Palo Alto Networks PCNSE – Global Protect Part 1
May 8, 2023

1. GlobalProtect setup example

In this lecture we’ll talk about GlobalProtect. GlobalProtect is the VPN client for the Palo Alto firewall. It consists of three components: the GlobalProtect portal, the GlobalProtect gateway and the GlobalProtect client. The portal is the reference point the clients contact to learn which gateways are available in your deployment. The client connects to the portal, receives the list of available gateways and the configuration it needs, including any client certificates that may be required to connect to a GlobalProtect gateway.

The portal is also responsible for distributing the GlobalProtect agent software for Mac and Windows laptops. For mobile devices (Android and iPhone) you download the app from the Apple or Android app store instead. There are two types of gateway, external and internal. An external gateway is used by users connecting from the outside to your internal network; an internal gateway is used by your internal hosts. An internal gateway can provide enforcement and host information checks, granting access to specific areas of the network based on the result of the host check.

Then you have the GlobalProtect client, which is the component installed on the endpoint to provide access to either an external or an internal gateway. The way it works: the client first connects to the portal, gets the information about the gateways, and then connects to a gateway. On a new installation where you don’t have the client yet, you connect to the portal first, it lets you download the client, and based on the portal’s configuration the client learns the gateways and tries to connect. If there are multiple external gateways, it tries them and connects to whichever is closest.

For internal gateways it does the same thing, and based on the internal gateway you can do host enforcement on your internal traffic. The GlobalProtect client is available for Windows, Mac, iOS, Android and Google Chrome, and you can also use an IPsec client to connect to the GlobalProtect gateway; we’ll see that in a different lecture. About licensing: a single external gateway requires no license. Single or multiple internal gateways require no license. Multiple external gateways require no license. You do need a license for HIP checks. With HIP checks, when the client connects to GlobalProtect it runs host checks to see which Windows version you have and which applications are or are not installed, and based on that information you can make policy decisions.

That requires the license. Connecting with the mobile apps (iOS, Android and Chrome) also requires a license. So: a single external gateway is fine, single or multiple internal gateways are fine, multiple external gateways are fine. But if you do HIP checks you need a license, and if you use the mobile apps on iOS, Android and the others you need a license as well. The GlobalProtect portal and the GlobalProtect gateway can be on the same firewall; in my scenario here they are. The portal requires a layer 3 interface for the clients to connect to.

I’m using the outside interface of the firewall, ethernet1/1. An external gateway requires a layer 3 or loopback interface plus a logical tunnel interface for the client to connect through. To establish the VPN tunnel, the layer 3 and loopback interfaces must be in the same zone. In my case the layer 3 interface is the outside interface, in the untrust zone. The tunnel interface can be in the same zone or in a different zone; I prefer a different zone, so that GlobalProtect clients come in on the tunnel interface in their own zone. So we’re going to create a new zone called GlobalProtect, and we need to enable User Identification on this zone.

This way we identify the users; click OK. Then go to Interfaces, click Tunnel and click Add. Give it a number (I’m using 10), set the virtual router to default and the security zone to GlobalProtect, and give it the IPv4 address 192.168.100.1/24. GlobalProtect relies on SSL, so one of the requirements is a certificate. You can create a local, self-generated certificate or use a public certificate. I prefer a public certificate, because the GlobalProtect client connects from the outside and the users have to be able to trust that nobody is playing man in the middle on them.

The certificate needs to be trusted, so that users don’t get a warning when they try to connect. You can also use a self-generated certificate, and that’s where we’ll start. I’m going to name it GlobalProtect, with CN globalprotect.lab.local, tick Certificate Authority and click Generate. That is the certificate we’ll use in GlobalProtect. You also need to provide an authentication method for GlobalProtect, so we’ll create an authentication profile called VPN users. We’ll start with the local database and later on see how to use a RADIUS server.

Allow all users and click OK. Then go to Users and create a test user for us, VPN user, and commit. Then go to Network, GlobalProtect, Portals and add a portal; give it a name, global portal. The interface is the untrust interface, and I’m leaving the IP address unset because in my case I’m on Amazon and it is dynamically assigned. Under Authentication choose the authentication profile, VPN users. The certificate profile is only needed if you want to authenticate using client certificates, which we’re not going to do.

The SSL/TLS service profile points to the certificate you’re using. I’ll call it GlobalProtect cert, select the certificate I created and click OK. Then under Agent click Add and give the client profile a name. Under Users/User Groups you can restrict the profile to specific users or groups; in our case we’ll leave it empty. Then you can configure internal gateways, for internal users, or external gateways. We’re going to add an external gateway.

Put the firewall’s public IP address here; you can also use a domain name. I have only one GlobalProtect portal and gateway, so I’ll enter that and click OK. Now the client profile is created; click OK. The next step is to create the gateway. The gateway is the actual IP address the client connects to; the portal only provides the information. The client gets that information from the portal, which can list multiple external gateways, and it can talk to any of those external gateways. We’ll call this GP gateway, and the interface is the same ethernet1/1. Then Authentication.

Under Authentication I provide the SSL/TLS profile, and for client authentication I use the same authentication profile, VPN users. Under Agent you specify what the client is allowed to access and the IP address range. First, under Tunnel Settings, select the tunnel we created, tunnel.10; I’m not enabling IPsec. Then under Client Settings click Add and give it a name. Under Network Settings you need an IP pool; we’ll use the pool 192.168.200.1 through 192.168.200.254, and for the access route we’ll limit it to the 172.16 network.

For now we leave No direct access to local network unchecked; check it if you want to prevent users from accessing their local network at home. Users/User Groups: any. Click OK, OK. We’ll start with a relaxed security policy: allow any to any, starting small and expanding the scenario later. Source any, destination any, action allow. Commit. Since we created the 192.168.200.0/24 pool we need a route for it, under Virtual Routers, default, Static Routes. I’ll add VPN clients, destination 192.168.200.0/24, interface tunnel.10, and next hop None, because there is no next hop.

Then I test it. Browse to the portal, log in as VPN user, download the Windows 64-bit client and run it. The portal should now show up in the client; connect to it, and click Continue on the warning because the self-signed certificate is not trusted. It’s connecting, and now it’s connected. In the connection details we have the IP address 192.168.200.1 and the protocol is SSL. We’ll expand on this scenario in the next lectures, but that gives you the steps.

2. Getting a free publicly trusted SSL certificate to test GlobalProtect

In this lecture we’ll set up a free SSL certificate for our Amazon instance. Go back to the section where we set up the Amazon environment and the DMZ server, one of the earlier sections; we’re going to use that DMZ server to validate our certificate. There is a free certificate provider out there: if you search for free SSL certificate you’ll find SSL For Free. You have to register a DNS name; I personally use No-IP (noip.com). Register your own DNS name, go to the SSL For Free website, enter your name (in my case awspalo3.ddns.net), create the certificate and choose manual verification. Then on your DMZ server you have to enable Apache.

Install Apache with apt install apache2, then click Manually Verify Domain. Here you need to download a file; save it, and note that the file name has to be exactly as provided. You need to copy the file content onto your web server, and I’ll show you how. Log in to the DMZ server, load your keys and sudo su. If Apache isn’t installed yet, apt install apache2; for me it’s already installed. Then cd /var/www. They tell you to create a folder called .well-known and inside it a folder called acme-challenge. Mine already exist, so I’m going to delete and recreate them.

So I’ll show you: mkdir .well-known, cd .well-known, mkdir acme-challenge, cd acme-challenge (for me they already exist). Then create the file with exactly the name provided: vi followed by the file name. Open the downloaded file in Notepad, press i for insert in vi, paste the content, and save. Then open /etc/apache2/apache2.conf with vi and allow people to read that file: add a FilesMatch section with the name of the file.

Under it put Require all granted; that grants access to the file. Save. Then on the Palo Alto firewall we still have steps to finish: log in, go to Certificates and generate a certificate. Give it a name (I’m calling it GlobalProtect), set the Common Name to the DNS name I registered, and select Signed By External Authority (CSR). Click Generate, then select the certificate and choose Export. Now that the file is on the web server, restart Apache with service apache2 restart so the configuration that grants access to that location takes effect. Then go back to the website, tick I have my own CSR and paste the CSR.
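The steps above (create .well-known/acme-challenge under the web root, write the provider’s file with the exact name and content, grant Apache read access, restart) are easy to get slightly wrong. The following shell script is an added example, not from the lecture or from SSL For Free: it wraps those steps in functions, writes the challenge file without a trailing newline so the validator sees exactly the expected body, and emits an Apache fragment that grants access to the whole acme-challenge directory instead of one FilesMatch entry per token, so a renewal only needs a new file, not a config edit. WEBROOT, TOKEN and CONTENT are assumed inputs; the real token and content come from the certificate provider, and on Debian/Ubuntu the default Apache DocumentRoot is /var/www/html, not /var/www.

```shell
#!/bin/sh
# Added example: prepare an ACME HTTP-01 challenge file under a web root and
# emit an Apache config fragment that grants read access to the directory.
# WEBROOT, TOKEN and CONTENT are assumed inputs supplied by the operator.
set -e

# Create WEBROOT/.well-known/acme-challenge and write the challenge file.
# Usage: write_challenge WEBROOT TOKEN CONTENT
write_challenge() {
    webroot=$1; token=$2; content=$3
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    # printf with no trailing newline: validators compare the body byte for byte.
    printf '%s' "$content" > "$dir/$token"
    # Directory must be traversable and the file readable by the www-data user.
    chmod 755 "$webroot/.well-known" "$dir"
    chmod 644 "$dir/$token"
}

# Print an Apache fragment, e.g. to save as /etc/apache2/conf-available/acme.conf
# and enable with a2enconf acme, granting access to the challenge directory.
# Usage: apache_fragment WEBROOT
apache_fragment() {
    cat <<EOF
<Directory "$1/.well-known/acme-challenge">
    Options None
    AllowOverride None
    Require all granted
</Directory>
EOF
}

# Check that the challenge file exists, is readable and holds exactly CONTENT.
# Returns 0 on match, 1 otherwise.
# Usage: verify_challenge WEBROOT TOKEN CONTENT
verify_challenge() {
    f="$1/.well-known/acme-challenge/$2"
    [ -r "$f" ] && [ "$(cat "$f")" = "$3" ]
}

# Self-contained demo with constructed values in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    write_challenge "$tmp" "constructed-token" "constructed-token.constructed-key-authorization"
    if verify_challenge "$tmp" "constructed-token" "constructed-token.constructed-key-authorization"; then
        rc=0
    else
        rc=1
    fi
    apache_fragment "$tmp" > /dev/null
    rm -rf "$tmp"
    return $rc
}
```

Run it against the real web root as root, then restart Apache and fetch http://<your-fqdn>/.well-known/acme-challenge/<token> from outside before clicking verify; that is also the moment you notice if port 80 is not yet allowed through the firewall.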

That’s the GlobalProtect CSR. Once you’re done, click to download the SSL certificate. Oops, I didn’t allow port 80, so I’ll have to repeat the steps. Under NAT I need to allow port 80 to the DMZ server, so I’m adding a rule, port 80 allow DMZ. Original packet: source zone untrust, destination zone untrust, destination address the public address of my outside interface on the Palo Alto firewall, service http. Translated packet: destination NAT to the IP address of the DMZ server. Then allow it in the security policy: add a rule, allow port 80 DMZ, source zone untrust, destination zone DMZ, destination address the pre-NAT address (the outside interface, /32), since the zone is post-NAT and the address is pre-NAT, application web-browsing.

Action allow. Commit. Now I repeat the verification steps: click Update and try manual verification again. It issues a new file, so I download that file one more time (practice makes perfect), create it again on the server with vi, open the downloaded file, copy the content, press i for insert and paste it. Then vi /etc/apache2/apache2.conf and update the FilesMatch entry to the new file name, and service apache2 restart. Then tick I have my own CSR, paste the CSR, click OK and click Download SSL Certificate. Now it’s downloaded; here’s the certificate. You can copy the content or choose Download All SSL Certificate Files, which is what I’ll do: show in folder, extract, and there is the certificate. Now I need to bind it on the Palo Alto firewall: go to Device, Certificates, click Import, use the same name I used for the CSR, GlobalProtect, so it binds to the pending CSR, browse to the certificate file and click OK.

All right. The next thing is to import the CA bundle, the trusted certificate; I’ll call it SSL free, open the CA bundle, which is one of the downloaded files, and click OK. Then click on it and tick Trusted Root CA so that it’s trusted, and click OK. Now GlobalProtect has a certificate that is trusted by the users, because the issuer behind SSL For Free is a trusted root in most browsers and most operating systems. In the next lecture we’ll continue expanding the configuration.
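Before importing the issued certificate under the same name as the CSR and before marking the CA bundle as trusted, it is worth checking on the DMZ server that the certificate actually belongs to the firewall’s CSR, chains to the bundle, and carries the portal FQDN; a mismatch shows up later as the "not trusted" warning from section 1 or as a failed import. The following script is an added example, not from the lecture or from Palo Alto Networks: it uses only openssl. make_fixtures builds a stand-in for the real files (a constructed CA playing the role of the SSL For Free issuer, and a locally generated key and CSR standing in for the firewall’s CSR, which you would instead export from the firewall) so that the checks can be exercised offline; the hostname portal.example.test is a constructed placeholder for your DNS name.

```shell
#!/bin/sh
# Added example: verify that an issued certificate matches a CSR, chains to a
# CA bundle and is valid for the portal hostname, using openssl only.
# All file names and the host name are assumed inputs.
set -e

# 0 if the certificate's public key is the one in the CSR (so it will bind to
# the pending CSR on the firewall), 1 otherwise. Usage: csr_matches_cert CSR CERT
csr_matches_cert() {
    a=$(openssl req -in "$1" -noout -pubkey | openssl sha256)
    b=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ "$a" = "$b" ]
}

# 0 if CERT chains to the CAs in BUNDLE and is valid for HOST (SAN, else CN).
# Usage: cert_chains_to_bundle CERT BUNDLE HOST
cert_chains_to_bundle() {
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" > /dev/null 2>&1
}

# Build constructed fixtures in DIR: a test CA (stand-in for the public issuer),
# a key + CSR (stand-in for the firewall's CSR) and a leaf signed by the CA.
# Usage: make_fixtures DIR HOST
make_fixtures() {
    d=$1; host=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$d/ca.key" -out "$d/ca.crt" \
        -subj "/CN=Constructed Test CA" 2> /dev/null
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$d/fw.key" -out "$d/fw.csr" \
        -subj "/CN=$host" 2> /dev/null
    # Public CAs put the host in subjectAltName; hostname checks look there first.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$d/san.ext"
    openssl x509 -req -in "$d/fw.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -extfile "$d/san.ext" \
        -out "$d/fw.crt" 2> /dev/null
}

# Run all checks for DIR/fw.csr, DIR/fw.crt and DIR/ca.crt against HOST.
# Prints one line per check; returns 0 only if all pass. Usage: check_all DIR HOST
check_all() {
    ok=0
    if csr_matches_cert "$1/fw.csr" "$1/fw.crt"; then echo "key matches CSR: yes"
    else echo "key matches CSR: NO"; ok=1; fi
    if cert_chains_to_bundle "$1/fw.crt" "$1/ca.crt" "$2"; then echo "chain and hostname: yes"
    else echo "chain and hostname: NO"; ok=1; fi
    return $ok
}
```

On the real server, replace the fixtures with the exported CSR, the downloaded certificate.crt and ca_bundle.crt from the provider’s zip, and run check_all before touching the firewall; a self-signed certificate from section 1 fails the chain check against any public bundle, which is exactly why the client warned.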

3. Setting up GlobalProtect for on-demand mode, discover agent settings

Okay, now that we have set up the certificate, we’re going to go through the motions of setting up GlobalProtect one more time. Create a GlobalProtect portal; we’ll call it AWS Palo 3. The interface is the outside interface, ethernet1/1. Under Authentication, create an SSL/TLS service profile, select the certificate we imported, set the TLS version and click OK. Then go to Agent, click Add, and call it on demand; this setup lets the user connect whenever they wish. Users/User Groups: any. Under Gateways add a gateway, give it a name, and enter the DNS name the clients will connect to.

It has to match the certificate. Then under App there are multiple connect methods. User-logon (Always On) means the user is connected automatically at logon. Pre-logon connects the machine to GlobalProtect automatically at boot, before any user logs in; we’ll see how to do that in a later lecture. On-demand is a manual, user-initiated connection. Pre-logon (then On-demand) connects at boot without a user logged in and, once the user logs in, switches to a manually initiated connection. We’re going to use on-demand. Here are some of the client settings. Allow User to Disable GlobalProtect App:

this can be Disallow, Allow, Allow with Comment, Allow with Passcode or Allow with Ticket; we select Allow. Allow User to Upgrade GlobalProtect App: Allow with Prompt asks the user whether they want to download a new version when one is available; Disallow means the user cannot upgrade the client; Allow Manually; or Allow Transparently, which upgrades silently whenever a new version is on the Palo Alto firewall. We’ll allow transparently for now. Use Single Sign-On (Windows): we’ll see how this is done in a later lecture.

But we’re not going to use single sign-on, so choose No. Use Default Authentication on Kerberos Authentication Failure: we choose yes, so if Kerberos single sign-on fails it falls back to the default authentication method. Enforce GlobalProtect Connection for Network Access: if you enable this, the user has to connect to GlobalProtect before they can reach the network at all. This is the method to use in a high-security environment to make sure that users never connect to any network without going through your VPN, so they are always protected behind the Palo Alto firewall.

Under features you can allow a captive portal exception. For example, on a hotspot or in a coffee shop the captive portal has to load before the user gets internet access, so you can set a timeout during which the user is allowed to reach the captive portal, after which enforcement applies. A value of 0 disables the exception; the maximum is 3600 seconds, after which the user can no longer connect without GlobalProtect. Traffic Blocking Notification notifies the user that traffic was blocked; Display Traffic Blocking Notification Message lets you customize the message, and you can allow the user to dismiss it.

Captive Portal Detection Message is shown when a captive portal is detected. Client Certificate Store Lookup (User and Machine): we’re not using a client, user or machine certificate at this time. SCEP is for enrolling the user with a certificate via SCEP; we’ll see a lecture on that. Other features: you can enable or disable Advanced View; you can allow the user to dismiss the welcome message; Rediscover Network lets the user rediscover the network and check the portal for new settings. Enable Resubmit Host Profile covers the case where the user was denied by a host profile, for example because they didn’t have antivirus running:

you can allow the user to resubmit their host profile after fixing the problem, so they get validated and logged in. Update DNS Settings at Connect (Windows only) updates the client’s DNS settings to the DNS servers handed out by GlobalProtect. Send HIP Report Immediately if Windows Security Center State Changes: if something happens on the client, like the user disabling the firewall or installing or removing software, the client sends a new HIP report right away and you might block their access. This is always-on protection: if the user connects to GlobalProtect and then disables their firewall or antivirus software, GlobalProtect sends the report and they are blocked according to your security policies. Welcome Page: you can use the factory default page or add your own.

If you want, create an HTML file and import it here to be used in place of the factory default welcome page. You can also set a passcode that the user needs in order to disable GlobalProtect. In our case we leave all of this as is and click OK, then OK again. Next we need an authentication profile, and we’re going to use LDAP. First create an LDAP server profile, LDAP auth: the server name is lab-ad-dc, with its IP address, type active-directory, Base DN DC=lab,DC=local. You can specify a Bind DN; I’m going to bind as administrator. If the server requires SSL/TLS, check that; in my case it doesn’t. Click OK. Then create an authentication profile, SSL VPN auth, type LDAP, and select the server profile LDAP auth; under Advanced, Allow List, allow all, and click OK. Going back to Network, on the portal add this as the authentication profile and click OK. Then the gateway: add a gateway, AWS 3 gateway, interface the outside interface, and under Authentication the SSL/TLS profile.

We choose the same SSL/TLS profile and add the authentication profile SSL VPN auth. Under Agent, Tunnel Settings, we create a new tunnel interface, tunnel.10, in the default virtual router and in the trust security zone, with the IP address 192.168.100.1/24. Then Client Settings: click Add, name it client config. Under Network Settings we choose an IP pool in the same range as the tunnel, and for the access route we specify the internal network only for now. Click OK.

Under Network Services you can specify the primary DNS server; we choose the domain controller, and the DNS suffix lab.local, so this is pushed to the user. Click OK and Commit. We also need to enable User Identification on the trust zone, so do that and commit again. Then I browse to https://awspalo3.ddns.net, and it’s green, verified by Let’s Encrypt. I try to log in, but for some reason I can’t. Under Monitor, System, the authentication log says invalid username and password.

So let’s look at the LDAP settings. In the authentication profile SSL VPN auth, User Domain: we have to put lab, my domain. Log in again: still invalid username and password. I actually fat-fingered the authentication profile here, I had put local auth; let me update that. Now I should be able to log in and download the software if needed. I already have it installed, so I’m going to connect. Good. The troubleshooting logs are here. It’s connected now and I should be able to ping my domain controller in the lab. There you have it: configuration from scratch using the SSL certificate that’s provided for free, validated on the fully qualified domain name.
