Sei sulla pagina 1di 232

GlobalProtect

Administrators
Guide
Version8.0
ContactInformation

Corporate Headquarters:
PaloAltoNetworks
4401GreatAmericaParkway
SantaClara,CA95054
www.paloaltonetworks.com/company/contactsupport

AboutthisGuide

ThisguidedescribeshowtodeployGlobalProtecttoextendthesamenextgenerationfirewallbasedpoliciesthat
areenforcedwithinthephysicalperimetertoyourroamingusers,nomatterwheretheyarelocated:

ForinformationonhowtoconfigureothercomponentsinthePaloAltoNetworksNextGenerationSecurity
Platform,gototheTechnicalDocumentationportal:https://www.paloaltonetworks.com/documentationor
searchthedocumentation.

Foraccesstotheknowledgebase,completedocumentationset,discussionforums,andvideos,referto
https://live.paloaltonetworks.com.

Forcontactingsupport,forinformationonsupportprograms,tomanageyouraccountordevices,ortoopena
supportcase,refertohttps://www.paloaltonetworks.com/support/tabs/overview.html.

ForthemostcurrentPANOSandGlobalProtect8.0releasenotes,goto
https://www.paloaltonetworks.com/documentation/80/panos/panosreleasenotes.html.
Toprovidefeedbackonthedocumentation,pleasewritetousat:documentation@paloaltonetworks.com.

Palo Alto Networks, Inc.


www.paloaltonetworks.com
2014-2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be
found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of
their respective companies.

RevisionDate:February6,2017

2 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
TableofContents

GlobalProtectOverview............................................... 7
AbouttheGlobalProtectComponents ................................................ 8
GlobalProtectPortal ............................................................ 8
GlobalProtectGateways ......................................................... 8
GlobalProtectClient ............................................................ 9
WhatClientOSVersionsareSupportedwithGlobalProtect? ...........................10
WhatFeaturesDoesGlobalProtectSupport? .........................................11
AboutGlobalProtectLicenses .......................................................14

GetStarted.......................................................... 15
CreateInterfacesandZonesforGlobalProtect........................................16
EnableSSLBetweenGlobalProtectComponents......................................18
AboutGlobalProtectCertificateDeployment......................................18
GlobalProtectCertificateBestPractices..........................................18
DeployServerCertificatestotheGlobalProtectComponents .......................21

Authentication....................................................... 25
AboutGlobalProtectUserAuthentication ............................................26
SupportedGlobalProtectAuthenticationMethods .................................26
HowDoestheAgentorAppKnowWhatCredentialstoSupply? ....................28
SetUpExternalAuthentication .....................................................30
SetUpLDAPAuthentication ....................................................31
SetUpSAMLAuthentication ....................................................33
SetUpKerberosAuthentication.................................................35
SetUpRADIUSorTACACS+Authentication ......................................37
SetUpClientCertificateAuthentication..............................................39
DeploySharedClientCertificatesforAuthentication ...............................39
DeployMachineCertificatesforAuthentication...................................40
DeployUserSpecificClientCertificatesforAuthentication.........................43
SetUpTwoFactorAuthentication ..................................................46
EnableTwoFactorAuthenticationUsingCertificateandAuthenticationProfiles ......46
EnableTwoFactorAuthenticationUsingOneTimePasswords(OTPs)...............49
EnableTwoFactorAuthenticationUsingSmartCards ..............................53
SetUpAuthenticationforstrongSwanUbuntuandCentOSClients ......................56
EnableAuthenticationUsingaCertificateProfile ..................................56
EnableAuthenticationUsinganAuthenticationProfile .............................58
EnableAuthenticationUsingTwoFactorAuthentication ...........................60
SetUpMultiFactorAuthentication..................................................63
EnableGroupMapping.............................................................66

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 3
TableofContents

GlobalProtectGateways..............................................69
GlobalProtectGatewayConcepts .................................................... 70
GatewayPriorityinaMultipleGatewayConfiguration .............................. 70
GlobalProtectMIBSupport...................................................... 71
PrerequisiteTasksforConfiguringtheGlobalProtectGateway .......................... 72
ConfigureaGlobalProtectGateway .................................................. 73

GlobalProtectPortals .................................................81
PrerequisiteTasksforConfiguringtheGlobalProtectPortal ............................. 82
SetUpAccesstotheGlobalProtectPortal............................................ 83
DefinetheGlobalProtectClientAuthenticationConfigurations .......................... 84
DefinetheGlobalProtectAgentConfigurations .................................... 86
CustomizetheGlobalProtectAgent .............................................. 93
CustomizetheGlobalProtectPortalLogin,Welcome,andHelpPages................103

GlobalProtectClients .............................................. 105


DeploytheGlobalProtectClientSoftware ...........................................106
DeploytheGlobalProtectAgentSoftware........................................106
DownloadandInstalltheGlobalProtectMobileApp ...............................112
DownloadandInstalltheGlobalProtectAppforChromeOS........................115
DeployAgentSettingsTransparently................................................119
CustomizableAgentSettings ...................................................120
DeployAgentSettingstoWindowsClients .......................................126
DeployAgentSettingstoMacClients ...........................................135
GlobalProtectClientlessVPN ......................................................139
ClientlessVPNOverview ......................................................139
SupportedTechnologies.......................................................140
ConfigureClientlessVPN ......................................................141
TroubleshootClientlessVPN...................................................147
EnableDeliveryofGlobalProtectClientVSAstoaRADIUSServer......................152
Reference:GlobalProtectAgentCryptographicFunctions..............................153

MobileEndpointManagement....................................... 155
MobileEndpointManagementOverview............................................156
SetUpaMobileEndpointManagementSystem ......................................157
ManagetheGlobalProtectAppUsingAirWatch......................................158
DeploytheGlobalProtectMobileAppUsingAirWatch.............................158
ConfiguretheGlobalProtectAppforiOSUsingAirWatch ..........................159
ConfiguretheGlobalProtectAppforAndroidUsingAirWatch......................162
ConfiguretheGlobalProtectAppforWindows10UWPUsingAirWatch ............166
ManagetheGlobalProtectAppUsingaThirdPartyMDM.............................169
ConfiguretheGlobalProtectAppforiOS.........................................169
Example:GlobalProtectiOSAppDeviceLevelVPNConfiguration ..................170
Example:GlobalProtectiOSAppAppLevelVPNConfiguration .....................171
ConfiguretheGlobalProtectAppforAndroid.....................................172

4 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
TableofContents

Example:SetVPNConfiguration................................................ 173
Example:RemoveVPNConfiguration........................................... 174

HostInformation ...................................................175
AboutHostInformation ........................................................... 176
WhatDataDoestheGlobalProtectAgentCollect?................................ 176
HowDoestheGatewayUsetheHostInformationtoEnforcePolicy?............... 178
HowDoUsersKnowifTheirSystemsareCompliant? ............................. 179
HowDoIGetVisibilityintotheStateoftheEndClients? .......................... 179
ConfigureHIPBasedPolicyEnforcement ........................................... 180
CollectApplicationandProcessDataFromClients ................................... 187
BlockDeviceAccess .............................................................. 192

GlobalProtectQuickConfigs .........................................193
RemoteAccessVPN(AuthenticationProfile)......................................... 194
RemoteAccessVPN(CertificateProfile)............................................. 197
RemoteAccessVPNwithTwoFactorAuthentication................................. 200
AlwaysOnVPNConfiguration..................................................... 204
RemoteAccessVPNwithPreLogon................................................ 205
GlobalProtectMultipleGatewayConfiguration....................................... 211
GlobalProtectforInternalHIPCheckingandUserBasedAccess ....................... 215
MixedInternalandExternalGatewayConfiguration .................................. 219

GlobalProtectReferenceArchitecture .................................225
GlobalProtectReferenceArchitectureTopology...................................... 226
GlobalProtectPortal .......................................................... 226
GlobalProtectGateways ....................................................... 227
GlobalProtectReferenceArchitectureFeatures...................................... 228
EndUserExperience .......................................................... 228
ManagementandLogging ..................................................... 228
MonitoringandHighAvailability ................................................ 229
GlobalProtectReferenceArchitectureConfigurations ................................. 230
GatewayConfiguration ........................................................ 230
PortalConfiguration .......................................................... 230
PolicyConfigurations.......................................................... 231

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 5
TableofContents

6 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
GlobalProtectOverview
Whethercheckingemailfromhomeorupdatingcorporatedocumentsfromtheairport,themajorityof
today'semployeesworkoutsidethephysicalcorporateboundaries.Thisincreasedworkforcemobilitybrings
increasedproductivityandflexibilitywhilesimultaneouslyintroducingsignificantsecurityrisks.Everytime
usersleavethebuildingwiththeirlaptopsormobiledevicestheyarebypassingthecorporatefirewalland
associatedpoliciesthataredesignedtoprotectboththeuserandthenetwork.GlobalProtectsolvesthe
securitychallengesintroducedbyroamingusersbyextendingthesamenextgenerationfirewallbased
policiesthatareenforcedwithinthephysicalperimetertoallusers,nomatterwheretheyarelocated.
ThefollowingsectionsprovideconceptualinformationaboutthePaloAltoNetworksGlobalProtectoffering
anddescribethecomponentsofGlobalProtectandthevariousdeploymentscenarios:
AbouttheGlobalProtectComponents
WhatClientOSVersionsareSupportedwithGlobalProtect?
WhatFeaturesDoesGlobalProtectSupport?
AboutGlobalProtectLicenses

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 7
AbouttheGlobalProtectComponents GlobalProtectOverview

AbouttheGlobalProtectComponents

GlobalProtectprovidesacompleteinfrastructureformanagingyourmobileworkforcetoenablesecure
accessforallyourusers,regardlessofwhatdevicestheyareusingorwheretheyarelocated.This
infrastructureincludesthefollowingcomponents:
GlobalProtectPortal
GlobalProtectGateways
GlobalProtectClient

GlobalProtectPortal

TheGlobalProtectportalprovidesthemanagementfunctionsforyourGlobalProtectinfrastructure.Every
clientsystemthatparticipatesintheGlobalProtectnetworkreceivesconfigurationinformationfromthe
portal,includinginformationaboutavailablegatewaysaswellasanyclientcertificatesthatmayberequired
toconnecttotheGlobalProtectgateway(s).Inaddition,theportalcontrolsthebehavioranddistributionof
theGlobalProtectagentsoftwaretobothMacandWindowslaptops.(Onmobiledevices,theGlobalProtect
appisdistributedthroughtheAppleAppStoreforiOSdevicesorthroughGooglePlayforAndroiddevices.)
IfyouareusingtheHostInformationProfile(HIP)feature,theportalalsodefineswhatinformationtocollect
fromthehost,includinganycustominformationyourequire.YouSetUpAccesstotheGlobalProtectPortal
onaninterfaceonanyPaloAltoNetworksnextgenerationfirewall.

GlobalProtectGateways

GlobalProtectgatewaysprovidesecurityenforcementfortrafficfromGlobalProtectagents/apps.
Additionally,iftheHIPfeatureisenabled,thegatewaygeneratesaHIPreportfromtherawhostdatathe
clientssubmitandcanusethisinformationinpolicyenforcement.
ExternalgatewaysProvidesecurityenforcementand/orvirtualprivatenetwork(VPN)accessforyour
remoteusers.
InternalgatewaysAninterfaceontheinternalnetworkconfiguredasaGlobalProtectgatewayfor
applyingsecuritypolicyforaccesstointernalresources.WhenusedinconjunctionwithUserIDand/or
HIPchecks,aninternalgatewaycanbeusedtoprovideasecure,accuratemethodofidentifyingand
controllingtrafficbyuserand/ordevicestate.Internalgatewaysareusefulinsensitiveenvironments
whereauthenticatedaccesstocriticalresourcesisrequired.Youcanconfigureaninternalgatewayin
eithertunnelmodeornontunnelmode.
YouConfigureaGlobalProtectGatewayonaninterfaceonanyPaloAltoNetworksnextgeneration
firewall.Youcanrunbothagatewayandaportalonthesamefirewall,oryoucanhavemultiple,
distributedgatewaysthroughoutyourenterprise.

8 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
GlobalProtectOverview AbouttheGlobalProtectComponents

GlobalProtectClient

TheGlobalProtectclientsoftwarerunsonendusersystemsandenablesaccesstoyournetworkresources
viatheGlobalProtectportalsandgatewaysyouhavedeployed.TherearetwotypesofGlobalProtectclients:
TheGlobalProtectAgentRunsonWindowsandMacOSsystemsandisdeployedfromthe
GlobalProtectportal.Youconfigurethebehavioroftheagentforexample,whichtabstheuserscansee,
whetherornotuserscanuninstalltheagentintheclientconfiguration(s)youdefineontheportal.See
DefinetheGlobalProtectAgentConfigurations,CustomizetheGlobalProtectAgent,andDeploythe
GlobalProtectAgentSoftwarefordetails.
TheGlobalProtectAppRunsoniOS,Android,WindowsUWP,andChromebookdevices.Usersmust
obtaintheGlobalProtectappfromtheAppleAppStore(foriOS),GooglePlay(forAndroid),Microsoft
Store(forWindowsUWP),orChromeWebStore(forChromebook).
SeeWhatClientOSVersionsareSupportedwithGlobalProtect?formoredetails.
ThefollowingdiagramillustrateshowtheGlobalProtectportals,gateways,andagents/appsworktogether
toenablesecureaccessforallyourusers,regardlessofwhatdevicestheyareusingorwheretheyare
located.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 9
WhatClientOSVersionsareSupportedwithGlobalProtect? GlobalProtectOverview

WhatClientOSVersionsareSupportedwithGlobalProtect?

PaloAltoNetworkssupportstheGlobalProtectapp(alsoreferredtoastheGlobalProtectagent)oncommon
desktop,laptop,andmobiledevices.WerecommendthatyouconfigureGlobalProtectonfirewallsrunning
PANOS6.1oralaterreleaseandthatyouinstallonlysupportedreleasesoftheGlobalProtectappon
endpoints.TheminimumGlobalProtectappreleasevariesbyoperatingsystem;todeterminetheminimum
GlobalProtectappreleaseforaspecificoperatingsystem,refertothefollowingtopicsinthePaloAlto
NetworksCompatibilityMatrix:
WhereCanIInstalltheGlobalProtectApp?
WhatXAuthIPSecClientsareSupported?
OlderversionsoftheGlobalProtectapp(releases1.0through2.1)arestillsupportedontheoperating
systemsandPANOSreleaseswithwhichtheywerereleased.ForminimumPANOSreleasesupportfor
GlobalProtectapp2.1andolderreleases,refertotheGlobalProtectagent(app)releasenotesforyour
specificreleaseontheSoftwareUpdatessite.

10 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
GlobalProtectOverview WhatFeaturesDoesGlobalProtectSupport?

WhatFeaturesDoesGlobalProtectSupport?

ThefollowingtableliststhesupportedfeaturesonGlobalProtectbyOS.Anentryinthetableindicatesthe
firstsupportedreleaseofthefeatureontheOS.Aindicatesthefeatureisnotsupported.For
recommendedminimumGlobalProtectagentandappversions,seeWhatClientOSVersionsareSupported
withGlobalProtect?

Feature Android iOS Chrome Windows Windows10 Mac


UWP

Authentication

Agent Login 4.0 4.0 4.0 4.0


Enhancements

Multi-Factor 4.0 4.0 4.0 4.0 4.0 4.0


Authentication

SAML Authentication 4.0 4.0 4.0 4.0 4.0 4.0


(On-Demand
connect
methodonly)

Single Sign-On (SSO)

SSO (Credential 1.2.0


Provider)

Kerberos SSO 3.0.0

Clientless VPN

Clientless VPN

Connect Methods

User-logon (always 1.0.0 3.1.3 1.0.0


on) (AlwaysOn
configured
from
thirdparty
MDM)

Pre-logon (always-on) 1.1.0 1.1.0

Pre-logon (then 3.1.0 3.1.0


on-demand)

On-demand 1.0.0 1.0.0 3.1.1 1.0.0 3.1.3 1.0.0

Connection Priority

External Gateway 4.0 4.0 4.0 4.0 4.0 4.0


Priority by Source
Region

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 11
WhatFeaturesDoesGlobalProtectSupport? GlobalProtectOverview

Feature Android iOS Chrome Windows Windows10 Mac


UWP

Internal Gateway 4.0 4.0 4.0 4.0 4.0 4.0


Selection by Source IP (ExceptDHCP (ExceptDHCP (ExceptDHCP
Address Options) Options) Options)

Modes

Internal mode 1.0.0 1.0.0 3.1.1 1.0 1.0.0

External mode 1.0.0 1.0.0 3.1.1 1.0.0 3.1.3 1.0.0

Networking

IPv6 Support 4.0 4.0 4.0 4.0 4.0 4.0

Split Tunnel to 4.0 4.0 4.0 4.0 4.0 4.0


Exclude by Access
Route

Customization

Restrict Transparent 4.0 4.0 4.0 4.0 4.0 4.0


Agent Upgrades to
Internal Network
Connections

Enforce 3.1.0 3.1.3 3.1.0


GlobalProtect for (VPN
network access Lockdown
configured
from
thirdparty
MDM)

Deployment of SSL 3.0.0 3.0.0


Forward Proxy CA
certificates in the
trust store

HIP reports 1.0.0 1.0.0 3.0.0 1.0.0 3.1.3 1.0.0


(Host
information
only;
Notifications
not
supported)

Script actions that run 2.3.0 2.3.0


before and after
sessions

Certificate selection 3.0.0 3.0.0


by OID

Allow users to disable 2.2.0 2.2.0


GlobalProtect

12 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
GlobalProtectOverview WhatFeaturesDoesGlobalProtectSupport?

Feature Android iOS Chrome Windows Windows10 Mac


UWP

Welcome and help 1.0.0 1.0.0 3.0.0 1.0.0 1.0.0


pages

Endpoint mobility 1.0.0 1.0.0 3.0.0 3.1.3


management system (Chromebook
(EMM/MDM) Management
Console)

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 13
AboutGlobalProtectLicenses GlobalProtectOverview

AboutGlobalProtectLicenses

IfyousimplywanttouseGlobalProtecttoprovideasecure,remoteaccessorvirtualprivatenetwork(VPN)
solutionviasingleormultipleinternal/externalgateways,youdonotneedanyGlobalProtectlicenses.
However,tousesomeofthemoreadvancedfeatures(suchasHIPchecksandassociatedcontentupdates,
supportfortheGlobalProtectmobileapp,orIPv6support)youneedtopurchaseanannualGlobalProtect
subscription.Thislicensemustbeinstalledoneachfirewallrunningagateway(s)that:
PerformsHIPchecks
SupportstheGlobalProtectapponmobiledevices
ProvidesIPv6connections
ForGlobalProtectClientlessVPN,thisfeaturealsorequiresyoutoinstallaGlobalProtectsubscriptiononthe
firewallthathoststheClientlessVPNfromtheGlobalProtectportal.YoualsoneedtheGlobalProtect
Clientless VPNdynamicupdatestousethisfeature.

Feature SubscriptionRequired?

Single, external gateway (Windows and Mac)

Single or multiple internal gateways

Multiple external gateways

HIP Checks

Mobile app for iOS endpoints, Android endpoints,


Chromebooks, and Windows 10 UWP endpoints

IPv6 support

Clientless VPN

SeeActivateLicensesforinformationoninstallinglicensesonthefirewall.

14 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
GetStarted
ForGlobalProtecttowork,youmustsetuptheinfrastructurethatallowsallofthecomponentsto
communicate.Atabasiclevel,thismeanssettinguptheinterfacesandzonestowhichtheGlobalProtectend
usersconnecttoaccesstheportalandthegatewaystothenetwork.BecausetheGlobalProtectcomponents
communicateoversecurechannels,youmustacquireanddeploytherequiredSSLcertificatestothevarious
components.ThefollowingsectionsguideyouthroughthestepstosetuptheGlobalProtectinfrastructure:
CreateInterfacesandZonesforGlobalProtect
EnableSSLBetweenGlobalProtectComponents

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 15
CreateInterfacesandZonesforGlobalProtect GetStarted

CreateInterfacesandZonesforGlobalProtect

YoumustconfigurethefollowinginterfacesandzonesforyourGlobalProtectinfrastructure:
GlobalProtectportalRequiresaLayer3orloopbackinterfacefortheGlobalProtectclientsconnection.
Iftheportalandgatewayareonthesamefirewall,theycanusethesameinterface.Theportalmustbe
inazonethatisaccessiblefromoutsideyournetwork,forexample:DMZ.
GlobalProtectgatewaysTheinterfaceandzonerequirementsforthegatewaydependonwhetherthe
gatewayyouareconfiguringisexternalorinternal,asfollows:
ExternalgatewaysRequiresaLayer3orloopbackinterfaceandalogicaltunnelinterfaceforthe
clienttoestablishaVPNtunnel.TheLayer3/loopbackinterfacemustbeinanexternalzone,such
asDMZ.Atunnelinterfacecanbeinthesamezoneastheinterfaceconnectingtoyourinternal
resources(forexampletrust).Foraddedsecurityandbettervisibility,youcancreateaseparate
zone,suchascorpvpn.Ifyoucreateaseparatezoneforyourtunnelinterface,youmustcreate
securitypoliciesthatenabletraffictoflowbetweentheVPNzoneandthetrustzone.
InternalgatewaysRequiresaLayer3orloopbackinterfaceinyourtrustzone.Youcanalsocreate
atunnelinterfaceforaccesstoyourinternalgateways,butthisisnotrequired.

FortipsonhowtousealoopbackinterfacetoprovideaccesstoGlobalProtectondifferentportsandaddresses,
refertoCanGlobalProtectPortalPagebeConfiguredtobeAccessedonanyPort?

Formoreinformationaboutportalsandgateways,seeAbouttheGlobalProtectComponents.

SetUpInterfacesandZonesforGlobalProtect

Step1 ConfigureaLayer3interfaceforeach 1. SelectNetwork > Interfaces > EthernetorNetwork >


portaland/orgatewayyouplanto Interfaces > Loopbackandthenselecttheinterfaceyouwant
deploy. toconfigureforGlobalProtect.Inthisexample,weare
Ifthegatewayandportalareon configuringethernet1/1astheportalinterface.
thesamefirewall,youcanusea 2. (Ethernetonly)SelectLayer3 fromtheInterface Type
singleinterfaceforboth. dropdown.
AsabestpracticeusestaticIP 3. OntheConfigtab,selectthezonetowhichtheportalor
addressesfortheportaland gatewayinterfacebelongsasfollows:
gateway.
Placeportalsandexternalgatewaysinanuntrustzonefor
accessbyhostsoutsideyournetwork,suchasl3untrust.
Placeinternalgatewaysinaninternalzone,suchasl3trust.
Ifyouhavenotyetcreatedthezone,selectNew Zonefrom
theSecurity Zonedropdown.IntheZonedialog,definea
NameforthenewzoneandthenclickOK.
4. IntheVirtual Routerdropdown,selectdefault.
5. AssignanIPaddresstotheinterface:
ForanIPv4address,selectIPv4andAddtheIPaddressand
networkmasktoassigntotheinterface,forexample
203.0.11.100/24.
ForanIPv6address,selectIPv6,Enable IPv6 on the
interface,andAddtheIPaddressandnetworkmaskto
assigntotheinterface,forexample
2001:1890:12f2:11::10.1.8.160/80.
6. Tosavetheinterfaceconfiguration,clickOK.

16 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
GetStarted CreateInterfacesandZonesforGlobalProtect

SetUpInterfacesandZonesforGlobalProtect(Continued)

Step2 Onthefirewall(s)hostingGlobalProtect 1. SelectNetwork > Interfaces > Tunnel andclickAdd.


gateway(s),configurethelogicaltunnel 2. IntheInterface Namefield,specifyanumericsuffix,suchas.2.
interfacethatwillterminateVPNtunnels
establishedbytheGlobalProtectagents. 3. OntheConfigtab,expandtheSecurity Zonedropdownto
definethezoneasfollows:
IPaddressesarenotrequiredon
thetunnelinterfaceunlessyou Touseyourtrustzoneastheterminationpointforthe
requiredynamicrouting.In tunnel,selectthezonefromthedropdown.
addition,assigninganIPaddress (Recommended)TocreateaseparatezoneforVPNtunnel
tothetunnelinterfacecanbe termination,clickNew Zone.IntheZonedialog,definea
usefulfortroubleshooting Namefornewzone(forexample,corpvpn),selectthe
connectivityissues. Enable User Identificationcheckbox,andthenclickOK.
BesuretoenableUserIDinthe 4. IntheVirtual Routerdropdown,selectNone.
zonewheretheVPNtunnels
5. AssignanIPaddresstotheinterface:
terminate.
ForanIPv4address,selectIPv4andAddtheIPaddressand
networkmasktoassigntotheinterface,forexample
203.0.11.100/24.
ForanIPv6address,selectIPv6,Enable IPv6 on the
interface,andAddtheIPaddressandnetworkmaskto
assigntotheinterface,forexample
2001:1890:12f2:11::10.1.8.160/80.
6. Tosavetheinterfaceconfiguration,clickOK.

Step3 Ifyoucreatedaseparatezonefortunnel Forexample,thefollowingpolicyruleenablestrafficbetweenthe


terminationofVPNconnections,create corpvpnzoneandthel3trustzone.
asecuritypolicytoenabletrafficflow
betweentheVPNzoneandyourtrust
zone.

Step4 Savetheconfiguration. ClickCommit.


Ifyouenabledmanagement
accesstotheinterfacehosting
theportal,youmustadda:4443
totheURL.Forexample,to
accessthewebinterfaceforthe
portalconfiguredinthisexample,
youwouldenterthefollowing:
https://208.80.56.100:4443
Or,ifyouconfiguredaDNS
recordfortheFQDN,suchas
gp.acme.com,youwouldenter:
https://gp.acme.com:4443
Toaccesstheportalloginpage,
youwouldentertheURLwithout
theportnumber:
https://208.80.56.100
or
https://gp.acme.com

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 17
EnableSSLBetweenGlobalProtectComponents GetStarted

EnableSSLBetweenGlobalProtectComponents

AllinteractionbetweentheGlobalProtectcomponentsoccursoveranSSL/TLSconnection.Therefore,you
mustgenerateand/orinstalltherequiredcertificatesbeforeconfiguringeachcomponentsothatyoucan
referencetheappropriatecertificate(s)intheconfigurations.Thefollowingsectionsdescribethesupported
methodsofcertificatedeployment,descriptionsandbestpracticeguidelinesforthevariousGlobalProtect
certificates,andprovideinstructionsforgeneratinganddeployingtherequiredcertificates:
AboutGlobalProtectCertificateDeployment
GlobalProtectCertificateBestPractices
DeployServerCertificatestotheGlobalProtectComponents

About GlobalProtect Certificate Deployment

TherearethreebasicapproachestoDeployServerCertificatestotheGlobalProtectComponents:
(Recommended)CombinationofthirdpartycertificatesandselfsignedcertificatesBecausetheend
clientswillbeaccessingtheportalpriortoGlobalProtectconfiguration,theclientmusttrustthe
certificatetoestablishanHTTPSconnection.
EnterpriseCertificateAuthorityIfyoualreadyhaveyourownenterpriseCA,youcanusethisinternal
CAtoissuecertificatesforeachoftheGlobalProtectcomponentsandthenimportthemontothe
firewallshostingyourportalandgateway(s).Inthiscase,youmustalsoensurethattheenduser
systems/mobiledevicestrusttherootCAcertificateusedtoissuethecertificatesfortheGlobalProtect
servicestowhichtheymustconnect.
SelfSignedCertificatesYoucangenerateaselfsignedCAcertificateontheportalanduseittoissue
certificatesforalloftheGlobalProtectcomponents.However,thissolutionislesssecurethantheother
optionsandisthereforenotrecommended.Ifyoudochoosethisoption,enduserswillseeacertificate
errorthefirsttimetheyconnecttotheportal.Topreventthis,youcandeploytheselfsignedrootCA
certificatetoallendusersystemsmanuallyorusingsomesortofcentralizeddeployment,suchasan
ActiveDirectoryGroupPolicyObject(GPO).

GlobalProtect Certificate Best Practices

ThefollowingtablesummarizestheSSL/TLScertificatesyouwillneed,dependingonwhichfeaturesyou
plantouse:

Table:GlobalProtectCertificateRequirements
Certificate Usage IssuingProcess/BestPractices

CA certificate Usedtosigncertificatesissued Ifyouplantouseselfsignedcertificates,abestpracticeisto


totheGlobalProtect generateaCAcertificateontheportalandthenusethat
components. certificatetoissuetherequiredGlobalProtectcertificates.

18 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
GetStarted EnableSSLBetweenGlobalProtectComponents

Certificate Usage IssuingProcess/BestPractices

Portal server EnablesGlobalProtectagents ThiscertificateisidentifiedinanSSL/TLSserviceprofile.


certificate andappstoestablishanHTTPS Youassigntheportalservercertificatebyselectingits
connectionwiththeportal. associatedserviceprofileinaportalconfiguration.
Useacertificatefromawellknown,thirdpartyCA.Thisis
themostsecureoptionandensuresthattheuserendpoints
canestablishatrustrelationshipwiththeportalandwithout
requiringyoutodeploytherootCAcertificate.
Ifyoudonotuseawellknown,publicCA,youshouldexport
therootCAcertificatethatwasusedtogeneratetheportal
servercertificatetoallendpointsthatruntheGlobalProtect
agentorapplication.Exportingthiscertificatepreventsthe
endusersfromseeingcertificatewarningsduringtheinitial
portallogin.
TheCommonName(CN)and,ifapplicable,theSubject
AlternativeName(SAN)fieldsofthecertificatemustmatch
theIPaddressorFQDNoftheinterfacethathoststhe
portal.
Ingeneral,aportalmusthaveitsownservercertificate.
However,ifyouaredeployingasinglegatewayandportal
onthesameinterfaceforbasicVPNaccess,youmustuse
thesamecertificateforboththegatewayandtheportal.

Gateway server EnablesGlobalProtectagents ThiscertificateisidentifiedinanSSL/TLSserviceprofile.


certificate andappstoestablishanHTTPS Youassigntheportalservercertificatebyselectingits
connectionwiththegateway. associatedserviceprofileinagatewayconfiguration.
GenerateaCAcertificateontheportalandusethatCA
certificatetogenerateallgatewaycertificates.
TheCNand,ifapplicable,theSANfieldsofthecertificate
mustmatchtheFQDNorIPaddressoftheinterfacewhere
youplantoconfigurethegateway.
TheportaldistributesthegatewayrootCAcertificatesto
agentsintheclientconfiguration,sothegateway
certificatesdonotneedtobeissuedbyapublicCA.
IfyoudonotdeploytherootCAcertificatesforthe
GlobalProtectgatewaysintheclientconfiguration,the
agent/appwillnotperformcertificatecheckswhen
connecting,therebymakingtheconnectionvulnerableto
maninthemiddleattacks.
Ingeneral,eachgatewaymusthaveitsownserver
certificate.However,ifyouaredeployingasinglegateway
andportalonthesameinterfaceforbasicVPNaccess,you
mustuseasingleservercertificateforbothcomponents.As
abestpractice,useacertificatethatapublicCAsigned.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 19
EnableSSLBetweenGlobalProtectComponents GetStarted

Certificate Usage IssuingProcess/BestPractices

(Optional) Client Usedtoenablemutual Forsimplifieddeploymentofclientcertificates,configure


certificate authenticationinestablishing theportaltodeploytheclientcertificatetotheagentsupon
anHTTPSsessionbetweenthe successfulloginusingeitherofthefollowingmethods:
GlobalProtectagentsandthe UseasingleclientcertificateacrossallGlobalProtect
gateways/portal.Thisensures agentsthatreceivethesameconfiguration.Youassign
thatonlydeviceswithvalid theLocalclientcertificatebyuploadingthecertificate
clientcertificatesareableto totheportalandselectingitinaportalagent
authenticateandconnectto configuration.
thenetwork. Usesimplecertificateenrollmentprotocol(SCEP)to
enabletheGlobalProtectportaltodeployuniqueclient
certificatestoyourGlobalProtectagents.Youenable
thisbyconfiguringaSCEPprofileandthenselecting
thatprofileinaportalagentconfiguration.
Useoneofthefollowingsupporteddigestalgorithmswhen
yougenerateclientcertificatesforGlobalProtectendpoints:
sha1,sha256,orsha384.Sha512isnotsupportedwith
clientcertificates.
Youcanuseothermechanismstodeployuniqueclient
certificatestoeachclientsystemforuseinauthenticating
theenduser.
Considertestingyourconfigurationwithouttheclient
certificatefirst,andthenaddtheclientcertificateafteryou
aresurethatallotherconfigurationsettingsarecorrect.

(Optional) Machine Amachinecertificateisaclient Useoneofthefollowingsupporteddigestalgorithmswhen


certificates certificatethatisissuedtoa yougenerateclientcertificatesforGlobalProtectendpoints:
device.Eachmachine sha1,sha256,orsha384.Sha512isnotsupportedwith
certificateidentifiesthedevice clientcertificates.
inthesubjectfield(forexample, Ifyouplantousetheprelogonfeature,useyourownPKI
CN=laptop1.example.com) infrastructuretodeploymachinecertificatestoeachclient
insteadofauser.The systempriortoenablingGlobalProtectaccess.This
certificateensuresthatonly approachisimportantforensuringsecurity.
trustedendpointscanconnect Formoreinformation,seeRemoteAccessVPNwith
togatewaysortheportal. PreLogon.
Machinecertificatesare
requiredforuserswhose
connectmethodisprelogon,
whichenablesGlobalProtectto
establishaVPNtunnelbefore
theuserlogsin.

FordetailsaboutthetypesofkeysforsecurecommunicationbetweentheGlobalProtectendpointandthe
portalsandgateways,seeReference:GlobalProtectAgentCryptographicFunctions.

20 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
GetStarted EnableSSLBetweenGlobalProtectComponents

Deploy Server Certificates to the GlobalProtect Components

ThefollowingtableshowsthebestpracticestepsfordeployingSSL/TLScertificatestotheGlobalProtect
components:

DeploySSLServerCertificatestotheGlobalProtectComponents

Importaservercertificatefromawellknown, Beforeyouimportacertificate,makesurethecertificateandkey
thirdpartyCA. filesareaccessiblefromyourmanagementsystemandthatyou
Useaservercertificatefroma havethepassphrasetodecrypttheprivatekey.
wellknown,thirdpartyCAforthe 1. SelectDevice > Certificate Management > Certificates >
GlobalProtectportal.Thispractice Device Certificates.
ensuresthattheendusersareableto
2. ClickImport.
establishanHTTPSconnectionwithout
seeingwarningsaboutuntrusted 3. UsetheLocalcertificatetype(thedefault).
certificates. 4. EnteraCertificate Name.
TheCNand,ifapplicable,theSANfields
5. EnterthepathandnametotheCertificate Filereceivedfrom
ofthecertificatemustmatchtheFQDN
theCA,orBrowsetofindthefile.
orIPaddressoftheinterfacewhereyou
plantoconfiguretheportalorthedevice 6. SelectEncrypted Private Key and Certificate (PKCS12)asthe
checkininterfaceonathirdparty File Format.
mobileendpointmanagementsystem. 7. EnterthepathandnametothePKCS#12fileintheKey File
Wildcardmatchesaresupported. fieldorBrowsetofindit.
8. EnterandreenterthePassphrasethatwasusedtoencrypt
theprivatekeyandthenclickOKtoimportthecertificateand
key.

CreatetherootCAcertificateforissuing Beforedeployingselfsignedcertificates,youmustcreatetheroot
selfsignedcertificatesfortheGlobalProtect CAcertificatethatsignsthecertificatesfortheGlobalProtect
components. components:
CreatetheRootCAcertificateonthe 1. SelectDevice > Certificate Management > Certificates >
portalanduseittoissueserver Device Certificates andthenclickGenerate.
certificatesforthegatewaysand,
2. UsetheLocalcertificatetype(thedefault).
optionally,forclients.
3. EnteraCertificate Name,suchasGlobalProtect_CA.The
certificatenamecannotcontainspaces.
4. DonotselectavalueintheSigned Byfield.(Withouta
selectionforSigned By,thecertificateisselfsigned.)
5. SelecttheCertificate Authoritycheckbox.
6. ClickOKtogeneratethecertificate.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 21
EnableSSLBetweenGlobalProtectComponents GetStarted

DeploySSLServerCertificatestotheGlobalProtectComponents(Continued)

UsetherootCAontheportaltogeneratea 1. SelectDevice > Certificate Management > Certificates >


selfsignedservercertificate. Device Certificates andthenclickGenerate.
Generateservercertificatesforeach 2. UsetheLocalcertificatetype(thedefault).
gatewayyouplantodeployand
3. EnteraCertificate Name.Thisnamecannotcontainspaces.
optionallyforthemanagementinterface
ofthethirdpartymobileendpoint 4. IntheCommon Namefield,entertheFQDN(recommended)
managementsystem(ifthisinterfaceis orIPaddressoftheinterfacewhereyouplantoconfigurethe
wherethegatewaysretrieveHIP gateway.
reports). 5. IntheSigned Byfield,selecttheGlobalProtect_CAyou
Inthegatewayservercertificates,the created.
valuesintheCNandSANfieldsmustbe
6. IntheCertificateAttributessection,Addanddefinethe
identical.Ifthevaluesdiffer,the
attributesthatuniquelyidentifythegateway.Keepinmind
GlobalProtectagentdetectsthe
thatifyouaddaHost Nameattribute(whichpopulatesthe
mismatchanddoesnottrustthe
SANfieldofthecertificate),itmustbethesameasthevalue
certificate.Selfsignedcertificates
youdefinedfortheCommon Name.
containaSANfieldonlyifyouaddaHost
Nameattribute. 7. Configurecryptographicsettingsfortheservercertificate
Asanalternativemethod,youcanUseSimple includingencryptionAlgorithm,keylength(Number of Bits),
CertificateEnrollmentProtocol(SCEP)to DigestalgorithmandExpiration(days).
requestaservercertificatefromyourenterprise 8. ClickOKtogeneratethecertificate.
CA.

22 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
GetStarted EnableSSLBetweenGlobalProtectComponents

DeploySSLServerCertificatestotheGlobalProtectComponents(Continued)

UseSimpleCertificateEnrollmentProtocol 1. ConfigureaSCEPProfileforeachGlobalProtectportalor
(SCEP)torequestaservercertificatefromyour gateway:
enterpriseCA. a. EnteraNamethatidentifiestheSCEPprofileandthe
ConfigureseparateSCEPprofilesfor componenttowhichyoudeploytheservercertificate.If
eachportalandgatewayyouplanto thisprofileisforafirewallwithmultiplevirtualsystems
deploy.ThenusethespecificSCEP capability,selectavirtualsystemorSharedastheLocation
profiletogeneratetheservercertificate wheretheprofileisavailable.
foreachGlobalProtectcomponent. b. (Optional)ConfigureaSCEP Challengeresponse
Inportalandgatewayservercertificates, mechanismbetweenthePKIandportalforeachcertificate
thevalueoftheCNfieldmustincludethe request.UseeitheraFixedchallengepasswordwhichyou
FQDN(recommended)orIPaddressof obtainfromtheSCEPserveroraDynamicpasswordwhere
theinterfacewhereyouplanto theportalclientsubmitsausernameandOTPofyour
configuretheportalorgatewayandmust choicetotheSCEPServer.ForaDynamicSCEPchallenge,
beidenticaltotheSANfield. thiscanbethecredentialsofthePKIadministrator.
TocomplywiththeU.S.Federal c. ConfiguretheServer URLthattheportalusestoreachthe
InformationProcessingStandard(FIPS), SCEPserverinthePKI(forexample,
youmustalsoenablemutualSSL http://10.200.101.1/certsrv/mscep/).
authenticationbetweentheSCEPserver d. Enterastring(upto255charactersinlength)inthe
andtheGlobalProtectportal.(FIPSCC CA-IDENT NamefieldtoidentifytheSCEPserver.
operationisindicatedonthefirewall e. EntertheSubjectnametouseinthecertificatesgenerated
loginpageandinitsstatusbar.) bytheSCEPserver.Thesubjectmustincludeacommon
Afteryoucommittheconfiguration,theportal name(CN)keyintheformatCN=<value>where<value> is
attemptstorequestaCAcertificateusingthe theFQDNorIPaddressoftheportalorgateway.
settingsintheSCEPprofile.Ifsuccessful,the f. SelecttheSubject Alternative Name Type.Toenterthe
firewallhostingtheportalsavestheCA emailnameinacertificatessubjectorSubjectAlternative
certificateanddisplaysitinthelistofDevice Nameextension,selectRFC 822 Name.Youcanalsoenter
Certificates. theDNS Name tousetoevaluatecertificates,orthe
Uniform Resource Identifier toidentifytheresourcefrom
whichtheclientwillobtainthecertificate.
g. Configureadditionalcryptographicsettingsincludingthe
keylength(Number of Bits),andDigestalgorithmforthe
certificatesigningrequest.
h. Configurethepermittedusesofthecertificate,eitherfor
signing(Use as digital signature)orencryption(Use for
key encipherment).
i. ToensurethattheportalisconnectingtothecorrectSCEP
server,entertheCA Certificate Fingerprint.Obtainthis
fingerprintfromtheSCEPserverinterfaceinthe
Thumbprintfield.
j. EnablemutualSSLauthenticationbetweentheSCEPserver
andtheGlobalProtectportal.
k. ClickOKandthenCommittheconfiguration.
2. SelectDevice > Certificate Management > Certificates >
Device Certificates andthenclickGenerate.
3. EnteraCertificate Name.Thisnamecannotcontainspaces.
4. SelecttheSCEP Profiletousetoautomatetheprocessof
issuingaservercertificatethatissignedbytheenterpriseCA
toaportalorgateway,andthenclickOKtogeneratethe
certificate.TheGlobalProtectportalusesthesettingsinthe
SCEPprofiletosubmitaCSRtoyourenterprisePKI.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 23
EnableSSLBetweenGlobalProtectComponents GetStarted

DeploySSLServerCertificatestotheGlobalProtectComponents(Continued)

Assigntheservercertificateyouimportedor 1. SelectDevice > Certificate Management > SSL/TLS Service


generatedtoanSSL/TLSserviceprofile. ProfileandclickAdd.
2. EnteraNametoidentifytheprofileandselecttheserver
Certificateyouimportedorgenerated.
3. DefinetherangeofSSL/TLSversions(Min VersiontoMax
Version)forcommunicationbetweenGlobalProtect
components.
4. ClickOKtosavetheSSL/TLSserviceprofile.
5. Committhechanges.

Deploytheselfsignedservercertificates. Export the certificate from the portal:


Exporttheselfsignedserver 1. SelectDevice > Certificate Management > Certificates >
certificatesissuedbytherootCAon Device Certificates.
theportalandimportthemontothe
2. Selectthegatewaycertificateyouwanttodeployandclick
gateways.
Export.
Besuretoissueauniqueserver
certificateforeachgateway. 3. IntheFile Format dropdown,selectEncrypted Private Key
and Certificate (PKCS12).
Ifspecifyingselfsigned
certificates,youmustdistributethe 4. Enter(andreenter)aPassphrasetoencrypttheprivatekey.
RootCAcertificatetotheend 5. ClickOKtodownloadthePKCS12filetoalocationofyour
clientsintheportalclient choice.
configurations.
Import the certificate on the gateway:
1. SelectDevice > Certificate Management > Certificates >
Device Certificates.
2. ClickImport.
3. EnteraCertificate Name.
4. BrowsetofindandselecttheCertificate Fileyou
downloadedinstep5,above.
5. IntheFile Format dropdown,selectEncrypted Private Key
and Certificate (PKCS12).
6. Enter(andreenter)thePassphraseyouusedtoencryptthe
privatekeywhenyouexporteditfromtheportal.
7. ClickOKtoimportthecertificateandkey.
8. Committhechangestothegateway.

