Palo Alto PCNSA Topic: Chapter 10 – Global Protect (Remote Access VPN)
December 19, 2022

1. 10.1 Global Protect overview

In this video, we are covering PCNSA 210, which is our chapter ten on Global Protect remote access VPN. Now, this is the second video of chapter ten, which is 10.2. Preparing the firewall for Global protect. Now, to prepare the firewall for Global Protect, we need to configure four areas. First, we need to configure Global Protect certificates. So we need to configure certificates for portal as well as gate eight ways if you want for clients as well. The second step is that we need to configure the authentication server profile. And for authentication server profile we could use LDAP Taka radius, but in our example we use in LDAP. Then, once we configure that server profile, we add it to the authentication profile. And the last step is to configure Global Protect client. So, the first step is to configure Global Protect certificates. Now, connectivity between all parts of the Global Protect infrastructure is authenticated using Secure Socket Layers certificates. So the portal, the gateway, and the agents must use certificates signed by the same certificate authority. So the certificate authority, which is the first certificate that we’re going to configure, is optional. We don’t have to configure, but it is recommended. Because of what we can do after we configure the certificate authority, this certificate authority is going to sign other certificates.

And with this certificate authority, we can export it from the firewall and then import it as a trusted certificate on the client machines. And then every certificate this certificate signs will be trusted by the clients. After we configure the certificate authority certificate, we’ll configure the Global Protect portal certificate and then the Global Protect gateway certificate. Now portal, it could be on the same as the gateway. We could have one certificate for the portal as well as for the gateway. But if you have a bigger enterprise, you might have separate firewalls for portals that are going to need the certificate, and separate firewalls for gateways that will also need the certificate. Now, the client can have their own certificate if you want gateways to authenticate and identify the clients. Now, if you look at what I’ve done, which I’m going to demonstrate on the live firewall anyway, I’m just going to go through the slides first. If I went to device, then certificate management, and then you have a certificate there, I have created a certificate authority as a Global Protect, and this certificate authority is a signing certificate that I have exported and imported on the client machines.

Then I have created another certificate signed by the certificate authority, external GP, or Global Protect portal. So this is the external gateway and the portal inside the same firewall with this IP address, and then the internal gateway has that IP address there. And as I said, I’m going to demonstrate for you all this on the live firewall anyway. And the second step was to configure the authentication server profile. Now, it will be used. Global Protect relies on the same system of server profile and authentication profile as Pan OS Software does with administration authentication or user ID. So authentication server profile we can configure if we navigate to device then we go to server profile and then we have a few choices like radios tag ax and LDAP. We choose an LDAP. In this instance, we give a name to whatever we want, and that’s the server list. We give a name of that server and that’s the IP address that we can connect to that server and the port number as well. So under the server settings we have a type is active directory, distinguished name is DC lab, DC local and then bind distinguished name is this is the account I have created on my domain controller, which we’re going to connect the domain controller with. Authentication server profile and then the password, the buying timeout, search timeout and retry interval are left into default. And I have untamed this require Salts secure connection. Right now, after we create this authentication server profile, we’re going to add it to or attach it to the authentication profile, and we can do that under a device, and then we have an authentication profile. We add a new authentication profile, give it a name, and then the type is going to be LDAP, and the server profile is the one that we already created already.

So this one here, number one, we created, and then the user domain is going to be lab local in advance. We can add all users there. And the last step is to actually check the agent software on the portal. Now to look at the software, if you have agent software activated and downloaded, it’s under the device, and then, if you scroll towards the end, you have a Global Protect client. Look at what is downloaded and what is currently activated. For example, version 5.1.4 of it was downloaded and activated. When I do the demonstration on the Global Protect, I’m actually going to use version 4.1, point eleven. I think because that works better for me. Sometimes this newer version does cause some trouble, and so on, but anyway, you have to find the one that works for you and use that one. Okay now I’m going to demonstrate for you all of this on the live firewall, okay? Now if I access my firewall, the first thing that we’re going to do is one of the four things. What we need to do is to first to configure the certificates then we’re going to configure authentication server profile you can use LDAP and then we’re going to add that to the authentication profile and we’re going to look at the Global Protect clients. So to configure the certificates, we need to navigate to device, then certificate management, and then certificates.

