Global Protect- Configuration Guide

Configuring Global Protect

Palo Alto Networks

232 E. Java Dr.
Sunnyvale, CA 94089
408.738.7700
www.paloaltonetworks.com

Revision history
November 2010

First draft- Jerish parapurath

January 11th 2011

Second draft- updated screen shots, HIP

objects, auth methods.

2010 Palo Alto Networks

Page 2

Table of Contents
Revision history .................................................................................................................................. 2
Overview............................................................................................................................................. 4
Global Protect elements ..................................................................................................................... 4
Deployment topologies ....................................................................................................................... 4
Configuration check list ...................................................................................................................... 6
Configuration steps ............................................................................................................................ 6
Software requirements.................................................................................................................... 6
User authentication ............................................................................................................................ 6
Local database ............................................................................................................................... 7
External server ................................................................................................................................ 7
RADIUS ....................................................................................................................................... 7
Kerberos ...................................................................................................................................... 8
LDAP ........................................................................................................................................... 8
Authentication profile................................................................................................................... 8
Defining Host Information Profile and Objects ............................................................................. 10
HIP objects ................................................................................................................................ 10
HIP profile ................................................................................................................................. 12
Certificate requirements ................................................................................................................... 12
Generating CA certificate.............................................................................................................. 13
Generate Server certificate ........................................................................................................... 13
Generate Client certificate ............................................................................................................ 14
Create a Client Certificate Profile ................................................................................................. 15
Creating Global protect gateway and profiles .................................................................................. 15
Gateway configuration .................................................................................................................. 16
Portal Configuration ...................................................................................................................... 18
Security Policy Configuration ........................................................................................................... 21
Establishing connection.................................................................................................................... 21
Logging and reporting ...................................................................................................................... 23
Useful Commands ............................................................................................................................ 24

2010 Palo Alto Networks

Page 3

Overview
GlobalProtect provides security for client systems, such as laptops, that are used in the field by
allowing easy and secure login from anywhere in the world. With GlobalProtect, users are
protected against threats even when they are not on the enterprise network, and application
and content usage is controlled on the client system to prevent leakage of data

Global Protect elements

There are three essential components that make up the Global Protect:
x
x
x

Global Protect Portal: A PAN-OS device that provides centralized control over the Global
Protect system.
Global Protect Gateway: One or more interfaces on one or more PAN-OS devices that
provide security enforcement for traffic from the Global Protect Agent.
Agent: Client software on the laptop that is configured to connect to the Global Protect
deployment.

Deployment topologies
GlobalProtect can be deployed with a single firewall acting as both the gateway and portal. For
larger deployments, a single portal can support multiple gateways. In this case the agent will
connect to the closest gateway

2010 Palo Alto Networks

Page 4

Sequence of steps
1. The user makes an initial browser based connection to the portal and authenticates.
2. Upon successful authentication, the user is prompted to download the agent software as
msi file. The msi files for both 32bit and 64bit OS are available
3. The downloaded agent is installed and configured with username and password and the IP
address or FQDN of the portal to connect to.
4. At this point, the Agent will obtain the host information, and find the closest Gateway to
connect to.
5. If the closest Gateway is "internal", where the user is inside the network and the Gateway
is the Internet firewall, then the Agent can connect to multiple Gateways, authenticate,
update the HIP and have access through the Gateways which may be using HIPaugmented policies.
6. If the closest Gateway is "external", where the user is outside the network, then the Agent
will find the closest Gateway, authenticate, establish a SSL VPN tunnel, and then provide
the HIP.
7. The Gateway provides notifications as configured back to the agent for user notification
(Agent allows manual resubmission of HIP).
8. The Gateway enforces security policy based on user, application, content and the HIP
submitted from the client.

And after a successful authentication, Portal will send agent configuration and the client certificate
to the agent. The agent configuration will contain the following

2010 Palo Alto Networks

Page 5

1. The gateway list (both internal and external)

2. (Optional) The DNS name/IP mapping that Global Protect client software uses to
determine if the PC is inside or outside the office. This is used to determine if the agent
must connect to an internal or external gateway.
3. Trusted CAs that client software should use to verify the Gateways belong to the same
company. .
4. Host Information Data Collection Instructions that client software should report, e.g. OS
version, AV version, Disk encryption version, specific registry key/value, etc. The client
software is designed to be dumb, meaning it will simply report the raw data instead of
saying it is up-to-date or not. That logic is reserved for each gateway to determine.
5. Base64 embedded Client certificate that allows agent to authenticate itself when
connecting to Gateways.
6. Third-Party VPN Clients that should be allowed to run.
7. Agent users override policy.
8. Portal agent software version. This is to allow agent software to determine if a different
version is available.

Configuration check list

Before you start configuring Global Protect, make sure if have the following list of items handy
x

IP address of the Authentication server

IP address for Portal

IP address of Gateway

Access to CA server to generate certificate.

