4. 10.4 Configuration GlobalProtect gateway
In this video, we are covering PCNSA 210, which is our chapter ten global Protect remote access VPN. Now this is the fifth video of chapter ten which is 10.5 configuration of global protect agents. Now after all our configuration that we did on the previous lessons we did global protect portal configuration, global Protect gateway configuration, we made our firewall ready for global protect comes down to this can we install our agent in the client machines? So the global protect client software runs on an end-user system and enables access to your network resources via the global protect portals and gateways that we have deployed. This software will be available in both agent-based form for Windows and macros systems and app-based form for mobile devices. So the first step to installing the agent—because this agent must be installed before a connection can be established—is to download the software, which we can do by opening a secure web browser, navigating to the portal address, and authenticating with the username and password. After the authentication is done, the user will be prompted to download the agent software, and they can choose the appropriate version. So, for example, if you have a 32-bit machine, you choose 32-bit or 64-bit Windows, or you can have a Mac that is 32-bit or 64-bit, and after that, after we install the agent, the user may have to configure the client software depending on how the global protection administrator has configured the environment. But at least we need to have a fully qualified domain name or the IP address of the portal to start this connection process. If the global protect is not configured for single sign on, a user and password also are needed.
Client configuration now allows the global protect administrator to make the global protect completely transparent to the end user, which gives them no control over the connection. Clients that require manual configuration must supply their login information in the general tab of the agent and then to monitor we can go. So we got monitor logs, user ID and we look at what user has connected and how dowel get that user through global protect. For example. Okay, so the next thing I’m going to do, I’m going to actually demonstrate for you how to get global protect on the client machine. Okay, so the first thing I need to do is access my firewall and all the configuration we did in the previous lesson, lesson ten point 210.310.4, and so on. On this lesson I’m not going to go back and check everything. We can check everything on when we do the lab, we can do everything in one go, right? But with all this configuration that we did, it should be fine now. So the next thing I need to do is access a machine that is located on the outside zone, and then you can see the outside zone. And from this machine I’m going to download the global protect software and I’m going to access remote access VPN to our inside zone.
So first of all, I’m going to open command fronts we can see what IP address that we have. So IP just going to type here IP confit and wean see that we are in two or 301132 or four. So now, really, if I ping a server inside, it’s not going to work because that’s an inside server. So 120 is my domain controller. And see that’s not working. Right. What I’m going to do, I’m actually going to set as a continuous ping and then we’re going to download the Global Protect sign in and comeback here and hopefully we get some replies. Okay, so I’m going to minimize this and I’m going to open a browser and in the secure browser I’m going to connect to my Global Protect portal, which is the address is well, let’s go https 2030 one 1320.Okay, I’ve got a connection with my portal. So yes, this is not secure because I have not imported the trusted root CA certificate. So, yeah, I will advance this to this portal, and then I will have to log on to this. And the user I’m going to be using is some domain controller user that I have created called Astrid user. And the password is Palo Alto. And after I’m authenticated, you can see what software the portal is issuing me to install. I have to choose the correct one. So for example, this machine is running a 32bit I can check it, it’s got 32 bit machine and I’m going to download that software.
Okay, the download is complete. So, yes, I’m going to keep this software, and then I’m just going to click on that to start the installation of the software. Okay, something should have come up by now. Let me just see. Maybe it’s behind—yeah, there we go. Yes, I would like to run this software just like a normal, regular installation. Now to the finish. Okay, so the next screen is the welcome screen for the global project setup wizard. Yeah, click next to start the installation. Okay, now that it’s finished installing, closes and we should already have a Global Protect coming out down heredity will come very soon now because I’ve got so many machines again running very slowly, but it will come up. Okay, that took nearly a minute or so. Now that I need to put the IP address of my Global Protect portal, which is 2, or 3011 320, And you see it’s connecting to my Global Protect. And we’ll see now that we get certificate errors because it says we don’t trust a certificate. It’s not that in our trusted authority or certificate authority. Yes, we’ll continue to do that. It’s fine. OK, now because we have not enabled single sign-on, we have to sign on again. I’m going to sign on Astrid user. So Astrid user and the password is Palo alto sign in.
