With everything that is happening around the world, and the increased need for employees to work from home, many organizations are seeing the need for remote access to their networks. This post will be covering the entire configuration needed for setting up remote Palo Alto GlobalProtect.
GlobalProtect is Palo Alto's remote access VPN solution. GlobalProtect requires a portal for users to download the remote VPN Client, and a gateway for the client to remotely connect to. In this post we will not be using client certificates, but in a large environment where a PKI infrastructure is already present, that is a better option than just authenticating with user credentials.
List of section headers:
I. Client Download
II. Configuring Interfaces
III. Certificate Creation
IV. Authentication Method
V. Configuring Gateway and Portal
VI. Downloading and Connecting GlobalProtect Client
The firewall used in this tutorial is running PAN-OS 9.1.1 while we doing testing; we suggest using a recent stable version like 8.1.13 in production.
I. Client Download
First we will need to download and activate the GlobalProtect Client so that users can download it from the portal.
1. Open the Admin web portal for your Palo Alto firewall. Under the 'Device' tab at the top of the web UI, and then click 'GlobalProtect Client' in the left column.
2. Click ‘Check Now’ at the bottom of the page to obtain the most up-to-date versions of the GlobalProtect client. Then select the version of the client you would like to use and click download. After the download is complete, click activate.
II. Configuring Interfaces
This tutorial assumes that you already have the physical interfaces on the firewall configured and accessible. In this section we will be creating a tunnel interface for use with the GlobalProtect gateway. This tunnel interface is where the clients will be connecting through.
1. Under the ‘Network’ tab, select ‘Interfaces' in the left column, and then the 'Tunnels’ tab.
2. At the bottom of the page, click ‘Add’ to add a new tunnel interface. Give the tunnel a number and select the router you want the tunnel to be a part of.
3. Select the ‘Security Zone’ drop down, and click ‘New Zone’ to make a new zone for the remote access traffic. Give it a name and click ‘OK’. Then click ‘OK’ again to create the tunnel interface. Also check 'Enable User Identification'.
4. Next you need to create rules in the security policy to allow traffic from the remote access traffic to any resources they need to access on the internal network as well as out to the internet.
III. Certificate Creation
Now that the tunnel is created and rules for remote access are in place, we need to create certificates for the GlobalProtect portal and the GlobalProtect gateway. In this example I will be creating a Certificate Authority on the firewall, but if you have an external certificate authority or want to use LetsEncrypt, you can import the certificates for use with the portal and gateway.
(Note: When using a self signed cert, you will need to install the created Certificate Authority Cert into the ‘Trusted Root Certificate Authorities’ store on each of the client devices.)
1. Under the ‘Device’ tab, select ‘Certificates’ in the left column.
2. At the bottom of the page, select ‘Generate’ to create a new certificate. This will be the certificate authority used for signing the portal and gateway certificates. Give it a name and a common name, and ensure to check ‘Certificate Authority'. Then click ‘Generate’ to create the certificate.
3. After creating the CA certificate, select ‘Generate’ at the bottom again to create a new certificate. This will be for the GlobalProtect web portal. Give the certificate a name, and the common name should be either the IP address of the interface or the FQDN that users will be connecting to in their web browser. Also select the CA certificate we just created for signing the certificate.
If you’re not using DNS and your users will download the client from the internal network, it should be the IP of whatever interface on the firewall you intend to enable the portal on. If the portal or gateway will be accessible from the internet, the common name should be your external address.
4. Now create a certificate for the gateway that the GlobalProtect Client will connect to. In our environment we are connecting to a FQDN, so that is what is in the common name field.
5. Now that the certificates are created, select ‘SSL/TLS Service Profile’ from the left column.
6. Click ‘Add’ at the bottom of the page to create a new profile. Give the profile a name and select the portal certificate that was just created and click ‘OK’ to create the profile.
7. Create another profile except with the gateway certificate.
IV. Authentication Method
Next we need to create the authentication method that the portal and gateway are going to use. For authentication we will just be using the local database on the firewall, but if you already have an LDAP or RADIUS server setup with your users, you can use that instead.
1. Under the ‘Device’ tab, select ‘Authentication Profile’ from the left column.
2. Click ‘Add’ at the bottom of the page to create a new profile. Give it a name and for the type, select ‘Local Database’.
3. Under the ‘Advanced’ tab, select which users will be allowed to authenticate using this profile.
Note: The local Database does not include administrative users.
V. Configuring Gateway and Portal
With all of the profiles created, now its configuring the portal for downloading the GlobalProtect client and gateway for connecting with the client.
1. Under the ‘Network’ tab, select ‘Portals’ from the left column.
2. Click ‘Add’ to create a new portal. Give the portal a name, select the interface the portal will be accessible from, and select the IP address that the portal will be listening on.
3. Select the ‘Authentication’ tab. At the top select the SSL/TLS profile that was created for the portal.
4. Under the ‘Client Authentication’ section, click ‘Add’. Give it a name, and select the authentication profile that was previously created. Also change the bottom drop down to 'Yes' since we are not using client certificates. Then click ‘OK’.
5. Go to the ‘Agent’ section.
6. Click ‘Add’ under ‘Agent’. Give the agent config a name.
7. Go to the ‘External’ tab. This is where the external gateways will be defined in the client when a user downloads the client.
8. Click ‘Add’ under ‘External Gateways’. Give the gateway a name, the FQDN or IP that is reachable externally, and select the source region that is to connect to the gateway. It is important that the FQDN or IP matches the common name in the certificate that was created for the gateway, not the common name of the portal certificate.
9. Click ‘OK’ a few times to finish creation of the portal. Then head over to ‘Gateways’ in the left column.
10. Click ‘Add’ at the bottom of the screen. Give the gateway a name, and select the interface and IP for the gateway to listen on.
11. Go to the ‘Authentication’ tab, select the SSL/TLS profile for the gateway, and add a client authentication method. This is the same process as steps 3 and 4 in this section.
12. Go to the ‘Agent’ tab. Enable Tunnel Mode and select the tunnel interface that was created earlier.
13. Go to the ‘Client Settings’ tab and click ‘Add’.
14. Give the configuration a name.
15. Go to the 'IP Pools' tab. In the right box, add the address pool you want to be used for the remote clients.
16. Under the ‘Split Tunnel’ tab, in the left box, add what subnets you want the clients to be able to access remotely. If you want all traffic to pass through the tunnel put 0.0.0.0/0.
17. Then under the ‘Network Services’ tab, put the name of the DNS server you want distributed to the clients.
18. Click ‘OK’ a few times to finish creation of the gateway object. Now commit your changes to active the portal and gateway.
VI. Downloading and Connecting GlobalProtect Client
Finally the users will need to download the GlobalProtect client from the portal and connect to the remote access VPN.
1. In a web browser, access the web portal via the address that was set when creating the portal.
2. Log into the portal and download the agent.
3. Input the address for the gateway and the username and password when prompted for it.
4. The GlobalProtect client should then connect and you will have access to the internal network.
This is quite an involved process for setting up remote access, but that also comes with the possibility of customization. In our next post on Palo Alto we will be using RADIUS for authenticating to the GlobalProtect Portal and Gateway. If you need any help setting up Remote Access for your business, please reach out to us at contact@spikefishsolutions.com or DM us @teamspikefish on Twitter/Instagram. We are here to help during this time of crisis and it benefits all of us to keep businesses of all sizes up and running.