So in here, we’re going to create three certificates. One is a certificate authority, which I’ll generate, that just uses the name Astrid Global protect CA. That’s it. And in the common name, I’m going to use the same, and I’m going to make this a certificate authority. It’s not going to be signed by any external authority, so it’s not going to be trusted by default. But if we export it and then import it onto the client machines, then they will trust that. Okay, let me just press F11 so we can see it all nicely. Okay? And that’s my certificate authority (CA), and this is going to sign all my certificates. Now this for example, exported and then imported on my client machines. So the second certificate I’m going to create is going to be for my external gateways.

So I’m going to call it an “external gateway,” and this is going to be a portal as well. So it’s going to be a global protection portal. So it’s going to have two jobs, two roles. It’s going to be the gateway as well as the portal in the same firewall under the same common name. On the IP address, I’m going to put the IPad dress of my firewall external two or 3011 320, and this is going to be now signed by is going to be signed by the certificate authority and the rest I’ll leave it as a default. And if you want to know how all of these then you have to look at the certificates. For example, I’m going to generate a certificate, and then I’m going to generate another certificate. You can see the hierarchy; you can see that this certificate is being signed by this certificate, and the third certificate I’m going to create is for the internal gateway. So this is not going to be a portal; it’s just going to be the gateway, and the IP address of this is going to be 1921-6821, and this certificate is going to be signed by the Certificate Authority. That’s it; our certificates are done.

Then after that, we need to configure the authentication server profile. Now authentication Server Profile, we can have few of them as you can see here. We can have Takas-Radial LDAP, Kerberos, and so on, but we cannot configure LDAP. Now to do that, we need to go to “Device Server Profile” and then “LDAP,” and we’re going to add a new one, which I’m going to call “Astrid app LDAP Server Profile.” That’s it. And Administrator use only just if you want to use only administrators on the server profile. But no, I’m not going to take that server list. I’m going to add the new server list, and this is my domain controller 2016, and that’s the LDAP server address; that domain controller address is 192-16-8212, and that’s the LDAP port that I’m going to be using. Three, eight, and nine servers are configured. This is going to be Active Directory, where we can choose other types if we want to. But for us it’s going to be Active Directory and Distinguished Name is going to be the DC lab DC local and we’re going to bind it to an IPod user that I got it under my domain controller.

So if I go to that user, let me just access my domain controller, which is this one here. Let me log into that. Okay, so the password is Palo Alto. Okay. Now I’m going to open my files, Active Directory users, and computers. And you’re going to see that I’ve created an account, like an agent, that is going to run in my domain controller and that I can bind to my authentication server profile. And the count is 1. So if I just show you expand this under lab local users and we have this user here pan agent and login for thesis going to be sorry, it’s going to be pan, just pan.

Okay, so this one, I’m going to use it as my agent between the domain controller and authentication server profile. So if I go back to my firewall, this is going to be PAN at the laptop toggle, and the password is Palo Alto. And bind timeouts first time out and retry interval. I’m just going to leave it to default, and I’m going to uncheck this require SSL/TLS box because we’re not using it in the secure connection and click. Okay, now I have an authentication server profile. So after that, I need to add this to the authentication profile, and that is under the device authentication profile. I’m going to create a new one and call it a strict authentication profile. And this one is going to be going to be using type. You’re going to use it not local database which you can radius LDAP like I told you. For us, it’s going to be LDAP, and the server profile is the one that we just created early under LDAP. So it should say Astrid LDAP, server profile, and user domain. We’re just going to say “local lab.” That’s it. Under the advanced tab, you can see this quickly red-lined.