Okay, now we are connected. So if I click on this settings icon or gear icon, you can see the user. An asterisk user is connected to this address. And the connection you can see is an external gateway. The type of external tunnel is yes; we authenticated. And you can see the IP address that we have, and that’s our gateway. So we can see the host profile troubleshooting. We didn’t have to do anything. If we have to do some troubleshooting, then we can get logs. So Global Protect services or the agent should start logging. Anyway, everything is working fine. So there is no troubleshooting we have to do. And the next thing I’m going to look at is I’m going to look well that took like two minutes or something to connect.
And you can see now that I am pinging my server. So from the time we have connected, see, it didn’t work. It didn’t work, it didn’t work, it didn’t work. And then at this point we started connecting, and we can ping my server. Excellent, great. And now I can go to my firewall, and on the monitor, I can see who is connecting. So if I go to logs and then use rid, we can see that it should say the Asterisk user is logged in from Global Protect. As you can see, there Astrid user global protect. And the good thing is that we’re virtually connected to our inside network. We are pinging our local domain controller.
5. 10.5 Configuration Global Protect agents
In this video, we are covering PCNSA 210, which is our chapter ten global Protect remote access VPN. Now this is the fifth video of chapter ten which is 10.5 configuration of global protect agents. Now after all our configuration that we did on the previous lessons we did global protect portal configuration, global Protect gateway configuration, we made our firewall ready for global protect comes down to this can we install our agent in the client machines?
So the global protect client software runs on an end-user system and enables access to your network resources via the global protect portals and gateways that we have deployed. This software will be available in both agent-based form for Windows and macros systems and app-based form for mobile devices. So the first step to installing the agent—because this agent must be installed before a connection can be established—is to download the software, which we can do by opening a secure web browser, navigating to the portal address, and authenticating with the username and password. After the authentication is done, the user will be prompted to download the agent software, and they can choose the appropriate version. So, for example, if you have a 32-bit machine, you choose 32-bit or 64-bit Windows, or you can have a Mac that is 32-bit or 64-bit, and after that, after we install the agent, the user may have to configure the client software depending on how the global protection administrator has configured the environment. But at least we need to have a fully qualified domain name or the IP address of the portal to start this connection process. If the global protect is not configured for single sign on, a user and password also are needed. Client configuration now allows the global protect administrator to make the global protect completely transparent to the end user, which gives them no control over the connection. Clients that require manual configuration must supply their login information in the general tab of the agent and then to monitor we can go. So we got monitor logs, user ID and we look at what user has connected and how dowel get that user through global protect. For example. Okay, so the next thing I’m going to do, I’m going to actually demonstrate for you how to get global protect on the client machine. Okay, so the first thing I need to do is access my firewall and all the configuration we did in the previous lesson, lesson ten point 210.310.4, and so on. On this lesson I’m not going to go back and check everything. We can check everything on when we do the lab, we can do everything in one go, right?
But with all this configuration that we did, it should be fine now. So the next thing I need to do is access a machine that is located on the outside zone, and then you can see the outside zone. And from this machine I’m going to download the global protect software and I’m going to access remote access VPN to our inside zone. So first of all, I’m going to open command fronts we can see what IP address that we have. So IP just going to type here IP confit and wean see that we are in two or 301132 or four. So now, really, if I ping a server inside, it’s not going to work because that’s an inside server. So 120 is my domain controller. And see that’s not working. Right. What I’m going to do, I’m actually going to set as a continuous ping and then we’re going to download the Global Protect sign in and comeback here and hopefully we get some replies.
Okay, so I’m going to minimize this and I’m going to open a browser and in the secure browser I’m going to connect to my Global Protect portal, which is the address is well, let’s go https 2030 one 1320.Okay, I’ve got a connection with my portal. So yes, this is not secure because I have not imported the trusted root CA certificate. So, yeah, I will advance this to this portal, and then I will have to log on to this. And the user I’m going to be using is some domain controller user that I have created called Astrid user. And the password is Palo Alto. And after I’m authenticated, you can see what software the portal is issuing me to install. I have to choose the correct one. So for example, this machine is running a 32bit I can check it, it’s got 32 bit machine and I’m going to download that software. Okay, the download is complete. So, yes, I’m going to keep this software, and then I’m just going to click on that to start the installation of the software. Okay, something should have come up by now. Let me just see. Maybe it’s behind—yeah, there we go. Yes, I would like to run this software just like a normal, regular installation. Now to the finish. Okay, so the next screen is the welcome screen for the global project setup wizard. Yeah, click next to start the installation. Okay, now that it’s finished installing, closes and we should already have a Global Protect coming out down here.