24 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
Authentication
TheGlobalProtectportalandgatewaymustauthenticatetheenduserbeforeitallowsaccessto
GlobalProtectresources.Youmustconfigureauthenticationmechanismsbeforecontinuingwiththeportal
andgatewaysetup.Thefollowingsectionsdetailthesupportedauthenticationmechanismsandhowto
configurethem:
AboutGlobalProtectUserAuthentication
SetUpExternalAuthentication
SetUpClientCertificateAuthentication
SetUpTwoFactorAuthentication
SetUpAuthenticationforstrongSwanUbuntuandCentOSClients
SetUpMultiFactorAuthentication
EnableGroupMapping

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 25
AboutGlobalProtectUserAuthentication Authentication

AboutGlobalProtectUserAuthentication

ThefirsttimeaGlobalProtectclientconnectstotheportal,theuserispromptedtoauthenticatetothe
portal.Ifauthenticationsucceeds,theGlobalProtectportalsendstheGlobalProtectconfiguration,which
includesthelistofgatewaystowhichtheagentcanconnect,andoptionallyaclientcertificateforconnecting
tothegateways.Aftersuccessfullydownloadingandcachingtheconfiguration,theclientattemptsto
connecttooneofthegatewaysspecifiedintheconfiguration.Becausethesecomponentsprovideaccessto
yournetworkresourcesandsettings,theyalsorequiretheendusertoauthenticate.
Theappropriatelevelofsecurityrequiredontheportalandgatewaysvarieswiththesensitivityofthe
resourcesthatthegatewayprotects.GlobalProtectprovidesaflexibleauthenticationframeworkthatallows
youtochoosetheauthenticationprofileandcertificateprofilethatareappropriatetoeachcomponent.
SupportedGlobalProtectAuthenticationMethods
HowDoestheAgentorAppKnowWhatCredentialstoSupply?

Supported GlobalProtect Authentication Methods

ThefollowingtabledescribestheauthenticationmethodsthatGlobalProtectsupportsandprovidesusage
guidelines.

AuthenticationMethod Description

Local Authentication Boththeuseraccountcredentialsandtheauthenticationmechanismsarelocaltothe


firewall.Thisauthenticationmechanismisnotscalablebecauseitrequiresanaccountfor
everyGlobalProtectuserandis,therefore,advisableforonlyverysmalldeployments.

External authentication TheuserauthenticationfunctionsareperformedbyanexternalLDAP,Kerberos,


TACACS+,SAML,orRADIUSservice(includingsupportfortwofactor,tokenbased
authenticationmechanisms,suchasonetimepassword(OTP)authentication).Toenable
externalauthentication:
Createaserverprofilewithsettingsforaccesstotheexternalauthenticationservice.
Createanauthenticationprofilethatreferstotheserverprofile.
Specifyclientauthenticationintheportalandgatewayconfigurationsandoptionally
specifytheOSoftheendpointthatwillusethesesettings.
YoucanusedifferentauthenticationprofilesforeachGlobalProtectcomponent.SeeSet
UpExternalAuthenticationforinstructions.SeeRemoteAccessVPN(Authentication
Profile)foranexampleconfiguration.

26 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
Authentication AboutGlobalProtectUserAuthentication

AuthenticationMethod Description

Client certificate Forenhancedsecurity,youcanconfiguretheportalorgatewaytouseaclientcertificate


authentication toobtaintheusernameandauthenticatetheuserbeforegrantingaccesstothesystem.
Toauthenticatetheuser,oneofthecertificatefields,suchastheSubjectNamefield,
mustidentifytheusername.
Toauthenticatetheendpoint,theSubjectfieldofthecertificatemustidentifythedevice
typeinsteadoftheusername.(Withtheprelogonconnectmethods,theportalor
gatewayauthenticatestheendpointbeforetheuserlogsin.)
Foranagentconfigurationprofilethatspecifiesclientcertificates,eachuserreceivesa
clientcertificate.Themechanismforprovidingthecertificatesdetermineswhethera
certificateisuniquetoeachclientorthesameforallclientsunderthatagentconfiguration:
Todeployclientcertificatesthatareuniquetoeachuseranddevice,useSCEP.Whena
userfirstlogsin,theportalrequestsacertificatefromtheenterprisesPKI.Theportal
obtainsauniquecertificateanddeploysittotheclient.
Todeploythesameclientcertificatetoallusersthatreceiveanagentconfiguration,
deployacertificatethatisLocaltothefirewall.
Useanoptionalcertificateprofiletoverifytheclientcertificatethataclientpresentswith
aconnectionrequest.Thecertificateprofilespecifiesthecontentsoftheusernameand
userdomainfields;listsCAcertificates;criteriaforblockingasession;andofferswaysto
determinetherevocationstatusofCAcertificates.Youmustpredeploycertificatesused
incertificateprofilestotheendpointsbeforetheusersinitialportalloginbecausethe
certificateispartoftheauthenticationoftheendpointoruserforanewsession.
Thecertificateprofilespecifieswhichcertificatefieldcontainstheusername.Ifthe
certificateprofilespecifiesSubjectintheUsernameField,thecertificatepresentedbythe
clientmustcontainacommonnamefortheclienttoconnect.Ifthecertificateprofile
specifiesaSubjectAltwithanEmailorPrincipalNameastheUsernameField,the
certificatefromtheclientmustcontainthecorrespondingfields,whichwillbeusedasthe
usernamewhentheGlobalProtectagentauthenticatestotheportalorgateway.
GlobalProtectalsosupportsauthenticationbycommonaccesscards(CACs)andsmart
cards,whichrelyonacertificateprofile.Withthesecards,thecertificateprofilemust
containtherootCAcertificatethatissuedthecertificatetothesmartcardorCAC.
Ifyouspecifyclientcertificateauthentication,youshouldnotconfigureaclientcertificate
intheportalconfigurationbecausetheclientsystemprovidesitwhentheuserconnects.
Foranexampleofhowtoconfigureclientcertificateauthentication,seeRemoteAccess
VPN(CertificateProfile).

Two-factor Withtwofactorauthentication,theportalorgatewayusestwomechanismsto
authentication authenticateauser,suchasaonetimepasswordinadditiontoADlogincredentials.You
canenabletwofactorauthenticationontheportalandgatewaysbyconfiguringa
certificateprofileandanauthenticationprofileandaddingthembothtotheportaland/or
gatewayconfiguration.
Youcanconfiguretheportalandgatewaystousethesameauthenticationmethodsoruse
differentmethods.Regardless,withtwofactorauthentication,theclientmustsuccessfully
authenticatebythetwomechanismsthatthecomponentdemandsbeforeitgrantsaccess.
IfthecertificateprofilespecifiesaUsernameFieldfromwhichGlobalProtectcanobtaina
username,theexternalauthenticationserviceautomaticallyusestheusernameto
authenticatetheusertotheexternalauthenticationservicespecifiedintheauthentication
profile.Forexample,iftheUsernameFieldinthecertificateprofileissettoSubject,the
valueinthecommonnamefieldofthecertificateisusedastheusernamewhenthe
authenticationservertriestoauthenticatetheuser.Ifyoudonotwanttoforceusersto
authenticatewithausernamefromthecertificate,makesurethecertificateprofileissetto
NonefortheUsernameField.SeeRemoteAccessVPNwithTwoFactorAuthenticationfor
anexampleconfiguration.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 27
AboutGlobalProtectUserAuthentication Authentication

AuthenticationMethod Description

Multi-Factor Forsensitive,nonHTTPnetworkresources(forexample,financialapplicationsorsoftware
Authentication for developmentapplications)thatmayrequireadditionalauthentication,GlobalProtectclients
non-HTTP applications cannownotifyandprompttheusertoperformthetimely,multifactorauthentication
neededtoaccesstheseresources.

How Does the Agent or App Know What Credentials to Supply?

Bydefault,theGlobalProtectagentattemptstousethesamelogincredentialsforthegatewaythatitused
forportallogin.Inthesimplestcase,wherethegatewayandtheportalusethesameauthenticationprofile
and/orcertificateprofile,theagentwillconnecttothegatewaytransparently.
Onaperagentconfigurationbasis,youcanalsocustomizewhichGlobalProtectportalandgateways
internal,external,ormanualonlyrequiredifferentcredentials(suchasuniqueOTPs).Thisenablesthe
GlobalProtectportalorgatewaytopromptfortheuniqueOTPwithoutfirstpromptingforthecredentials
specifiedintheauthenticationprofile.
Therearetwooptionsformodifyingthedefaultagentauthenticationbehaviorsothatauthenticationisboth
strongerandfaster:
CookieAuthenticationonthePortalorGateway
CredentialForwardingtoSomeorAllGateways

CookieAuthenticationonthePortalorGateway

Cookieauthenticationsimplifiestheauthenticationprocessforendusersbecausetheywillnolongerbe
requiredtologintoboththeportalandthegatewayinsuccessionorentermultipleOTPsforauthenticating
toeach.Thisimprovestheuserexperiencebyminimizingthenumberoftimesthatusersmustenter
credentials.Inaddition,cookiesenableuseofatemporarypasswordtoreenableVPNaccessaftertheusers
passwordexpires.
Youcanconfigurecookieauthenticationsettingsindependentlyfortheportalandforindividualgateways,
(forexample,youcanimposeashortercookielifetimeongatewaysthatprotectsensitiveresources).After
theportalorgatewaysdeployanauthenticationcookietotheendpoint,theportalandgatewaysbothrely
onthesamecookietoauthenticatetheuser.Whentheagentpresentsthecookie,theportalorgateway
evaluateswhetherthecookieisvalidbasedontheconfiguredcookielifetime.Ifthecookieexpires,
GlobalProtectautomaticallypromptstheusertoauthenticatewiththeportalorgateway.When
authenticationissuccessful,theportalorgatewayissuesthereplacementauthenticationcookietothe
endpointandthevalidityperiodstartsover.
Considerthefollowingexamplewhereyouconfigurethecookielifetimefortheportalwhichdoesnot
protectsensitiveinformationas15days,butconfigurethecookielifetimeforgatewayswhichdoprotect
sensitiveinformationas24hours.Whentheuserfirstauthenticateswiththeportal,theportalissuesthe
authenticationcookie.Ifafterfivedays,theuserattemptedtoconnecttotheportal,theauthentication
cookiewouldstillbevalid.However,ifafterfivedaystheuserattemptedtoconnecttothegateway,the
gatewaywouldevaluatethecookielifetimeanddetermineitexpired(5days>24hours).Theagentwould
thenautomaticallyprompttheusertoauthenticatewiththegatewayand,onsuccessfulauthentication,
receiveareplacementauthenticationcookie.Thenewauthenticationcookiewouldthenbevalidforanother
15daysontheportalandanother24hoursonthegateways.

28 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
Authentication AboutGlobalProtectUserAuthentication

Foranexampleofhowtousethisoption,seeSetUpTwoFactorAuthentication.

CredentialForwardingtoSomeorAllGateways

Withtwofactorauthentication,youcanspecifytheportaland/ortypesofgateways(internal,external,or
manualonly)thatpromptfortheirownsetofcredentials.Thisoptionspeedsuptheauthenticationprocess
whentheportalandthegatewayrequiredifferentcredentials(eitherdifferentOTPsordifferentlogin
credentialsentirely).Foreachportalorgatewaythatyouselect,theagentwillnotforwardcredentials,
allowingyoutocustomizethesecurityfordifferentGlobalProtectcomponents.Forexample,youcanhave
thesamesecurityonyourportalsandinternalgateways,whilerequiringasecondfactorOTPoradifferent
passwordforaccesstothosegatewaysthatprovideaccesstoyourmostsensitiveresources.
Foranexampleofhowtousethisoption,seeSetUpTwoFactorAuthentication.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 29
SetUpExternalAuthentication Authentication

SetUpExternalAuthentication

ThefollowingworkflowsdescribehowtosetuptheGlobalProtectportalandgatewaystouseanexternal
authenticationservice.ThesupportedauthenticationservicesareLDAP,Kerberos,RADIUS,SAML,or
TACACS+.
Theseworkflowsalsodescribehowtocreateanoptionalauthenticationprofilethataportalorgatewaycan
usetoidentifytheexternalauthenticationservice.Thisstepisoptionalforexternalauthenticationbecause
theauthenticationprofilealsocanspecifythelocalauthenticationdatabaseorNone.

GlobalProtectalsosupportslocalauthentication.Touselocalauthentication,createalocaluserdatabase(Device
> Local User Database)thatcontainstheusersandgroupstowhichyouwanttoallowVPNaccessandthen
refertothatdatabaseintheauthenticationprofile.

Formoreinformation,seeSupportedGlobalProtectAuthenticationMethodsorwatchavideo.
Theoptionsforsettingupexternalauthenticationinclude:
SetUpLDAPAuthentication
SetUpSAMLAuthentication
SetUpKerberosAuthentication
SetUpRADIUSorTACACS+Authentication

30 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
Authentication SetUpExternalAuthentication

Set Up LDAP Authentication

LDAPisoftenusedbyorganizationsasacentralrepositoryforuserinformationandasanauthentication
service.Itcanalsobeusedtostoretheroleinformationforapplicationusers.

SetUpLDAPUserAuthentication

Step1 Createaserverprofile. 1. SelectDevice > Server Profiles andselecttheLDAPprofile.


Theserverprofileidentifiestheexternal 2. ClickAddandenteraProfileName,suchasGPUserAuth.
authenticationserviceandinstructsthe
3. Ifthisprofileisforafirewallwithmultiplevirtualsystems
firewallhowtoconnecttothat
capability,selectavirtualsystemorSharedastheLocation
authenticationserviceandaccessthe
wheretheprofileisavailable.
authenticationcredentialsforyourusers.
WhenyouuseLDAPtoconnect 4. SelecttheTypeofLDAPserver.
toActiveDirectory(AD),you 5. ClickAddintheServerssectionandthenenterthenecessary
mustcreateaseparateLDAP informationforconnectingtotheauthenticationserver,
serverprofileforeveryAD includingtheserverName,IPaddressorFQDNoftheServer,
domain. andPort.
6. Specifysettingstoenabletheauthenticationserviceto
authenticatethefirewall.EntertheBind DNandPassword.
7. IfyouwantthedevicetouseSSLorTLSforamoresecure
connectionwiththedirectoryserver,selecttheRequire
SSL/TLS secured connectioncheckbox(selectedbydefault).
TheprotocolthatthedeviceusesdependsontheserverPort:
389(default)TLS(Specifically,thedeviceusesthe
StartTLSoperation,whichupgradestheinitialplaintext
connectiontoTLS.)
636SSL
AnyotherportThedevicefirstattemptstouseTLS.Ifthe
directoryserverdoesntsupportTLS,thedevicefallsback
toSSL.
8. Foradditionalsecurity,selecttheVerify Server Certificate for
SSL sessionscheckboxsothatthedeviceverifiesthe
certificatethatthedirectoryserverpresentsforSSL/TLS
connections.Toenableverification,youalsohavetoselect
theRequire SSL/TLS secured connectioncheckbox.For
verificationtosucceed,thecertificatemustmeetoneofthe
followingconditions:
Itisinthelistofdevicecertificates:Device > Certificate
Management > Certificates > Device Certificates.Import
thecertificateintothedevice,ifnecessary.
Thecertificatesignerisinthelistoftrustedcertificate
authorities:Device > Certificate Management >
Certificates > Default Trusted Certificate Authorities.
9. ClickOKtosavetheserverprofile.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 31
SetUpExternalAuthentication Authentication

SetUpLDAPUserAuthentication(Continued)

Step2 (Optional)Createanauthentication 1. SelectDevice > Authentication ProfileandAddanewprofile.


profile. 2. EnteraNamefortheprofileandthenselectLDAPasthe
Theauthenticationprofilespecifiesthe authenticationType.
serverprofilefortheportalorgateways
3. SelecttheLDAPauthenticationServer Profilethatyou
tousewhentheyauthenticateusers.On
createdinStep 1fromthedropdown.
aportalorgateway,youcanassignone
ormoreauthenticationprofilesinoneor 4. EntersAMAccountNameastheLogin Attribute.
moreclientauthenticationprofiles.For 5. SetthePassword Expiry Warning tospecifythenumberof
descriptionsofhowanauthentication daysbeforepasswordexpirationthatuserswillbenotified.By
profilewithinaclientauthentication default,userswillbenotifiedsevendayspriortopassword
profilesupportsgranularuser expiration(rangeis1255).Becauseusersmustchangetheir
authentication,seeConfigurea passwordsbeforetheendoftheexpirationperiod,makesure
GlobalProtectGatewayandSetUp youprovideanotificationperiodthatisadequateforyour
AccesstotheGlobalProtectPortal. userbasetoensurecontinuedaccesstotheVPN.Tousethis
Toenableuserstoconnectand feature,youmustspecifyoneofthefollowingtypesofLDAP
changetheirownexpired serversinyourLDAPserverprofile:active-directory,
passwordswithout e-directory,orsun.
administrativeintervention, UserscannotaccesstheVPNiftheirpasswordsexpireunless
considerusingaprelogon youenableprelogon.
connectmethod.SeeRemote
AccessVPNwithPreLogonfor 6. Configureanoptionalcustomexpirymessagetoinclude
details. additionalinstructions,suchashelpdeskcontactinformation
oralinktoapasswordportalwhereuserscanchangetheir
Ifusersallowtheirpasswordsto
passwords(seeCustomizetheGlobalProtectAgent).
expire,youmayassigna
temporaryLDAPpasswordto 7. Specifythedomainnameandusernameformat.Thedevice
enablethemtologintotheVPN. combinestheUser DomainandUsername Modifiervaluesto
Inthiscase,thetemporary modifythedomain/usernamestringthatauserentersduring
passwordmaybeusedto login.Thedeviceusesthemodifiedstringforauthentication
authenticatetotheportal,butthe andusestheUser DomainvalueforUserIDgroupmapping.
gatewayloginmayfailbecause Modifyinguserinputisusefulwhentheauthenticationservice
thesametemporarypassword requiresdomain/usernamestringsinaparticularformatand
cannotbereused.Toprevent youdontwanttorelyonuserstocorrectlyenterthedomain.
this,enableanauthentication Youcanselectfromthefollowingoptions:
overrideintheportal Tosendonlytheunmodifieduserinput,leavetheUser
configuration(Network > Domainblank(thedefault)andsettheUsername Modifier
GlobalProtect > Portal)toenable tothevariable%USERINPUT%(thedefault).
theagenttouseacookieto Toprependadomaintotheuserinput,enteraUser
authenticatetotheportalanduse DomainandsettheUsername Modifierto
thetemporarypasswordto %USERDOMAIN%\%USERINPUT%.
authenticatethegateway. Toappendadomaintotheuserinput,enteraUser Domain
andsettheUsername Modifierto
%USERINPUT%@%USERDOMAIN%.
IftheUsername Modifierincludesthe
%USERDOMAIN%variable,theUser Domainvalue
replacesanydomainstringthattheuserenters.If
theUser Domainisblank,thatmeansthedevice
removesanyuserentereddomainstring.

32 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
Authentication SetUpExternalAuthentication

SetUpLDAPUserAuthentication(Continued)

8. SelecttheAdvancedtab.
9. IntheAllowList,Addandthenselecttheusersandgroups
thatareallowedtoauthenticatewiththisprofile.Selectingthe
predefinedalloptionallowseveryusertoauthenticate.By
default,thelisthasnoentries,whichmeansnouserscan
authenticate.
10. ClickOK.

Step3 Committheconfiguration. ClickCommit.

Set Up SAML Authentication

SecurityAssertionMarkupLanguage(SAML)isanXMLbased,openstandarddataformatforexchanging
authenticationandauthorizationdatabetweenparties,inparticular,betweenanidentityprovider(IdP)and
aserviceprovider.SAMLisaproductoftheOASISSecurityServicesTechnicalCommittee.

SetUpSAMLUserAuthentication

Step1 Createaserverprofile. 1. SelectDevice > Server Profiles andselecttheSAML Identity


Theserverprofileidentifiestheexternal Provider profile.
authenticationserviceandinstructsthe 2. ClickAddandenteraProfileName,suchasGPUserAuth.
firewallhowtoconnecttothat
3. Ifthisprofileisforafirewallwithmultiplevirtualsystems
authenticationserviceandaccessthe
capability,selectavirtualsystemorSharedastheLocation
authenticationcredentialsforyourusers.
wheretheprofileisavailable.
4. ImporttheIdPmetadatafile.RefertoSAML2.0
Authenticationfordetails.
Alternatively,iftheIdPdoesntprovideametadata
file,Addtheserverprofileandthenenterthe
connectionandregistrationinformation.
5. ClickOKtosavetheserverprofile.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 33
SetUpExternalAuthentication Authentication

SetUpSAMLUserAuthentication(Continued)

Step2 (Optional)Createanauthentication 1. SelectDevice > Authentication ProfileandAddanewprofile.


profile. 2. EnteraNamefortheprofileandthenselectSAMLasthe
Theauthenticationprofilespecifiesthe authenticationType.
serverprofilefortheportalorgateways
3. SelecttheSAMLauthenticationServer Profilethatyou
tousewhentheyauthenticateusers.On
createdinStep 1fromthedropdown.
aportalorgateway,youcanassignone
ormoreauthenticationprofilesinoneor 4. Selectthefollowingtoconfigurecertificateauthentication
moreclientauthenticationprofiles.For betweenthefirewallandtheSAMLidentityprovider.Referto
descriptionsofhowanauthentication SAML2.0Authenticationfordetails.
profilewithinaclientauthentication TheRequest Signing Certificate thatthefirewallusesto
profilesupportsgranularuser signmessagesitsendstotheIdP.
authentication,seeConfigurea TheCertificate Profilethatthefirewallusestovalidatethe
GlobalProtectGatewayandSetUp Identity Provider Certificate.
AccesstotheGlobalProtectPortal.
5. Specifytheusernameandadminroleformats.
SAMLauthenticationdoesnot
supporttheprelogonconnect SpecifytheUsername AttributeandUser Group Attribute.
methodthatenablesusersto Unlikeothertypesofexternalauthentication,there
connectandchangetheirown isnoUser Domainattributeintheauthentication
expiredpasswordswithout profilesforSAML.
administrativeintervention (Optional)Ifyouwillusethisprofiletoauthenticate
(RemoteAccessVPNwith administrativeaccountsthatyoumanageintheIdPidentity
PreLogon). store,specifytheAdmin Role AttributeandAccess
Domain Attributealso.
6. SelecttheAdvancedtab.
7. IntheAllowList,Addandthenselecttheusersandgroups
thatareallowedtoauthenticatewiththisprofile.Selectingthe
predefinedalloptionallowseveryusertoauthenticate.By
default,thelisthasnoentries,whichmeansnouserscan
authenticate.
MakesuretheusernameintheAllowListmatchesthe
usernamereturnedfromtheSAMLIdPserver.
8. ClickOK.

Step3 Committheconfiguration. ClickCommit.

34 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
Authentication SetUpExternalAuthentication

Set Up Kerberos Authentication

Kerberosisacomputernetworkauthenticationprotocolthatworksonthebasisofticketstoallownodes
communicatingoveranonsecurenetworktoprovetheiridentitytooneanotherinasecuremanner.

SetUpKerberosAuthentication

Step1 Createaserverprofile. 1. SelectDevice > Server Profiles andselecttheKerberos


Theserverprofileidentifiestheexternal profile.
authenticationserviceandinstructsthe 2. ClickAddandenteraProfileName,suchasGPUserAuth.
firewallhowtoconnecttothat
3. Ifthisprofileisforafirewallwithmultiplevirtualsystems
authenticationserviceandaccessthe
capability,selectavirtualsystemorSharedastheLocation
authenticationcredentialsforyourusers.
wheretheprofileisavailable.
4. ClickAddintheServerssectionandthenenterthenecessary
informationforconnectingtotheauthenticationserver,
includingtheserverName,IPaddressorFQDNoftheServer,
andPort.
5. ClickOKtosavetheserverprofile.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 35
SetUpExternalAuthentication Authentication

SetUpKerberosAuthentication(Continued)

Step2 (Optional)Createanauthentication 1. SelectDevice > Authentication ProfileandAddanewprofile.


profile. 2. EnteraNamefortheprofileandthenselectKerberosasthe
Theauthenticationprofilespecifiesthe authenticationType.
serverprofilefortheportalorgateways
3. SelecttheKerberosauthenticationServer Profilethatyou
tousewhentheyauthenticateusers.On
createdinStep 1fromthedropdown.
aportalorgateway,youcanassignone
ormoreauthenticationprofilesinoneor 4. Specifythedomainnameandusernameformat.Thedevice
moreclientauthenticationprofiles.For combinestheUser DomainandUsername Modifiervaluesto
descriptionsofhowanauthentication modifythedomain/usernamestringthatauserentersduring
profilewithinaclientauthentication login.Thedeviceusesthemodifiedstringforauthentication
profilesupportsgranularuser andusestheUser DomainvalueforUserIDgroupmapping.
authentication,seeConfigurea Modifyinguserinputisusefulwhentheauthenticationservice
GlobalProtectGatewayandSetUp requiresdomain/usernamestringsinaparticularformatand
AccesstotheGlobalProtectPortal. youdontwanttorelyonuserstocorrectlyenterthedomain.
Toenableuserstoconnectand Youcanselectfromthefollowingoptions:
changetheirownexpired Tosendonlytheunmodifieduserinput,leavetheUser
passwordswithout Domainblank(thedefault)andsettheUsername Modifier
administrativeintervention, tothevariable%USERINPUT%(thedefault).
considerusingaprelogon Toprependadomaintotheuserinput,enteraUser
connectmethod.SeeRemote DomainandsettheUsername Modifierto
AccessVPNwithPreLogonfor %USERDOMAIN%\%USERINPUT%.
details. Toappendadomaintotheuserinput,enteraUser Domain
andsettheUsername Modifierto
%USERINPUT%@%USERDOMAIN%.
IftheUsername Modifierincludesthe
%USERDOMAIN%variable,theUser Domainvalue
replacesanydomainstringthattheuserenters.If
theUser Domainisblank,thatmeansthedevice
removesanyuserentereddomainstring.
5. ConfigureKerberossinglesignon(SSO)ifyournetwork
supportsit:
EntertheKerberos Realm(upto127characters).Thisis
thehostnameportionoftheuserloginname.Forexample,
theuseraccountnameuser@EXAMPLE.LOCALhasthe
realmEXAMPLE.LOCAL.
SpecifyaKerberos Keytabfile:clicktheImportlink,
Browsetothekeytabfile,andclickOK.During
authentication,theendpointfirsttriestousethekeytabto
establishSSO.Ifitsucceeds,andtheuserattempting
accessisintheAllow List,authenticationsucceeds
immediately.Otherwise,theauthenticationprocessfalls
backtomanual(username/password)authenticationofthe
specifiedType.TheTypedoesnthavetobeKerberos.To
changethisbehaviorsothatuserscanauthenticateonly
usingKerberos,setUse Default Authentication on
Kerberos Authentication FailuretoNoinaGlobalProtect
portalagentconfiguration.
6. SelecttheAdvancedtab.
7. IntheAllowList,Addandthenselecttheusersandgroups
thatareallowedtoauthenticatewiththisprofile.Selectingthe
predefinedalloptionallowseveryusertoauthenticate.By
default,thelisthasnoentries,whichmeansnouserscan
authenticate.

36 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
Authentication SetUpExternalAuthentication

SetUpKerberosAuthentication(Continued)

Step3 Saveyourchangesandcommitthe ClickOK,andthenCommit.


configuration.

Set Up RADIUS or TACACS+ Authentication

RADIUSisaclient/serverprotocolandsoftwarethatenablesremoteaccessserverstocommunicatewitha
centralservertoauthenticatedialinusersandauthorizetheiraccesstotherequestedsystemorservice.
TACACS+isawellestablishedauthenticationprotocolcommontoUNIXnetworksthatallowsaremote
accessservertoforwardauser'slogonpasswordtoanauthenticationservertodeterminewhetheraccess
canbeallowedtoagivensystem.

SetUpRADIUSorTACACS+Authentication

Step1 Createaserverprofile. 1. SelectDevice > Server Profiles andselectthetypeofprofile


Theserverprofileidentifiestheexternal (RADIUSorTACACS+).
authenticationserviceandinstructsthe 2. ClickAddandenteraProfileName,suchasGPUserAuth.
firewallhowtoconnecttothat
3. Ifthisprofileisforafirewallwithmultiplevirtualsystems
authenticationserviceandaccessthe
capability,selectavirtualsystemorSharedastheLocation
authenticationcredentialsforyourusers.
wheretheprofileisavailable.
IfyouwanttoEnableDeliveryof
GlobalProtectClientVSAstoa 4. ConfigurethefollowingServerSettings.Thesesettingstoall
RADIUSServer,youmustcreate serversyouincludeintheprofile.
aRADIUSserverprofile. Timeout (sec)Thenumberofsecondsbeforeaserver
connectionrequesttimesoutduetolackofresponsefrom
theauthenticationserver.
Authentication ProtocolSelecttheprotocoltousefor
connectionstotheauthenticationserver.Choicesare
CHAP,PAP,orAuto.
(RADIUSonly)RetriesThenumberoftimesthefirewall
trysconnectingtotheauthenticationserverbefore
droppingtherequest.
(TACACS+only)Use single connection for all
authenticationtoallowallTACACS+authentication
requeststooccuroverasingleTCPsessionratherthan
separatesessionsforeachrequest.
5. ClickAddintheServerssectionandthenenterthenecessary
informationforconnectingtotheauthenticationserver,
includingtheserverName,IPaddressorFQDNoftheServer,
andPort.
6. Specifysettingstoenabletheauthenticationserviceto
authenticatethefirewall.EnterthesharedSecretwhen
addingtheserverentry.
7. ClickOKtosavetheserverprofile.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 37
SetUpExternalAuthentication Authentication

SetUpRADIUSorTACACS+Authentication(Continued)

Step2 (Optional)Createanauthentication 1. SelectDevice > Authentication Profile andAddanewprofile.


profile. 2. EnteraNamefortheprofileandthenselectthe
Theauthenticationprofilespecifiesthe authenticationType(RADIUSorTACACS+).
serverprofilefortheportalorgateways
3. SelecttheRADIUSorTACACS+authenticationServer
tousewhentheyauthenticateusers.On
Profile.thatyoucreatedinStep 1fromthedropdown.
aportalorgateway,youcanassignone
ormoreauthenticationprofilesinoneor 4. (RADIUSonly)EnableRetrieve user group from RADIUS if
moreclientauthenticationprofiles.For youwanttoincludethisinformationintheauthentication
descriptionsofhowanauthentication profile.
profilewithinaclientauthentication 5. Specifythedomainnameandusernameformat.Thedevice
profilesupportsgranularuser combinestheUser DomainandUsername Modifiervaluesto
authentication,seeConfigurea modifythedomain/usernamestringthatauserentersduring
GlobalProtectGatewayandSetUp login.Thedeviceusesthemodifiedstringforauthentication
AccesstotheGlobalProtectPortal. andusestheUser DomainvalueforUserIDgroupmapping.
Toenableuserstoconnectand Modifyinguserinputisusefulwhentheauthenticationservice
changetheirownexpired requiresdomain/usernamestringsinaparticularformatand
passwordswithout youdontwanttorelyonuserstocorrectlyenterthedomain.
administrativeintervention, Youcanselectfromthefollowingoptions:
considerusingaprelogon Tosendonlytheunmodifieduserinput,leavetheUser
connectmethod.SeeRemote Domainblank(thedefault)andsettheUsername Modifier
AccessVPNwithPreLogonfor tothevariable%USERINPUT%(thedefault).
details.
Toprependadomaintotheuserinput,enteraUser
DomainandsettheUsername Modifierto
%USERDOMAIN%\%USERINPUT%.
Toappendadomaintotheuserinput,enteraUser Domain
andsettheUsername Modifierto
%USERINPUT%@%USERDOMAIN%.
IftheUsername Modifierincludesthe
%USERDOMAIN%variable,theUser Domainvalue
replacesanydomainstringthattheuserenters.If
theUser Domainisblank,thatmeansthedevice
removesanyuserentereddomainstring.
6. SelecttheAdvancedtab.
7. IntheAllowList,Addandthenselecttheusersandgroups
thatareallowedtoauthenticatewiththisprofile.Selectingthe
predefinedalloptionallowseveryusertoauthenticate.By
default,thelisthasnoentries,whichmeansnouserscan
authenticate.
8. ClickOK.

Step3 Committheconfiguration. ClickCommit.

38 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
Authentication SetUpClientCertificateAuthentication

SetUpClientCertificateAuthentication

Withtheoptionalclientcertificateauthentication,theagent/apppresentsaclientcertificatealongwithits
connectionrequesttotheGlobalProtectportalorgateway.Theportalorgatewaycanuseeitherasharedor
uniqueclientcertificatetovalidatethattheuserordevicebelongstoyourorganization.
Themethodsfordeployingclientcertificatesdependonthesecurityrequirementsforyourorganization:
DeploySharedClientCertificatesforAuthentication
DeployMachineCertificatesforAuthentication
DeployUserSpecificClientCertificatesforAuthentication

Deploy Shared Client Certificates for Authentication

Toconfirmthatanendpointuserbelongstoyourorganization,youcanusethesameclientcertificateforall
endpointsorgenerateseparatecertificatestodeploywithaparticularagentconfiguration.Usethis
workflowtoissueselfsignedclientcertificatesforthispurposeanddeploythemfromtheportal.

DeploySharedClientCertificatesforAuthentication

Step1 Generateacertificatetodeployto 1. CreatetherootCAcertificateforissuingselfsigned


multipleGlobalProtectclients. certificatesfortheGlobalProtectcomponents.
2. SelectDevice > Certificate Management > Certificates >
Device Certificates andthenclickGenerate.
3. UsetheLocalcertificatetype(thedefault).
4. EnteraCertificate Name.Thisnamecannotcontainspaces.
5. IntheCommon Namefieldenteranametoidentifythis
certificateasanagentcertificate,forexample
GP_Windows_clients.Becausethissamecertificatewillbe
deployedtoallagentsusingthesameconfiguration,itdoes
notneedtouniquelyidentifyaspecificuserorendpoint.
6. IntheSigned Byfield,selectyourrootCA.
7. SelectanOSCP Respondertoverifytherevocationstatusof
certificates.
8. ClickOKtogeneratethecertificate.

Step2 SetUpTwoFactorAuthentication. ConfigureauthenticationsettingsinaGlobalProtectportalagent


configurationtoenabletheportaltotransparentlydeploythe
clientcertificatethatisLocaltothefirewalltoclientsthatreceive
theconfiguration.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 39
SetUpClientCertificateAuthentication Authentication

Deploy Machine Certificates for Authentication

Toconfirmthattheendpointbelongstoyourorganization,useyourownpublickeyinfrastructure(PKI)to
issueanddistributemachinecertificatestoeachendpoint(recommended)orgenerateaselfsignedmachine
certificateforexport.Withtheprelogonconnectmethods,amachinecertificateisrequiredandmustbe
installedontheendpointbeforeGlobalProtectcomponentswillgrantaccess.
Toconfirmthattheendpointbelongstoyourorganization,youmustalsoconfigureanauthenticationprofile
toauthenticatetheuser.SeeTwofactorauthentication.
Usethefollowingworkflowtocreatetheclientcertificateandmanuallydeployittoanendpoint.Formore
information,seeAboutGlobalProtectUserAuthentication.Foranexampleconfiguration,seeRemote
AccessVPN(CertificateProfile).

DeployMachineCertificatesforAuthentication

Step1 IssueclientcertificatestoGlobalProtect 1. CreatetherootCAcertificateforissuingselfsigned


clientsandendpoints. certificatesfortheGlobalProtectcomponents.
ThisenablestheGlobalProtectportal 2. SelectDevice > Certificate Management > Certificates >
andgatewaystovalidatethatthedevice Device Certificates andthenclickGenerate.
belongstoyourorganization.
3. EnteraCertificate Name.Thecertificatenamecannotcontain
anyspaces.
4. Configurecryptographicsettingsforthecertificateincluding
theencryptionAlgorithm,keylength(Number of Bits),Digest
algorithm(usesha1,sha256,orsha384;sha512isnot
supportedwithclientcertificates),andExpiration (indays)for
thecertificate.
IfthefirewallisinFIPSCCmodeandthekeygeneration
algorithmisRSA.TheRSAkeysmustbe2,048bitsorlarger.
5. IntheCertificateAttributessection,Addanddefinethe
attributesthatuniquelyidentifytheGlobalProtectclientsas
belongingtoyourorganization.Keepinmindthatifyouadda
Host Nameattribute(whichpopulatestheSANfieldofthe
certificate),itmustbethesameasthevalueyoudefinedfor
theCommon Name.
6. IntheSigned Byfield,selectyourrootCA.
7. SelectanOSCP Respondertoverifytherevocationstatusof
certificates.
8. (Optional)IntheCertificateAttributessection,clickAddand
definetheattributestoidentifytheGlobalProtectclientsas
belongingtoyourorganizationifrequiredaspartofyour
securityrequirements.
9. ClickOKtogeneratethecertificate.

40 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
Authentication SetUpClientCertificateAuthentication

DeployMachineCertificatesforAuthentication(Continued)

Step2 Installcertificatesinthepersonal Forexample,toinstallacertificateonaWindowssystemusingthe


certificatestoreontheendpoints. MicrosoftManagementConsole:
Ifyouareusinguniqueusercertificates 1. Fromthecommandprompt,entermmctolaunchtheconsole.
ormachinecertificates,youmustinstall
2. SelectFile > Add/Remove Snap-in.
eachcertificateinthepersonal
certificatestoreontheendpointpriorto 3. SelectCertificates,clickAddandthenselectoneofthe
thefirstportalorgatewayconnection. following,dependingonwhattypeofcertificateyouare
InstallmachinecertificatestotheLocal importing:
ComputercertificatestoreonWindows Computer accountSelectthisoptionifyouareimportinga
andintheSystemKeychainonMacOS. machinecertificate.
InstallusercertificatestotheCurrent My user accountSelectthisoptionifyouareimportinga
UsercertificatestoreonWindowsandin usercertificate.
thePersonalKeychainonMacOS.

4. ExpandCertificatesandselectPersonalandtheninthe
ActionscolumnselectPersonal > More Actions > All Tasks >
ImportandfollowthestepsintheCertificateImportWizardto
importthePKCSfileyougotfromtheCA.

5. Browsetothe.p12certificatefiletoimport(selectPersonal
Information Exchangeasthefiletypetobrowsefor)andenter
thePasswordthatyouusedtoencrypttheprivatekey.Select
PersonalastheCertificate store.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 41
SetUpClientCertificateAuthentication Authentication

DeployMachineCertificatesforAuthentication(Continued)

Step3 Verifythatthecertificatehasbeen Navigatetothepersonalcertificatestore:


addedtothepersonalcertificatestore.

Step4 ImporttherootCAcertificateusedto 1. DownloadtherootCAcertificateusedtoissuetheclient


issuetheclientcertificatesontothe certificates(Base64format).
firewall. 2. ImporttherootCAcertificatefromtheCAthatgeneratedthe
Thisstepisrequiredonlyifanexternal clientcertificatesontothefirewall:
CAissuedtheclientcertificates,suchas a. SelectDevice > Certificate Management > Certificates >
apublicCAoranenterprisePKICA.If Device Certificates andclickImport.
youareusingselfsignedcertificates,the
b. UsetheLocalcertificatetype(thedefault).
rootCAisalreadytrustedbytheportal
andgateways. c. EnteraCertificate Namethatidentifiesthecertificateas
yourclientCAcertificate.
d. BrowsetotheCertificate Fileyoudownloadedfromthe
CA.
e. SelectBase64 Encoded Certificate (PEM)astheFile
FormatandthenclickOK.
f. SelectthecertificateyoujustimportedontheDevice
Certificatestabtoopenit.
g. SelectTrusted Root CAandthenclickOK.

Step5 Createaclientcertificateprofile. 1. SelectDevice > Certificates > Certificate Management >


Certificate Profile,clickAdd,andenteraprofileName.
2. SelectavaluefortheUsername Fieldtospecifywhichfieldin
thecertificatewillcontaintheusersidentityinformation.
Ifyouplantoconfiguretheportalorgatewaystoauthenticate
userswithcertificatesonly,youmustspecifytheUsername
Field.ThisenablesGlobalProtecttoassociateausernamewith
thecertificate.
Ifyouplantosetuptheportalorgatewayfortwofactor
authentication,youcanleavethedefaultvalueofNone,or,to
addanadditionallayerofsecurity,specifyausername.Ifyou
specifyausername,yourexternalauthenticationservice
verifiesthattheusernameintheclientcertificatematchesthe
usernamerequestingauthentication.Thisensuresthatthe
useristheonetowhichthecertificatewasissued.
Userscannotchangetheusernamethatisincludedinthe
certificate.
3. IntheCA Certificatesfield,clickAdd,selecttheTrustedRoot
CAcertificateyouimportedinStep 4andthenclickOK.

42 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
Authentication SetUpClientCertificateAuthentication

DeployMachineCertificatesforAuthentication(Continued)

Step6 Savetheconfiguration. ClickCommit.

Deploy User-Specific Client Certificates for Authentication

Toauthenticateindividualusers,youmustissueauniqueclientcertificatetoeachGlobalProtectuserand
deploytheclientcertificatetotheendpointspriortoenablingGlobalProtect.Toautomatethegeneration
anddeploymentofuserspecificclientcertificates,youcanconfigureyourGlobalProtectportaltoactasa
SimpleCertificateEnrollmentProtocol(SCEP)clienttoaSCEPserverinyourenterprisePKI.
SCEPoperationisdynamicinthattheenterprisePKIgeneratesauserspecificcertificatewhentheportal
requestsitandsendsthecertificatetotheportal.Theportalthentransparentlydeploysthecertificatetothe
client.Whenauserrequestsaccess,theagentorappcanthenpresenttheclientcertificatetoauthenticate
withtheportalorgateway.
TheGlobalProtectportalorgatewayusesidentifyinginformationaboutthedeviceandusertoevaluate
whethertopermitaccesstotheuser.GlobalProtectblocksaccessifthehostIDisonadeviceblocklistorif
thesessionmatchesanyblockingoptionsspecifiedinacertificateprofile.Ifclientauthenticationfailsdueto
aninvalidSCEPbasedclientcertificate,theGlobalProtectclienttriestoauthenticatewiththeportalperthe
settingsintheauthenticationprofileandretrievethecertificate.Iftheclientcannotretrievethecertificate
fromtheportal,thedeviceisnotabletoconnect.

DeployUserSpecificClientCertificatesforAuthentication

Step1 CreateaSCEPprofile. 1. SelectDevice > Certificate Management > SCEPandthenAdd


anewprofile.
2. EnteraNametoidentifytheSCEPprofile.
3. Ifthisprofileisforafirewallwithmultiplevirtualsystems
capability,selectavirtualsystemorSharedastheLocation
wheretheprofileisavailable.