So we need to configure something—you can enable two authentication factors, and so on. I’m going to leave it alone for this lesson. But as we advance, we can allow lists. I’m going to use them all. Okay, so that’s my authentication profile done. An authentication server profile down here, it’s done using Lapland the last thing is we’re going to actually check the client software that we’re going to use for Global Protect, and that’s on the device. And if you just go scroll little bit further down, we have a global protect client and you can see different versions that are available. I have downloaded 522514, and so on. But the one I’m using and having a lot of success with is 4111. This is downloaded and currently active now because my Windows maybe is not up to date or something, I’m having some problems or issues with the latest ones. But I’m okay with this one because I’m using Windows 7, which I think is the problem anyway. Okay, so those are the four things or four areas that we need to configure to prepare a firewall for Global Protect. So first, what we did was everything on the device here: we configured certificates, external certificates, internal certificates, and an authentication server profile. So then we added that to the authentication profile, the normal authentication profile. And then we looked at the Global Protect Client software that we have installed, and I told you I’ve got this version available.

2. 10.2 Preparing the firewall for Global Protect

We are covering Penza 210 and this is our chapter ten global Protect remote Access VPN. Now we reach the third video of chapter ten which is 10.3 configuration global Protect Portal. Now remember global protect portal was very important device and it was our central end point of intelligence and most of configuration will happen at the global protect portal it is responsible for coordinating communication and interaction between all other global protect components. And in there, we can configure a level of control for users, for example, from fully locked down, where the users have to connect to some gateway, to one to which they can choose which gateway they want to connect to. So at the global protect portal, we can authenticate users initiating connections to global protect and have the ability to create and store custom client configuration.

The global protection portal will maintain a list of internal and external gateways and manage CA certificates for client validation of gateways. So to configure our global protect portal we need to navigate to network and then global protect and then portals and we can click add in there we need to under the general tab, we need to give a name to our global protect portal configuration and we need to identify a layer three interface. So for example, what we’re going to be using is actually our external interface, IPV 4, and then the IPV 4 address of that interface. Under appearances, we can have the appearance of our default or we can use our own company logos, and so on, whatever you want. And before we go to the authentication, which you can see has to be configured, as you can see by the quickly flashing red line, we need to actually do some pre-configuration beforehand. Yeah, so we need stuff to add to the authentication.

For example, the first thing that we need to configure is SSLTL’s service profile. Now to do that, we need to go to a device, and then under certificate management, we have the SSLTLS service profile. This profile object specifies which certificates and protocols will be used in securing the global protected portal traffic. The next thing after that is that we need to go to the certificate profile, and the certificate profile is still on the device here. Then we have certificate management, and we have a certificate profile there, which will be used only if you want to authenticate the users or the agent. So the gateway will authenticate the agent, and the agent will authenticate the gateway. So a mutual identity validation Okay, we’re not going to be doing that in our trial, but we’re going to configure server authentication. And then, after we are happy that we have configured the SSL TLS service profile, we can go back to our global protect portal configuration under global protect portals, and then under the authentication server authentication, we’re going to use the server authentication that we just configured under the SSL TLS server profile. And then we click on “add” to add the authentication profile.

And that’s the next window here or next slide. So after we click “add,” we have a client authentication, we give a name, and we have an operating system. We’re going to demonstrate all of this on the live firewall but anyway just going through the slides here and then authentication profile is the one that we just created on previous lesson. Lesson 10.2: Here is the asteroid underscore authentication profile, and the last thing we have is the authentication message. In here, you can type a message; it’s a customizable message that will be presented to the end user in this message. For example you can type here what credentials you want them to use or to enter. For example, if you want your users to use some other login credentials from Carious, Takas, or Radios, and so on, Okay excellent. The next thing is the agent certificate.

