GlobalProtect Administrator's Guide
Version 8.0

Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contactsupport
About this Guide
This guide describes how to deploy GlobalProtect to extend the same next-generation firewall-based policies that are enforced within the physical perimeter to your roaming users, no matter where they are located:
- For information on how to configure other components in the Palo Alto Networks Next-Generation Security Platform, go to the Technical Documentation portal: https://www.paloaltonetworks.com/documentation or search the documentation.
- For access to the knowledge base, complete documentation set, discussion forums, and videos, refer to https://live.paloaltonetworks.com.
- For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
- For the most current PAN-OS and GlobalProtect 8.0 release notes, go to https://www.paloaltonetworks.com/documentation/80/panos/panosreleasenotes.html.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.
Revision Date: February 6, 2017
2 GlobalProtect 8.0 Administrator's Guide, Palo Alto Networks, Inc.
Table of Contents
GlobalProtect Overview ... 7
  About the GlobalProtect Components ... 8
    GlobalProtect Portal ... 8
    GlobalProtect Gateways ... 8
    GlobalProtect Client ... 9
  What Client OS Versions are Supported with GlobalProtect? ... 10
  What Features Does GlobalProtect Support? ... 11
  About GlobalProtect Licenses ... 14
Get Started ... 15
  Create Interfaces and Zones for GlobalProtect ... 16
  Enable SSL Between GlobalProtect Components ... 18
    About GlobalProtect Certificate Deployment ... 18
    GlobalProtect Certificate Best Practices ... 18
    Deploy Server Certificates to the GlobalProtect Components ... 21
Authentication ... 25
  About GlobalProtect User Authentication ... 26
    Supported GlobalProtect Authentication Methods ... 26
    How Does the Agent or App Know What Credentials to Supply? ... 28
  Set Up External Authentication ... 30
    Set Up LDAP Authentication ... 31
    Set Up SAML Authentication ... 33
    Set Up Kerberos Authentication ... 35
    Set Up RADIUS or TACACS+ Authentication ... 37
  Set Up Client Certificate Authentication ... 39
    Deploy Shared Client Certificates for Authentication ... 39
    Deploy Machine Certificates for Authentication ... 40
    Deploy User-Specific Client Certificates for Authentication ... 43
  Set Up Two-Factor Authentication ... 46
    Enable Two-Factor Authentication Using Certificate and Authentication Profiles ... 46
    Enable Two-Factor Authentication Using One-Time Passwords (OTPs) ... 49
    Enable Two-Factor Authentication Using Smart Cards ... 53
  Set Up Authentication for strongSwan Ubuntu and CentOS Clients ... 56
    Enable Authentication Using a Certificate Profile ... 56
    Enable Authentication Using an Authentication Profile ... 58
    Enable Authentication Using Two-Factor Authentication ... 60
  Set Up Multi-Factor Authentication ... 63
  Enable Group Mapping ... 66
GlobalProtect Gateways ... 69
  GlobalProtect Gateway Concepts ... 70
    Gateway Priority in a Multiple Gateway Configuration ... 70
    GlobalProtect MIB Support ... 71
  Prerequisite Tasks for Configuring the GlobalProtect Gateway ... 72
  Configure a GlobalProtect Gateway ... 73
GlobalProtect Portals ... 81
  Prerequisite Tasks for Configuring the GlobalProtect Portal ... 82
  Set Up Access to the GlobalProtect Portal ... 83
  Define the GlobalProtect Client Authentication Configurations ... 84
    Define the GlobalProtect Agent Configurations ... 86
    Customize the GlobalProtect Agent ... 93
    Customize the GlobalProtect Portal Login, Welcome, and Help Pages ... 103
Mobile Endpoint Management ... 155
  Mobile Endpoint Management Overview ... 156
  Set Up a Mobile Endpoint Management System ... 157
  Manage the GlobalProtect App Using AirWatch ... 158
    Deploy the GlobalProtect Mobile App Using AirWatch ... 158
    Configure the GlobalProtect App for iOS Using AirWatch ... 159
    Configure the GlobalProtect App for Android Using AirWatch ... 162
    Configure the GlobalProtect App for Windows 10 UWP Using AirWatch ... 166
  Manage the GlobalProtect App Using a Third-Party MDM ... 169
    Configure the GlobalProtect App for iOS ... 169
    Example: GlobalProtect iOS App Device-Level VPN Configuration ... 170
    Example: GlobalProtect iOS App App-Level VPN Configuration ... 171
    Configure the GlobalProtect App for Android ... 172
    Example: Set VPN Configuration ... 173
    Example: Remove VPN Configuration ... 174
Host Information ... 175
  About Host Information ... 176
    What Data Does the GlobalProtect Agent Collect? ... 176
    How Does the Gateway Use the Host Information to Enforce Policy? ... 178
    How Do Users Know if Their Systems are Compliant? ... 179
    How Do I Get Visibility into the State of the End Clients? ... 179
  Configure HIP-Based Policy Enforcement ... 180
  Collect Application and Process Data From Clients ... 187
  Block Device Access ... 192
GlobalProtect Quick Configs ... 193
  Remote Access VPN (Authentication Profile) ... 194
  Remote Access VPN (Certificate Profile) ... 197
  Remote Access VPN with Two-Factor Authentication ... 200
  Always On VPN Configuration ... 204
  Remote Access VPN with Pre-Logon ... 205
  GlobalProtect Multiple Gateway Configuration ... 211
  GlobalProtect for Internal HIP Checking and User-Based Access ... 215
  Mixed Internal and External Gateway Configuration ... 219
GlobalProtect Reference Architecture ... 225
  GlobalProtect Reference Architecture Topology ... 226
    GlobalProtect Portal ... 226
    GlobalProtect Gateways ... 227
  GlobalProtect Reference Architecture Features ... 228
    End User Experience ... 228
    Management and Logging ... 228
    Monitoring and High Availability ... 229
  GlobalProtect Reference Architecture Configurations ... 230
    Gateway Configuration ... 230
    Portal Configuration ... 230
    Policy Configurations ... 231
GlobalProtect Overview
Whether checking email from home or updating corporate documents from the airport, the majority of today's employees work outside the physical corporate boundaries. This increased workforce mobility brings increased productivity and flexibility while simultaneously introducing significant security risks. Every time users leave the building with their laptops or mobile devices they are bypassing the corporate firewall and associated policies that are designed to protect both the user and the network. GlobalProtect solves the security challenges introduced by roaming users by extending the same next-generation firewall-based policies that are enforced within the physical perimeter to all users, no matter where they are located.
The following sections provide conceptual information about the Palo Alto Networks GlobalProtect offering and describe the components of GlobalProtect and the various deployment scenarios:
- About the GlobalProtect Components
- What Client OS Versions are Supported with GlobalProtect?
- What Features Does GlobalProtect Support?
- About GlobalProtect Licenses
About the GlobalProtect Components
GlobalProtect provides a complete infrastructure for managing your mobile workforce to enable secure access for all your users, regardless of what devices they are using or where they are located. This infrastructure includes the following components:
- GlobalProtect Portal
- GlobalProtect Gateways
- GlobalProtect Client

GlobalProtect Portal
The GlobalProtect portal provides the management functions for your GlobalProtect infrastructure. Every client system that participates in the GlobalProtect network receives configuration information from the portal, including information about available gateways as well as any client certificates that may be required to connect to the GlobalProtect gateway(s). In addition, the portal controls the behavior and distribution of the GlobalProtect agent software to both Mac and Windows laptops. (On mobile devices, the GlobalProtect app is distributed through the Apple App Store for iOS devices or through Google Play for Android devices.) If you are using the Host Information Profile (HIP) feature, the portal also defines what information to collect from the host, including any custom information you require. You Set Up Access to the GlobalProtect Portal on an interface on any Palo Alto Networks next-generation firewall.

GlobalProtect Gateways
GlobalProtect gateways provide security enforcement for traffic from GlobalProtect agents/apps. Additionally, if the HIP feature is enabled, the gateway generates a HIP report from the raw host data the clients submit and can use this information in policy enforcement.
- External gateways: Provide security enforcement and/or virtual private network (VPN) access for your remote users.
- Internal gateways: An interface on the internal network configured as a GlobalProtect gateway for applying security policy for access to internal resources. When used in conjunction with User-ID and/or HIP checks, an internal gateway can be used to provide a secure, accurate method of identifying and controlling traffic by user and/or device state. Internal gateways are useful in sensitive environments where authenticated access to critical resources is required. You can configure an internal gateway in either tunnel mode or non-tunnel mode.
You Configure a GlobalProtect Gateway on an interface on any Palo Alto Networks next-generation firewall. You can run both a gateway and a portal on the same firewall, or you can have multiple, distributed gateways throughout your enterprise.
GlobalProtect Client
The GlobalProtect client software runs on end user systems and enables access to your network resources via the GlobalProtect portals and gateways you have deployed. There are two types of GlobalProtect clients:
- The GlobalProtect Agent: Runs on Windows and Mac OS systems and is deployed from the GlobalProtect portal. You configure the behavior of the agent (for example, which tabs the users can see, whether or not users can uninstall the agent) in the client configuration(s) you define on the portal. See Define the GlobalProtect Agent Configurations, Customize the GlobalProtect Agent, and Deploy the GlobalProtect Agent Software for details.
- The GlobalProtect App: Runs on iOS, Android, Windows UWP, and Chromebook devices. Users must obtain the GlobalProtect app from the Apple App Store (for iOS), Google Play (for Android), Microsoft Store (for Windows UWP), or Chrome Web Store (for Chromebook).
See What Client OS Versions are Supported with GlobalProtect? for more details.
The following diagram illustrates how the GlobalProtect portals, gateways, and agents/apps work together to enable secure access for all your users, regardless of what devices they are using or where they are located.
What Client OS Versions are Supported with GlobalProtect?
Palo Alto Networks supports the GlobalProtect app (also referred to as the GlobalProtect agent) on common desktop, laptop, and mobile devices. We recommend that you configure GlobalProtect on firewalls running PAN-OS 6.1 or a later release and that you install only supported releases of the GlobalProtect app on endpoints. The minimum GlobalProtect app release varies by operating system; to determine the minimum GlobalProtect app release for a specific operating system, refer to the following topics in the Palo Alto Networks Compatibility Matrix:
- Where Can I Install the GlobalProtect App?
- What XAuth IPSec Clients are Supported?
Older versions of the GlobalProtect app (releases 1.0 through 2.1) are still supported on the operating systems and PAN-OS releases with which they were released. For minimum PAN-OS release support for GlobalProtect app 2.1 and older releases, refer to the GlobalProtect agent (app) release notes for your specific release on the Software Updates site.
What Features Does GlobalProtect Support?
The following table lists the supported features on GlobalProtect by OS. An entry in the table indicates the first supported release of the feature on the OS; a feature with no release listed is not supported. For recommended minimum GlobalProtect agent and app versions, see What Client OS Versions are Supported with GlobalProtect?
[Table: GlobalProtect features by OS. Only the feature categories survive extraction: Authentication, Clientless VPN, Connect Methods, Connection Priority, Modes, Networking, Customization.]
About GlobalProtect Licenses
If you simply want to use GlobalProtect to provide a secure, remote access or virtual private network (VPN) solution via single or multiple internal/external gateways, you do not need any GlobalProtect licenses. However, to use some of the more advanced features (such as HIP checks and associated content updates, support for the GlobalProtect mobile app, or IPv6 support) you need to purchase an annual GlobalProtect subscription. This license must be installed on each firewall running a gateway(s) that:
- Performs HIP checks
- Supports the GlobalProtect app on mobile devices
- Provides IPv6 connections
For GlobalProtect Clientless VPN, this feature also requires you to install a GlobalProtect subscription on the firewall that hosts the Clientless VPN from the GlobalProtect portal. You also need the GlobalProtect Clientless VPN dynamic updates to use this feature.
Feature          Subscription Required?
HIP Checks       Yes
IPv6 support     Yes
Clientless VPN   Yes
See Activate Licenses for information on installing licenses on the firewall.
Get Started
For GlobalProtect to work, you must set up the infrastructure that allows all of the components to communicate. At a basic level, this means setting up the interfaces and zones to which the GlobalProtect end users connect to access the portal and the gateways to the network. Because the GlobalProtect components communicate over secure channels, you must acquire and deploy the required SSL certificates to the various components. The following sections guide you through the steps to set up the GlobalProtect infrastructure:
- Create Interfaces and Zones for GlobalProtect
- Enable SSL Between GlobalProtect Components
Create Interfaces and Zones for GlobalProtect
You must configure the following interfaces and zones for your GlobalProtect infrastructure:
- GlobalProtect portal: Requires a Layer 3 or loopback interface for the GlobalProtect clients' connection. If the portal and gateway are on the same firewall, they can use the same interface. The portal must be in a zone that is accessible from outside your network, for example: DMZ.
- GlobalProtect gateways: The interface and zone requirements for the gateway depend on whether the gateway you are configuring is external or internal, as follows:
  - External gateways: Requires a Layer 3 or loopback interface and a logical tunnel interface for the client to establish a VPN tunnel. The Layer 3/loopback interface must be in an external zone, such as DMZ. A tunnel interface can be in the same zone as the interface connecting to your internal resources (for example, trust). For added security and better visibility, you can create a separate zone, such as corp-vpn. If you create a separate zone for your tunnel interface, you must create security policies that enable traffic to flow between the VPN zone and the trust zone.
  - Internal gateways: Requires a Layer 3 or loopback interface in your trust zone. You can also create a tunnel interface for access to your internal gateways, but this is not required.
For tips on how to use a loopback interface to provide access to GlobalProtect on different ports and addresses, refer to Can GlobalProtect Portal Page be Configured to be Accessed on any Port?
For more information about portals and gateways, see About the GlobalProtect Components.
[Table: Set Up Interfaces and Zones for GlobalProtect (steps not preserved in extraction).]
Enable SSL Between GlobalProtect Components
All interaction between the GlobalProtect components occurs over an SSL/TLS connection. Therefore, you must generate and/or install the required certificates before configuring each component so that you can reference the appropriate certificate(s) in the configurations. The following sections describe the supported methods of certificate deployment, descriptions and best practice guidelines for the various GlobalProtect certificates, and provide instructions for generating and deploying the required certificates:
- About GlobalProtect Certificate Deployment
- GlobalProtect Certificate Best Practices
- Deploy Server Certificates to the GlobalProtect Components

About GlobalProtect Certificate Deployment
There are three basic approaches to Deploy Server Certificates to the GlobalProtect Components:
- (Recommended) Combination of third-party certificates and self-signed certificates: Because the end clients will be accessing the portal prior to GlobalProtect configuration, the client must trust the certificate to establish an HTTPS connection.
- Enterprise Certificate Authority: If you already have your own enterprise CA, you can use this internal CA to issue certificates for each of the GlobalProtect components and then import them onto the firewalls hosting your portal and gateway(s). In this case, you must also ensure that the end user systems/mobile devices trust the root CA certificate used to issue the certificates for the GlobalProtect services to which they must connect.
- Self-Signed Certificates: You can generate a self-signed CA certificate on the portal and use it to issue certificates for all of the GlobalProtect components. However, this solution is less secure than the other options and is therefore not recommended. If you do choose this option, end users will see a certificate error the first time they connect to the portal. To prevent this, you can deploy the self-signed root CA certificate to all end user systems manually or using some sort of centralized deployment, such as an Active Directory Group Policy Object (GPO).

GlobalProtect Certificate Best Practices
The following table summarizes the SSL/TLS certificates you will need, depending on which features you plan to use:
Table: GlobalProtect Certificate Requirements
Certificate | Usage | Issuing Process/Best Practices
[Table rows not preserved in extraction.]
For details about the types of keys for secure communication between the GlobalProtect endpoint and the portals and gateways, see Reference: GlobalProtect Agent Cryptographic Functions.
Deploy Server Certificates to the GlobalProtect Components
The following table shows the best practice steps for deploying SSL/TLS certificates to the GlobalProtect components:
Deploy SSL Server Certificates to the GlobalProtect Components
Import a server certificate from a well-known, third-party CA.
Use a server certificate from a well-known, third-party CA for the GlobalProtect portal. This practice ensures that the end users are able to establish an HTTPS connection without seeing warnings about untrusted certificates.
The CN and, if applicable, the SAN fields of the certificate must match the FQDN or IP address of the interface where you plan to configure the portal or the device check-in interface on a third-party mobile endpoint management system. Wildcard matches are supported.
Before you import a certificate, make sure the certificate and key files are accessible from your management system and that you have the passphrase to decrypt the private key.
1. Select Device > Certificate Management > Certificates > Device Certificates.
2. Click Import.
3. Use the Local certificate type (the default).
4. Enter a Certificate Name.
5. Enter the path and name to the Certificate File received from the CA, or Browse to find the file.
6. Select Encrypted Private Key and Certificate (PKCS12) as the File Format.
7. Enter the path and name to the PKCS#12 file in the Key File field or Browse to find it.
8. Enter and re-enter the Passphrase that was used to encrypt the private key and then click OK to import the certificate and key.
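The CN/SAN-versus-FQDN requirement above is easy to get wrong before a certificate is imported. The following added example (not code from this guide or from PAN-OS) checks a certificate's CN and SAN DNS names against the portal or gateway interface name, applying the whole-label wildcard matching the guide says is supported; the certificate names and hostnames in it are constructed.

```python
"""Check that a portal or gateway server certificate's names cover the FQDN
(or IP address) that GlobalProtect endpoints connect to, including the
whole-label wildcard matching the guide says is supported.
Added example, not code from the GlobalProtect guide or from PAN-OS; the
certificate names and hostnames used below are constructed."""
from typing import Dict, List, Optional


def _looks_like_ipv4(host: str) -> bool:
    parts = host.strip().split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (CN or SAN dNSName) covers hostname.

    Rules (assumed, modelled on common TLS client behaviour): comparison is
    case-insensitive; a wildcard must be the entire leftmost label, matches
    exactly one label, and is never accepted for an IP address or for a
    pattern with fewer than three labels (so '*.com' is rejected).
    """
    if not pattern.strip() or not hostname.strip():
        return False
    p_labels = pattern.strip().rstrip(".").lower().split(".")
    h_labels = hostname.strip().rstrip(".").lower().split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard covers one label, never zero or several
    if "*" in pattern:
        if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
            return False  # partial (gp*.example.com) or non-leftmost wildcard
        if len(p_labels) < 3 or _looks_like_ipv4(hostname):
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def certificate_covers_host(cn: str, san_dns: List[str],
                            hostname: str) -> Dict[str, Optional[bool]]:
    """Apply the guide's requirement that the CN and, if applicable, the SAN
    fields match the interface FQDN/IP. Returns each check plus the verdict;
    san_matches is None when the certificate carries no SAN DNS names."""
    cn_ok = name_matches(cn, hostname)
    san_ok = any(name_matches(n, hostname) for n in san_dns) if san_dns else None
    accepted = cn_ok and (san_ok if san_dns else True)
    return {"cn_matches": cn_ok, "san_matches": san_ok, "accepted": accepted}


if __name__ == "__main__":
    # Constructed: wildcard certificate covering the portal interface name
    print(certificate_covers_host("*.example.com", ["*.example.com"], "gp.example.com"))
    # Constructed: CN names only the portal, the SAN also lists a gateway;
    # for the gateway interface the CN check fails, so the verdict is False
    print(certificate_covers_host("gp.example.com",
                                  ["gp.example.com", "gw1.example.com"],
                                  "gw1.example.com"))
```

The second constructed case shows why one certificate per component (or a wildcard) is simpler than sharing a certificate whose CN names only the portal.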
Create the root CA certificate for issuing self-signed certificates for the GlobalProtect components.
Create the Root CA certificate on the portal and use it to issue server certificates for the gateways and, optionally, for clients.
Before deploying self-signed certificates, you must create the root CA certificate that signs the certificates for the GlobalProtect components:
1. Select Device > Certificate Management > Certificates > Device Certificates and then click Generate.
2. Use the Local certificate type (the default).
3. Enter a Certificate Name, such as GlobalProtect_CA. The certificate name cannot contain spaces.
4. Do not select a value in the Signed By field. (Without a selection for Signed By, the certificate is self-signed.)
5. Select the Certificate Authority check box.
6. Click OK to generate the certificate.
Use Simple Certificate Enrollment Protocol (SCEP) to request a server certificate from your enterprise CA.
Configure separate SCEP profiles for each portal and gateway you plan to deploy. Then use the specific SCEP profile to generate the server certificate for each GlobalProtect component.
In portal and gateway server certificates, the value of the CN field must include the FQDN (recommended) or IP address of the interface where you plan to configure the portal or gateway and must be identical to the SAN field.
To comply with the U.S. Federal Information Processing Standard (FIPS), you must also enable mutual SSL authentication between the SCEP server and the GlobalProtect portal. (FIPS-CC operation is indicated on the firewall login page and in its status bar.)
After you commit the configuration, the portal attempts to request a CA certificate using the settings in the SCEP profile. If successful, the firewall hosting the portal saves the CA certificate and displays it in the list of Device Certificates.
1. Configure a SCEP Profile for each GlobalProtect portal or gateway:
   a. Enter a Name that identifies the SCEP profile and the component to which you deploy the server certificate. If this profile is for a firewall with multiple virtual systems capability, select a virtual system or Shared as the Location where the profile is available.
   b. (Optional) Configure a SCEP Challenge response mechanism between the PKI and portal for each certificate request. Use either a Fixed challenge password which you obtain from the SCEP server or a Dynamic password where the portal-client submits a username and OTP of your choice to the SCEP Server. For a Dynamic SCEP challenge, this can be the credentials of the PKI administrator.
   c. Configure the Server URL that the portal uses to reach the SCEP server in the PKI (for example, http://10.200.101.1/certsrv/mscep/).
   d. Enter a string (up to 255 characters in length) in the CA-IDENT Name field to identify the SCEP server.
   e. Enter the Subject name to use in the certificates generated by the SCEP server. The subject must include a common name (CN) key in the format CN=<value> where <value> is the FQDN or IP address of the portal or gateway.
   f. Select the Subject Alternative Name Type. To enter the email name in a certificate's subject or Subject Alternative Name extension, select RFC 822 Name. You can also enter the DNS Name to use to evaluate certificates, or the Uniform Resource Identifier to identify the resource from which the client will obtain the certificate.
   g. Configure additional cryptographic settings including the key length (Number of Bits), and Digest algorithm for the certificate signing request.
   h. Configure the permitted uses of the certificate, either for signing (Use as digital signature) or encryption (Use for key encipherment).
   i. To ensure that the portal is connecting to the correct SCEP server, enter the CA Certificate Fingerprint. Obtain this fingerprint from the SCEP server interface in the Thumbprint field.
   j. Enable mutual SSL authentication between the SCEP server and the GlobalProtect portal.
   k. Click OK and then Commit the configuration.
2. Select Device > Certificate Management > Certificates > Device Certificates and then click Generate.
3. Enter a Certificate Name. This name cannot contain spaces.
4. Select the SCEP Profile to use to automate the process of issuing a server certificate that is signed by the enterprise CA to a portal or gateway, and then click OK to generate the certificate. The GlobalProtect portal uses the settings in the SCEP profile to submit a CSR to your enterprise PKI.
Authentication
The GlobalProtect portal and gateway must authenticate the end user before it allows access to GlobalProtect resources. You must configure authentication mechanisms before continuing with the portal and gateway setup. The following sections detail the supported authentication mechanisms and how to configure them:
- About GlobalProtect User Authentication
- Set Up External Authentication
- Set Up Client Certificate Authentication
- Set Up Two-Factor Authentication
- Set Up Authentication for strongSwan Ubuntu and CentOS Clients
- Set Up Multi-Factor Authentication
- Enable Group Mapping
About GlobalProtect User Authentication
The first time a GlobalProtect client connects to the portal, the user is prompted to authenticate to the portal. If authentication succeeds, the GlobalProtect portal sends the GlobalProtect configuration, which includes the list of gateways to which the agent can connect, and optionally a client certificate for connecting to the gateways. After successfully downloading and caching the configuration, the client attempts to connect to one of the gateways specified in the configuration. Because these components provide access to your network resources and settings, they also require the end user to authenticate.
The appropriate level of security required on the portal and gateways varies with the sensitivity of the resources that the gateway protects. GlobalProtect provides a flexible authentication framework that allows you to choose the authentication profile and certificate profile that are appropriate to each component.
- Supported GlobalProtect Authentication Methods
- How Does the Agent or App Know What Credentials to Supply?

Supported GlobalProtect Authentication Methods
The following table describes the authentication methods that GlobalProtect supports and provides usage guidelines.
Authentication Method | Description
[Rows preceding Two-factor authentication not preserved in extraction.]
Two-factor authentication | With two-factor authentication, the portal or gateway uses two mechanisms to authenticate a user, such as a one-time password in addition to AD login credentials. You can enable two-factor authentication on the portal and gateways by configuring a certificate profile and an authentication profile and adding them both to the portal and/or gateway configuration.
You can configure the portal and gateways to use the same authentication methods or use different methods. Regardless, with two-factor authentication, the client must successfully authenticate by the two mechanisms that the component demands before it grants access.
If the certificate profile specifies a Username Field from which GlobalProtect can obtain a username, the external authentication service automatically uses the username to authenticate the user to the external authentication service specified in the authentication profile. For example, if the Username Field in the certificate profile is set to Subject, the value in the common name field of the certificate is used as the username when the authentication server tries to authenticate the user. If you do not want to force users to authenticate with a username from the certificate, make sure the certificate profile is set to None for the Username Field. See Remote Access VPN with Two-Factor Authentication for an example configuration.
Multi-Factor Authentication for non-HTTP applications | For sensitive, non-HTTP network resources (for example, financial applications or software development applications) that may require additional authentication, GlobalProtect clients can now notify and prompt the user to perform the timely, multi-factor authentication needed to access these resources.

How Does the Agent or App Know What Credentials to Supply?
By default, the GlobalProtect agent attempts to use the same login credentials for the gateway that it used for portal login. In the simplest case, where the gateway and the portal use the same authentication profile and/or certificate profile, the agent will connect to the gateway transparently.
On a per-agent-configuration basis, you can also customize which GlobalProtect portal and gateways (internal, external, or manual only) require different credentials (such as unique OTPs). This enables the GlobalProtect portal or gateway to prompt for the unique OTP without first prompting for the credentials specified in the authentication profile.
There are two options for modifying the default agent authentication behavior so that authentication is both stronger and faster:
- Cookie Authentication on the Portal or Gateway
- Credential Forwarding to Some or All Gateways
Cookie Authentication on the Portal or Gateway
Cookie authentication simplifies the authentication process for end users because they are no longer required to log in to both the portal and the gateway in succession or to enter multiple OTPs to authenticate to each. This improves the user experience by minimizing the number of times that users must enter credentials. In addition, cookies enable use of a temporary password to re-enable VPN access after the user's password expires.
You can configure cookie authentication settings independently for the portal and for individual gateways (for example, you can impose a shorter cookie lifetime on gateways that protect sensitive resources). After the portal or a gateway deploys an authentication cookie to the endpoint, the portal and the gateways all rely on that same cookie to authenticate the user. When the agent presents the cookie, the portal or gateway evaluates whether the cookie is valid based on its own configured cookie lifetime. If the cookie has expired, GlobalProtect automatically prompts the user to authenticate with the portal or gateway. When authentication succeeds, the portal or gateway issues a replacement authentication cookie to the endpoint and the validity period starts over.
Consider the following example, where you configure the cookie lifetime for the portal, which does not protect sensitive information, as 15 days, but configure the cookie lifetime for gateways, which do protect sensitive information, as 24 hours. When the user first authenticates with the portal, the portal issues the authentication cookie. If after five days the user attempted to connect to the portal, the authentication cookie would still be valid. However, if after five days the user attempted to connect to the gateway, the gateway would evaluate the cookie lifetime and determine that it had expired (5 days > 24 hours). The agent would then automatically prompt the user to authenticate with the gateway and, on successful authentication, receive a replacement authentication cookie. The new authentication cookie would then be valid for another 15 days on the portal and another 24 hours on the gateways.
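The following Python model replays the 15-day / 24-hour scenario above. It is an added example written for this page, not GlobalProtect code: the timestamps, the lifetimes and the `always_ok` stand-in for a successful OTP or password prompt are constructed, and the agent, portal and gateway are reduced to the single rule the text describes (one shared cookie, each component applies its own lifetime to the cookie's issue time, and a successful re-authentication restarts the period for every component).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Tuple

# Per-component cookie lifetimes from the worked example: a portal that does not
# protect sensitive data keeps a cookie for 15 days, gateways that do for 24 hours.
# Constructed values for this example; use the lifetimes configured in your deployment.
COOKIE_LIFETIMES: Dict[str, timedelta] = {
    "portal": timedelta(days=15),
    "gateway": timedelta(hours=24),
}


@dataclass(frozen=True)
class AuthCookie:
    """The one authentication cookie shared by the portal and the gateways.

    Only the issue time matters: each component applies its own configured
    lifetime to the same issue time, so one cookie can be valid for the portal
    and expired for a gateway at the same moment.
    """
    issued_at: datetime


def cookie_is_valid(cookie: AuthCookie, component: str, now: datetime) -> bool:
    """True if `component` would accept `cookie` at time `now` without prompting."""
    return now - cookie.issued_at < COOKIE_LIFETIMES[component]


def connect(cookie: AuthCookie, component: str, now: datetime,
            authenticate: Callable[[], bool]) -> Tuple[bool, AuthCookie]:
    """Model one connection attempt by the agent against a portal or gateway.

    Returns (prompted, cookie). `prompted` is False when the cookie was accepted
    silently and True when it had expired and the user had to re-authenticate
    (the `authenticate` callback stands in for the password/OTP prompt). After a
    successful re-authentication the component issues a replacement cookie, so
    the validity period starts over for every component, not just this one.
    """
    if cookie_is_valid(cookie, component, now):
        return False, cookie
    if not authenticate():
        raise PermissionError(f"{component}: cookie expired and re-authentication failed")
    return True, AuthCookie(issued_at=now)


def replay_example() -> dict:
    """Replay the 15-day / 24-hour scenario from the text and report what happened."""
    t0 = datetime(2017, 2, 6, 9, 0)          # first portal login (constructed timestamp)
    day5 = t0 + timedelta(days=5)

    def always_ok() -> bool:                 # the user enters a valid OTP/password
        return True

    cookie = AuthCookie(issued_at=t0)        # issued by the portal at first login
    portal_prompted, cookie = connect(cookie, "portal", day5, always_ok)
    gateway_prompted, cookie = connect(cookie, "gateway", day5, always_ok)

    # What happens when the holder of an expired cookie cannot re-authenticate.
    try:
        connect(AuthCookie(issued_at=t0), "gateway", day5, lambda: False)
        denied = False
    except PermissionError:
        denied = True

    return {
        "portal_prompted_day5": portal_prompted,     # 5 days < 15 days: accepted silently
        "gateway_prompted_day5": gateway_prompted,   # 5 days > 24 hours: user re-authenticates
        "replacement_issued_at": cookie.issued_at,   # the new cookie is dated day 5
        # ... and is good for another 24 hours on the gateway
        "gateway_ok_after_23h": cookie_is_valid(cookie, "gateway", day5 + timedelta(hours=23)),
        "gateway_ok_after_25h": cookie_is_valid(cookie, "gateway", day5 + timedelta(hours=25)),
        # ... and another 15 days on the portal, counted from day 5, not from day 0
        "portal_ok_day19": cookie_is_valid(cookie, "portal", t0 + timedelta(days=19)),
        "portal_ok_day21": cookie_is_valid(cookie, "portal", t0 + timedelta(days=21)),
        "denied_when_reauth_fails": denied,
    }
```

Two things the replay makes visible that the prose only implies: the gateway's shorter lifetime, not the portal's, decides when a user on a sensitive path is re-prompted, and the replacement cookie a gateway issues also restarts the portal's 15-day clock. A stolen cookie therefore buys at most the shortest configured lifetime on the resources that matter, but a re-authentication anywhere refreshes it everywhere.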
For an example of how to use this option, see Set Up Two-Factor Authentication.
Credential Forwarding to Some or All Gateways
With two-factor authentication, you can specify the portal and/or types of gateways (internal, external, or manual only) that prompt for their own set of credentials. This option speeds up the authentication process when the portal and the gateway require different credentials (either different OTPs or different login credentials entirely). For each portal or gateway that you select, the agent will not forward credentials, allowing you to customize the security for different GlobalProtect components. For example, you can have the same security on your portals and internal gateways, while requiring a second-factor OTP or a different password for access to those gateways that provide access to your most sensitive resources.
For an example of how to use this option, see Set Up Two-Factor Authentication.
Set Up External Authentication
The following workflows describe how to set up the GlobalProtect portal and gateways to use an external authentication service. The supported authentication services are LDAP, Kerberos, RADIUS, SAML, and TACACS+.
These workflows also describe how to create an optional authentication profile that a portal or gateway can use to identify the external authentication service. This step is optional for external authentication because the authentication profile can also specify the local authentication database or None.
GlobalProtect also supports local authentication. To use local authentication, create a local user database (Device > Local User Database) that contains the users and groups to which you want to allow VPN access and then refer to that database in the authentication profile.
For more information, see Supported GlobalProtect Authentication Methods or watch a video.
The options for setting up external authentication include:
Set Up LDAP Authentication
Set Up SAML Authentication
Set Up Kerberos Authentication
Set Up RADIUS or TACACS+ Authentication
LDAP is often used by organizations as a central repository for user information and as an authentication service. It can also be used to store the role information for application users.
Set Up LDAP User Authentication
8. Select the Advanced tab.
9. In the Allow List, Add and then select the users and groups that are allowed to authenticate with this profile. Selecting the predefined all option allows every user to authenticate. By default, the list has no entries, which means no users can authenticate.
10. Click OK.
Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider (IdP) and a service provider. SAML is a product of the OASIS Security Services Technical Committee.
Set Up SAML User Authentication
Kerberos is a computer network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.
Set Up Kerberos Authentication
RADIUS is a client/server protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service.
TACACS+ is a well-established authentication protocol common to UNIX networks that allows a remote access server to forward a user's logon password to an authentication server to determine whether access can be allowed to a given system.
Set Up RADIUS or TACACS+ Authentication
Set Up Client Certificate Authentication
With the optional client certificate authentication, the agent/app presents a client certificate along with its connection request to the GlobalProtect portal or gateway. The portal or gateway can use either a shared or a unique client certificate to validate that the user or device belongs to your organization.
The methods for deploying client certificates depend on the security requirements for your organization:
Deploy Shared Client Certificates for Authentication
Deploy Machine Certificates for Authentication
Deploy User-Specific Client Certificates for Authentication
To confirm that an endpoint user belongs to your organization, you can use the same client certificate for all endpoints or generate separate certificates to deploy with a particular agent configuration. Use this workflow to issue self-signed client certificates for this purpose and deploy them from the portal.
Deploy Shared Client Certificates for Authentication
To confirm that the endpoint belongs to your organization, use your own public key infrastructure (PKI) to issue and distribute machine certificates to each endpoint (recommended) or generate a self-signed machine certificate for export. With the pre-logon connect methods, a machine certificate is required and must be installed on the endpoint before GlobalProtect components will grant access.
A machine certificate confirms only the endpoint. To confirm that the user also belongs to your organization, you must additionally configure an authentication profile to authenticate the user. See Two-Factor Authentication.
Use the following workflow to create the client certificate and manually deploy it to an endpoint. For more information, see About GlobalProtect User Authentication. For an example configuration, see Remote Access VPN (Certificate Profile).
Deploy Machine Certificates for Authentication
4. Expand Certificates and select Personal, and then in the Actions column select Personal > More Actions > All Tasks > Import and follow the steps in the Certificate Import Wizard to import the PKCS file you got from the CA.
5. Browse to the .p12 certificate file to import (select Personal Information Exchange as the file type to browse for) and enter the Password that you used to encrypt the private key. Select Personal as the Certificate store.
To authenticate individual users, you must issue a unique client certificate to each GlobalProtect user and deploy the client certificate to the endpoints prior to enabling GlobalProtect. To automate the generation and deployment of user-specific client certificates, you can configure your GlobalProtect portal to act as a Simple Certificate Enrollment Protocol (SCEP) client to a SCEP server in your enterprise PKI.
SCEP operation is dynamic in that the enterprise PKI generates a user-specific certificate when the portal requests it and sends the certificate to the portal. The portal then transparently deploys the certificate to the client. When a user requests access, the agent or app can then present the client certificate to authenticate with the portal or gateway.
The GlobalProtect portal or gateway uses identifying information about the device and user to evaluate whether to permit access to the user. GlobalProtect blocks access if the host ID is on a device block list or if the session matches any blocking options specified in a certificate profile. If client authentication fails due to an invalid SCEP-based client certificate, the GlobalProtect client tries to authenticate with the portal per the settings in the authentication profile and retrieve the certificate. If the client cannot retrieve the certificate from the portal, the device is not able to connect.
Deploy User-Specific Client Certificates for Authentication
Set Up Two-Factor Authentication
If you require strong authentication to protect sensitive assets or to comply with regulatory requirements, such as PCI, SOX, or HIPAA, configure GlobalProtect to use an authentication service that uses a two-factor authentication scheme. A two-factor authentication scheme requires two things: something the end user knows (such as a PIN or password) and something the end user has (a hardware or software token/OTP, smart card, or certificate). You can also enable two-factor authentication using a combination of external authentication services and client and certificate profiles.
The following topics provide examples for how to set up two-factor authentication on GlobalProtect:
Enable Two-Factor Authentication Using Certificate and Authentication Profiles
Enable Two-Factor Authentication Using One-Time Passwords (OTPs)
Enable Two-Factor Authentication Using Smart Cards
The following workflow describes how to configure GlobalProtect client authentication requiring the user to authenticate both to a certificate profile and an authentication profile. The user must successfully authenticate using both methods in order to connect to the portal/gateway. For more details on this configuration, see Remote Access VPN with Two-Factor Authentication.
Enable Two-Factor Authentication Using Certificate and Authentication Profiles
Use this workflow to configure two-factor authentication using one-time passwords (OTPs) on the portal and gateways. When a user requests access, the portal or gateway prompts the user to enter an OTP. The authentication service sends the OTP as a token to the user's RSA device.
Setting up a two-factor authentication scheme is similar to setting up other types of authentication and requires you to configure:
A server profile (usually for a RADIUS service for two-factor authentication) assigned to an authentication profile.
A client authentication profile that includes the authentication profile for the service that these components use.
By default, the agent supplies the same credentials it used to log in to the portal when it logs in to the gateway. In the case of OTP authentication, this behavior causes the authentication to initially fail on the gateway (the OTP has already been used once) and, because of the delay this causes in prompting the user for a login, the user's OTP may expire. To prevent this, configure, on a per-agent-configuration basis, the portals and gateways that must prompt for their own OTP instead of reusing the same credentials.
You can also reduce the frequency with which users are prompted for OTPs by configuring an authentication override. This enables the portals and gateways to generate and accept a secure encrypted cookie to authenticate the user for a specified amount of time. The portals and/or gateways will not require a new OTP until the cookie expires, thus reducing the number of times users must provide an OTP.
Enable Two-Factor Authentication Using OTPs
The second prompt requests your token or OTP.
If you want to enable your end users to authenticate using a smart card or common access card (CAC), you must import the Root CA certificate that issued the certificates contained on the end user CAC or smart cards onto the portal and gateway. You can then create a certificate profile that includes that Root CA and apply it to your portal and/or gateway configurations to enable use of the smart card in the authentication process.
Enable Smart Card Authentication
Set Up Authentication for strongSwan Ubuntu and CentOS Clients
To extend GlobalProtect VPN remote access support to strongSwan Ubuntu and CentOS clients, set up authentication for the strongSwan clients.
To view the minimum GlobalProtect release version that supports strongSwan on Ubuntu Linux and CentOS, see What Client OS Versions are Supported with GlobalProtect?.
To connect to the GlobalProtect gateway, the user must successfully authenticate. The following workflows show examples of how to enable authentication for strongSwan clients. For complete information about strongSwan, see the strongSwan wiki.
Enable Authentication Using a Certificate Profile
Enable Authentication Using an Authentication Profile
Enable Authentication Using Two-Factor Authentication
The following workflow shows how to enable authentication for strongSwan clients using a certificate profile.
Enable Authentication Using a Certificate Profile
The following workflow shows how to enable authentication for strongSwan clients using an authentication profile. The authentication profile specifies which server profile to use when authenticating strongSwan clients.
Enable Authentication Using an Authentication Profile
With two-factor authentication, the strongSwan client needs to successfully authenticate using both a certificate profile and an authentication profile to connect to the GlobalProtect gateway. The following workflow shows how to enable authentication for strongSwan clients using two-factor authentication.
Enable Authentication Using Two-Factor Authentication
Set Up Multi-Factor Authentication
You can leverage Authentication features within GlobalProtect to support access to non-HTTP applications that require multi-factor authentication. GlobalProtect can notify and prompt the user to perform the timely, multi-factor authentication needed to access sensitive network resources.
When matching policy against user requests for resources, the firewall first evaluates Authentication policy and then Security policy. Upon matching an Authentication policy rule, the firewall first invokes the primary authentication service associated with the rule. The primary service can use single-factor authentication (such as SAML 2.0 authentication or client certificate authentication) or MFA that you configured through a RADIUS server. Then the firewall invokes each MFA service that you configured through an API integration. Each MFA service can prompt the user to select one authentication method from a list of several. GlobalProtect supports the following methods:
Push: An endpoint device (such as a phone or tablet) prompts the user to allow or deny authentication.
Short message service (SMS): An SMS message prompts the user to allow or deny authentication.
Voice: An automated phone call prompts the user to authenticate by pressing a key.
One-time password (OTP): The user receives an automatically generated alphanumeric string that enables authentication for a single transaction or session.
A GlobalProtect client is a requirement for multi-factor authentication on non-HTTP applications. For browser-based applications that require multi-factor authentication, users are automatically presented with the Authentication Portal page (previously called the Captive Portal page). For non-HTTP applications, if a session matches an Authentication policy rule, the firewall sends a UDP notification to the GlobalProtect client with an embedded URL link to the Authentication Portal page. GlobalProtect displays this message as a pop-up notification to the user.
You can customize the message that GlobalProtect users see when prompted to authenticate. Clicking the link sends the user to the Authentication Portal page, where they can start the multi-factor authentication process (the same as with browser-based HTTP applications).
For GlobalProtect to support multi-factor authentication on external gateways, you must configure a response page on the tunnel interface. Refer to Configure Multi-Factor Authentication for more information on how to configure an MFA Login response page.
Configure GlobalProtect to Support Multi-Factor Authentication
Enable Group Mapping
Because the agent or app running on your end user systems requires the user to successfully authenticate before being granted access to GlobalProtect, the identity of each GlobalProtect user is known. However, if you want to be able to define GlobalProtect configurations and/or security policies based on group membership, the firewall must retrieve the list of groups and the corresponding list of members from your directory server. This is known as group mapping.
To enable this functionality, you must create an LDAP server profile that instructs the firewall how to connect and authenticate to the directory server and how to search the directory for the user and group information. After the firewall connects to the LDAP server and retrieves the group mappings, you can select groups when you define the agent configurations and security policies. The firewall supports a variety of LDAP directory servers, including Microsoft Active Directory (AD), Novell eDirectory, and Sun ONE Directory Server.
Use the following procedure to connect to your LDAP directory to enable the firewall to retrieve user-to-group mapping information:
Map Users to Groups
Step 2: Add the LDAP server profile to the User-ID Group Mapping configuration.
1. Select Device > User Identification > Group Mapping Settings and click Add.
2. Enter a Name for the configuration.
3. Select the Server Profile you just created.
4. Make sure the Enabled check box is selected.
GlobalProtect Gateways
Because the GlobalProtect configuration that the portal delivers to the agents includes the list of gateways the client can connect to, it is a good idea to configure the gateways before configuring the portal.
The GlobalProtect gateways can be configured to provide two main functions:
Enforce security policy for the GlobalProtect agents and apps that connect to it. You can also enable HIP collection on the gateway for enhanced security policy granularity. For more information on enabling HIP checks, see Host Information.
Provide virtual private network (VPN) access to your internal network. VPN access is provided through an IPSec or SSL tunnel between the client and a tunnel interface on the gateway firewall.
You can also configure GlobalProtect gateways on VM-Series firewalls deployed in the AWS cloud. By deploying the VM-Series firewall in the AWS cloud you can quickly and easily deploy GlobalProtect gateways in any region without the expense or IT logistics that are typically required to set up this infrastructure using your own resources. For details, see Use Case: VM-Series Firewalls as GlobalProtect Gateways in AWS.
GlobalProtect Gateway Concepts
Prerequisite Tasks for Configuring the GlobalProtect Gateway
Configure a GlobalProtect Gateway
GlobalProtect Gateway Concepts
These sections provide information about gateway connection priority in a multiple gateway configuration and MIB support for GlobalProtect gateways.
Gateway Priority in a Multiple Gateway Configuration
GlobalProtect MIB Support
To enable secure access for your mobile workforce no matter where they are located, you can strategically deploy additional Palo Alto Networks next-generation firewalls and configure them as GlobalProtect gateways. To determine the preferred gateway to which your agents connect, add the gateways to a portal agent configuration and assign each gateway a connection priority. See Define the GlobalProtect Agent Configurations.
If a GlobalProtect portal agent configuration contains more than one gateway, the agent attempts to connect to all gateways listed in its agent configuration. The agent then uses priority and response time to determine the gateway to which to connect. The agent connects to a lower priority gateway only if the response time for the higher priority gateway is greater than the average response time across all gateways.
For example, suppose gw1 has the higher priority and responds in 80 ms, while gw2 responds in 25 ms. The agent determines that the response time for the gateway with the highest priority (gw1, 80 ms) is greater than the average response time for both gateways (52.5 ms) and, as a result, connects to gw2. In this example, the agent did not connect to gw1 even though it had the higher priority because a response time of 80 ms was higher than the average for both.
Now consider response times for gw1, gw2, and a third gateway, gw3, whose average across all three gateways is 35 ms, with gw1 and gw2 both responding faster than that average. The agent evaluates which gateways responded faster than the average response time and finds that gw1 and gw2 both did. It then connects to whichever of those gateways has the highest priority. In this example, the agent connects to gw1 because gw1 has the highest priority of all the gateways with response times below the average.
In addition to gateway priority, if you add one or more source regions to an external gateway configuration, GlobalProtect recognizes the device region and only allows users to connect to gateways that are configured for that region. For gateway choices, source region is considered first, then gateway priority.
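The selection rule described above, written out as an added example for this page (not GlobalProtect's own code). It combines the facts the text gives: the agent probes every gateway in the agent configuration, a gateway is eligible only if its response time is not above the average, the highest-priority eligible gateway wins, and source-region filtering is applied before any of that. The gateway names, priorities, region tags and response times are constructed; the text does not say how an unreachable gateway enters the average, so here a gateway that did not answer is left out of it (an assumption).

```python
from statistics import mean
from typing import Dict, FrozenSet, List, NamedTuple, Optional


class Gateway(NamedTuple):
    """A gateway entry from a portal agent configuration (constructed for this example)."""
    name: str
    priority: int                            # larger value = preferred
    regions: FrozenSet[str] = frozenset()    # source regions allowed; empty = no restriction


def eligible_by_region(gateways: List[Gateway], device_region: Optional[str]) -> List[Gateway]:
    """Source region is evaluated before priority: drop gateways not configured for the device's region."""
    if device_region is None:
        return list(gateways)
    return [g for g in gateways if not g.regions or device_region in g.regions]


def select_gateway(gateways: List[Gateway], response_ms: Dict[str, float],
                   device_region: Optional[str] = None) -> Optional[str]:
    """Pick the gateway the agent connects to.

    `response_ms` holds the measured response time of each gateway that answered
    the agent's probe; gateways missing from it are treated as unreachable and
    left out of the average (assumption, see the lead-in).
    """
    candidates = [g for g in eligible_by_region(gateways, device_region) if g.name in response_ms]
    if not candidates:
        return None
    average = mean(response_ms[g.name] for g in candidates)
    # A gateway is skipped only when it is slower than the average; a tie is still eligible.
    fast_enough = [g for g in candidates if response_ms[g.name] <= average]
    return max(fast_enough, key=lambda g: g.priority).name


# The two scenarios from the text, plus two the text describes in words only.
TWO_GATEWAYS = [Gateway("gw1", priority=2), Gateway("gw2", priority=1)]
THREE_GATEWAYS = [Gateway("gw1", priority=3), Gateway("gw2", priority=2), Gateway("gw3", priority=1)]
REGIONAL_GATEWAYS = [
    Gateway("gw-us", priority=2, regions=frozenset({"US"})),
    Gateway("gw-eu", priority=1, regions=frozenset({"EU"})),
]


def example_two_gateways() -> Optional[str]:
    # gw1 is preferred but answers in 80 ms; the average is 52.5 ms, so gw2 wins.
    return select_gateway(TWO_GATEWAYS, {"gw1": 80.0, "gw2": 25.0})


def example_three_gateways() -> Optional[str]:
    # Average 35 ms; gw1 and gw2 are both faster than that, and gw1 has the higher priority.
    return select_gateway(THREE_GATEWAYS, {"gw1": 30.0, "gw2": 20.0, "gw3": 55.0})


def example_region_first() -> Optional[str]:
    # An EU device may only use gw-eu, even though gw-us is faster and preferred.
    return select_gateway(REGIONAL_GATEWAYS, {"gw-us": 10.0, "gw-eu": 40.0}, device_region="EU")


def example_preferred_unreachable() -> Optional[str]:
    # gw1 never answered the probe, so only gw2 is considered.
    return select_gateway(TWO_GATEWAYS, {"gw2": 90.0})
```

One consequence worth carrying into a threat model: because the choice depends on measured latency, a lower-priority gateway is selected whenever the preferred one is slow, so every gateway in the list must enforce the same policy and authentication strength. Priority order is a performance preference, not a security boundary.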
Palo Alto Networks devices support standard and enterprise management information bases (MIBs) that enable you to monitor the device's physical state, utilization statistics, traps, and other useful information. Most MIBs use object groups to describe characteristics of the device using the Simple Network Management Protocol (SNMP) framework. You must load these MIBs into your SNMP manager to monitor the objects (device statistics and traps) that are defined in the MIBs (for details, see Use an SNMP Manager to Explore MIBs and Objects in the PAN-OS 8.0 Administrator's Guide).
The PAN-COMMON-MIB, which is included with the enterprise MIBs, uses the panGlobalProtect object group. The following table describes the objects that make up the panGlobalProtect object group.
Object | Description
panGPGWUtilizationPct | Utilization (as a percentage) of the GlobalProtect gateway
panGPGWUtilizationMaxTunnels | Maximum number of tunnels allowed
panGPGWUtilizationActiveTunnels | Number of active tunnels
Use these SNMP objects to monitor utilization of GlobalProtect gateways and make changes as needed. For example, if the number of active tunnels reaches 80% or more of the maximum number of tunnels allowed, you should consider adding gateways.
Prerequisite Tasks for Configuring the GlobalProtect Gateway
Before you can configure the GlobalProtect gateway, you must have completed the following tasks:
Created the interfaces (and zones) for the interface where you plan to configure each gateway. For gateways that require tunnel connections you must configure both the physical interface and the virtual tunnel interface. See Create Interfaces and Zones for GlobalProtect.
Set up the gateway server certificates and SSL/TLS service profile required for the GlobalProtect agent to establish an SSL connection with the gateway. See Enable SSL Between GlobalProtect Components.
Defined the authentication profiles and/or certificate profiles that will be used to authenticate GlobalProtect users. See Authentication.
Configure a GlobalProtect Gateway
After you have completed the prerequisite tasks, configure the GlobalProtect gateways:
Configure the Gateway
GlobalProtect Portals
The GlobalProtect portal provides the management functions for your GlobalProtect infrastructure. Every endpoint that participates in the GlobalProtect network receives configuration information from the portal, including information about available gateways as well as any client certificates that may be required to connect to the gateways. In addition, the portal controls the behavior and distribution of the GlobalProtect agent software to both Mac and Windows laptops.
The portal does not distribute the GlobalProtect app for use on mobile devices. To get the GlobalProtect app for mobile devices, end users must download it from the store for their device: App Store for iOS, Google Play for Android, Chrome Web Store for Chromebooks, or Microsoft Store for Windows 10 UWP. However, the agent configurations that get deployed to mobile app users do control the gateway(s) to which the mobile devices have access. For more details on supported versions, see What Client OS Versions are Supported with GlobalProtect?
In addition to distributing GlobalProtect client software, you can configure the GlobalProtect portal to provide secure remote access to common enterprise web applications that use HTML, HTML5, and JavaScript technologies. Users have the advantage of secure access from SSL-enabled web browsers without installing GlobalProtect client software. This is useful when you need to enable partner or contractor access to applications, and to safely enable unmanaged assets, including personal devices. Refer to GlobalProtect Clientless VPN.
The following sections provide procedures for setting up the portal:
Prerequisite Tasks for Configuring the GlobalProtect Portal
Set Up Access to the GlobalProtect Portal
Define the GlobalProtect Client Authentication Configurations
Define the GlobalProtect Agent Configurations
Customize the GlobalProtect Agent
Customize the GlobalProtect Portal Login, Welcome, and Help Pages
Prerequisite Tasks for Configuring the GlobalProtect Portal
Before you can configure the GlobalProtect portal, you must complete the following tasks:
Create the interfaces (and zones) for the firewall interface where you plan to configure the portal. See Create Interfaces and Zones for GlobalProtect.
Set up the portal server certificate, gateway server certificate, SSL/TLS service profiles, and, optionally, any client certificates to deploy to end users to enable SSL/TLS connections for the GlobalProtect services. See Enable SSL Between GlobalProtect Components.
Define the optional authentication profiles and certificate profiles that the portal can use to authenticate GlobalProtect users. See Authentication.
Configure a GlobalProtect Gateway and understand Gateway Priority in a Multiple Gateway Configuration.
Set Up Access to the GlobalProtect Portal
After you have completed the Prerequisite Tasks for Configuring the GlobalProtect Portal, configure the GlobalProtect portal as follows:
Set Up Access to the Portal
Define the GlobalProtect Client Authentication Configurations
Each GlobalProtect client authentication configuration specifies the settings that enable the user to authenticate with the GlobalProtect portal. You can customize the settings for each OS or you can configure the settings to apply to all devices. For example, you can configure Android users to use RADIUS authentication and Windows users to use LDAP authentication. You can also customize the client authentication for users who access the portal from a web browser (to download the GlobalProtect agent) or for third-party IPSec VPN (X-Auth) access to GlobalProtect gateways.
Define the GlobalProtect Client Authentication Configurations
Define the GlobalProtect Agent Configurations
After a GlobalProtect user connects to the portal and is authenticated by the GlobalProtect portal, the portal sends the agent configuration to the agent or app, based on the settings you defined. If you have different roles for users or groups that need specific configurations, you can create a separate agent configuration for each user type or user group. The portal uses the OS of the endpoint and the username or group name to determine the agent configuration to deploy. As with other security rule evaluations, the portal starts to search for a match at the top of the list. When it finds a match, the portal sends the right configuration to the agent or app.
The configuration can include the following:
A list of gateways to which the client can connect.
Among the external gateways, any gateway that the user can manually select for the session.
The root CA certificate required to enable the agent or app to establish an SSL connection with the GlobalProtect gateway(s).
The root CA certificate for SSL forward proxy decryption.
The client certificate that the endpoint should present to the gateway when it connects. This configuration is required only if mutual authentication between the client and the portal or gateway is required.
A secure encrypted cookie that the endpoint should present to the portal or gateway when it connects. The cookie is included only if you enable the portal to generate one.
The settings the endpoint uses to determine whether it is connected to the local network or to an external network.
Settings for the behavior of the agent or app, such as what the end users can see in their display, whether they can save their GlobalProtect password, and whether they are prompted to upgrade their software.
If the portal is down or unreachable, the agent uses the cached version of its agent configuration from its last successful portal connection to obtain settings, including the gateway(s) to which the agent can connect, what root CA certificate(s) to use to establish secure communication with the gateway(s), and what connect method to use.
Use the following procedure to create an agent configuration.
Create a GlobalProtect Agent Configuration
Customize the GlobalProtect Agent
The portal agent configuration allows you to customize how your end users interact with the GlobalProtect
agents installed on their systems or the GlobalProtect app installed on their mobile devices. You can define
different agent settings for the different GlobalProtect agent configurations you create. For more
information on GlobalProtect client requirements, see What Client OS Versions are Supported with
GlobalProtect?
You can customize the display and behavior of the agent. For example, you can specify the following:
- What menus and views users can access.
- Whether users can disable the agent (applies to the user-logon connect method only).
- Whether to display a welcome page upon successful login. You can also configure whether or not the
user can dismiss the welcome page, and you can create custom welcome and help pages that explain how
to use GlobalProtect within your environment. See Customize the GlobalProtect Portal Login, Welcome,
and Help Pages.
- Whether agent upgrades occur automatically or whether users are prompted to upgrade.
- Whether to prompt users if multi-factor authentication is needed to access sensitive network resources.
You can also define agent settings directly from the Windows registry or the global Mac plist. For
Windows clients you can also define agent settings directly from the Windows Installer (Msiexec).
Settings defined in the portal agent configurations in the web interface take precedence over
settings defined in the Windows registry/Msiexec or the Mac plist. For more details, see Deploy
Agent Settings Transparently.
Additional options that are available through the Windows command line (Msiexec) or Windows registry
only enable you to (for more information, see Customizable Agent Settings):
- Specify whether the agent should prompt the end user for credentials if Windows SSO fails.
- Specify the default portal IP address (or hostname).
- Enable GlobalProtect to initiate a VPN connection before the user logs in to the endpoint.
- Deploy scripts that run before or after GlobalProtect establishes a VPN connection, or before GlobalProtect
disconnects the VPN connection.
- Enable the GlobalProtect agent to wrap third-party credentials on the Windows client, allowing for SSO
when using a third-party credential provider.
Use the following procedure to customize the GlobalProtect agent.
Customize the Agent
To limit the number of times users can disable the GlobalProtect client, enter a value in the Max Times User
Can Disable field in the Disable GlobalProtect App area. A value of 0 (the default) indicates that users are not
limited in the number of times they can disable the client.
To restrict how long the user may be disconnected, enter a value (in minutes) in the User Can Disable Timeout
(min) field in the Disable GlobalProtect App area. A value of 0 (the default) means that there is no restriction
on how long the user can keep the client disabled.
Customize the GlobalProtect Portal Login, Welcome, and Help Pages
GlobalProtect provides default login, welcome, and help pages. However, you can create your own
custom pages with your corporate branding, acceptable use policies, and links to your internal resources.
You can alternatively disable browser access to the portal login page in order to prevent unauthorized attempts
to authenticate to the GlobalProtect portal (configure the Portal Login Page > Disable option from Network
> GlobalProtect > Portals > portal_config > General). With the portal login page disabled, you can instead
use a software distribution tool, such as Microsoft's System Center Configuration Manager (SCCM), to allow your
users to download and install the GlobalProtect agent.
Customize the Portal Login, Welcome, and Help Pages
Test the help page: Right-click the GlobalProtect icon in the notification area (system tray), and select Help.
The new help page displays.
Test the welcome page: Right-click the GlobalProtect icon in the notification area (system tray), and select
Welcome Page. The new welcome page displays.
Deploy the GlobalProtect Client Software
In order to connect to GlobalProtect, an end host must be running GlobalProtect client software. The
software deployment method depends on the type of client as follows:
- Mac OS and Microsoft Windows endpoints: Require the GlobalProtect agent software, which is
distributed by the GlobalProtect portal. To enable the software for distribution, you must download the
version you want the hosts in your network to use to the firewall hosting your GlobalProtect portal and
then activate the software for download. For instructions on how to download and activate the agent
software on the firewall, see Deploy the GlobalProtect Agent Software.
- Windows 10 phone and Windows 10 UWP endpoints: Require the GlobalProtect app. As with other
mobile device apps, the end user must download the GlobalProtect app from the Microsoft Store. For
instructions on how to download and test the GlobalProtect app installation, see Download and Install
the GlobalProtect Mobile App.
- iOS and Android endpoints: Require the GlobalProtect app. As with other mobile device apps, the end
user must download the GlobalProtect app either from the Apple App Store (iOS devices) or from Google
Play (Android devices). For instructions on how to download and test the GlobalProtect app installation,
see Download and Install the GlobalProtect Mobile App.
- Chromebooks: Require the GlobalProtect app for Chrome OS. Similar to the download process for
mobile device apps, the end user can download the GlobalProtect app from the Chrome Web Store. You
can also deploy the app to a managed Chromebook using the Chromebook Management Console. For
instructions on how to download and test the GlobalProtect app installation, see Download and Install the
GlobalProtect App for Chrome OS.
For more details, see What Client OS Versions are Supported with GlobalProtect?
As an alternative to deploying GlobalProtect client software, you can configure the GlobalProtect portal to
provide secure remote access to common enterprise web applications that use HTML, HTML5, and JavaScript
technologies. Users have the advantage of secure access from SSL-enabled web browsers without installing
GlobalProtect client software. Refer to GlobalProtect Clientless VPN.
Deploy the GlobalProtect Agent Software
There are several ways to deploy the GlobalProtect agent software:
- Directly from the portal: Download the agent software to the firewall hosting the portal and activate it
so that end users can install the updates when they connect to the portal. This option provides flexibility
in that it allows you to control how and when end users receive updates based on the agent configuration
settings you define for each user, group, and/or operating system. However, if you have a large number
of agents that require updates, it could put extra load on your portal. See Host Agent Updates on the
Portal for instructions.
- From a web server: If you have a large number of hosts that will need to upgrade the agent
simultaneously, consider hosting the agent updates on a web server to reduce the load on the firewall.
See Host Agent Updates on a Web Server for instructions.
- Transparently from the command line: For Windows clients, you can deploy agent settings
automatically with the Windows Installer (Msiexec). However, to upgrade to a later agent version using
Msiexec, you must first uninstall the existing agent. You can also deploy agent settings directly on the
endpoints by setting values in the Windows registry or, on Mac clients, in the Mac plist. See Deploy Agent
Settings Transparently.
- Using group policy rules: In Active Directory environments, the GlobalProtect agent can also be
distributed to end users using Active Directory group policy. AD group policies allow modification of
Windows host computer settings and software automatically. Refer to the article at
http://support.microsoft.com/kb/816102 for more information on how to use Group Policy to
automatically distribute programs to host computers or users.
- From a mobile endpoint management system: If you use a mobile management system such as an
MDM or EMM to manage your mobile devices, you can use the system to deploy and configure the
GlobalProtect app. See Mobile Endpoint Management.
Host Agent Updates on the Portal
The simplest way to deploy the GlobalProtect agent software is to download the new agent installation
package to the firewall that is hosting your portal and then activate the software for download to the agents
connecting to the portal. To do this automatically, the firewall must have a service route that enables it to
access the Palo Alto Networks Update Server. If the firewall does not have access to the Internet, you can
manually download the agent software package from the Palo Alto Networks Software Updates support site
using an Internet-connected computer and then manually upload it to the firewall.
You must have a valid Palo Alto Networks account to log in to and download software from the Software Updates
page. If you cannot log in and need assistance, go to
https://www.paloaltonetworks.com/support/tabs/overview.html.
You define how the agent software updates are deployed in the agent configurations you define on the
portal: whether they happen automatically when the agent connects to the portal, whether the user is
prompted to upgrade the agent, or whether the end user can manually check for and download a new agent
version. For details on creating an agent configuration, see Define the GlobalProtect Agent Configurations.
Host the GlobalProtect Agent on the Portal
Host Agent Updates on a Web Server
If you have a large number of endpoints that will need to install and/or update the GlobalProtect agent
software, consider hosting the GlobalProtect agent software images on an external web server. This helps
reduce the load on the firewall when users connect to download the agent. To use this feature, the firewall
hosting the portal must be running PAN-OS 4.1.7 or a later release.
Host GlobalProtect Agent Images on a Web Server
Test the Agent Installation
Use the following procedure to test the agent installation.
Test the Agent Installation
If you have enabled GlobalProtect Clientless VPN access, you will see an applications page (instead of the
agent download page) when you log in to the portal. Select GlobalProtect Agent to open the download page.
2. When prompted to run or save the software, click Run.
3. When prompted, click Run to launch the GlobalProtect Setup Wizard.
When initially installing the GlobalProtect agent software on the endpoint, the end user must be logged in to
the system using an account that has administrative privileges. Subsequent agent software updates do not
require administrative privileges.
To deploy the agent to end users, create agent configurations for the user groups for which you want to
enable access and set the Agent Upgrade settings appropriately, and then communicate the portal address. See
Define the GlobalProtect Agent Configurations for details on setting up agent configurations.
Download and Install the GlobalProtect Mobile App
The GlobalProtect app provides a simple way to extend the enterprise security policies out to mobile
devices. As with other remote hosts running the GlobalProtect agent, the mobile app provides secure access
to your corporate network over an IPSec or SSL VPN tunnel. The app automatically connects to the
gateway that is closest to the end user's current location. In addition, traffic to and from the mobile device
is automatically subject to the same security policy enforcement as other hosts on your corporate network.
Like the GlobalProtect agent, the app collects information about the host configuration and can use this
information for enhanced HIP-based security policy enforcement.
There are two primary methods for installing the GlobalProtect app: you can deploy the app from your
third-party MDM and transparently push the app to your managed devices, or you can install the app
directly from the official store for your device:
- iOS endpoints: App Store
- Android endpoints: Google Play
- Windows 10 phones and Windows 10 UWP endpoints: Microsoft Store
- Chromebooks: For details on installing the GlobalProtect app for Chrome OS, see Download and Install
the GlobalProtect App for Chrome OS.
This workflow describes how to install the GlobalProtect app directly on the mobile device. For instructions
on how to deploy the GlobalProtect app from AirWatch, see Deploy the GlobalProtect Mobile App Using
AirWatch.
Install the GlobalProtect Mobile App
2. Tap Connect and verify that the app successfully establishes a VPN connection to GlobalProtect.
If a third-party mobile endpoint management system is configured, the app prompts you to enroll.
Download and Install the GlobalProtect App for Chrome OS
The GlobalProtect app for Chrome OS provides a simple way to extend the enterprise security policies out
to Chromebooks. As with other remote hosts running the GlobalProtect agent, the app provides secure
access to your corporate network over an IPSec or SSL VPN tunnel. After the user initiates a connection, the
app connects to the gateway that is closest to the end user's current location. In addition, traffic to and
from the Chromebook is automatically subject to the same security policy enforcement as other hosts on
your corporate network. Like the GlobalProtect agent, the app collects information about the host
configuration and can use this information for enhanced HIP-based security policy enforcement.
Use the following procedures to install and test the GlobalProtect app for Chrome OS:
- Install the GlobalProtect App from the Chrome Web Store
- Deploy the GlobalProtect App Using the Chromebook Management Console
- Test the GlobalProtect App for Chrome OS
Install the GlobalProtect App from the Chrome Web Store
You can install the GlobalProtect app on a Chromebook by downloading the app from the Chrome Web
Store. As an alternative you can Deploy the GlobalProtect App Using the Chromebook Management
Console.
Install the GlobalProtect App from the Chrome Web Store
Deploy the GlobalProtect App Using the Chromebook Management Console
The Chromebook Management Console enables you to manage Chromebook settings and apps from a
central, web-based location. From the console, you can deploy the GlobalProtect app to Chromebooks and
customize VPN settings.
Use the following workflow to manage policies and settings for the GlobalProtect app for Chrome OS:
Configure the GlobalProtect App Using the Chromebook Management Console
Test the GlobalProtect App for Chrome OS
Use the GlobalProtect app to view status and other information about the app, to collect logs, or to reset the
VPN connection settings. After you install and configure the app, it is not necessary to open the app to
establish a VPN connection. Instead, you can connect by selecting the portal from the VPN settings on the
Chromebook.
Test the GlobalProtect App for Chrome OS
To view additional information about the connection, including the gateway to which you are connected,
launch the GlobalProtect app. The main page displays connection information and (if applicable) any errors
or warnings.
Deploy Agent Settings Transparently
As an alternative to deploying agent settings from the portal configuration, you can define them directly
from the Windows registry or global Mac plist or, on Windows clients only, using the Windows Installer
(Msiexec). The benefit is that it enables deployment of GlobalProtect agent settings to endpoints prior to
their first connection to the GlobalProtect portal.
Settings defined in the portal configuration always override settings defined in the Windows registry or Mac
plist. So if you define settings in the registry or plist, but the portal configuration specifies different settings,
the settings the agent receives from the portal override the settings defined on the client. This override
also applies to login-related settings, such as whether to connect on demand, whether to use single sign-on
(SSO), and whether the agent can connect if the portal certificate is invalid. Therefore, you should avoid
conflicting settings. In addition, the portal configuration is cached on the endpoint and that cached
configuration is used any time the GlobalProtect agent is restarted or the client machine is rebooted.
The following sections describe the customizable agent settings available and how to deploy these settings
transparently to Windows and Mac clients:
- Customizable Agent Settings
- Deploy Agent Settings to Windows Clients
- Deploy Agent Settings to Mac Clients
In addition to using the Windows registry and Mac plist to deploy GlobalProtect agent settings, you can enable the
GlobalProtect agent to collect specific Windows registry or Mac plist information from clients, including data on
applications installed on the clients, processes running on the clients, and attributes or properties of those
applications and processes. You can then monitor the data and add it to a security rule as matching criteria.
Device traffic that matches registry settings you have defined can be enforced according to the security rule.
Additionally, you can set up custom checks to Collect Application and Process Data From Clients.
Customizable Agent Settings
In addition to predeploying the portal address, you can also define the agent configuration settings. To
Deploy Agent Settings to Windows Clients you define keys in the Windows registry
(HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect), or, to Deploy Agent
Settings to Mac Clients you define entries in the PanSetup dictionary of the Mac plist
(/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist). On
Windows clients only, you can also use the Windows Installer to Deploy Agent Settings from Msiexec.
Table: Customizable Agent Behavior Options describes each customizable agent setting. Settings defined in
the GlobalProtect portal agent configuration take precedence over settings defined in the Windows registry
or the Mac plist.
Some settings do not have a corresponding portal configuration setting on the web interface and must be
configured using the Windows registry or Msiexec. These additional settings include
can-prompt-user-credential, wrap-cp-guid, and filter-non-gpcp.
- Agent Display Options
- User Behavior Options
- Agent Behavior Options
- Script Deployment Options
Agent Display Options
The following table lists the options that you can configure in the Windows registry and Mac plist to
customize the display of the GlobalProtect agent.
Table: Customizable Agent Settings
Portal Agent Configuration | Windows Registry/Mac Plist | Msiexec Parameter | Default
User Behavior Options
The following table lists the options that you can configure in the Windows registry and Mac plist to
customize how the user can interact with the GlobalProtect agent.
Table: Customizable User Behavior Options
Portal Agent Configuration | Windows Registry/Mac Plist | Msiexec Parameter | Default
For the setting that controls saved credentials: specify 0 to prevent GlobalProtect from saving credentials,
1 to save both username and password, or 2 to save the username only.
Agent Behavior Options
The following table lists the options that you can configure in the Windows registry and Mac plist to
customize the behavior of the GlobalProtect agent.
Table: Customizable Agent Behavior Options
Portal Agent Configuration | Windows Registry/Mac Plist | Msiexec Parameter | Default
(Windows only) This setting enables GlobalProtect to initiate a VPN tunnel before a user logs in to the
device and connects to the GlobalProtect portal.
* For detailed steps to enable these settings using the Windows registry or Windows Installer (Msiexec), see
SSO Wrapping for Third-Party Credential Providers on Windows Clients.
Script Deployment Options
The following table displays options that enable GlobalProtect to initiate scripts before and after establishing
a VPN tunnel and before disconnecting a VPN tunnel. Because these options are not available in the portal,
you must define the values for the relevant key, either pre-vpn-connect, post-vpn-connect, or
pre-vpn-disconnect, from the Windows registry or Mac plist. For detailed steps to deploy scripts, see
Deploy Scripts Using the Windows Registry, Deploy Scripts Using Msiexec, or Deploy Scripts Using the Mac
Plist.
Table: Customizable Script Deployment Options
Portal Agent Configuration | Windows Registry/Mac Plist | Msiexec Parameter | Default
Deploy Agent Settings to Windows Clients
Use the Windows registry or the Windows Installer (Msiexec) to deploy the GlobalProtect agent and settings to
Windows clients transparently.
- Deploy Agent Settings in the Windows Registry
- Deploy Agent Settings from Msiexec
- Deploy Scripts Using the Windows Registry
- Windows OS Batch Script Examples
  - Example: Exclude Traffic from the VPN Tunnel on Windows Endpoints
  - Example: Mount a Network Share on Windows Endpoints
- Deploy Scripts Using Msiexec
  - Example: Use Msiexec to Deploy Scripts that Run Before a Connect Event
  - Example: Use Msiexec to Deploy Scripts that Run at Pre-Connect, Post-Connect, and Pre-Disconnect
Events
- SSO Wrapping for Third-Party Credential Providers on Windows Clients
  - Enable SSO Wrapping for Third-Party Credentials with the Windows Registry
  - Enable SSO Wrapping for Third-Party Credentials with the Windows Installer
Deploy Agent Settings in the Windows Registry
You can enable deployment of GlobalProtect agent settings to Windows clients prior to their first
connection to the GlobalProtect portal by using the Windows registry. Use the options described in the
following table to begin using the Windows registry to customize agent settings for Windows clients.
In addition to using the Windows registry to deploy GlobalProtect agent settings, you can enable the GlobalProtect
agent to collect specific Windows registry information from Windows clients. You can then monitor the data and
add it to a security rule as matching criteria. Device traffic that matches registry settings you have defined can be
enforced according to the security rule. Additionally, you can set up custom checks to Collect Application and
Process Data From Clients.
Use the Windows Registry to Deploy GlobalProtect Agent Settings
1. Locate the GlobalProtect agent customization settings in the Windows registry. Open the Windows
registry (enter regedit at the command prompt) and go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\
2. Set the portal name. If you do not want the user to manually enter the portal address even for the
first connection, you can predeploy the portal address through the Windows registry
(HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup with key Portal).
3. Deploy various settings to the Windows client from the Windows registry, including configuring the
connect method for the GlobalProtect agent and enabling single sign-on (SSO). View Table: Customizable
Agent Behavior Options for a full list of the commands and values you can set up using the Windows registry.
4. Enable the GlobalProtect agent to wrap third-party credentials on the Windows client, allowing for
SSO when using a third-party credential provider. See Enable SSO Wrapping for Third-Party Credentials with
the Windows Registry.
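The following PowerShell script is an added example, not part of the GlobalProtect guide, of pre-deploying the portal address and a registry-only agent setting before the first portal connection, as the steps above describe, and then reading the values back so a deployment tool can verify them. It assumes the registry paths the guide names (PanSetup\Portal and Settings\); the setting name can-prompt-user-credential is taken from the guide, but its value "yes" and the portal address gp.example.com are assumptions for illustration. Run it from an elevated prompt.

```powershell
# Added example (not from the GlobalProtect guide). Pre-seeds the portal address and a
# registry-only agent setting on a Windows client before its first portal connection,
# then reads the values back so a deployment tool can verify them.
# Assumptions: registry paths as named in the guide; can-prompt-user-credential is named
# in the guide, but its value "yes" is assumed here; gp.example.com is a placeholder.
#Requires -RunAsAdministrator

$GpRoot   = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect'
$PanSetup = Join-Path $GpRoot 'PanSetup'
$Settings = Join-Path $GpRoot 'Settings'

function Test-GpPortalAddress {
    # The Portal value is a hostname or IP address, not a URL: reject schemes, paths and
    # whitespace so a typo does not silently leave the agent pointing at the wrong place.
    param([Parameter(Mandatory)][string]$Portal)
    if ($Portal -match '^[A-Za-z][A-Za-z0-9+.-]*://' -or $Portal -match '[/\s]') { return $false }
    return $Portal -match '^[A-Za-z0-9.-]+$'
}

function Set-GpPreDeployedSettings {
    param(
        [Parameter(Mandatory)][string]$Portal,
        [hashtable]$AgentSettings = @{}
    )
    if (-not (Test-GpPortalAddress $Portal)) {
        throw "Portal must be a bare hostname or IP address, got '$Portal'"
    }
    # New-Item -Force creates missing parent keys and leaves existing keys untouched.
    foreach ($key in @($PanSetup, $Settings)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    New-ItemProperty -Path $PanSetup -Name 'Portal' -Value $Portal `
        -PropertyType String -Force | Out-Null
    foreach ($name in $AgentSettings.Keys) {
        New-ItemProperty -Path $Settings -Name $name -Value ([string]$AgentSettings[$name]) `
            -PropertyType String -Force | Out-Null
    }
}

function Get-GpPreDeployedSettings {
    # Returns what is actually on disk so the caller can compare it with what was intended.
    # The portal's own agent configuration overrides these values once the agent connects.
    $result = [ordered]@{ Portal = $null }
    if (Test-Path $PanSetup) {
        $result.Portal = (Get-ItemProperty -Path $PanSetup -ErrorAction SilentlyContinue).Portal
    }
    if (Test-Path $Settings) {
        $props = Get-ItemProperty -Path $Settings
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... bookkeeping properties the provider adds.
            if ($p.Name -notmatch '^PS') { $result[$p.Name] = $p.Value }
        }
    }
    return $result
}

# Usage (placeholder portal address and assumed setting value):
Set-GpPreDeployedSettings -Portal 'gp.example.com' -AgentSettings @{
    'can-prompt-user-credential' = 'yes'
}
Get-GpPreDeployedSettings | Format-Table -AutoSize
```

The Portal value decides where the agent sends the user's credentials, so keep these keys under HKLM with the default administrators-only write permission; a client that lets standard users edit them could be pointed at a rogue portal before the first connection.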
Deploy Agent Settings from Msiexec
On Windows endpoints, you have the option to deploy the agent and the settings automatically from the
Windows Installer (Msiexec) by using the following syntax:
msiexec.exe /i GlobalProtect.msi <SETTING>="<value>"
Msiexec is an executable program that installs or configures a product from the command line. On systems
running Microsoft Windows XP or a later OS, the maximum length of the string that you can use at the command
prompt is 8,191 characters.
Msiexec Example | Description
For a complete list of settings and the corresponding default values, see Table: Customizable Agent Behavior
Options.
To set up the GlobalProtect agent to wrap third-party credentials on a Windows client from Msiexec, see Enable
SSO Wrapping for Third-Party Credentials with the Windows Installer.
Deploy Scripts Using the Windows Registry
You can enable deployment of custom scripts to Windows endpoints using the Windows registry.
You can configure the GlobalProtect agent to initiate and run a script for any or all of the following events:
before and after establishing the tunnel, and before disconnecting the tunnel. To run the script at a particular
event, reference the batch script from a command registry entry for that event.
Depending on the configuration settings, the GlobalProtect agent can run a script before and after the agent
establishes a VPN tunnel with the gateway, and before the agent disconnects from the VPN tunnel. Use the
following workflow to get started using the Windows registry to customize agent settings for Windows
clients.
The registry settings that enable you to deploy scripts are supported in GlobalProtect clients running
GlobalProtect agent 2.3 and later releases.
Deploy Scripts in the Windows Registry
Windows OS Batch Script Examples
The following topics show examples of scripts you can run on Windows systems at pre-connect, post-connect,
and pre-disconnect events. To run a script at a particular event, reference the batch script from a command
registry entry for that event:
- Example: Exclude Traffic from the VPN Tunnel on Windows Endpoints
- Example: Mount a Network Share on Windows Endpoints
Example: Exclude Traffic from the VPN Tunnel on Windows Endpoints
To exclude traffic from the VPN tunnel after establishing the VPN connection, reference the following script
from a command registry entry for a post-vpn-connect event. This enables you to selectively exclude routes
and to send all other traffic through the VPN tunnel.
As a best practice, delete any exclude network routes that were previously added before adding the new exclude
routes. In most cases, when a user moves between networks (such as when switching between Wi-Fi and a local
network) the old network routes are automatically deleted. In the event that the old network routes persist,
following this best practice ensures that traffic destined for the exclude routes goes through the gateway of
the new network instead of the gateway of the old network.
For a script that you can copy and paste, go here.
@echo off
setlocal
REM Run this script (route_exclude) post-vpn-connect.
REM Add exclude routes. This allows traffic to these networks and hosts to go directly and not use the tunnel.
REM Syntax: route_exclude <network1> <mask1> <network2> <mask2> ... <networkN> <maskN>
REM Example-1: route_exclude 10.0.0.0 255.0.0.0
REM Example-2: route_exclude 10.0.0.0 255.0.0.0 192.168.17.0 255.255.255.0
REM Example-3: route_exclude 10.0.0.0 255.0.0.0 192.168.17.0 255.255.255.0 192.168.24.25 255.255.255.255
REM Use the route print command and find the DefaultGateway (third column of the first
REM 0.0.0.0 line) on the endpoint. If the tunnel adds its own default route, confirm that
REM the first line findstr returns is still the physical network's gateway.
@For /f "tokens=3" %%G in (
'route.exe print ^|findstr "\<0.0.0.0\>"'
) Do if not defined DefaultGateway Set "DefaultGateway=%%G"
if not defined DefaultGateway (
echo route_exclude: could not determine the default gateway, no routes changed
exit /b 1
)
REM Delete any existing route for the prefix (the best practice above), then add the exclude route
:add_route
if "%1"=="" goto end
route delete %1
route add %1 mask %2 %DefaultGateway%
shift
shift
goto add_route
:end
endlocal
Example: Mount a Network Share on Windows Endpoints
To mount a network share after establishing a VPN connection, reference the following script from a
command registry entry for a post-vpn-connect event:
@echo off
REM Mount filer1 to Z: drive (post-vpn-connect). This runs unattended, so the credential must be cached
REM or supplied with /user:<account> <password>; drop any stale Z: mapping first so the new one does not fail.
net use Z: /delete /y >nul 2>&1
net use Z: \\filer1.mycompany.local\share /user:mycompany\user1 /persistent:no
Deploy Scripts Using Msiexec
On Windows clients, you can use the Windows Installer (Msiexec) to deploy the agent, agent settings, and
scripts that the agent will run automatically (see Customizable Agent Settings). To do so, use the following
syntax:
msiexec.exe /i GlobalProtect.msi <SETTING>="<value>"
Msiexec is an executable program that installs or configures a product from a command line. On systems running
Microsoft Windows XP or a later release, the maximum length of the string that you can use at the command
prompt is 8,191 characters.
This limitation applies to the command line, individual environment variables (such as the USERPROFILE variable)
that are inherited by other processes, and all environment variable expansions. If you run batch files from the
command line, this limitation also applies to batch file processing.
For example, to deploy scripts that run at specific connect or disconnect events, you can use syntax similar
to the following examples:
- Example: Use Msiexec to Deploy Scripts that Run Before a Connect Event
- Example: Use Msiexec to Deploy Scripts that Run at Pre-Connect, Post-Connect, and Pre-Disconnect
Events
Example: Use Msiexec to Deploy Scripts that Run Before a Connect Event
For a script that you can copy and paste, go here. The caret (^) at the end of each line continues the command
on the next line, so the block can be pasted into a command prompt as a single msiexec command.
msiexec.exe /i GlobalProtect.msi ^
PREVPNCONNECTCOMMAND="%userprofile%\pre_vpn_connect.bat c: test_user" ^
PREVPNCONNECTCONTEXT="user" ^
PREVPNCONNECTTIMEOUT="60" ^
PREVPNCONNECTFILE="C:\Users\test_user\pre_vpn_connect.bat" ^
PREVPNCONNECTCHECKSUM="a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599" ^
PREVPNCONNECTERRORMSG="Failed executing pre-vpn-connect action."
For a complete list of settings and the corresponding default values, see Customizable Agent Settings. Or,
for examples of batch scripts, see Windows OS Batch Script Examples.
Example: Use Msiexec to Deploy Scripts that Run at Pre-Connect, Post-Connect, and
Pre-Disconnect Events
For a script that you can copy and paste, go here. As in the previous example, the caret (^) continues the
command on the next line.
msiexec.exe /i GlobalProtect.msi ^
PREVPNCONNECTCOMMAND="%userprofile%\pre_vpn_connect.bat c: test_user" ^
PREVPNCONNECTCONTEXT="user" ^
PREVPNCONNECTTIMEOUT="60" ^
PREVPNCONNECTFILE="C:\Users\test_user\pre_vpn_connect.bat" ^
PREVPNCONNECTCHECKSUM="a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599" ^
PREVPNCONNECTERRORMSG="Failed executing pre-vpn-connect action." ^
POSTVPNCONNECTCOMMAND="c:\users\test_user\post_vpn_connect.bat c: test_user" ^
POSTVPNCONNECTCONTEXT="admin" ^
POSTVPNCONNECTFILE="%userprofile%\post_vpn_connect.bat" ^
POSTVPNCONNECTCHECKSUM="b48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf598" ^
POSTVPNCONNECTERRORMSG="Failed executing post-vpn-connect action." ^
PREVPNDISCONNECTCOMMAND="%userprofile%\pre_vpn_disconnect.bat c: test_user" ^
PREVPNDISCONNECTCONTEXT="admin" ^
PREVPNDISCONNECTTIMEOUT="0" ^
PREVPNDISCONNECTFILE="C:\Users\test_user\pre_vpn_disconnect.bat" ^
PREVPNDISCONNECTCHECKSUM="c48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf597" ^
PREVPNDISCONNECTERRORMSG="Failed executing pre-vpn-disconnect action."
For a complete list of settings and the corresponding default values, see Customizable Agent Settings. Or,
for examples of batch scripts, see Windows OS Batch Script Examples.
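The PowerShell script below is an added example, not part of the GlobalProtect guide or its installer, that generates the msiexec command line shown in the two examples above from the script files themselves: it computes each *CHECKSUM value with Get-FileHash instead of relying on a hand-typed digest, and refuses to emit a command longer than the 8,191-character limit the guide mentions. It assumes the CHECKSUM parameter is the SHA-256 of the script file in lowercase hex (the guide's sample values are 64 hex characters, which matches SHA-256; confirm against Customizable Agent Settings), and that the MSI and script paths used in the usage line are placeholders.

```powershell
# Added example (not from the GlobalProtect guide). Builds the msiexec command line for
# scripts deployed at connect/disconnect events, computing each *CHECKSUM from the script
# file and checking the 8,191-character command line limit.
# Assumptions: CHECKSUM is the lowercase SHA-256 hex digest of the script file; the MSI
# and script paths below are placeholders.

# Parameter prefix -> event name the guide uses for the registry/plist key.
$GpScriptEvents = @{
    PREVPNCONNECT    = 'pre-vpn-connect'
    POSTVPNCONNECT   = 'post-vpn-connect'
    PREVPNDISCONNECT = 'pre-vpn-disconnect'
}

function Get-GpScriptChecksum {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { throw "Script not found: $Path" }
    return (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
}

function New-GpScriptDeploymentCommand {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        # Parameter prefix -> script file, e.g. @{ PREVPNCONNECT = 'C:\ProgramData\GP\pre.bat' }
        [Parameter(Mandatory)][hashtable]$Scripts,
        [ValidateSet('user', 'admin')][string]$Context = 'user',
        [string]$ScriptArgs = '',
        [int]$TimeoutSeconds = 60
    )
    $parts = @("msiexec.exe /i `"$MsiPath`"")
    foreach ($prefix in $Scripts.Keys) {
        if (-not $GpScriptEvents.ContainsKey($prefix)) { throw "Unknown event prefix '$prefix'" }
        $file = $Scripts[$prefix]
        $sum  = Get-GpScriptChecksum -Path $file
        $cmd  = if ($ScriptArgs) { "$file $ScriptArgs" } else { $file }
        $parts += "${prefix}COMMAND=`"$cmd`""
        $parts += "${prefix}CONTEXT=`"$Context`""
        $parts += "${prefix}TIMEOUT=`"$TimeoutSeconds`""
        $parts += "${prefix}FILE=`"$file`""
        $parts += "${prefix}CHECKSUM=`"$sum`""
        $parts += "${prefix}ERRORMSG=`"Failed executing $($GpScriptEvents[$prefix]) action.`""
    }
    $line = $parts -join ' '
    # cmd.exe rejects command lines longer than 8,191 characters; fail here rather than
    # hand the installer a truncated command.
    if ($line.Length -gt 8191) {
        throw "Command line is $($line.Length) characters; the limit is 8191"
    }
    return $line
}

# Usage: the script directory is assumed to be writable only by administrators, because a
# script that runs in the "admin" context executes with elevated rights. Regenerate the
# command whenever a script is edited so the checksum matches the file that will run.
$cmd = New-GpScriptDeploymentCommand -MsiPath 'C:\Deploy\GlobalProtect.msi' -Scripts @{
    PREVPNCONNECT    = 'C:\ProgramData\GP\pre_vpn_connect.bat'
    PREVPNDISCONNECT = 'C:\ProgramData\GP\pre_vpn_disconnect.bat'
} -Context 'admin'
$cmd
# To install: cmd.exe /c $cmd
```

Building the command from the files rather than copying digests by hand removes the most common failure in this procedure, a checksum that no longer matches the script after an edit, and keeps the script contents pinned to what was reviewed at deployment time.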
SSO Wrapping for Third-Party Credential Providers on Windows Clients
On Windows 7 and Windows Vista clients, the GlobalProtect agent utilizes the Microsoft credential provider
framework to support single sign-on (SSO). With SSO, the GlobalProtect credential provider wraps the
Windows native credential provider, which enables GlobalProtect to use Windows login credentials to
automatically authenticate and connect to the GlobalProtect portal and gateway.
In some scenarios when other third-party credential providers also exist on the client, the GlobalProtect
credential provider is unable to gather a user's Windows login credentials and, as a result, GlobalProtect fails
to automatically connect to the GlobalProtect portal and gateway. If SSO fails, you can identify the
third-party credential provider and then configure the GlobalProtect agent to wrap those third-party
credentials, which enables users to successfully authenticate to Windows, GlobalProtect, and the third-party
credential provider all in a single step using only their Windows login credentials when they log in to their
Windows system.
Optionally, you can configure Windows to display separate login tiles: one for each third-party credential
provider and another for the native Windows login. This is useful when a third-party credential provider adds
additional functionality in the login tile that does not apply to GlobalProtect.
Use the Windows registry or the Windows Installer (Msiexec) to allow GlobalProtect to wrap third-party
credentials:
- Enable SSO Wrapping for Third-Party Credentials with the Windows Registry
- Enable SSO Wrapping for Third-Party Credentials with the Windows Installer
GlobalProtect SSO wrapping for third-party credential providers (CPs) is dependent on the
third-party CP settings and, in some cases, GlobalProtect SSO wrapping might not work correctly
if the third-party CP implementation does not allow GlobalProtect to successfully wrap their CP.
Enable SSO Wrapping for Third-Party Credentials with the Windows Registry

Use the following steps in the Windows registry to enable SSO to wrap third-party credentials on Windows 7 and Windows Vista clients.

Use the Windows Registry to Enable SSO Wrapping for Third-Party Credentials
2. Add a new String Value.
3. Enter values for the String Value:
Name: wrap-cp-guid
Value data: {<third-party credential provider GUID>}
For the Value data field, the GUID value that you enter must be enclosed with curly brackets: { and }. The following is an example of what a third-party credential provider GUID in the Value data field might look like:
{A1DA9BCC-9720-4921-8373-A8EC5D48450F}
For the new String Value, wrap-cp-guid is displayed as the String Value's Name and the GUID is displayed as the Data.
With this string value added to the GlobalProtect settings, two login options are presented to users when logging in to their Windows system: the native Windows tile and the third-party credential provider's tile.
Enable SSO Wrapping for Third-Party Credentials with the Windows Installer

Use the following options in the Windows Installer (Msiexec) to enable SSO to wrap third-party credential providers on Windows 7 and Windows Vista clients.

Use the Windows Installer to Enable SSO Wrapping for Third-Party Credentials
Wrap third-party credentials and display the native tile to users at login. Users click the tile and log in to the system with their native Windows credentials, and that single login authenticates users to Windows, GlobalProtect, and the third-party credential provider.
Use the following syntax from the Windows Installer (Msiexec):
msiexec.exe /i GlobalProtect.msi WRAPCPGUID={guid_value} FILTERNONGPCP=yes
In the syntax above, the FILTERNONGPCP parameter simplifies authentication for the user by filtering the option to log in to the system using the third-party credentials.
If you would like users to have the option to log in with the third-party credentials, use the following syntax from Msiexec:
msiexec.exe /i GlobalProtect.msi WRAPCPGUID={guid_value} FILTERNONGPCP=no
In the syntax above, the FILTERNONGPCP parameter is set to no, which filters out the third-party credential provider's logon tile so that only the native tile displays. In this case, both the native Windows tile and the third-party credential provider tile are displayed to users when logging in to the Windows system.
Use the Mac global plist (property list) file to set GlobalProtect agent customization settings or to deploy scripts to Mac endpoints.
Deploy Agent Settings in the Mac Plist
Deploy Scripts Using the Mac Plist
Mac OS Script Examples
Example: Terminate All Established SSH Sessions on Mac Endpoints
Example: Mount a Network Share on Mac Endpoints
Deploy Agent Settings in the Mac Plist

You can set the GlobalProtect agent customization settings in the Mac global plist (property list) file. This enables deployment of GlobalProtect agent settings to Mac endpoints prior to their first connection to the GlobalProtect portal.

On Mac systems, plist files are located either in /Library/Preferences or in ~/Library/Preferences. The tilde (~) symbol indicates that the location is in the current user's home folder. The GlobalProtect agent on a Mac client first checks for the GlobalProtect plist settings in /Library/Preferences. If the plist does not exist at that location, the GlobalProtect agent searches for plist settings in ~/Library/Preferences.

In addition to using the Mac plist to deploy GlobalProtect agent settings, you can enable the GlobalProtect agent to collect specific Mac plist information from clients. You can then monitor the data and add it to a security rule as matching criteria. Device traffic that matches the settings you have defined can be enforced according to the security rule. Additionally, you can set up custom checks to Collect Application and Process Data From Clients.
Use the Mac Plist to Deploy GlobalProtect Agent Settings
Open the GlobalProtect plist file and locate the GlobalProtect agent customization settings. Use Xcode or an alternate plist editor to open the plist file:
/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
Then go to:
/Palo Alto Networks/GlobalProtect/Settings
If the Settings dictionary does not exist, create it. Then add each key to the Settings dictionary as a string.
Set the portal name. If you don't want the user to manually enter the portal address even for the first connection, you can pre-deploy the portal address through the Mac plist. Under the PanSetup dictionary, configure an entry for Portal.
Deploy various settings to the Mac client from the Mac plist, including configuring the connect method for the GlobalProtect agent. View Customizable Agent Settings for a full list of the keys and values that you can configure using the Mac plist.
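The procedure above creates the Settings dictionary when it is missing and stores every key as a string. As an added example (not code from the guide or from the agent), the following Python does that merge with the standard plistlib module; it assumes the PanSetup dictionary sits beside Settings under /Palo Alto Networks/GlobalProtect, and the Example* key names and the portal FQDN are constructed placeholders, not documented agent keys.

```python
"""Pre-populate GlobalProtect agent settings in the Mac global plist.

Added example, not part of the GlobalProtect guide or the agent. It builds
the nested dictionaries /Palo Alto Networks/GlobalProtect/Settings and
/Palo Alto Networks/GlobalProtect/PanSetup/Portal (the PanSetup location is
an assumption), creating them when absent and storing each Settings key as a
string. Key names starting with "Example" are placeholders, not agent keys.
"""
import plistlib
from pathlib import Path

# Location given in the guide for the system-wide plist (checked before ~/Library/Preferences).
GLOBAL_PLIST = Path("/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist")


def load_plist(data):
    """Parse plist bytes; an empty or absent file starts as an empty dict."""
    return plistlib.loads(data) if data else {}


def ensure_dict(parent, key):
    """Return parent[key], creating an empty dict if the key is missing.

    A non-dict value at that key would be silently clobbered by a naive
    assignment, so fail loudly instead.
    """
    child = parent.setdefault(key, {})
    if not isinstance(child, dict):
        raise TypeError(f"plist entry {key!r} exists but is not a dictionary")
    return child


def apply_agent_settings(plist, settings, portal=None):
    """Merge agent customization settings into an in-memory plist dict.

    settings: mapping placed under /Palo Alto Networks/GlobalProtect/Settings,
              every value coerced to a string as the guide requires.
    portal:   optional portal address stored as PanSetup/Portal (assumed location).
    """
    gp = ensure_dict(ensure_dict(plist, "Palo Alto Networks"), "GlobalProtect")
    settings_dict = ensure_dict(gp, "Settings")
    for key, value in settings.items():
        if isinstance(value, bool):
            # A Python bool would be written as <true/>/<false/>; keep strings.
            value = "yes" if value else "no"
        settings_dict[str(key)] = str(value)
    if portal is not None:
        ensure_dict(gp, "PanSetup")["Portal"] = str(portal)
    return plist


def render_plist(plist):
    """Serialize to XML plist bytes, the form Xcode and other plist editors read."""
    return plistlib.dumps(plist, fmt=plistlib.FMT_XML, sort_keys=True)


def save_plist(plist, path=GLOBAL_PLIST):
    """Write the plist to disk (requires admin rights for /Library/Preferences)."""
    Path(path).write_bytes(render_plist(plist))


def demo():
    """Round-trip: start from a constructed existing plist, merge, re-read."""
    existing = render_plist({"Palo Alto Networks": {"GlobalProtect": {
        "Settings": {"ExampleExistingKey": "keep"}}}})
    plist = load_plist(existing)
    apply_agent_settings(
        plist,
        {"ExampleConnectMethod": "on-demand",   # placeholder key name
         "ExampleTimeout": 60},                 # int becomes "60"
        portal="gp.example.com",                # constructed portal FQDN
    )
    return load_plist(render_plist(plist))
```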
Deploy Scripts Using the Mac Plist

When a user connects to the GlobalProtect gateway for the first time, the GlobalProtect agent downloads a configuration file and stores agent settings in a GlobalProtect Mac property list file (plist). In addition to making changes to the agent settings, you use the Mac plist to deploy scripts at any or all of the following events: before and after establishing the tunnel, and before disconnecting the tunnel. Use the following workflow to get started using the Mac plist to deploy scripts to Mac endpoints.

The Mac plist settings that enable you to deploy scripts are supported in GlobalProtect clients running GlobalProtect agent 2.3 and later releases.
Mac OS Script Examples

You can configure the GlobalProtect agent to initiate and run a script for any or all of the following events: before and after establishing the tunnel, and before disconnecting the tunnel. To run the script at a particular event, reference the shell script from a command plist entry for that event. The following topics show examples of scripts that you can run at pre-connect, post-connect and pre-disconnect events:
Example: Terminate All Established SSH Sessions on Mac Endpoints
Example: Mount a Network Share on Mac Endpoints
Example: Terminate All Established SSH Sessions on Mac Endpoints

To force termination of all established SSH sessions before setting up the VPN tunnel, reference the following script from a command plist entry for a pre-vpn-connect event. Similarly, you can re-establish the sessions after establishing the GlobalProtect VPN tunnel by using a script that you reference from the command plist entry for a post-vpn-connect event. This can be useful if you want to force all SSH traffic to traverse the GlobalProtect VPN tunnel.

#!/bin/bash
# Identify all SSH sessions and force kill them.
# -ax lists every process, not only those attached to the current terminal,
# so sessions started from other terminals are included.
ps -ax | grep ssh | grep -v grep | awk '{ print $1 }' | xargs kill -9
Example: Mount a Network Share on Mac Endpoints

To mount a network share after establishing a VPN connection, reference the following script from a command plist entry for a post-vpn-connect event:

#!/bin/bash
# $1 is the local mount point passed to the script as its argument
mkdir -p "$1"
mount -t smbfs //username:password@10.101.2.17/shares/Departments/Engineering/SW_eng/username/folder "$1"
sleep 1
GlobalProtect Clientless VPN

GlobalProtect Clientless VPN provides secure remote access to common enterprise web applications. Users have the advantage of secure access from SSL-enabled web browsers without installing GlobalProtect client software. This is useful when you need to enable partner or contractor access to applications, and to safely enable unmanaged assets, including personal devices. You can configure the GlobalProtect portal landing page to provide access to web applications based on users and user groups and also allow single sign-on to SAML-enabled applications. The following topics provide information on how to configure and troubleshoot Clientless VPN.

This feature is available as a public beta release.

Clientless VPN Overview
Supported Technologies
Configure Clientless VPN
Troubleshoot Clientless VPN

When you configure Clientless VPN, remote users can log in to the GlobalProtect portal using a web browser and launch the web applications you publish for the user. Based on users or user groups, you can allow users to access a set of applications that you make available to them, or allow them to access additional corporate applications by entering a custom application URL.

After logging in to the portal, users see a published applications page with a list of web applications they can launch. (You can use the default applications landing page on the GlobalProtect portal or create a custom landing page for your enterprise.)

Figure: Applications Landing Page for Clientless VPN

Because this page replaces the default portal landing page, it includes a link to the GlobalProtect agent download page. If configured, users can also select Application URL and enter URLs to launch additional, unpublished corporate web applications.

When you configure only one web application (and disable access to unpublished applications), instead of taking the user to the published applications page, the application will launch automatically as soon as the user logs in. If you do not configure GlobalProtect Clientless VPN, users will see the agent software download page when they log in to the portal.

When you configure GlobalProtect Clientless VPN, you need security policies to allow traffic from GlobalProtect endpoints to the security zone associated with the GlobalProtect portal that hosts the published applications landing page, and security policies to allow user-based traffic from the GlobalProtect portal zone to the security zone where the published application servers are hosted. The security policies you define control which users have permission to use each published application.

Figure: Zones and Security Policy for Clientless VPN
Supported Technologies

Clientless VPN is available as a public beta release. Make sure you thoroughly test your Clientless VPN applications in a controlled environment before deploying them or making them available to a large number of users.

You can configure the GlobalProtect portal to provide secure remote access to common enterprise web applications that use HTML, HTML5, and JavaScript technologies. Other technologies (such as Adobe Flash or Microsoft Silverlight) are not supported.

Supported operating systems are Windows, Mac, iOS, Android, Chrome, and Linux.
Supported browsers are the latest versions of Chrome, Internet Explorer, Safari, and Firefox.

The table below shows applications that Palo Alto Networks has specifically qualified for public beta, but you can test any application that uses HTML, HTML5, or JavaScript.

Qualified Applications for Clientless VPN
Microsoft Outlook Web Access 2014
Microsoft SharePoint 2013
Google Gmail for Business
APD
Box
Drupal

Clientless VPN requires you to install a GlobalProtect subscription on the firewall that hosts the Clientless VPN from the GlobalProtect portal. You also need the GlobalProtect Clientless VPN dynamic updates to use this feature. Refer to Active Licenses and Subscriptions and Install Content and Software Updates. As a best practice, configure a separate FQDN for the GlobalProtect portal that hosts Clientless VPN. Do not use the same FQDN as the PAN-OS Web Interface.
Configure Clientless VPN

When you configure a proxy server to access Clientless VPN applications, make sure you include the proxy IP address and port in the security policy definition. When applications are accessed through a proxy server, only security policies defined for the proxy IP address and port are applied.
GlobalProtect Clientless VPN is a feature that is currently available in public beta. Because this feature involves dynamic rewriting of HTML applications, the HTML content for some applications may not rewrite correctly and may break the application. If issues occur, use the commands in the following table to help you identify the likely cause:

Table: Useful Commands to Troubleshoot Clientless VPN
Action: Enable debug logs on the firewall running the Clientless VPN Portal
CLI Commands:
debug dataplane packet-diag set log feature ssl all
debug dataplane packet-diag set log feature misc all
debug dataplane packet-diag set log feature proxy all
debug dataplane packet-diag set log feature flow basic
debug dataplane packet-diag set log on
Table: Rewrite Engine Statistics
Statistic: Description
initiate_connection_failure: Connection initiation failed to backend host
setup_connection_failure: Connection setup failed
setup_connection_duplicate: Duplicate peer session exists
session_notify_mismatch: Mostly invalid session
packet_mismatch_session: Failed to find right session for incoming packet
peer_queue_update_rcvd_failure: Session was invalid when packet update received by peer
peer_queue_update_sent_failure: Failed to send packet updates to peer or failed to send packet queue length updates to peer
exceed_pkt_queue_limit: Too many packets queued
proxy_connection_failure: Proxy connection failed
setup_connection_r: Installing the peer session to the application server. This value should match the values for initiate_connection and setup_connection.
setup_connection_duplicate_r: Duplicate sessions already in proxy
setup_connection_failure_r: Failed to set up the peer session
session_notify_mismatch_r: Peer session not found
packet_mismatch_session_r: Peer session not found when trying to get the packet
exceed_pkt_queue_limit_r: Too many packets held
unknown_dest: Failed to find destination host
pkt_no_dest: No destination for this packet
cookie_suspend: Suspended session to fetch cookies
cookie_resume: Received response from MP with updated cookies. This value generally matches the value of cookie_suspend.
decompress_failure: Failed to decompress
memory_alloc_failure: Failed to allocate memory
wait_for_dns_resolve: Suspended session to resolve DNS requests
dns_resolve_reschedule: Rescheduled DNS query due to no response (retry before timeout)
dns_resolve_timeout: DNS query timeout
setup_site_conn_failure: Failed to set up connection to site (proxy, DNS)
site_dns_invalid: DNS resolve failed
multiple_multipart: Multipart content type processed
site_from_referer: Received the backend host from referrer. This can indicate failed rewrite links from Flash or other content which Clientless VPN does not rewrite.
received_fin_for_pending_req: Received FIN from server for pending request from client
unmatched_http_state: Unexpected HTTP content. This can indicate an issue parsing the HTTP headers or body.
Enable Delivery of GlobalProtect Client VSAs to a RADIUS Server

When communicating with GlobalProtect portals or gateways, GlobalProtect clients send information that includes the client IP address, operating system (OS), hostname, user domain, and GlobalProtect agent/app version. You can enable the firewall to send this information as Vendor-Specific Attributes (VSAs) to a RADIUS server during authentication (by default, the firewall does not send the VSAs). RADIUS administrators can then perform administrative tasks based on those VSAs. For example, RADIUS administrators might use the client OS attribute to define a policy that mandates regular password authentication for Microsoft Windows users and one-time password (OTP) authentication for Google Android users.

The following are prerequisites for this procedure:
Import the Palo Alto Networks RADIUS dictionary into your RADIUS server.
Configure a RADIUS server profile and assign it to an authentication profile: see Set Up External Authentication.
Assign the authentication profile to a GlobalProtect portal or gateway: see Set Up Access to the GlobalProtect Portal or Configure a GlobalProtect Gateway.

Enable Delivery of GlobalProtect Client VSAs to a RADIUS Server
Step 1 Log in to the firewall CLI.
Step 2 Enter the command for each VSA you want to send.
username@hostname> set authentication radius-vsa-on client-source-ip
username@hostname> set authentication radius-vsa-on client-os
username@hostname> set authentication radius-vsa-on client-hostname
username@hostname> set authentication radius-vsa-on user-domain
username@hostname> set authentication radius-vsa-on client-gp-version
If you later want to stop the firewall from sending particular VSAs, run the same commands but use the radius-vsa-off option instead of radius-vsa-on.
Reference: GlobalProtect Agent Cryptographic Functions

The GlobalProtect agent uses the OpenSSL library 1.0.1h to establish secure communication with the GlobalProtect portal and GlobalProtect gateways. The following table lists each GlobalProtect agent function that requires a cryptographic function and the cryptographic keys the GlobalProtect agent uses:
Mobile Endpoint Management Overview

As mobile endpoints become more powerful, end users increasingly rely on them to perform business tasks. However, these same endpoints that access your corporate network also connect to the internet without protection against threats and vulnerabilities. By using a third-party mobile endpoint management system such as a mobile device management (MDM) or enterprise mobility management (EMM) system, you can easily manage both company-provisioned and employee-owned devices (such as in a BYOD environment).

A mobile endpoint management system simplifies the administration of mobile endpoints by enabling you to automatically deploy your corporate account configuration and VPN settings to compliant endpoints. You can also use your mobile endpoint management system for remediation of security breaches by interacting with an endpoint that has been compromised. This protects both corporate data as well as personal end-user data. For example, if an end user loses an endpoint, you can remotely lock the endpoint from the mobile endpoint management system or even wipe the endpoint (either completely or selectively).

In addition to the account provisioning and remote device management functions that a mobile endpoint management system can provide, when integrated with your existing GlobalProtect VPN infrastructure, you use host information that the endpoint reports to enforce security policies for access to apps through the GlobalProtect gateway. You can also use the monitoring tools that are built into the Palo Alto next-generation firewall to monitor mobile endpoint traffic.

Set Up a Mobile Endpoint Management System
To set up a mobile endpoint management system, use the following workflow:
Set Up an Endpoint Management System
Manage the GlobalProtect App Using AirWatch

Deploy the GlobalProtect Mobile App Using AirWatch
Configure the GlobalProtect App for iOS Using AirWatch
Configure the GlobalProtect App for Android Using AirWatch
Configure the GlobalProtect App for Windows 10 UWP Using AirWatch

The GlobalProtect app provides a simple way to extend the enterprise security policies out to mobile endpoints. As with other remote hosts running the GlobalProtect agent, the mobile app provides secure access to your corporate network over an IPSec or SSL VPN tunnel. The app connects to the gateway that is closest to the end user's current location. In addition, traffic to and from the mobile endpoint is automatically subject to the same security policy enforcement as other hosts on your corporate network. Like the GlobalProtect agent, the app collects information about the host configuration and can use this information for enhanced HIP-based security policy enforcement.

There are two primary methods for installing the GlobalProtect app: you can install the app directly from the app store for your endpoint (see Download and Install the GlobalProtect Mobile App); or, deploy the app from a third-party mobile endpoint management system (such as AirWatch) and transparently push the app to your managed endpoints.

With AirWatch, you can deploy the GlobalProtect app to managed endpoints that have enrolled with AirWatch. Endpoints running iOS or Android must download the AirWatch agent to enroll with the AirWatch EDM. Windows 10 endpoints do not require the AirWatch agent but require you to configure enrollment on the endpoint. After you deploy the app, configure and deploy a VPN profile to set up the GlobalProtect app for the end user automatically.
Deploy the GlobalProtect App from AirWatch
Step 1 Before you begin, ensure that the endpoints to which you want to deploy the GlobalProtect app are enrolled with AirWatch:
Android and iOS: Download the AirWatch agent and follow the prompts to enroll.
Windows Phone and Windows 10 UWP: Configure the Windows 10 UWP endpoint to enroll with AirWatch (from the endpoint, select Settings > Accounts > Work access > Connect).
Step 3 Select the organization group by which this app will be managed.
Step 5 Search for the app in the app store for the endpoint or enter the URL of the GlobalProtect app page:
Apple iOS: https://itunes.apple.com/us/app/globalprotect/id592489989?mt=8&uo=4
Android: https://play.google.com/store/apps/details?id=com.paloaltonetworks.globalprotect
Windows Phone: https://www.microsoft.com/store/apps/9NBLGGH6BZL3
Step 6 Click Next. If you chose to search for the app in the app store for the endpoint, you must also Select the app from a list of search results.
If you chose to search for the GlobalProtect app for Android and did not see the app in the list, contact your Android for Work administrator to add GlobalProtect to the list of approved company apps.
Step 10 Next steps:
Configure the GlobalProtect App for iOS Using AirWatch
Configure the GlobalProtect App for Android Using AirWatch
Configure the GlobalProtect App for Windows 10 UWP Using AirWatch
AirWatch is an Enterprise Mobility Management platform that enables you to manage mobile endpoints from a central console. The GlobalProtect app provides a secure connection between AirWatch-managed mobile endpoints and the firewall at either the device or application level. Using GlobalProtect as the secure connection allows consistent inspection of traffic and enforcement of network security policy for threat prevention on the mobile endpoint.
Configure a Device-Level VPN Configuration for iOS Devices Using AirWatch
Configure a Per-App VPN Configuration for iOS Devices Using AirWatch

Configure a Device-Level VPN Configuration for iOS Devices Using AirWatch

You can easily enable access to internal resources from your managed mobile endpoints by configuring VPN access using AirWatch. In a device-level VPN configuration, you route all of the traffic that matches the access routes configured on the GlobalProtect gateway through the GlobalProtect VPN.

Configure a Device-Level VPN Configuration for iOS Devices Using AirWatch
Step 1 Download the GlobalProtect app for iOS:
Deploy the GlobalProtect Mobile App Using AirWatch.
Download the GlobalProtect app directly from the App Store.
Step 2 From the AirWatch console, modify or add a new Apple iOS profile.
1. Navigate to Devices > Profiles > List View.
2. Select an existing profile to add the VPN configuration to it, or add a new one (select Add > Apple iOS).
3. Configure General profile settings:
Description: A brief description of the profile that indicates its purpose.
Deployment: Determines if the profile will be automatically removed upon unenrollment, either Managed (the profile is removed) or Manual (the profile remains installed until removed by the end user).
Assignment Type: Determines how the profile is deployed to endpoints. Select Auto to deploy the profile to all endpoints automatically, Optional to enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or Compliance to deploy the profile when an end user violates a compliance policy applicable to the endpoint.
Managed By: The Organization Group with administrative access to the profile.
Assigned Smart Group: The Smart Group to which you want the device profile added. Includes an option to create a new Smart Group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups and more.
Allow Removal: Determines whether or not the profile can be removed by the endpoint's end user. Select Always to enable the end user to manually remove the profile at any time, Never to prevent the end user from removing the profile from the endpoint, or With Authorization to enable the end user to remove the profile with the authorization of the administrator. Choosing With Authorization adds a required Password.
Exclusions: If Yes is selected, a new field Excluded Smart Groups displays, enabling you to select those Smart Groups you wish to exclude from the assignment of this device profile.
Step 3 To configure the VPN settings, select VPN and then click Configure.
Step 4 Configure connection information, including:
Connection Name: Enter the name of the connection to be displayed.
Connection Type: Select Palo Alto Networks GlobalProtect as the network connection method.
Server: Enter the hostname or IP address of the GlobalProtect portal to which to connect.
Account: Enter the username of the VPN account or click add (+) to view supported lookup values you can insert.
Authentication: Choose the method to authenticate end users. Follow the related prompts to enter a Password or upload an Identity Certificate to use to authenticate users; or, if you selected Password + Certificate, follow the related prompts for both.
Configure a Per-App VPN Configuration for iOS Devices Using AirWatch

You can easily enable access to internal resources from your managed mobile endpoints by configuring GlobalProtect VPN access using AirWatch. In a per-app VPN configuration, you can specify which managed apps on the endpoint can send traffic through the GlobalProtect VPN tunnel. Unmanaged apps will continue to connect directly to the Internet instead of through the GlobalProtect VPN tunnel.

Configure a Per-App VPN Configuration for iOS Devices Using AirWatch
Step 1 Download the GlobalProtect app for iOS:
Deploy the GlobalProtect Mobile App Using AirWatch.
Download the GlobalProtect app directly from the App Store.
Step 2 From the AirWatch console, modify or add a new Apple iOS profile:
1. Navigate to Devices > Profiles > List View.
2. Select an existing profile to add the VPN configuration to it, or add a new one (select Add > Apple iOS).
Step 3 Configure General profile settings:
Description: A brief description of the profile that indicates its purpose.
Deployment: Determines if the profile will be automatically removed upon unenrollment, either Managed (the profile is removed) or Manual (the profile remains installed until removed by the end user).
Assignment Type: Determines how the profile is deployed to endpoints. Select Auto to deploy the profile to all endpoints automatically, Optional to enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or Compliance to deploy the profile when an end user violates a compliance policy applicable to the endpoint.
Managed By: The Organization Group with administrative access to the profile.
Assigned Smart Group: The Smart Group to which you want the device profile added. Includes an option to create a new Smart Group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups and more.
Allow Removal: Determines whether or not the profile can be removed by the endpoint's end user. Select Always to enable the end user to manually remove the profile at any time, Never to prevent the end user from removing the profile from the endpoint, or With Authorization to enable the end user to remove the profile with the authorization of the administrator. Choosing With Authorization adds a required Password.
Exclusions: If Yes is selected, a new field Excluded Smart Groups displays, enabling you to select those Smart Groups you wish to exclude from the assignment of this device profile.
Step 4 To configure the per-app VPN settings in the Apple iOS profile, select VPN and then click Configure.
Step 5 Configure connection information, including:
Connection Name: Enter the name of the connection to be displayed.
Connection Type: Select Palo Alto Networks GlobalProtect as the network connection method.
Server: Enter the hostname or IP address of the GlobalProtect portal to which to connect.
Account: Enter the username of the VPN account or click add (+) to view supported lookup values that you can insert.
Send All Traffic: Select this check box to force all traffic through the specified network.
Disconnect on Idle: Allow the VPN to auto-disconnect after a specific amount of time.
Enable Per App VPN to route all of the traffic for a managed app through the GlobalProtect VPN.
Connect Automatically: Select this check box to allow the VPN to connect automatically to chosen Safari Domains.
Step 6 Configure the authentication method to use to authenticate users. For per-app VPN, you must use certificate-based authentication. Select User Authentication: Certificate, and then follow the prompts to upload an Identity Certificate to use for authentication.
Step 9 Configure per-app VPN settings for a new managed app, or modify the settings for an existing managed app. After configuring the settings for the app and enabling per-app VPN, you can publish the app to a group of users and enable the app to send traffic through the GlobalProtect VPN tunnel.
1. On the main page, select Apps & Books > Public.
2. To add a new app, select Add Application. Or, to modify the settings of an existing app, locate the GlobalProtect app in the list of Public apps and then select the edit icon in the actions menu next to the row.
3. Select the organization group by which this app will be managed.
4. Select Apple iOS as the Platform.
5. Select your preferred method for locating the app, either by searching the App Store (by Name), or specifying a URL for the app in the App Store (for example, to add the Box app, enter https://itunes.apple.com/us/app/boxforiphoneandipad/id290853822?mt=8&uo=4), and then click Next. If you choose to search the App Store, you must Select the app from the list of search results.
6. On the Assignment tab, select the Assigned Smart Groups that will have access to this app.
7. On the Deployment tab, select the Push Mode, either Auto or On Demand.
8. Select Use VPN and then select the Apple iOS profile that you created earlier in this workflow.
Only profiles that have per-app VPN enabled are available from the drop-down.
YoucanusetheGlobalProtectAppforAndroidwithAirWatchagent6.0andlaterreleases.TheAirWatch
agentinterfaceswithAirWatchtomanageAndroidendpoints.UsingtheGlobalProtectappforAndroidas
thesecureconnectionbetweentheendpointandthefirewallallowsconsistentinspectionoftrafficand
enforcementofnetworksecuritypolicyforthreatprevention.TheGlobalProtectappcanprovideasecure
connectionateitherthedeviceorapplicationlevel.
ConfigureaDeviceLevelVPNConfigurationforAndroidDevicesUsingAirWatch
ConfigureaPerAppVPNConfigurationforAndroidDevicesUsingAirWatch
EnableAppScanIntegrationwithWildFire
ConfigureaDeviceLevelVPNConfigurationforAndroidDevicesUsingAirWatch
YoucaneasilyenableaccesstointernalresourcesfromyourmanagedAndroidmobileendpointsby
configuringVPNaccessusingAirWatch.InadevicelevelVPNconfiguration,yourouteallofthetrafficthat
matchestheaccessroutesconfiguredontheGlobalProtectgatewaythroughtheGlobalProtectVPN.
ConfigureaDeviceLevelVPNConfigurationforAndroidDevicesUsingAirWatch
Step1 DownloadtheGlobalProtectappforAndroid:
DeploytheGlobalProtectMobileAppUsingAirWatch.
DownloadtheGlobalProtectappdirectlyfromGooglePlay.
ConfigureaDeviceLevelVPNConfigurationforAndroidDevicesUsingAirWatch(Continued)
Step2 FromtheAirWatchconsole,modifyoraddanewAndroidprofile.
1. NavigatetoDevices > Profiles > List View.
2. SelectanexistingprofiletowhichtoaddtheVPNconfigurationoraddanewone(selectAdd > Add Profile).
3. SelectAndroid astheplatformandDevice astheconfigurationtype.
Step3 ConfigureGeneralprofilesettings:
NameProvideameaningfulnameforthisconfiguration.
VersionThisfieldisautopopulatedwiththelatestversionnumberoftheconfigurationprofile.
DescriptionAbriefdescriptionoftheprofilethatindicatesitspurpose.
Profile ScopeScopeforthisprofile,eitherProduction,Staging,orBoth.
Assignment TypeDetermineshowtheprofileisdeployedtoendpoints.SelectAutotodeploytheprofile
toallendpointsautomatically,Optional toenabletheendusertoinstalltheprofilefromtheSelfService
Portal(SSP)ortomanuallydeploytheprofiletoindividualendpoints,orCompliancetodeploytheprofile
whenanenduserviolatesacompliancepolicyapplicabletotheendpoint.
Managed ByTheOrganizationGroupwithadministrativeaccesstotheprofile.
Assigned Smart GroupTheSmartGrouptowhichyouwantthedeviceprofileadded.Includesanoption
tocreateanewSmartGroupwhichcanbeconfiguredwithspecsforminimumOS,devicemodels,
ownershipcategories,organizationgroupsandmore.
Allow RemovalDetermineswhetherornottheprofilecanberemovedbytheendpoint'senduser.Select
Alwaystoenabletheendusertomanuallyremovetheprofileatanytime,Nevertopreventtheenduser
fromremovingtheprofilefromtheendpoint,orWith Authorizationtoenabletheendusertoremovethe
profilewiththeauthorizationoftheadministrator.ChoosingWith AuthorizationaddsarequiredPassword.
ExclusionsIfYesisselected,anewfieldExcluded Smart Groupsdisplays,enablingyoutoselectthose
SmartGroupsyouwishtoexcludefromtheassignmentofthisdeviceprofile.
Step5 ToconfiguretheVPNsettings,selectVPNandthenclickConfigure.
Step7 ConfigureAuthenticationinformation:
1. Choosethemethodtoauthenticateendusers:PasswordorCertificate.
2. EntertheUsernameoftheVPNaccountorclickadd(+)toviewsupportedlookupvaluesthatyoucan
insert.
3. EnteraPasswordoruploadanIdentity CertificatethatGlobalProtectwillusetoauthenticateusers.
ConfigureaPerAppVPNConfigurationforAndroidDevicesUsingAirWatch
Youcaneasilyenableaccesstointernalresourcesfromyourmanagedmobileendpointsbyconfiguring
GlobalProtectVPNaccessusingAirWatch.InaperappVPNconfiguration,youcanspecifywhichmanaged
appsontheendpointcansendtrafficthroughtheGlobalProtectVPNtunnel.Unmanagedappswillcontinue
toconnectdirectlytotheInternetinsteadofthroughtheGlobalProtectVPNtunnel.
ConfigureaPerAppVPNConfigurationforAndroidDevicesUsingAirWatch
Step 1 Download the GlobalProtect app for Android:
- Deploy the GlobalProtect Mobile App Using AirWatch.
- Download the GlobalProtect app directly from Google Play.
Step 2 From the AirWatch console, modify or add a new Android profile:
1. Navigate to Devices > Profiles > List View.
2. Select an existing profile to which to add the VPN configuration or add a new one (select Add > Add Profile).
3. Select Android as the platform and Device as the configuration type.
Step 3 Configure General profile settings:
Name: Provide a meaningful name for this configuration.
Version: This field is auto-populated with the latest version number of the configuration profile.
Description: A brief description of the profile that indicates its purpose.
Profile Scope: Scope for this profile, either Production, Staging, or Both.
Assignment Type: Determines how the profile is deployed to endpoints. Select Auto to deploy the profile to all endpoints automatically, Optional to enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or Compliance to deploy the profile when an end user violates a compliance policy applicable to the endpoint.
Managed By: The Organization Group with administrative access to the profile.
Assigned Smart Group: The Smart Group to which you want the device profile added. Includes an option to create a new Smart Group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups, and more.
Allow Removal: Determines whether or not the profile can be removed by the endpoint's end user. Select Always to enable the end user to manually remove the profile at any time, Never to prevent the end user from removing the profile from the endpoint, or With Authorization to enable the end user to remove the profile with the authorization of the administrator. Choosing With Authorization adds a required Password.
Exclusions: When you select Yes, the AirWatch console displays an Excluded Smart Groups field which you can use to select those Smart Groups you wish to exclude from the assignment of this device profile.
Step 5 To configure the VPN settings:
1. Select VPN and then click Configure.
2. Configure Connection Info, including:
Connection Type: Select GlobalProtect as the network connection method.
Connection Name: Enter the name of the connection that the endpoint will display.
Server: Enter the hostname or IP address of the GlobalProtect portal to which to connect.
Enable Per-App VPN to route all of the traffic for a managed app through the GlobalProtect VPN.
3. Select the authentication method to use to authenticate users. For per-app VPN, you must use certificate-based authentication. Select User Authentication: Certificate, and then follow the prompts to upload an Identity Certificate to use for authentication.
4. Save & Publish this profile to the assigned Smart Groups.
Step 6 Configure per-app VPN settings for a new managed app, or modify the settings for an existing managed app:
1. On the main page, select Apps & Books > Applications > List View > Public.
2. To add a new app, select Add Application. Or, to modify the settings of an existing app, locate the app in the list of Public apps and then select the edit icon in the actions menu next to the row.
3. Select the organization group by which this app will be managed.
4. Select Android as the Platform.
5. Select your preferred method for locating the app, either by specifying a URL or importing the app from the app store (Google Play). To search by URL, you must also enter the Google Play Store URL for the app (for example, to search for the Box app by URL, enter https://play.google.com/store/apps/details?id=com.box.android).
6. Click Next. If you chose to import the app from Google Play in the previous step, you must Select the app from the list of approved company apps. If you do not see the app in the list, contact your Android for Work administrator to approve the app.
7. On the Assignment tab, select Assigned Smart Groups that will have access to this app.
8. On the Deployment tab, select the Push Mode, either Auto or On Demand.
9. Select Use VPN and then select the Android profile that you created earlier in this workflow. Only profiles that have per-app VPN enabled are available from the drop-down.
Step 7 Configure Authentication information:
1. Choose the method to authenticate end users: Password or Certificate.
2. Enter the Username of the VPN account or click add (+) to view supported lookup values that you can insert.
3. Enter a Password or upload an Identity Certificate that GlobalProtect will use to authenticate users.
Enable App Scan Integration with WildFire
By enabling App Scan in AirWatch, you can leverage WildFire threat intelligence about apps to detect malware on Android endpoints. When enabled, the AirWatch agent sends the list of apps that are installed on the Android endpoint to AirWatch. This occurs during enrollment and subsequently on any device check-in. AirWatch then periodically queries WildFire for verdicts and can take compliance action on the endpoint based on the verdict.
Step 1 Before you begin, obtain a WildFire API key. If you do not already have an API key, contact Support.
Step 2 From AirWatch, select Groups & Settings > All Settings > Apps > App Scan > Third Party Integration.
Step 6 Enter your WildFire API key.
Step 8 Save your changes. AirWatch schedules a synchronization task to communicate with WildFire to obtain the latest verdicts for application hashes and runs the task at regular intervals. Click Sync Now to initiate a manual sync with WildFire.
Using the GlobalProtect app for Windows 10 UWP as the secure connection between the endpoint and the firewall allows consistent inspection of traffic and enforcement of network security policy for threat prevention.
The GlobalProtect app for Windows 10 UWP supports the following configurations using AirWatch:
- Per-App VPN: Specifies which managed apps on the endpoint can send traffic through the secure tunnel. Unmanaged apps will continue to connect directly to the Internet instead of through the secure connection.
- Device-Level VPN: Sends all traffic that matches specific filters (such as port and IP address) through the VPN irrespective of app. Device-level VPN configurations also support the ability to force the secure connection to be Always On. For even tighter security requirements, you can enable the VPN Lockdown option, which both forces the secure connection to always be on and connected and disables network access when the app is not connected. This configuration is similar to the Enforce GlobalProtect for Network Access option that you would typically configure in a GlobalProtect portal configuration.
Because AirWatch does not yet list GlobalProtect as an official connection provider for Windows endpoints, you must select an alternate VPN provider, edit the settings for the GlobalProtect app, and import the configuration back into the VPN profile as described in the following workflow.
Configure the GlobalProtect App for Windows 10 UWP Using AirWatch
Step 1 Download the GlobalProtect app for Windows 10 UWP:
- Deploy the GlobalProtect Mobile App Using AirWatch.
- Download the GlobalProtect app directly from the Microsoft Store.
Step 2 From the AirWatch console, add a new Windows 10 UWP profile:
1. Navigate to Devices > Profiles > List View.
2. Select Add > Add Profile.
3. Select Windows as the platform and Windows Phone as the configuration type.
4. Configure General profile settings such as a meaningful Name for this configuration and a brief Description of the profile that indicates its purpose.
5. Save and Publish this profile to the assigned Smart Groups.
Step 3 To configure the VPN connection settings, select VPN and then click Configure.
Server: Enter the hostname or IP address of the GlobalProtect portal to which to connect.
Step 5 Configure the authentication settings for the VPN connection:
1. Select the Authentication Type to choose the method to authenticate end users.
2. To permit GlobalProtect to save user credentials, enable Remember Credentials in the Policies area.
Step 6 Configure VPN traffic rules to apply device-wide or on a per-app basis:
Add New Per-App VPN Rule: Specify rules for specific legacy apps (typically .exe files) or modern apps (typically downloaded from the Microsoft Store) that determine whether to automatically establish the VPN connection when the app is launched and whether to send app traffic through the VPN. You can also configure specific traffic filters to route only app traffic through the VPN if it matches match criteria such as IP address and port.
Add New Device-Wide VPN Rule: Specify routing filters to send traffic matching a specific route through the VPN. These rules are not bound by application and are evaluated across the endpoint. If the traffic matches the match criteria, it is routed through the VPN.
Step 7 (Device-level VPN only) If desired, configure your preference of Always On connection:
1. To maintain the VPN connection always, enable either of the following options:
Always On: Force the secure connection to be always on.
VPN Lockdown: Force the secure connection to be always on and connected, and disable the network access when the app is not connected. The VPN Lockdown option in AirWatch is similar to the Enforce GlobalProtect for Network Access option that you would configure in a GlobalProtect portal configuration.
2. Specify Trusted Network addresses if you want GlobalProtect to connect only when it detects a trusted network connection.
3. Save & Publish your changes.
Step 8 To adapt the configuration for GlobalProtect, edit the VPN profile in XML.
To minimize additional edits in the raw XML, review the settings in your VPN profile before you export the configuration. If you need to change a setting after you export the VPN profile, you can make the changes in the raw XML or you can update the setting in the VPN profile and perform this step again.
1. In the Devices > Profiles > List View, select the radio button next to the new profile you added in the previous steps, and then select </> XML at the top of the table. AirWatch opens the XML view of the profile.
2. Export the profile and then open it in a text editor of your choice.
3. Edit the following settings for GlobalProtect:
In the LocURI element that specifies the PluginPackageFamilyName, change the element to:
<LocURI>./Vendor/MSFT/VPNv2/PaloAltoNetworks/PluginProfile/PluginPackageFamilyName</LocURI>
In the Data element that follows, change the value to:
<Data>PaloAltoNetworks.GlobalProtect_rn9aeerfb38dg</Data>
4. Save your changes to the exported profile.
5. Return to AirWatch and the Devices > Profiles > List View.
6. Create (select Add > Add Profile > Windows > Windows Phone) and name a new profile.
7. Select Custom Settings > Configure, and then copy and paste the edited configuration.
8. Save & Publish your changes.
Step 10 Test the configuration.
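The two edits in Step 8 are easy to get subtly wrong by hand (a stray character in the package family name means the plugin never loads), so here is an added example, not AirWatch or Palo Alto Networks code, that applies them programmatically and lets you verify the result before you paste it into Custom Settings. The SyncML-style layout of the sample profile is constructed for illustration (the real export may nest elements differently), as is the placeholder provider it names; the LocURI and Data values written in are exactly the ones the step specifies.

```python
"""Apply the Step 8 GlobalProtect edits to an exported AirWatch Windows 10 UWP
VPN profile. Added example, not AirWatch or Palo Alto Networks code: the
SyncML-style layout of SAMPLE_PROFILE and its placeholder provider are
constructed, while GP_LOCURI and GP_PACKAGE_FAMILY are the values the
procedure specifies.
"""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

GP_LOCURI = "./Vendor/MSFT/VPNv2/PaloAltoNetworks/PluginProfile/PluginPackageFamilyName"
GP_PACKAGE_FAMILY = "PaloAltoNetworks.GlobalProtect_rn9aeerfb38dg"

# Constructed sample of a profile exported after choosing an alternate
# (placeholder) VPN provider, as the workflow requires.
SAMPLE_PROFILE = """<wap-provisioningdoc>
  <Replace>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/VPNv2/OtherVendorVPN/PluginProfile/PluginPackageFamilyName</LocURI>
      </Target>
      <Data>OtherVendor.VpnClient_placeholder0</Data>
    </Item>
  </Replace>
  <Replace>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/VPNv2/OtherVendorVPN/PluginProfile/ServerUrlList</LocURI>
      </Target>
      <Data>gp-portal.example.com</Data>
    </Item>
  </Replace>
</wap-provisioningdoc>
"""


def _plugin_item(root: ET.Element) -> Optional[ET.Element]:
    """Return the <Item> whose LocURI names the PluginPackageFamilyName node, if any."""
    for item in root.iter("Item"):
        locuri = item.find("Target/LocURI")
        if locuri is not None and locuri.text and \
                locuri.text.strip().endswith("/PluginProfile/PluginPackageFamilyName"):
            return item
    return None


def plugin_settings(xml_text: str) -> Optional[Tuple[str, str]]:
    """Return (LocURI, Data) of the plugin item, for checking a profile before import."""
    item = _plugin_item(ET.fromstring(xml_text))
    if item is None:
        return None
    data = item.find("Data")
    return (item.find("Target/LocURI").text.strip(),
            data.text.strip() if data is not None and data.text else "")


def retarget_to_globalprotect(xml_text: str) -> str:
    """Rewrite only the two elements Step 8 names and return the edited profile XML."""
    root = ET.fromstring(xml_text)
    item = _plugin_item(root)
    if item is None:
        raise ValueError("exported profile has no PluginPackageFamilyName item")
    data = item.find("Data")
    if data is None:
        raise ValueError("PluginPackageFamilyName item has no Data element")
    item.find("Target/LocURI").text = GP_LOCURI
    data.text = GP_PACKAGE_FAMILY
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(retarget_to_globalprotect(SAMPLE_PROFILE))
```

Run `plugin_settings` on the edited text and compare it against the two constants before pasting: that is the check Step 10 ("Test the configuration") implicitly relies on, done before the profile reaches a device.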
Manage the GlobalProtect App Using a Third-Party MDM
You can use any third-party mobile device management (MDM) system that manages an Android or iOS mobile endpoint to deploy and configure the GlobalProtect app.
- Manage the GlobalProtect App for iOS Using a Third-Party MDM System
- Configure the GlobalProtect App for iOS
- Example: GlobalProtect iOS App Device-Level VPN Configuration
- Example: GlobalProtect iOS App App-Level VPN Configuration
- Manage the GlobalProtect App for Android Using a Third-Party MDM System
- Configure the GlobalProtect App for Android
- Example: Set VPN Configuration
- Example: Remove VPN Configuration
While a third-party MDM system allows you to push configuration settings that allow access to your corporate resources and provides a mechanism for enforcing device restrictions, it does not secure the connection between the mobile endpoint and the services it connects to. To enable the client to establish secure tunnel connections, you must enable VPN support on the endpoint.
The following table describes typical settings that you can configure using your third-party MDM system.
Example: GlobalProtect iOS App Device-Level VPN Configuration
The following example shows the XML configuration containing a VPN payload that you can use to verify the device-level VPN configuration of the GlobalProtect app for iOS.
Example: GlobalProtect iOS App App-Level VPN Configuration
The following example shows the XML configuration containing a VPN payload that you can use to verify the app-level VPN configuration of the GlobalProtect app for iOS.
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>5436fc94-205f-7c59-0000-011c</string>
<key>PayloadRemovalDisallowed</key>
<false/>
</dict>
</plist>
You can deploy and configure the GlobalProtect app on Android for Work devices from any third-party mobile device management (MDM) system supporting Android for Work app data restrictions.
On Android devices, traffic is routed through the VPN tunnel according to the access routes configured on the GlobalProtect gateway. From your third-party MDM that manages Android for Work devices, you can further refine the traffic that is routed through the VPN tunnel.
In an environment where the device is corporately owned, the device owner manages the entire device, including all the apps installed on that device. By default, all installed apps can send traffic through the VPN tunnel according to the access routes defined on the gateway.
In a bring-your-own-device (BYOD) environment, the device is not corporately owned and uses a Work Profile to separate business and personal apps. By default, only managed apps in the Work Profile can send traffic through the VPN tunnel according to the access routes defined on the gateway. Apps installed on the personal side of the device cannot send traffic through the VPN tunnel set by the managed GlobalProtect app installed in the Work Profile.
To route traffic from an even smaller set of apps, you can enable Per-App VPN so that GlobalProtect only routes traffic from specific managed apps. For Per-App VPN, you can whitelist or blacklist specific managed apps from having their traffic routed through the VPN tunnel.
As part of the VPN configuration, you can also specify how the user connects to the VPN. When you configure the VPN connection method as user-logon, the GlobalProtect app will establish a connection automatically. When you configure the VPN connection method as on-demand, users can initiate a connection manually when attempting to connect to the VPN remotely.
The VPN connect method defined in the MDM takes precedence over the connect method defined in the GlobalProtect portal configuration.
Removing the VPN configuration automatically restores the GlobalProtect app to the original configuration settings.
To configure the GlobalProtect app for Android, configure the following Android App Restrictions.
* The app_list key specifies the configuration for Per-App VPN. Begin the string with either the whitelist or blacklist, and follow it with an array of app names separated by semicolons. The whitelist specifies the apps that will use the VPN tunnel for network communication. The network traffic for any other app that is not in the whitelist, or that is expressly listed in the blacklist, will not go through the VPN tunnel.
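The following is an added example, not Palo Alto Networks or MDM vendor code, that models the routing decision the app_list note and the BYOD/corporate-owned paragraphs above describe: which app's traffic enters the GlobalProtect tunnel under a whitelist or blacklist, and that apps outside the Work Profile never do. The page does not state what separates the whitelist/blacklist keyword from the app names, so the parser accepting either ":" or ";" after the keyword is an assumption, and all package names are constructed.

```python
"""Per-App VPN app_list decision logic (added example, not Palo Alto Networks code).

Assumption: the app_list value looks like "<mode>:<pkg>;<pkg>;..." or
"<mode>;<pkg>;...", where <mode> is "whitelist" or "blacklist". Package
names used here are constructed for illustration.
"""
from typing import FrozenSet, Tuple


def parse_app_list(app_list: str) -> Tuple[str, FrozenSet[str]]:
    """Split an app_list restriction value into (mode, set of package names)."""
    value = app_list.strip()
    for mode in ("whitelist", "blacklist"):
        if value.lower().startswith(mode):
            rest = value[len(mode):].lstrip(":; ")        # separator is an assumption
            apps = frozenset(a.strip() for a in rest.split(";") if a.strip())
            return mode, apps
    raise ValueError(f"app_list must begin with 'whitelist' or 'blacklist': {app_list!r}")


def uses_vpn_tunnel(app_list: str, package: str, managed: bool = True) -> bool:
    """Return True if this app's traffic goes through the GlobalProtect tunnel.

    Follows the rule on the page: an app not in the whitelist, or expressly
    listed in the blacklist, does not use the tunnel. Apps on the personal side
    of a BYOD device (managed=False) never use the Work Profile's tunnel.
    """
    if not managed:
        return False
    mode, apps = parse_app_list(app_list)
    if mode == "whitelist":
        return package in apps
    return package not in apps                           # blacklist mode


if __name__ == "__main__":
    policy = "whitelist:com.example.mail;com.example.crm"
    for pkg in ("com.example.mail", "com.example.game"):
        print(pkg, "->", "tunnel" if uses_vpn_tunnel(policy, pkg) else "direct")
```

A whitelist is the safer default for a Per-App VPN restriction: a newly installed managed app gets no tunnel access until it is named, whereas a blacklist silently admits every app you forgot to list.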
Example: Set VPN Configuration
Example: Remove VPN Configuration
About Host Information
One of the jobs of the GlobalProtect agent is to collect information about the host it is running on. The agent then submits this host information to the GlobalProtect gateway upon successfully connecting. The gateway matches this raw host information submitted by the agent against any HIP objects and HIP profiles you have defined. If it finds a match, it generates an entry in the HIP Match log. Additionally, if it finds a HIP profile match in a policy rule, it enforces the corresponding security policy.
Using host information profiles for policy enforcement enables granular security that ensures that the remote hosts accessing your critical resources are adequately maintained and in adherence with your security standards before they are allowed access to your network resources. For example, before allowing access to your most sensitive data systems, you might want to ensure that the hosts accessing the data have encryption enabled on their hard drives. You can enforce this policy by creating a security rule that only allows access to the application if the client system has encryption enabled. In addition, for clients that are not in compliance with this rule, you could create a notification message that alerts users as to why they have been denied access and links them to the file share where they can access the installation program for the missing encryption software (of course, to allow the user to access that file share you would have to create a corresponding security rule allowing access to the particular share for hosts with that specific HIP profile match).
- What Data Does the GlobalProtect Agent Collect?
- How Does the Gateway Use the Host Information to Enforce Policy?
- How Do Users Know if Their Systems are Compliant?
- How Do I Get Visibility into the State of the End Clients?
What Data Does the GlobalProtect Agent Collect?
By default, the GlobalProtect agent collects vendor-specific data about the end user security packages that are running on the computer (as compiled by the OPSWAT global partnership program) and reports this data to the GlobalProtect gateway for use in policy enforcement.
Because security software must continually evolve to ensure end user protection, your GlobalProtect gateway licenses also enable you to get dynamic updates for the GlobalProtect data file with the latest patch and software versions available for each package.
While the agent collects a comprehensive amount of data about the host it is running on, you may have additional software that you require your end users to run in order to connect to your network or to access certain resources. In this case, you can define custom checks that instruct the agent to collect specific registry information (on Windows clients), preference list (plist) information (on Mac OS clients), or to collect information about whether or not specific services are running on the host.
The agent collects data about the following categories of information by default, to help to identify the security state of the host:
Table: Data Collection Categories
Category: Data Collected
General: Information about the host itself, including the host name, logon domain, operating system, client version, and, for Windows systems, the domain to which the machine belongs.
For the Windows client's domain, the GlobalProtect agent collects the domain defined for ComputerNameDnsDomain, which is the DNS domain assigned to the local computer or the cluster associated with the local computer. This data is what is displayed for the Windows client's Domain in the HIP Match log details (Monitor > HIP Match).
Firewall: Information about any client firewalls that are installed and/or enabled on the host.
Antivirus: Information about any antivirus software that is enabled and/or installed on the host, whether or not real-time protection is enabled, the virus definition version, last scan time, the vendor and product name.
GlobalProtect uses OPSWAT technology to detect and assess third-party security applications on the endpoint. By integrating with the OPSWAT OESIS framework, GlobalProtect enables you to assess the compliance state of the endpoint. For example, you can define HIP objects and HIP profiles that verify the presence of a specific version of antivirus software from a specific vendor on the endpoint and also ensure that it has the latest virus definition files.
Anti-Spyware: Information about any anti-spyware software that is enabled and/or installed on the host, whether or not real-time protection is enabled, the virus definition version, last scan time, the vendor and product name.
You can exclude certain categories of information from being collected on certain hosts (to save CPU cycles and improve client response time). To do this, you create a client configuration on the portal excluding the categories you are not interested in. For example, if you do not plan to create policy based on whether or not client systems run disk backup software, you can exclude that category and the agent will not collect any information about disk backup.
You can also choose to exclude collecting information from personal devices in order to allow for user privacy. This can include excluding device location and a list of apps installed on the device that are not managed by a third-party mobile device manager.
How Does the Gateway Use the Host Information to Enforce Policy?
While the agent gets the information about what to collect from the client configuration downloaded from the portal, you define which host attributes you are interested in monitoring and/or using for policy enforcement by creating HIP objects and HIP profiles on the gateway(s):
- HIP Objects: Provide the matching criteria to filter out the host information you are interested in using to enforce policy from the raw data reported by the agent. For example, while the raw host data may include information about several antivirus packages that are installed on the client, you may only be interested in one particular application that you require within your organization. In this case, you would create a HIP object to match the specific application you are interested in enforcing.
The best way to determine what HIP objects you need is to determine how you will use the host information you collect to enforce policy. Keep in mind that the HIP objects themselves are merely building blocks that allow you to create the HIP profiles that are used in your security policies. Therefore, you may want to keep your objects simple, matching on one thing, such as the presence of a particular type of required software, membership in a specific domain, or the presence of a specific client OS. By doing this, you will have the flexibility to create a very granular (and very powerful) HIP-augmented policy.
- HIP Profiles: A collection of HIP objects that are to be evaluated together, either for monitoring or for security policy enforcement. When you create your HIP profiles, you can combine the HIP objects you previously created (as well as other HIP profiles) using Boolean logic such that when a traffic flow is evaluated against the resulting HIP profile it will either match or not match. If there is a match, the corresponding policy rule will be enforced; if there is not a match, the flow will be evaluated against the next rule, as with any other policy matching criteria.
Unlike a traffic log, which only creates a log entry if there is a policy match, the HIP Match log generates an entry whenever the raw data submitted by an agent matches a HIP object and/or a HIP profile you have defined. This makes the HIP Match log a good resource for monitoring the state of the hosts on your network over time before attaching your HIP profiles to security policies, in order to help you determine exactly what policies you believe need enforcement. See Configure HIP-Based Policy Enforcement for details on how to create HIP objects and HIP profiles and use them as policy match criteria.
How Do Users Know if Their Systems are Compliant?
By default, end users are not given any information about policy decisions that were made as a result of enforcement of a HIP-enabled security rule. However, you can enable this functionality by defining HIP notification messages to display when a particular HIP profile is matched and/or not matched.
The decision as to when to display a message (that is, whether to display it when the user's configuration matches a HIP profile in the policy or when it doesn't match it) depends largely on your policy and what a HIP match (or non-match) means for the user. That is, does a match mean they are granted full access to your network resources? Or does it mean they have limited access due to a non-compliance issue?
For example, consider the following scenarios:
- You create a HIP profile that matches if the required corporate antivirus and anti-spyware software packages are not installed. In this case, you might want to create a HIP notification message for users who match the HIP profile telling them that they need to install the software (and, optionally, providing a link to the file share where they can access the installer for the corresponding software).
- You create a HIP profile that matches if those same applications are installed. In this case, you might want to create the message for users who do not match the profile, and direct them to the location of the install package.
See Configure HIP-Based Policy Enforcement for details on how to create HIP objects and HIP profiles and use them in defining HIP notification messages.
How Do I Get Visibility into the State of the End Clients?
Whenever an end host connects to GlobalProtect, the agent presents its HIP data to the gateway. The gateway then uses this data to determine which HIP objects and/or HIP profiles the host matches. For each match, it generates a HIP Match log entry. Unlike a traffic log, which only creates a log entry if there is a policy match, the HIP Match log generates an entry whenever the raw data submitted by an agent matches a HIP object and/or a HIP profile you have defined. This makes the HIP Match log a good resource for monitoring the state of the hosts on your network over time before attaching your HIP profiles to security policies, in order to help you determine exactly what policies you believe need enforcement.
Because a HIP Match log entry is only generated when the host state matches a HIP object you have created, for full visibility into host state you may need to create multiple HIP objects to log HIP matches for hosts that are in compliance with a particular state (for security policy enforcement purposes) as well as hosts that are non-compliant (for visibility). For example, suppose you want to prevent a host that does not have antivirus software installed from connecting to the network. In this case you would create a HIP object that matches hosts that have a particular antivirus software installed. By including this object in a HIP profile and attaching it to the security policy rule that allows access from your VPN zone, you can ensure that only hosts that are protected with antivirus software can connect.
However, in this case you would not be able to see in the HIP Match log which particular hosts are not in compliance with this requirement. If you wanted to also see a log for hosts that do not have antivirus software installed so that you can follow up with the users, you can also create a HIP object that matches the condition where the antivirus software is not installed. Because this object is only needed for logging purposes, you do not need to add it to a HIP profile or attach it to a security policy rule.
Configure HIP-Based Policy Enforcement
To enable the use of host information in policy enforcement, you must complete the following steps. For more information on the HIP feature, see About Host Information.
Enable HIP Checking
Repeat this step for each category you want to match against in this object. For more information, see Table: Data Collection Categories.
4. Click OK to save the HIP object.
5. Repeat these steps to create each additional HIP object you require.
6. Commit the changes.
5. Continue adding match criteria as appropriate for the profile you are building, making sure to select the appropriate Boolean operator radio button (AND or OR) between each addition (and, again, using the NOT check box when appropriate).
6. If you are creating a complex Boolean expression, you must manually add the parentheses in the proper places in the Match text box to ensure that the HIP profile is evaluated using the logic you intend. For example, the following HIP profile will match traffic from a host that has either FileVault disk encryption (for Mac OS systems) or TrueCrypt disk encryption (for Windows systems) and also belongs to the required Domain, and has a Symantec antivirus client installed:
7. When you are done adding match criteria, click OK to save the profile.
8. Repeat these steps to create each additional HIP profile you require.
9. Commit the changes.
8. Repeat this procedure for each message you want to define.
9. Commit the changes.
Collect Application and Process Data From Clients
The Windows Registry and Mac Plist can be used to configure and store settings and options for Windows and Mac operating systems, respectively. You can create a custom check that will allow you to determine whether an application is installed (has a corresponding registry or plist key) or is running (has a corresponding running process) on a Windows or Mac client. Enabling custom checks instructs the GlobalProtect agent to collect specific registry information (registry keys and registry key values from Windows clients) and preference list (plist) information (plists and plist keys from Mac OS clients). The data that you define to be collected in a custom check is included in the raw host information data collected by the GlobalProtect agent and then submitted to the GlobalProtect gateway when the agent connects.
To monitor the data collected with custom checks, you can create a HIP object. You can then add the HIP object to a HIP profile to use the collected data to match device traffic and enforce security rules. The gateway can use the HIP object (which matches the data defined in the custom check) to filter the raw host information submitted by the agent. When the gateway matches the client data to a HIP object, a HIP Match log entry is generated for the data. A HIP profile allows the gateway to also match the collected data to a security rule. If the HIP profile is used as criteria for a security policy rule, the gateway will enforce that security rule on the matching traffic.
Use the following task to enable custom checks to collect data from Windows and Mac clients. This task includes the optional steps to create a HIP object and HIP profile for a custom check, if you would like to use client data as matching criteria for a security policy to monitor, identify, and act on traffic.
For more information on defining agent settings directly from the Windows registry or the global Mac plist, see Deploy Agent Settings Transparently.
Enable and Verify Custom Checks for Windows or Mac Clients
For example, Add the Plist com.apple.screensaver and the Key askForPassword to collect information on whether a password is required to wake the Mac client after the screen saver begins:
Confirm that the Plist and Key are added to the Mac custom checks:
3. Click OK to save the HIP object. You can Commit to view the data in the HIP Match logs at the next device check-in or continue to Step 6.
For Mac clients only:
1. Select the Plist tab and Add and enter the name of the Plist for which you want to check Mac clients. (If instead you want to match Mac clients that do not have the specified Plist, continue by selecting Plist does not exist.)
2. (Optional) You can match traffic to a specific key-value pair within the Plist by entering the Key and the corresponding Value to match. (Alternatively, if you want to identify clients that do not have a specific Key and Value, you can continue by selecting Negate after populating the Key and Value fields.)
3. Click OK to save the HIP object. You can Commit to view the data in the HIP Match logs at the next device check-in or continue to Step 6.
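To make the Mac custom-check options concrete, here is an added example (not the GlobalProtect agent's code) that evaluates a HIP object of the kind built in the steps above against the com.apple.screensaver plist named earlier: plist present or "Plist does not exist", an optional Key/Value match, and the Negate box. The plist content is constructed with `plistlib` so the check runs offline; on a real Mac the agent reads the user's actual preference file, and the function name `custom_plist_check` is this example's own.

```python
"""Evaluate a Mac custom-check HIP object against a plist, as an added example
(not the GlobalProtect agent's code). The com.apple.screensaver content is
constructed with plistlib so the check can run offline.
"""
import plistlib
from typing import Any, Optional

# Constructed sample of what the agent would read for the askForPassword check.
SCREENSAVER_PLIST: bytes = plistlib.dumps(
    {"askForPassword": 1, "askForPasswordDelay": 0, "idleTime": 300})


def custom_plist_check(plist_data: Optional[bytes], key: Optional[str] = None,
                       value: Any = None, negate: bool = False,
                       plist_must_not_exist: bool = False) -> bool:
    """Return True if the HIP object described by the arguments would match.

    plist_data is the raw plist (XML or binary) or None when the Mac has no
    such file. plist_must_not_exist models the "Plist does not exist" option;
    key/value model the optional key-value match; negate models the Negate
    box, which matches clients that do not have that key and value.
    """
    if plist_must_not_exist:
        return plist_data is None
    if plist_data is None:
        return False                  # plist absent: neither the plist nor any key can match
    prefs = plistlib.loads(plist_data)
    if key is None:
        return True                   # plist exists and no key-value criterion was given
    matched = key in prefs and prefs[key] == value
    return (not matched) if negate else matched


if __name__ == "__main__":
    # The screen-saver check from the example above: is a password required on wake?
    print("askForPassword == 1:", custom_plist_check(SCREENSAVER_PLIST, "askForPassword", 1))
```

A Negate object (for example `askForPassword` = 1 with Negate set) is the logging-only counterpart discussed under host visibility: it lets you see in the HIP Match log which Macs lack the setting without having to put that object into an enforcing profile.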
Block Device Access
In the event that a user loses a device that provides GlobalProtect access to your network, that device is stolen, or a user leaves your organization, you can block the device from gaining access to the network by placing the device in a block list.
A block list is local to a logical network location (vsys1, for example) and can contain a maximum of 1,000 devices per location. Therefore, you can create separate device block lists for each location hosting a GlobalProtect deployment.
Remote Access VPN (Authentication Profile)
In the Figure: GlobalProtect VPN for Remote Access, the GlobalProtect portal and gateway are configured on ethernet1/2, so this is the physical interface where GlobalProtect clients connect. After a client connects and the portal and gateway authenticate it, the client establishes a VPN tunnel from its virtual adapter, which has been assigned an address in the IP address pool associated with the gateway tunnel.2 configuration (10.31.32.3 to 10.31.32.118 in this example). Because GlobalProtect VPN tunnels terminate in a separate corp-vpn zone, you have visibility into the VPN traffic as well as the ability to customize security policy for remote users.
Watch the video.
Figure: GlobalProtect VPN for Remote Access
The following procedure provides the configuration steps for this example. You can also watch the video.
Quick Config: VPN Remote Access
Remote Access VPN (Certificate Profile)
With certificate authentication, the client must present a valid client certificate that identifies the user to the GlobalProtect portal or gateway. In addition to the certificate itself, the portal or gateway can use a certificate profile to determine whether the client that sent the certificate is the client to which the certificate was issued.
When a client certificate is the only means of authentication, the certificate that the client presents must contain the username in one of the certificate fields; typically the username corresponds to the common name (CN) in the Subject field of the certificate.
Upon successful authentication, the GlobalProtect agent establishes a VPN tunnel with the gateway and is assigned an IP address from the IP pool in the gateway's tunnel configuration. To support user-based policy enforcement on sessions from the corp-vpn zone, the username from the certificate is mapped to the IP address that the gateway assigned. Also, if a security policy requires a domain name in addition to the username, the specified domain value in the certificate profile is appended to the username.
Figure: GlobalProtect Client Certificate Authentication Configuration
This quick configuration uses the same topology as Figure: GlobalProtect VPN for Remote Access. The only configuration difference is that instead of authenticating users against an external authentication server, this configuration uses client certificate authentication only.
Quick Config: VPN Remote Access with Client Certificate Authentication
RemoteAccessVPNwithTwoFactorAuthentication
IfyouconfigureaGlobalProtectportalorgatewaywithanauthenticationprofileandacertificateprofile
(whichtogethercanprovidetwofactorauthentication),theendusermustsucceedatauthentication
throughbothprofilesbeforegainingaccess.Forportalauthentication,thismeansthatcertificatesmustbe
predeployedtotheendclientsbeforetheirinitialportalconnection.Additionally,theclientcertificate
presentedbyaclientmustmatchwhatisdefinedinthecertificateprofile.
Ifthecertificateprofiledoesnotspecifyausernamefield(thatis,theUsername FielditissettoNone),the
clientcertificatedoesnotneedtohaveausername.Inthiscase,theclientmustprovidetheusername
whenauthenticatingagainsttheauthenticationprofile.
Ifthecertificateprofilespecifiesausernamefield,thecertificatethattheclientpresentsmustcontaina
usernameinthecorrespondingfield.Forexample,ifthecertificateprofilespecifiesthattheusername
fieldisSubject,thecertificatepresentedbytheclientmustcontainavalueinthecommonnamefield,or
elsetheauthenticationfails.Inaddition,whentheusernamefieldisrequired,thevaluefromthe
usernamefieldofthecertificateisautomaticallypopulatedastheusernamewhentheuserattemptsto
entercredentialsforauthenticatingtotheauthenticationprofile.Ifyoudonotwantforceusersto
authenticatewithausernamefromthecertificate,donotspecifyausernamefieldinthecertificate
profile.
ThisquickconfigurationusesthesametopologyasFigure:GlobalProtectVPNforRemoteAccess.However,
inthisconfigurationtheclientsmustauthenticateagainstacertificateprofileandanauthenticationprofile.
For more details on a specific type of two-factor authentication, see the following topics:
Enable Two-Factor Authentication Using Certificate and Authentication Profiles
Enable Two-Factor Authentication Using One-Time Passwords (OTPs)
Enable Two-Factor Authentication Using Smart Cards
Use the following procedure to configure VPN Remote Access with Two-Factor Authentication.
VPN Remote Access with Two-Factor Authentication
Always On VPN Configuration
In an always-on GlobalProtect configuration, the agent connects to the GlobalProtect portal upon user logon to submit user and host information and receive the client configuration. It then automatically establishes the VPN tunnel to the gateway specified in the client configuration delivered by the portal without end-user intervention, as shown in the following illustration.
To switch any of the previous remote access VPN configurations to an always-on configuration, you simply change the connect method:
Remote Access VPN (Authentication Profile)
Remote Access VPN (Certificate Profile)
Remote Access VPN with Two-Factor Authentication
Use the following procedure to switch to an Always On configuration.
Switch to an Always On Configuration
Step 3 Select the App tab.
Step 5 Click OK twice to save the agent configuration and the portal configuration and then Commit your changes.
Remote Access VPN with Pre-Logon
Pre-logon is a connect method that establishes a VPN tunnel before a user logs in. The purpose of pre-logon is to authenticate the endpoint (not the user) and then enable domain scripts and other tasks of your choice to run as soon as the endpoint powers on. A machine certificate enables the endpoint to have the VPN tunnel to the gateway. A common practice for IT personnel is to install the machine certificate while staging the endpoint for the user.
A pre-logon VPN tunnel has no username association because the user has not logged in. Therefore, to let the endpoint have access to resources in the trust zone, you must create security policies that match the pre-logon user. These policies should allow access to only the basic services for starting up the system, such as DHCP, DNS, Active Directory (for example, to change an expired password), antivirus, or operating system update services.
After the gateway authenticates a Windows user, the VPN tunnel is reassigned to that user (the IP address mapping on the firewall changes from the pre-logon endpoint to the authenticated user).
Mac systems behave differently from Windows systems with pre-logon. With Mac OS, the tunnel created for pre-logon is torn down and a new tunnel created when the user logs in.
When a client requests a new connection, the portal authenticates the client by using an authentication profile. The portal can also use an optional certificate profile that validates the client certificate (if the configuration includes a client certificate). In this case, the client certificate must identify the user.
After authentication, the portal determines if the client's configuration is current. If the portal's configuration for the agent has changed, it pushes an updated configuration to the endpoint.
If the configuration on the portal or a gateway includes cookie-based authentication for the client, the portal or gateway installs an encrypted cookie on the client. Subsequently, the portal or gateway uses the cookie to authenticate users and for refreshing the client's configuration. Also, if an agent configuration profile includes the pre-logon connect method in addition to cookie authentication, the GlobalProtect components can use the cookie for pre-logon.
If users never log in to a device (for example, a headless device) or a pre-logon connection is required on a system that a user has not previously logged in to, you can let the endpoint initiate a pre-logon tunnel without first connecting to the portal to download the pre-logon configuration. To do this, you must override the default behavior by creating entries in the Windows registry or Mac plist.
The GlobalProtect endpoint will then connect to the portal specified in the configuration and authenticate the endpoint by using its machine certificate (as specified in a certificate profile configured on the gateway) and establish the VPN tunnel.
When the end user subsequently logs in to the machine, and if single sign-on (SSO) is enabled in the client configuration, the username and password are captured while the user logs in and used to authenticate to the gateway so that the tunnel can be renamed (Windows). If SSO is not enabled in the client configuration, or if SSO is not supported on the client system (for example, it is a Mac OS system), the user's credentials must be stored in the agent (that is, the Save User Credentials option must be set to Yes). After successful authentication to the gateway, the tunnel will be renamed (Windows) or rebuilt (Mac) and user- and group-based policy can be enforced.
This example uses the GlobalProtect topology shown in Figure: GlobalProtect VPN for Remote Access.
Remote Access VPN with Pre-Logon
GlobalProtect Multiple Gateway Configuration
In Figure: GlobalProtect Multiple Gateway Topology, a second external gateway has been added to the configuration. Multiple gateways are supported in all of the preceding example configurations. Additional steps include configuring a second firewall as a GlobalProtect gateway. In addition, when configuring the client configurations to be deployed by the portal, you can decide whether to allow access to all gateways, or specify different gateways for different configurations.
Figure: GlobalProtect Multiple Gateway Topology
If a client configuration contains more than one gateway, the agent will attempt to connect to all gateways listed in its client configuration. The agent will then use priority and response time to determine the gateway to which to connect. The agent connects to a lower-priority gateway only if the response time for the higher-priority gateway is greater than the average response time across all gateways. For more information, see Gateway Priority in a Multiple Gateway Configuration.
Quick Config: GlobalProtect Multiple Gateway Configuration
GlobalProtect for Internal HIP Checking and User-Based Access
When used in conjunction with User-ID and/or HIP checks, an internal gateway can be used to provide a secure, accurate method of identifying and controlling traffic by user and/or device state, replacing other network access control (NAC) services. Internal gateways are useful in sensitive environments where authenticated access to critical resources is required.
In a configuration with only internal gateways, all clients must be configured with user-logon; on-demand mode is not supported. In addition, it is recommended that you configure all client configurations to use single sign-on (SSO). Additionally, because internal hosts do not need to establish a tunnel connection with the gateway, the IP address of the physical network adapter on the client system is used.
In this quick config, internal gateways are used to enforce group-based policies that allow users in the Engineering group access to the internal source control and bug databases and users in the Finance group to the CRM applications. All authenticated users have access to internal web resources. In addition, HIP profiles configured on the gateway check each host to ensure compliance with internal maintenance requirements, such as whether the latest security patches and antivirus definitions are installed, whether disk encryption is enabled, or whether the required software is installed.
Figure: GlobalProtect Internal Gateway Configuration
Use the following procedure to quickly configure a GlobalProtect internal gateway.
Quick Config: GlobalProtect Internal Gateway Configuration
2. Create the HIP profiles that you plan to use in your policies. For example, if you want to ensure that only Windows users with up-to-date patches can access your internal applications, you might attach the following HIP profile that will match hosts that do NOT have a missing patch:
Mixed Internal and External Gateway Configuration
In a GlobalProtect mixed internal and external gateway configuration, you configure separate gateways for VPN access and for access to your sensitive internal resources. With this configuration, agents perform internal host detection to determine if they are on the internal or external network. If the agent determines it is on the external network, it will attempt to connect to the external gateways listed in its client configuration and it will establish a VPN (tunnel) connection with the gateway with the highest priority and the shortest response time.
Because security policies are defined separately on each gateway, you have granular control over which resources your external and internal users have access to. In addition, you also have granular control over which gateways users have access to by configuring the portal to deploy different client configurations based on user/group membership or based on HIP profile matching.
In this example, the portal and all three gateways (one external and two internal) are deployed on separate firewalls. The external gateway at gpvpn.acme.com provides remote VPN access to the corporate network while the internal gateways provide granular access to sensitive data center resources based on group membership. In addition, HIP checks are used to ensure that hosts accessing the data center are up to date on security patches.
Figure: GlobalProtect Deployment with Internal and External Gateways
Use the following procedure to quickly configure a mix of internal and external GlobalProtect gateways.
Quick Config: GlobalProtect Mixed Internal & External Gateway Configuration
2. Create the HIP profiles that you plan to use in your policies. For example, if you want to ensure that only Windows users with up-to-date patches can access your internal applications, you might attach the following HIP profile that will match hosts that do NOT have a missing patch:
GlobalProtect Reference Architecture Topology
GlobalProtect Portal
GlobalProtect Gateways
GlobalProtect Portal
In this topology, a PA-3020 in the colocation space functions as a GlobalProtect portal.
Employees and contractors can authenticate to the portal using two-factor authentication (2FA) consisting of Active Directory (AD) credentials and a one-time password (OTP). The portal deploys GlobalProtect client configurations based on user and group membership and operating system.
By configuring a separate portal client configuration that applies to a small group or set of pilot users, you can test features before rolling them out to a wider user base. Any client configuration containing new features, such as the Enforce GlobalProtect or Simple Certificate Enrollment Protocol (SCEP) features, which were made available with PAN-OS 7.1 and content updates that followed, is enabled in the pilot configuration first and validated by those pilot users before it is made available to other users.
The GlobalProtect portal also pushes configurations to GlobalProtect satellites. This configuration includes the GlobalProtect gateways to which satellites can connect and establish a site-to-site tunnel.
GlobalProtect Gateways
The PA-3020 in the colocation space (mentioned previously) also doubles as a GlobalProtect gateway (the Santa Clara Gateway). 10 additional gateways are deployed in Amazon Web Services (AWS) and the Microsoft Azure public cloud. The regions or POP locations where these AWS and Azure gateways are deployed are based on the distribution of employees across the globe.
Santa Clara Gateway: Employees and contractors can authenticate to the Santa Clara Gateway (PA-3020 in the colocation space) using 2FA. This gateway requires users to provide their Active Directory credentials and their OTP. Because this gateway protects sensitive resources, it is configured as a manual-only gateway. As a result, users do not connect to this gateway automatically and must manually choose to connect to this gateway. For example, when users connect to AWS Norcal, which is not a manual-only gateway, some sensitive internal resources are not accessible. The user must then manually switch to and authenticate with the Santa Clara Gateway to access these resources.
In addition, the Santa Clara Gateway is configured as a Large Scale VPN (LSVPN) tunnel termination point for all satellite connections from gateways in AWS and Azure. The Santa Clara Gateway is also configured to set up an Internet Protocol Security (IPSec) tunnel to the IT firewall in corporate headquarters. This is the tunnel that provides access to resources in the corporate headquarters.
Gateways in Amazon Web Services and Microsoft Azure: These gateways require 2FA: a client certificate and Active Directory credentials. The GlobalProtect portal distributes the client certificate that is required to authenticate with these gateways using the GlobalProtect SCEP feature.
These gateways in the public cloud also act as GlobalProtect satellites. They communicate with the GlobalProtect portal, download the satellite configuration, and establish a site-to-site tunnel with the Santa Clara Gateway. GlobalProtect satellites initially authenticate using serial number, and subsequently authenticate using certificates.
Gateways Inside Corporate Headquarters: Within the corporate headquarters, three firewalls function as GlobalProtect gateways. These are internal gateways and do not require endpoints to set up a tunnel. Users authenticate to these gateways using their Active Directory credentials. These internal gateways use GlobalProtect to identify the User-ID and to collect the Host Information Profile (HIP) from the endpoints.
To make the end-user experience as seamless as possible, you can configure these internal gateways to authenticate users using certificates provisioned by SCEP or using Kerberos service tickets.
GlobalProtect Reference Architecture Features
End-User Experience
Management and Logging
Monitoring and High Availability
End-User Experience
End users who are remote (not inside the corporate network) connect to one of the gateways in AWS or Azure. When you configure the GlobalProtect portal client configuration, assign equal priority to the gateways. With this configuration, the gateway to which users connect depends on the SSL response time of each gateway measured on the endpoint during the tunnel setup time.
For example, a user in Australia would typically connect to the AWS Sydney Gateway. Once the user is connected to AWS Sydney, the GlobalProtect client tunnels all traffic from the endpoint to the AWS Sydney firewall for inspection. GlobalProtect sends traffic to public internet sites directly via the AWS Sydney Gateway and tunnels traffic to corporate resources through a site-to-site tunnel between the AWS Sydney Gateway and the Santa Clara Gateway, and then through an IPSec site-to-site tunnel to the corporate headquarters. This architecture is designed to reduce any latency the user may experience when accessing the internet. If the AWS Sydney Gateway (or any gateway closer to Sydney) was unreachable, the GlobalProtect client would backhaul the internet traffic to the firewall in the corporate headquarters and cause latency issues.
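The gateway-selection rule from the multiple-gateway section (priority first, dropping to a lower tier only when the preferred gateway responds slower than the average) and the equal-priority case described above, as an added Python model. This is not code from the guide or from Palo Alto Networks; the fastest-wins tie-break within one priority tier, the handling of manual-only and unreachable gateways, and the sample timings are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Priority tiers from the portal client configuration, highest first.
# "manual" gateways are never chosen automatically (the user picks them).
PRIORITY_ORDER = ["highest", "high", "medium", "low", "lowest"]


@dataclass
class Gateway:
    name: str
    priority: str                  # one of PRIORITY_ORDER, or "manual"
    response_ms: Optional[float]   # measured SSL response time; None = unreachable


def select_gateway(gateways: List[Gateway]) -> Optional[Gateway]:
    """Return the gateway an agent would auto-connect to, or None if there is none.

    Rule from the guide: the agent probes every listed gateway, then walks the
    priority tiers from highest to lowest and only drops to a lower tier when
    the higher tier's gateway responds slower than the average response time
    across all gateways. Assumption (not stated on the page): within one tier
    the fastest gateway wins, so equal priorities reduce to "fastest wins".
    """
    reachable = [g for g in gateways
                 if g.priority in PRIORITY_ORDER and g.response_ms is not None]
    if not reachable:
        return None
    average = sum(g.response_ms for g in reachable) / len(reachable)
    for tier in PRIORITY_ORDER:
        in_tier = [g for g in reachable if g.priority == tier]
        if not in_tier:
            continue
        best = min(in_tier, key=lambda g: g.response_ms)
        if best.response_ms <= average:
            return best
        # Slower than average: fall through to the next lower priority tier.
    # Not reached in practice (the fastest gateway is never above the mean);
    # kept so the function always returns a reachable gateway.
    return min(reachable, key=lambda g: g.response_ms)


# Constructed sample measurements, named after gateways in the reference
# architecture; the numbers are invented for illustration.
SAMPLE = [
    Gateway("SantaClara", "manual", 30.0),     # manual-only: never auto-selected
    Gateway("AWS-Virginia", "highest", 320.0),  # preferred tier, but slow
    Gateway("AWS-Sydney", "high", 40.0),
    Gateway("AWS-Norcal", "high", 90.0),
    Gateway("Azure-West", "medium", 150.0),
]

if __name__ == "__main__":
    chosen = select_gateway(SAMPLE)
    print(chosen.name if chosen else "no reachable gateway")
```

With the sample timings the average is 150 ms, so the highest-priority AWS-Virginia (320 ms) is skipped and the fastest high-priority gateway, AWS-Sydney, is chosen.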
Active Directory servers reside inside the corporate network. When remote end users authenticate, the GlobalProtect client sends authentication requests through the site-to-site tunnel in AWS/Azure to the Santa Clara Gateway. The gateway then forwards the request through an IPSec site-to-site tunnel to the Active Directory Server in corporate headquarters.
To reduce the time it takes for remote user authentication and tunnel setup, consider replicating the Active Directory Server and making it available in AWS.
End users inside the corporate network authenticate to the three internal gateways immediately after they log in; the GlobalProtect client sends the HIP report to these internal gateways. When users are inside the office on the corporate network, they must meet the User-ID and HIP requirements to access any resource at work.
Management and Logging
In this deployment, you can manage and configure all firewalls from Panorama, which is deployed in the colocation space.
To provide consistent security, all firewalls in AWS and Azure use the same security policies and configurations. To simplify configuration of the gateways, Panorama also uses one device group and one template. In this deployment, all gateways forward all logs to Panorama. This enables you to monitor network traffic or troubleshoot issues from a central location instead of requiring you to log in to each firewall.
When software updates are required, you can use Panorama to deploy the software updates to all firewalls. Panorama first upgrades one or two firewalls and verifies whether the upgrade was successful before updating the remaining firewalls.
Monitoring and High Availability
To monitor the firewalls in this deployment, you can use Nagios, an open-source server, network, and log monitoring software. Configure Nagios to periodically verify the response from the portal and the gateways' pre-login page and send an alert if the response does not match the expectations. You can also configure GlobalProtect Simple Network Management Protocol (SNMP) Management Information Base (MIB) objects to monitor gateway usage.
In this deployment there is only one instance of the GlobalProtect portal. If the portal becomes unavailable, new users (who have never connected to the portal before) will not be able to connect to GlobalProtect. However, existing users can use the cached portal client configuration to connect to one of the gateways.
Multiple virtual machine (VM) firewalls in AWS configured as GlobalProtect gateways provide gateway redundancy. Therefore, configuring gateways as a high availability (HA) pair is not required.
GlobalProtect Reference Architecture Configurations
To align your deployment with the reference architecture, review the following configuration checklists.
Gateway Configuration
Portal Configuration
Policy Configurations
Gateway Configuration
Portal Configuration
Policy Configurations
Configure all firewalls to use security policies and profiles based on the Best Practice Internet Gateway Security Policy. In this reference deployment, this includes the Santa Clara Gateway in the colocation space and gateways in the AWS/Azure public cloud.
Enable SSL Decryption on all gateways in AWS and Azure.
Configure Policy-Based Forwarding rules for all gateways in AWS to forward traffic to certain websites through the Santa Clara Gateway. This ensures that sites like www.stubhub.com and www.lowes.com that block traffic from AWS IP address ranges are still accessible when users connect to gateways in AWS.