Step2 (Optional)TomaketheSCEPbased Selectoneofthefollowingoptions:


certificategenerationmoresecure, None(Default)TheSCEPserverdoesnotchallengetheportal
configureaSCEPchallengeresponse beforeitissuesacertificate.
mechanismbetweenthePKIandportal FixedObtaintheenrollmentchallengepasswordfromthe
foreachcertificaterequest. SCEPserverinthePKIinfrastructureandthenenterthe
Afteryouconfigurethismechanism,its passwordintothePasswordfield.
operationisinvisible,andnofurther DynamicEnterausernameandpasswordofyourchoice
inputfromyouisnecessary. (possiblythecredentialsofthePKIadministrator)andtheSCEP
TocomplywiththeU.S.Federal Server URLwheretheportalclientsubmitsthesecredentials.
InformationProcessingStandard(FIPS), TheusesthecredentialstoauthenticatewiththeSCEPserver
useaDynamicSCEPchallengeand whichtransparentlygeneratesanOTPpasswordfortheportal
specifyaServer URLthatusesHTTPS uponeachcertificaterequest.(YoucanseethisOTPchange
(seeStep 7). afterascreenrefreshinThe enrollment challenge password
isfieldaftereachcertificaterequest.)ThePKItransparently
passeseachnewpasswordtotheportal,whichthenusesthe
passwordforitscertificaterequest.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 43
SetUpClientCertificateAuthentication Authentication

DeployUserSpecificClientCertificatesforAuthentication(Continued)

Step3 Specifythesettingsfortheconnection 1. ConfiguretheServer URLthattheportalusestoreachthe


betweentheSCEPserverandtheportal SCEPserverinthePKI(forexample,
toenabletheportaltorequestand http://10.200.101.1/certsrv/mscep/).
receiveclientcertificates. 2. Enterastring(upto255charactersinlength)intheCA-IDENT
Whenauserattemptstologintothe NamefieldtoidentifytheSCEPserver.
portal,theendpointsendsidentifying
3. EntertheSubjectnametouseinthecertificatesgeneratedby
informationaboutitthatincludesitshost
theSCEPserver.Thesubjectmustbeadistinguishednamein
IDvalue.ThehostIDvaluevariesby
the<attribute>=<value>formatandmustincludea
devicetype,eitherGUID(Windows)
commonname(CN)key.TheCNsupportsthefollowing
MACaddressoftheinterface(Mac),
dynamicvariables:$USERNAME,$EMAILADDRESS,and$HOSTID.
AndroidID(Androiddevices),UDID(iOS
Usetheusernameoremailaddressvariabletoensurethatthe
devices),orauniquenamethat
portalrequestscertificatesforaspecificuser.Torequest
GlobalProtectassigns(Chrome).
certificatesforthedeviceonly,specifythehostIDvariable.
Youcanincludeadditionalinformation WhentheGlobalProtectportalpushestheSCEPsettingsto
abouttheclientdeviceoruserby theagent,theCNportionofthesubjectnameisreplacedwith
specifyingtokensintheSubjectnameof theactualvalue(username,hostid,oremailaddress)ofthe
thecertificate. certificateowner(forexample,O=acme,CN=$HOSTID).
Theportalincludesthetokenvalueand
4. SelecttheSubject Alternative Name Type:
hostIDintheCSRrequesttotheSCEP
server. RFC 822 NameEntertheemailnameinacertificates
subjectorSubjectAlternativeNameextension.
DNS NameEntertheDNSnameusedtoevaluate
certificates.
Uniform Resource IdentifierEnterthenameofthe
resourcefromwhichtheclientwillobtainthecertificate.
NoneDonotspecifyattributesforthecertificate.

Step4 (Optional)Configurecryptographic Selectthekeylength(Number of Bits)forthecertificate.


settingsforthecertificate. IfthefirewallisinFIPSCCmodeandthekeygeneration
algorithmisRSA.TheRSAkeysmustbe2,048bitsorlarger.
SelecttheDigest for CSR whichindicatesthedigestalgorithmfor
thecertificatesigningrequest(CSR):sha1,sha256,orsha384.
Sha512isnotsupportedasadigestalgorithmforclient
certificatesonGlobalProtectendpoints.

Step5 (Optional)Configurethepermitteduses Tousethiscertificateforsigning,selecttheUse as digital


ofthecertificate,eitherforsigningor signature checkbox.Thisenablestheendpointusetheprivate
encryption. keyinthecertificatetovalidateadigitalsignature.
Tousethiscertificateforencryption,selecttheUse for key
enciphermentcheckbox.Thisenablestheclientusetheprivate
keyinthecertificatetoencryptdataexchangedovertheHTTPS
connectionestablishedwiththecertificatesissuedbytheSCEP
server.

Step6 (Optional)Toensurethattheportalis 1. EntertheURLfortheSCEPserversadministrativeUI(for


connectingtothecorrectSCEPserver, example,http://<hostname or
entertheCA Certificate Fingerprint. IP>/CertSrv/mscep_admin/).
ObtainthisfingerprintfromtheSCEP 2. CopythethumbprintandenteritintheCA Certificate
serverinterfaceintheThumbprintfield. Fingerprintfield.

44 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
Authentication SetUpClientCertificateAuthentication

DeployUserSpecificClientCertificatesforAuthentication(Continued)

Step7 EnablemutualSSLauthentication SelecttheSCEPserversrootCA Certificate.Optionally,youcan


betweentheSCEPserverandthe enablemutualSSLauthenticationbetweentheSCEPserverand
GlobalProtectportal.Thisisrequiredto theGlobalProtectportalbyselectingaClient Certificate.
complywiththeU.S.FederalInformation
ProcessingStandard(FIPS).
FIPSCCoperationisindicatedon
thefirewallloginpageandinits
statusbar.

Step8 Saveandcommittheconfiguration. 1. ClickOKtosavethesettingsandclosetheSCEPconfiguration.


2. Committheconfiguration.
TheportalattemptstorequestaCAcertificateusingthesettingsin
theSCEPprofileandsavesittothefirewallhostingtheportal.If
successful,theCAcertificateisshowninDevice > Certificate
Management > Certificates.

Step9 (Optional)IfaftersavingtheSCEP 1. SelectDevice > Certificate Management > Certificates >


profile,theportalfailstoobtainthe Device Certificates andthenclickGenerate.
certificate,youcanmanuallygeneratea 2. EnteraCertificate Name.Thisnamecannotcontainspaces.
certificatesigningrequest(CSR)fromthe
portal. 3. SelecttheSCEP ProfiletousetosubmitaCSRtoyour
enterprisePKI.
4. ClickOKtosubmittherequestandgeneratethecertificate.

Step10 SetUpTwoFactorAuthentication. AssigntheSCEPprofileaGlobalProtectportalagentconfiguration


toenabletheportaltotransparentlyrequestanddeployclient
certificatestoclientsthatreceivetheconfiguration.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 45
SetUpTwoFactorAuthentication Authentication

SetUpTwoFactorAuthentication

Ifyourequirestrongauthenticationtoprotectsensitiveassetsortocomplywithregulatoryrequirements,
suchasPCI,SOX,orHIPAA,configureGlobalProtecttouseanauthenticationservicethatusesatwofactor
authenticationscheme.Atwofactorauthenticationschemerequirestwothings:somethingtheenduser
knows(suchasaPINorpassword)andsomethingtheenduserhas(ahardwareorsoftwaretoken/OTP,
smartcard,orcertificate).Youcanalsoenabletwofactorauthenticationusingacombinationofexternal
authenticationservices,andclientandcertificateprofiles.
ThefollowingtopicsprovideexamplesforhowtosetuptwofactorauthenticationonGlobalProtect:
EnableTwoFactorAuthenticationUsingCertificateandAuthenticationProfiles
EnableTwoFactorAuthenticationUsingOneTimePasswords(OTPs)
EnableTwoFactorAuthenticationUsingSmartCards

Enable Two-Factor Authentication Using Certificate and Authentication


Profiles

ThefollowingworkflowdescribeshowtoconfigureGlobalProtectclientauthenticationrequiringtheuserto
authenticatebothtoacertificateprofileandanauthenticationprofile.Theusermustsuccessfully
authenticateusingbothmethodsinordertoconnecttotheportal/gateway.Formoredetailsonthis
configuration,seeRemoteAccessVPNwithTwoFactorAuthentication.

46 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
Authentication SetUpTwoFactorAuthentication

EnableTwoFactorAuthenticationUsingCertificateandAuthenticationProfiles

Step1 Createanauthenticationserverprofile. 1. SelectDevice > Server Profilesandaprofiletype(LDAP,


Theauthenticationserverprofile Kerberos,RADIUS,orTACACS+).
determineshowthefirewallconnectsto 2. Addanewserverprofile.
anexternalauthenticationserviceand
3. EnteraProfileNamefortheprofile,suchasGPUserAuth.
retrievestheauthenticationcredentials
foryourusers. 4. (LDAPonly)SelecttheTypeofLDAPserver(active-directory,
IfyouareusingLDAPtoconnect e-directory,sun,orother).
toActiveDirectory(AD),you 5. ClickAddintheServerslistsectionandthenentertherequired
mustcreateaseparateLDAP informationforconnectionstotheauthenticationservice,
serverprofileforeveryAD includingtheserverName,IPaddressorFQDNoftheServer,
domain. andPort.
6. (RADIUS,TACACS+,andLDAPonly)Specifysettingsto
enablethefirewalltoauthenticatetotheauthentication
serviceasfollows:
RADIUSandTACACS+EnterthesharedSecretwhen
addingtheserverentry.
LDAPEntertheBind DNandPassword.
7. (LDAPonly)IfyouwanttheendpointtouseSSLorTLSfora
moresecureconnectionwiththedirectoryserver,selectthe
Require SSL/TLS secured connectioncheckbox(selectedby
default).Theprotocolthatthedeviceusesdependsonthe
serverPortinthe Server list:
389(default)TLS(specifically,thedeviceusestheStartTLS
operationtoupgradetheinitialplaintextconnectiontoTLS).
636SSL.
AnyotherportThedevicefirstattemptstouseTLS.Ifthe
directoryserverdoesnotsupportTLS,thedeviceusesSSL.
8. (LDAPonly)Foradditionalsecurity,selecttheVerify Server
Certificate for SSL sessionscheckboxsothattheendpoint
verifiesthecertificatethatthedirectoryserverpresentsfor
SSL/TLSconnections.Toenableverification,youalsomust
selecttheRequire SSL/TLS secured connectioncheckbox.
Forverificationtosucceed,oneofthefollowingconditions
mustbetrue:
Thecertificateisinthelistofdevicecertificates:Device >
Certificate Management > Certificates > Device
Certificates.Importthecertificateintotheendpointif
necessary.
Thecertificatesignerisinthelistoftrustedcertificate
authorities:Device > Certificate Management >
Certificates > Default Trusted Certificate Authorities.
9. ClickOKtosavetheserverprofile.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 47
SetUpTwoFactorAuthentication Authentication

EnableTwoFactorAuthenticationUsingCertificateandAuthenticationProfiles(Continued)

Step2 Createanauthenticationprofilethat 1. SelectDevice > Authentication Profile andAddanewprofile.


identifiestheserviceforauthenticating 2. EnteraNamefortheprofile.
users.(Youlaterhavetheoptionof
assigningtheprofileontheportalandon 3. SelecttheLocation.
gateways.) 4. SelecttheTypeofAuthentication(LDAP,Kerberos,RADIUS,
orTACACS+).
5. SelecttheServer ProfileyoucreatedinStep 1.
6. (LDAPonly)EntersAMAccountNameastheLogin Attribute.
7. ClickOK tosavetheauthenticationprofile.

Step3 Createaclientcertificateprofilethatthe 1. SelectDevice > Certificates > Certificate Management >


portalusestoauthenticatetheclient Certificate ProfileandclickAddandenteraprofileName.
certificatesthatcomefromuserdevices. 2. SelectavaluefortheUsername Field:
Whenyouconfiguretwofactor Ifyouintendfortheclientcertificatetoauthenticate
authenticationtouseclient individualusers,selectthecertificatefieldthatidentifiesthe
certificates,theexternal user.
authenticationserviceusesthe
Ifyouaredeployingtheclientcertificatefromtheportal,
usernamevaluetoauthenticate
leavethisfieldsettoNone.
theuser,ifspecified,intheclient
certificate.Thisensuresthatthe Ifyouaresettingupacertificateprofileforusewitha
userwhoisloggingisinisactually prelogonconnectmethod,leavethefieldsettoNone.
theusertowhomthecertificate 3. IntheCA Certificatesarea,clickAddandthen:
wasissued. a. SelecttheCA certificate,eitheratrustedrootCAcertificate
ortheCAcertificatefromaSCEPserver.(Ifnecessary,
importthecertificate).
b. (Optional)EntertheDefault OCSP URL.
c. (Optional)SelectacertificateforOCSP Verify CA.
4. (Optional)Selectoptionsthatspecifywhentoblocktheusers
requestedsession:
a. Statusofcertificateisunknown.
b. GlobalProtectcomponentdoesnotretrievecertificate
statuswithinthenumberofsecondsinCertificate Status
Timeout.
c. Theauthenticatingdevicethatisconsideringthelogin
requestdidnotissuethecertificatethattheuserisoffering.
5. ClickOK.

Step4 (Optional)Issueclientcertificatesto 1. UseyourenterprisePKIorapublicCAtoissueaclient


GlobalProtectclientsandendpoints. certificatetoeachGlobalProtectuser.
Totransparentlydeployclient 2. Fortheprelogonconnectmethods,installcertificatesinthe
certificates,configureyourportalto personalcertificatestoreontheclientsystems.
distributeasharedclientcertificateto
yourendpointsorconfiguretheportalto
useSCEPtorequestanddeployunique
clientcertificatesforeachuser.

Step5 SavetheGlobalProtectconfiguration. ClickCommit.

48 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
Authentication SetUpTwoFactorAuthentication

Enable Two-Factor Authentication Using One-Time Passwords (OTPs)

Usethisworkflowtoconfiguretwofactorauthenticationusingonetimepasswords(OTPs)ontheportal
andgateways.Whenauserrequestsaccess,theportalorgatewaypromptstheusertoenteranOTP.The
authenticationservicesendstheOTPasatokentotheusersRSAdevice.
Settingupatwofactorauthenticationschemeissimilartosettingupothertypesofauthenticationand
requiresyoutoconfigure:
Aserverprofile(usuallyforaRADIUSservicefortwofactorauthentication)assignedtoan
authenticationprofile.
Aclientauthenticationprofilethatincludestheauthenticationprofilefortheservicethatthese
componentsuse.
Bydefault,theagentsuppliesthesamecredentialsitusedtologintotheportalandtothegateway.Inthe
caseofOTPauthentication,thisbehaviorwillcausetheauthenticationtoinitiallyfailonthegatewayand,
becauseofthedelaythiscausesinpromptingtheuserforalogin,theusersOTPmayexpire.Toprevent
this,youmustconfiguretheportalsandgatewaysthatpromptfortheOTPinsteadofusingthesame
credentialsonaperagentconfigurationbasis.
YoucanalsoreducethefrequencyinwhichusersarepromptedforOTPsbyconfiguringanauthentication
override.Thisenablestheportalsandgatewaystogenerateandacceptasecureencryptedcookieto
authenticatetheuserforaspecifiedamountoftime.Theportalsand/orgatewayswillnotrequireanewOTP
untilthecookieexpiresthusreducingthenumberoftimesusersmustprovideanOTP.

EnableTwoFactorAuthenticationUsingOTPs

Step1 Afteryouhaveconfiguredthebackend Forspecificinstructions,refertothedocumentationforyour


RADIUSservicetogeneratetokensfor RADIUSserver.Inmostcases,youneedtosetupanauthentication
theOTPsandensuredusershaveany agentandaclientconfigurationontheRADIUSservertoenable
necessarydevices(suchasahardware communicationbetweenthefirewallandtheRADIUSserver.You
token),setupaRADIUSserverto alsodefinethesharedsecrettouseforencryptingsessions
interactwiththefirewall. betweenthefirewallandtheRADIUSserver.

Step2 Oneachfirewallthathoststhegateways 1. SelectDevice > Server Profiles > RADIUS.


and/orportal,createaRADIUSserver 2. Addanewprofile.
profile.(Forasmalldeployment,one
firewallcanhosttheportaland 3. EnteraNameforthisRADIUSprofile.
gateways.) 4. EnteraRADIUSDomainname.
WhencreatingtheRADIUS 5. IntheServersarea,AddaRADIUSinstanceandenter:
serverprofile,alwaysentera
AdescriptiveNametoidentifythisRADIUSserver
Domainname.Thisvalueserves
asthedefaultdomainforUserID TheRADIUS ServerIPaddress
mappingifusersdontsupplya ThesharedSecretforencryptingsessionsbetweenthe
UserIDuponlogin. firewallandtheRADIUSserver
ThePortnumberonwhichtheRADIUSserverlistensfor
authenticationrequests(default1812)
6. ClickOKtosavetheprofile.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 49
SetUpTwoFactorAuthentication Authentication

EnableTwoFactorAuthenticationUsingOTPs(Continued)

Step3 Createanauthenticationprofile. 1. SelectDevice > Authentication Profile.


2. Addanewprofile.
3. EnteraNamefortheprofile.Thenamecannotcontainspaces.
4. Select RADIUSastheTypeofauthenticationservice.
5. SelecttheServer Profileyoucreatedforaccessingyour
RADIUSserver.
6. ClickOKtosavetheauthenticationprofile.

Step4 Assigntheauthenticationprofiletothe 1. SelectNetwork > GlobalProtect > Gatewaysandanexisting


GlobalProtectgateway(s)and/orportal. gatewayconfigurationbyname(orAddone).Ifyouareadding
YoucanconfiguremultipleClient anewgateway,specifyitsname,location,andnetwork
Authenticationconfigurationsforthe parameters.
portalandgateways.ForeachClient 2. OntheAuthenticationtab,selectanSSL/TLSserviceprofileor
Authenticationconfigurationyoucan Addanewprofile.
specifytheauthenticationprofileto
3. AddaClientAuthenticationconfigurationandenteritsName.
applytoendpointsofaspecificOS.
Thisstepdescribesonlyhowtoaddthe 4. SelecttheendpointOStowhichthisconfigurationapplies.
authenticationprofiletothegatewayor 5. SelecttheAuthentication ProfileyoucreatedinCreatean
portalconfiguration.Foradditional authenticationprofile.
detailsonsettingupthesecomponents,
6. (Optional)Enteracustomauthenticationmessage.
seeGlobalProtectGatewaysand
GlobalProtectPortals. 7. ToaddadditionalClientAuthenticationconfigurations,repeat
steps3through6.
8. ClickOKtosavetheconfiguration.
9. Toaddothergateways,repeatsteps2through8.
10. Toassigntheauthenticationprofiletotheportal,select
Network > GlobalProtect > Portals andrepeatsteps2
through 8.

Step5 (Optional)Configuretheportalor 1. SelectNetwork > GlobalProtect > Portalsandselectan


gatewaystopromptforausernameand existingportalconfiguration.
passwordoronlyapasswordeachtime 2. SelectAgent.
theuserlogsin.Savingthepasswordis
notsupportedwithtwofactor 3. SelectanexistingagentconfigurationorAddone.
authenticationusingOTPsbecausethe 4. SetSave User CredentialstoSave Username OnlyorNo.This
usermustenteradynamicpassword settingenablesGlobalProtecttopromptfordynamic
eachtimetheylogin. passwordsforeachcomponentyouselectinthefollowing
Thisstepdescribesonlyhowto step.
configurethepasswordsettingina 5. ClickOKtwicetosavetheconfiguration.
portalagentconfiguration.Foradditional
details,seeCustomizetheGlobalProtect
Agent.

50 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
Authentication SetUpTwoFactorAuthentication

EnableTwoFactorAuthenticationUsingOTPs(Continued)

Step6 SelecttheGlobalProtectcomponents 1. SelectNetwork > GlobalProtect > Portalsandselectan


portalandtypesofgatewaysthat existingportalconfiguration.
promptfordynamicpasswords,suchas 2. SelectAgent.
OTPs,insteadofusingsavedcredentials.
3. SelectanexistingagentconfigurationorAddone.
4. SelecttheAuthenticationtab,andthenselectthe
ComponentsthatRequireDynamicPasswords(TwoFactor
Authentication).Whenselected,theportaland/ortypesof
gatewayspromptforOTPs.
5. ClickOKtwicetosavetheconfiguration.

Step7 Ifsinglesignon(SSO)isenabled,disable 1. SelectNetwork > GlobalProtect > Portalsandselecttheportal


it.Theagentconfigurationspecifies configuration.
RADIUSastheauthenticationserviceso 2. SelectAgentandthenselecttheagentconfiguration(orAdd
KerberosSSOisnotsupported. one).
Thisstepdescribesonlyhowtodisable
3. SelecttheApptab.
SSO.Formoredetails,seeDefinethe
GlobalProtectAgentConfigurations. 4. SetUse Single Sign-ontoNo.
5. ClickOKtwicetosavetheconfiguration.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 51
SetUpTwoFactorAuthentication Authentication

EnableTwoFactorAuthenticationUsingOTPs(Continued)

Step8 (Optional)Tominimizethenumberof 1. SelectNetwork > GlobalProtect > GatewaysorPortalsand


timesausermustprovidecredentials, selecttheconfiguration(orAddone).
configureanauthenticationoverride. 2. SelectAgent > Client Settings(onthegateway)orAgent(on
Bydefault,theportalorgateways theportal)andthenselecttheconfiguration(orAddone).
authenticatetheuserwithan
3. IntheAuthentication Overridearea,configurethefollowing:
authenticationprofileandoptional
certificateprofile.Withauthentication Generate cookie for authentication overrideEnablethe
override,theportalorgateway portalorgatewaytogenerateencrypted,endpointspecific
authenticatestheuserwithanencrypted cookies.Afteruserssuccessfullyauthenticate,theportalor
cookiethatithasdeployedtothe gatewayissuetheauthenticationcookietotheendpoint.
endpoint.Whilethecookieisvalid,the Accept cookie for authentication overrideSelectthe
usercanloginwithoutenteringregular checkboxtoinstructtheportalorgatewaytoauthenticate
credentialsoranOTP.Formore theuserthroughavalid,encryptedcookie.Whenthe
information,seeCookieAuthentication endpointpresentsavalidcookie,theportalorgateway
onthePortalorGateway. verifiesthatthecookiewasencryptedbytheportalor
Ifyouneedtoimmediatelyblock gateway,decryptsthecookie,andthenauthenticatesthe
accesstoadevicewhosecookie user.
hasnotyetexpired(forexample, Cookie LifetimeSpecifythehours,days,orweeksthatthe
ifthedeviceislostorstolen),you cookieisvalid.Typicallifetimeis24hoursforgateways
canBlockDeviceAccessby whichprotectsensitiveinformationor15daysforthe
addingthedevicetoablocklist. portal.Therangeforhoursis172;forweeks,152;andfor
Formoredetails,see days,1365.Afterthecookieexpiresoneithertheportalor
GlobalProtectGatewaysand gateway(whicheveroccursfirst),theportalorgateway
GlobalProtectPortals. promptstheusertoauthenticateandsubsequently
encryptsanewcookietosendtotheendpoint.
Certificate to Encrypt/Decrypt CookieSelecttheRSA
certificatetousetoencryptanddecryptthecookie.You
mustusethesamecertificateontheportalandgateways.
Asabestpractice,configuretheRSAcertificateto
usethestrongestdigestalgorithmthatyour
networksupports.
TheportalandgatewaysusetheRSAencryptpadding
schemePKCS#1V1.5togeneratethecookie(usingthe
publickeyofthecertificate)anddecryptthecookie(using
theprivatekeyofthecertificate).
4. ClickOKtwicetosavetheconfiguration.

Step9 Committheconfiguration. ClickCommit.

52 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
Authentication SetUpTwoFactorAuthentication

EnableTwoFactorAuthenticationUsingOTPs(Continued)

Step10 Verifytheconfiguration. FromanendpointrunningtheGlobalProtectagent,trytoconnect


Thegatewayandportalmustbe toagatewayorportalonwhichyouenabledOTPauthentication.
configuredbeforeyoutakehisstep.For Youshouldseetwopromptssimilartothefollowing:
detailsonsettingupthesecomponents, ThefirstpromptrequestsaPIN(eitherauserorsystemgenerated
seeGlobalProtectGatewaysand PIN):
GlobalProtectPortals.

ThesecondpromptrequestsyourtokenorOTP:

Enable Two-Factor Authentication Using Smart Cards

Ifyouwanttoenableyourenduserstoauthenticateusingasmartcardorcommonaccesscard(CAC),you
mustimporttheRootCAcertificatethatissuedthecertificatescontainedontheenduserCACorsmart
cardsontotheportalandgateway.YoucanthencreateacertificateprofilethatincludesthatRootCAand
applyittoyourportaland/orgatewayconfigurationstoenableuseofthesmartcardintheauthentication
process.

EnableSmartCardAuthentication

Step1 Setupyoursmartcardinfrastructure. Forspecificinstructions,refertothedocumentationfortheuser


Thisprocedureassumesthatyouhave authenticationprovidersoftware.
deployedsmartcardsandsmartcard Inmostcases,settingupthesmartcardinfrastructureinvolvesthe
readerstoyourendusers. generatingofcertificatesforendusersandfortheparticipating
servers,whicharetheGlobalProtectportalandgateway(s)inthis
usecase.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 53
SetUpTwoFactorAuthentication Authentication

EnableSmartCardAuthentication(Continued)

Step2 ImporttheRootCAcertificatethat Makesurethecertificateisaccessiblefromyourmanagement


issuedtheclientcertificatescontained systemandthencompletethefollowingsteps:
ontheendusersmartcards. 1. SelectDevice > Certificate Management > Certificates >
Device Certificates.
2. ClickImportandenteraCertificate Name.
3. EnterthepathandnametotheCertificate Filereceivedfrom
theCA,orBrowsetofindthefile.
4. SelectBase64 Encoded Certificate (PEM) astheFile Format
andthenclickOKtoimportthecertificate.

Step3 Createthecertificateprofile. Createthecertificateprofileoneachportal/gatewayonwhichyou


Fordetailsonothercertificate plantouseCACorsmartcardauthentication:
profilefields,suchaswhetherto 1. SelectDevice > Certificate Management > Certificate Profile
useCRLorOCSP,refertothe andclickAddandenteraprofileName.
onlinehelp.
2. IntheUsernamefield,selectthecertificatefieldthatPANOS
usestomatchtheIPaddressforUserID,eitherSubjecttouse
acommonname,Subject Alt: Emailtouseanemailaddress,
orSubject Alt: Principal Name tousethePrincipalName.
3. IntheCA Certificatesfield,clickAdd,selectthetrustedroot
CA CertificateyouimportedinStep 2andthenclickOK.
4. ClickOKtosavethecertificateprofile.

Step4 Assignthecertificateprofiletothe 1. SelectNetwork > GlobalProtect > GatewaysorPortalsand


gateway(s)orportal.Thissection selecttheconfiguration(orAddanewone).
describesonlyhowtoaddthecertificate 2. OntheAuthenticationtab,selecttheCertificate Profileyou
profiletothegatewayorportal justcreated.
configuration.Fordetailsonsettingup
thesecomponents,seeGlobalProtect 3. ClickOKtosavetheconfiguration.
GatewaysandGlobalProtectPortals.

Step5 Savetheconfiguration. ClickCommit.

54 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
Authentication SetUpTwoFactorAuthentication

EnableSmartCardAuthentication(Continued)

Step6 Verifytheconfiguration. FromaclientsystemrunningtheGlobalProtectagent,tryto


Thegatewayandportalmustbe connecttoagatewayorportalonwhichyouenabledOTP
configuredbeforeyoutakehisstep.For authentication.Youshouldseetwopromptssimilartothe
detailsonsettingupthesecomponents, following:
seeGlobalProtectGatewaysand ThefirstpromptrequestsaPIN(eitherauserorsystemgenerated
GlobalProtectPortals. PIN):

ThesecondpromptrequestsyourtokenorOTP:

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 55
SetUpAuthenticationforstrongSwanUbuntuandCentOSClients Authentication

SetUpAuthenticationforstrongSwanUbuntuandCentOS
Clients

ToextendGlobalProtectVPNremoteaccesssupporttostrongSwanUbuntuandCentOSclients,setup
authenticationforthestrongSwanclients.

ToviewtheminimumGlobalProtectreleaseversionthatsupportsstrongSwanonUbuntuLinuxandCentOS,see
WhatClientOSVersionsareSupportedwithGlobalProtect?.

ToconnecttotheGlobalProtectgateway,theusermustsuccessfullyauthenticate.Thefollowingworkflows
showexamplesofhowtoenableauthenticationforstrongSwanclients.Forcompleteinformationabout
strongSwan,seethestrongSwanwiki.
EnableAuthenticationUsingaCertificateProfile
EnableAuthenticationUsinganAuthenticationProfile
EnableAuthenticationUsingTwoFactorAuthentication

Enable Authentication Using a Certificate Profile

ThefollowingworkflowshowshowtoenableauthenticationforstrongSwanclientsusingacertificate
profile.

EnableAuthenticationUsingaCertificateProfile

Step1 ConfigureanIPSectunnelfortheGlobalProtect 1. SelectNetwork > GlobalProtect > Gatewaysandthen


gatewayforcommunicatingwithastrongSwan selectthegatewayname.
client. 2. SelecttheCertificate Profileyouwanttousefor
authenticationintheAuthentication tab.
3. SelectAgent > Tunnel Settingsandspecifythe
followingsettingstosetupatunnel:
SelectthecheckboxtoEnable X-Auth Support.
IfaGroup NameandGroup Passwordarealready
configured,removethem.
ClickOKtosavethesettings.

56 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
Authentication SetUpAuthenticationforstrongSwanUbuntuandCentOSClients

EnableAuthenticationUsingaCertificateProfile(Continued)

Step2 Verifythatthedefaultconnectionsettingsinthe Modifythefollowingsettingsintheconn %default


conn %defaultsectionoftheIPSectunnel sectionoftheipsec.conffiletotheserecommended
configurationfile(ipsec.conf)arecorrectly settings.
definedforthestrongSwanclient. ikelifetime=20m
Theipsec.conffileisusuallyfoundinthe/etc reauth=yes
folder. rekey=yes
Theconfigurationsinthisprocedureare keylife=10m
testedandverifiedforthefollowing rekeymargin=3m
releases: rekeyfuzz=0%
Ubuntu14.0.4withstrongSwan5.1.2 keyingtries=1
andCentOS6.5withstrongSwan5.1.3 type=tunnel
forPANOS6.1.
Ubuntu14.0.4withstrongSwan5.2.1
forPANOS7.0.
Theconfigurationsinthisprocedurecan
beusedforreferenceifyouareusinga
differentversionofstrongSwan.Referto
thestrongSwanwikiformore
information.

Step3 ModifythestrongSwanclientsIPSec Modifythefollowingitemsintheipsec.conffiletothese


configurationfile(ipsec.conf)andtheIPSec recommendedsettings.
passwordfile(ipsec.secrets)touse conn <connection name>
recommendedsettings. keyexchange=ikev1
authby=rsasig
Theipsec.secrets fileisusuallyfoundinthe ike=aes-sha1-modp1024,aes256
/etc folder. left=<strongSwan/Linux-client-IP-address>
leftcert=<client certificate with the
UsethestrongSwanclientusernameasthe strongSwan client username used as the
certificatescommonname. certificates common name>
leftsourceip=%config
leftauth2=xauth
right=<GlobalProtect-Gateway-IP-address>
rightid=CN=<Subject-name-of-gateway-certifica
te>
rightsubnet=0.0.0.0/0
auto=add
Modifythefollowingitemsintheipsec.conffiletothese
recommendedsettings.
:RSA <private key file> <passphrase if used>

Step4 StartstrongSwanIPSecservicesandconnectto Ubuntu clients:


theIPSectunnelthatyouwantthestrongSwan ipsec start
clienttousewhenauthenticatingtothe ipsec up <name>
GlobalProtectgateway.
CentOS clients:
Usetheconfig <name>variabletonamethe
tunnelconfiguration. strongSwan start
strongswan up <name>

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 57
SetUpAuthenticationforstrongSwanUbuntuandCentOSClients Authentication

EnableAuthenticationUsingaCertificateProfile(Continued)

Step5 Verifythatthetunnelissetupcorrectlyandthe 1. Verifythedetailedstatusinformationonaspecific


VPNconnectionisestablishedtoboththe connection(bynamingtheconnection)orverifythe
strongSwanclientandtheGlobalProtect statusinformationforallconnectionsfromthe
gateway. strongSwanclient:
Ubuntuclients:
ipsec statusall [<connection name>]
CentOSclients:
strongswan statusall [<connection name>]
2. SelectNetwork > GlobalProtect > Gateways.Then,in
theInfocolumn,selectRemote Usersforthegateway
configuredfortheconnectiontothestrongSwan
client.ThestrongSwanclientshouldbelistedunder
Current Users.

Enable Authentication Using an Authentication Profile

ThefollowingworkflowshowshowtoenableauthenticationforstrongSwanclientsusinganauthentication
profile.TheauthenticationprofilespecifieswhichserverprofiletousewhenauthenticatingstrongSwan
clients.

EnableAuthenticationUsinganAuthenticationProfile

Step1 SetuptheIPSectunnelthattheGlobalProtect 1. SelectNetwork > GlobalProtect > Gatewaysand


gatewaywilluseforcommunicatingwitha selectthegatewayname.
strongSwanclient. 2. SelecttheAuthentication Profileyouwanttousein
theAuthentication tab.
3. SelectAgent > Tunnel Settingsandspecifythe
followingsettingstosetupatunnel:
SelectthecheckboxtoEnable X-Auth Support.
EnteraGroup NameandGroup Passwordifthey
arenotalreadyconfigured.
ClickOKtosavethesetunnelsettings.

58 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
Authentication SetUpAuthenticationforstrongSwanUbuntuandCentOSClients

EnableAuthenticationUsinganAuthenticationProfile(Continued)

Step2 Verifythatthedefaultconnectionsettingsinthe Intheconn %defaultsectionofthe ipsec.conf file,


conn %defaultsectionoftheIPSectunnel configurethefollowingrecommendedsettings:
configurationfile(ipsec.conf)arecorrectly ikelifetime=20m
definedforthestrongSwanclient. reauth=yes
Theipsec.conffileisusuallyfoundinthe/etc rekey=yes
folder. keylife=10m
Theconfigurationsinthisprocedureare rekeymargin=3m
testedandverifiedforthefollowing rekeyfuzz=0%
releases:
keyingtries=1
Ubuntu14.0.4withstrongSwan5.1.2 type=tunnel
andCentOS6.5withstrongSwan5.1.3
forPANOS6.1.
Ubuntu14.0.4withstrongSwan5.2.1
forPANOS7.0.
Theconfigurationsinthisprocedurecan
beusedforreferenceifyouareusinga
differentversionofstrongSwan.Referto
thestrongSwanwikiformore
information.

Step3 ModifythestrongSwanclientsIPSec Configurethefollowingrecommendedsettingsinthe


configurationfile(ipsec.conf)andtheIPSec ipsec.conffile:
passwordfile(ipsec.secrets)touse conn <connection name>
recommendedsettings. keyexchange=ikev1
ikelifetime=1440m
Theipsec.secretsfileisusuallyfoundinthe keylife=60m
/etcfolder. aggressive=yes
ike=aes-sha1-modp1024,aes256
UsethestrongSwanclientusernameasthe esp=aes-sha1
certificatescommonname. xauth=client
left=<strongSwan/Linux-client-IP-address>
leftid=@#<hex of Group Name configured in the
GlobalProtect gateway>
leftsourceip=%modeconfig
leftauth=psk
rightauth=psk
leftauth2=xauth
right=<gateway-IP-address>
rightsubnet=0.0.0.0/0
xauth_identity=<LDAP username>
auto=add
Configurethefollowingrecommendedsettingsinthe
ipsec.secretsfile:
:PSK <Group Name configured in the gateway>
<username> :XAUTH <user password>

Step4 StartstrongSwanIPSecservicesandconnectto Ubuntu clients:


theIPSectunnelthatyouwantthestrongSwan ipsec start
clienttousewhenauthenticatingtothe ipsec up <name>
GlobalProtectgateway.
CentOS clients:
strongSwan start
strongswan up <name>

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 59
SetUpAuthenticationforstrongSwanUbuntuandCentOSClients Authentication

EnableAuthenticationUsinganAuthenticationProfile(Continued)

Step5 Verifythatthetunnelissetupcorrectlyandthe 1. Verifythedetailedstatusinformationonaspecific


VPNconnectionisestablishedtoboththe connection(bynamingtheconnection)orverifythe
strongSwanclientandtheGlobalProtect statusinformationforallconnectionsfromthe
gateway. strongSwanclient:
Ubuntuclients:
ipsec statusall [<connection name>]
CentOSclients:
strongswan statusall [<connection name>]
2. SelectNetwork > GlobalProtect > Gateways.Then,in
theInfocolumn,selectRemote Usersforthegateway
configuredfortheconnectiontothestrongSwan
client.ThestrongSwanclientshouldbelistedunder
Current Users.

Enable Authentication Using Two-Factor Authentication

Withtwofactorauthentication,thestrongSwanclientneedstosuccessfullyauthenticateusingbotha
certificateprofileandanauthenticationprofiletoconnecttotheGlobalProtectgateway.Thefollowing
workflowshowshowtoenableauthenticationforstrongSwanclientsusingtwofactorauthentication.

EnableAuthenticationUsingTwoFactorAuthentication

Step1 SetuptheIPSectunnelthattheGlobalProtect 1. SelectNetwork > GlobalProtect > Gatewaysand


gatewaywilluseforcommunicatingwitha selectthegatewayname.
strongSwanclient. 2. SelecttheCertificate Profile andAuthentication
Profile youwanttouseintheAuthentication tab.
3. SelectAgent > Tunnel Settingsandspecifythe
followingsettingstosetupatunnel:
SelectthecheckboxtoEnable X-Auth Support.
IfaGroup NameandGroup Passwordarealready
configured,removethem.
ClickOKtosavethesetunnelsettings.

60 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
Authentication SetUpAuthenticationforstrongSwanUbuntuandCentOSClients

EnableAuthenticationUsingTwoFactorAuthentication(Continued)

Step2 Verifythatthedefaultconnectionsettingsinthe Configurethefollowingrecommendedsettingsinthe


conn %defaultsectionoftheIPSectunnel ipsec.conffile:
configurationfile(ipsec.conf)arecorrectly ikelifetime=20m
definedforthestrongSwanclient. reauth=yes
Theipsec.conffileusuallyresidesinthe/etc rekey=yes
folder. keylife=10m
Theconfigurationsinthisprocedureare rekeymargin=3m
testedandverifiedforthefollowing rekeyfuzz=0%
releases:
keyingtries=1
Ubuntu14.0.4withstrongSwan5.1.2 type=tunnel
andCentOS6.5withstrongSwan5.1.3
forPANOS6.1.
Ubuntu14.0.4withstrongSwan5.2.1
forPANOS7.0.
Usetheconfigurationsinthisprocedure
asareferenceifyouareusingadifferent
versionofstrongSwan.Refertothe
strongSwanwikiformoreinformation.

Step3 ModifythestrongSwanclientsIPSec Configurethefollowingrecommendedsettingsinthe


configurationfile(ipsec.conf)andtheIPSec ipsec.conffile:
passwordfile(ipsec.secrets)touse conn <connection name>
recommendedsettings. keyexchange=ikev1
authby=xauthrsasig
Theipsec.secretsfileisusuallyfoundinthe ike=aes-sha1-modp1024
/etcfolder. esp=aes-sha1
xauth=client
UsethestrongSwanclientusernameasthe left=<strongSwan/Linux-client-IP-address>
certificatescommonname. leftcert=<client-certificate-without-password>
leftsourceip=%config
right=<GlobalProtect-gateway-IP-address>
rightid=%anyCN=<Subject-name-of-gateway-cert>
rightsubnet=0.0.0.0/0
leftauth2=xauth
xauth_identity=<LDAP username>
auto=add
Configurethefollowingrecommendedsettingsinthe
ipsec.secretsfile:
<username> :XAUTH <user password>
:RSA <private key file> <passphrase if used>

Step4 StartstrongSwanIPSecservicesandconnectto Ubuntu clients:


theIPSectunnelthatyouwantthestrongSwan ipsec start
clienttousewhenauthenticatingtothe ipsec up <name>
GlobalProtectgateway.
CentOS clients:
strongSwan start
strongswan up <name>

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 61
SetUpAuthenticationforstrongSwanUbuntuandCentOSClients Authentication

EnableAuthenticationUsingTwoFactorAuthentication(Continued)

Step5 Verifythatthetunnelissetupcorrectlyandthe 1. Verifythedetailedstatusinformationonaspecific


VPNconnectionisestablishedtoboththe connection(bynamingtheconnection)orverifythe
strongSwanclientandtheGlobalProtect statusinformationforallconnectionsfromthe
gateway. strongSwanclient:
Ubuntuclients:
ipsec statusall [<connection name>]
CentOSclients:
strongswan statusall [<connection name>]
2. SelectNetwork > GlobalProtect > Gateways.Then,in
theInfocolumn,selectRemote Usersforthegateway
configuredfortheconnectiontothestrongSwan
client.ThestrongSwanclientshouldbelistedunder
Current Users.

62 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
Authentication SetUpMultiFactorAuthentication

SetUpMultiFactorAuthentication

YoucanleverageAuthenticationFeatureswithinGlobalProtecttosupportaccesstononHTTPapplications
thatrequiremultifactorauthentication.GlobalProtectcannotifyandprompttheusertoperformthetimely,
multifactorauthenticationneededtoaccesssensitivenetworkresources.
Whenmatchingpolicyagainstuserrequestsforresources,thefirewallfirstevaluatesAuthenticationpolicy
andthenSecuritypolicy.UponmatchinganAuthenticationpolicyrule,thefirewallfirstinvokestheprimary
authenticationserviceassociatedwiththerule.Theprimaryservicecanusesinglefactorauthentication
(suchasSAML2.0authenticationorclientcertificateauthentication)orMFAthatyouconfiguredthrougha
RADIUSserver.ThenthefirewallinvokeseachMFAservicethatyouconfiguredthroughanAPIintegration.
EachMFAservicecanprompttheusertoselectoneauthenticationmethodfromalistofseveral.
GlobalProtectsupportsthefollowingmethods:
PushAnendpointdevice(suchasaphoneortablet)promptstheusertoallowordenyauthentication.
Shortmessageservice(SMS)AnSMSmessagepromptstheusertoallowordenyauthentication.
VoiceAnautomatedphonecallpromptstheusertoauthenticatebypressingakey.
Onetimepassword(OTP)Theuserreceivesanautomaticallygeneratedalphanumericstringthat
enablesauthenticationforasingletransactionorsession.
AGlobalProtectclientisarequirementformultifactorauthenticationonnonHTTPapplications.For
browserbasedapplicationsthatrequiremultifactorauthentication,usersareautomaticallypresentedwith
AuthenticationPortalpage(previouslycalledtheCaptivePortalpage).FornonHTTPapplications,ifa
sessionmatchesanAuthenticationpolicyrule,thenthefirewallwillsendaUDPnotificationtothe
GlobalProtectclientwithanembeddedURLlinktotheAuthenticationPortalpage.GlobalProtectdisplays
thismessageasapopupnotificationtotheuser.

YoucancustomizethemessagethatGlobalProtectusersseewhenpromptedtoauthenticate.Clickingthis
linksendstheusertotheAuthenticationPortalpagewheretheycanstartthemultifactorauthentication
process(thesameaswithbrowserbasedHTTPapplications).

