Palo Alto GlobalProtect

You can run both a gateway and portal on the same firewall, or you can have multiple distributed gateways throughout your enterprise.

Portal: Where user can download GlobalProtect client, specify gateway.

An internal gateway is an interface on the internal network that is configured as a GlobalProtect gateway and applies security policies for internal resource access.
Internal gateways are useful in sensitive environments where authenticated access to critical resources is required. The GlobalProtect app connects to the internal gateway after performing internal host detection to determine the location of the endpoint.

External gateway (auto discovery)

An external gateway (auto discovery )resides outside of the corporate network and provides security enforcement and/or virtual private network (VPN) access for your remote users. By default, the GlobalProtect app automatically connects to the best available external gateway, based on the priority you assign to the gateway, source region, and the response time.

External gateway (manual)  To configure a manual gateway, you must identify the gateway as Manual when you Define the GlobalProtect Agent Configurations.

License:

secure remote access or VPN solution via single or multiple internal/external gateways, you don't need any GlobalProtect licenses.
However, to use some of the more advanced features (such as HIP checks and associated content updates, support for the GlobalProtect mobile app, or IPv6 support) you must purchase an annual GlobalProtect Gateway license. 

About GlobalProtect Licenses (paloaltonetworks.com)

Configuration

 Steps:

1. Create VPN Security Zone, with User ID enabled

 Network>Zones
   

2. Create VPN Tunnel Interface
    Network>Interfaces>Tunnel

3.Add Security Policy
   3.1 Allow GlobalProtect connects to FW outside interface, this is not required if intrazone-default policy catch the traffic. It is required if  a deny access firewall outside IP rule exists.

     source zone: untrust
     destination zone: untrust
     destination address: FW outside interface
     application: web-browsing (ssl), panos-global-protect  
     
     3.2 Allow VPN client to access internal resource

            souece zone: GPVPN
            destination zone: trust

     destination address: LAN
     application:

   Policies>Security

   If GPVPN tunnel interface is in Trusted zone, then traffic between LAN and GPVPN will matches Intrazone-default policy.

4. Create an Authentication Profile, attach a server profile.
   Device>Authentication Profile
   Device>Server Profiles
         Bind DN can also use format: ldap@lab.local

5. Create a SSL/TLS Profile, assign a certificate

6. Gateway
   Network>GlobalProtect>Gateways

 

7. Portal
   Network>GlobalProtect>Portals

8. Prepare client software, Download and Activate.
   Device>GlobalProtect Client

==========================

After connected, on PA routing table, a prefix of VPN pool points to VPN tunnel interface.

Resource List

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClfXCAS

=====Notes===========

1. Enable client disconnect button

portal agent config > App > Connect Method : On-demand (Manual user initialed connection)

=========Troubleshooting==============

1. user is unable to connect to GP portal using browser

    fix: added missing security policy to allow connection to FW outside IP with app: web-browsing 

2. user is able to connect to GP portal using browser, but can't connect using GP client

    fix: added missing security policy to allow connect to FW outside IP with app:  panos-global-protect

3. GP gateway configured with AP group, user can't connect with error:  "matching client config not found"

    fix: authentication profile is missing or has incorrect User Domain
  
    CLI:
     > show user group list

cn=contractors,cn=users,dc=sc,dc=local
cn=network admins,cn=users,dc=sc,dc=local
cn=helpdesks,cn=users,dc=sc,dc=local
cn=employees,cn=users,dc=sc,dc=local
Total: 4
* : Custom Group

   > show user group name cn=employees,cn=users,dc=sc,dc=local

===============

Internal gateways are not really VPNs. They are used in conjunction with an "always-on" VPN connection to provide UserID functionality for PCs/Users connected to your internal networks. Basically, you enable an always-on VPN configuration and provide an internal gateway with a DNS record that can only be resolved from your internal network. Then if your users are in the office, the GlobalProtect client will see that DNS record, connect to the Internal Gateway, and just report to the firewall the Username/IP mapping of the host for UserID purposes. If the user is WFH/on the road, they'll connect to an external gateway and get the full VPN experience with encryption.