After we have configured in the general reconfigured authentication, we’re going to skip the portal data collection because there’s no collection. And under the agent the first thing that we need to do is to specify what will bathe root certificate so the agent can trust that. And here you must specify the root Car issuing certificate that the global protect agent will trust when connecting to the gateways. If a gateway presents a certificate to the agent that was not issued by one of the listed CAS, the agent will reject the handshake and terminate the connection. The next thing is that we’re going to configure the agent. So after in the Agent we click Addend we give a name we want to. And you can customize a Global Protect connection for different users by creating multiple client configurations. The next tab that we’re going to be looking at is the Internal tab. And here we’ll have the all internal global protect gateways. And here we put an IP address and a hostname. Hostname will be used for the clients to authenticate to internal gateways rather than to external. So what they will do is do a reverse lookup for that IP address, and if they get this hostname, then they will connect to that one. The next one is external gateway, and this will be the list of your external gateways, and the client will actually be connected to the one that actually responds best on SSL, and we also look at the priority value as well.

Now the client configuration app has different connection methods. There are three methods for client connections we have on demand where the users have to explicitly initiate the connection. User logon automatically will establish a global protect client connection after the user logs into the computer or pre log on the global protect establishes the connection even if the user is not logged in to their computer. Now for the client, client less VPN is where the users they don’t have to install the software, they can just open the web browser secure web browser and that will connect to the global protectant you can enable what applications you want users to be seen and be able to use it.But we can still control them through the security policy rule. Okay, so now I’m going to demonstrate to you now I’m going to demonstrate for you how to configure all of these that we talked about in the global protect portal. To do that, we need to navigate to Network, then Global Protect, and then Portals. But before I start configuring global protect portals, we need to do some other pre-configuration like the SSL TLS certificates, and to do that, we need to navigate to devices and then go to the SSL TLS service profile, and this will actually specify which certificates we can use for global protect portals and gateways, for example. So I’m going to click “add,” and here I’m just going to call it “Astrid portal certificate.” And the portal certificate I’m going to be using is this we created in less than 10.2 yeah, external G gateway and portal and protocol settings. I’m going to let it default. Another SDK TLS profile I’m going to create is for internal, so just call it the internal gateway. And for this, I’m going to use what certificate? internal gateway certificate, and that’s it.

So after we click “configure,” now I can go and configure my global protection portal. So go to Network, then Global Protect, then Portals, and add on the name. I’m just going to use it asterisk global protect portal. And the interface I’m going to be using is actually my exit, or outside-facing interface. Ethernet, one. And you can use IPV 4 and IPV 6. But I’m just using IPV4, and the IP address for that is 230-1132. And for the appearance, you can see that you can have a default or factory default, or you can have your own company’s appearance with your own logo and stuff. You can change it here if you want to. Okay, under the authentication, the server authentication will be Sltl’s service profile. Well, this is going to be my portal certificate, and then we have client authentication. Under the client of the authentication, I click add and this is going to be, say, global Protect. Global Protect client authentication and the operating system. You can see we can choose different authentication.

We can see that we can make a portal for different operating systems, but we can have a different one for Linux, Mac, Windows, Chrome, or I can choose. Any authentication profile is the one that we created earlier in the second lesson as an aspirate authentication profile, and then we have the authentication message. For example, username, password, and credentials What kind of credentials do you want your users to add? In there. Click. OK? And that’s it. On the authentication portal data collection, we are not going to be collecting any data on this lesson. Agents need to configure a trusted in here we need to specify the root CA for issuing certificates that Global Protect agent will trust. So anything that the certificate authority that we created in the previous lesson says is going to be trusted. So the client will trust Anything that we sign with this certificate authority will be trusted. And under the agent, we click “Add.” And here we give it a name. So let’s just call it Global protect agent. Global Protect, agent confit and client certificates. We don’t use any client certificates here. And we have, for example, two-factor authentication. We can be using it but for this lesson or for our curriculum, which is going to go straight to the internal, and this is going to be the internal gateways.

So internal host detection IP So we’re going to give, for example, our internal gateway address, which is two one with an internal gateway lab logo. What’s going to happen is that this address, when it’s given, is going to be tried, and the agent is going to try to resolve it based on this name. So only the inside DNS server should be able to actually resolve this. And if it’s resolved, then the host will actually connect to this internal gateway. I click “Add,” and the name is going to be “internal gateway.” And I’m going to use an IP address, an IPV4 address, or 1921-6821. Okay. And then we have an external list. external list we’re going to use and what types of external gateways we’re going to be using. So, for example, we can add external gateways.