It will come very soon now because I’ve got so many machines again running very slowly, but it will come up. Okay, that took nearly a minute or so. Now that I need to put the IP address of my Global Protect portal, which is 2, or 3011 320, And you see it’s connecting to my Global Protect. And we’ll see now that we get certificate errors because it says we don’t trust a certificate. It’s not that in our trusted authority or certificate authority. Yes, we’ll continue to do that. It’s fine. OK, now because we have not enabled single sign-on, we have to sign on again. I’m going to sign on Astrid user. So Astrid user and the password is Palo alto sign in. Okay, now we are connected. So if I click on this settings icon or gear icon, you can see the user. An asterisk user is connected to this address. And the connection you can see is an external gateway. The type of external tunnel is yes; we authenticated. And you can see the IP address that we have, and that’s our gateway. So we can see the host profile troubleshooting. We didn’t have to do anything. If we have to do some troubleshooting, then we can get logs. So Global Protect services or the agent should start logging. Anyway, everything is working fine. So there is no troubleshooting we have to do. And the next thing I’m going to look at is I’m going to look well that took like two minutes or something to connect.
And you can see now that I am pinging my server. So from the time we have connected, see, it didn’t work. It didn’t work, it didn’t work, it didn’t work. And then at this point we started connecting, and we can ping my server. Excellent, great. And now I can go to my firewall, and on the monitor, I can see who is connecting. So if I go to logs and then use rid, we can see that it should say the Asterisk user is logged in from Global Protect. As you can see, there Astrid user global protect. And the good thing is that we’re virtually connected to our inside network. We are pinging our local domain controller.
6. 10.6 Lab Global Protect
Covering PCNSA 210 And this is our chapter ten global Protect remote Access VPN. Now this is the 6th video of Chapter 10, which is 10.6: Global Protect. Now I’m going to configure Global Protect from scratch. So I’m going to do every little thing that needs to be done in Global Protect. But I’m not going to explain every little detail because then this video is going to get very, very large or very, very long. It is not going to be a short video to watch because there’s a lot to configure for Global Protect. And this is what we’re going to do. We’re going to create certificates for the Global Protect portal, the internal gateway, and the external gateway. We can attach certificates to the SSL/TLS profile, we’re going to configure a server profile and authentication profile to be used with authenticating users, and we’re going to create and configure the tunnel interface to be used with external gateways. And then we’re going to configure the external gateway and portal, host the Global Protect agent on the portal for download, and then test the external gateway. So there is a lot of stuff to configure, but it is interesting and very fun when you configure Global Protect. Now this is a lab topology that we’ll be using to demonstrate for you the Global Protect.
I already have a Windows 7 machine that’s in the outside zone with this IP address that will be using Global Protect to come into the inside zone and start accessing the shares and contents on the inside zone. For this demonstration, I will be using one firewall to host both the Global Protect portal and the Global Protect gateway. So they will have the same IP address, and we’ll have only one certificate. This user is going to access the portal. The portal is going to authenticate and authorize it and actually give the software that this machine has to install, as well as the list of gateways they have. The firewall will actually authenticate with the Windows server to make sure the user in the outside zone has access to the global protect. I already have a user called Pan Agent in the Windows server, and that’s going to be communicating with a firewall and the agent, and I already have a user who’s allowed to come from outside to inside. That user just called my name. So Astrid user. Okay, so let’s start configuring global protection.
So the first thing that we’re going to do is actually go and create certificates for Global Protect portal’s internal gateway, even though I’m not going to use the internal gateway, but I’m going to show you one certificate to create for that and the external gateway. So I’m going to always come back to this window because there’s a lot of stuff to do and we don’t want to forget any of the items on this list. So if I access my firewall and in the firewall I have reset everything. I have cleared all the logs. So there’s nothing in there, just a regular configuration like zones and interfaces, IP addresses, and so on. But there is nothing for global protect configuration. Okay, so the first thing that we need to do is create certificates, and we’re going to create three certificates. One as a certificate authority, which is going to be trusted by internal users, and that’s going to be issuing and signing all other certificates. For example, for the internal gateway, the external gateway, and the portal. Okay, to create the certificates, I need to go to devices and then certificate management and certificates. So we have three certificates here.