ForGlobalProtecttosupportmultifactorauthenticationonexternalgateways,youmust
configurearesponsepageonthetunnelinterface.RefertoConfigureMultiFactor
AuthenticationformoreinformationonhowtoconfigureanMFALoginresponsepage.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 63
SetUpMultiFactorAuthentication Authentication

64 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
Authentication SetUpMultiFactorAuthentication

ConfigureGlobalProtecttoSupportMultiFactorAuthentication

Step1 BeforeyouconfigureGlobalProtect, Tousemultifactorauthenticationforprotectingsensitive


configuremultifactorauthenticationon resources,theeasiestsolutionistointegratethefirewallwithan
thefirewall. MFAvendorthatisalreadyestablishedinyournetwork.When
yourMFAstructureisready,youcanstartconfiguringthe
componentsofyourauthenticationpolicy.Formoreinformation,
refertoConfigureMultiFactorAuthentication.
EnableCaptivePortaltorecordauthenticationtimestampsand
updateusermappings.
Createserverprofilesthatdefinehowthefirewallwillconnect
totheservicesthatauthenticateusers.
AssigntheserverprofilestoanAuthenticationprofilewhich
specifiesauthenticationparameters.
ConfigureaSecuritypolicyrulethatallowsuserstoaccessthe
resourcesthatrequireauthentication.

Step2 ConfigureGlobalProtectclientsto 1. SelectNetwork > GlobalProtect > Portalsandselectaportal


supportmultifactorauthenticationfor configuration(orAddone).
nonHTTPapplications. 2. SelectAgentandthenselectanexistingagentconfigurationor
Addone.
3. IntheApptab,specifythefollowing:
SetEnable Inbound Authentication Prompts from MFA
GatewaystoYes.Tosupportmultifactorauthentication
(MFA),aGlobalProtectclientmustreceiveand
acknowledgeUDPpromptsthatareinboundfromthe
gateway.SelectYes toenableaGlobalProtectclientto
receiveandacknowledgetheprompt.Bydefault,thevalue
issettoNo meaningGlobalProtectwillblockUDPprompts
fromthegateway.
InNetwork Port for Inbound Authentication Prompts
(UDP),specifytheportnumberaGlobalProtectclientuses
toreceiveinboundauthenticationpromptsfromMFA
gateways.Thedefaultportis4501.Tochangetheport,
specifyanumberfrom1to65535.
InTrusted MFA Gateways,specifythelistofauthentication
gatewaysaGlobalProtectclientwilltrustformultifactor
authentication.WhenaGlobalProtectclientreceivesa
UDPmessageonthespecifiednetworkport,GlobalProtect
displaysanauthenticationmessageonlyiftheUDPprompt
comesfromatrustedgateway.
ConfiguretheDefault Message for Inbound
Authentication Prompts (forexample:You have
attempted to access a protected resource
that requires additional authentication.
Proceed to authenticate at \\server1\myapp).
Whenuserstrytoaccessaresourcethatrequiresadditional
authentication,GlobalProtectreceivesaninbound
authenticationpromptanddisplaysthismessage.Thislink
shoulddirectuserstotheAuthenticationPortalpageyou
specifiedinConfigureMultiFactorAuthentication.

Step3 Savetheagentconfiguration. 1. ClickOKtwice.


2. Commityourchanges.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 65
EnableGroupMapping Authentication

EnableGroupMapping

Becausetheagentorapprunningonyourendusersystemsrequirestheusertosuccessfullyauthenticate
beforebeinggrantedaccesstoGlobalProtect,theidentityofeachGlobalProtectuserisknown.However,if
youwanttobeabletodefineGlobalProtectconfigurationsand/orsecuritypoliciesbasedongroup
membership,thefirewallmustretrievethelistofgroupsandthecorrespondinglistofmembersfromyour
directoryserver.Thisisknownasgroupmapping.
Toenablethisfunctionality,youmustcreateanLDAPserverprofilethatinstructsthefirewallhowto
connectandauthenticatetothedirectoryserverandhowtosearchthedirectoryfortheuserandgroup
information.AfterthefirewallconnectstotheLDAPserverandretrievesthegroupmappings,youcanselect
groupswhenyoudefinetheagentconfigurationsandsecuritypolicies.Thefirewallsupportsavarietyof
LDAPdirectoryservers,includingMicrosoftActiveDirectory(AD),NovelleDirectory,andSunONE
DirectoryServer.
UsethefollowingproceduretoconnecttoyourLDAPdirectorytoenablethefirewalltoretrieve
usertogroupmappinginformation:

66 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
Authentication EnableGroupMapping

MapUserstoGroups

Step1 CreateanLDAPServerProfilethat 1. SelectDevice > Server Profiles > LDAPandclickAdd.


specifieshowtoconnecttothe 2. EnteraProfile Nametoidentifytheserverprofile.
directoryserverstowhichthefirewall
shouldconnecttoobtaingroupmapping 3. Ifthisprofileisforafirewallwithmultiplevirtualsystems
information. capability,selectavirtualsystemorSharedastheLocation
wheretheprofileisavailable.
4. ForeachLDAPserver(uptofour),AddandenteraName(to
identifytheserver),serverIPaddress(LDAP Serverfield),and
serverPort(default389).
5. SelecttheserverTypefromthedropdown:active-directory,
e-directory,sun,orother.
6. IfyouwantthedevicetouseSSLorTLSforamoresecure
connectionwiththedirectoryserver,selecttheRequire
SSL/TLS secured connectioncheckbox(itisselectedby
default).Theprotocolthatthedeviceusesdependsonthe
serverPort:
389(default)TLS(Specifically,thedeviceusesthe
StartTLSoperation,whichupgradestheinitialplaintext
connectiontoTLS.)
636SSL
AnyotherportThedevicefirstattemptstouseTLS.Ifthe
directoryserverdoesntsupportTLS,thedevicefallsback
toSSL.
7. Foradditionalsecurity,youcanselecttheVerify Server
Certificate for SSL sessionscheckbox(itisclearedby
default)sothatthedeviceverifiesthecertificatethatthe
directoryserverpresentsforSSL/TLSconnections.Toenable
verification,youalsohavetoselecttheRequire SSL/TLS
secured connectioncheckbox.Forverificationtosucceed,
thecertificatemustmeetoneofthefollowingconditions:
Itisinthelistofdevicecertificates:Device > Certificate
Management > Certificates > Device Certificates.Import
thecertificateintothedevice,ifnecessary.
Thecertificatesignerisinthelistoftrustedcertificate
authorities:Device > Certificate Management >
Certificates > Default Trusted Certificate Authorities.
8. ClickOK.

Step2 AddtheLDAPserverprofiletothe 1. SelectDevice > User Identification > Group Mapping Settings
UserIDGroupMappingconfiguration. andclickAdd.
2. EnteraNamefortheconfiguration.
3. SelecttheServer Profileyoujustcreated.
4. MakesuretheEnabledcheckboxisselected.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 67
EnableGroupMapping Authentication

MapUserstoGroups(Continued)

Step3 (Optional)Limitwhichgroupscanbe 1. Addexistinggroupsfromthedirectoryservice:


selectedinpolicyrules. a. SelecttheGroup Include Listtab.
Bydefault,ifyoudontspecifygroups,all b. IntheAvailableGroupslist,selectthegroupsyouwantto
groupsareavailableinpolicyrules. appearinpolicyrulesandclicktheAddicon .
2. Ifyouwanttobasepolicyrulesonuserattributesthatdont
matchexistingusergroups,createcustomgroupsbasedon
LDAPfilters:
a. SelecttheCustom GrouptabandclickAdd.
b. EnteragroupName thatisuniqueinthegroupmapping
configurationforthecurrentfirewallorvirtualsystem.If
theNamehasthesamevalueastheDistinguishedName
(DN)ofanexistingADgroupdomain,thefirewallusesthe
customgroupinallreferencestothatname(forexample,in
policiesandlogs).
c. SpecifyanLDAP Filterofupto2,048UTF8characters,
thenclickOK.ThefirewalldoesntvalidateLDAPfilters.
TooptimizeLDAPsearchesandminimizethe
performanceimpactontheLDAPdirectoryserver,
useonlyindexedattributesinthefilter.

Step4 Commityourchanges. ClickOKandCommit.

68 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
GlobalProtectGateways
BecausetheGlobalProtectconfigurationthattheportaldeliverstotheagentsincludesthelistofgateways
theclientcanconnectto,itisagoodideatoconfigurethegatewaysbeforeconfiguringtheportal.
TheGlobalProtectGatewayscanbeconfiguredtoprovidetwomainfunctions:
EnforcesecuritypolicyfortheGlobalProtectagentsandappsthatconnecttoit.YoucanalsoenableHIP
collectiononthegatewayforenhancedsecuritypolicygranularity.FormoreinformationonenablingHIP
checks,seeHostInformation.
Providevirtualprivatenetwork(VPN)accesstoyourinternalnetwork.VPNaccessisprovidedthrough
anIPSecorSSLtunnelbetweentheclientandatunnelinterfaceonthegatewayfirewall.

YoucanalsoconfigureGlobalProtectgatewaysonVMSeriesfirewallsdeployedintheAWScloud.Bydeploying
theVMSeriesfirewallintheAWScloudyoucanquicklyandeasilydeployGlobalProtectgatewaysinanyregion
withouttheexpenseorITlogisticsthataretypicallyrequiredtosetupthisinfrastructureusingyourown
resources.Fordetails,seeUseCase:VMSeriesFirewallsasGlobalProtectGatewaysinAWS.

GlobalProtectGatewayConcepts
PrerequisiteTasksforConfiguringtheGlobalProtectGateway
ConfigureaGlobalProtectGateway

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 69
GlobalProtectGatewayConcepts GlobalProtectGateways

GlobalProtectGatewayConcepts

Thesesectionsprovideinformationaboutgatewayconnectionpriorityinamultiplegatewayconfiguration
andMIBsupportforGlobalProtectgateways.
GatewayPriorityinaMultipleGatewayConfiguration
GlobalProtectMIBSupport

Gateway Priority in a Multiple Gateway Configuration

Toenablesecureaccessforyourmobileworkforcenomatterwheretheyarelocated,youcanstrategically
deployadditionalPaloAltoNetworksnextgenerationfirewallsandconfigurethemasGlobalProtect
gateways.Todeterminethepreferredgatewaytowhichyouragentsconnect,addthegatewaystoaportal
agentconfigurationandassigneachgatewayaconnectionpriority.SeeDefinetheGlobalProtectAgent
Configurations.
IfaGlobalProtectportalagentconfigurationcontainsmorethanonegateway,theagentwillattemptto
connecttoallgatewayslistedinitsagentconfiguration.Theagentwillthenusepriorityandresponsetime
astodeterminethegatewaytowhichtoconnect.Theagentconnectstoalowerprioritygatewayonlyifthe
responsetimeforthehigherprioritygatewayisgreaterthantheaverageresponsetimeacrossallgateways.
Forexample,considerthefollowingresponsetimesforgw1andgw2:

Name Priority ResponseTime

gw1 Highest 80ms

gw2 High 25ms

Theagentdeterminesthattheresponsetimeforthegatewaywiththehighestpriority(highernumber)is
greaterthantheaverageresponsetimeforbothgateways(52.5ms)and,asaresult,connectstogw2.Inthis
example,theagentdidnotconnecttogw1eventhoughithadahigherprioritybecausearesponsetimeof
80mswashigherthantheaverageforboth.
Nowconsiderthefollowingresponsetimesforgw1,gw2,andathirdgateway,gw3:

Name Priority ResponseTime

gw1 Highest 30ms

gw2 High 25ms

gw3 Medium 50ms

Inthisexample,theaverageresponsetimeforallgatewaysis35ms.Theagentwouldthenevaluatewhich
gatewaysrespondedfasterthantheaverageresponsetimeandseethatgw1andgw2bothhadfaster
responsetimes.Theagentwouldthenconnecttowhichevergatewayhadthehighestpriority.Inthis
example,theagentconnectstogw1becausegw1hasthehighestpriorityofallthegatewayswithresponse
timesbelowtheaverage.

70 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
GlobalProtectGateways GlobalProtectGatewayConcepts

Inadditiontogatewaypriority,youaddoneormoresourceregionstoanexternalgatewayconfiguration,
GlobalProtectrecognizesthedeviceregionandonlyallowsusestoconnecttogatewaysthatareconfigured
forthatregion.Forgatewaychoices,sourceregionisconsideredfirst,thengatewaypriority.

GlobalProtect MIB Support

PaloAltoNetworksdevicessupportstandardandenterprisemanagementinformationbases(MIBs)that
enableyoutomonitorthedevicesphysicalstate,utilizationstatistics,traps,andotherusefulinformation.
MostMIBsuseobjectgroupstodescribecharacteristicsofthedeviceusingtheSimpleNetwork
ManagementProtocol(SNMP)Framework.YoumustloadtheseMIBsintoyourSNMPmanagertomonitor
theobjects(devicestatisticsandtraps)thataredefinedintheMIBs(fordetails,seeUseanSNMPManager
toExploreMIBsandObjectsinthePANOS8.0AdministratorsGuide).
ThePANCOMMONMIBwhichisincludedwiththeenterpriseMIBsusesthepanGlobalProtectobject
group.ThefollowingtabledescribestheobjectsthatmakeupthepanGlobalProtectobjectgroup.

Object Description

panGPGWUtilizationPct Utilization(asapercentage)oftheGlobalProtectgateway

panGPGWUtilizationMaxTunnels Maximumnumberoftunnelsallowed

panGPGWUtilizationActiveTunnels Numberofactivetunnels

UsetheseSNMPobjectstomonitorutilizationofGlobalProtectgatewaysandmakechangesasneeded.For
example,ifthenumberofactivetunnelsreaches80%orishigherthanthemaximumnumberoftunnels
allowed,youshouldconsideraddingadditionalgateways.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 71
PrerequisiteTasksforConfiguringtheGlobalProtectGateway GlobalProtectGateways

PrerequisiteTasksforConfiguringtheGlobalProtect
Gateway

BeforeyoucanconfiguretheGlobalProtectgateway,youmusthavecompletedthefollowingtasks:
Createdtheinterfaces(andzones)fortheinterfacewhereyouplantoconfigureeachgateway.For
gatewaysthatrequiretunnelconnectionsyoumustconfigureboththephysicalinterfaceandthevirtual
tunnelinterface.SeeCreateInterfacesandZonesforGlobalProtect.
SetupthegatewayservercertificatesandSSL/TLSserviceprofilerequiredfortheGlobalProtectagent
toestablishanSSLconnectionwiththegateway.SeeEnableSSLBetweenGlobalProtectComponents.
Definedtheauthenticationprofilesand/orcertificateprofilesthatwillbeusedtoauthenticate
GlobalProtectusers.SeeAuthentication.

72 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
GlobalProtectGateways ConfigureaGlobalProtectGateway

ConfigureaGlobalProtectGateway

Afteryouhavecompletedtheprerequisitetasks,configuretheGlobalProtectGateways:

ConfiguretheGateway

Step1 Addagateway. 1. SelectNetwork > GlobalProtect > GatewaysandclickAdd.


2. IntheGeneralscreen,enteraNameforthegateway.The
gatewaynameshouldhavenospacesand,asabestpractice,
shouldincludethelocationorotherdescriptiveinformationto
helpusersandadministratorsidentifythegateway.
3. (Optional)Selectthevirtualsystemtowhichthisgateway
belongsfromtheLocationfield.

Step2 Specifythenetworkinformationthat 1. SelecttheInterfacethatclientswilluseforcommunication


enablesclientstoconnecttothe withthegateway.
gateway. 2. SpecifytheIP Address TypeandIP address forthegateway
Ifyouhaventcreatedthenetwork webservice:
interfaceforthegateway,seeCreate TheIPaddresstypecanbeIPv4(forIPv4trafficonly),IPv6
InterfacesandZonesforGlobalProtect (forIPv6trafficonly,orIPv4 and IPv6.UseIPv4 and IPv6if
forinstructions. yournetworksupportsdualstackconfigurations,where
IPv4andIPv6runatthesametime.
TheIPaddressmustbecompatiblewiththeIPaddress
type.Forexample,172.16.1/0forIPv4addressesor
21DA:D3:0:2F3B forIPv6addresses.Fordualstack
configurations,enterbothanIPv4andIPv6address.
3. ClickOKtosavechanges.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 73
ConfigureaGlobalProtectGateway GlobalProtectGateways

ConfiguretheGateway(Continued)

Step3 Specifyhowthegatewayauthenticates SelectAuthenticationandthenconfigureanyofthefollowing:


users. Tosecurecommunicationbetweenthegatewayandtheagents,
IfyouhaventcreatedanSSL/TLSservice selecttheSSL/TLS Service Profileforthegateway.
profileforthegateway,seeDeploy Toauthenticateuserswithalocaluserdatabaseoranexternal
ServerCertificatestotheGlobalProtect authenticationservice,suchasLDAP,Kerberos,TACACS+,
Components. SAML,orRADIUS(includingOTP),AddaClientAuthentication
Ifyouhaventsetuptheauthentication configurationwiththefollowingsettings:
profilesorcertificateprofiles,see EnteraNametoidentifytheclientauthentication
Authenticationforinstructions. configuration.
Identifythetypeofclienttowhichthisconfiguration
applies.Bydefault,theconfigurationappliestoAnyclient,
butyoucancustomizethetypeofendpointbyOS (Android,
Chrome,iOS,Mac,Windows,orWindowsUWP)orby
thirdpartyIPSecVPNclients(X-Auth).
SelectoraddanAuthentication Profiletoauthenticatean
endpointseekingaccesstothegateway.
EnteranAuthentication Message tohelpendusers
understandwhichcredentialstousewhenloggingin.The
messagecanbeupto100charactersinlength(defaultis
Enter login credentials).
Toauthenticateusersbasedonaclientcertificateora
smartcard/CAC,selectthecorrespondingCertificate
Profile.
Tousetwofactorauthentication,selectbothanauthentication
profileandacertificateprofile.Keepinmindthattheusermust
successfullyauthenticateusingbothmethodstobegranted
access.

74 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
GlobalProtectGateways ConfigureaGlobalProtectGateway

ConfiguretheGateway(Continued)

Step4 Enabletunnelingandconfigurethe 1. OntheGlobalProtectGatewayConfigurationdialog,select


tunnelparameters. Agent > Tunnel Settings.
Thetunnelparametersarerequiredif 2. SelecttheTunnel Modecheckboxtoenabletunneling.
youaresettingupanexternalgateway.If
3. SelecttheTunnel InterfaceyoudefinedinStep 2inCreate
youareconfiguringaninternalgateway,
InterfacesandZonesforGlobalProtect.
theyareoptional.
Ifyouwanttoforceuseof 4. (Optional)SpecifyMax User forthemaximumnumberof
SSLVPNtunnelmode,clearthe usersthatcanaccessthegatewayatthesametimefor
Enable IPSeccheckbox.By authentication,HIPupdates,andGlobalProtectagentupdates
default,SSLVPNwillonlybe (rangevariesbasedontheplatformandisdisplayedwhenthe
usediftheendpointfailsto fieldisempty).
establishanIPSectunnel. 5. SelectaGlobalProtect IPSec CryptoprofiletosecuretheVPN
Extendedauthentication tunnelsbetweenGlobalProtectagentsandgateways.The
(XAuth)isonlysupportedon defaultprofileusesAES128CBCencryptionandsha1
IPSectunnels. authentication.
IfyouEnable X-Auth Support, YoucanalsocreateanewIPSeccryptoprofile.Tocreatea
GlobalProtectIPSecCrypto newprofile,selectNewGlobalProtect IPSec Cryptointhe
profilesarenotapplicable. samedropdownandconfigurethefollowing:
Formoreinformationon a. EnteraNametoidentifytheprofile.
supportedcryptographic b. AddtheAuthenticationandEncryptionalgorithmsthatthe
algorithms,seeReference: VPNpeerscanusetonegotiatethekeysforsecuringthe
GlobalProtectAgent datainthetunnel:
CryptographicFunctions. EncryptionIfyouarenotcertainofwhattheVPNpeers
support,youcanaddmultipleencryptionalgorithmsin
toptobottomorderofmosttoleastsecure,asfollows:
aes-256-gcm,aes-128-gcm,aes-128-cbc.Thepeers
negotiatethestrongestalgorithmtoestablishthetunnel.
AuthenticationSelecttheauthenticationalgorithm
(sha1)toprovidedataintegrityandauthenticity
protection.Althoughtheauthenticationalgorithmis
requiredfortheprofile,thissettingonlyappliestothe
AESCBCcipher(aes-128-cbc).IfyouuseanAESGCM
encryptionalgorithm(aes-256-gcmor aes-128-gcm),
thesettingisignoredbecausetheseciphersnatively
provideESPintegrityprotection.
c. ClickOKtosavetheprofile.
6. (Optional)SelectEnable X-Auth Support ifanyendpoint
needstoconnecttothegatewaybyusingathirdpartyVPN
(forexample,aVPNCclientrunningonLinux).Ifyouenable
XAuth,youmustprovidetheGroupnameandGroup
Passwordiftheendpointrequiresit.Bydefault,theuserisnot
requiredtoreauthenticateifthekeyusedtoestablishthe
IPSectunnelexpires.Torequireuserstoreauthenticate,clear
theoptiontoSkip Auth on IKE Rekey.
AlthoughXAuthaccessissupportedoniOSand
Androidendpoints,itprovideslimitedGlobalProtect
functionalityontheseendpoints.Instead,usethe
GlobalProtectappforsimplifiedaccesstoallthe
securityfeaturesthatGlobalProtectprovidesoniOS
andAndroidendpoints.TheGlobalProtectappforiOS
isavailableattheAppleAppStore.TheGlobalProtect
appforAndroidisavailableatGooglePlay.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 75
ConfigureaGlobalProtectGateway GlobalProtectGateways

ConfiguretheGateway(Continued)

Step5 (Optional)Modifythedefaulttimeout OntheGlobalProtectGatewayConfigurationdialog,selectAgent


settingsforendpoints. > Timeout Settingsandthenconfigurethefollowingsettings:
ModifythemaximumLogin Lifetimeforasinglegatewaylogin
session.Thedefaultloginlifetimeis30daysduringthe
lifetime,theuserstaysloggedinaslongasthegatewayreceives
aHIPcheckfromtheendpointwithintheInactivity Logout
period.Afterthistime,theloginsessionautomaticallylogsout.
Modifytheamountoftimeafterwhichaninactivesessionis
automaticallyloggedout.ThedefaultInactivity Logoutperiodis
3hours.AuserisloggedoutofGlobalProtectifthegateway
doesnotreceiveaHIPcheckfromtheendpointduringthe
configuredamountoftime.
Modifythenumberofminutesafterwhichidleusersarelogged
outofGlobalProtect.ThedefaultperiodforDisconnect on Idle
is180minutes.UsersareloggedoutofGlobalProtectifthe
GlobalProtectagenthasnotroutedtrafficthroughtheVPN
tunnelintheconfiguredamountoftime.Thissettingappliesto
GlobalProtectagentsthatusetheondemandconnectmethod
only.

76 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
GlobalProtectGateways ConfigureaGlobalProtectGateway

ConfiguretheGateway(Continued)

Step6 (Optional)Configureauthentication 1. OntheGlobalProtectGatewayConfigurationdialog,select


overridesettingstoenablethegateway Agent > Client Settings.
togenerateandacceptsecure, 2. Addanewagentconfigurationorselectanexisting
encryptedcookiestoauthenticatethe configuration.
user.Thiscapabilityallowstheuserto
providelogincredentialsonlyonce 3. EnteraNametoidentifytheagentconfiguration.
duringaspecifiedperiodoftime(for 4. ConfigurethefollowingsettingsintheAuthentication
example,every24hours). Override section:
Bydefault,agatewayauthenticatesthe Generate cookie for authentication overrideEnablethe
userwithanauthenticationprofileand gatewaytogenerateencrypted,endpointspecificcookies
optionalcertificateprofile.When andissuetheauthenticationcookiestotheendpoint.
authenticationoverrideisenabled, Accept cookie for authentication overrideEnablethe
GlobalProtectcachestheresultofa gatewaytoauthenticateuserswithavalid,encrypted
successfulloginandusesthecookieto cookie.Whentheagentpresentsavalidcookie,the
authenticatetheuserinsteadof gatewayverifiesthatthecookiewasencryptedbythe
promptingtheuserforcredentials.For portalorgateway,decryptsthecookie,andthen
moreinformation,seeCookie authenticatestheuser.
AuthenticationonthePortalorGateway.
Cookie LifetimeSpecifythehours,days,orweeksthatthe
Ifclientcertificatesarerequired,the
cookieisvalid.Defaultis24hours.Therangeforhoursis
endpointmustalsoprovideavalid
172;forweeks,152;andfordays,1365.Afterthe
certificatetobegrantedaccess.
cookieexpires,theusermustenterlogincredentials,and
Intheeventthatyouneedto thegatewaysubsequentlyencryptsanewcookietosendto
immediatelyblockaccesstoa theagent.Thisvaluecanbethesameasordifferentfrom
devicewhosecookiehasnotyet theCookie Lifetimeyouconfigurefortheportal.
expired(forexample,ifthe
Certificate to Encrypt/Decrypt CookieSelecttheRSA
deviceislostorstolen),youcan
certificatetousetoencryptanddecryptthecookie.You
immediatelyBlockDeviceAccess
mustusethesamecertificateontheportalandgateways.
byaddingthedevicetoablock
list. Asabestpractice,configuretheRSAcertificatetouse
thestrongestdigestalgorithmthatyournetwork
supports.
TheportalandgatewaysusetheRSAencryptpadding
schemePKCS#1V1.5togeneratethecookie(usingthe
publickeyofthecertificate)anddecryptthecookie(using
theprivatekeyofthecertificate).

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 77
ConfigureaGlobalProtectGateway GlobalProtectGateways

ConfiguretheGateway(Continued)

Step7 Configuretheuserorusergroupandthe Inagatewayagentconfiguration,selecttheUser/User Grouptab


endpointOStowhichtheagent andconfigurethefollowingsettings:
configurationapplies. Todeliverthisconfigurationtoagentsorappsrunningon
Thegatewayusestheuser/usergroup specificoperatingsystem,AddtheOS(Android,Chrome,iOS,
settingsyouspecifytodeterminewhich Mac,Windows,orWindowsUWP)towhichthisconfiguration
configurationtodelivertothe applies.OrleavethevalueinthissectionsettoAnytodeploy
GlobalProtectagentsthatconnect. theconfigurationbasedonuser/grouponly.
Therefore,ifyouhavemultiple Torestrictthisconfigurationtoaspecificuserand/orgroup,
configurations,youmustmakesureto clickAddintheUser/UserGroupsectionofthewindowand
orderthemproperly.Assoonasthe thenselecttheuserorgroupyouwanttoreceivethis
gatewayfindsamatch,itwilldeliverthe configurationfromthedropdown.Repeatthisstepforeach
configuration.Therefore,morespecific user/groupyouwanttoadd.
configurationsmustprecedemore Beforeyoucanrestricttheconfigurationtospecific
generalones.SeeStep 10for groups,youmustmapuserstogroupsasdescribedin
instructionsonorderingthelistofagent EnableGroupMapping.
configurations.
Torestricttheconfigurationtouserswhohavenotyetlogged
Networksettingsarenot intotheirsystems,selectpre-logonfromtheUser/UserGroup
requiredininternalgateway dropdown.
configurationsinnontunnel
Toapplytheconfigurationtoanyuserregardlessofloginstatus
mode,becauseagentsusethe
(bothprelogonandloggedinusers),selectanyfromthe
networksettingsassignedtothe
User/UserGroupdropdown.
physicalnetworkadapter.

Step8 (TunnelModeonly)Configuretheip Inagatewayagentconfiguration,selectAgent > IP Pools and


poolsavailabletoassigntothevirtual configureanyofthefollowingsettingsandthenclickOK:
networkadapterontheendpointwhen TospecifytheauthenticationserverIPaddresspooltoassign
anagentestablishesatunnelwiththe addressestoendpointsthatrequirestaticIPaddresses,select
gateway. theRetrieve Framed-IP-Address attribute from
IPpoolsandsplittunnelsettings authentication server checkboxandthenAddthesubnetorIP
arenotrequiredininternal addressrangetousetoassigntoremoteusersinthe
gatewayconfigurationsin Authentication Server IP Poolarea.Whenthetunnelis
nontunnelmodebecauseagents established,aninterfaceiscreatedontheremoteusers
usethenetworksettings computerwithanaddressinthesubnetorIPrangethatmatches
assignedtothephysicalnetwork theFramedIPattributeoftheauthenticationserver.
adapter. TheauthenticationserverIPaddresspoolmustbelarge
Youcanoptionallyuseaddress enoughtosupportallconcurrentconnections.IP
objectswhichallowyouto addressassignmentisstaticandisretainedaftertheuser
groupspecificsourceor disconnects.
destinationaddresseswhen TospecifytheIP PooltousetoassignIPaddresses,clickAdd
configuringgatewayIPaddress andthenspecifytheIPaddressrangeoraddressobjecttouse.
poolsoraccessroutes. YoucanconfigureIPv6orIPv4addresses.Asabestpractice,
useadifferentrangeofIPaddressesfromthoseassignedto
endpointsthatarephysicallyconnectedtoyourLANtoensure
properroutingbacktothegateway.

78 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
GlobalProtectGateways ConfigureaGlobalProtectGateway

ConfiguretheGateway(Continued)

Step9 (TunnelModeonly)Configurethesplit TorouteonlysometrafficlikelytrafficdestinedforyourLANto


tunnelsettingstoassigntothevirtual GlobalProtect,specifythedestinationsubnetsoraddressobject
networkadapterontheendpointwhen (oftypeIP Netmask)thatmustbeincludedorexcludedfromthe
anagentestablishesatunnelwiththe tunnel.Inthiscase,trafficthatisnotdestinedforaspecifiedaccess
gateway. routewillberoutedthroughtheendpointsphysicaladapterrather
thanthroughthevirtualadapter(thetunnel).Thefirewallsupports
upto100accessroutes.
Inagatewayagentconfiguration,selectAgent > Split Tunnel and
configureanyofthefollowingsettingsandthenclickOK:
Todisablesplittunnelingincludingdirectaccesstolocal
networksonWindowsandMacOSsystems,enableNo direct
access to local network.Inthiscase,userscannotsendtraffic
toproxiesorlocalresourceswhileconnectedtoGlobalProtect.
Todefinewhatdestinationsubnetstoroutethroughthetunnel
clickAddintheAccess Routeareaandthenentertheroutesas
follows:
(Optional)IntheIncludesarea,Addthedestination
subnetsoraddressobject(oftypeIP Netmask)toroute
onlysometrafficlikelytrafficdestinedforyourLANto
GlobalProtect.Thesearetheroutesthegatewaypushesto
theremoteusersendpointandtherebydetermineswhat
traffictheusersendpointcansendthroughtheVPN
connection.YoucanincludeIPv6orIPv4subnets.
(Optional)IntheExcludesarea,Addthedestination
subnetsoraddressobject(oftypeIP Netmask)thatyou
wanttheclienttoexclude.Theserouteswillbesent
throughtheendpointsphysicaladapterratherthan
throughthevirtualadapter(thetunnel).Excludedroutes
shouldbemorespecificthantheincludedroutes;
otherwise,youmayexcludemoretrafficthanyouintended.
YoucanexcludeIPv6orIPv4subnets.
ExcludingroutesisnotsupportedonAndroid.Only
IPv4routesaresupportedonChrome.

Step10 Arrangethegatewayagent Tomoveagatewayconfigurationuponthelistofconfigurations,


configurationssothattheproper selecttheconfigurationandclickMove Up.
configurationisdeployedtoeachagent. Tomoveagatewayconfigurationdownonthelistof
Whenanagentconnects,thegateway configurations,selecttheconfigurationandclickMove Down.
willcomparethesourceinformationin
thepacketagainsttheagent
configurationsyouhavedefined.Aswith
securityruleevaluation,thegateway
looksforamatchstartingfromthetopof
thelist.Whenitfindsamatch,itdelivers
thecorrespondingconfigurationtothe
agentorapp.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 79
ConfigureaGlobalProtectGateway GlobalProtectGateways

ConfiguretheGateway(Continued)

Step11 (TunnelModeonly)Specifythenetwork InaGlobalProtectGatewayConfiguration,selecttheAgent >


configurationsettingsfortheendpoints. Network Servicestabandconfigurethesettingsforendpointsin
Networksettingsarenot oneofthefollowingways:
requiredininternalgateway IfthefirewallhasaninterfacethatisconfiguredasaDHCP
configurationsinnontunnel client,settheInheritance Sourcetothatinterfaceandthe
modebecauseinthiscaseagents GlobalProtectagentwillbeassignedthesamesettingsreceived
usethenetworksettingsassigned bytheDHCPclient.YoucanalsoInherit DNS Suffixesfromthe
tothephysicalnetworkadapter. inheritancesource.
ManuallyassigntheDNSserver(s)andsuffix,andWINSservers
bycompletingthecorrespondingfields.

Step12 (Optional)Definethenotification InaGlobalProtectGatewayConfiguration,selecttheAgent > HIP


messagesenduserswillseewhena NotificationtabandAddanewHIPNotificationconfiguration:
securityrulewithahostinformation 1. FromtheHost Informationdropdown,selecttheHIPobject
profile(HIP)isenforced. orprofiletowhichthismessageapplies.
Thissteponlyappliesifyouhavecreated
2. SelectMatch MessageorNot Match Messageandthen
hostinformationprofilesandadded
Enablenotifications,dependingonwhetheryouwantto
themtoyoursecuritypolicies.Fordetails
displaythemessagewhenthecorrespondingHIPprofileis
onconfiguringtheHIPfeatureandfor
matchedinpolicyorwhenitisnotmatched.Insomecases,
moredetailedinformationaboutcreating
youmightwanttocreatemessagesforbothamatchanda
HIPnotificationmessages,seeHost
nonmatch,dependingontheobjectsonwhichyouare
Information.
matchingandwhatyourobjectivesareforthepolicy.Forthe
MatchMessage,youcanalsoenabletheoptiontoInclude
Mobile App Listtoindicatewhatapplicationscantriggerthe
HIPmatch.
3. SelectwhetheryouwanttodisplaythemessageasaSystem
Tray BalloonorasaPop Up Message.
4. EnterandformatthetextofyourmessageintheTemplate
textboxandthenclickOK.
5. Repeatthesestepsforeachmessageyouwanttodefine.

Step13 Savethegatewayconfiguration. 1. ClickOKtosavethesettingsandclosetheGlobalProtect


GatewayConfigurationdialog.
2. Committhechanges.

80 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
GlobalProtectPortals
TheGlobalProtectPortalprovidesthemanagementfunctionsforyourGlobalProtectinfrastructure.Every
endpointthatparticipatesintheGlobalProtectnetworkreceivesconfigurationinformationfromtheportal,
includinginformationaboutavailablegatewaysaswellasanyclientcertificatesthatmayberequiredto
connecttothegateways.Inaddition,theportalcontrolsthebehavioranddistributionoftheGlobalProtect
agentsoftwaretobothMacandWindowslaptops.

TheportaldoesnotdistributetheGlobalProtectappforuseonmobiledevices.TogettheGlobalProtectappfor
mobiledevices,endusersmustdownloaditfromthestorefortheirdevice:AppStoreforiOS,GooglePlayfor
Android,ChromeWebStoreforChromebooks,orMicrosoftStoreforWindows10UWP.However,theagent
configurationsthatgetdeployedtomobileappusersdoescontrolthegateway(s)towhichthemobiledevices
haveaccess.Formoredetailsonsupportedversions,seeWhatClientOSVersionsareSupportedwith
GlobalProtect?

InadditiontodistributingGlobalProtectclientsoftware,youcanconfiguretheGlobalProtect portal
to providesecureremoteaccesstocommonenterprisewebapplicationsthatuseHTML,HTML5,and
Javascripttechnologies.UsershavetheadvantageofsecureaccessfromSSLenabledwebbrowserswithout
installingGlobalProtectclientsoftware.Thisisusefulwhenyouneedtoenablepartnerorcontractoraccess
toapplications,andtosafelyenableunmanagedassets,includingpersonaldevices.RefertoGlobalProtect
ClientlessVPN.
Thefollowingsectionsprovideproceduresforsettinguptheportal:
PrerequisiteTasksforConfiguringtheGlobalProtectPortal
SetUpAccesstotheGlobalProtectPortal
DefinetheGlobalProtectClientAuthenticationConfigurations
DefinetheGlobalProtectAgentConfigurations
CustomizetheGlobalProtectAgent
CustomizetheGlobalProtectPortalLogin,Welcome,andHelpPages

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 81
PrerequisiteTasksforConfiguringtheGlobalProtectPortal GlobalProtectPortals

PrerequisiteTasksforConfiguringtheGlobalProtectPortal

BeforeyoucanconfiguretheGlobalProtectPortal,youmustcompletethefollowingtasks:
Createtheinterfaces(andzones)forthefirewallinterfacewhereyouplantoconfiguretheportal.See
CreateInterfacesandZonesforGlobalProtect.
Setuptheportalservercertificate,gatewayservercertificate,SSL/TLSserviceprofiles,and,optionally,
anyclientcertificatestodeploytoenduserstoenableSSL/TLSconnectionsfortheGlobalProtect
services.SeeEnableSSLBetweenGlobalProtectComponents.
Definetheoptionalauthenticationprofilesandcertificateprofilesthattheportalcanuseto
authenticateGlobalProtectusers.SeeAuthentication.
ConfigureaGlobalProtectGatewayandunderstandGatewayPriorityinaMultipleGateway
Configuration.

82 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
GlobalProtectPortals SetUpAccesstotheGlobalProtectPortal

SetUpAccesstotheGlobalProtectPortal

AfteryouhavecompletedthePrerequisiteTasksforConfiguringtheGlobalProtectPortal,configurethe
GlobalProtectPortalasfollows:

SetUpAccesstothePortal

Step1 Addtheportal. 1. SelectNetwork > GlobalProtect > Portals andclickAdd.


2. OntheGeneralpage,enteraNamefortheportal.Thename
cannotcontainspaces.
3. (Optional)Selectthevirtualsystemtowhichthisportal
belongsfromtheLocationfield.

Step2 Specifynetworksettingstoenable 1. SelecttheInterface.


agentstocommunicatewiththeportal. 2. SpecifytheIP Address TypeandIP address fortheportalweb
Ifyouhavenotyetcreatedthenetwork service:
interfacefortheportal,seeCreate TheIPaddresstypecanbeIPv4(forIPv4trafficonly),IPv6
InterfacesandZonesforGlobalProtect (forIPv6trafficonly,orIPv4 and IPv6.UseIPv4 and IPv6if
forinstructions.Ifyouhavenotyet yournetworksupportsdualstackconfigurations,where
createdanSSL/TLSserviceprofilefor IPv4andIPv6runatthesametime.
theportal,seeDeployServerCertificates
TheIPaddressmustbecompatiblewiththeIPaddress
totheGlobalProtectComponents.
type.Forexample,172.16.1/0forIPv4addressesor
21DA:D3:0:2F3B forIPv6addresses.Fordualstack
configurations,enterbothanIPv4andIPv6address.
3. SelectanSSL/TLS Service Profile.

Step3 Disabletheloginpageentirelyorchoose ChooseaPortal Login Pageforuseraccesstotheportalor


yourownloginpageorhelppage. importanewone,orDisableaccesstotheGlobalProtectportal
Althoughoptional,acustomloginorhelp loginpagefromawebbrowser.
pageletsyoudecideonthelookand ChooseaApp Help PagetoassisttheuserwithGlobalProtector
contentofthepages.SeeCustomizethe importanewone.
GlobalProtectPortalLogin,Welcome,
andHelpPages.

Step4 Specifyhowtheportalauthenticatesthe OntheGlobalProtectPortalConfigurationdialog,select


users. Authentication,andthenconfigureanyofthefollowing:
Ifyouhavenotyetcreatedaserver Tosecurecommunicationbetweentheportalandtheagents,
certificatefortheportalandissued selecttheSSL/TLS Service Profileyouconfiguredforthe
gatewaycertificates,seeDeployServer portal.
CertificatestotheGlobalProtect Toauthenticateusersusingalocaluserdatabaseoranexternal
Components. authenticationservice,suchasLDAP,Kerberos,TACACS+,
SAML,orRADIUS(includingOTP),DefinetheGlobalProtect
ClientAuthenticationConfigurations.

Step5 Savetheportalconfiguration. 1. ClickOKtosavethesettingsandclosetheGlobalProtect


PortalConfigurationdialog.
2. Committhechanges.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 83
DefinetheGlobalProtectClientAuthenticationConfigurations GlobalProtectPortals

DefinetheGlobalProtectClientAuthentication
Configurations

EachGlobalProtectclientauthenticationconfigurationspecifiesthesettingsthatenabletheuserto
authenticatewiththeGlobalProtectportal.YoucancustomizethesettingsforeachOSoryoucanconfigure
thesettingstoapplytoalldevices.Forexample,youcanconfigureAndroiduserstouseRADIUS
authenticationandWindowsuserstouseLDAPauthentication.Youcanalsocustomizetheclient
authenticationforuserswhoaccesstheportalfromawebbrowser(todownloadtheGlobalProtectagent)
orforthirdpartyIPSecVPN(XAuth)accesstoGlobalProtectgateways.

DefinetheGlobalProtectClientAuthenticationConfigurations

Step1 SetUpAccesstotheGlobalProtect 1. SelectNetwork > GlobalProtect > Portals.


Portal. 2. Selecttheportalconfigurationtowhichyouareaddingthe
clientconfigurationandthenselecttheAuthenticationtab.

Step2 Specifyhowtheportalauthenticatesthe IntheClientAuthenticationarea,Addanewconfigurationwiththe


users. followingsettings:
YoucanconfiguretheGlobalProtect EnteraNametoidentifytheclientauthenticationconfiguration.
portaltoauthenticateusersusingalocal Specifytheendpointstowhichtodeploythisconfiguration.By
userdatabaseoranexternal default,theconfigurationappliestoallendpoints.Otherwise,
authenticationservice,suchasLDAP, youcanapplytheconfigurationtoendpointsrunningaspecific
Kerberos,TACACS+,SAML,orRADIUS OS(Android,Chrome,iOS,Mac,Windows,orWindowsUWP)or
(includingOTP).Ifyouhavenotyetset toendpointsthataccesstheportalfromawebBrowserwith
uptheauthenticationprofilesand/or theintentofdownloadingtheGlobalProtectagentortocreate
certificateprofiles,seeAuthentication anewclientauthenticationspecificallyforGlobalProtect
forinstructions. ClientlessVPN.
SelectoraddanAuthentication Profileforauthenticatingan
endpointthattriestoaccessthegateway.
EnteranAuthentication Messagetohelpendusersunderstand
whichcredentialstousewhenloggingin.Themessagecanbe
upto100charactersinlength(defaultisEnter login
credentials).

Step3 Arrangetheclientauthentication Tomoveaclientauthenticationconfigurationuponthelistof


configurationswithOSspecific configurations,selecttheconfigurationandclickMove Up.
configurationsatthetopofthelist,and Tomoveaclientauthenticationconfigurationdownonthelistof
configurationsthatapplytoAnyOSat configurations,selecttheconfigurationandclickMove Down.
thebottomofthelist.Aswithsecurity
ruleevaluation,theportallooksfora
matchstartingfromthetopofthelist.
Whenitfindsamatch,itdeliversthe
correspondingconfigurationtotheagent
orapp.

Step4 (Optional)Toenabletwofactor SelectthecorrespondingCertificate Profiletoauthenticateusers


authenticationusinganauthentication basedonaclientcertificateorsmartcard.
profileandacertificateprofile,configure TheCommonName(CN)and,ifapplicable,theSubject
bothinthisportalconfiguration. AlternativeName(SAN)fieldsofthecertificatemust
Keepinmindtheportalmust exactlymatchtheIPaddressorFQDNoftheinterface
authenticatetheclientbyusingboth whereyouconfiguretheportalorHTTPSconnectionsto
methodsbeforetheusercangainaccess. theportalwillfail.

