Global Protect.2pptx
To configure GlobalProtect VPN you need a valid root CA certificate. You can generate the certificate on the Palo Alto firewall, or use a certificate signed by any CA.
To generate a self-signed certificate, go to Device >> Certificate Management >> Certificates >> Device Certificates >> Generate.
Select the Trusted Root CA checkbox.
Certificate Management
The firewall and Panorama use an SSL/TLS service profile to specify a certificate and the allowed protocol versions for SSL/TLS services.
Here the firewall uses SSL/TLS for the GlobalProtect portal and gateway services.
We define the protocol versions in the profile to restrict the cipher suites available when a client requests these services. (A cipher suite is the set of algorithms and protocols used to secure communications between clients and servers.)
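The effect of the protocol-version restriction in the profile can be seen with a local TLS handshake. The Python script below is an added example, not part of the deck or of any Palo Alto software. It assumes the `openssl` command-line tool is installed to generate a throwaway self-signed certificate (standing in for the certificate generated under Device >> Certificate Management), and it models the service profile with Python's `ssl` module: a server context whose minimum version is TLS 1.2 is offered a handshake by a client capped at TLS 1.1 and by one capped at TLS 1.2.

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading
import warnings


def make_self_signed_cert(directory):
    """Generate a throwaway self-signed certificate with the openssl CLI
    (assumed to be installed). The CN is a constructed lab name."""
    key = os.path.join(directory, "key.pem")
    crt = os.path.join(directory, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "2",
         "-keyout", key, "-out", crt, "-subj", "/CN=gp-portal.lab.example"],
        check=True, capture_output=True,
    )
    return crt, key


def service_profile(certfile, keyfile, min_version):
    """Model of an SSL/TLS service profile: a certificate plus the lowest
    protocol version the portal/gateway service will negotiate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    ctx.minimum_version = min_version
    return ctx


def handshake(server_ctx, trust_anchor, client_max_version):
    """Run one TLS handshake over loopback against a client that offers at most
    client_max_version. Returns the negotiated protocol version, or None when
    the profile (or the client's own policy) refuses the connection."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    port = listener.getsockname()[1]

    def serve():
        try:
            conn, _ = listener.accept()
        except OSError:
            return
        try:
            # The handshake runs inside wrap_socket; a version mismatch raises here.
            server_ctx.wrap_socket(conn, server_side=True).close()
        except OSError:
            conn.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    client = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client.load_verify_locations(trust_anchor)  # like trusting the firewall's root CA
    client.check_hostname = False               # we connect to a loopback address, not the CN
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # TLS 1.1 is deprecated, which is the point
        client.maximum_version = client_max_version          # simulate a legacy client
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with client.wrap_socket(raw) as tls:
                return tls.version()
    except OSError:  # ssl.SSLError is a subclass of OSError
        return None
    finally:
        worker.join()
        listener.close()


def run_demo():
    """Profile pinned to TLS 1.2 and above versus clients capped at TLS 1.1 and TLS 1.2."""
    with tempfile.TemporaryDirectory() as tmp:
        crt, key = make_self_signed_cert(tmp)
        hardened = service_profile(crt, key, ssl.TLSVersion.TLSv1_2)
        return {
            "tls1_1_client": handshake(hardened, crt, ssl.TLSVersion.TLSv1_1),
            "tls1_2_client": handshake(hardened, crt, ssl.TLSVersion.TLSv1_2),
        }


if __name__ == "__main__":
    print(run_demo())  # {'tls1_1_client': None, 'tls1_2_client': 'TLSv1.2'}
```

The TLS 1.1 client is refused before any application data is exchanged, while the TLS 1.2 client completes the handshake. The same kind of check, a client that caps the version it offers, is how you confirm after commit that the portal and gateway really reject legacy clients rather than only trusting the profile as displayed.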
Local User Database
USERS
You can set up a local database on the firewall to store authentication information for firewall administrators, Authentication Portal end users, and end users who authenticate to a GlobalProtect portal and GlobalProtect gateway.
Go to Device >> Local User Database >> Users >> Add.
The user 'shuja' will then be able to log in to the GP portal/gateway; the account is stored and managed in the firewall's local database.
Note: GlobalProtect VPN requires authentication during the VPN connection process. If you are running LDAP in your environment, you can integrate GlobalProtect VPN with your LDAP server.
Authentication Profile
For GlobalProtect VPN user
Here we need to create a 'local database' authentication profile for GlobalProtect VPN users.
To create a new authentication profile, go to Device >> Authentication Profile >> Add and follow the process below.
Note: We can also create profiles for other services, including RADIUS, TACACS, LDAP, Kerberos and SAML.
We leave User Domain blank and select %USERINPUT% as the Username Identifier, because we are going to authenticate the username against the local database.
Under Advanced, add the users to the Allow List.
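How the pieces of the authentication profile fit together (the local database lookup, the User Domain and Username Identifier handling, and the Allow List as a second gate after the password check) can be shown with a small simulation. The Python below is an added example, not the firewall's own logic and not part of the deck: the user database, the passwords and the extra `guest` account are constructed for the lab, the three username modifier forms are the ones a PAN-OS authentication profile offers, and the profile `new auth pro` is mirrored as a dictionary.

```python
import hashlib
import hmac
import os

# Username modifier forms offered by a PAN-OS authentication profile; the deck uses %USERINPUT%.
USERINPUT = "%USERINPUT%"
USERINPUT_AT_DOMAIN = "%USERINPUT%@%USERDOMAIN%"
DOMAIN_BACKSLASH_USERINPUT = "%USERDOMAIN%\\%USERINPUT%"
ITERATIONS = 200_000


def add_local_user(db, username, password):
    """Store a salted PBKDF2 hash, never the clear-text password
    (constructed stand-in for the firewall's local user database)."""
    salt = os.urandom(16)
    db[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS))


def build_login_name(typed, user_domain, modifier):
    """Apply the profile's User Domain and username modifier to what the user typed."""
    if modifier == USERINPUT or not user_domain:
        return typed                      # username exactly as entered
    if modifier == USERINPUT_AT_DOMAIN:
        return f"{typed}@{user_domain}"
    if modifier == DOMAIN_BACKSLASH_USERINPUT:
        return f"{user_domain}\\{typed}"
    raise ValueError(f"unknown modifier {modifier!r}")


def authenticate(db, profile, typed_username, password):
    """Return (success, reason). Credentials are verified first; the Allow List
    is a second gate, so a valid local account outside it is still refused."""
    login = build_login_name(typed_username, profile["user_domain"], profile["modifier"])
    # Unknown users get a dummy salt so the response does not reveal which names exist.
    salt, expected = db.get(login, (b"\x00" * 16, None))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    if expected is None or not hmac.compare_digest(candidate, expected):
        return False, "bad credentials"
    allow = profile["allow_list"]
    if "all" not in allow and login not in allow:
        return False, "not in allow list"
    return True, "ok"


# Constructed lab data: 'shuja' is the local user from the deck; 'guest' is an extra
# local account deliberately left out of the profile's Allow List.
LOCAL_DB = {}
add_local_user(LOCAL_DB, "shuja", "S3cret-lab-pw")
add_local_user(LOCAL_DB, "guest", "guest-pw")

GP_AUTH_PROFILE = {           # mirrors 'new auth pro' in the deck
    "type": "Local Database",
    "user_domain": "",        # left blank
    "modifier": USERINPUT,    # %USERINPUT%
    "allow_list": {"shuja"},  # Advanced > Allow List
}

if __name__ == "__main__":
    for user, pw in [("shuja", "S3cret-lab-pw"), ("shuja", "wrong"), ("guest", "guest-pw")]:
        print(user, authenticate(LOCAL_DB, GP_AUTH_PROFILE, user, pw))
```

The `guest` case is the one to notice: a correct password against a real local account still fails because the profile's Allow List, not the database, decides who may use this profile. Leaving the Allow List at `all` removes that gate.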
ZONE and TUNNEL Interface
For GlobalProtect VPN Traffic
In GlobalProtect VPN, you need to create a zone for the tunnel interface so that you have granular control over the GlobalProtect traffic.
Points to Remember
➔ To set up a VPN tunnel, the Layer 3 interface at each end must have a logical tunnel interface for the firewall to connect to and establish a VPN tunnel.
➔ A tunnel interface is a logical (virtual) interface that is used to deliver traffic between two endpoints.
➔ The tunnel interface must belong to a security zone to apply policy, and it must be assigned to a virtual router in order to use the existing routing infrastructure.
➔ Ensure that the tunnel interface and the physical interface are assigned to the same virtual router so that the firewall can perform a route lookup and determine the appropriate tunnel to use.
➔ If you create a separate zone for the tunnel interface, say a VPN zone, you will need to create security policies to enable traffic to flow between the VPN zone and the trust zone.
In Network > Interfaces > Tunnel, click Add Tunnel Interface. Here we create interface tunnel 10, assign it to the default virtual router and add it to the VPN security zone.
For IP address assignment, we added an IP address because we want to enable tunnel monitoring. Here we use the 10.3.3.0/24 subnet for the logical VPN zone, and the IP address of this tunnel interface is 10.3.3.10/24.
Note: A tunnel interface does not require an IP address to route traffic between the sites.
GlobalProtect
PORTAL Configuration
The GlobalProtect portal provides the management functions for your GlobalProtect infrastructure.
Every endpoint that participates in the GlobalProtect network receives configuration information from the portal, including information about available gateways and any client certificates that may be required to connect to the gateways.
In addition, the portal controls the behavior and distribution of the GlobalProtect app software to both macOS and Windows endpoints.
Go to GlobalProtect >> Portals >> Add. On the General tab, provide a name for the GlobalProtect portal configuration, e.g. GP_Portal (as per your choice).
Below that, in Network Settings, select the interface on which you want to accept requests from GlobalProtect clients, i.e. interface ethernet1/1 (the firewall's outside/untrust interface in our lab), and the IP address 192.168.1.250/24.
On the Authentication tab, select the SSL/TLS service profile: the SSL profile we created earlier.
In Client Authentication, click Add. Give the client authentication the name GP_Auth and select the operating systems on which you want to run GlobalProtect. Also select the authentication profile (new auth pro) created earlier.
Now, access the Agent tab, and select the Trusted Root CA (created earlier).
Click on Add Agent and provide a user-friendly name for the agent.
On the User/User Group tab, select the OS and the user/user group you have in your environment.
Go to the App tab and select the Connect Method: On-demand (manual user-initiated connections).
GlobalProtect
Gateway - Configuration
After the GlobalProtect portal configuration, we need to configure the gateway for GlobalProtect VPN.
Go to Network >> GlobalProtect >> Gateways and click Add. Name the gateway PA FW (as per your choice) and, in Network Settings, define the interface on which you want to accept requests from GlobalProtect (the firewall's outside/untrust interface in our lab).
On the Authentication tab, select the SSL/TLS service profile (already created) and click Add to add a client authentication profile. Here you need to select a Name (GP Client Auth, in our case), the OS, and the Authentication Profile (new auth pro, in our case). There is one option below that needs attention before committing: select 'Yes' for Allow Authentication with user credentials OR Certificate.
On the Agent tab, enable Tunnel Mode, select the tunnel interface created earlier and uncheck Enable IPSec, as we are configuring remote user access only rather than site-to-site.
On the Client Settings tab, click Add and just give it a name (GP Agent in our case).
Now open IP Pools and assign an IP subnet or IP range (10.3.3.1-10.3.3.100), which is used to assign an IP address to the client once it successfully passes GP authentication.
On the Split Tunnel tab, include all networks you want to give remote clients access to. Here we have given access to the INSIDE network, which is 10.1.1.0/24.
Here, in Agent > Client Settings > Network Services, we can add a DNS server, but for now in this lab we leave it blank.
Here, in Agent > Network Services, we can add the primary DNS 8.8.8.8 and click OK.
Policies
Security Rule
If you created a new zone for the GlobalProtect tunnel interface, then you must define security policies to allow the traffic from the tunnel interface.
In this lab we have defined the VPN security zone for tunnel traffic; therefore we need to define a rule.
To create a security policy, go to Policies >> Security and click Add (the rule is defined in the next slides).
Reference:
https://www.gns3network.com/how-to-configure-globalprotect-vpn-on-palo-alto-firewall/
Go to Security Policy Rule > General and assign the name of our policy rule as shown below: VPN Connection
Next, move to the Destination tab and select the Destination Zones: DMZ & INSIDE.
Set Destination Address and Destination Device to Any.
In the next slides, set Application to Any, Service/URL Category to Application Default & Any, and the Action to Allow.
Testing/Troubleshooting
WIN 10 Remote User
Log in to the portal https://192.168.1.250/ from the Windows 10 remote machine with the local user we created in the Palo Alto firewall's local database.
After a successful login, we can see the latest agent versions, which we need to download and install on the system to connect to the VPN gateway.
Here you type the portal address to connect and get secure access to your applications and the internet.
Enter the appropriate username and password to connect to the portal through the agent and select the best available gateway for secure VPN access.
Now we are connected to the best available VPN gateway.