Note: This step is not required if you are using the PA firewall as the CA server

Licenses- License for Global Protect Portal and Gateway is required. If there are multiple
gateways managed by the portal, a license for each gateway is required

Configuration steps
Software requirements
Global Protect require PAN-OS version 4.0.
Download and activate the Global Protect client (Device> GlobalProtect Client)
Latest Application and Threats, Antivirus is required. Configure schedule for GlobalProtect Data
File

User authentication
Identify the authentication method that you will be using to authenticate Global Protect users. PA
devices support using local database and external authentication servers for authenticating users

2010 Palo Alto Networks

Page 6

Local database
Define a local user
- Device>Local user Database>Users and click on add to add a new user

External server
Device>Server Profiles>

RADIUS

2010 Palo Alto Networks

Page 7

Kerberos

LDAP

Authentication profile
The authentication profile refers to the authentication method configured earlier. Screen shots
below shows the authentication profiles for both local auth and RADIUS auth
Device>Authentication Profile

2010 Palo Alto Networks

Page 8

If using external database, choose the authentication method and the server profile. Screenshot
shows the example of using RADIUS server

Group membership can be checked as well without requiring any AD-agent being deployed.
In other words, Global Protect can be an alternative design for User-ID in case youd prefer
an agent on the systems, to complement user authentication with a HIP validation.

For LDAP, the user groups can be retrieved like this

Device>User Identification> and click Add in the LDAP server section

2010 Palo Alto Networks

Page 9

Defining Host Information Profile and Objects

HIP objects
HIP objects refer to the reports the Global Protect gateway will generate base on the HIP report
sent by the agent. The agent wills send all information about all categories, and the gateway
reports on the HIP objects that is configured to match .In this example, we match objects
x Firewall and AV enabled
x Patch management
To create a HIP object, Object>Global Protect > HIP object

2010 Palo Alto Networks

Page 10

From the firewall tab select firewall enabled, optionally you can also specify the vendor list.
Similarly from the AntiVirus tab select Antivirus enabled.

Similarly a HIP object for patch management is created to check for any patch installed

Once the HIP objects are configured you will be objects are shown in the screen shot

2010 Palo Alto Networks

Page 11

HIP profile
A HIP Profiles defines an evaluation of a set of collected HIP objects, combined logic such that
when evaluated, the result will either be true or false. HIP profile is then referred to in the security
policy
From Objects>HIP profiles> Add- to add a new profile
Give the HIP profile a name, Click on Add match criteria to add the HIP objects to the profile. The
list of the available HIP objects will be displayed in a new pop-up window. The HIP profile can be
configured to use the Boolean AND/OR/NOT operation to match all or any one of the HIP objects.
Choose the operator from the top of the HIP objects screen and click on the + sign next to the
object to add the object to the HIP profile

Certificate requirements
The same must be used to create all the certificates used by the Portal and each gateway and thus
can be used to verify the PC is not connecting to the wrong Gateways. In addition, the client
certificate should also be created by the same CA so that the Gateways can verify the PC belongs
to the same company
Global protect requires three types of certificates
CA certificate
Server Certificate
Client Certificate
The PAN-OS device itself can act the CA server.

2010 Palo Alto Networks

Page 12

Generating CA certificate
Device>certificate>generate
Check the CA certificate, to make the CA certificate

Generate Server certificate

From the signed by drop down select the CA certificate generated earlier

2010 Palo Alto Networks

Page 13

Generate Client certificate

From the signed by drop down select the CA certificate generated earlier

2010 Palo Alto Networks

Page 14

Create a Client Certificate Profile

Device>client certificate profile
From the CA certificate drop down select the CA certificate generated earlier and click on add

Creating Global protect gateway and profiles

Global Protect portal provides first point of user authentication. The Global Protect Portal is an
identified by an IP address on an active interface on the firewall. These interface can be a logical
interface. A single PAN-OS device can function as both as the portal and gateway. This is
accomplished by configuring two IP address on two different interfaces.
In the figure below a single PAN-OS device is functioning as the portal and the gateway. Loopback
interfaces are used for this function.
Note: The interface used for portal must have HTTPS management service enabled. To see user
names in the traffic log, enable user identification on the zone that binds the global protect gateway
interface

2010 Palo Alto Networks

Page 15

Portal: 192.168.50.57/32
Gateway: 192.168.50.58/32
Static NAT is configured on the upstream router to map the 192.168.50.57 and 58 IP addresses to
public IP address.

Gateway configuration
Gateway configuration defines how the clients connect to and authenticate to Global protect
gateways. If the clients are connecting to the gateway on the internet, tunnel mode must be
enabled. This configuration will enable the clients connect to the gateway either via a SSL VPN
tunnel or IPSec tunnel. The gateway in the tunnel mode must be configured to assign IP address.
DNS and WINS information to the client (similar to IPSec mode config)
Network>Global Protect
General Tab:
IP address field is the address of the global protect gateway.
Select the tunnel interface. This is required when the agent connects to external gateways. If
enable IPSec is selected, then agent establishes a IPSec tunnel to the gateway. If the IPSec
connection fails, the agent uses SSL to connect to the gateway.

