Wednesday, December 7, 2016

Palo Alto Networks - GlobalProtect - Part I

In many customer environments, I see administrators leveraging multiple products to protect remote users from cyber threats and/or inappropriate content (e.g. SOHO firewalls, endpoint anti-virus, content filtering products like OpenDNS or Digital Guardian). The problem with this approach is that these disparate products are each focused on one specific aspect of security and are not integrated, so they don't talk to each other, nor can they see the whole picture when it comes to a cyber-attack. Even management, logging, troubleshooting, etc. are more cumbersome due to separate graphical/CLI interfaces. Fortunately for Palo Alto Networks users, GlobalProtect is a very flexible Palo Alto Networks feature that allows remote users to access local and/or Internet resources while still being protected from known and unknown threats. This feature eliminates the need for managing additional products in your environment. Here's a pretty common configuration scenario:

You have an initiative to allow users to take corporate assets (e.g. laptops) off network, but still enforce the same security posture that is implemented on network. You need to provide content filtering, threat protections, and user-based access control. You want to give users the ability to enable/disable this capability as needed. How can this be done with GlobalProtect?
  • Navigate to Device -> GlobalProtect Client and download and activate the latest version.
  • Navigate to Network -> Network Profiles -> Interface Mgmt and create a management profile to apply to the interface to which remote users will connect.
    • Enable https
  • Navigate to Network -> Interfaces, and select the interface to which remote users will connect.
    • Navigate to the Advanced tab and apply the Management Profile created in step 3 and click OK
  • Navigate to Network -> Interfaces -> Tunnel -> Add and create a new tunnel interface
    • Assign the interface a number (e.g. 1)
    • Assign the interface to the appropriate Virtual Router
    • Assign the interface to the appropriate Security Zone
      • Note that in this example the tunnel interface is assigned to the L3-Trust zone. You could create a new security zone (e.g. L3-VPN); you just need to be sure to create the associated security policies so that traffic is allowed through the firewall.
    • Click OK
  • Navigate to Device -> Certificate Management -> Certificates -> Generate and create a trusted root certificate
    • Enter a Certificate Name
    • Enter the management IP of the firewall for the Common Name
    • Check the Certificate Authority checkbox
    • Enter information in other fields if desired (optional)
    • Click Generate
    • Select the certificate you just created, and check the Trusted Root CA checkbox
    • Click OK
  • Navigate to Device -> Certificate Management -> Certificates -> Generate and create a certificate for GlobalProtect
    • Enter a Certificate Name
    • Enter the IP address of the interface to which remote users will connect for Common Name
    • Select the certificate created in step 6 under Signed By
    • Enter information in other fields if desired (optional)
    • Click Generate
  • Navigate to Device -> Certificate Management -> SSL/TLS Service Profile -> Add
    • Enter a Name
    • Select the Certificate created in step 7
    • Click OK
  • Navigate to Device -> Local User Database -> Users -> Add
    • Enter a Name and Password
    • Click OK
  • Navigate to Device -> Authentication Profile -> Add
    • Enter a Name
    • Select Local Database for Type
    • Navigate to the Advanced tab -> Add
    • Select All
    • Click OK
  • Navigate to Network -> GlobalProtect -> Gateway -> Add
    • In the General tab
      • Enter a Name
      • Select the interface to which remote users will connect
      • Select the IP Address of the interface
    • In the Authentication tab
      • Select the SSL/TLS Service Profile created in step 8
      • Under Client Authentication click Add
        • Enter a Name
        • Select the Authentication Profile created in step 10
    • In the Agent tab
      • In the Tunnel Settings tab
        • Enable Tunnel Mode
        • Select the Tunnel Interface created in step 5
      • In the Client Settings tab
        • Click Add
        • In the Authentication Override tab, enter a Name
        • In the Network Settings tab
          • Add an IP Pool
          • Add an Access Route
            • In this example, we will enter a default route to ensure that all traffic is routed back through the firewall
          • Click OK
      • In the Network Services tab
        • Enter values for Primary DNS and Secondary DNS
      • Click OK
  • Navigate to Network -> GlobalProtect -> Portal -> Add
    • In the General tab
      • Enter a Name
      • Select the Interface to which remote users will connect
      • Select the IP Address of the interface
    • In the Authentication tab
      • Select the SSL/TLS Service Profile created in step 8
      • Under Client Authentication click Add
        • Enter a Name
        • Select the Authentication Profile created in step 10
    • In the Agent tab
      • Click Add under Configs
        • In the Authentication tab
          • Enter a Name
        • In the External tab
          • Add an External Gateway
            • Enter a Name
            • Enter the Address to which remote users will connect
        • In the App tab
          • Change the Connect Method to On-demand
        • Click OK
      • Back in the Agent tab, click Add under Trusted Root CA
        • Add the Root CA
    • Click OK
  • Commit the configuration
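Two of the gateway settings above, the IP Pool and the Access Route list, decide which client traffic actually comes back through the firewall for inspection. The Python script below is an added example, not part of the original post and not a Palo Alto Networks tool: it models the agent's route selection as a longest-prefix match over the configured access routes, so you can see why the post's single default route (0.0.0.0/0) sends every destination through the tunnel while a split-tunnel list lets Internet traffic bypass the firewall, and it checks that the IP pool does not overlap the internal subnets it will be routed against. All addresses, pool and subnet values are constructed samples; substitute your own before relying on the result.

```python
import ipaddress

# Constructed sample values mirroring the gateway's Client Settings.
# Replace with the pool and internal ranges of your own deployment.
IP_POOL = "172.16.250.0/24"                        # hypothetical VPN client pool
INTERNAL_SUBNETS = ["10.0.0.0/8", "192.168.10.0/24"]  # hypothetical LAN ranges

# Full tunnel, as configured in the post: a single default access route.
FULL_TUNNEL_ROUTES = ["0.0.0.0/0"]
# Split-tunnel alternative: only corporate prefixes are sent through the tunnel.
SPLIT_TUNNEL_ROUTES = ["10.0.0.0/8", "192.168.10.0/24"]


def pool_conflicts(pool_cidr, internal_cidrs):
    """Return the internal subnets that overlap the VPN IP pool.

    A pool that overlaps an internal range gives the firewall and internal
    routers duplicate address space, so this list should be empty before
    you commit the gateway configuration.
    """
    pool = ipaddress.ip_network(pool_cidr)
    return [c for c in internal_cidrs if pool.overlaps(ipaddress.ip_network(c))]


def matching_route(destination, access_routes):
    """Longest-prefix match of a destination IP against the access routes.

    Returns the most specific access route (as a CIDR string) that contains
    the destination, or None when no route matches. A None result means the
    packet leaves via the client's local default gateway and is never seen
    by the firewall.
    """
    dest = ipaddress.ip_address(destination)
    candidates = [ipaddress.ip_network(r) for r in access_routes
                  if dest in ipaddress.ip_network(r)]
    if not candidates:
        return None
    return str(max(candidates, key=lambda net: net.prefixlen))


def audit(destinations, access_routes):
    """Map each destination to 'tunnel' or 'local' for a given route list."""
    return {d: ("tunnel" if matching_route(d, access_routes) else "local")
            for d in destinations}


if __name__ == "__main__":
    print("pool conflicts :", pool_conflicts(IP_POOL, INTERNAL_SUBNETS))
    samples = ["10.1.2.3", "192.168.10.20", "8.8.8.8"]
    print("full tunnel    :", audit(samples, FULL_TUNNEL_ROUTES))
    print("split tunnel   :", audit(samples, SPLIT_TUNNEL_ROUTES))
```

Run it once with the route list you intend to push from the gateway: with the post's default route every sample resolves to "tunnel", which is the behaviour needed to keep content filtering and threat protection in the path; with a split-tunnel list the public address falls through to "local", which is the gap that configuration would open.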
In my next post, I will expand upon the configuration to provide different levels of access and GlobalProtect agent control based on group membership.

1 comment:

  1. Your site is amazing and your blogs are informative and knowledgeable to my websites. This is one of the best tips in my life. I have in quite some time. Nicely written and great info. Thanks to share the more information's.
