Tuesday, March 24, 2020

Palo Alto Networks - GlobalProtect - Part I

ATTENTION: Please visit the Palo Alto Networks Live site for the latest version of this post.

----------------------------------------------------------------------------------------------------------------

In my previous post, I provided an overview of the GlobalProtect series and overall objectives, which included a description of each post in this series. I would recommend starting there prior to moving forward.

In this post, we will cover the initial setup of GlobalProtect, which includes a portal, external gateway, and user authentication via local database. You can see a diagram of the environment here.

Part I - Initial Setup
  • Navigate to Device -> GlobalProtect Client and download and activate the latest version. 5.0.8 is a TAC-preferred version at the time of this blog post.
  • Navigate to Network -> Network Profiles -> Interface Mgmt -> Add and create a management profile to apply to the public interface to which remote users will connect.
    • Enable https
    • Click OK
  • Create another profile to apply to the tunnel interface to which remote users will connect.
    • Enable Response Pages
    • Click OK
  • Navigate to Network -> Interfaces, and select the interface to which remote users will connect.
    • Navigate to the Advanced tab and apply the Management Profile created for the public interface above and click OK
  • Navigate to Network -> Zones -> Add and create a new Layer 3 security zone for your GlobalProtect users
    • Provide a name (e.g. gp)
    • Set Type to Layer3
    • Check the Enable User Identification check box
    • Click OK
  • Navigate to Network -> Interfaces -> Tunnel -> Add and create a new tunnel interface
    • Assign the interface a number (e.g. 1)
    • Assign the interface to the appropriate Virtual Router
    • Assign the interface to the appropriate Security Zone
    • Navigate to the IPv4 tab and assign a subnet to be used for your mobile users
      • Note that this should be a network that is not used anywhere else. Also note that an IP address on this interface is not a requirement.
    • Navigate to the Advanced tab and apply the Management Profile created for the tunnel interface above
    • Click OK
  • Navigate to Device -> Certificate Management -> Certificates -> Generate and create a trusted root certificate
    • Note - In this series of posts we will be using self-signed certificates. It is recommended to use third-party certificates in a production environment, but self-signed certificates will work as well.
    • Enter a Certificate Name
    • Enter the management IP of the firewall for the Common Name
    • Check the Certificate Authority checkbox
    • Enter information in other fields if desired (optional)
    • Click Generate
    • Select the certificate you just created, and check the Trusted Root CA checkbox
    • Click OK
  • Navigate to Device -> Certificate Management -> Certificates -> Generate and create a certificate for GlobalProtect
    • Enter a Certificate Name
    • Enter the IP address or the DNS name of the interface to which remote users will connect for the Common Name
      • Note - In this series of posts we will be using the public IP address for the common name (represented by 1.1.1.1). It is recommended to use a DNS name in a production environment, but IP addresses will work as well.
    • Select the trusted root certificate created in the previous step under Signed By
    • Enter information in other fields if desired (optional)
    • Click Generate
  • Navigate to Device -> Certificate Management -> SSL/TLS Service Profile -> Add
    • Enter a Name
    • Select the GlobalProtect certificate created in the previous step
    • Click OK
  • Navigate to Device -> Local User Database -> Users -> Add
    • Enter a Name and Password
    • Click OK
  • Navigate to Device -> Authentication Profile -> Add
    • Enter a Name
    • Select Local Database for Type
    • Navigate to the Advanced tab -> Add
    • Select All
    • Click OK
  • Navigate to Network -> GlobalProtect -> Gateway -> Add
    • In the General tab
      • Enter a Name
      • Select the interface to which remote users will connect
      • Select the IPv4 Address of the interface
        • Note - If your interface is assigned an IP address via DHCP, then you will not have an option to select an IPv4 Address. Just leave this field set to None.
    • In the Authentication tab
      • Select the SSL/TLS Service Profile previously created
      • Under Client Authentication click Add
        • Enter a Name
        • Select the Authentication Profile previously created
    • In the Agent tab
      • In the Tunnel Settings tab
        • Enable Tunnel Mode
        • Select the Tunnel Interface previously created
      • In the Client Settings tab
        • Click Add
        • In the Config Selection Criteria tab, enter a Name
        • In the IP Pools tab
          • Add an IP Pool
        • In the Split Tunnel tab
          • Add an access route to the Include section
            • Note - In this series of posts we will be routing all traffic through the tunnel. It is recommended to tunnel all traffic in a production environment to ensure consistent protection.
          • Click OK
        • In the Network Services tab
          • Enter values for Primary DNS and Secondary DNS
          • Click OK
  • Navigate to Network -> GlobalProtect -> Portal -> Add
    • In the General tab
      • Enter a Name
      • Select the Interface to which remote users will connect
      • Select the IP Address of the interface
    • In the Authentication tab
      • Select the SSL/TLS Service Profile previously created 
      • Under Client Authentication click Add
        • Enter a Name
        • Select the Authentication Profile previously created
        • Click OK
    • In the Agent tab
      • Click Add under Configs
        • In the Authentication tab
          • Enter a Name
        • In the Internal tab
          • Enable Internal Host Detection IPv4
          • Enter the IP Address of a resource that is always reachable internally
          • Enter the Hostname to which that IP address resolves
            • Note - Internal Host Detection performs a reverse lookup of this IP address to determine whether or not the device is on the internal network before deciding whether to establish a VPN tunnel. See this post for additional details if you do not have an internal DNS server.
        • In the External tab
          • Add an External Gateway
            • Enter a Name
            • Enter the Address to which remote users will connect
        • In the App tab
          • Change the Connect Method to On-demand
            • Note - In subsequent posts, we will be setting the Connect Method to User-Logon (Always On), as that is the recommended best practice.
        • Click OK
      • Back in the Agent tab, click Add under Trusted Root CA
        • Add the Root CA
        • Check the Install in Local Root Certificate Store checkbox
          • Note - Selecting this option will transparently install the trusted root CA so that we can test SSL Forward Proxy decryption in the future. It is not required in order for GlobalProtect to function.
        • Click OK
  • Navigate to Policies -> NAT and add the gp zone you created previously to your source NAT rule so that users in the gp zone can get out to the Internet
  • Navigate to Policies -> Security and add security policy rules so that users in the gp zone can access internal as well as public resources
  • Navigate to Policies -> Security and add a security policy rule that allows remote users to access the GlobalProtect portal
  • Commit the configuration
You should now be able to log into the portal, download and install the GlobalProtect App, and test connectivity.
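As an added example (not code from this post or from Palo Alto Networks), here is a small Python checker for two things worth verifying before you commit: the Internal Host Detection reverse lookup described above, and the address plan (a tunnel subnet and IP pool that do not overlap internal networks, plus a default route in the Split Tunnel include list when all traffic is meant to be tunneled). The resolver is injectable so the lookup can be simulated offline; all subnets and hostnames are constructed, and the IP pool is assumed to be written as a CIDR.

```python
"""Pre-commit sanity checks for the GlobalProtect plan above (added example,
not Palo Alto Networks code). Subnets and hostnames are constructed."""
import ipaddress
import socket
from typing import Callable, Iterable, List

# A reverse-lookup function: IPv4 address string -> hostname, raising an
# OSError subclass on failure, exactly like socket.gethostbyaddr()[0].
Resolver = Callable[[str], str]


def internal_host_detected(ip: str, expected_hostname: str,
                           resolver: Resolver = lambda a: socket.gethostbyaddr(a)[0]) -> bool:
    """Model of Internal Host Detection: reverse-resolve `ip` and treat the
    device as internal only when the answer matches the configured hostname.
    Any lookup failure (NXDOMAIN, timeout, no DNS) counts as external, so the
    app falls back to connecting through the gateway (assumption about the
    safe behaviour, not a statement of PAN-OS internals)."""
    try:
        answer = resolver(ip)
    except OSError:
        return False
    # DNS names are case-insensitive and a trailing dot is the same FQDN.
    norm = lambda h: h.rstrip(".").lower()
    return norm(answer) == norm(expected_hostname)


def address_plan_issues(tunnel_subnet: str, ip_pool: str,
                        internal_networks: Iterable[str],
                        split_include: Iterable[str]) -> List[str]:
    """Flag the address-plan mistakes the post warns about: the tunnel subnet
    (and the IP pool, assumed here to be a CIDR) must not overlap any
    internal network, and a tunnel-all design needs 0.0.0.0/0 in the include list."""
    issues = []
    tunnel = ipaddress.ip_network(tunnel_subnet, strict=False)
    pool = ipaddress.ip_network(ip_pool, strict=False)
    for raw in internal_networks:
        net = ipaddress.ip_network(raw, strict=False)
        if tunnel.overlaps(net):
            issues.append(f"tunnel subnet {tunnel} overlaps internal network {net}")
        if pool.overlaps(net):
            issues.append(f"IP pool {pool} overlaps internal network {net}")
    includes = [ipaddress.ip_network(r, strict=False) for r in split_include]
    if not any(r.prefixlen == 0 for r in includes):
        issues.append("Split Tunnel include list lacks 0.0.0.0/0; not all traffic is tunneled")
    return issues
```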

In my next post, we will make changes to the configuration to include different forms of authentication and add an internal gateway.