84 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
GlobalProtectPortals DefinetheGlobalProtectClientAuthenticationConfigurations

DefinetheGlobalProtectClientAuthenticationConfigurations(Continued)

Step5 Savetheportalconfiguration. 1. ClickOKtosavethesettingsandclosetheGlobalProtect


PortalConfigurationdialog.
2. Committhechanges.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 85
DefinetheGlobalProtectClientAuthenticationConfigurations GlobalProtectPortals

Define the GlobalProtect Agent Configurations

AfteraGlobalProtectuserconnectstotheportalandisauthenticatedbytheGlobalProtectportal,theportal
sendstheagentconfigurationtotheagentorapp,basedonthesettingsyoudefined.Ifyouhavedifferent
rolesforusersorgroupsthatneedspecificconfigurations,youcancreateaseparateagentconfigurationfor
eachusertypeorusergroup.TheportalusestheOSoftheendpointandtheusernameorgroupnameto
determinetheagentconfigurationtodeploy.Aswithothersecurityruleevaluations,theportalstartsto
searchforamatchatthetopofthelist.Whenitfindsamatch,theportalsendstherightconfigurationto
theagentorapp.
Theconfigurationcanincludethefollowing:
Alistofgatewaystowhichtheclientcanconnect.
Amongtheexternalgateways,anygatewaythattheusercanmanuallyselectforthesession.
TherootCAcertificaterequiredtoenabletheagentorapptoestablishanSSLconnectionwiththe
GlobalProtectgateway(s).
TherootCAcertificateforSSLforwardproxydecryption.
Theclientcertificatethattheendpointshouldpresenttothegatewaywhenitconnects.This
configurationisrequiredonlyifmutualauthenticationbetweentheclientandtheportalorgatewayis
required.
Asecureencryptedcookiethattheendpointshouldpresenttotheportalorgatewaywhenitconnects.
Thecookieisincludedonlyifyouenabletheportaltogenerateone.
Thesettingstheendpointusestodeterminewhetheritisconnectedtothelocalnetworkortoan
externalnetwork.
Settingsforthebehavioroftheagentorapp,suchaswhattheenduserscanseeintheirdisplay,whether
theycansavetheirGlobalProtectpassword,andwhethertheyarepromptedtoupgradetheirsoftware.

Iftheportalisdownorunreachable,theagentwillusethecachedversionofitsagentconfigurationfromitslast
successfulportalconnectiontoobtainsettings,includingthegateway(s)towhichtheagentcanconnect,what
rootCAcertificate(s)tousetoestablishsecurecommunicationwiththegateway(s),andwhatconnectmethod
touse.

86 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
GlobalProtectPortals DefinetheGlobalProtectClientAuthenticationConfigurations

Usethefollowingproceduretocreateanagentconfiguration.

CreateaGlobalProtectAgentConfiguration

Step1 AddthetrustedRootCAcertificates 1. SelectNetwork > GlobalProtect > Portals.


thattheclientwillusetoperform 2. Selecttheportalconfigurationtowhichyouareaddingthe
certificatecheckswhenitconnectsto agentconfigurationandthenselecttheAgent tab.
theGlobalProtectgateway(s).Ifyoudo
notaddatrustedrootCAcertificateto 3. IntheTrusted Root CAfield,AddandthenselecttheCA
theagentconfiguration,theassociated certificatethatwasusedtoissuethegatewayserver
clientdoesnotperformcertificate certificates.Asabestpractice,allofyourgatewaysshoulduse
checkswhenitconnects. thesameissuer.
Asabestpractice,alwaysdeploy
thetrustedrootCAcertificatesin
theagentconfiguration.This
certificatedeploymentensures
thattheagentsorappsperforma
certificatechecktovalidatethe
identityofthegatewaybeforeit
connects.Thiscertificate
installationprotectstheagentor
appfrommaninthemiddle
attacks.

Step2 (Optional)AddthetrustedRootCA 1. AddthecertificateasdescribedinStep 1.


certificatethatthefirewallwillusefor 2. Totherightofthecertificate,selecttheInstall in Local Root
SSLforwardproxydecryption.The Certificate Storeoption.
firewallusesthiscertificate(onWindows
Theportalautomaticallysendsthecertificatewhentheuser
andMacendpointsonly)toterminatethe
logsintotheportalandinstallsitintheclient'slocalstorethus
HTTPSconnection,inspectthetrafficfor
eliminatingtheneedforyoutoinstallthecertificatemanually.
policycompliance,andreestablishthe
HTTPSconnectiontoforwardthe
encryptedtraffic.

Step3 Addanagentconfiguration. 1. IntheAgentarea,Addanewconfiguration.


Theagentconfigurationspecifiesthe 2. EnteraNametoidentifytheconfiguration.Ifyouplanto
GlobalProtectconfigurationsettingsto createmultipleconfigurations,makesurethenameyoudefine
deploytotheconnectingagents/apps. foreachisdescriptiveenoughtoallowyoutodistinguishthem.
Youmustdefineatleastoneagent
configuration.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 87
DefinetheGlobalProtectClientAuthenticationConfigurations GlobalProtectPortals

CreateaGlobalProtectAgentConfiguration(Continued)

Step4 (Optional)Configuresettingstospecify OntheAuthenticationtab,configureanyofthefollowing


howuserswiththisconfigurationwill authenticationsettings:
authenticatewiththeportal. Toenableuserstoauthenticatewiththeportalusingclient
Ifthegatewayistoauthenticatethe certificates,selecttheClient Certificatesource(SCEP,Local,or
clientsbyusingaclientcertificate,you None)thatdistributesthecertificateanditsprivatekeytoan
mustselectthesourcethatdistributes endpoint.IfyouuseaninternalCAtodistributecertificatesto
thecertificate. clients,selectNone(default).Toenabletheportaltogenerate
andsendamachinecertificatetotheagentforstorageinthe
localcertificatestoreandusethecertificateforportaland
gatewayauthentication,selectSCEPandtheassociatedSCEP
profile.Thesecertificatesaredevicespecificandcanonlybe
usedontheendpointtowhichitwasissued.Tousethesame
certificateforallendpoints,selectacertificatethatisLocalto
theportal.WithNone,theportaldoesnotpushacertificateto
theclient,butyoucanusecanotherwaystogetacertificateto
theclientsendpoint.
SpecifywhethertoSave User Credentials.SelectYestosave
theusernameandpassword(default),Save Username Onlyto
saveonlytheusername,orNotoneversavecredentials.
Ifyouconfiguretheportalorgatewaystopromptforadynamic
passwordsuchasaonetimepassword(OTP),theusermust
enteranewpasswordateachlogin.Inthiscase,the
GlobalProtectagent/appignorestheselectiontosaveboththe
usernameandpassword,ifspecified,andsavesonlythe
username.Formoreinformation,seeEnableTwoFactor
AuthenticationUsingOneTimePasswords(OTPs).

Step5 IftheGlobalProtectendpointdoesnot 1. OntheInternaltab,selecttheInternal Host Detectioncheck


requiretunnelconnectionswhenitison box.
theinternalnetwork,configureinternal 2. EntertheIP Addressofahostthatcanbereachedfromthe
hostdetection. internalnetworkonly.YoucanconfigureIPv4orIPv6
addressingforInternal Host Detection.TheIPaddressyou
specifymustbecompatiblewiththeIPaddresstype.For
example,172.16.1.0forIPv4or21DA:D3:0:2F3bforIPv6.
3. EntertheDNSHostnamefortheIPaddressyouentered.
ClientsthattrytoconnecttoGlobalProtectattempttodoa
reverseDNSlookuponthespecifiedaddress.Ifthelookup
fails,theclientdeterminesthatitisontheexternalnetwork
andtheninitiatesatunnelconnectiontoagatewayonitslist
ofexternalgateways.

Step6 Setupaccesstoathirdpartymobile 1. EntertheIPaddressorFQDNofthedevicecheckininterface


endpointmanagementsystem. associatedwithyourmobileendpointmanagementsystem.
Thisstepisrequiredifthemobiledevices Thevalueyouenterheremustexactlymatchthevalueofthe
usingthisconfigurationwillbemanaged servercertificateassociatedwiththedevicecheckin
byathirdpartymobileendpoint interface.YoucanspecifyanIPv6orIPv4address.
managementsystem.Alldeviceswill 2. SpecifytheEnrollment Portonwhichthemobileendpoint
initiallyconnecttotheportaland,ifa managementsystemwillbelisteningforenrollmentrequests.
thirdpartymobileendpoint Thisvaluemustmatchthevaluesetonthemobileendpoint
managementsystemisconfiguredonthe managementsystem(default=443).
correspondingportalagent
configuration,thedevicewillbe
redirectedtoitforenrollment.

88 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
GlobalProtectPortals DefinetheGlobalProtectClientAuthenticationConfigurations

CreateaGlobalProtectAgentConfiguration(Continued)

Step7 Configuretheuserorusergroupandthe SelecttheUser/User Grouptabandthenspecifyanyusers,user


endpointOStowhichtheagent groups,and/oroperatingsystemstowhichthisconfiguration
configurationapplies. shouldapply:
Theportalusestheuser/usergroup Todeliverthisconfigurationtoagentsorappsrunningon
settingsyouspecifytodeterminewhich specificoperatingsystem,AddtheOS(Android,Chrome,iOS,
configurationtodelivertothe Mac,Windows,orWindowsUWP)towhichthisconfiguration
GlobalProtectagentsthatconnect. applies.OrleavethevalueinthissectionsettoAnytodeploythe
Therefore,ifyouhavemultiple configurationbasedonuser/grouponly.
configurations,youmustmakesureto Torestrictthisconfigurationtoaspecificuserand/orgroup,
orderthemproperly.Assoonasthe clickAddintheUser/UserGroupsectionofthewindowand
portalfindsamatch,itwilldeliverthe thenselecttheuserorgroupyouwanttoreceivethis
configuration.Therefore,morespecific configurationfromthedropdown.Repeatthisstepforeach
configurationsmustprecedemore user/groupyouwanttoadd.
generalones.SeeStep 13for Beforeyoucanrestricttheconfigurationtospecific
instructionsonorderingthelistofagent groups,youmustmapuserstogroupsasdescribedin
configurations. EnableGroupMapping.
Torestricttheconfigurationtouserswhohavenotyetloggedin
totheirsystems,selectpre-logonfromtheUser/UserGroup
dropdown.
Toapplytheconfigurationtoanyuserregardlessofloginstatus
(bothprelogonandloggedinusers),selectanyfromthe
User/UserGroupdropdown.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 89
DefinetheGlobalProtectClientAuthenticationConfigurations GlobalProtectPortals

CreateaGlobalProtectAgentConfiguration(Continued)

Step8 Specifytheexternalgatewaystowhich 1. ClickAddontheExternaltab.


userswiththisconfigurationcan 2. EnteradescriptiveNameforthegateway.Thenameyouenter
connect. hereshouldmatchthenameyoudefinedwhenyouconfigured
Considerthefollowingbest thegatewayandshouldbedescriptiveenoughforusersto
practiceswhenyouconfigurethe knowthelocationofthegatewaytheyareconnectedto.
gateways:
3. EntertheFQDNorIPaddressoftheinterfacewherethe
Ifyouareaddingbothinternal gatewayisconfiguredintheAddressfield.Youcanconfigure
andexternalgatewaystothe anIPv4orIPv6address.Theaddressyouspecifymustexactly
sameconfiguration,makesureto matchtheCommonName(CN)inthegatewayserver
enableInternalHostDetection. certificate.
SeeStep 5inDefinethe
GlobalProtectAgent 4. AddoneormoreSource Regionsforthegateway,orselect
Configurationsforinstructions. Anytomakethegatewayavailabletoallregions.Whenusers
connect,GlobalProtectrecognizesthedeviceregionandonly
Tolearnmoreabouthowa
allowsusestoconnecttogatewaysthatareconfiguredforthat
GlobalProtectclientdetermines
region.Forgatewaychoices,sourceregionisconsideredfirst,
thegatewaytowhichitshould
thengatewaypriority.
connect,seeGatewayPriorityin
aMultipleGateway 5. SetthePriorityofthegatewaybyclickinginthefieldand
Configuration. selectingavalue:
Ifyouhaveonlyoneexternalgateway,youcanleavethe
valuesettoHighest(thedefault).
Ifyouhavemultipleexternalgateways,youcanmodifythe
priorityvalues(rangingfromHighesttoLowest)toindicate
apreferenceforthespecificusergrouptowhichthis
configurationapplies.Forexample,ifyoupreferthatthe
usergroupconnectstoalocalgatewayyouwouldsetthe
priorityhigherthanthatofmoregeographicallydistant
gateways.Thepriorityvalueisthenusedtoweightthe
agentsgatewayselectionalgorithm.
Ifyoudonotwantagentstoautomaticallyestablishtunnel
connectionswiththegateway,selectManual only.This
settingisusefulintestingenvironments.
6. SelecttheManualcheckboxifyouwanttoallowuserstobe
abletomanuallyswitchtothegateway.

90 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
GlobalProtectPortals DefinetheGlobalProtectClientAuthenticationConfigurations

CreateaGlobalProtectAgentConfiguration(Continued)

Step9 Specifytheinternalgatewaystowhich 1. OntheInternaltab,clickAddintheInternal Gateways


userswiththisconfigurationcan section.
connect. 2. EnteradescriptiveNameforthegateway.Thenameyouenter
Makesureyoudonotuse hereshouldmatchthenameyoudefinedwhenyouconfigured
ondemandastheconnect thegatewayandshouldbedescriptiveenoughforusersto
methodifyourconfiguration knowthelocationofthegatewaytheyareconnectedto.
includesinternalgateways.
3. EntertheFQDNorIPaddressoftheinterfacewherethe
gatewayisconfiguredintheAddressfield.Youcanconfigure
anIPv4orIPv6address.Theaddressyouspecifymustexactly
matchtheCommonName(CN)inthegatewayserver
certificate.
4. (Optional)AddoneormoreSource Addresses tothegateway
configuration.ThesourceaddresscanbeanIPsubnetor
range.Itcanalsobeapredefinedaddress.GlobalProtect
supportsbothIPv6andIPv4addresses.Whenusersconnect,
GlobalProtectrecognizesthesourceaddressofthedeviceand
onlyallowsuserstoconnecttogatewaysthatareconfigured
forthataddress.
5. ClickOKtosaveyourchanges.
6. (Optional)AddaDHCP Option 43 Codetothegateway
configuration.Youcanincludeoneormoresuboptioncodes
associatedwiththevendorspecificinformation(Option43)
thattheDHCPserverhasbeenconfiguredtooffertheclient.
Forexample,youmighthaveasuboptioncode100thatis
associatedwithanIPaddressof192.168.3.1.
Whenauserconnects,theGlobalProtectportalsendsthelist
ofoptioncodesintheportalconfigurationtothe
GlobalProtectagentandtheagentselectsgatewaysindicated
bytheoptions.
WhenboththesourceaddressandDHCPoptionsare
configured,thelistofavailablegatewayspresentedtothe
clientisbasedonthecombination(union)ofthetwo
configurations.
DHCPoptionsaresupportedonWindowsandMac
endpointsonly.DHCPoptionscannotbeusedtoselect
gatewaysthatuseIPv6addressing.
7. (Optional)SelectInternal Host Detectiontoallowthe
GlobalProtectagenttodetermineifitisinsidetheenterprise
network.Whentheuserattemptstologin,theagentdoesa
reverseDNSlookupoftheinternalHostnametothespecified
IP Address.
Thehostservesasareferencepointthatisreachableifthe
endpointisinsidetheenterprisenetwork.Iftheagentfindsthe
host,theendpointisinsidethenetworkandtheagent
connectstoaninternalgateway;iftheagentfailstofindthe
internalhost,theendpointisoutsidethenetworkandthe
agentestablishesatunneltooneoftheexternalgateways.
YoucanconfigureIPv4orIPv6addressingforInternal Host
Detection.TheIPaddressyouspecifymustbecompatiblewith
theIPaddresstype.Forexample,172.16.1.0forIPv4or
21DA:D3:0:2F3bforIPv6.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 91
DefinetheGlobalProtectClientAuthenticationConfigurations GlobalProtectPortals

CreateaGlobalProtectAgentConfiguration(Continued)

Step10 Customizethebehaviorofthe SelecttheApptabandthenmodifytheagentsettingsasdesired.


GlobalProtectagentforuserswiththis Formoredetailsabouteachoption,seeCustomizethe
configuration. GlobalProtectAgent.

Step11 (Optional)Defineanycustomhost 1. SelectData Collection andenabletheGlobalProtectagentto


informationprofile(HIP)datathatyou Collect HIP Data.
wanttheagenttocollectand/orexclude 2. SelectExclude Categoriestoexcludespecificcategories
HIPcategoriesfromcollection. and/orvendors,applications,orversionswithinacategory.For
Thissteponlyappliesifyouplantouse moredetails,seeStep 3inConfigureHIPBasedPolicy
theHIPfeatureandthereisinformation Enforcement.
youwanttocollectthatcannotbe
3. SelectCustom Checkstodefineanycustomdatayouwantto
collectedusingthestandardHIPobjects
collectfromhostsrunningthisagentconfiguration,andadd
orifthereisHIPinformationthatyouare
thecategoryandvendor.Formoredetails,seeStep 2inHost
notinterestedincollecting.SeeHost
Information.
Informationfordetailsonsettingupand
usingtheHIPfeature.

Step12 Savetheagentconfiguration. 1. ClickOKtosavethesettingsandclosetheConfigsdialog.


2. Ifyouwanttoaddanotheragentconfiguration,repeatStep 3
throughStep 12.

Step13 Arrangetheagentconfigurationssothat Tomoveanagentconfigurationuponthelistofconfigurations,


theproperconfigurationisdeployedto selecttheconfigurationandclickMove Up.
eachagent. Tomoveanagentconfigurationdownonthelistof
Whenanagentconnects,theportalwill configurations,selecttheconfigurationandclickMove Down.
comparethesourceinformationinthe
packetagainsttheagentconfigurations
youhavedefined.Aswithsecurityrule
evaluation,theportallooksforamatch
startingfromthetopofthelist.Whenit
findsamatch,itdeliversthe
correspondingconfigurationtotheagent
orapp.

Step14 Savetheportalconfiguration. 1. ClickOKtosavethesettingsandclosetheGlobalProtectPortal


Configurationdialog.
2. Committhechanges.

92 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
GlobalProtectPortals DefinetheGlobalProtectClientAuthenticationConfigurations

Customize the GlobalProtect Agent

TheportalagentconfigurationallowsyoutocustomizehowyourendusersinteractwiththeGlobalProtect
agentsinstalledontheirsystemsortheGlobalProtectappinstalledontheirmobiledevices.Youcandefine
differentagentsettingsforthedifferentGlobalProtectagentconfigurationsyoucreate.Formore
informationonGlobalProtectclientrequirements,seeWhatClientOSVersionsareSupportedwith
GlobalProtect?
Youcancustomizethedisplayandbehavioroftheagent.Forexample,youcanspecifythefollowing:
Whatmenusandviewsuserscanaccess.
Whetheruserscandisabletheagent(appliestotheuserlogonconnectmethodonly).
Whethertodisplayawelcomepageuponsuccessfullogin.Youcanalsoconfigurewhetherornotthe
usercandismissthewelcomepageandyoucancreatecustomwelcomeandhelppagesthatexplainhow
touseGlobalProtectwithinyourenvironment.SeeCustomizetheGlobalProtectPortalLogin,Welcome,
andHelpPages.
Whetheragentupgradesoccurautomaticallyorwhetherusersarepromptedtoupgrade.
Promptusersifmultifactorauthenticationisneededtoaccesssensitivenetworkresources.

YoucanalsodefineagentsettingsdirectlyfromtheWindowsregistryortheglobalMacplist.For
WindowsclientsyoucanalsodefineagentsettingsdirectlyfromtheWindowsinstaller(Msiexec).
Settingsdefinedintheportalagentconfigurationsinthewebinterfacetakeprecedenceover
settingsdefinedintheWindowsregistry/MsiexecortheMacplist.Formoredetails,seeDeploy
AgentSettingsTransparently.

AdditionaloptionsthatareavailablethroughtheWindowscommandline(Msiexec)orWindowsregistry
only,enableyouto(formoreinformation,seeCustomizableAgentSettings):
SpecifywhethertheagentshouldprompttheenduserforcredentialsifWindowsSSOfails.
SpecifythedefaultportalIPaddress(orhostname).
EnableGlobalProtecttoinitiateaVPNconnectionbeforetheuserlogsintotheendpoint.
DeployscriptsthatrunbeforeorafterGlobalProtectestablishesaVPNconnectionorafterGlobalProtect
disconnectstheVPNconnection.
EnabletheGlobalProtectagenttowrapthirdpartycredentialsontheWindowsclient,allowingforSSO
whenusingathirdpartycredentialprovider.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 93
DefinetheGlobalProtectClientAuthenticationConfigurations GlobalProtectPortals

UsethefollowingproceduretocustomizetheGlobalProtectagent.

CustomizetheAgent

Step1 SelecttheAgenttabintheagent 1. SelectNetwork > GlobalProtect > Portals andselecttheportal


configurationyouwanttocustomize. configurationforwhichyouwanttoaddanagent
Youcanalsoconfiguremost configuration(orAddanewconfiguration).
settingsthatareontheApptab 2. SelecttheAgent tabandselecttheconfigurationyouwantto
fromagrouppolicybyadding modify(orAddanewconfiguration).
settingstotheWindows
3. SelecttheApptab.
registry/Macplist.OnWindows
systems,youcanalsosetthem TheAppConfigurationsareadisplaystheoptionswithdefault
usingtheMsiexecutilityonthe valuesthatyoucancustomizeforeachagentconfiguration.
commandlineduringtheagent Whenyouchangethedefaultbehavior,thewebinterface
installation.However,settings changesthecolorfromgraytothedefaulttextcolor.
definedinthewebinterfaceor
theCLItakeprecedenceover
registry/plistsettings.See
DeployAgentSettings
Transparentlyfordetails.

94 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
GlobalProtectPortals DefinetheGlobalProtectClientAuthenticationConfigurations

CustomizetheAgent(Continued)

Step2 SpecifytheConnect Method thatan IntheAppConfigurationsarea,configureanyofthefollowing


agentorappusesforitsGlobalProtect options:
connection. SelectaConnect Method:
Considerthefollowingbest User-logon (Always On)TheGlobalProtectagent
practiceswhenyouconfigurethe automaticallyconnectstotheportalassoonastheuserlogs
Connect Method: intotheendpoint(ordomain).Whenusedinconjunction
UseonlytheOn-demand withSSO(Windowsusersonly),GlobalProtectloginis
option(default)ifyouareusing transparenttotheenduser.
GlobalProtectforVPNaccessto OniOSendpoints,thissettingpreventsonetime
externalgateways. password(OTP)applicationsfromworkingbecause
DonotusetheOn-demand GlobalProtectforcesalltraffictogothroughthe
optionifyouplantorunthe tunnel.
GlobalProtectagentinhidden Pre-logon (Always On)Authenticatestheuserand
mode. establishesaVPNtunneltotheGlobalProtectgateway
Forfasterconnectiontimes,use beforetheuserlogsintotheclient.Thisoptionrequiresthat
internalhostdetectionin youuseanexternalPKIsolutiontopredeployamachine
configurationswhereyouhave certificatetoeachendpointthatreceivesthisconfiguration.
enabledSSO. SeeRemoteAccessVPNwithPreLogonfordetailsabout
prelogon.
On-demand (Manual user initiated connection)Userswill
havetomanuallylaunchtheagenttoconnectto
GlobalProtect.Usethisconnectmethodforexternal
gatewaysonly.
Pre-logon then On-demandSimilartothePre-logon
(Always On)connectmethod,thisconnectmethod(which
requiresContentReleaseversion5903397orlater)
enablestheGlobalProtectagenttoauthenticatetheuser
andestablishaVPNtunneltotheGlobalProtectgateway
beforetheuserlogsintotheclient.Unliketheprelogon
connectionmethod,aftertheuserlogsintotheclient,users
mustmanuallylaunchtheagenttoconnecttoGlobalProtect
iftheconnectionisterminatedforanyreason.Thebenefit
ofthisoptionisthatyoucanallowausertospecifyanew
passwordafterpasswordexpirationorauserforgetstheir
passwordbutstillrequiretheusertomanuallyinitiatethe
connectionaftertheuserlogsin.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 95
DefinetheGlobalProtectClientAuthenticationConfigurations GlobalProtectPortals

CustomizetheAgent(Continued)

Step3 Specifywhethertoenforce IntheAppConfigurationsarea,configureanyofthefollowing


GlobalProtectconnectionsfornetwork options:
access. ToforceallnetworktraffictotraverseaGlobalProtecttunnel,
ToenforceGlobalProtectfor setEnforce GlobalProtect Connection for Network Accessto
networkaccess,werecommend Yes.Bydefault,GlobalProtectisnotrequiredfornetworkaccess
thatyouenablethisfeatureonly meaninguserscanstillaccesstheinternetifGlobalProtectis
forusersthatconnectin disabledordisconnected.Toprovideinstructionstousersbefore
User-logonorPre-logonmodes. trafficisblocked,configureaTraffic Blocking Notification
Usersthatconnectin Messageandoptionallyspecifywhentodisplaythemessage
On-demandmodemaynotbe (Traffic Blocking Notification Delay).
abletoestablishaconnection Topermittrafficrequiredtoestablishaconnectionwitha
withinthepermittedgrace captiveportal,specifyaCaptive Portal Exception Timeout.The
periods. usermustauthenticatewiththeportalbeforethetimeout
expires.Toprovideadditionalinstructions,configureaCaptive
Portal Detection Message.
ThesefeaturesrequireContentReleaseversion6073486
orlater.

Step4 SpecifyadditionalGlobalProtect IntheAppConfigurationsarea,configureanyofthefollowing


connectionsettings. options:
Withsinglesignon(SSO) (Windowsonly)SetUse Single Sign-OntoNotodisallow
enabled(thedefault),the GlobalProtecttousetheWindowslogincredentialsto
GlobalProtectagentusesthe automaticallyauthenticatetheuseruponlogintoActive
usersWindowslogincredentials Directory.
toautomaticallyauthenticateto EntertheMaximum Internal Gateway Connection Attemptsto
andconnecttotheGlobalProtect specifythenumberoftimestheGlobalProtectagentshould
portalandgateway. retrytheconnectiontoaninternalgatewayafterthefirst
GlobalProtectwithSSOenabled attemptfails(rangeis0100;4or5isrecommended;defaultis
alsoallowsfortheGlobalProtect 0,whichmeanstheGlobalProtectagentdoesnotretrythe
agenttowrapthirdparty connection).Byincreasingthevalue,youenabletheagentto
credentialstoensurethat connecttoaninternalgatewaythatistemporarilydownor
Windowsuserscanauthenticate unreachableduringthefirstconnectionattemptbutcomesback
andconnect,evenwhena upbeforethespecifiednumberofretriesareexhausted.
thirdpartycredentialprovideris Increasingthevaluealsoensuresthattheinternalgateway
beingusedtowraptheWindows receivesthemostuptodateuserandhostinformation.
logincredentials. EntertheGlobalProtect App Config Refresh Interval (hours) to
specifythenumberofhourstheGlobalProtectportalwaits
beforeitinitiatesthenextrefreshofaclientsconfiguration
(rangeis1168;defaultis24).
SpecifywhethertoRetain Connection on Smart Card Removal.
Bydefault,theoptionissettoYes,meaningGlobalProtect
retainsthetunnelwhenauserremovesasmartcardcontaining
aclientcertificate.Toterminatethetunnel,setthisoptiontoNo.
Thedecisiononwhethertoretaintheconnectiondependson
yoursecurityrequirements.
ThisfeaturerequiresContentReleaseversion5903397
oralaterversion.

96 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
GlobalProtectPortals DefinetheGlobalProtectClientAuthenticationConfigurations

CustomizetheAgent(Continued)

Step5 ConfigurethemenusandUIviewsthat Configureanyorallofthefollowingoptions:


areavailabletouserswhohavethis Ifyouwantuserstobeabletoseeonlybasicstatusinformation
agentconfiguration. withintheapplication,setEnable Advanced ViewtoNo.By
default,theadvancedviewisenabled.Itallowsuserstosee
detailedstatistical,host,andtroubleshootinginformationandto
performcertaintasks,suchaschangingtheirpassword.
IfyouwanthidetheGlobalProtectagentonendusersystems,
setDisplay GlobalProtect IcontoNo.Whentheiconishidden,
userscannotperformothertaskssuchaschangingpasswords,
rediscoveringthenetwork,resubmittinghostinformation,
viewingtroubleshootinginformation,orperformingan
ondemandconnection.However,HIPnotificationmessages,
loginprompts,andcertificatedialogswillstilldisplayas
necessaryforinteractingwiththeenduser.
Topreventusersfromperforminganetworkrediscovery,setthe
Enable Rediscover Network OptiontoNo.Whenyoudisablethe
option,itisgrayedoutintheGlobalProtectmenu.
TopreventusersfrommanuallyresubmittingHIPdatatothe
gateway,setEnable Resubmit Host Profile Option toNo.This
optionisenabledbydefault,andisusefulincaseswhere
HIPbasedsecuritypolicypreventsusersfromaccessing
resourcesbecauseitallowstheusertofixthecomplianceissue
onthecomputerandthenresubmittheHIP.
(Windowsonly)ToallowGlobalProtecttodisplaynotifications
inthenotificationarea(systemtray),setShow System Tray
NotificationstoYes.
Tocreateacustommessagetodisplaytouserswhentheir
passwordisabouttoexpireconfiguretheCustom Password
Expiration Message (LDAP Authentication Only).Themaximum
messagelengthis200characters.

Step6 Definewhattheenduserswiththis SetAllow User to Change PortalAddresstoNotodisablethe


configurationcandointheirclient. PortalfieldontheHometabintheGlobalProtectagent.Because
theuserwillthenbeunabletospecifyaportaltowhichto
connect,youmustsupplythedefaultportaladdressinthe
Windowsregistry(HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto
Networks\GlobalProtect\PanSetupwithkeyPortal)orthe
Macplist
(/Library/Preferences/com.paloaltonetworks.GlobalProt
ect.settings.plistwithkeyPortalunderdictionary
PanSetup).Formoreinformation,seeDeployAgentSettings
Transparently.
Topreventusersfromdismissingthewelcomepage,setAllow
User to Dismiss Welcome Page toNo.Otherwise,whensetto
Yes,theusercandismissthewelcomepageandprevent
GlobalProtectfromdisplayingthepageaftersubsequentlogins.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 97
DefinetheGlobalProtectClientAuthenticationConfigurations GlobalProtectPortals

CustomizetheAgent(Continued)

Step7 Specifywhetheruserscandisablethe Topreventuserswiththeuserlogonconnectmethodfrom


GlobalProtectagent. disablingGlobalProtect,setAllow User to Disable GlobalProtect
TheAllow User to Disable GlobalProtect to Disallow.
optionappliestoagentconfigurations ToallowuserstodisableGlobalProtectiftheyprovidea
thathavetheConnect Methodsetto passcode,setAllow User to Disable GlobalProtect to Allow with
User-Logon (Always On).Inuserlogon Passcode.Then,intheDisableGlobalProtectApparea,enter
mode,theagentorappautomatically (andconfirm)thePasscodethattheendusersmustsupply.
connectstoGlobalProtectassoonasthe Toallowuserstodisconnectiftheyprovideaticket,setAllow
userlogsintotheendpoint.Thismodeis User to Disable GlobalProtect toAllow with Ticket.Withthis
sometimesreferredtoasalwayson, option,thedisconnectactiontriggerstheagenttogeneratea
whichiswhytheusermustoverridethis RequestNumber.Theendusermustthencommunicatethe
behaviortodisableGlobalProtectclient. RequestNumbertotheadministrator.Theadministratorthen
Bydefault,thisoptionissettoAllow clicksGenerate TicketontheNetwork > GlobalProtect > Portals
whichpermitsuserstodisable pageandenterstherequestnumberfromtheusertogenerate
GlobalProtectwithoutprovidinga theticket.Theadministratorthenprovidesthetickettotheend
comment,passcode,orticketnumber. user,whoentersitintotheDisableGlobalProtectdialogtoenable
Iftheagenticonisnotvisible, theagenttodisconnect.
usersarenotabletodisablethe
GlobalProtectclient.SeeStep 5
fordetails.

TolimitthenumberoftimesuserscandisabletheGlobalProtect
client,enteravalueintheMax Times User Can Disablefieldin
theDisableGlobalProtectApparea.Avalueof0(thedefault)
indicatesthatusersarenotlimitedinthenumberoftimesthey
candisabletheclient.
Torestricthowlongtheusermaybedisconnected,enteravalue
(inminutes)intheUser Can Disable Timeout (min)fieldinthe
DisableGlobalProtectApparea.Avalueof0(thedefault)means
thatthereisnorestrictiononhowlongtheusercankeepthe
clientdisabled.

98 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
GlobalProtectPortals DefinetheGlobalProtectClientAuthenticationConfigurations

CustomizetheAgent(Continued)

Step8 Configurethecertificatesettingsand Client Certificate Store LookupSelectwhichstoretheagent


behaviorfortheusersthatreceivethis shouldusetolookupclientcertificates.Usercertificatesare
configuration. storedintheCurrentUsercertificatestoreonWindowsandin
thePersonalKeychainonMacOS.Machinecertificatesare
storedintheLocalComputercertificatestoreonWindowsandin
theSystemKeychainonMacOS.Bydefault,theagentlooksfor
User and machinecertificatesinbothplaces.
SCEP Certificate Renewal Period (days)WithSCEP,theportal
canrequestanewclientcertificatebeforethecertificateexpires.
ThistimebeforethecertificateexpiresistheoptionalSCEP
certificaterenewalperiod.Duringaconfigurablenumberofdays
beforeaclientcertificateexpires,theportalcanrequestanew
certificatefromtheSCEPserverinyourenterprisePKI(rangeis
030;defaultis7).Avalueof0meanstheportaldoesnot
automaticallyrenewtheclientcertificatewhenitrefreshesthe
agentconfiguration.
Foranagentorapptoobtainthenewcertificateduringthe
renewalperiod,theusermustlogintotheGlobalProtectclient.
Forexample,ifaclientcertificatehasalifespanof90days,the
certificaterenewalperiodis7days,andtheuserlogsinduringthe
final7daysofthecertificatelifespan,theportalacquiresanew
certificateanddeploysitalongwithafreshagentconfiguration.
Formoreinformation,seeDeployUserSpecificClient
CertificatesforAuthentication.
Extended Key Usage OID for Client CertificateEnterthe
extendedkeyusageofaclientcertificatebyspecifyingitsobject
identifier(OID).ThissettingensuresthattheGlobalProtectagent
selectsonlyacertificatethatisintendedforclientauthentication
whenmultiplecertificatetypesarepresentandenables
GlobalProtecttosavetheselectionforfutureuse.Thisoptionis
supportedonWindowsandMacendpointsonly.
Ifyoudonotwanttheagenttoestablishaconnectionwiththe
portalwhentheportalcertificateisnotvalid,setAllow User to
Continue with Invalid Portal Server CertificatetoNo.Keepin
mindthattheportalprovidestheagentconfigurationonly;itdoes
notprovidenetworkaccessandthereforesecuritytotheportalis
lesscriticalthansecuritytothegateway.However,ifyouhave
deployedatrustedservercertificatefortheportal,deselecting
thisoptioncanhelppreventmaninthemiddle(MITM)attacks.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 99
DefinetheGlobalProtectClientAuthenticationConfigurations GlobalProtectPortals

CustomizetheAgent(Continued)

Step9 Specifywhetherusersreceivelogin SetEnable Inbound Authentication Prompts from MFA


promptswhenmultifactor GatewaystoYes.Tosupportmultifactorauthentication(MFA),a
authenticationisrequiredtoaccess GlobalProtectclientmustreceiveandacknowledgeUDP
sensitivenetworkresources. promptsthatareinboundfromthegateway.SelectYes toenable
Forinternalgatewayconnections, aGlobalProtectclienttoreceiveandacknowledgetheprompt.By
sensitivenetworkresources(for default,thevalueissettoNo meaningGlobalProtectwillblock
example,financialapplicationsor UDPpromptsfromthegateway.
softwaredevelopmentapplications)may InNetwork Port for Inbound Authentication Prompts (UDP),
requireadditionalauthentication.You specifytheportnumberaGlobalProtectclientusestoreceive
canconfigureGlobalProtectclientsto inboundauthenticationpromptsfromMFAgateways.The
displaytheauthenticationprompts defaultportis4501.Tochangetheport,specifyanumberfrom
requiredtoaccesstheseresources.Refer 1to65535.
toSetUpMultiFactorAuthentication InTrusted MFA Gateways,specifythelistofauthentication
formoreinformation. gatewaysaGlobalProtectclientwilltrustformultifactor
authentication.WhenaGlobalProtectclientreceivesaUDP
messageonthespecifiednetworkport,GlobalProtectdisplaysan
authenticationmessageonlyiftheUDPpromptcomesfroma
trustedgateway.
ConfiguretheDefault Message for Inbound Authentication
Prompts (forexample:You have attempted to access a
protected resource that requires additional
authentication. Proceed to authenticate at
\\server1\myapp).Whenuserstrytoaccessaresourcethat
requiresadditionalauthentication,GlobalProtectreceivesan
inboundauthenticationpromptanddisplaysthismessage.

Step10 (Windowsonly)Configuresettingsfor Update DNS Settings at ConnectSelectYestoflushtheDNS


Windowsbasedendpointsthatreceive cacheandforcealladapterstousetheDNSsettingsinthe
thisconfiguration. configuration.SelectNo(thedefault)tousetheDNSsettings
fromthephysicaladapterontheendpoint.
Send HIP Report Immediately if Windows Security Center
(WSC) State ChangesSelectNotopreventtheGlobalProtect
agentfromsendingHIPdatawhenthestatusoftheWindows
SecurityCenter(WSC)changes.SelectYes(default)to
immediatelysendHIPdatawhenthestatusoftheWSCchanges.
Detect Proxy for Each ConnectionSelectNotoautodetectthe
proxyfortheportalconnectionandusethatproxyfor
subsequentconnections.SelectYes(default)toautodetectthe
proxyateveryconnection.
Clear Single Sign-On Credentials on LogoutSelectNotokeep
singlesignoncredentialswhentheuserlogsout.SelectYes
(default)toclearthemandforcetheusertoentercredentials
uponthenextlogin.
Use Default Authentication on Kerberos Authentication
FailureSelectNotouseonlyKerberosauthentication.Select
Yes(default)toretryusingthedefaultauthenticationmethod
afterauthenticationusingKerberosfails.

100 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectPortals DefinetheGlobalProtectClientAuthenticationConfigurations

CustomizetheAgent(Continued)

Step11 Ifyourendpointsfrequentlyexperience Configurevaluesforanyofthefollowingoptions:


latencyorslownesswhenconnectingto Portal Connection Timeout (sec)Thenumberofseconds
theGlobalProtectportalorgateways, beforeaconnectionrequesttotheportaltimesoutduetono
consideradjustingtheportalandTCP responsefromtheportal(rangeis1600;defaultis30).
timeoutvalues. TCP Connection Timeout (sec)Thenumberofsecondsbefore
Toallowmoretimeforyourendpointsto aTCPconnectionrequesttimesoutduetounresponsiveness
connecttoorreceivedatafromthe fromeitherendoftheconnection(rangeis1600;defaultis60).
portalorgateway,increasethetimeout TCP Receive Timeout (sec)Thenumberofsecondsbeforea
values,asneeded.Keepinmindthat TCPconnectiontimesoutduetotheabsenceofsomepartial
increasingthevaluescanresultinlonger responseofaTCPrequest(rangeis1600;defaultis30).
waittimesiftheGlobalProtectagentis
unabletoestablishtheconnection.In
contrast,decreasingthevaluescan
preventtheGlobalProtectagentfrom
establishingaconnectionwhenthe
portalorgatewaydoesnotrespond
beforethetimeoutexpires.

Step12 Specifywhetherremotedesktop Bydefault,theUser Switch Tunnel Rename Timeoutfieldissetto


connectionsarepermittedoverexisting 0meaningtheGlobalProtectgatewayterminatestheconnectionif
VPNtunnelsbyspecifyingtheUser anewuserauthenticatesovertheVPNtunnel.Tomodifythis
Switch Tunnel Rename Timeout.When behavior,configureatimeoutvaluefrom1to600seconds.Ifthe
anewuserconnectstoaWindows newuserdoesnotlogintothegatewaybeforethetimeoutvalue
machineusingRemoteDesktopProtocol expires,theGlobalProtectgatewayterminatestheVPNtunnel
(RDP),thegatewayreassignstheVPN assignedtothefirstuser.
tunneltothenewuser.Thegatewaycan ChangingtheUser Switch Tunnel Rename Timeoutvalue
thenenforcesecuritypoliciesonthenew onlyaffectstheRDPtunnelanddoesnotrenamea
user. prelogontunnelwhenconfigured.
Allowingremotedesktopconnections
overVPNtunnelscanbeusefulin
situationswhereanITadministrator
needstoaccessaremoteenduser
systemusingRDP.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 101


DefinetheGlobalProtectClientAuthenticationConfigurations GlobalProtectPortals

CustomizetheAgent(Continued)

Step13 SpecifyhowGlobalProtectagent Bydefault,theAllow User to Upgrade GlobalProtect App fieldis


upgradesoccur. settoprompttheendusertoupgrade.Tomodifythisbehavior,
Ifyouwanttocontrolwhenuserscan selectoneofthefollowingoptions:
upgrade,youcancustomizetheagent Allow TransparentlyUpgradesoccurautomaticallywithout
upgradeonaperconfigurationbasis.For interactionwiththeuser.Upgradescanoccurwhentheuseris
example,ifyouwanttotestareleaseon workingremotelyorconnectedfromwithinthecorporate
asmallgroupofusersbeforedeployingit network.
toyourentireuserbase,youcancreatea InternalUpgradesoccurautomaticallywithoutinteraction
configurationthatappliestousersin withtheuser,providedtheuserisconnectedfromwithinthe
yourITgrouponly,thusallowingthemto corporatenetwork.Thissettingisrecommendedtopreventslow
upgradeandtestanddisableupgradein upgradesinlowbandwidthsituations.Whenauserconnects
allotheruser/groupconfigurations. outsidethecorporatenetwork,theupgradeispostponedand
Then,afteryouhavethoroughlytested reactivatedlaterwhentheuserconnectsfromwithinthe
thenewversion,youcanmodifythe corporatenetwork.Youmustconfigureinternalgatewaysand
agentconfigurationsfortherestofyour internalhostdetectiontousethisoption.
userstoallowtheupgrade. Topreventagentupgrades,selectDisallow.
Toallowenduserstoinitiateagentupgrades,selectAllow
Manually.Inthiscase,theuserwouldselecttheCheck Version
optionintheagenttodetermineifthereisanewagentversion
andthenupgradeifdesired.Notethatthisoptionwillnotwork
iftheGlobalProtectagentishiddenfromtheuser.SeeStep 5for
detailsontheDisplay GlobalProtect Iconoption.
UpgradesforAllow Transparently andInternaloccuronly
iftheGlobalProtectsoftwareversionontheportalismore
recentthantheGlobalProtectsoftwareversiononthe
endpoint.Forexample,aGlobalProtect3.1.3agent
connectingtoaGlobalProtect3.1.1portalisnotupgraded.

