How to configure GlobalProtect VPN on Palo Alto Firewall

In this article, We’ll configure GlobalProtect VPN in Palo Alto Firewall. We will cover all basic to advanced configuration of GlobalProtect VPN. The public IP address on the Palo Alto firewall must be reachable from the client PC so that the client can connect to GlobalProtect VPN. However, they not need any static IP configuration. You can download GlobalProtect VPN from the Palo Alto support portal. Let’s start configuring the GlobalProtect VPN.

how-to-configure-globalprotect-vpn-on-palo-alto

A scenario for GlobalProtect VPN

In this article, we will use a Public IP address (i.e. 101.1.1.2) which is assigned on the Palo Alto Firewall interface. Clients need to connect their GlobalProtect to this public IP address. A client on the Branch site can access corporate resources using the GlobalProtect VPN.

palo-alto-globalprotect-vpn-configuration

Steps need to configure GlobalProtect VPN

I am starting the configuration with basic steps. You can skip any step if you have already knowledge related to a particular step.

Generating a Self Sign Certificate

In order to configure the GlobalProtect VPN, you must need a valid root CA certificate. So, you can generate your own certificate on Palo Alto firewall or you can use any certificate which is signed by any of the CA authority. To generate a self-sign certificate, Go to Device >> Certificate Management >> Certificates >> Device Certificates >> Generate. Now, just fill the Certificate filed as per the reference Image. Make sure you put your Public IP address on the Common Name field.

how-to-generate-self-sign-certificate-in-pa

trusted-root-certificate-in-pa

Creating an SSL/TLS Service Profile

Now, you need to create an SSL/TLS profile that is used for portal configuration. So, Go to Device >> Certificate Management >> SSL/TLS Service Profile >> Add. Select the certificate you just created and the minimum and maximum version of TLS.

ssl-tls-profile-in-pa

Creating Local Users for GP VPN

GlobalProtect VPN needs to be authenticated during the VPN connection process. If you are running LDAP in your environment, you can integrate GlobalProtect VPN with your LDAP Server. For now, I’m creating a local user. Go to Device >> Local User Database >> Users and click on Add.

pa-user-creation

Creating Authentication Profile for GlobalProtect VPN

Now, you need to create an authentication profile for GP Users. Go to Device >> Authentication Profile and click on Add. Access the Advanced tab, and add users to Allow List. Just follow the steps and create a new Authentication profile.

authentication-profile-in-palo-alto-firewall

adding-users-to-authentication-profile

Creating a zone for GlobalProtect

Like IPSec VPN, in GlobalProtect VPN, you need to create a zone for the tunnel interface. Although you can choose one of the pre-created zones, but it is always recommended to create a new zone so that you have granular control over the GlobalProtect traffic. To create Security Zone, go to Network >> Zones >> Add. Make sure the Zone Type should be Layer 3 and Enable User Identification.

security-zone-for-global-protect-vpn

Creating a tunnel interface for GlobalProtect

Likewise IPSec tunnel, you need to create a separate tunnel interface for the GlobalProtect VPN. Go to Network >> Interfaces >> Tunnel >> Add, to create a tunnel interface. Also, make sure you assign the same security zone which is created in the previous step. You can attach a management profile to the tunnel interface as per your requirement. Although, you do not need to assign an IP address to this interface.

tunnel-interface-for-gp

Portal Configuration for GlobalProtect

Now we will start configuring the actual configuration for GlobalProtect. Go to the GlobalProtect >> Portals >> Add. Access the General tab and Provide the name for GloablProtect Portal Configuration. Below this in Network Settings, select the interface on which you want to accept requests from GlobalProtect client.

GlobalProtect-portal-configuration

Access the Authentication Tab, and select the SSL/TLS service profile which you are created in Step 2. In Client Authentication, click on ADD. Here, you need to define a user-friendly name for Client Authentication and select the Operating Systems on which you want to run GlobalProtect. Also, select the Authentication Profile which was created in one of the previous steps.

globalportect-auth-configuration

globalprotect-portal-auth-config

Now, access the Agent tab, and select the Trusted Root CA (created in Step 1) and check the option “Install in Local Root Certificate Store”. After this, click on Add Agent. Provide a user-friendly name for the agent.

gp-portal-agent-configuration

gp-portal-agent-client-configuration

Access the User/User Group tab and select OS and User/User Group you have on your environment. In this example, I am using ANY, ANY option.