 Just used to perform gp agent related functions without tunneling traffic.

GP related functions: Userid mapping, hip check/reports, scripting (if needed), quarantine identification (if panos 10.x), etc

GlobalProtect supports the following gateway types:

Internal
—An internal gateway is an interface on the internal network that is configured as a GlobalProtect gateway and applies security policies for internal resource access. When used in conjunction with User-ID and/or HIP checks, an internal gateway can be used to provide a secure, accurate method of identifying and controlling traffic based on user and/or device state. Internal gateways are useful in sensitive environments where authenticated access to critical resources is required. You can configure an internal gateway in either tunnel mode or non-tunnel mode. The GlobalProtect app connects to the internal gateway after performing internal host detection to determine the location of the endpoint. If internal host detection is not configured, the GlobalProtect app first connects to the internal gateway followed by external gateway upon connection failure.
External gateway (auto discovery)
—An external gateway resides outside of the corporate network and provides security enforcement and/or virtual private network (VPN) access for your remote users. By default, the GlobalProtect app automatically connects to the
Best Available
external gateway, based on the priority you assign to the gateway, source region, and the response time (see Gateway Priority in a Multiple Gateway Configuration).
External gateway (manual)
—A manual external gateway also resides outside of the corporate network and provides security enforcement and/or VPN access for your remote users. The difference between the auto-discovery external gateway and the manual external gateway is that the GlobalProtect app only connects to a manual external gateway when the user initiates a connection. You can also configure different authentication requirements for manual external gateways. To configure a manual gateway, you must identify the gateway as
Manual
when you Define the GlobalProtect Agent Configurations.

The value of adding an internal gateway means that when users are on the local network, user-to-IP address mappings will be supplied to the firewall along with device context. This data can then be used as security policy match conditions, allowing for much more granular, identity-based visibility and enforcement.

====================

https://live.paloaltonetworks.com/t5/blogs/globalprotect-overview/ba-p/322170

================

PanGPA (PanGP Agent)    --- GlobalProtect UI program

PanGPS (PanGP Service) --- GlobalProtect service/daemon program

==========Collect GlobalProtect Client Log============

> Settings

> Troubleshooting > Collect Logs, logs will download in a Zip file, extract zip file to see log files

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaLCAS

=======GP Root Cert==============

This setting is supposed to push CA root cert to Trusted root store on user's PC' . This CA root cert is the GP cert's issuer. However it must be verified by PC's exiting root CA, in this case, lab AD root cert will not be trusted neither installed on user's PC.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PN5MCAW

GlobalProtect Stages

1. before-login : This is the stage where the Portal pre-login happens during which the client-side reachability (PORT=443, URL=/global-protect/prelogin.esp) and client certificate, etc are checked
2. login: This is the stage where the portal authentication happens against the user credentials depending on the authentication profile set
3. configuration: This is the stage where the Portal Configuration Digest is pulled from either the cached config or from the actual portal. It also matches the user to any existing cookies if at all present. It then checks for the available gateways.
4. before-login: Here it does the Gateway-Prelogin. It checks for the GW connectivity and server certificate verification and then completes the network discovery.
5. login: In this stage, it does the Gateway login and checks on the user cookies if at all available. It also gets the IPv4 or IPv6 address for Gateway and user.
6. tunnel: This is the stage where the IP-Sec/SSL tunnel is established for the GP traffic. GW configuration is obtained and creates the tunnel accordingly.
7. connected: This is the stage where the Gateway is connected.
8. host-info: Checks for the Host Information through the HIP checks.
9. logout: This is the stage when the user logs out.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001VA3CAM&lang=en_US%E2%80%A9

Loopback interface for GlobalProtect

lookback interface in Untrust zone

GP connection will go through full threat prevention before hit lo interface.

 Manually Sync LDAP Group Mapping

You can refresh the user-group-mapping on the PAN by issuing the following the command:

> debug user-id refresh group-mapping all    ..... This command will fetch the only delta values or the difference.

You can also reset user-group-mappings by issuing the following command:

> debug user-id reset group-mapping all     ...... This command will fetch the entire group mappings once again.