So the first certificate that we’re going to generate is going to be our certificate authority certificate, which is going to be signing other certificates as well. So I’m just going to call this an Astrid CA certificate. And for the common name I’m going to use the same and I’m not going to assign it by any external authority. So we have to export the certificate and import it into our client machine to trust it; otherwise, they’re not going to trust it, and this is going to be our certificate authority. Okay? So if I press F11 here, I can see everything and generate the certificate. So this is my first certificate authority certificate generated, and then I’m going to generate two more certificates, one for the portal and one for the internal gateway. The portal will be the external gateway as well. So on this one, I’m going to call it a portal, a portal, and an external gateway. The certificate and IP address for this portal and external gateway certificate are 2030, 1320, and this certificate will be signed by this certificate authority.
That’s it. Then I’m going to create another certificate. Now this one is for the internal gateway. So it’s not going to be the portal, just an internal gateway. And I’m not going to actually use an internal gateway; I’ll just explain how to make a certificate for them. So 1921-6821 is the IP address of this internal gateway, and it’s signed by this same certificate authority. Click Generate. Now we have a certificate done. So the second step, if I go back here, was to attach certificates to the SSL/TLS service profile. So I need to go to my service profile and attach these certificates. So just a bit further down, still under the device, I have an SSL/TLS service profile, and I’m going to create one for the external. So external SSL TLS and external SSL TLS are going to use an external certificate. And I’m going to create another SSL TLS for the internal SSL TLS. and this is going to be for the internal TLS. So internal gateway. Okay, so my SSL/TLS service profile is done. So the first step to create the certificates and the SSL TLS is complete. The next step is to configure a server profile and an authentication profile. So server profile first.
Now for the server profile, we need to go to “Device server profiles,” and we’re going to be using LDAP, even though we can use radios, taka, LDAP, Kerberos, and soon, LDAP. So that’s going to be our server profile. Like I told you before, I already have an account on my domain controller as an agent that this firewall is going to use to access LDAP information. So I clicked “Add Here” under the profile name. I’m just going to call it that. Astrid LDAP server profile. Profile. And for the server list, I’m going to use my domain controller, which is our 2016 server and LDAP server. Well, the IP address is 1921-6812 the port we’re going to leave it to default the server settings that’s going to be for example, Active Directory. We can have others but for us is Active Directory and the distinguished base name is going to be DC Lab and DC Local.
Now to bind a distinguished name, I already have one; like it told you, I have a domain controller here that’s running, and in there I have an agent. So let me just log on and show you who the firewall is going to actually communicate with. Okay, so Palo Alto is the password. So in here, if I open Active Directory, users and computers just want to show you the agent. It’s already configured, and one account is going to be allowed to access Global Protect. So in Active Directory, users and computers are listed, and the agent is here. So pan agent. And this is going to communicate between the firewall and this domain controller. I already have an asterisk user here who’s allowed to access Global Protect. Excellent. So now if I go back to my firewall and press F 311 to see it better, And the connection here is PAN at LAB. The local password is Palo Alto. Easy so I can remember that bind timeout, search timeout, everything, leave them to default and untick require SSL TLS secure connection. This is my authentication server profile. Now I have configured that I have to add this to my authentication profile. So if I go to just be up and on the device authentication profile I’m going to create a new one and say Astrid authentication profile and type. Well, here is going to be where you can see what types of different authentication profiles we can use. I’m going to be using LDAP, and the one that I created earlier was this one.