Step14 Specifywhethertodisplayawelcome Todisplayawelcomepageafterasuccessfulloginselect


pageuponsuccessfullogin. factory-default fromtheWelcome Page dropdownontheright.
Awelcomepagecanbeausefulwayto GlobalProtectdisplaysthewelcomepageinthedefaultbrowseron
directuserstointernalresourcesthat Windows,Mac,andChromebookendpoints,orwithinthe
theycanonlyaccesswhenconnectedto GlobalProtectapponmobiledevices.Youcanalsoselectacustom
GlobalProtect,suchasyourIntranetor welcomepagethatprovidesinformationspecifictoyourusers,or
otherinternalservers. toaspecificgroupofusers(basedonwhichportalconfiguration
Bydefault,theonlyindicationthatthe getsdeployed).Fordetailsoncreatingcustompages,see
agenthassuccessfullyconnectedto CustomizetheGlobalProtectPortalLogin,Welcome,andHelp
GlobalProtectisaballoonmessagethat Pages.
displaysinthesystemtray/menubar.

Step15 Savetheagentconfigurationsettings. 1. Ifyouaredonecreatingagentconfigurations,clickOKtoclose


theConfigsdialog.Otherwise,forinstructionsoncompleting
theagentconfigurations,returntoDefinetheGlobalProtect
AgentConfigurations.
2. Ifyouaredoneconfiguringtheportal,clickOKtoclosethe
GlobalProtectPortalConfigurationdialog.
3. Whenyoufinishtheportalconfiguration,Committhechanges.

102 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectPortals DefinetheGlobalProtectClientAuthenticationConfigurations

Customize the GlobalProtect Portal Login, Welcome, and Help Pages

GlobalProtectprovidesdefaultlogin,welcome,and/orhelppages.However,youcancreateyourown
custompageswithyourcorporatebranding,acceptableusepolicies,andlinkstoyourinternalresources.

Youcanalternativelydisablebrowseraccesstotheportalloginpageinordertopreventunauthorizedattempts
toauthenticatetotheGlobalProtectportal(configurethe Portal Login Page > Disable optionfromNetwork
> GlobalProtect > Portals > portal_config > General).Withtheportalloginpagedisabled,youcaninstead
useasoftwaredistributiontool,suchasMicrosoftsSystemCenterConfigurationManager(SCCM),toallowyour
userstodownloadandinstalltheGlobalProtectagent.

CustomizethePortalLogin,Welcome,andHelpPages

Step1 Exportthedefaultportallogin,welcome, 1. SelectDevice > Response Pages.


orhelppage. 2. SelectthelinkforthetypeofGlobalProtectportalpage.
3. SelecttheDefaultpredefinedpageandclickExport.

Step2 Edittheexportedpage. 1. UsetheHTMLtexteditorofyourchoicetoeditthepage.


2. Ifyouwanttoeditthelogoimagethatisdisplayed,hostthe
newlogoimageonawebserverthatisaccessiblefromthe
remoteGlobalProtectclients.Forexample,editthefollowing
lineintheHTMLtopointtothenewlogoimage:
<img src="http://cdn.slidesharecdn.com/
Acme-logo-96x96.jpg?1382722588"/>
3. Savetheeditedpagewithanewfilename.Makesurethatthe
pageretainsitsUTF8encoding.

Step3 Importthenewpage(s). 1. SelectDevice > Response Pages.


2. SelectthelinkforthetypeofGlobalProtectportalpage.
3. ClickImportandthenenterthepathandfilenameinthe
Import FilefieldorBrowsetolocatethefile.
4. (Optional)Selectthevirtualsystemonwhichthispagewillbe
usedfromtheDestinationdropdownorselectshared
(default)tomakeitavailabletoallvirtualsystems.
5. ClickOKtoimportthefile.

Step4 Configuretheportaltousethenew Portal Login PageandApp Help Page:


page(s). 1. SelectNetwork > GlobalProtect > Portals andselecttheportal
towhichyouwanttoaddtheloginpage.
2. OntheGeneral tab,selectthenewpagefromtherelevant
dropdownintheAppearancearea.
Custom Welcome Page:
1. SelectNetwork > GlobalProtect > Portalsandselecttheportal
towhichyouwanttoaddtheloginpage.
2. OntheAgent tab,selecttheagentconfigurationtowhichyou
wanttoaddthewelcomepage.
3. SelecttheApptab,andselectthenewpagefromtheWelcome
Pagedropdown.
4. ClickOKtosavetheagentconfiguration.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 103


DefinetheGlobalProtectClientAuthenticationConfigurations GlobalProtectPortals

CustomizethePortalLogin,Welcome,andHelpPages(Continued)

Step5 Savetheportalconfiguration. ClickOKandthenCommityourchanges.

Step6 Verifythatthenewpagedisplays. TesttheloginpageOpenabrowser,gototheURLforyour


portal(besureyoudonotaddthe:4443portnumbertotheend
oftheURLoryouwillbedirectedtothewebinterfaceforthe
firewall).Forexample,enterhttps://myportalratherthan
https://myportal:4443.
Thenewportalloginpagewilldisplay.

TestthehelppageRightclicktheGlobalProtecticoninthe
notificationarea(systemtray),andselectHelp.Thenewhelp
pagewilldisplay.
TestthewelcomepageRightclicktheGlobalProtecticoninthe
notificationarea(systemtray),andselectWelcome Page.The
newwelcomepagewilldisplay.

104 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectClients
DeploytheGlobalProtectClientSoftware
DefinetheGlobalProtectAgentConfigurations
CustomizetheGlobalProtectAgent
DeployAgentSettingsTransparently
GlobalProtectClientlessVPN
Reference:GlobalProtectAgentCryptographicFunctions
EnableDeliveryofGlobalProtectClientVSAstoaRADIUSServer

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 105


DeploytheGlobalProtectClientSoftware GlobalProtectClients

DeploytheGlobalProtectClientSoftware

InordertoconnecttoGlobalProtect,anendhostmustberunningGlobalProtectclientsoftware.The
softwaredeploymentmethoddependsonthetypeofclientasfollows:
MacOSandMicrosoftWindowsendpointsRequiretheGlobalProtectagentsoftware,whichis
distributedbytheGlobalProtectportal.Toenablethesoftwarefordistribution,youmustdownloadthe
versionyouwantthehostsinyournetworktousetothefirewallhostingyourGlobalProtectportaland
thenactivatethesoftwarefordownload.Forinstructionsonhowtodownloadandactivatetheagent
softwareonthefirewall,seeDeploytheGlobalProtectAgentSoftware.
Windows10phoneandWindows10UWPendpointsRequiretheGlobalProtectapp.Aswithother
mobiledeviceapps,theendusermustdownloadtheGlobalProtectappfromtheMicrosoftStore.For
instructionsonhowtodownloadandtesttheGlobalProtectappinstallation,seeDownloadandInstall
theGlobalProtectMobileApp.
iOSandAndroidendpointsRequiretheGlobalProtectapp.Aswithothermobiledeviceapps,theend
usermustdownloadtheGlobalProtectappeitherfromtheAppleAppStore(iOSdevices)orfromGoogle
Play(Androiddevices).ForinstructionsonhowtodownloadandtesttheGlobalProtectappinstallation,
seeDownloadandInstalltheGlobalProtectMobileApp.
ChromebooksRequiretheGlobalProtectappforChromeOS.Similartothedownloadprocessfor
mobiledeviceapps,theendusercandownloadtheGlobalProtectappfromtheChromeWebStore.You
canalsodeploytheapptoamanagedChromebookusingtheChromebookManagementConsole.For
instructionsonhowtodownloadandtesttheGlobalProtectappinstallation,DownloadandInstallthe
GlobalProtectAppforChromeOS.
Formoredetails,seeWhatClientOSVersionsareSupportedwithGlobalProtect?

AsanalternativetodeployingGlobalProtectclientsoftware,youcanconfiguretheGlobalProtect portalto
providesecureremoteaccesstocommonenterprisewebapplicationsthatuseHTML,HTML5,andJavascript
technologies.UsershavetheadvantageofsecureaccessfromSSLenabledwebbrowsers withoutinstalling
GlobalProtectclientsoftware.RefertoGlobalProtectClientlessVPN.

Deploy the GlobalProtect Agent Software

ThereareseveralwaystodeploytheGlobalProtectagentsoftware:
DirectlyfromtheportalDownloadtheagentsoftwaretothefirewallhostingtheportalandactivateit
sothatenduserscaninstalltheupdateswhentheyconnecttotheportal.Thisoptionprovidesflexibility
inthatitallowsyoutocontrolhowandwhenendusersreceiveupdatesbasedontheagentconfiguration
settingsyoudefineforeachuser,group,and/oroperatingsystem.However,ifyouhavealargenumber
ofagentsthatrequireupdates,itcouldputextraloadonyourportal.SeeHostAgentUpdatesonthe
Portalforinstructions.
FromawebserverIfyouhavealargenumberofhoststhatwillneedtoupgradetheagent
simultaneously,considerhostingtheagentupdatesonawebservertoreducetheloadonthefirewall.
SeeHostAgentUpdatesonaWebServerforinstructions.
TransparentlyfromthecommandlineForWindowsclients,youcanautomaticallydeployagent
settingsintheWindowsInstaller(Msiexec).However,toupgradetoalateragentversionusingMsiexec,
youmustfirstuninstalltheexistingagent.Inaddition,Msiexecallowsfordeploymentofagentsettings
directlyontheendpointsbysettingvaluesintheWindowsregistryorMacplist.SeeDeployAgent
SettingsTransparently.

106 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectClients DeploytheGlobalProtectClientSoftware

UsinggrouppolicyrulesInActiveDirectoryenvironments,theGlobalProtectAgentcanalsobe
distributedtoendusers,usingactivedirectorygrouppolicy.ADGrouppoliciesallowmodificationof
Windowshostcomputersettingsandsoftwareautomatically.Refertothearticleat
http://support.microsoft.com/kb/816102formoreinformationonhowtouseGroupPolicyto
automaticallydistributeprogramstohostcomputersorusers.
FromamobileendpointmanagementsystemIfyouuseanmobilemanagementsystemsuchasan
MDMorEMMtomanageyourmobiledevices,youcanusethesystemtodeployandconfigurethe
GlobalProtectapp.SeeMobileEndpointManagement.

HostAgentUpdatesonthePortal

ThesimplestwaytodeploytheGlobalProtectagentsoftwareistodownloadthenewagentinstallation
packagetothefirewallthatishostingyourportalandthenactivatethesoftwarefordownloadtotheagents
connectingtotheportal.Todothisautomatically,thefirewallmusthaveaserviceroutethatenablesitto
accessthePaloAltoNetworksUpdateServer.IfthefirewalldoesnothaveaccesstotheInternet,youcan
manuallydownloadtheagentsoftwarepackagefromthePaloAltoNetworksSoftwareUpdatessupportsite
usinganInternetconnectedcomputerandthenmanuallyuploadittothefirewall.

YoumusthaveavalidPaloAltoNetworksaccounttologintoanddownloadsoftwarefromtheSoftwareUpdates
page.Ifyoucannotloginandneedassistance,goto
https://www.paloaltonetworks.com/support/tabs/overview.html.)

Youdefinehowtheagentsoftwareupdatesaredeployedintheagentconfigurationsyoudefineonthe
portalwhethertheyhappenautomaticallywhentheagentconnectstotheportal,whethertheuseris
promptedtoupgradetheagent,orwhethertheendusercanmanuallycheckforanddownloadanewagent
version.Fordetailsoncreatinganagentconfiguration,seeDefinetheGlobalProtectAgentConfigurations.

HosttheGlobalProtectAgentonthePortal

Step1 Launchthewebinterfaceonthefirewall SelectDevice > GlobalProtect Client.


hostingtheGlobalProtectportalandgo
totheGlobalProtectClientpage.

Step2 Checkfornewagentsoftwareimages. IfthefirewallhasaccesstotheUpdateServer,clickCheck Now


tocheckforthelatestupdates.IfthevalueintheActioncolumn
isDownloaditindicatesthatanupdateisavailable.
IfthefirewalldoesnothaveaccesstotheUpdateServer,goto
thePaloAltoNetworksSoftwareUpdatessupportsiteand
Downloadthefiletoyourcomputer.Thengobacktothefirewall
tomanuallyUploadthefile.
YoumusthaveavalidPaloAltoNetworksaccounttolog
intoanddownloadsoftwarefromtheSoftwareUpdates
page.Ifyoucannotloginandneedassistance,goto:
https://www.paloaltonetworks.com/support/tabs/overvi
ew.html)

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 107


DeploytheGlobalProtectClientSoftware GlobalProtectClients

HosttheGlobalProtectAgentonthePortal(Continued)

Step3 Downloadtheagentsoftwareimage. LocatetheagentversionyouwantandthenclickDownload.When


Ifyourfirewalldoesnothave thedownloadcompletes,thevalueintheActioncolumnchangesto
Internetaccessfromthe Activate.
managementport,youcan Ifyoumanuallyuploadedtheagentsoftwareasdetailedin
downloadtheagentupdatefrom Step 2,theActioncolumnwillnotupdate.Continuetothe
thePaloAltoNetworksSupport nextstepforinstructionsonactivatinganimagethatwas
Site: manuallyuploaded.
(https://www.paloaltonetworks.
com/support/tabs/overview.htm
l).
YoucanthenmanuallyUpload
theupdatetoyourfirewalland
thenactivateActivate From File.

Step4 Activatetheagentsoftwareimageso IfyoudownloadedtheimageautomaticallyfromtheUpdate


thatenduserscandownloaditfromthe Server,clickActivate.
portal. Ifyoumanuallyuploadedtheimagetothefirewall,clickActivate
Onlyoneversionofagent From FileandthenselecttheGlobalProtect Client Fileyou
softwareimagecanbeactivated uploadedfromthedropdown.ClickOKtoactivatetheselected
atatime.Ifyouactivateanew image.Youmayneedtorefreshthescreenbeforetheversion
version,buthavesomeagents displaysasCurrently Activated.
thatrequireapreviously
activatedversion,youwillhave
toactivatetherequiredversion
againtoenableitfordownload.

HostAgentUpdatesonaWebServer

Ifyouhavealargenumberofendpointsthatwillneedtoinstalland/orupdatetheGlobalProtectagent
software,considerhostingtheGlobalProtectagentsoftwareimagesonanexternalwebserver.Thishelps
reducetheloadonthefirewallwhenusersconnecttodownloadtheagent.Tousethisfeature,thefirewall
hostingtheportalmustberunningPANOS4.1.7oralaterrelease.

HostGlobalProtectAgentImagesonaWebServer

Step1 Downloadtheversionofthe Followthestepsfordownloadingandactivatingtheagentsoftware


GlobalProtectagentthatyouplanto onthefirewallasdescribedinHosttheGlobalProtectAgentonthe
hostonthewebservertothefirewall Portal.
andactivateit.

Step2 DownloadtheGlobalProtectagent Fromabrowser,gotothePaloAltoNetworksSoftwareUpdates


imageyouwanttohostonyourweb siteandDownloadthefiletoyourcomputer.
server.
Youshoulddownloadthesameimage
thatyouactivatedontheportal.

Step3 Publishthefilestoyourwebserver. Uploadtheimagefile(s)toyourwebserver.

108 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectClients DeploytheGlobalProtectClientSoftware

HostGlobalProtectAgentImagesonaWebServer(Continued)

Step4 Redirecttheenduserstothewebserver. Onthefirewallhostingtheportal,logintotheCLIandenterthe


followingoperationalmodecommands:
> set global-protect redirect on
> set global-protect redirect location
<path>
where<path>isthepathistheURLtothefolderhostingtheimage,
forexamplehttps://acme/GP.

Step5 Testtheredirect. 1. LaunchyourwebbrowserandgotothefollowingURL:


https://<portal address or name>
Forexample,https://gp.acme.com.
2. Ontheportalloginpage,enteryouruserNameandPassword
andthenclickLogin.Aftersuccessfullogin,theportalshould
redirectyoutothedownload.

TesttheAgentInstallation

Usethefollowingproceduretotesttheagentinstallation.

TesttheAgentInstallation

Step1 Createanagentconfigurationfortesting Asabestpractice,createanagentconfigurationthatislimitedtoa


theagentinstallation. smallgroupofusers,suchasadministratorsintheITdepartment
Wheninitiallyinstallingthe responsibleforadministeringthefirewall:
GlobalProtectagentsoftwareon 1. SelectNetwork > GlobalProtect > Portals andselecttheportal
theendpoint,theendusermust configurationtoedit.
beloggedintothesystemusing
2. SelecttheAgent tabandeitherselectanexistingconfiguration
anaccountthathas
orAddanewconfigurationtodeploytothetestusers/group.
administrativeprivileges.
Subsequentagentsoftware 3. OntheUser/User Grouptab,clickAddintheUser/UserGroup
updatesdonotrequire section,selecttheuserorgroupwhowillbetestingtheagent,
administrativeprivileges. andthenclickOK.
4. OntheAgenttab,makesureAgent Upgradeissettoprompt
andthenclickOKtosavetheconfiguration.
5. (Optional)Selecttheagentconfigurationyoujust
created/modifiedandclickMove Upsothatitisbeforeany
moregenericconfigurationsyouhavecreated.
6. Committhechanges.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 109


DeploytheGlobalProtectClientSoftware GlobalProtectClients

TesttheAgentInstallation(Continued)

Step2 LogintotheGlobalProtectportal. 1. LaunchyourwebbrowserandgotothefollowingURL:


https://<portaladdressorname>
Forexample,https://gp.acme.com.
2. Ontheportalloginpage,enteryouruserNameandPassword
andthenclickLogin.

Step3 Navigatetotheagentdownloadpage. Inmostcases,youwillseeanagentdownloadpagewhenyoulog


intotheportal.Usethispagetodownloadthelatestagentsoftware
package.

IfyouhaveenabledGlobalProtectClientlessVPNaccess,youwill
seeanapplicationspage(insteadoftheagentdownloadpage)
whenyoulogintotheportal.SelectGlobalProtect Agenttoopen
thedownloadpage.

110 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectClients DeploytheGlobalProtectClientSoftware

TesttheAgentInstallation(Continued)

Step4 Downloadtheagent. 1. Clickthelinkthatcorrespondstotheoperatingsystemyouare


runningonyourcomputertobeginthedownload.

2. Whenpromptedtorunorsavethesoftware,clickRun.
3. Whenprompted,clickRuntolaunchtheGlobalProtectSetup
Wizard.
WheninitiallyinstallingtheGlobalProtectagent
softwareontheendpoint,theendusermustbelogged
intothesystemusinganaccountthathas
administrativeprivileges.Subsequentagentsoftware
updatesdonotrequireadministrativeprivileges.

Step5 CompletetheGlobalProtectagentsetup. 1. FromtheGlobalProtectSetupWizard,clickNext.


2. ClickNexttoacceptthedefaultinstallationfolder
(C:\Program Files\Palo Alto Networks\GlobalProtect)
orBrowsetochooseanewlocationandthenclickNexttwice.
3. Aftertheinstallationsuccessfullycompletes,clickClose.The
GlobalProtectagentwillautomaticallystart.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 111


DeploytheGlobalProtectClientSoftware GlobalProtectClients

TesttheAgentInstallation(Continued)

Step6 LogintoGlobalProtect. EntertheFQDNorIPaddressofthePortalandConnect.If


prompted,enteryourUsernameandPasswordandConnect.If
authenticationissuccessful,theagentwillconnectto
GlobalProtect.Usetheagenttoaccessresourcesonthecorporate
networkaswellasexternalresources,asdefinedinthe
correspondingsecuritypolices.

Todeploytheagenttoendusers,createagentconfigurationsfor
theusergroupsforwhichyouwanttoenableaccessandsetthe
Agent Upgradesettingsappropriatelyandthencommunicatethe
portaladdress.SeeDefinetheGlobalProtectAgentConfigurations
fordetailsonsettingupagentconfigurations.

Download and Install the GlobalProtect Mobile App

TheGlobalProtectappprovidesasimplewaytoextendtheenterprisesecuritypoliciesouttomobile
devices.AswithotherremotehostsrunningtheGlobalProtectagent,themobileappprovidessecureaccess
toyourcorporatenetworkoveranIPSecorSSLVPNtunnel.Theappwillautomaticallyconnecttothe
gatewaythatisclosesttotheenduserscurrentlocation.Inaddition,traffictoandfromthemobiledevice
isautomaticallysubjecttothesamesecuritypolicyenforcementasotherhostsonyourcorporatenetwork.
LiketheGlobalProtectagent,theappcollectsinformationaboutthehostconfigurationandcanusethis
informationforenhancedHIPbasedsecuritypolicyenforcement.
TherearetwoprimarymethodsforinstallingtheGlobalProtectapp:Youcandeploytheappfromyour
thirdpartyMDMandtransparentlypushtheapptoyourmanageddevices;or,youcaninstalltheapp
directlyfromtheofficialstoreforyourdevice:
iOSendpointsAppStore
AndroidendpointsGooglePlay
Windows10phonesandWindows10UWPendpointsMicrosoftStore
ChromebooksFordetailsoninstallingtheGlobalProtectappforChromeOS,seeDownloadandInstall
theGlobalProtectAppforChromeOS.

112 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectClients DeploytheGlobalProtectClientSoftware

ThisworkflowdescribeshowtoinstalltheGlobalProtectappdirectlyonthemobiledevice.Forinstructions
onhowtodeploytheGlobalProtectappfromAirWatch,seeDeploytheGlobalProtectMobileAppUsing
AirWatch.

InstalltheGlobalProtectMobileApp

Step1 Createanagentconfigurationfortesting Asabestpractice,createanagentconfigurationthatislimitedtoa


theappinstallation. smallgroupofusers,suchasadministratorsintheITdepartment
responsibleforadministeringthefirewall:
1. SelectNetwork > GlobalProtect > Portalsandselecttheportal
configurationtoedit.
2. SelecttheAgenttabandeitherselectanexistingconfiguration
orAddanewconfigurationtodeploytothetestusers/group.
3. OntheUser/User Grouptab,clickAddintheUser/UserGroup
sectionandthenselecttheuserorgroupwhowillbetesting
theagent.
4. IntheOSsection,selecttheappyouaretesting(iOS,Android,
orWindowsUWP).
5. (Optional)Selecttheagentconfigurationyoujust
created/modifiedandclickMove Upsothatitisbeforeany
moregenericconfigurationsyouhavecreated.
6. Committhechanges.

Step2 Fromthemobiledevice,followthe OnAndroiddevices,searchfortheapponGooglePlay.


promptstodownloadandinstalltheapp. OniOSdevices,searchfortheappattheAppStore.
OnWindows10UWPdevices,searchfortheappatthe
MicrosoftStore.

Step3 Launchtheapp. Whensuccessfullyinstalled,theGlobalProtectappicondisplayson


thedevicesHomescreen.Tolaunchtheapp,taptheicon.When
promptedtoenableGlobalProtectVPNfunctionality,tapOK.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 113


DeploytheGlobalProtectClientSoftware GlobalProtectClients

InstalltheGlobalProtectMobileApp(Continued)

Step4 Connecttotheportal. 1. Whenprompted,enterthePortalnameoraddress,


Username,andPassword.TheportalnamemustbeanFQDN
anditshouldnotincludethehttps://atthebeginning.

2. TapConnect andverifythattheappsuccessfullyestablishesa
VPNconnectiontoGlobalProtect.
Ifathirdpartymobileendpointmanagementsystemis
configured,theappwillpromptyoutoenroll.

114 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectClients DeploytheGlobalProtectClientSoftware

Download and Install the GlobalProtect App for Chrome OS

TheGlobalProtectappforChromeOSprovidesasimplewaytoextendtheenterprisesecuritypoliciesout
toChromebooks.AswithotherremotehostsrunningtheGlobalProtectagent,theappprovidessecure
accesstoyourcorporatenetworkoveranIPSecorSSLVPNtunnel.Aftertheuserinitiatesaconnection,the
appwillconnecttothegatewaythatisclosesttotheenduserscurrentlocation.Inaddition,traffictoand
fromtheChromebookisautomaticallysubjecttothesamesecuritypolicyenforcementasotherhostson
yourcorporatenetwork.LiketheGlobalProtectagent,theappcollectsinformationaboutthehost
configurationandcanusethisinformationforenhancedHIPbasedsecuritypolicyenforcement.
UsethefollowingprocedurestoinstallandtesttheGlobalProtectappforChromeOS.
InstalltheGlobalProtectAppfromtheChromeWebStore
DeploytheGlobalProtectAppUsingtheChromebookManagementConsole
TesttheGlobalProtectappforChromeOS

InstalltheGlobalProtectAppfromtheChromeWebStore

YoucaninstalltheGlobalProtectapponaChromebookbydownloadingtheappfromtheChromeWeb
Store.AsanalternativeyoucanDeploytheGlobalProtectAppUsingtheChromebookManagement
Console.

InstalltheGlobalProtectAppfromtheChromeWebStore

Step1 Createanagentconfigurationfortesting 1. SelectNetwork > GlobalProtect > Portals andselecttheportal


theappinstallation. configurationtoedit.
Asabestpractice,createan 2. SelecttheAgent tabandeitherselectanexistingconfiguration
agentconfigurationthatis orAddanewconfigurationtodeploytothetestusers/group.
limitedtoasmallgroupofusers,
3. OntheUser/User Grouptab,clickAddintheUser/User
suchasadministratorsintheIT
Groupsectionandthenselecttheuserorgroupthatwilltest
departmentandwhoresponsible
theagent.
foradministeringthefirewall.
4. IntheOSarea,selecttheappyouaretesting(Chrome)and
clickOK.
5. (Optional)Selecttheagentconfigurationyoujustcreatedor
modifiedandclickMove Upsothatitisbeforeanymore
genericconfigurationsyouhavecreated.
6. Committhechanges.

Step2 InstalltheGlobalProtectappforChrome 1. FromtheChromebook,searchfortheappintheChromeWeb


OS. StoreorgodirectlytotheGlobalProtectapppage.
Youcanalsoforceinstalltheappon 2. ClickAdd to Chromeandthenfollowthepromptstodownload
managedChromebooksusingthe andinstalltheapp.
ChromebookManagementConsole.See
DeploytheGlobalProtectAppUsingthe
ChromebookManagementConsole.

Step3 Launchtheapp. Whensuccessfullyinstalled,theChromeAppLauncherdisplaysthe


GlobalProtectappiconinthelistofapps.Tolaunchtheapp,click
theicon.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 115


DeploytheGlobalProtectClientSoftware GlobalProtectClients

InstalltheGlobalProtectAppfromtheChromeWebStore(Continued)

Step4 Configuretheportal. 1. Whenprompted,entertheIPaddressorFQDNofthePortal.


Theportalshouldnotincludethehttps://atthebeginning.
2. ClickAdd ConnectiontoaddtheGlobalProtectVPN
configuration.
TheappdisplaysthehomescreenafteritaddstheVPN
configurationtotheInternetconnectionsettingsofyour
Chromebookbutdoesnotinitiateaconnection.

Step5 Testtheconnection. TesttheGlobalProtectappforChromeOS

DeploytheGlobalProtectAppUsingtheChromebookManagementConsole

TheChromebookManagementConsoleenablesyoutomanageChromebooksettingsandappsfroma
central,webbasedlocation.Fromtheconsole,youcandeploytheGlobalProtectapptoChromebooksand
customizeVPNsettings.
UsethefollowingworkflowtomanagepoliciesandsettingsfortheGlobalProtectappforChromeOS:

ConfiguretheGlobalProtectAppUsingtheChromebookManagementConsole

Step1 Viewtheusersettingsforthe 1. FromtheChromebookManagementConsole,selectDevice


GlobalProtectapp. management > Chrome management > App management.
Theconsoledisplaysthelistofappsconfiguredinall
organization(org)unitsinyourdomainanddisplaysthestatus
ofeachapp.ClickanappStatustodisplaytheorgunitsto
whichthatstatusisapplied.
2. SelecttheGlobalProtectappandthenselectUser settings.
Iftheappisnotpresent,SEARCHforGlobalProtectinthe
ChromeWebStore.

116 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectClients DeploytheGlobalProtectClientSoftware

ConfiguretheGlobalProtectAppUsingtheChromebookManagementConsole(Continued)

Step2 Configurepoliciesandsettingsfor 1. Selecttheorgunitwhereyouwanttoconfiguresettingsand


everyoneinanorgunit. configureanyofthefollowingoptions:
Selectingthetoplevelorgunitappliessettingsto
everyoneinthatunit;selectingachildorgunitapplies
settingsonlytouserswithinthatchildorgunit.
Allow installationAllowusersinstallthisappfromthe
ChromeWebStore.Bydefault,anorgunitinheritsthe
settingsofitsparentorganization.Tooverridethedefault
settings,selectInherit,whichtogglestheOverridesetting.
Force installationInstallthisappautomaticallyand
preventsusersfromremovingit.
Pin to taskbarIftheappisinstalled,pintheapptothe
taskbar(inChromeOSonly).
Add to Chrome Web Store collectionRecommendthis
apptoyourusersintheChromeWebStore.
2. Ifyouhavenotalreadydoneso,createatextfileinJSON
formatthatusesthefollowingsyntaxandincludestheFQDN
orIPaddressofyourGlobalProtectportal:
{
"PortalAddress": {
"Value": "192.0.2.191"
}
}
3. OntheUser settingspage,selectUPLOAD CONFIGURATION
FILEandthenBrowsetotheGlobalProtectsettingsfile.
4. SAVEyourchanges.Settingstypicallytakeeffectwithin
minutes,butitmighttakeuptoanhourtopropagatethrough
yourorganization.

Step3 Testtheconnection. AfterChromeManagementConsolesuccessfullydeploystheapp,


TesttheGlobalProtectappforChromeOS

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 117


DeploytheGlobalProtectClientSoftware GlobalProtectClients

TesttheGlobalProtectappforChromeOS

UsetheGlobalProtectapptoviewstatusandotherinformationabouttheapportocollectlogs,orresetthe
VPNconnectionsettings.Afteryouinstallandconfiguretheapp,itisnotnecessarytoopentheappto
establishaVPNconnection.Instead,youcanconnectbyselectingtheportalfromtheVPNsettingsonthe
Chromebook.

TesttheGlobalProtectAppforChromeOS

Step1 LogintoGlobalProtect. 1. Clickthestatusareaatthebottomrightcornerofthe


Chromebook.
2. SelectVPN disconnectedandthenselecttheportalthatyou
enteredwhenconfiguringtheGlobalProtectVPNsettings.
ToviewVPNsettingsbeforeconnecting,selecttheportal
fromSettings > Private network,andthenclickConnect.
3. EntertheUsernameandPassword fortheportalandclick
Connect.RepeatthissteptoentertheUsernameand
Passwordforthegateway.Ifauthenticationissuccessful,
GlobalProtectconnectsyoutoyourcorporatenetwork.If
enabled,theGlobalProtectwelcomepagewilldisplay.

Step2 Viewtheconnectionstatus.Whenthe Toviewtheportaltowhichyouareconnected,clickthestatus


appisconnected,thestatusareadisplays area.
theVPNiconalongthebottomofthe
WiFiicon( ).

Toviewadditionalinformationabouttheconnectionincluding
thegatewaytowhichyouareconnected,launchthe
GlobalProtectapp.Themainpagedisplaysconnection
informationand(ifapplicable)anyerrorsorwarnings.

118 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectClients DeployAgentSettingsTransparently

DeployAgentSettingsTransparently

Asanalternativetodeployingagentsettingsfromtheportalconfiguration,youcandefinethemdirectly
fromtheWindowsregistryorglobalMacplistoronWindowsclientsonlyusingtheWindowsInstaller
(Msiexec).ThebenefitisthatitenablesdeploymentofGlobalProtectagentsettingstoendpointspriorto
theirfirstconnectiontotheGlobalProtectportal.
SettingsdefinedintheportalconfigurationalwaysoverridesettingsdefinedintheWindowsregistryorMac
plist.Soifyoudefinesettingsintheregistryorplist,buttheportalconfigurationspecifiesdifferentsettings,
thesettingstheagentreceivesfromtheportalwilloverridethesettingsdefinedontheclient.Thisoverride
alsoappliestologinrelatedsettings,suchaswhethertoconnectondemand,whethertousesinglesignon
(SSO),andwhethertheagentcanconnectiftheportalcertificateisinvalid.Therefore,youshouldavoid
conflictingsettings.Inaddition,theportalconfigurationiscachedontheendpointandthatcached
configurationisbeusedanytimetheGlobalProtectagentisrestartedortheclientmachineisrebooted.
Thefollowingsectionsdescribethecustomizableagentsettingsavailableandhowtodeploythesesettings
transparentlytoWindowsandMacclients:
CustomizableAgentSettings
DeployAgentSettingstoWindowsClients
DeployAgentSettingstoMacClients

InadditiontousingWindowsregistryandMacplisttodeployGlobalProtectagentsettings,youcanenablethe
GlobalProtectagenttocollectspecificWindowsregistryorMacplistinformationfromclients,includingdataon
applicationsinstalledontheclients,processesrunningontheclients,andattributesorpropertiesofthose
applicationsandprocesses.Youcanthenmonitorthedataandaddittoasecurityruleasmatchingcriteria.
Devicetrafficthatmatchesregistrysettingsyouhavedefinedcanbeenforcedaccordingtothesecurityrule.
Additionally,youcansetupcustomcheckstoCollectApplicationandProcessDataFromClients.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 119


DeployAgentSettingsTransparently GlobalProtectClients

Customizable Agent Settings

Inadditiontopredeployingtheportaladdress,youcanalsodefinetheagentconfigurationsettings.To
DeployAgentSettingstoWindowsClientsyoudefinekeysintheWindowsregistry
(HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect),or,toDeployAgent
SettingstoMacClientsyoudefineentriesinthePanSetupdictionaryoftheMacplist
(/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist).On
Windowsclientsonly,youcanalsousetheWindowsInstallertoDeployAgentSettingsfromMsiexec.
Table:CustomizableAgentBehaviorOptionsdescribeseachcustomizableagentsetting.Settingsdefinedin
theGlobalProtectportalagentconfigurationtakeprecedenceoversettingsdefinedintheWindowsregistry
ortheMacplist.

Somesettingsdonothaveacorrespondingportalconfigurationsettingsonthewebinterface,andmustbe
configuredusingWindowsregistryorMsiexec.Theseadditionalsettingsinclude:
can-prompt-user-credential,wrap-cp-guid,andfilter-non-gpcp.

AgentDisplayOptions
UserBehaviorOptions
AgentBehaviorOptions
ScriptDeploymentOptions

AgentDisplayOptions

ThefollowingtableliststheoptionsthatyoucanconfigureintheWindowsregistryandMacplistto
customizethedisplayoftheGlobalProtectagent.

Table:CustomizableAgentSettings
PortalAgentConfiguration WindowsRegistry/MacPlist MsiexecParameter Default

Enable Advanced View enable-advanced-view yes | no ENABLEADVANCEDVIEW=yes | no yes

Display GlobalProtect Icon show-agent-icon yes | no SHOWAGENTICON=yes | no yes

Enable Rediscover Network rediscover-network yes | n REDISCOVERNETWORK=yes | no yes


Option

Enable Resubmit Host Profile resubmit-host-info yes | no RESUBMITHOSTINFO=yes | no yes


Option

Show System Tray Notifications show-system-tray-notifications SHOWSYSTEMTRAYNOTIFICATIONS=yes | yes


yes | no no

120 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectClients DeployAgentSettingsTransparently

UserBehaviorOptions

ThefollowingtableliststheoptionsthatyoucanconfigureintheWindowsregistryandMacplistto
customizehowtheusercaninteractwiththeGlobalProtectagent.

Table:CustomizableUserBehaviorOptions
PortalAgentConfiguration WindowsRegistry/MacPlist MsiexecParameter Default

Allow User to Change Portal can-change-portal yes | no CANCHANGEPORTAL=yes | no yes


Address

Allow User to Dismiss Welcome enable-hide-welcome-page yes | ENABLEHIDEWELCOMEPAGE=yes | no yes


no
Page

Allow User to Continue with can-continue-if-portal-cert- CANCONTINUEIFPORTALCERTINVALID= yes


invalid yes | no yes | no
Invalid Portal Server
Certificate

Allow User to Disable disable-allowed yes | no DISABLEALLOWED="yes | no" no


GlobalProtect App

Save User Credentials save-user-credentials 0 | 1 | 2 SAVEUSERCREDENTIALS 0 | 1 | 2

Specifya0toprevent
GlobalProtectfromsaving
credentials,a1tosaveboth
usernameandpassword,ora2
tosavetheusernameonly.

Notinportal can-save-password yes | no CANSAVEPASSWORD=yes | no yes

TheAllow user to save


passwordsettingisdeprecated
inthewebinterfaceinPANOS
7.1andlaterreleasesbutis
configurablefromtheWindows
registryandMacplist.Anyvalue
specifiedintheSave User
Credentialsfieldoverwritesa
valuespecifiedhere.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 121


DeployAgentSettingsTransparently GlobalProtectClients

AgentBehaviorOptions

ThefollowingtableliststheoptionsthatyoucanconfigureintheWindowsregistryandMacplistto
customizethebehavioroftheGlobalProtectagent.

Table:CustomizableAgentBehaviorOptions
PortalAgentConfiguration WindowsRegistry/MacPlist MsiexecParameter Default

Connect Method connect-method on-demand | CONNECTMETHOD=on-demand | user-logon


pre-logon | user-logon pre-logon | user-logon

GlobalProtect App Config refresh-config-interval <hours> REFRESHCONFIGINTERVAL=<hours> 24


Refresh Interval (hours)

Update DNS Settings at flushdns yes | no FLUSHDNS=yes | no no


Connect (Windows Only)

Send HIP Report Immediately if wscautodetect yes | no WSCAUTODETECT=yes | no no


Windows Security Center
(WSC) State Changes (Windows
Only)

Detect Proxy for Each ProxyMultipleAutoDetection yes PROXYMULTIPLEAUTODETECTION=yes | no


| no no
Connection (Windows Only)

Clear Single Sign-On LogoutRemoveSSO yes | no LOGOUTREMOVESSO=yes | no yes


Credentials on Logout
(Windows Only)

Use Default Authentication on krb-auth-fail-fallback yes | no KRBAUTHFAILFALLBACK=yes | no no


Kerberos Authentication
Failure (Windows Only)

Custom Password Expiration PasswordExpiryMessage <message> PASSWORDEXPIRYMESSAGE <message>


Message (LDAP Authentication
Only)

Portal Connection Timeout PortalTimeout <portaltimeout> PORTALTIMEOUT=<portaltimeout> 30


(sec)

TCP Connection Timeout (sec) ConnectTimeout <connecttimeout> CONNECTTIMEOUT=<connecttimeout> 60

TCP Receive Timeout (sec) ReceiveTimeout <receivetimeout> RECEIVETIMEOUT=<receivetimeout> 30

Client Certificate Store Lookup certificate-store-lookup user | CERTIFICATESTORELOOKUP="user | user and


machine | user and machine | machine | user and machine | machine
invalid invalid"

SCEP Certificate Renewal scep-certificate-renewal-period n/a 7


<renewalPeriod>
Period (days)

Maximum Internal Gateway max-internal-gateway-connection MIGCA="<maxValue>" 0


-attempts <maxValue>
Connection Attempts

Extended Key Usage OID for ext-key-usage-oid-for-client-ce EXTCERTOID=<oidValue> n/a


rt <oidValue>
Client Certificate

User Switch Tunnel Rename user-switch-tunnel-rename-timeo n/a 0


ut <renameTimeout>
Timeout (sec)

122 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectClients DeployAgentSettingsTransparently

PortalAgentConfiguration WindowsRegistry/MacPlist MsiexecParameter Default

Use Single Sign-On use-sso yes | no USESSO="yes | no" yes

(WindowsOnly)

Notinportal portal <IPaddress> PORTAL="<IPaddress>" n/a


Thissettingspecifiesthedefault
portalIPaddress(orhostname).

Notinportal prelogon 1 PRELOGON="1" 1

Thissettingenables
GlobalProtecttoinitiateaVPN
tunnelbeforeauserlogsinto
thedeviceandconnectstothe
GlobalProtectportal.

Windowsonly/Notinportal can-prompt-user-credential yes CANPROMPTUSERCREDENTIAL=yes | no yes


| no
Thissettingisusedin
conjunctionwithsinglesignon
(SSO)andindicateswhetheror
nottoprompttheuserfor
credentialsifSSOfails.

Windowsonly/Notinportal wrap-cp-guid {third party WRAPCPGUID={guid_value] no


credential provider guid} FILTERNONGPCP=yes | no
Thissettingfiltersthe
thirdpartycredentialproviders
tilefromtheWindowslogin
pagesothatonlythenative
Windowstileisdisplayed.*

Windowsonly/Notinportal filter-non-gpcp no n/a n/a


Thissettingisanadditional
optionforthesetting
wrap-cp-guid,andallowsthe
thirdpartycredentialprovider
tiletobedisplayedonthe
Windowsloginpage,inaddition
tothenativeWindowslogon
tile.*

*FordetailedstepstoenablethesesettingsusingtheWindowsregistryorWindowsInstaller(Msiexec),see
SSOWrappingforThirdPartyCredentialProvidersonWindowsClients.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 123


DeployAgentSettingsTransparently GlobalProtectClients

ScriptDeploymentOptions

ThefollowingtabledisplaysoptionsthatenableGlobalProtecttoinitiatescriptsbeforeandafterestablishing
aVPNtunnelandbeforedisconnectingaVPNtunnel.Becausetheseoptionsarenotavailableintheportal,
youmustdefinethevaluesfortherelevantkeyeitherpre-vpn-connect,post-vpn-connect,or
pre-vpn-disconnectfromtheWindowsregistryorMacplist.Fordetailedstepstodeployscripts,see
DeployScriptsUsingtheWindowsRegistry,DeployScriptsUsingMsiexec,orDeployScriptsUsingtheMac
Plist.

Table:CustomizableScriptDeploymentOptions
PortalAgentConfiguration WindowsRegistry/MacPlist MsiexecParameter Default

Executethescriptspecifiedin command <parameter1> PREVPNCONNECTCOMMAND=<parameter1> n/a


<parameter2> [...] <parameter2> [...]
thecommandsetting(including
anyparameterspassedtothe Windows example: POSTVPNCONNECTCOMMAND=<parameter1
> <parameter2> [...]
script). command
%userprofile%\vpn_script.bat c:
PREVPNDISCONNECTCOMMAND=<paramete
Environmentalvariables test_user
r1> <parameter2> [...]
aresupported. Mac example:
Specifythefullpathin command $HOME/vpn_script.sh
/Users/test_user test_user
commands.

(Optional)Specifytheprivileges context admin | user PREVPNCONNECTCONTEXT=admin | user


user
underwhichthecommand(s)
canrun(defaultisuser:ifyoudo POSTVPNCONNECTCONTEXT=admin |
user
notspecifythecontext,the
commandrunsasthecurrent PREVPNDISCONNECTCONTEXT=admin |
user
activeuser).

(Optional)Specifythenumber timeout <value> PREVPNCONNECTTIMEOUT=<value> 0


ofsecondstheGlobalProtect POSTVPNCONNECTTIMEOUT=<value>
clientwaitsforthecommandto Example:
PREVPNDISCONNECTTIMEOUT=<value>
execute(rangeis0120).Ifthe timeout 60
commanddoesnotcomplete
beforethetimeout,theclient
proceedstoestablishor
disconnectfromtheVPNtunnel.
Avalueof0(thedefault)means
theclientwillnotwaitto
executethecommand.
Notsupportedfor
postvpnconnect.

