Palo Alto GlobalProtect


You can run both a gateway and portal on the same firewall, or you can have multiple distributed gateways throughout your enterprise.

Portal: where users download the GlobalProtect client; the portal's agent configuration also specifies which gateways the client uses.

An internal gateway is an interface on the internal network that is configured as a GlobalProtect gateway and applies security policies for internal resource access.
Internal gateways are useful in sensitive environments where authenticated access to critical resources is required. The GlobalProtect app connects to the internal gateway after performing internal host detection to determine the location of the endpoint.
External gateway (auto discovery)

An external gateway (auto discovery) resides outside of the corporate network and provides security enforcement and/or virtual private network (VPN) access for your remote users. By default, the GlobalProtect app automatically connects to the best available external gateway, based on the priority you assign to the gateway, source region, and the response time.

External gateway (manual)

To configure a manual gateway, you must identify the gateway as Manual when you Define the GlobalProtect Agent Configurations.


Steps:

1. Create VPN security zone, with User-ID enabled
   Network>Zones

2. Create VPN tunnel interface
   Network>Interfaces>Tunnel

3. Add security policies
   Policies>Security

   3.1 Allow GlobalProtect connections to the FW outside interface. This is not required if the intrazone-default policy catches the traffic; it is required if a rule denying access to the firewall outside IP exists.
       source zone: untrust
       destination zone: untrust
       destination address: FW outside interface
       application: web-browsing (ssl), panos-global-protect

   3.2 Allow VPN clients to access internal resources
       source zone: GPVPN
       destination zone: trust
       destination address: LAN
       application:

   If the GPVPN tunnel interface is in the Trusted zone, traffic between LAN and GPVPN matches the intrazone-default policy instead.

4. Create an Authentication Profile and attach a server profile.
   Device>Authentication Profile
   Device>Server Profiles
         Bind DN can also be: ldap@lab.local

5. Create an SSL/TLS Profile and assign a certificate

6. Gateway
   Network>GlobalProtect>Gateways

7. Portal
   Network>GlobalProtect>Portals

8. Prepare the client software: download and activate it.
   Device>GlobalProtect Client
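A small check for the two security rules from step 3 (the rules whose absence shows up as troubleshooting items 1 and 2 below), added here as an example and not part of the original notes: it parses a PAN-OS-style security rulebase export and reports which GlobalProtect requirement no allow rule satisfies. The XML layout and the zone and address object names (untrust, GPVPN, trust, FW-outside, LAN) are assumptions, and the sample rulebase is constructed; it deliberately omits panos-global-protect so the check has something to find.

```python
# Added example: audit a PAN-OS-style security rulebase for the GlobalProtect
# rules from step 3. XML layout and object names are assumptions, not exports.
import xml.etree.ElementTree as ET

# Constructed sample. "GP-portal" allows only web-browsing/ssl to the outside IP
# (missing panos-global-protect, as in troubleshooting item 2); "GP-to-LAN" is complete.
SAMPLE_RULEBASE = """<rulebase><security><rules>
<entry name="GP-portal">
  <from><member>untrust</member></from><to><member>untrust</member></to>
  <source><member>any</member></source>
  <destination><member>FW-outside</member></destination>
  <application><member>web-browsing</member><member>ssl</member></application>
  <action>allow</action>
</entry>
<entry name="GP-to-LAN">
  <from><member>GPVPN</member></from><to><member>trust</member></to>
  <source><member>any</member></source>
  <destination><member>LAN</member></destination>
  <application><member>any</member></application>
  <action>allow</action>
</entry>
</rules></security></rulebase>"""

def _members(entry, tag):
    """Set of <member> values under a rule field such as from/to/application."""
    return {m.text for m in entry.findall(f"{tag}/member")}

def allowed_apps(xml_text, src_zone, dst_zone, dst_addr):
    """Union of applications allowed by rules matching the zones and destination."""
    apps = set()
    for entry in ET.fromstring(xml_text).iter("entry"):
        if entry.findtext("action") != "allow":
            continue
        if src_zone not in _members(entry, "from") or dst_zone not in _members(entry, "to"):
            continue
        if not _members(entry, "destination") & {dst_addr, "any"}:
            continue
        apps |= _members(entry, "application")
    return apps

def missing_gp_rules(xml_text):
    """Return the step-3 requirements that no allow rule in the rulebase covers."""
    missing = []
    portal_apps = allowed_apps(xml_text, "untrust", "untrust", "FW-outside")
    for app in ("web-browsing", "panos-global-protect"):
        if "any" not in portal_apps and app not in portal_apps:
            missing.append(f"3.1 {app} to FW outside IP")
    if not allowed_apps(xml_text, "GPVPN", "trust", "LAN"):
        missing.append("3.2 GPVPN to LAN")
    return missing
```

Run against a real export the check reads only the security rulebase; a tunnel interface placed in the trust zone (the intrazone-default case in step 3) is not modelled here.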


==========================

After a client connects, the PA routing table shows a prefix for the VPN pool pointing to the VPN tunnel interface.


Resource List

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClfXCAS



=====Notes===========

1. Enable the client disconnect button

portal agent config > App > Connect Method : On-demand (Manual user initiated connection)




=========Troubleshooting==============

1. User is unable to connect to the GP portal using a browser

    fix: added the missing security policy allowing connections to the FW outside IP with app: web-browsing


2. User is able to connect to the GP portal using a browser, but can't connect using the GP client

    fix: added the missing security policy allowing connections to the FW outside IP with app: panos-global-protect


3. GP gateway configured with AP group, user can't connect with error: "matching client config not found"

    fix: the authentication profile is missing or has an incorrect User Domain
  
    CLI:
     > show user group list

cn=contractors,cn=users,dc=sc,dc=local
cn=network admins,cn=users,dc=sc,dc=local
cn=helpdesks,cn=users,dc=sc,dc=local
cn=employees,cn=users,dc=sc,dc=local
Total: 4
* : Custom Group

   > show user group name cn=employees,cn=users,dc=sc,dc=local


===============


Internal gateways are not really VPNs. They are used in conjunction with an "always-on" VPN connection to provide UserID functionality for PCs/Users connected to your internal networks. Basically, you enable an always-on VPN configuration and provide an internal gateway with a DNS record that can only be resolved from your internal network. Then if your users are in the office, the GlobalProtect client will see that DNS record, connect to the Internal Gateway, and just report to the firewall the Username/IP mapping of the host for UserID purposes. If the user is WFH/on the road, they'll connect to an external gateway and get the full VPN experience with encryption.

Just used to perform GP agent-related functions without tunneling traffic.

GP-related functions: User-ID mapping, HIP check/reports, scripting (if needed), quarantine identification (if PAN-OS 10.x), etc.



GlobalProtect supports the following gateway types:
  • Internal: An internal gateway is an interface on the internal network that is configured as a GlobalProtect gateway and applies security policies for internal resource access. When used in conjunction with User-ID and/or HIP checks, an internal gateway can be used to provide a secure, accurate method of identifying and controlling traffic based on user and/or device state. Internal gateways are useful in sensitive environments where authenticated access to critical resources is required. You can configure an internal gateway in either tunnel mode or non-tunnel mode. The GlobalProtect app connects to the internal gateway after performing internal host detection to determine the location of the endpoint. If internal host detection is not configured, the GlobalProtect app first connects to the internal gateway followed by external gateway upon connection failure.
  • External gateway (auto discovery): An external gateway resides outside of the corporate network and provides security enforcement and/or virtual private network (VPN) access for your remote users. By default, the GlobalProtect app automatically connects to the Best Available external gateway, based on the priority you assign to the gateway, source region, and the response time (see Gateway Priority in a Multiple Gateway Configuration).
  • External gateway (manual): A manual external gateway also resides outside of the corporate network and provides security enforcement and/or VPN access for your remote users. The difference between the auto-discovery external gateway and the manual external gateway is that the GlobalProtect app only connects to a manual external gateway when the user initiates a connection. You can also configure different authentication requirements for manual external gateways. To configure a manual gateway, you must identify the gateway as Manual when you Define the GlobalProtect Agent Configurations.

The value of adding an internal gateway means that when users are on the local network, user-to-IP address mappings will be supplied to the firewall along with device context. This data can then be used as security policy match conditions, allowing for much more granular, identity-based visibility and enforcement.

====================

https://live.paloaltonetworks.com/t5/blogs/globalprotect-overview/ba-p/322170