So this binds to the LDAP server profile area, and the user domain is going to be Lab Local. That’s it. And under the advance you can see this quickly red line. That means that we have to fill something in it and we have to allow some users for authentication. I’m just going to select all of them and click OK. Now I have my server authentication profile and the authentication profile. So if I go back to my list, what I need to do is configure the server profile and authentication profile to be used with the authentication user. Done that. Create and configure the tunnel interface to be used with an external gateway. So the next thing we need to do is configure the tunnel. So I need to do that under the network interfaces, and I go to the tunnel interface, click Add, and we can’t change the name. It’s read-only, but I’m just going to give a number. So 55 and comment nothing. I don’t need to configure anything apart from adding it to the virtual router, which is going to be my lab VR, and the security zone, which is going to be the inside zone. So that’s it for our terminal interface. Just give it an ID and create a virtual router and security zone. We don’t need to give an IP address or anything else in advance. That’s it. The next thing is to configure the external gateway and portal. You can see all of this; you can see that everything up to here has been done quite quickly. Now we need to configure the gateway, the external gateway, and the portal. So first I’m going to do the portal, and to configure that, I need to go to the network global, protect portals, and click add under the portal. So I’m going to just add a name. So global protect portal.
And the interface for this portal is going to be our outside-facing interface, which is Ethernet one. And the IP address, which I’m going to use. Only IPV four. Is this 1230-1132 now appearance I’m going to leave it into default. I’m not going to change how it appears. For authentication I need to use SSL Teleservice profile which I have configured already. And this. Is my external Salts. And this is going to be used for a portal, and it’s going to be used for a gateway. And under the client authentication, I click Add, and I give it a name. So global Protect client authentication. Authentication and you can see the operating system wean use different operating system for different authentication but we can see we have Windows, Mac, Linux and so on but I’m going to leave it to any an authentication profile is what we configured earlier. So it’s going to be that authentication profile, which means that it says “use LTAP” and you can see the apologia screen while we leave it to default. You can change the entry, like the command, or the message if you want to. What kind of authentication Login authentication you want to use or login credentials.
Okay, let me go back there. Okay, so after authentication is done, we’re not going to collect any data. So we’re going to go straight to the agent. An agent. We need to add something to the root CA that the clients will trust. And here we add our root CA so certificate authority certificate that we have and we say install this in the local certificate store. And after that, we configure the agent. So if I go to “agent” and under “agent,” I’ll just put the name “Global Protect Agent Confit,” for example. We’re not going to have anything. All this is by default. I’m just going to go straight to the external because I don’t even have anything here to configure. Nothing internal; just external straightaway, and configure my gateway. Here, click “add” and enter “external gateway” and the IP address of the external gateway. I can use a fully qualified domain name, but I don’t have any DNS set up. So I’m just going to use the IP address, which is two or three and does zero 1320, and then I can configure, for example, the priority from the region. So say any region; I’m going to give it the highest priority. And in the other videos, we talked about different regions, for example, the UK, the United States, Brazil, and so on.
But here I’m just going to say any and highest and click OK, I’m not going to configure anything under the app or host information profile, so click okay here I’m not going to configure clients VPN, client less VPN or anything for the satellite. So we’re just done here. The next thing I’m going to configure is the next thing I’m going to configure is a global protect gateways. So I click that and select Add. Now under the name I just put global protect gateway. And on the network setting, we need to put the layer three interface, which is going to be our outside phasing interface, which is Ethernet 1, and that’s the IP address under the authentication. Well, I’m going to use an external SSL/TLS profile under client authentication. Again, same thing. I’m going to put the name as an external gateway authentication and this is again for every operating system I’m going to just use one authentication profile that we have and login screen leave it as a default. After that, I’m going to configure the agent, and the agent is actually the one that is performing, like DHCP is going to give out the IP addresses and so on. Because we are using an external gateway, Global Protect, we need tunnel mode. I’m just going to leave it to enable IPsec by default there, and the tunnel interface is the one that I created earlier. So 55 everything, leave it to default.
Under the client settings, I need to add the client setting. This is going to be like your DHCP server. So what we need to add, we need to add the well give it a name so client global Protectant we just need to add here the pool what addresses our PC is going to get. So the IP addresses of PC is going to get is on the network ten. So anything with a ten from ten one 1200all the way up to ten one 1210.So these are the range on their addresses, only ten IP addresses available. Well eleven, so I’m not going to configure anything for split tunnel or Network services, just click okay here on the Network services here I’m going to configure like what is going to be the primary DNS which is my Windows domain controller, one six 8120 and for secondary I’m just going to use a public domain DNS. Everything else we leave it to default. Click OK. So now we have configured an external gateway and portal. The next thing is to actually check the global protect agent on the portal for download. So we need to actually see what kind of software we have installed so device and we have to go to global down at the end, towards the end global protect client. So I have all these latest versions downloaded, and I have them currently activated as well. They didn’t work because maybe I have all the versions of Windows 7 that I’m using. For me, 4.1 points out of 11 actually worked correctly, and I could use it.