(Optional)Specifythefullpath file <path_file> PREVPNCONNECTFILE=<path_file> n/a


ofafileusedinacommand.The POSTVPNCONNECTFILE=<path_file>
GlobalProtectclientwillverify
PREVPNDISCONNECTFILE=<path_file>
theintegrityofthefileby
checkingitagainstthevalue
specifiedinthechecksumkey.
Environmentalvariables
aresupported.

124 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectClients DeployAgentSettingsTransparently

(Continued)PortalAgent WindowsRegistry/MacPlist MsiexecParameter Default

(Optional)Specifythesha256 checksum <value> PREVPNCONNECTCHECKSUM=<value> n/a


checksumofthefilereferredto
inthefilekey.Ifthechecksum POSTVPNCONNECTCHECKSUM=<value>
isspecified,theGlobalProtect PREVPNDISCONNECTCHECKSUM=<value>
clientexecutesthecommand(s)
onlyifthechecksumgenerated
bytheGlobalProtectclient
matchesthechecksumvalue
specifiedhere.

(Optional)Specifyanerror error-msg <message> PREVPNCONNECTERRORMSG=<message> n/a


messagetoinformtheuserthat Example: POSTVPNCONNECTERRORMSG=<message>
thecommand(s)cannotexecute error-msg Failed executing
PREVPNDISCONNECTERRORMSG=<message
orifthecommand(s)exitedwith pre-vpn-connect action! >
anonzeroreturncode.
Themessagemustbe
1,024orfewerANSI
characters.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 125


DeployAgentSettingsTransparently GlobalProtectClients

Deploy Agent Settings to Windows Clients

UseWindowsregistryortheWindowsInstaller(Msiexec)todeploytheGlobalProtectagentandsettingsto
Windowsclientstransparently.
DeployAgentSettingsintheWindowsRegistry
DeployAgentSettingsfromMsiexec
DeployScriptsUsingtheWindowsRegistry
WindowsOSBatchScriptExamples
Example:ExcludeTrafficfromtheVPNTunnelonWindowsEndpoints
Example:MountaNetworkShareonWindowsEndpoints
DeployScriptsUsingMsiexec
Example:UseMsiexectoDeployScriptsthatRunBeforeaConnectEvent
Example:UseMsiexectoDeployScriptsthatRunatPreConnect,PostConnect,andPreDisconnect
Events
SSOWrappingforThirdPartyCredentialProvidersonWindowsClients
EnableSSOWrappingforThirdPartyCredentialswiththeWindowsRegistry
EnableSSOWrappingforThirdPartyCredentialswiththeWindowsInstaller

DeployAgentSettingsintheWindowsRegistry

YoucanenabledeploymentofGlobalProtectagentsettingstoWindowsclientspriortotheirfirst
connectiontotheGlobalProtectportalbyusingtheWindowsregistry.Usetheoptionsdescribedinthe
followingtabletobeginusingtheWindowsregistrytocustomizeagentsettingsforWindowsclients.

InadditiontousingWindowsregistrytodeployGlobalProtectagentsettings,youcanenabletheGlobalProtect
agenttocollectspecificWindowsregistryinformationfromWindowsclients.Youcanthenmonitorthedataand
addittoasecurityruleasmatchingcriteria.Devicetrafficthatmatchesregistrysettingsyouhavedefinedcanbe
enforcedaccordingtothesecurityrule.Additionally,youcansetupcustomcheckstoCollectApplicationand
ProcessDataFromClients.

UsetheWindowsRegistrytoDeployGlobalProtectAgentSettings

LocatetheGlobalProtectagentcustomization OpentheWindowsregistry(enterregeditatthecommand
settingsintheWindowsregistry. prompt)andgoto:
HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto
Networks\GlobalProtect\Settings\

126 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectClients DeployAgentSettingsTransparently

UsetheWindowsRegistrytoDeployGlobalProtectAgentSettings(Continued)

Settheportalname. Ifyoudonotwanttheusertomanuallyentertheportaladdress
evenforthefirstconnection,youcanpredeploytheportaladdress
throughtheWindowsregistry:
(HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto
Networks\GlobalProtect\PanSetup with key Portal).

DeployvarioussettingstotheWindowsclient ViewTable:CustomizableAgentBehaviorOptionsforafulllistof
fromtheWindowsregistry,including thecommandsandvaluesyoucansetupusingtheWindows
configuringtheconnectmethodforthe registry.
GlobalProtectagentandenablingsinglesignon
(SSO).

EnabletheGlobalProtectagenttowrap EnableSSOWrappingforThirdPartyCredentialswiththe
thirdpartycredentialsontheWindowsclient, WindowsRegistry.
allowingforSSOwhenusingathirdparty
credentialprovider.

DeployAgentSettingsfromMsiexec

OnWindowsendpoints,youhavetheoptiontodeploytheagentandthesettingsautomaticallyfromthe
WindowsInstaller(Msiexec)byusingthefollowingsyntax:
msiexec.exe /i GlobalProtect.msi <SETTING>="<value>"

Msiexecisanexecutableprogramthatinstallsorconfiguresaproductfromthecommandline.Onsystems
runningMicrosoftWindowsXPoralaterOS,themaximumlengthofthestringthatyoucanuseatthecommand
promptis8,191characters.

MsiexecExample Description

msiexec.exe /i GlobalProtect.msi /quiet InstallGlobalProtectinquietmode(nouserinteraction)


PORTAL=portal.acme.com andconfiguretheportaladdress.

msiexec.exe /i GlobalProtect.msi InstallGlobalProtectwiththeoptiontopreventusers


CANCONTINUEIFPORTALCERTINVALID=no fromconnectingtotheportalifthecertificateisnotvalid.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 127


DeployAgentSettingsTransparently GlobalProtectClients

Foracompletelistofsettingsandthecorrespondingdefaultvalues,seeTable:CustomizableAgentBehavior
Options.

TosetuptheGlobalProtectagenttowrapthirdpartycredentialsonaWindowsclientfromMsiexec,seeEnable
SSOWrappingforThirdPartyCredentialswiththeWindowsInstaller.

DeployScriptsUsingtheWindowsRegistry

YoucanenabledeploymentofcustomscriptstoWindowsendpointsusingtheWindowsregistry.
YoucanconfiguretheGlobalProtectagenttoinitiateandrunascriptforanyorallofthefollowingevents:
beforeandafterestablishingthetunnel,andbeforedisconnectingthetunnel.Torunthescriptataparticular
event,referencethebatchscriptfromacommandregistryentryforthatevent.
Dependingontheconfigurationsettings,theGlobalProtectagentcanrunascriptbeforeandaftertheagent
establishesaVPNtunnelwiththegateway,andbeforetheagentdisconnectsfromtheVPNtunnel.Usethe
followingworkflowtogetstartedusingtheWindowsregistrytocustomizeagentsettingsforWindows
clients.

TheregistrysettingsthatenableyoutodeployscriptsaresupportedinGlobalProtectclientsrunning
GlobalProtectagent2.3andlaterreleases.

DeployScriptsintheWindowsRegistry

Step1 OpentheWindowsregistry,andlocate OpentheWindowsregistry(enterregeditinthecommand


theGlobalProtectagentcustomization prompt)andgotothelocationofthekeydependingonwhenyou
settings. wanttoexecutescripts(pre/postconnectorpredisconnect):
HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto
Networks\GlobalProtect\Settings\pre-vpn-connect
HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto
Networks\GlobalProtect\Settings\post-vpn-connect
HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto
Networks\GlobalProtect\Settings\pre-vpn-disconne
ct
IfthekeydoesnotexistwithintheSettingskey,createit
(rightclickSettingsandselectNew > Key).

128 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectClients DeployAgentSettingsTransparently

DeployScriptsintheWindowsRegistry(Continued)

Step1 EnabletheGlobalProtectagenttorun 1. Ifthecommandstringdoesnotalreadyexist,createit


scriptsbycreatinganewStringValue (rightclickthepre-vpn-connect,post-vpn-connect,or
namedcommand. pre-vpn-disconnectkey,selectNew > String Value,and
Thebatchfilespecifiedhereshould nameitcommand).
containthespecificscript(includingany 2. RightclickcommandandselectModify.
parameterspassedtothescript)thatyou
3. EnterthecommandsorscriptthattheGlobalProtectagent
wantrunonthedevice.Forexamples,
shouldrun.Forexample:
seeWindowsOSBatchScriptExamples.
%userprofile%\pre_vpn_connect.bat c: test_user

Step2 (Optional)Addadditionalregistryentries Createormodifyregistrystringsandtheircorrespondingvalues,


asneededforeachcommand. includingcontext,timeout,file,checksum,orerror-msg.For
additionalinformation,seeCustomizableAgentSettings.

WindowsOSBatchScriptExamples

YoucanconfiguretheGlobalProtectagenttoinitiateandrunascriptforanyorallofthefollowingevents:
beforeandafterestablishingthetunnel,andbeforedisconnectingthetunnel.Torunthescriptataparticular
event,referencethebatchscriptfromacommandregistryentryforthatevent.Thefollowingtopicsshow
examplesofscriptsyoucanrunonWindowssystemsatpreconnect,postconnect,andpredisconnect
events:

Example:ExcludeTrafficfromtheVPNTunnelonWindowsEndpoints

ToexcludetrafficfromtheVPNtunnelafterestablishingtheVPNconnection,referencethefollowingscript
fromacommandregistryentryforapostvpnconnectevent.Thisenablesyoutoselectivelyexcluderoutes
andtosendallothertrafficthroughtheVPNtunnel.

Asabestpractice,deleteanyexcludenetworkroutesthatwerepreviouslyaddedbeforeaddingthenewexclude
routes.Inmostcases,whenausermovesbetweennetworks(suchaswhenswitchingbetweenWiFiandalocal
network)theoldnetworkroutesareautomaticallydeleted.Intheeventthattheoldnetworkroutespersist,
followingthisbestpracticeensuresthattrafficdestinedfortheexcluderouteswillgothroughthegatewayof
thenewnetworkinsteadofthegatewayoftheoldnetwork.

Forascriptthatyoucancopyandpaste,gohere.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 129


DeployAgentSettingsTransparently GlobalProtectClients

@echo off
REM Run this script (route_exclude) post-vpn-connect.
REM Add exclude routes. This allows traffic to these network and hosts to go directly
and not use the tunnel.
REM Syntax: route_exclude <network1> <mask1> <network2> <mask2> ...<networkN> <maskN>
REM Example-1: route_exclude 10.0.0.0 255.0.0.0
REM Example-2: route_exclude 10.0.0.0 255.0.0.0 192.168.17.0 255.255.255.0
REM Example-3: route_exclude 10.0.0.0 255.0.0.0 192.168.17.0 255.255.255.0
192.168.24.25 255.255.255.255

REM Initialize 'DefaultGateway'


set "DefaultGateway="

REM Use the route print command and find the DefaultGateway on the endpoint
@For /f "tokens=3" %%* in (
'route.exe print ^|findstr "\<0.0.0.0\>"'
) Do if not defined DefaultGateway Set "DefaultGateway=%%*"

REM Use the route add command to add the exclude routes
:add_route
if "%1" =="" goto end
route delete %1
route add %1 mask %2 %DefaultGateway%
shift
shift
goto add_route
:end

Example:MountaNetworkShareonWindowsEndpoints

TomountanetworkshareafterestablishingaVPNconnection,referencethefollowingscriptfroma
commandregistryentryforapostvpnconnectevent:
@echo off
REM Mount filer1 to Z: drive
net use Z: \\filer1.mycompany.local\share /user:mycompany\user1

DeployScriptsUsingMsiexec

OnWindowsclients,youcanusetheWindowsInstaller(Msiexec)todeploytheagent,agentsettings,and
scriptsthattheagentwillrunautomatically(seeCustomizableAgentSettings).Todoso,usethefollowing
syntax:
msiexec.exe /i GlobalProtect.msi <SETTING>="<value>"

Msiexecisanexecutableprogramthatinstallsorconfiguresaproductfromacommandline.Onsystemsrunning
MicrosoftWindowsXPoralaterrelease,themaximumlengthofthestringthatyoucanuseatthecommand
promptis8,191characters.
Thislimitationappliestothecommandline,individualenvironmentvariables(suchastheUSERPROFILEvariable)
thatareinheritedbyotherprocesses,andallenvironmentvariableexpansions.Ifyourunbatchfilesfromthe
commandline,thislimitationalsoappliestobatchfileprocessing.

130 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectClients DeployAgentSettingsTransparently

Forexample,todeployscriptsthatrunatspecificconnectordisconnectevents,youcanusesyntaxsimilar
tothefollowingexamples:
Example:UseMsiexectoDeployScriptsthatRunBeforeaConnectEvent
Example:UseMsiexectoDeployScriptsthatRunatPreConnect,PostConnect,andPreDisconnect
Events

Example:UseMsiexectoDeployScriptsthatRunBeforeaConnectEvent

Forascriptthatyoucancopyandpaste,gohere.

msiexec.exe /i GlobalProtect.msi
PREVPNCONNECTCOMMAND="%userprofile%\pre_vpn_connect.bat c: test_user"
PREVPNCONNECTCONTEXT="user"
PREVPNCONNECTTIMEOUT="60"
PREVPNCONNECTFILE="C:\Users\test_user\pre_vpn_connect.bat"
PREVPNCONNECTCHECKSUM="a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599"
PREVPNCONNECTERRORMSG="Failed executing pre-vpn-connect action."
Foracompletelistofsettingsandthecorrespondingdefaultvalues,seeCustomizableAgentSettings.Or,
forexamplesofbatchscripts,seeWindowsOSBatchScriptExamples.

Example:UseMsiexectoDeployScriptsthatRunatPreConnect,PostConnect,and
PreDisconnectEvents

Forascriptthatyoucancopyandpaste,gohere.

msiexec.exe /i GlobalProtect.msi
PREVPNCONNECTCOMMAND="%userprofile%\pre_vpn_connect.bat c: test_user"
PREVPNCONNECTCONTEXT="user"
PREVPNCONNECTTIMEOUT="60"
PREVPNCONNECTFILE="C:\Users\test_user\pre_vpn_connect.bat"
PREVPNCONNECTCHECKSUM="a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599"
PREVPNCONNECTERRORMSG="Failed executing pre-vpn-connect action."
POSTVPNCONNECTCOMMAND="c:\users\test_user\post_vpn_connect.bat c: test_user"
POSTVPNCONNECTCONTEXT="admin"
POSTVPNCONNECTFILE="%userprofile%\post_vpn_connect.bat"
POSTVPNCONNECTCHECKSUM="b48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf598"
POSTVPNCONNECTERRORMSG="Failed executing post-vpn-connect action."
PREVPNDISCONNECTCOMMAND="%userprofile%\pre_vpn_disconnect.bat c: test_user"
PREVPNDISCONNECTCONTEXT="admin"
PREVPNDISCONNECTTIMEOUT="0"
PREVPNDISCONNECTFILE="C:\Users\test_user\pre_vpn_disconnect.bat"
PREVPNDISCONNECTCHECKSUM="c48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf597"
PREVPNDISCONNECTERRORMSG="Failed executing pre-vpn-disconnect action."
Foracompletelistofsettingsandthecorrespondingdefaultvalues,seeCustomizableAgentSettings.Or,
forexamplesofbatchscripts,seeWindowsOSBatchScriptExamples.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 131


DeployAgentSettingsTransparently GlobalProtectClients

SSOWrappingforThirdPartyCredentialProvidersonWindowsClients

OnWindows7andWindowsVistaclients,theGlobalProtectagentutilizestheMicrosoftcredentialprovider
frameworktosupportsinglesignon(SSO).WithSSO,theGlobalProtectcredentialproviderwrapsthe
Windowsnativecredentialprovider,whichenablesGlobalProtecttouseWindowslogincredentialsto
automaticallyauthenticateandconnecttotheGlobalProtectportalandgateway.
Insomescenarioswhenotherthirdpartycredentialprovidersalsoexistontheclient,theGlobalProtect
credentialproviderisunabletogatherauser'sWindowslogincredentialsand,asaresult,GlobalProtectfails
toautomaticallyconnecttotheGlobalProtectportalandgateway.IfSSOfails,youcanidentifythe
thirdpartycredentialproviderandthenconfiguretheGlobalProtectagenttowrapthosethirdparty
credentials,whichenablesuserstosuccessfullyauthenticatetoWindows,GlobalProtect,andthethirdparty
credentialproviderallinasinglestepusingonlytheirWindowslogincredentialswhentheylogintotheir
Windowssystem.
Optionally,youcanconfigureWindowstodisplayseparatelogintiles:oneforeachthirdpartycredential
providerandanotherforthenativeWindowslogin.Thisisusefulwhenathirdpartycredentialprovideradds
additionalfunctionalityinthelogintilethatdoesnotapplytoGlobalProtect.
UsetheWindowsregistryortheWindowsInstaller(Msiexec)toallowGlobalProtecttowrapthirdparty
credentials:
EnableSSOWrappingforThirdPartyCredentialswiththeWindowsRegistry
EnableSSOWrappingforThirdPartyCredentialswiththeWindowsInstaller

GlobalProtectSSOwrappingforthirdpartycredentialproviders(CPs)isdependentonthe
thirdpartyCPsettingsand,insomecases,GlobalProtectSSOwrappingmightnotworkcorrectly
ifthethirdpartyCPimplementationdoesnotallowGlobalProtecttosuccessfullywraptheirCP.

132 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectClients DeployAgentSettingsTransparently

EnableSSOWrappingforThirdPartyCredentialswiththeWindowsRegistry

UsethefollowingstepsintheWindowsregistrytoenableSSOtowrapthirdpartycredentialsonWindows
7andWindowsVistaclients.

UsetheWindowsRegistrytoEnableSSOWrappingforThirdPartyCredentials

Step1 OpentheWindowsregistryandlocate 1. Fromthecommandprompt,enterthecommandregeditto


thegloballyuniqueidentifier(GUID)for opentheWindowsregistry.
thethirdpartycredentialproviderthat 2. Locatecurrentlyinstalledcredentialprovidersatthefollowing
youwanttowrap. location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Authentication\Credential Providers.
3. CopytheGUIDkeyforthecredentialproviderthatyouwant
towrap(includingthecurlybrackets{ and} oneitherend
oftheGUID):

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 133


DeployAgentSettingsTransparently GlobalProtectClients

UsetheWindowsRegistrytoEnableSSOWrappingforThirdPartyCredentials(Continued)

Step2 EnableSSOwrappingforthirdparty 1. GotothefollowingWindowsregistrylocation:


credentialprovidersbyaddingthe HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\
settingwrap-cp-guidtothe GlobalProtect:
GlobalProtectregistry.

2. AddanewString Value:

3. EntervaluesfortheString Value:
Name:wrap-cp-guid
Value data:{<third-party credential provider GUID>}
FortheValue datafield,theGUIDvaluethatyou
entermustbeenclosedwithcurlybrackets:{ and
}.
Thefollowingisanexampleofwhatathirdparty
credentialproviderGUIDintheValue data field
mightlooklike:
{A1DA9BCC-9720-4921-8373-A8EC5D48450F}
ForthenewStringValue,wrap-cp-guidisdisplayedasthe
StringValuesNameandtheGUIDisdisplayedastheData.

Step3 NextSteps: YoucanconfigureSSOwrappingforthirdpartycredential


providerssuccessfullybycompletingsteps1and2.Withthis
setup,thenativeWindowslogontileisdisplayedtousers.Users
clickthetileandlogintothesystemwiththeirWindows
credentialsandthatsingleloginauthenticatestheusersto
Windows,GlobalProtect,andthethirdpartycredentialprovider.
(Optional)Ifyouwanttodisplaytwotilestousersatlogin,the
nativeWindowstileandthetileforthethirdpartycredential
provider,continuetoStep 4.

134 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectClients DeployAgentSettingsTransparently

UsetheWindowsRegistrytoEnableSSOWrappingforThirdPartyCredentials(Continued)

Step4 (Optional)Allowthethirdparty AddasecondString Value withtheName filter-non-gpcpand


credentialprovidertiletobedisplayedto enternoforthestringsValue data:
usersatlogin.

WiththisstringvalueaddedtotheGlobalProtectsettings,twologin
optionsarepresentedtouserswhenloggingintotheirWindows
system:thenativeWindowstileandthethirdpartycredential
providerstile.

EnableSSOWrappingforThirdPartyCredentialswiththeWindowsInstaller

UsethefollowingoptionsintheWindowsInstaller(Msiexec)toenableSSOtowrapthirdpartycredential
providersonWindows7andWindowsVistaclients.

UsetheWindowsInstallertoEnableSSOWrappingforThirdPartyCredentials

Wrapthirdpartycredentialsanddisplaythenativetiletousersatlogin.Usersclickthetileandlogintothe
systemwiththeirnativeWindowscredentialsandthatsingleloginauthenticatesuserstoWindows,
GlobalProtect,andthethirdpartycredentialprovider.
UsethefollowingsyntaxfromtheWindowsInstaller(Msiexec):
msiexec.exe /i GlobalProtect.msi WRAPCPGUID={guid_value} FILTERNONGPCP=yes
Inthesyntaxabove,theFILTERNONGPCP parametersimplifiesauthenticationfortheuserbyfilteringthe
optiontologintothesystemusingthethirdpartycredentials.

Ifyouwouldlikeuserstohavetheoptiontologinwiththethirdpartycredentials,usethefollowingsyntax
fromtheMsiexec:
msiexec.exe /i GlobalProtect.msi WRAPCPGUID={guid_value} FILTERNONGPCP=no
Inthesyntaxabove,theFILTERNONGPCP parameterissettono,whichfiltersoutthethirdpartycredential
providerslogontilesothatonlythenativetiledisplays.Inthiscase,boththenativeWindowstileandthe
thirdpartycredentialprovidertileisdisplayedtouserswhenloggingintotheWindowssystem.

Deploy Agent Settings to Mac Clients

UsetheMacglobalplist(propertylist)filetosetGlobalProtectagentcustomizationsettingsforortodeploy
scriptstoMacendpoints.
DeployAgentSettingsintheMacPlist
DeployScriptsUsingtheMacPlist
MacOSScriptExamples
Example:TerminateAllEstablishedSSHSessionsonMacEndpoints
Example:MountaNetworkShareonMacEndpoints

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 135


DeployAgentSettingsTransparently GlobalProtectClients

DeployAgentSettingsintheMacPlist

YoucansettheGlobalProtectagentcustomizationsettingsintheMacglobalplist(Propertylist)file.This
enablesdeploymentofGlobalProtectagentsettingstoMacendpointspriortotheirfirstconnectiontothe
GlobalProtectportal.
OnMacsystems,plistfilesareeitherlocatedin/Library/Preferencesorin~/Library/Preferences.Thetilde
(~)symbolindicatesthatthelocationisinthecurrentuser'shomefolder.TheGlobalProtectagentonaMac
clientfirstchecksfortheGlobalProtectplistsettings.Iftheplistdoesnotexistatthatlocation,the
GlobalProtectagentsearchesforplistsettingsin~/Library/Preferences.

InadditiontousingtheMacplisttodeployGlobalProtectagentsettings,youcanenabletheGlobalProtectagent
tocollectspecificMacplistinformationfromclients.Youcanthenmonitorthedataandaddittoasecurityrule
asmatchingcriteria.Devicetrafficthatmatchesregistrysettingsyouhavedefinedcanbeenforcedaccordingto
thesecurityrule.Additionally,youcansetupcustomcheckstoCollectApplicationandProcessDataFrom
Clients.

UsetheMacPlisttoDeployGlobalProtectAgentSettings

OpentheGlobalProtectplistfileandlocatethe UseXcodeoranalternateplisteditortoopentheplistfile:
GlobalProtectagentcustomizationsettings. /Library/Preferences/com.paloaltonetworks.Global
Protect.settings.plist
Thengoto:
/Palo Alto Networks/GlobalProtect/Settings
IftheSettingsdictionarydoesnotexist,createit.Thenaddeach
keytotheSettingsdictionaryasastring.

Settheportalname. Ifyoudontwanttheusertomanuallyentertheportaladdresseven
forthefirstconnection,youcanpredeploytheportaladdress
throughtheMacplist.UnderthePanSetupdictionary,configurean
entryforPortal.

DeployvarioussettingstotheMacclientfrom ViewCustomizableAgentSettingsforafulllistofthekeysand
theMacplist,includingconfiguringtheconnect valuesthatyoucanconfigureusingtheMacplist.
methodfortheGlobalProtectagent.

136 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectClients DeployAgentSettingsTransparently

DeployScriptsUsingtheMacPlist

WhenauserconnectstotheGlobalProtectgatewayforthefirsttime,theGlobalProtectagentdownloadsa
configurationfileandstoresagentsettingsinaGlobalProtectMacpropertyfile(plist).Inadditiontomaking
changestotheagentsettings,youusetheMacplisttodeployscriptsatanyorallofthefollowingevents:
beforeandafterestablishingthetunnel,andbeforedisconnectingthetunnel.Usethefollowingworkflow
togetstartedusingtheMacplisttodeployscriptstoMacendpoints.

TheMacplistsettingsthatenableyoutodeployscriptsaresupportedinGlobalProtectclientsrunning
GlobalProtectagent2.3andlaterreleases.

DeployScriptsUsingtheMacPlist

Step1 (ClientsrunningMacOSX10.9ora Toclearthedefaultpreferencescache,runthekillall cfprefsd


laterOS)Flushthesettingscache.This commandfromaMacterminal.
preventstheOSfromusingthecached
preferencesaftermakingchangestothe
plist.

Step2 OpentheGlobalProtectplistfile,and UseXcodeoranalternateplisteditortoopentheplistfile


locateorcreatetheGlobalProtect (/Library/Preferences/com.paloaltonetworks.GlobalProte
dictionaryassociatedwiththeconnect ct.settings.plist)andgotothelocationofthedictionary:
ordisconnectevent.Thedictionary /Palo Alto
underwhichyouwilladdthesettingswill Networks/GlobalProtect/Settings/pre-vpn-connect
determinewhentheGlobalProtectagent /Palo Alto
runsthescript(s). Networks/GlobalProtect/Settings/post-vpn-connect
/Palo Alto
Networks/GlobalProtect/Settings/pre-vpn-disconnect
IfSettingsdictionarydoesnotexist,createit.Then,in
Settings,createanewdictionaryfortheeventorevents
atwhichyouwanttorunscripts.

Step3 EnabletheGlobalProtectagenttorun Ifthecommandstringdoesnotalreadyexist,addittothedictionary


scriptsbycreatinganewStringnamed andspecifythescriptandparametersintheValuefield,for
command. example:
Thevaluespecifiedhereshould $HOME\pre_vpn_connect.sh /Users/username username
referencetheshellscript(andthe Environmentalvariablesaresupported.
parameterstopasstothescript)thatyou
wantrunonyourdevices.SeeMacOS
Asabestpractice,specifythefullpathincommands.
ScriptExamples.

Step4 (Optional)Addadditionalsettings Createormodifyadditionalstringsintheplist(context,timeout,


relatedtothecommand,including file,checksum,and/orerror-msg) andentertheir
administratorprivileges,atimeoutvalue correspondingvalues.Foradditionalinformation,see
forthescript,checksumvalueforthe CustomizableAgentSettings.
batchfile,andanerrormessageto
displayifthecommandfailstoexecute
successfully.

Step5 Savethechangestotheplistfile. Savetheplist.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 137


DeployAgentSettingsTransparently GlobalProtectClients

MacOSScriptExamples

YoucanconfiguretheGlobalProtectagenttoinitiateandrunascriptforanyorallofthefollowingevents:
beforeandafterestablishingthetunnel,andbeforedisconnectingthetunnel.Torunthescriptataparticular
event,referencetheshellscriptfromacommandplistentryforthatevent.Thefollowingtopicsshow
examplesofscriptsthatyoucanrunatpreconnect,postconnectandpredisconnectevents:
Example:TerminateAllEstablishedSSHSessionsonMacEndpoints
Example:MountaNetworkShareonMacEndpoints

Example:TerminateAllEstablishedSSHSessionsonMacEndpoints

ToforceterminationofallestablishedSSHsessionsbeforesettinguptheVPNtunnel,referencethe
followingscriptfromacommandplistentryforaprevpnconnectevent.Similarly,youcanreestablishthe
sessionsafterestablishingtheGlobalProtectVPNtunnelbyusingascriptthatyoureferencefromthe
commandplistentryforapostvpnconnectevent.ThiscanbeusefulifyouwanttoforceallSSHtrafficto
traversetheGlobalProtectVPNtunnel.
#!bin/bash
# Identify all SSH sessions and force kill them
ps | grep ssh | grep -v grep | awk '{ print $1 }' | xargs kill -9

Example:MountaNetworkShareonMacEndpoints

TomountanetworkshareafterestablishingaVPNconnection,referencethefollowingscriptfromacommand
plistentryforapostvpnconnectevent:

Forascriptthatyoucancopyandpaste,gohere.

#!/bin/bash
mkdir $1
mount -t smbfs
//username:password@10.101.2.17/shares/Departments/Engineering/SW_eng/username/folder
$1
sleep 1

138 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectClients GlobalProtectClientlessVPN

GlobalProtectClientlessVPN

GlobalProtectClientlessVPNprovidessecureremoteaccesstocommonenterprisewebapplications.Users
havetheadvantageofsecureaccessfromSSLenabledwebbrowserswithoutinstallingGlobalProtectclient
software.Thisisusefulwhenyouneedtoenablepartnerorcontractoraccesstoapplications,andtosafely
enableunmanagedassets,includingpersonaldevices.YoucanconfiguretheGlobalProtectportallanding
pagetoprovideaccesstowebapplicationsbasedonusersandusergroupsandalsoallowsinglesignonto
SAMLenabledapplications.Thefollowingtopicsprovideinformationonhowtoconfigureandtroubleshoot
ClientlessVPN.

Thisfeatureisavailableasapublicbetarelease.

ClientlessVPNOverview
SupportedTechnologies
ConfigureClientlessVPN
TroubleshootClientlessVPN

Clientless VPN Overview

WhenyouconfigureClientlessVPN,remoteuserscanlogintotheGlobalProtectportalusingawebbrowser
andlaunchthewebapplicationsyoupublishfortheuser.Basedonusersorusergroups,youcanallowusers
toaccessasetofapplicationsthatyoumakeavailabletothem,orallowthemtoaccessadditionalcorporate
applicationsbyenteringacustomapplicationURL.
Afterloggingintotheportal,usersseeapublishedapplicationspagewithalistofwebapplicationstheycan
launch.(YoucanusethedefaultapplicationslandingpageontheGlobalProtectportalorcreateacustom
landingpageforyourenterprise.)

Figure:ApplicationsLandingPageforClientlessVPN

Becausethispagereplacesthedefaultportallandingpage,itincludesalinktotheGlobalProtectagent
downloadpage.Ifconfigured,userscanalsoselectApplication URL andenterURLstolaunchadditional,
unpublishedcorporatewebapplications.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 139


GlobalProtectClientlessVPN GlobalProtectClients

Whenyouconfigureonlyonewebapplication(anddisableaccesstounpublishedapplications),insteadof
takingtheusertothepublishedapplicationspage,theapplicationwilllaunchautomaticallyassoonasthe
userlogsin.IfyoudonotconfigureGlobalProtectClientlessVPN,userswillseetheagentsoftware
downloadpagewhentheylogintotheportal.
WhenyouconfigureGlobalProtectClientlessVPN,youneedsecuritypoliciestoallowtrafficfrom
GlobalProtectendpointstothesecurityzoneassociatedwiththeGlobalProtectportalthathoststhe
publishedapplicationslandingpageandsecuritypoliciestoallowuserbasedtrafficfromtheGlobalProtect
portalzonetothesecurityzonewherethepublishedapplicationserversarehosted.Thesecuritypolicies
youdefinecontrolwhichusershavepermissiontouseeachpublishedapplication.

Figure:ZonesandSecurityPolicyforClientlessVPN

Supported Technologies

ClientlessVPNisavailableasapublicbetarelease.MakesureyouthroughlytestyourClientlessVPN
applicationsinacontrolledenvironmentbeforedeployingthemormakingthemavailabletoalargenumber
ofusers.
YoucanconfiguretheGlobalProtect portalto providesecureremoteaccesstocommonenterpriseweb
applicationsthatuseHTML,HTML5,andJavascripttechnologies.Othertechnologies(suchasAdobe
FlashorMicrosoftSliverlight)arenotsupported.
SupportedoperatingsystemsareWindows,Mac,iOS,Android,Chrome,andLinux.
SupportedbrowsersarethelatestversionsofChrome,InternetExplorer,Safari,andFirefox.

140 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectClients GlobalProtectClientlessVPN

ThetablebelowshowsapplicationsthatPaloAltoNetworkshasspecificallyqualifiedforpublicbeta,butyou
cantestanyapplicationthatusesHTML,HTML5,orJavascript.

QualifiedApplicationsforClientlessVPN

MicrosoftOutlookWebAccess2014 APD

MicrosoftSharePoint2013 Box

Google Drive Bugzilla

GoogleGmailforBusiness Drupal

Atlassian Confluence Jive!

Atlassian JIRA Joomla

Configure Clientless VPN

ClientlessVPNrequiresyoutoinstallaGlobalProtectsubscriptiononthefirewallthathoststheClientless
VPNfromtheGlobalProtectportal.YoualsoneedtheGlobalProtect Clientless VPNdynamicupdatestouse
thisfeature.RefertoActiveLicensesandSubscriptionsandInstallContentandSoftwareUpdates.Asabest
practice,configureaseparateFQDNfortheGlobalProtectportalthathostsClientlessVPN.Donotusethe
sameFQDNasthePANOSWebInterface.

ConfigureClientlessVPN

Step1 Configuretheapplicationsthatare 1. SelectNetwork > GlobalProtect > Clientless AppsandAdd


availableusingGlobalProtectClientless oneormoreapplications.Foreachapplication,specifythe
VPN.TheGlobalProtectportaldisplays following:
theseapplicationsonthelandingpage NameAdescriptivenamefortheapplication(upto31
thatusersseewhentheylogin(the characters).Thenameiscasesensitiveandmustbeunique.
applicationslandingpage). Useonlyletters,numbers,spaces,hyphens,and
underscores.
Location(forafirewallthatisinmultiplevirtualsystem
mode)thevirtualsystem(vsys)wheretheClientlessVPN
applicationsareavailable.Forafirewallthatisnotin
multivsysmode,theLocationfielddoesnotappear.
Application Home URLTheURLwheretheweb
applicationislocated(upto4095characters).
Application Description(Optional)Abriefdescriptionof
theapplication(upto255characters).
Application Icon (Optional)Anicontoidentifythe
applicationonthepublishedapplicationpage.Youcan
browsetouploadtheicon.
2. ClickOK.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 141


GlobalProtectClientlessVPN GlobalProtectClients

ConfigureClientlessVPN(Continued)

Step2 (Optional).Creategroupstomanagesets 1. SelectNetwork > GlobalProtect > Clientless App Groups.Add


ofwebapplications. anewClientlessVPNapplicationgroupandspecifythe
ClientlessAppGroupsareusefulifyou following:
wanttomanagemultiplecollectionsof NameAdescriptivenamefortheapplicationgroup(upto
applicationsandprovideaccessbasedon 31characters).Thenameiscasesensitiveandmustbe
usergroups.Forexample,financial unique.Useonlyletters,numbers,spaces,hyphens,and
applicationsfortheG&Ateamor underscores.
developerapplicationsforthe Location(forafirewallthatisinmultiplevirtualsystem
Engineeringteam. mode)thevirtualsystem(vsys)wheretheClientlessVPN
applicationgroupisavailable.Forafirewallthatisnotin
multivsysmode,theLocationfielddoesnotappear.
2. IntheApplicationsarea,Addapplicationstothegroup.You
canselectfromthelistofexistingClientlessVPNapplications
ordefineaNew Clientless App.
3. ClickOK.

142 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectClients GlobalProtectClientlessVPN

ConfigureClientlessVPN(Continued)

Step3 ConfiguretheGlobalProtectportalto 1. SelectNetwork > GlobalProtect > Portalandselectan


providetheClientlessVPNservice. existingportalconfigurationorAddanewportal.RefertoSet
UpAccesstotheGlobalProtectPortal.
2. IntheAuthenticationtab,youcan:
(Optional)Createanewclientauthenticationspecifically
forClientlessVPN.Inthiscase,chooseBrowserastheOS
forClient Authentication.
Useanexistingclientauthentication.
3. InClientless > General,selectClientless VPNtoenablethe
portalserviceandconfigurethefollowing:
SpecifyaHostname(IPaddressorfullyqualifieddomain
name)fortheGlobalProtectportalthathoststhe
applicationslandingpage.Thishostnameisusedfor
rewritingapplicationURLs.(FormoreinformationonURL
rewriting,refertoStep 7).
IfyouuseNetworkAddressTranslation(NAT)to
provideaccesstotheGlobalProtectportal,theIP
addressorFQDNyouentermustmatch(orresolve
to)theNATIPaddressfortheGlobalProtectportal
(thepublicIPaddress).
SpecifyaSecurity Zone.Thiszoneisusedasasourcezone
forthetrafficbetweenthefirewallandtheapplications.
Securityrulesdefinedfromthiszonetotheapplication
zonedeterminewhichapplicationscanbeaccessed.
SelectaDNS ProxyserverorconfigureaNew DNS Proxy.
GlobalProtectwillusethisproxytoresolveapplication
names.RefertoDNSProxyObject.
Login LifetimeSpecifythemaximumhoursorminutes
thataClientlessVPNsessionisvalid.Thetypicalsession
timeis3hours.Therangeforhoursis124;therangefor
minutesis601440.Afterthesessionexpires,usersmust
reauthenticateandstartanewClientlessVPNsession.
Inactivity TimeoutSpecifythenumberofhoursor
minutesthataClientlessVPNsessioncanremainidle.The
typicalinactivitytimeoutis30minutes.Therangeforhours
is124;therangeforminutesis5to1440.Ifthereisno
useractivityduringthespecifiedamountoftime,users
mustreauthenticateandstartanewClientlessVPN
session.
Max UserSpecifythemaximumnumberofuserswhocan
beloggedintotheportalatthesametime.Ifnovalueis
specified,thenendpointcapacityisassumed.Ifthe
endpointcapacityisunknown,thenacapacityof50users
isassumed.Whenthemaximumnumberofusersis
reached,additionalClientlessVPNuserscannotloginto
theportal.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 143


GlobalProtectClientlessVPN GlobalProtectClients

ConfigureClientlessVPN(Continued)

Step4 Mapusersandusergroupsto 1. IntheApplicationstab,AddanApplications to User Mapping


applications. tomatchuserswithpublishedapplications.
Thismappingcontrolswhich NameEnteranameforthemapping(upto31characters).
applicationsusersorusergroupscan Thenameiscasesensitiveandmustbeunique.Useonly
launchfromaGlobalProtectClientless letters,numbers,spaces,hyphens,andunderscores.
VPNsession. Allow user to launch unpublished applicationsSelect
Publishinganapplicationtoauseror thisoptiontoallowuserstolaunchapplicationsthatarenot
grouporallowingthemtolaunch publishedontheapplicationslandingpage.(Userscanclick
unpublishedapplicationsdoesnotimply theApplication URL linkonthepageandspecifyaURL.)
thattheycanaccessthoseapplications. 2. SpecifytheSource Users.YoucanAddindividualusersor
Controllingaccesstoapplications usergroupstowhichthecurrentapplicationconfiguration
(publishedornot)isdoneusingsecurity applies.Theseusershavepermissiontolaunchtheconfigured
policies. applicationsusingaGlobalProtectClientlessVPN.Inaddition
Youmustconfiguregroup tousersandgroups,youcanspecifywhenthesesettingsapply
mapping(Device > User totheusersorgroups:
Identification > Group Mapping anyTheapplicationconfigurationappliestoallusers(no
Settings)beforeyoucanselect needtoAddusersorusergroups).
thegroups.
selectTheapplicationconfigurationappliesonlytousers
andusergroupsyouAddtothislist.
3. Addindividualapplicationsorapplicationgroupstothe
mapping.TheSource Usersyouincludedintheconfiguration
canuseGlobalProtectClientlessVPNtolinktothe
applicationsyouadd.

144 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectClients GlobalProtectClientlessVPN

ConfigureClientlessVPN(Continued)

Step5 Specifythesecuritysettingsfora 1. IntheCrypto Settingstab,specifytheauthenticationand


ClientlessVPNsession. encryptionalgorithmsfortheSSLsessionsbetweenthe
firewallandthepublishedapplications.
Protocol VersionsSelecttherequiredminimumand
maximumTLS/SSLversions.ThehighertheTLSversion,
themoresecuretheconnection.ChoicesincludeSSLv3,
TLSv1.0,TLSv1.1,orTLSv1.2.
Key Exchange AlgorithmsSelectthesupportedalgorithm
typesforkeyexchange.Choicesare:RSA,DiffieHellman
(DHE),orEllipticCurveEphemeralDiffieHellman(ECDHE).
Encryption AlgorithmsSelectthesupportedencryption
algorithms.AES128orhigherisrecommended.
Authentication AlgorithmsSelectthesupported
authenticationalgorithms.Choicesare:MD5,SHA1,
SHA256,orSHA384.SHA256orhigherisrecommended.
2. Selecttheactiontotakewhenthefollowingissuesoccurwith
aservercertificatepresentedbyanapplication:
Block sessions with expired certificateIftheserver
certificatehasexpired,blockaccesstotheapplication.
Block sessions with untrusted issuersIftheserver
certificateisissuedfromanuntrustedcertificateauthority,
blockaccesstotheapplication.
Block sessions with unknown certificate statusIfthe
OSCPorCRLservicereturnsacertificaterevocationstatus
ofunknown,blockaccesstotheapplication.
Block sessions on certificate status check timeoutIfthe
certificatestatuschecktimesoutbeforereceivinga
responsefromanycertificatestatusservice,blockaccessto
theapplication.

Step6 (Optional)Specifyoneormoreproxy Ifusersneedtoreachtheapplicationsthroughaproxyserver,


serverconfigurationstoaccessthe specifya Proxy Server.Youcanaddmultipleproxyserver
applications. configurations,oneforeachsetofdomains.
Onlybasicauthenticationtothe NameAlabel(upto31characters)toidentifytheproxyserver
proxyissupported(username configuration.Thenameiscasesensitiveandmustbeunique.
andpassword). Useonlyletters,numbers,spaces,hyphens,andunderscores.
DomainsAddthedomainsservedbytheproxyserver.Youcan
useawildcardcharacter(*)atthebeginningofthedomainname
toindicatemultipledomains.
Use ProxySelecttoassignaproxyservertoprovideaccessto
thedomains.
ServerSpecifytheIPaddressorhostnameoftheproxy
server.
PortSpecifyaportnumberforcommunicationwiththeserver.
UserandPasswordSpecifytheUserandPassword
credentialsneededtologintotheproxyserver.Specifythe
passwordagainforverification.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 145


GlobalProtectClientlessVPN GlobalProtectClients

ConfigureClientlessVPN(Continued)

Step7 (Optional)Specifyanyspecialtreatment Insomecases,theapplicationmayhavepagesthatdonotneedto


forapplicationdomains. beaccessedthroughtheportal(forexample,theapplicationmay
TheClientlessVPNactsasareverse includeastocktickerfromyahoo.finance.com).Youcanexclude
proxyandmodifieswebpagesreturned thesepages.
bythepublishedwebapplications.It IntheAdvanced Settingstab,Adddomainnames,hostnames,or
rewritesallURLsandpresentsa IPaddressestotheRewrite Exclude Domain List. Thesedomains
rewrittenpagetoremoteuserssuchthat areexcludedfromrewriterulesandcannotberewritten.
whentheyaccessanyofthoseURLs,the Pathsarenotsupportedinhostanddomainnames.Thewildcard
requestsgothroughGlobalProtect character(*)forhostnamesanddomainnamescanonlyappearat
portal. thebeginningofthename(forexample,*.etrade.com).