GP-portal-agent-user-configuration

Access the External tab, and Add an External Gateway. Give the Name to External Gateway and provide IP, Source Region, and Priority details and click OK.

portal-agent-external-client-configuration

Gateway Configuration for GlobalProtect

After the GlobalProtect portal configuration, we need to configure the Gateway Configuration for GlobalProtect VPN. Access the Network >> GlobalProtect >> Gateways and click on Add. Give the name to GP Gateway and In the Network Settings, define the interface on which you want to accept the requests from GlobalProtect.

globalprotect-vpn-gateway-configuration

Access the Authentication tab, select the SSL/TLS service profile and click on Add to add a client authentication profile. Here, you need to select Name, OS and Authentication profile.

globalprotect-gateway-auth-configuration

Access the Agent tab, and Enable the tunnel mode, and select the tunnel interface which was created in the earlier step.

agent-configuration-gp-gateway

Access the Client Settings tab, and click on Add. Just, give a user-friendly name to this.

client-configuration-for-gp-vpn

Now, access the IP Pools and assign an IP subnet’s or IP range which is used to assign the IP address once the client successfully authenticates the GP authentication.

client-configuration-for-gp-vpn

Access the Split Tunnel tab, and Include all networks you want to gives access to remote clients. For all routes, you need to provide a 0.0.0.0/0 network. For this example, I just configure my LAN network which is 10.10.10.0/24.

client-configuration-for-gp-vpn

Security policy for GlobalProtect

If you created a new zone for the GlobalProtect tunnel interface, then you must define the security policies to allow the traffic from the tunnel interface. Although, if you put the tunnel interface in Trust or Inside security zone, for example, you do not need to define the security policy for InteraZone traffic. To create a security policy, access the Policy >> Security and click on Add.

NAT Policy for  GloabalProtect clients

If you want to provide Internet access to the VPN client through your corporate office, you must have to create a Source NAT (Network Address Translation) rule. You need to select your security zone (which is created in an earlier step) as source zone and destination zone should be your internet-facing zone. To create NAT rule access Policies >> NAT and click on Add.

Verification of GlobalProtect Configuration and Accessing defined Routes from Client Machine

So far we have configured GlobalProtect VPN in Palo Alto Firewall. Now, we will test our configuration by accessing the GlobalProtect agent from a client machine. You must download the GP agent on the client machine directly from the support portal, or you must have a GP agent on your firewall itself. You can access the GlobalProtect portal by access the public IP of firewall i.e. https://101.1.1.2 in my case.

global-protect-web-login-portal

I already downloaded a GP agent from the support portal and installed it on my test machine. Once, you installed the GP agent, open it and try to connect it on your firewall Public IP. If the configuration is correct, it will prompt for username and password. Once you type the username and password, it will automatically connect to the firewall and you can access corporate resources using GlobalProtect.

gp-vpn-connectivity-to-office gp-vpn-connectivity-to-office

 

gp-vpn-connectivity-to-office

Now, we will test our configuration by access an internal system. I have a router on my LAN segment and I can directly access that Router by using private IP. You can try to access the firewall using it’s LAN segment.

ping-after-pa-gp-connectivity

Related Articles

Summary

In this article, we discuss how you can configure GlobalProtect VPN in the Palo Alto firewall. We configured the GlobalProtect VPN from basics to advanced steps. You need to define a certificate, GlobalProtect Portal and GlobalProtect Gateway. Additionally, you required security policies in order to allow the traffic which is received from the GlobalProtect tunnel interface.

Did you found this article helpful? If you are facing any challange, please let me know in the comment box!

Leave a Reply

Your email address will not be published. Required fields are marked *