2010 Palo Alto Networks

Page 16

Client configuration tab:

When the clients connect to the external gateway using a tunnel, networking configuration will be
pushed to the client. Specify the DNS, WINS and DNS suffix to be used by the client. Also specify
the pool from which IP addresses will be assigned to the client.
Access routes: By default all traffic from the client will be sent to the gateway. Access routes,
allow you to define networks that will be accessible by the client through the tunnel.

In the HIP notification tab select the HIP profile that was configured in step xx. You can also specify
the message to be displayed to the end user when the PC is in compliance as defined in the HIP
object.

2010 Palo Alto Networks

Page 17

Portal Configuration
Select the client and the server certificate and the authentication profile used to authenticate users.
The gateway address is the IP address of the interface configured for the portal

2010 Palo Alto Networks

Page 18

Client configuration general tab:

On demand mode
With this setting GlobalProtect agent will not automatically connect to the gateway. Instead, a
menu item will be available for user to click to manually connect to the gateway. In this mode,
GlobalProtect will send the HIP report as well as establishing the tunnel with one gateway.
Single Sign on
The agent will use the windows credentials of the user to authenticate to the global protect portal
Gateway list
Portal provides agents with a list of the IP address/FQDN of gateways within the deployment. The
gateways are separated into two categories: internal and external gateways. In each category, you
can specify the list of gateways that agent can connect to. In this example the real IP address of
the gateway is 192.168.50.58, which is a private IP address. Since this IP address must be
reachable from outside of the LAN, this IP address must be translated. In this example the IP
address in the external gateway is the post NAT IP address i.e public IP address that address
translated to 192.168.50.58
Root CA
Add the root CA that was used to sign the server and client certificates

2010 Palo Alto Networks

Page 19

Advanced tab

Third party VPN clients allows administrator to specify the VPN traffic that will exempt from being
sent through the global protect gateway. If no virtual adapters are selected, all traffic VPN traffic
from the host will be routed via the global protect gateway.
Internal Host Detection
This is an optional configuration. It helps agent determine whether the host is inside the network
and connect to the internal gateway
The DNS name specifies a hostname that can be reached from internal network and the IP
address is the host IP address. The Agent will do a reverse lookup on the IP address and if it
receives the expected hostname as a response, it will attempt connecting to the gateways in the
internal list. If no response is received that agent will attempt to connect to the gateways in the
external list
If no internal-host-detection configuration is provided, agent tries the internal gateways first,
followed by external gateways.

2010 Palo Alto Networks

Page 20

Agent UI:
User can disable the agent on the PC. Agent User Override option allows the administrator to have
configure whether or not the agent can be disable and if it can be disabled, the user will need a
passcode or reason for disabling the agent.
Data Collection

The global protect agent will send HIP report about all categories Host Info, Anti Virus, antispyware, disk backup, disk encryption and firewall. Click on Add to exclude the agent sending
reporting on any category. Please note that if you have a HIP object configured to report on Anti
Virus and if you add antivirus to exclude category, this will negate purpose of configuring HIP
object to report on anti-virus.
To enable custom checks, enter the value for registry key values and services in the custom
checks tab,
The max wait time is amount of time the global protect agent waits to submit a HIP report to the
gateway.

Security Policy Configuration

The value for this column in a security rule is any, no-hip or HIP profiles. any will match any
host, regardless of whether a HIP was submitted or not. no-hip will match any host that has not
submitted a HIP. If more than 1 HIP profile is defined in the rule, it is a match if either one of the
HIP profiles matches.

Establishing connection
Connection to the global protect portal is initial from browser using a SSL connection. To connect
to the portal browse to https://<ip address/FQDN> of the portal. Once authenticated, end users will

2010 Palo Alto Networks

Page 21

have to download the agent software. There agent software is available for both 32 bit and 64bit
OS. Administrator privileges are required to install the agent for the first. Subsequent upgrades do
not require administrator rights
After installing agent, agent must be configured to connect to the Global Protect portal. Provide the
IP address/FQDN of the portal and user credentials to connect to the portal

Once successfully connected you can verify the connection detail under the details tab of the agent

The user will be required to authenticate to the portal via ssl only the first time connecting the
portal. Once the agent is downloaded and installed all subsequent connects to any of the portal is
done using the agent.

2010 Palo Alto Networks

Page 22

To view the categories that agent will send HIP report, go to the settings tab on the agent

Logging and reporting

Logs can be viewed under the HIP match section of the Monitor tab

ACC provides reports for HIP objects and profiles

2010 Palo Alto Networks

Page 23

System logs provide information about user activity

Useful Commands
To view the users connected
show global-protect-gateway current-user
show user ip-user-mapping type GP
To view the tunnels established
show global-protect-gateway flow
show global-protect-gateway flow tunnel-id <value>

2010 Palo Alto Networks

Page 24