every day for like a week and a half until we worked through all the issues.