
PA Remote Access or GLOBAL PROTECT

  • Writer: Mukesh Chanderia
  • Jan 16, 2022
  • 2 min read

Updated: Feb 27, 2022

GLOBAL PROTECT


There are three components:


Global Protect Portal: the central configuration point. It tells the client which gateways exist and can list multiple gateways (e.g., firewalls at the Main and DR sites).

Global Protect Gateway: terminates the VPN tunnels. There can be multiple gateways on multiple firewalls (Main, DR).

Global Protect Client (the GlobalProtect app): must be downloaded and activated on the PA firewall so the portal can distribute it to users.


Step 1: Create a new zone, e.g., GPZONE, and enable "User Identification" on it.

Step 2: Create a tunnel interface and place it in GPZONE.

Step 3: Generate a self-signed certificate, or install a CA-issued certificate (both the Root CA certificate and the identity certificate).

Common Name: the firewall's external interface IP address or its FQDN (Fully Qualified Domain Name). The name users enter for the portal must match the certificate, and with a self-signed certificate the clients must be made to trust it explicitly (see the certificate steps below).

Step 4: Create an authentication profile and allow all users or specific users/groups.

Step 5: Create users in the local user database, or use an external user database (AD).

Step 6: Create the GlobalProtect gateway.

Step 7: Add the GlobalProtect portal:

Interface: the outside physical interface

Authentication: the authentication profile

SSL/TLS Service Profile: create a new profile that references the (self-signed) certificate.

Step 8: Create the security policy.

Step 9: Commit.


Step 1:


Download and activate the GlobalProtect client software on the firewall (the version you want to distribute to users).


Device --> GlobalProtect Client



Step 2: Create a new tunnel interface and a new zone, "VPN" (the GPZONE of the summary above). No IP address needs to be assigned to the tunnel interface.


In the zone, enable User Identification so that VPN users are mapped to usernames in logs and in user-based policy.




Step 3: Device --> Certificate Management --> Certificates --> Generate. Use the portal/gateway FQDN or external IP as the Common Name.






Step 4: Get the certificate trusted. Export the certificate (the certificate itself if self-signed, the Root CA if CA-issued) and install it in the clients' trusted root store; otherwise the GlobalProtect app reports an invalid server certificate when it connects to the portal or gateway.
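The certificate work of Steps 3 and 4, reproduced offline as an added example (not from the original post): a lab Root CA, an identity certificate for the portal/gateway whose SAN carries the FQDN, and the three checks a client performs. The FQDN gp.example.com, the file names root.pem/gp.pem and the "Lab GlobalProtect Root CA" name are assumptions; the rejected cases show what Step 4 (root not trusted) and a wrong Common Name look like from the client side.

```shell
#!/bin/sh
# Added example, not part of the original post: build a lab Root CA plus a
# GlobalProtect identity (server) certificate and validate it as a client would.
# Assumed names: portal FQDN gp.example.com, files root.pem / gp.pem.
set -eu

# Create root.pem/root.key (Root CA) and gp.pem/gp.key (identity certificate)
# in $1 for the portal/gateway FQDN $2. The FQDN goes into the SAN because the
# client matches the name the user typed against the certificate.
build_lab_pki() {
  dir=$1; fqdn=$2
  cat > "$dir/root.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Lab GlobalProtect Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config "$dir/root.cnf" -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null

  # CSR for the identity certificate, Common Name = FQDN (Step 3)
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$fqdn" > "$dir/srv.cnf"
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$dir/srv.cnf" -keyout "$dir/gp.key" -out "$dir/gp.csr" 2>/dev/null

  # Server-cert extensions: not a CA, FQDN in the SAN, TLS server usage
  printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\n' \
    "$fqdn" > "$dir/srv.ext"
  openssl x509 -req -in "$dir/gp.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -days 365 -extfile "$dir/srv.ext" -out "$dir/gp.pem" 2>/dev/null
}

# Validate $1/gp.pem the way a client does: chain to the root in $3 ("none" =
# root not installed, the Step 4 failure mode) and hostname $2 against the SAN.
# Returns openssl's exit status: 0 only when both checks pass.
verify_as_client() {
  dir=$1; fqdn=$2; trust=$3
  if [ "$trust" = none ]; then
    openssl verify -no-CAfile -no-CApath -verify_hostname "$fqdn" "$dir/gp.pem"
  else
    openssl verify -CAfile "$trust" -verify_hostname "$fqdn" "$dir/gp.pem"
  fi
}

WORK=$(mktemp -d)
build_lab_pki "$WORK" gp.example.com
openssl x509 -in "$WORK/gp.pem" -noout -text | grep -A1 'Subject Alternative Name'

# Three client scenarios: trusted root + right name, root missing, wrong name
for case in "gp.example.com root" "gp.example.com none" "vpn.other.example root"; do
  name=${case% *}; mode=${case#* }
  if [ "$mode" = none ]; then trust=none; else trust=$WORK/root.pem; fi
  if verify_as_client "$WORK" "$name" "$trust" >/dev/null 2>&1; then
    echo "$name with root=$mode: accepted"
  else
    echo "$name with root=$mode: rejected"
  fi
done
```

Only the first scenario is accepted; the other two are the two mistakes this page is warning about (root not installed on the client, portal name not matching the certificate). For a self-signed portal certificate the same two checks apply, with the certificate itself standing in for root.pem.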






Step 5:


Create the SSL/TLS Service Profile that binds the certificate to the portal and gateway:

Device --> Certificate Management --> SSL/TLS Service Profile

Select the certificate from Step 3 and set the minimum TLS version to TLS 1.2.





Step 6: Create local users, or use an AD database instead.





Step 7: Create an authentication profile that controls which users can access the RA VPN.

We chose all users.



Multi-factor authentication can also be enabled; the drop-down lists the supported vendors.





Step 8: Create GP_GATEWAY


Network --> GlobalProtect --> Gateways


The gateway address can be either the external interface IP of the firewall or another IP from the public IP pool assigned to it.




To enforce client certificate authentication, select a Certificate Profile.



An SSL/TLS service profile (the server certificate) is required on the gateway: the client connects over SSL/TLS and authenticates the gateway by that certificate.






Add the IP pool from which the firewall assigns addresses to client systems. Use a range that does not overlap the internal subnets or common home LAN ranges.





Add the access routes (split tunnel): only traffic destined for these subnets is sent through the VPN tunnel.

Here 192.168.204.0/24 is our internal subnet.




If split tunneling is not enabled, all of the client's traffic, including internet traffic, passes through the tunnel and the firewall; in that case we are required to provide a DNS server IP to the clients.





Step 9: Now do the similar configuration for the portal.


Network --> GlobalProtect --> Portals




Under Agent, we also need to specify the trusted root CA certificate that will be installed on the client.




Define the gateway IP/FQDN as well as the source region from which users can connect.




There is also an option to add a third-party VPN client for Cisco or Juniper.



Step 10:


Define the security policy for VPN users.




Security policies are required to allow traffic from the VPN zone to the DMZ or Inside zone.


Note: the applications ssl, panos-global-protect and panos-web-interface must be allowed in the rule that governs traffic to the portal/gateway interface (in case any of them isn't already permitted).
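The same build written as PAN-OS CLI "set" commands, as an added example that is not from the original post. Object names are assumptions (tunnel.1, zones VPN/Inside/Outside, certificate GP-CERT, profile GP-SSL-TLS, the rule names); the gateway and portal objects themselves are left to the GUI steps above. Lines beginning with # are annotations, not CLI input. The two SSL/TLS profile lines show the weak setting (TLS 1.0 minimum) beside the corrected one.

```text
# Step 2: tunnel interface with no IP, placed in zone VPN with User-ID enabled
set network interface tunnel units tunnel.1 comment "GlobalProtect"
set vsys vsys1 import network interface tunnel.1
set network virtual-router default interface tunnel.1
set zone VPN network layer3 tunnel.1
set zone VPN enable-user-identification yes

# Step 5: SSL/TLS service profile bound to the portal/gateway certificate GP-CERT
# weak: leaves TLS 1.0 as the minimum protocol version
set shared ssl-tls-service-profile GP-SSL-TLS certificate GP-CERT protocol-settings min-version tls1-0
# corrected: require TLS 1.2 or newer
set shared ssl-tls-service-profile GP-SSL-TLS certificate GP-CERT protocol-settings min-version tls1-2 max-version max

# Step 10: VPN users reach only the internal subnet; portal/gateway services are allowed on the outside interface
set rulebase security rules VPN-to-Inside from VPN to Inside source any destination 192.168.204.0/24 source-user any application any service application-default action allow
set rulebase security rules Allow-GP-Services from Outside to Outside source any destination any application [ ssl panos-global-protect panos-web-interface ] service application-default action allow
```

Tighten the second rule's destination to the portal/gateway address and the first rule's applications to what the VPN users actually need; "any" is used here only to keep the fragment readable.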




© 2021 by Mukesh Chanderia
 
