I have just started my journey into the PA world and have spent several days configuring GlobalProtect features.
I successfully configured the portal as an internal point of connection for the GlobalProtect client.
The idea is to provide User-ID information to the firewall without a VPN connection.
As a result my GP client tells me that "you are connected to internal network", but on the PA device I don't see user<->IP information. User-ID based rules don't work; no information from "show user ip-user-mapping all".
1. Are there any additional steps required to enable User-ID features? I enabled it only at the security zone level.
2. Would it be possible to have one portal but two gateways (ext, int) for internal (User-ID provisioning only) and external (SSL VPN) deployments? Or are two portals, external / internal, required?
Thanks in advance!
That's correct. Say, for example, I'm using interface ethernet1/2 for the internal gateway and you have that assigned to the default 'trust' zone; you'll need to ensure that you have User-ID enabled for the zone.
So I believe you're looking for how to authenticate logged-in users whether they're outside or inside. I've spent 2 days on how to do it; the documentation does not describe it clearly. You need to have 2 gateways for this, one external and one internal. The internal gateway can be your firewall's inside interface IP address. The main trick is here:
This IP must be resolvable to the internal hostname you specified in the portal config in both directions: direct (forward) internal DNS resolution, and also reverse DNS resolution.
In my example I have the inside L3 interface with the IP 192.168.1.1. In my internal DNS there is an A record pa-int.ovel.ru pointing to this IP, and ALSO there is a reverse zone arpa.1.168.192 that resolves .1 to pa-int.ovel.ru.
The gateway config is here:
And then the portal config is here:
And after that your GlobalProtect should be able to get your user authenticated straight away.
And yes, it's very important: all this works in "Always-On" mode only!!! At least in my case.
Hope this helps.
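The forward-and-reverse DNS requirement in the post above is easy to get half right (an A record but no PTR, or a PTR that points at a different name), so here is a small checker for it. This is an added example, not code from Ovel's post or from Palo Alto Networks; it reuses the hostname and IP from the post, and the zone table it runs against offline is constructed for illustration. The live path uses Python's standard `socket` resolver, so it can be pointed at a real internal DNS from a domain-joined host.

```python
"""Forward/reverse DNS consistency check for a GlobalProtect internal gateway.

Added example (not from the original thread). Given the gateway hostname
used in the portal config and the IP of the firewall's inside interface,
verify that:
  1. the hostname resolves (A record) to that IP, and
  2. the IP resolves back (PTR record) to exactly that hostname.
Both must hold for the internal host detection the post describes.
"""
import socket
from typing import Callable, Dict, List, Optional

ForwardLookup = Callable[[str], List[str]]
ReverseLookup = Callable[[str], Optional[str]]


def live_forward(hostname: str) -> List[str]:
    """All IPv4 addresses the system resolver returns for hostname ([] if none)."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except socket.gaierror:
        return []


def live_reverse(ip: str) -> Optional[str]:
    """Canonical name the system resolver returns for ip (None if no PTR)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_gateway_dns(hostname: str, ip: str,
                      forward: ForwardLookup = live_forward,
                      reverse: ReverseLookup = live_reverse) -> Dict[str, object]:
    """Return a report dict; 'ok' is True only when both directions agree."""
    problems: List[str] = []

    addrs = forward(hostname)
    if not addrs:
        problems.append(f"no A record for {hostname}")
    elif ip not in addrs:
        problems.append(f"{hostname} resolves to {addrs}, not {ip}")
    elif len(addrs) > 1:
        # Multiple A records: the client may pick one that is not the gateway.
        problems.append(f"{hostname} has multiple A records {addrs}")

    ptr = reverse(ip)
    if ptr is None:
        problems.append(f"no PTR record for {ip}")
    elif ptr.rstrip(".").lower() != hostname.rstrip(".").lower():
        problems.append(f"PTR for {ip} is {ptr!r}, expected {hostname!r}")

    return {"hostname": hostname, "ip": ip, "forward": addrs,
            "reverse": ptr, "ok": not problems, "problems": problems}


# Constructed zone data standing in for the post's lab (assumed values, not real DNS).
# pa-int has both A and PTR; pa-ext (hypothetical) deliberately lacks a PTR.
FAKE_A = {"pa-int.ovel.ru": ["192.168.1.1"], "pa-ext.ovel.ru": ["203.0.113.10"]}
FAKE_PTR = {"192.168.1.1": "pa-int.ovel.ru"}


def fake_forward(hostname: str) -> List[str]:
    return FAKE_A.get(hostname.lower(), [])


def fake_reverse(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


if __name__ == "__main__":
    for host, addr in [("pa-int.ovel.ru", "192.168.1.1"),
                       ("pa-ext.ovel.ru", "203.0.113.10")]:
        report = check_gateway_dns(host, addr, fake_forward, fake_reverse)
        print("OK  " if report["ok"] else "FAIL", host, addr, report["problems"])
```

Run it with the default resolver arguments from a client on the inside network to check the real zone; the `problems` list tells you which direction is missing rather than just reporting a failure.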
Ovel, hi!
Appreciate your detailed instruction.
I started from a very simple scenario, just an internal portal without gateway detection.
As I said, GP shows that "you are in internal corporate network", but under the Connection tab I don't see "YES" as you marked in red.
I have User-ID enabled on all zones since my device is in lab mode at this moment.
Only two reasons which I see right now:
1. Certificate issues, because I have self-signed, and some errors under the GP client logs.
2. User-ID matching problem, because under Monitor -> GlobalProtect -> Source User it shows as domain\username. Might that be the problem?
Under Monitor -> User-ID I don't see anything.
The certificate is not so important at this stage; I also have a self-signed one, but it's better if your GP client installs the firewall Root CA on the host PCs if you plan to use SSL Decryption. You don't need to enable User-ID on the outside zone. The outside zone is not supposed to identify users; it's the gateway's role on that side. What is important though is that your internal users have to be able to reach your external gateway IP from inside. In my understanding, when the GP client is trying to authenticate the user, it goes to the external gateway, authenticates it over there as per your auth profile, and only AFTER that it checks whether the user is internal or not.
My issue was resolved after some GP client analysis from my side.
The misconception was that I used the IP (instead of the FQDN) in the configuration of the connection between Portal and Gateway. As a result GP authenticates well on the portal but returns log warnings for the gateway because I have WC certificates. As soon as I moved the config to an FQDN-based approach it works well.
Appreciate everyone's assistance!