And my external gateway, the gateway IP address I’m going to be using, is 2030, 1320. And then we’re going to put the source region. So for example, if we say in United Kingdom here, say the priority is the highest. If we say for say United States, wean go to priority maybe next highest high. Or we can have, for example, for other, say, Brazil. If we connect from Brazil, we’re going to have it set to maybe a low or medium priority; it doesn’t matter here; we choose a priority where users will connect to what external gateway. Then we have an app there and a host information profile, which I’m just going to leave at default and click okay. And for client list VPN, we’re not configuring any client list VPN for nothing. For satellite, I’m going to leave a default, and that’s it. So that’s our global protection portal.

3. 10.3 Configuration Global Protect portal

In this video, we are covering PCNSA 210, which is our chapter ten global Protect Remote Access VPN. Now this is the fourth video of Chapter 10. So 10.4 configuration of global protect Gateway now, global protect Gateway So from previous lessons, we learned that we have one global protection portal, which is the central point of intelligence. And it will have in the map of all global protect gateways there are there. And the client will log on first to the portal, which will send them a list of all available gateways. And then the client will choose one of the gateways they’re going to connect to, either an internal gateway or an external gateway. If they have to choose, internal will be preferred to external. If you have external gateways, they do require a tunnel, while internal gateways don’t require one. Well, we can configure one. Now, to configure a tunnel, for example, an external gateway is a require one. You need to go to network interfaces and then tunnel.

When you add it, you can’t change the name; it’s a read-only name, and you can change the number, but you have to add it to the virtual router and security zone, IPV 4 and IPV 6, in advance. You don’t need to configure anything in there; it will be used. This tunnel will be used as a secure connection to the gateway, and the firewall will use the logical tunnel interface for encrypting and decrypting traffic with the client. After we configure the tunnel then we can go and configure our global protect gateway. And to do that, we need to go to Network Global Protect, and then we have a gateway. After we click add on the general tab we click we add the name, whatever you want to call it and we have to add a layer three interface. So for example, here is my outside zone facing interface and in IP address type I chose an IPV four only where you can choose IPV six or both IPV four and IPsec, IPV four only and IPV four address. And after we configure the general tab, then we have to configure the authentication because, as you can see in this quick line, it’s telling us that we have to configure something in there. The configuration to authentication to configure this section will allow you to select different authentication methods based on the operating system. So once we configure select authentication, we give it a name, and then we choose what operating system to use, and I’m going to demonstrate all of these for you in the live router, but you can choose different types of operating systems, such as Windows, Mac, Linux, and so on.

And then we can have an authentication profile for the operating system you’ve chosen and then see how the app login screen is going to look, including an authentication message. For example, here you can tell the users what type of login credentials they need to add and then we can link the tunnel on the agent. When we start configuring the agent, we have to click on the tunnel settings. This is required for external gateways, and we have to choose what tunnel we want to use. We need to enable IPV SEC, so we need to keep it enabled, and we can choose extendable X-Augh support if you use that protocol under the client settings. So the next tab you saw was a client setting that we had to type, and then from the 9.0 operating system, you can deploy different tunnel configurations for multiple users’ locations from a single gateway, and after that, after we configure client selection criteria, we have to configure the IP pools. So in an IP pool, a gateway with configured internal modes functions as a DHCP server to connect the client, and it will issue them with networking information. For example IP addresses, subnet mask as well as we have a support for split tunneling so split tunneling to enable it enter the multiple network addresses.

The gateway is assigned an IP address for the connection. So you can map the IP address to the user for user ID functionality. And then we have the next tab that wean go to is the network services in there. We can provide information about primary DNS and secondary DNS, or we can leave it to the inheritance source. So this is getting from whatever the user is using and global protect and user ID for mobile or roaming users. The global protect client provides the user-mapping information directly to the firewall directly. This login information is then added to the user ID user mapping table on the firewall for visibility and user-based security policy enforcement. Next thing I’m going to do, I’m actually going to start configuring all of these that we talked on the live firewall. The first thing is that we need to configure a tunnel interface because we’re going to have a global protected external gateway. So to do that I need to stay on the network and go to the interfaces and the interfaces. I have a tunnel tab here, and I’m going to configure a tunnel interface.

