Given the current state of things, many technical professionals are scrambling to safely enable remote access to internal resources and the Internet for their end users. As a result, I thought I would share my GlobalProtect series of articles with the community, as this is an extremely viable option for Palo Alto Networks customers that need a robust remote access solution.
GlobalProtect is a very flexible Palo Alto Networks core capability that allows remote users to access local and/or Internet resources while still being protected from known and unknown threats. This feature provides policy consistency regardless of end user location, and eliminates the need for managing additional point products in your environment. If you are looking for something highly scalable and do not wish to leverage on-premise hardware/software/licensing, Prisma Access is a great option, as it is just as robust from a capabilities standpoint, but is a SaaS service that leverages the scale of public cloud to accommodate a 100% remote workforce.
The goal of this series is to provide Palo Alto Networks users with a walk through for setting up a basic configuration that is applicable to both traditional GlobalProtect and Prisma Access for Mobile Users deployments. This can also be something that you can reference prior to kicking off a PoC or implementation to better understand the general implementation flow. Each post in the series builds upon the previous one. Here are the details:
GlobalProtect Part I- A basic initial setup with a portal, external gateway, and local DB authentication.
GlobalProtect Part II- An expanded setup to include various forms of authentication (LDAP, RADIUS, Duo), as well as an internal gateway.
GlobalProtect Part III- A further expanded setup to include user-based and HIP-based policy, as well as HIP notifications.
GlobalProtect Part IV- A further expanded setup to include authentication policy with MFA for HTTP and non-HTTP access to sensitive resources.
GlobalProtect Part V- A further expanded setup to include pre-logon authentication using machine certificates.
If you are unfamiliar with GlobalProtect terminology, see this link. Additional details regarding GlobalProtect administration can be found in the official Palo Alto Networks documentation.