So at the moment currently active have is 4.1 point eleven. So after we just going to commit everything that we did and then we’re going Togo to the client and test is working. Okay, the one thing that actually says “this commit” is telling us the inside zone has not got user identification enabled. So we have to go there and configure, just as the second warning is about IPV6 not being enabled, but it says that this one can be ignored. So we need to go to the inside zone and enable user identification. So I close that, go to networks, then zones, and I’ll have an inside zone. So I’ll access the inside zone and enable user identification. Click OK, commit it again, and then go and test it. Excellent. Now the commit has completed successfully, we can go and test its if I just click F11 there, then let me just start this.
Okay, now this machine is going to be used because it’s located. You can see 230-1132 or 4. It’s located on the Internet, right? So in the cloud. So we’re going to use global protect to access the inside network. And I’m going to show you here, let me just show youth IP address that it’s using IP confit and you can see it’s two or 301132 or four, that’s the IP address. And if I try, for example, to ping this Windows server from that IP address, it should not work. So if I say “ping” (1921-6812), that’s a service IP address, and that’s not working. So, as you know, that’s expected because it’s a private IP address inside a private network. Okay, so what I’m going to do is run the continuous ping, and after we download the global protection and sign in, we come back here and have a look, and hopefully the pinks should have replied, which means that we are in the inside network. So the first thing to do on this client machine is to open the browser and navigate to the portal’s IP address. And then the portal will tell us or give us software. After he authorizes and authenticates, it will issue us the software that we can download for Global Protect. So the address is Https and the global Protect address, a portal address is 2301 320.So the first thing is that we access the portal. Okay, so we don’t trust because I have not imported that main certificate. So it’s fine that we’re not trusting.
We just go and proceed here. Okay, here. Now I have a global login screen for the Protect portal login screen. I have to use one of the accounts I created that’s allowed to access so Astrid user and password, Palo Alto, just so I remember it. Okay, so now that Global Protect has authenticated and authorized us, it is giving us the option to download the Global Protect software. So for the software to download, we have to choose the one that we actually have the correct version of. So either 32 bit windows, 64 bit windows or Mac 32, 64 bit. To check it, I can just right-click on the computer and go to properties, and that will show me whether it is 32-bit or 64-bit. As you can see, this is a 32-bit operating system. So I need to download 32 bits. Okay, now they’ve downloaded. Do you want to keep this file? Yes, I do want to keep it. And then we start the installation. So if I just click in there, that should start the installation. Okay, so the installation should be easy. It’s pretty much next to everything. Because I have three or four machines running this now, it’s going to start slowing down a little bit. Okay, we got the wizard that says “welcome to the global Protect setup wizard.” Do you want to install it? Yes, at the next location where you want to install it? Well, yeah, that’s fine. that location, click next, and then we’re ready to install. Okay, now the installation has been completed successfully. We can close this, we can minimize this, and we’ll see how Global Protect is going to come out here. Okay, it has come back. So now we need to put the IP address of the global Protect portal, which is two, three, dot, zero, one, 1320. Now we got the server certificate error because, again, I didn’t import the certificates on this machine. So yes, I can, and I’m okay with that. Okay, now because we don’t have a single sign on, so we have to sign on again, and it was asterisk user and the password was follow also.
Okay, now we have connected. Now it’s taking this time because I have so many machines running in one machine, so many virtual machines running. But you can see now that Global Protect is connected and that we have a reply from our internal server. If I click on the gear right under here and go to settings, I can see the asterisk user is connected to the portal and connection. We have connected to an external gateway and a VPN tunnel and authenticated. That’s the IP address that we got. That’s the gateway that we are using, which is excellent. Now we can access the server. You can see that we ping the server if I disable it, for example. So to disconnect you have to just click on that and then click disable and that’s going to stop there. Then you can’t ping it. So if I enable it, then we’re going to start pinging it. Okay, I’ll enable it again and if I go back to the firewall and look at the monitor so just monitor and we should have under logs user ID. You can see that we have a user iDMe. We connected through a VPN client, and the source type is Global Protect.