This is a virtual interface; it doesn’t exist yet, so the interface name is “tunnel,” so read “only.” I can’t change that, but just dot 55. For example I’m going to use after we put some comments. We don’t have a network profile; we need to add it to the virtual router. So, for example, our virtual router is going to be outside, and the security zone is going to be on the inside. That’s all we have to do. We don’t need to give an IP address or we don’t need to configure advanced or anything and click Oxo now that our tunnel interface is configured, we can go and configure the global protect gateway, which is called “network global protect gateways,” and here I click “add.” I’m going to give a name as a global protect gateway and then we need to give allayer three interface which for example for us is going to be the one that’s pointing outside. So interface Ethernet eleven, and you can see that we can have IPV four and IPV six. I’m going to just choose IPV4 only, and the IPV4 address for this is going to be this two or 3011 320. This is the address where the user is going to try and connect to the Global Protect portal as well as the gateway.

And then under the authentication I have to chooseSsltls server profile which here I’m going to be using the portal certificate and the client authentication. On the client authentication. I’m just going to choose as a name global protect gateway client authentication.

And then you can see that for operating systems, we can choose any of these—any of these that we have here. You can choose the word “any,” which will include all of these operating systems. Or you can just choose, for example, a different authentication profile for Windows, a different authentication profile for Mac, and so on. But I’m going to use any in the authentication profile. We did this on lesson 10.2, and this is the asterisk authentication profile, which is going to look at the LDAP and then the global protected login screen. We can change it or we can just leave it as a default. After we did the authentication the next thing I’m going to do is global protect gateway agent configuration. So I need to go to agent, and then, because this is going to be an external gateway, we need a tunnel mode, and in the tunnel interface I’m going to be using, it’s the one that I created at 55. We’re going to leave IPsec enabled by default, and then IPsec crypto, we’re going to leave it at default, and we’re not going to enable X-Factor authentication support under the client settings. I need to configure the client settings what configuration the clients are going to get, right? So as a name, I’m going to give it the name “just client settings,” and then I’m going to leave authentication override default, just IP pools. I’m going to configure an IP pool because we have a tunnel there. So I’m going to add here what IP addresses my global protect user is going to get.

So anything on this network, ten 1100 up to ten one10 I’ll say 210 for example 210 from 200 to 210.So anything in the range from ten one 1200 up to ten one 1210 that’s my global protect users. We’re going to get split tunneling, we’re going to not use split tunneling, and that’s it. The next step I’m going to go to is network services, and here we can define what a primary DNS server and a secondary DNS server are. So for example, for the primary DNS server, let’s just give it to our Windows domain controller, and for the secondary, we can maybe give it a public one and click OK, client IP pools, and all that. I’m just going to leave the rest to default. So that’s my global protect gateway configure. And that’s it. I’m going to commit this and after we do the next section we’re going to go with the client machine and try and get or actually connect to. So commit here. Okay, excellent. The commit has completed successfully. But we got one warning that says well, two warning actually. First warning says zone inside does not have enabled user ID identification turned on for global protect

gateways. So we need to enable user identification. And then the second warning is that IPV6 is not enabled. But that’s okay; it can be ignored. So we need to go to that zone, the inside zone, and enable the user identification. So inside the enabled user identification, click OK, and then I’m going to commit it again. Okay, this has committed now successfully. Excellent. And we can go and test the next video.

Leave a Reply

How It Works

Step 1. Choose Exam
on ExamLabs
Download IT Exams Questions & Answers
Step 2. Open Exam with
Avanset Exam Simulator
Press here to download VCE Exam Simulator that simulates real exam environment
Step 3. Study
& Pass
IT Exams Anywhere, Anytime!