Step8 Savetheportalconfiguration. 1. ClickOKtwice.


2. Commityourchanges.

Step9 ConfigureaSecuritypolicyruletoenable Youneedsecuritypoliciesforthefollowing:


userstoaccessthepublished AllowtrafficfromGlobalProtectendpointstothesecurityzone
applications. associatedwiththeGlobalProtectportalthathoststhe
publishedapplicationslandingpage.
AllowuserbasedtrafficfromtheGlobalProtectportalzoneto
thesecurityzone(trustzone)wherethepublishedapplication
serversarehosted.Thesecuritypoliciesyoudefinecontrol
whichusershavepermissiontouseeachpublishedapplication.
Forthesecurityzonewherethepublishedapplicationservers
arehosted,makesureEnable User Identificationissetinorder
tocreateuserbasedrulesforaccessingpublishedapplications.
BydefaultService/URLinSecurity Policy Ruleisset
application-default.ClientlessVPNwillnotworkforHTTPS
siteswiththisdefaultsetting.ChangeService/URLtoinclude
bothservice-http andservice-https.

WhenyouconfigureaproxyservertoaccessClientlessVPN
applications,makesureyouincludetheproxyIPaddressand
portinthesecuritypolicydefinition.Whenapplicationsare
accessedthroughaproxyserver,onlysecuritypoliciesdefined
fortheproxyIPaddressandportareapplied.

146 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectClients GlobalProtectClientlessVPN

Troubleshoot Clientless VPN

GlobalProtectClientlessVPNisafeaturethatiscurrentlyavailableinpublicbeta.Becausethisfeature
involvesdynamicrewritingofHTMLapplications,theHTMLcontentforsomeapplicationsmaynot
rewritecorrectlyandbreaktheapplication.Ifissuesoccur,usethecommandsinthefollowingtabletohelp
youidentifythelikelycause:

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 147


GlobalProtectClientlessVPN GlobalProtectClients

Table:UsefulCommandstoTroubleshootClientlessVPN

Action Command

CLI Commands

List the version of pancpe@cagp> show system setting ssl-decrypt memory


Clientless VPN dynamic proxy uses shared allocator
content being used SSL certificate cache:
Youcanalsoview Current Entries: 61
thedynamicupdate Allocated 2077, Freed 2016
versionfromthe Current CRE (58-13) : 2432 KB (Actual 2296 KB)
Device > Dynamic Last CRE (58-12) : 2432 KB (Actual 2291 KB)
Updates >
GlobalProtect
Inthisexample,thecurrentdynamicupdateisversion5813,andthelastinstalled
Clientless VPN.
dynamicupdateisversion5812.

List active (current) users pancpe@cagp> show global-protect-portal current-user portal


of Clientless VPN GPClientLessPortal filter-user all-users

GlobalProtect Portal : GPClientlessPortal


Vsys-Id : 1
User : paloaltonetworks.com\johndoe
Session-id :
1SU2vrPIDfdopGf-7gahMTCiX8PuL0S0
Client-IP : 199.167.55.50
Inactivity Timeout : 1800
Seconds before inactivity timeout : 1630
Login Lifetime : 10800
Seconds before login lifetime : 10629

Total number of user sessions: 1


Show DNS resolution pancpe@cagp> show system setting ssl-decrypt dns-cache
results
This can be useful to Total DNS cache entries: 89
determine if there are DNS Site IP Expire(secs)
issues. If there is a DNS Interface
issue, you will notice bugzilla.paloaltonetworks.local 10.0.2.15 querying
querying against an FQDN 0
that was not resolvable in www.google.com 216.58.216.4 Expired 0
the CLI output.
stats.g.doubleclick.net 74.125.199.154 Expired
0
ShowallClientlessVPN pancpe@cagp> show system setting ssl-decrypt gp-cookie-cache
usersessionsandcookies
stored User: johndoe, Session-id: 1SU2vrPIDfdopGf-7gahMTCiX8PuL0S0,
Client-ip: 199.167.55.50

148 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectClients GlobalProtectClientlessVPN

Action Command

Show rewrite-stats pancpe@cagp> show system setting ssl-decrypt rewrite-stats


Thisisusefultoidentify
thehealthoftheClientless Rewrite Statistics
VPNrewriteengine. initiate_connection : 11938
RefertoTable:Rewrite setup_connection : 11909
EngineStatisticsfor session_notify_mismatch : 1
informationonrewrite reuse_connection : 37
statisticsandtheirmeaning file_end : 4719
orpurpose.
packet : 174257
packet_mismatch_session : 1
peer_queue_update_rcvd : 167305
peer_queue_update_sent : 167305
peer_queue_update_rcvd_failure: 66
setup_connection_r : 11910
packet_mismatch_session_r : 22
pkt_no_dest : 23
cookie_suspend : 2826
cookie_resume : 2826
decompress : 26
decompress_freed : 26
dns_resolve_timeout : 27
stop_openend_response : 43
received_fin_for_pending_req : 26
Destination Statistics
To mp : 4015
To site : 12018
To dp : 17276
Return Codes Statistics
ABORT : 18
RESET : 30
PROTOCOL_UNSUPPORTED : 7
DEST_UNKNOWN : 10
CODE_DONE : 52656
DATA_GONE : 120359
SWITCH_PARSER : 48
INSERT_PARSER : 591
SUSPEND : 2826
Total Rewrite Bytes : 611111955
Total Rewrite Useconds : 6902825
Total Rewrite Calls : 176545
Debug Commands

Enable debug logs on the debug dataplane packet-diag set log feature ssl all
firewall running Clientless debug dataplane packet-diag set log feature misc all
VPN Portal debug dataplane packet-diag set log feature proxy all
debug dataplane packet-diag set log feature flow basic
debug dataplane packet-diag set log on

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 149


GlobalProtectClientlessVPN GlobalProtectClients

Table:RewriteEngineStatistics

Statistic Description

initiate_connection_failure Connectioninitiationfailedtobackendhost

setup_connection_failure Connectionsetupfailed

setup_connection_duplicate Duplicatepeersessionexists

session_notify_mismatch Mostlyinvalidsession

packet_mismatch_session Failedtofindrightsessionforincomingpacket

peer_queue_update_rcvd_failure Sessionwasinvalidwhenpacketupdatereceivedbypeer

peer_queue_update_sent_failure Failedtosendpacketupdatestopeerorfailedtosendpacketqueuelength
updatestopeer

exceed_pkt_queue_limit Toomanypacketsqueued

proxy_connection_failure Proxyconnectionfailed

setup_connection_r Installingthepeersessiontotheapplicationserver.Thisvalueshouldmatchthe
valuesforinitiate_connectionandsetup_connection.

setup_connection_duplicate_r Duplicatesessionsalreadyinproxy

setup_connection_failure_r Failedtosetupthepeersession

session_notify_mismatch_r Peersessionnotfound

packet_mismatch_session_r Peersessionnotfoundwhentryingtogetthepacket

exceed_pkt_queue_limit_r Toomanypacketsheld

unknown_dest Failedtofinddestinationhost

pkt_no_dest Nodestinationforthispacket

cookie_suspend Suspendedsessiontofetchcookies

cookie_resume ReceivedresponsefromMPwithupdatedcookies.Thisvaluegenerallymatches
thevalueofcookie_suspend.

decompress_failure Failedtodecompress

memory_alloc_failure Failedtoallocatememory

wait_for_dns_resolve SuspendedsessiontoresolveDNSrequests

dns_resolve_reschedule RescheduledDNSqueryduetonoresponse(retrybeforetimeout)

dns_resolve_timeout DNSquerytimeout

setup_site_conn_failure Failedtosetupconnectiontosite(proxy,DNS)

site_dns_invalid DNSresolvefailed

multiple_multipart Multipartcontenttypeprocessed

site_from_referer Receivedthebackendhostfromreferrer.Thiscanindicatefailedrewritelinks
fromflashorothercontentwhichClientlessVPNdoesnotrewrite.

150 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectClients GlobalProtectClientlessVPN

Statistic Description

received_fin_for_pending_req ReceivedFINfromserverforpendingrequestfromclient

unmatched_http_state UnexpectedHTTPcontent.Thiscanindicateanissueparsingthehttpheadersor
body.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 151


EnableDeliveryofGlobalProtectClientVSAstoaRADIUSServer GlobalProtectClients

EnableDeliveryofGlobalProtectClientVSAstoaRADIUS
Server

WhencommunicatingwithGlobalProtectportalsorgateways,GlobalProtectclientssendinformationthat
includestheclientIPaddress,operatingsystem(OS),hostname,userdomain,andGlobalProtectagent/app
version.YoucanenablethefirewalltosendthisinformationasVendorSpecificAttributes(VSAs)toa
RADIUSserverduringauthentication(bydefault,thefirewalldoesnotsendtheVSAs).RADIUS
administratorscanthenperformadministrativetasksbasedonthoseVSAs.Forexample,RADIUS
administratorsmightusetheclientOSattributetodefineapolicythatmandatesregularpassword
authenticationforMicrosoftWindowsusersandonetimepassword(OTP)authenticationforGoogle
Androidusers.
Thefollowingareprerequisitesforthisprocedure:
ImportthePaloAltoNetworksRADIUSdictionaryintoyourRADIUSserver.
ConfigureaRADIUSserverprofileandassignittoanauthenticationprofile:seeSetUpExternal
Authentication.
AssigntheauthenticationprofiletoaGlobalProtectportalorgateway:seeSetUpAccesstothe
GlobalProtectPortalorConfigureaGlobalProtectGateway.

EnableDeliveryofGlobalProtectClientVSAstoaRADIUSServer

Step1 LogintothefirewallCLI.

Step2 EnterthecommandforeachVSAyouwanttosend.
username@hostname> set authentication radius-vsa-on client-source-ip
username@hostname> set authentication radius-vsa-on client-os
username@hostname> set authentication radius-vsa-on client-hostname
username@hostname> set authentication radius-vsa-on user-domain
username@hostname> set authentication radius-vsa-on client-gp-version
IfyoulaterwanttostopthefirewallfromsendingparticularVSAs,runthesamecommandsbutusethe
radius-vsa-offoptioninsteadofradius-vsa-on.

152 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectClients Reference:GlobalProtectAgentCryptographicFunctions

Reference:GlobalProtectAgentCryptographicFunctions

TheGlobalProtectagentusestheOpenSSLlibrary1.0.1htoestablishsecurecommunicationwiththe
GlobalProtectportalandGlobalProtectgateways.ThefollowingtablelistseachGlobalProtectagent
functionthatrequiresacryptographicfunctionandthecryptographickeystheGlobalProtectagentuses:

CryptoFunction Key Usage

Winhttp (Windows) and Dynamickeynegotiatedbetween UsedtoestablishtheHTTPSconnection


NSURLConnection (MAC) theGlobalProtectagentandthe betweentheGlobalProtectagentandthe
GlobalProtectportaland/orgateway GlobalProtectportalandGlobalProtect
aes256sha
forestablishingtheHTTPS gatewayforauthentication.
connection.

OpenSSL Dynamickeynegotiatedbetween UsedtoestablishtheSSLconnection


theGlobalProtectagentandthe betweentheGlobalProtectagentandthe
aes256sha
GlobalProtectgatewayduringthe GlobalProtectgatewayforHIPreport
SSLhandshake. submission,SSLtunnelnegotiation,and
networkdiscovery.

IPSec encryption and authentication Thesessionkeysentfromthe UsedtoestablishtheIPSectunnel


GlobalProtectgateway. betweentheGlobalProtectagentandthe
aes128sha1,aes128cbc,
GlobalProtectgateway.Usethestrongest
aes128gcm,andaes256gcm algorithmsupportedbyyournetwork
(AESGCMisrecommended).
Toprovidedataintegrityandauthenticity
protection,theaes128cbccipher
requiresthesha1authentication
algorithm.BecauseAESGCMencryption
algorithms(aes128gcmand
aes256gcm)nativelyprovideESP
integrityprotection,thesha1
authenticationalgorithmisignoredfor
thesecipherseventhoughitisrequired
duringconfiguration.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 153


Reference:GlobalProtectAgentCryptographicFunctions GlobalProtectClients

154 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


MobileEndpointManagement
MobileEndpointManagementOverview
SetUpaMobileEndpointManagementSystem
DeploytheGlobalProtectMobileAppUsingAirWatch
ManagetheGlobalProtectAppUsingAirWatch
ManagetheGlobalProtectAppUsingaThirdPartyMDM

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 155


MobileEndpointManagementOverview MobileEndpointManagement

MobileEndpointManagementOverview

Asmobileendpointsbecomemorepowerful,endusersincreasinglyrelyonthemtoperformbusinesstasks.
However,thesesameendpointsthataccessyourcorporatenetworkalsoconnecttotheinternetwithout
protectionagainstthreatsandvulnerabilities.Byusingathirdpartymobileendpointmanagementsystem
suchasamobiledevicemanagement(MDM)orenterprisemobilitymanagement(EMM)systemyoucan
easilymanagebothcompanyprovisionedandemployeeowneddevices(suchasinaBYODenvironment).

Amobileendpointmanagementsystemsimplifiestheadministrationofmobileendpointsbyenablingyouto
automaticallydeployyourcorporateaccountconfigurationandVPNsettingstocompliantendpoints.You
canalsouseyourmobileendpointmanagementsystemforremediationofsecuritybreachesbyinteracting
withanendpointthathasbeencompromised.Thisprotectsbothcorporatedataaswellaspersonalenduser
data.Forexample,ifanenduserlosesanendpoint,youcanremotelylocktheendpointfromthemobile
endpointmanagementsystemorevenwipetheendpoint(eithercompletelyorselectively).
Inadditiontotheaccountprovisioningandremotedevicemanagementfunctionsthatamobileendpoint
managementsystemcanprovide,whenintegratedwithyourexistingGlobalProtectVPNinfrastructure,
youusehostinformationthattheendpointreportstoenforcesecuritypoliciesforaccesstoappsthrough
theGlobalProtectgateway.YoucanalsousethemonitoringtoolsthatarebuiltintothePaloAlto
nextgenerationfirewalltomonitormobileendpointtraffic.

156 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


MobileEndpointManagement SetUpaMobileEndpointManagementSystem

SetUpaMobileEndpointManagementSystem

Tosetupamobileendpointmanagementsystem,usethefollowingworkflow:

SetUpanEndpointManagementSystem

Step1 SetuptheGlobalProtectInfrastructure. 1. CreateInterfacesandZonesforGlobalProtect.


2. EnableSSLBetweenGlobalProtectComponents.
3. SetupGlobalProtectUserAuthentication.Referto
AboutGlobalProtectUserAuthentication.
4. EnableGroupMapping.
5. ConfigureaGlobalProtectGateway.
6. ActivateLicensesforeachfirewallrunninga
gateway(s)thatsupportstheGlobalProtectappon
mobileendpoints.
7. SetUpAccesstotheGlobalProtectPortal.

Step2 Setupthemobileendpointmanagementsystem Seetheinstructionsforyourmobileendpoint


anddecidewhethertosupportonly managementsystem,mobiledevicemanagement(MDM)
corporateissuedendpointsorboth system,orenterprisemobilitymanagement(EMM)
corporateissuedandpersonalendpoints. system.

Step3 ObtaintheGlobalProtectappformobile AppstoreDownloadandInstalltheGlobalProtect


endpoints. MobileApp
AirWatchDeploytheGlobalProtectMobileAppUsing
AirWatch
Otherthirdpartymobileendpointmanagement
systemSeetheinstructionsfromyourvendoronhow
todeployappstomanagedendpoints.

Step4 ConfigureVPNsettingsfortheGlobalProtect ManagetheGlobalProtectAppUsingAirWatch


app. ManagetheGlobalProtectAppUsingaThirdParty
MDM

Step5 Configurepolicesthattargetmobileendpoints ConfigureHIPBasedPolicyEnforcementformanaged


usinghostinformation. endpoints.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 157


ManagetheGlobalProtectAppUsingAirWatch MobileEndpointManagement

ManagetheGlobalProtectAppUsingAirWatch

DeploytheGlobalProtectMobileAppUsingAirWatch
ConfiguretheGlobalProtectAppforiOSUsingAirWatch
ConfiguretheGlobalProtectAppforAndroidUsingAirWatch
ConfiguretheGlobalProtectAppforWindows10UWPUsingAirWatch

Deploy the GlobalProtect Mobile App Using AirWatch

TheGlobalProtectappprovidesasimplewaytoextendtheenterprisesecuritypoliciesouttomobile
endpoints.AswithotherremotehostsrunningtheGlobalProtectagent,themobileappprovidessecure
accesstoyourcorporatenetworkoveranIPSecorSSLVPNtunnel.Theappconnectstothegatewaythat
isclosesttotheenduserscurrentlocation.Inaddition,traffictoandfromthemobileendpointis
automaticallysubjecttothesamesecuritypolicyenforcementasotherhostsonyourcorporatenetwork.
LiketheGlobalProtectagent,theappcollectsinformationaboutthehostconfigurationandcanusethis
informationforenhancedHIPbasedsecuritypolicyenforcement.
TherearetwoprimarymethodsforinstallingtheGlobalProtectapp:Youcanyoucaninstalltheappdirectly
fromtheappstoreforyourendpoint(seeDownloadandInstalltheGlobalProtectMobileApp);or,deploy
theappfromathirdpartymobileendpointmanagementsystem(suchasAirWatch)andtransparentlypush
theapptoyourmanagedendpoints.
WithAirWatch,youcandeploytheGlobalProtectapptomanagedendpointsthathaveenrolledwith
AirWatch.EndpointsrunningiOSorAndroidmustdownloadtheAirWatchagenttoenrollwiththeAirWatch
EDM.Windows10endpointsdonotrequiretheAirWatchagentbutrequireyoutoconfigureenrollmenton
theendpoint.Afteryoudeploytheapp,configureanddeployaVPNprofiletosetuptheGlobalProtectapp
fortheenduserautomatically.

DeploytheGlobalProtectAppfromAirWatch

Step1 Beforeyoubegin,ensurethattheendpointstowhichyouwanttodeploytheGlobalProtectappareenrolled
withAirWatch:
AndroidandiOSDownloadtheAirWatchagentandfollowingthepromptstoenroll.
WindowsPhoneandWindows10UWPConfiguretheWindows10UWPendpointtoenrollwith
AirWatch(fromtheendpoint,selectSettings > Accounts > Work access > Connect).

Step2 FromAirWatch,selectApps & Books > Public > Add Application.

Step3 Selecttheorganizationgroupbywhichthisappwillbemanaged.

Step4 SelectthePlatform,eitherApple iOS,Android,orWindows Phone.

Step5 SearchfortheappintheappstorefortheendpointorentertheURLoftheGlobalProtectapppage:
Apple iOShttps://itunes.apple.com/us/app/globalprotect/id592489989?mt=8&uo=4
Androidhttps://play.google.com/store/apps/details?id=com.paloaltonetworks.globalprotect
Windows Phonehttps://www.microsoft.com/store/apps/9NBLGGH6BZL3

158 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


MobileEndpointManagement ManagetheGlobalProtectAppUsingAirWatch

DeploytheGlobalProtectAppfromAirWatch(Continued)

Step6 ClickNext.Ifyouchosetosearchfortheapptheappstorefortheendpoint,youmustalsoSelecttheapp
fromalistofsearchresults.
IfyouchosetosearchfortheGlobalProtectappforAndroidanddidnotseetheappinthelist,contact
yourAndroidforWorkadministratortoaddGlobalProtecttothelistofapprovedcompanyapps.

Step7 OntheAssignmenttab,selectAssigned Smart Groupsthatwillhaveaccesstothisapp.

Step8 OntheDeploymenttab,selectthePush Mode,eitherAutoorOn Demand.

Step9 SelectSave & PublishtopushtheAppCatalogtotheendpointsintheSmartGroupsyouassignedinthe


Assignmentsection.

Step10 Nextsteps:
ConfiguretheGlobalProtectAppforiOSUsingAirWatch
ConfiguretheGlobalProtectAppforAndroidUsingAirWatch
ConfiguretheGlobalProtectAppforWindows10UWPUsingAirWatch

Configure the GlobalProtect App for iOS Using AirWatch

AirWatchisanEnterpriseMobilityManagementPlatformthatenablesyoutomanagemobileendpoints,
fromacentralconsole.TheGlobalProtectappprovidesasecureconnectionbetweenAirWatchmanaged
mobileendpointsandthefirewallateitherthedeviceorapplicationlevel.UsingGlobalProtectasthesecure
connectionallowsconsistentinspectionoftrafficandenforcementofnetworksecuritypolicyforthreat
preventiononthemobileendpoint.
ConfigureaDeviceLevelVPNConfigurationforiOSDevicesUsingAirWatch
ConfigureaPerAppVPNConfigurationforiOSDevicesUsingAirWatch

ConfigureaDeviceLevelVPNConfigurationforiOSDevicesUsingAirWatch

YoucaneasilyenableaccesstointernalresourcesfromyourmanagedmobileendpointsbyconfiguringVPN
accessusingAirWatch.InadevicelevelVPNconfiguration,yourouteallofthetrafficthatmatchesthe
accessroutesconfiguredontheGlobalProtectgatewaythroughtheGlobalProtectVPN.

ConfigureaDeviceLevelVPNConfigurationforiOSDevicesUsingAirWatch

Step1 DownloadtheGlobalProtectappforiOS.
DeploytheGlobalProtectMobileAppUsingAirWatch.
DownloadtheGlobalProtectappdirectlyfromtheAppStore.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 159


ManagetheGlobalProtectAppUsingAirWatch MobileEndpointManagement

ConfigureaDeviceLevelVPNConfigurationforiOSDevicesUsingAirWatch(Continued)

Step2 FromtheAirWatchconsole,modifyoraddanewAppleiOSprofile.
1. NavigatetoDevices > Profiles > List View.
2. SelectanexistingprofiletoaddtheVPNconfigurationtoitoraddanewone(selectAdd > Apple iOS).
3. ConfigureGeneralprofilesettings:
DescriptionAbriefdescriptionoftheprofilethatindicatesitspurpose.
DeploymentDeterminesiftheprofilewillbeautomaticallyremoveduponunenrollment,eitherManaged
(theprofileisremoved)orManual(theprofileremainsinstalleduntilremovedbytheenduser).
Assignment TypeDetermineshowtheprofileisdeployedtoendpoints.SelectAutotodeploytheprofile
toallendpointsautomatically,Optional toenabletheendusertoinstalltheprofilefromtheSelfService
Portal(SSP)ortomanuallydeploytheprofiletoindividualendpoints,orCompliancetodeploytheprofile
whenanenduserviolatesacompliancepolicyapplicabletotheendpoint.
Managed ByTheOrganizationGroupwithadministrativeaccesstotheprofile.
Assigned Smart GroupTheSmartGrouptowhichyouwantthedeviceprofileadded.Includesanoption
tocreateanewSmartGroupwhichcanbeconfiguredwithspecsforminimumOS,devicemodels,
ownershipcategories,organizationgroupsandmore.
Allow RemovalDetermineswhetherornottheprofilecanberemovedbytheendpoint'senduser.Select
Alwaystoenabletheendusertomanuallyremovetheprofileatanytime,Nevertopreventtheenduser
fromremovingtheprofilefromtheendpoint,orWith Authorizationtoenabletheendusertoremovethe
profilewiththeauthorizationoftheadministrator.ChoosingWith AuthorizationaddsarequiredPassword.
ExclusionsIfYesisselected,anewfieldExcluded Smart Groupsdisplays,enablingyoutoselectthose
SmartGroupsyouwishtoexcludefromtheassignmentofthisdeviceprofile.

Step3 ToconfiguretheVPNsettings,selectVPNandthenclickConfigure.

Step4 Configureconnectioninformation,including:
Connection NameEnterthenameoftheconnectionnametobedisplayed.
Connection TypeSelectPalo Alto Networks GlobalProtectasthenetworkconnectionmethod.
ServerEnterthehostnameorIPaddressoftheGlobalProtectportaltowhichtoconnect.
AccountEntertheusernameoftheVPNaccountorclickadd(+)toviewsupportedlookupvaluesyou
caninsert.
AuthenticationChoosethemethodtoauthenticateendusers.Followtherelatedpromptstoentera
PasswordoruploadanIdentity Certificatetousetoauthenticateusers;Or,ifyouselectedPassword +
Certificate,followtherelatedpromptsforboth.

Step5 Save & Publishyourchanges.

ConfigureaPerAppVPNConfigurationforiOSDevicesUsingAirWatch

Youcaneasilyenableaccesstointernalresourcesfromyourmanagedmobileendpointsbyconfiguring
GlobalProtectVPNaccessusingAirWatch.InaperappVPNconfiguration,youcanspecifywhichmanaged
appsontheendpointcansendtrafficthroughtheGlobalProtectVPNtunnel.Unmanagedappswillcontinue
toconnectdirectlytotheInternetinsteadofthroughtheGlobalProtectVPNtunnel.

ConfigureaPerAppVPNConfigurationforiOSDevicesUsingAirWatch

Step1 DownloadtheGlobalProtectappforiOS:
DeploytheGlobalProtectMobileAppUsingAirWatch.
DownloadtheGlobalProtectappdirectlyfromtheAppStore.

160 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


MobileEndpointManagement ManagetheGlobalProtectAppUsingAirWatch

ConfigureaPerAppVPNConfigurationforiOSDevicesUsingAirWatch(Continued)

Step2 FromtheAirWatchconsole,modifyoraddanewAppleiOSprofile:
1. NavigatetoDevices > Profiles > List View.
2. SelectanexistingprofiletoaddtheVPNconfigurationtoitoraddanewone(selectAdd > Apple iOS).

Step3 ConfigureGeneralprofilesettings:
DescriptionAbriefdescriptionoftheprofilethatindicatesitspurpose.
DeploymentDeterminesiftheprofilewillbeautomaticallyremoveduponunenrollment,eitherManaged
(theprofileisremoved)orManual(theprofileremainsinstalleduntilremovedbytheenduser).
Assignment TypeDetermineshowtheprofileisdeployedtoendpoints.SelectAutotodeploytheprofile
toallendpointsautomatically,Optional toenabletheendusertoinstalltheprofilefromtheSelfService
Portal(SSP)ortomanuallydeploytheprofiletoindividualendpoints,orCompliancetodeploytheprofile
whenanenduserviolatesacompliancepolicyapplicabletotheendpoint.
Managed ByTheOrganizationGroupwithadministrativeaccesstotheprofile.
Assigned Smart GroupTheSmartGrouptowhichyouwantthedeviceprofileadded.Includesanoption
tocreateanewSmartGroupwhichcanbeconfiguredwithspecsforminimumOS,devicemodels,
ownershipcategories,organizationgroupsandmore.
Allow RemovalDetermineswhetherornottheprofilecanberemovedbytheendpoint'senduser.Select
Alwaystoenabletheendusertomanuallyremovetheprofileatanytime,Nevertopreventtheenduser
fromremovingtheprofilefromtheendpoint,orWith Authorizationtoenabletheendusertoremovethe
profilewiththeauthorizationoftheadministrator.ChoosingWith AuthorizationaddsarequiredPassword.
ExclusionsIfYesisselected,anewfieldExcluded Smart Groupsdisplays,enablingyoutoselectthose
SmartGroupsyouwishtoexcludefromtheassignmentofthisdeviceprofile.

Step4 ToconfiguretheperappVPNsettingsintheAppleiOSprofile,selectVPNandthenclickConfigure.

Step5 Configureconnectioninformation,including:
Connection NameEnterthenameoftheconnectionnametobedisplayed.
Connection TypeSelectPalo Alto Networks GlobalProtectasthenetworkconnectionmethod.
ServerEnterthehostnameorIPaddressoftheGlobalProtectportaltowhichtoconnect.
AccountEntertheusernameoftheVPNaccountorclickadd(+)toviewsupportedlookupvaluesthat
youcaninsert.
Send All TrafficSelectthischeckboxtoforcealltrafficthroughthespecifiednetwork.
Disconnect on IdleAllowtheVPNtoautodisconnectafteraspecificamountoftime.
EnablePer App VPNtorouteallofthetrafficforamanagedapptrafficthroughtheGlobalProtectVPN.
Connect AutomaticallySelectthischeckboxtoallowtheVPNtoconnectautomaticallytochosenSafari
Domains.

Step6 Configuretheauthenticationmethodtousetoauthenticateusers.ForperappVPN,youmustuse
certificatebasedauthentication.SelectUser Authentication: Certificate,andthenfollowthepromptsto
uploadanIdentity Certificatetouseforauthentication.

Step7 SelecteitherManualorAuto Proxytypeandenterthespecificinformationneeded.

Step8 ClickSave & Publish.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 161


ManagetheGlobalProtectAppUsingAirWatch MobileEndpointManagement

ConfigureaPerAppVPNConfigurationforiOSDevicesUsingAirWatch(Continued)

Step9 ConfigureperappVPNsettingsforanewmanagedapp,ormodifythesettingsforanexistingmanagedapps.
AfterconfiguringthesettingsfortheappandenablingperappVPN,youcanpublishtheapptoagroupof
usersandenabletheapptosendtrafficthroughtheGlobalProtectVPNtunnel.
1. Onthemainpage,selectApps & Books > Public.
2. Toaddanewapp,selectAdd Application.Or,tomodifythesettingsofanexistingapp,locatethe
GlobalProtectappinthelistofPublicappsandthenselecttheediticon intheactionsmenunexttothe
row.
3. Selecttheorganizationgroupbywhichthisappwillbemanaged.
4. SelectApple iOSasthePlatform.
5. Selectyourpreferredmethodforlocatingtheapp,eitherbysearchingtheAppStore(byName),or
specifyingaURLfortheappintheAppStore(forexample,toaddtheBoxapp,enter
https://itunes.apple.com/us/app/boxforiphoneandipad/id290853822?mt=8&uo=4),andthenclick
Next.IfyouchoosetosearchtheAppStore,youmustSelecttheappfromthelistofsearchresults.
6. OntheAssignmenttab,selectAssigned Smart Groupsthatwillhaveaccesstothisapp.
7. OntheDeploymenttab,selectthePush Mode,eitherAutoorOn Demand.
8. SelectUse VPNandthenselecttheAppleiOSprofilethatyoucreatedearlierinthisworkflow.
OnlyprofilesthathaveperappVPNenabledareavailablefromthedropdown.

9. SelectSave & PublishtopushtheAppCatalogtotheendpointsintheSmartGroupsyouassignedinthe


Assignmentsection.

Configure the GlobalProtect App for Android Using AirWatch

YoucanusetheGlobalProtectAppforAndroidwithAirWatchagent6.0andlaterreleases.TheAirWatch
agentinterfaceswithAirWatchtomanageAndroidendpoints.UsingtheGlobalProtectappforAndroidas
thesecureconnectionbetweentheendpointandthefirewallallowsconsistentinspectionoftrafficand
enforcementofnetworksecuritypolicyforthreatprevention.TheGlobalProtectappcanprovideasecure
connectionateitherthedeviceorapplicationlevel.
ConfigureaDeviceLevelVPNConfigurationforAndroidDevicesUsingAirWatch
ConfigureaPerAppVPNConfigurationforAndroidDevicesUsingAirWatch
EnableAppScanIntegrationwithWildFire

ConfigureaDeviceLevelVPNConfigurationforAndroidDevicesUsingAirWatch

YoucaneasilyenableaccesstointernalresourcesfromyourmanagedAndroidmobileendpointsby
configuringVPNaccessusingAirWatch.InadevicelevelVPNconfiguration,yourouteallofthetrafficthat
matchestheaccessroutesconfiguredontheGlobalProtectgatewaythroughtheGlobalProtectVPN.

ConfigureaDeviceLevelVPNConfigurationforAndroidDevicesUsingAirWatch

Step1 DownloadtheGlobalProtectappforAndroid:
DeploytheGlobalProtectMobileAppUsingAirWatch.
DownloadtheGlobalProtectappdirectlyfromGooglePlay.

162 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


MobileEndpointManagement ManagetheGlobalProtectAppUsingAirWatch

ConfigureaDeviceLevelVPNConfigurationforAndroidDevicesUsingAirWatch(Continued)

Step2 FromtheAirWatchconsole,modifyoraddanewAndroidprofile.
1. NavigatetoDevices > Profiles > List View.
2. SelectanexistingprofiletowhichtoaddtheVPNconfigurationoraddanewone(selectAdd > Add Profile).
3. SelectAndroid astheplatformandDevice astheconfigurationtype.

Step3 ConfigureGeneralprofilesettings:
NameProvideameaningfulnameforthisconfiguration.
VersionThisfieldisautopopulatedwiththelatestversionnumberoftheconfigurationprofile.
DescriptionAbriefdescriptionoftheprofilethatindicatesitspurpose.
Profile ScopeScopeforthisprofile,eitherProduction,Staging,orBoth.
Assignment TypeDetermineshowtheprofileisdeployedtoendpoints.SelectAutotodeploytheprofile
toallendpointsautomatically,Optional toenabletheendusertoinstalltheprofilefromtheSelfService
Portal(SSP)ortomanuallydeploytheprofiletoindividualendpoints,orCompliancetodeploytheprofile
whenanenduserviolatesacompliancepolicyapplicabletotheendpoint.
Managed ByTheOrganizationGroupwithadministrativeaccesstotheprofile.
Assigned Smart GroupTheSmartGrouptowhichyouwantthedeviceprofileadded.Includesanoption
tocreateanewSmartGroupwhichcanbeconfiguredwithspecsforminimumOS,devicemodels,
ownershipcategories,organizationgroupsandmore.
Allow RemovalDetermineswhetherornottheprofilecanberemovedbytheendpoint'senduser.Select
Alwaystoenabletheendusertomanuallyremovetheprofileatanytime,Nevertopreventtheenduser
fromremovingtheprofilefromtheendpoint,orWith Authorizationtoenabletheendusertoremovethe
profilewiththeauthorizationoftheadministrator.ChoosingWith AuthorizationaddsarequiredPassword.
ExclusionsIfYesisselected,anewfieldExcluded Smart Groupsdisplays,enablingyoutoselectthose
SmartGroupsyouwishtoexcludefromtheassignmentofthisdeviceprofile.

Step4 Save and PublishthisprofiletotheassignedSmartGroups.

Step5 ToconfiguretheVPNsettings,selectVPNandthenclickConfigure.

Step6 ConfigureConnection Info,including:


Connection TypeSelectGlobalProtectasthenetworkconnectionmethod.
Connection NameEnterthenameoftheconnectionnamethattheendpointwilldisplay.
ServerEnterthehostnameorIPaddressoftheGlobalProtectportaltowhichtoconnect.

Step7 ConfigureAuthenticationinformation:
1. Choosethemethodtoauthenticateendusers:PasswordorCertificate.
2. EntertheUsernameoftheVPNaccountorclickadd(+)toviewsupportedlookupvaluesthatyoucan
insert.
3. EnteraPasswordoruploadanIdentity CertificatethatGlobalProtectwillusetoauthenticateusers.

Step8 Save & PublishthisprofiletotheassignedSmartGroups.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 163


ManagetheGlobalProtectAppUsingAirWatch MobileEndpointManagement

ConfigureaPerAppVPNConfigurationforAndroidDevicesUsingAirWatch

Youcaneasilyenableaccesstointernalresourcesfromyourmanagedmobileendpointsbyconfiguring
GlobalProtectVPNaccessusingAirWatch.InaperappVPNconfiguration,youcanspecifywhichmanaged
appsontheendpointcansendtrafficthroughtheGlobalProtectVPNtunnel.Unmanagedappswillcontinue
toconnectdirectlytotheInternetinsteadofthroughtheGlobalProtectVPNtunnel.

ConfigureaPerAppVPNConfigurationforAndroidDevicesUsingAirWatch

Step1 DownloadtheGlobalProtectappforAndroid:
DeploytheGlobalProtectMobileAppUsingAirWatch.
DownloadtheGlobalProtectappdirectlyfromGooglePlay.

Step2 FromtheAirWatchconsole,modifyoraddanewAndroidprofile.
1. NavigatetoDevices > Profiles > List View.
2. SelectanexistingprofiletowhichtoaddtheVPNconfigurationoraddanewone(selectAdd > Add
Profile).
3. SelectAndroid astheplatformandDevice astheconfigurationtype.

Step3 ConfigureGeneralprofilesettings:
NameProvideameaningfulnameforthisconfiguration.
VersionThisfieldisautopopulatedwiththelatestversionnumberoftheconfigurationprofile.
DescriptionAbriefdescriptionoftheprofilethatindicatesitspurpose.
Profile ScopeScopeforthisprofile,eitherProduction,Staging,orBoth.
Assignment TypeDetermineshowtheprofileisdeployedtoendpoints.SelectAutotodeploytheprofile
toallendpointsautomatically,Optional toenabletheendusertoinstalltheprofilefromtheSelfService
Portal(SSP)ortomanuallydeploytheprofiletoindividualendpoints,orCompliancetodeploytheprofile
whenanenduserviolatesacompliancepolicyapplicabletotheendpoint.
Managed ByTheOrganizationGroupwithadministrativeaccesstotheprofile.
Assigned Smart GroupTheSmartGrouptowhichyouwantthedeviceprofileadded.Includesanoption
tocreateanewSmartGroupwhichcanbeconfiguredwithspecsforminimumOS,devicemodels,
ownershipcategories,organizationgroupsandmore.
Allow RemovalDetermineswhetherornottheprofilecanberemovedbytheendpoint'senduser.Select
Alwaystoenabletheendusertomanuallyremovetheprofileatanytime,Nevertopreventtheenduser
fromremovingtheprofilefromtheendpoint,orWith Authorizationtoenabletheendusertoremovethe
profilewiththeauthorizationoftheadministrator.ChoosingWith Authorizationaddsarequired
Password.
ExclusionsWhenyouselectYes,theAirWatchconsoledisplaysanExcluded Smart Groupsfieldwhich
youcanusetoselectthoseSmartGroupsyouwishtoexcludefromtheassignmentofthisdeviceprofile.

Step4 Save and PublishthisprofiletotheassignedSmartGroups.

Step5 ToconfiguretheVPNsettings:
1. SelectVPNandthenclickConfigure.
2. ConfigureConnection Info,including:
Connection TypeSelectGlobalProtectasthenetworkconnectionmethod.
Connection NameEnterthenameoftheconnectionnamethattheendpointwilldisplay.
ServerEnterthehostnameorIPaddressoftheGlobalProtectportaltowhichtoconnect.
EnablePer App VPNtorouteallofthetrafficforamanagedapptrafficthroughtheGlobalProtectVPN.
3. Selecttheauthenticationmethodtousetoauthenticateusers.ForperappVPN,youmustuse
certificatebasedauthentication.SelectUser Authentication: Certificate,andthenfollowthepromptsto
uploadanIdentity Certificatetouseforauthentication.
4. Save & PublishthisprofiletotheassignedSmartGroups.

164 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


MobileEndpointManagement ManagetheGlobalProtectAppUsingAirWatch

ConfigureaPerAppVPNConfigurationforAndroidDevicesUsingAirWatch(Continued)

Step6 ConfigureperappVPNsettingsforanewmanagedapp,ormodifythesettingsforanexistingmanagedapps:
1. Onthemainpage,selectApps & Books > Applications > List View > Public.
2. Toaddanewapp,selectAdd Application.Or,tomodifythesettingsofanexistingapp,locatetheappin
thelistofPublicappsandthenselecttheediticon intheactionsmenunexttotherow.
3. Selecttheorganizationgroupbywhichthisappwillbemanaged.
4. SelectAndroid asthePlatform.
5. Selectyourpreferredmethodforlocatingtheapp,eitherbyspecifyingaURLorimportingtheappfromthe
appstore(GooglePlay).TosearchbyURL,youmustalsoentertheGooglePlayStoreURLfortheapp(for
example,tosearchfortheBoxappbyURL,enter
https://play.google.com/store/apps/details?id=com.box.android).
6. ClickNext.IfyouchosetoimporttheappfromGooglePlayinthepreviousstep,youmustSelecttheapp
fromthelistofapprovedcompanyapps.Ifyoudonotseetheappinthelist,contactyourAndroidforWork
administratortoapprovetheapp.
7. OntheAssignmenttab,selectAssigned Smart Groupsthatwillhaveaccesstothisapp.
8. OntheDeploymenttab,selectthePush Mode,eitherAutoorOn Demand.
9. SelectUse VPNandthenselecttheAndroidprofilethatyoucreatedearlierinthisworkflow.
OnlyprofilesthathaveperappVPNenabledareavailablefromthedropdown.

10.Save & PublishtheconfigurationtotheassignedSmartGroups.

Step7 ConfigureAuthenticationinformation:
1. Choosethemethodtoauthenticateendusers:PasswordorCertificate.
2. EntertheUsernameoftheVPNaccountorclickadd(+)toviewsupportedlookupvaluesthatyoucan
insert.
3. EnteraPasswordoruploadanIdentity CertificatethatGlobalProtectwillusetoauthenticateusers.

Step8 Save & PublishthisprofiletotheassignedSmartGroups.

EnableAppScanIntegrationwithWildFire

ByenablingAppScaninAirWatch,youcanleverageWildFirethreatintelligenceaboutappstodetect
malwareonAndroidendpoints.Whenenabled,theAirWatchagentsendsthelistofappsthatareinstalled
ontheAndroidendpointtoAirWatch.Thisoccursduringenrollmentandsubsequentlyonanydevice
checkin.AirWatchthenperiodicallyqueriesWildFireforverdictsandcantakecomplianceactiononthe
endpointbasedontheverdict.

EnableAppScanIntegrationwithWildFire

Step1 Beforeyoubegin,obtainaWildFireAPIkey.IfyoudonotalreadyhaveanAPIkey,contactSupport.

Step2 FromAirWatch,selectGroups & Settings > All Settings > Apps > App Scan > Third Party Integration.

Step3 SelectCurrent Setting: Override.

Step4 Select Enable Third Party App Scan AnalysistoenablecommunicationbetweenAirWatchandWildFire.

Step5 ChoosePalo Alto Networks WildFirefromtheChoose App Scan Vendordropdown.

Step6 EnteryourWildFireAPIkey.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 165


ManagetheGlobalProtectAppUsingAirWatch MobileEndpointManagement

EnableAppScanIntegrationwithWildFire(Continued)

Step7 ClickTest ConnectiontoensurethatAirWatchcancommunicatewithWildFire.Ifthetestisnotsuccessful,


verifyconnectivitytotheInternet,reentertheAPIkey,andthentryagain.

Step8 Saveyourchanges.AirWatchschedulesasynchronizationtasktocommunicatewithWildFiretoobtainthe
latestverdictsforapplicationhashesandrunsthetaskatregularintervals.ClickSync Nowtoinitiateamanual
syncwithWildFire.

Configure the GlobalProtect App for Windows 10 UWP Using AirWatch

UsingtheGlobalProtectappforWindows10UWPasthesecureconnectionbetweentheendpointandthe
firewallallowsconsistentinspectionoftrafficandenforcementofnetworksecuritypolicyforthreat
prevention.
TheGlobalProtectappforWindows10UWPsupportsthefollowingconfigurationsusingAirWatch:
PerAppVPNSpecifieswhichmanagedappsontheendpointcansendtrafficthroughthesecure
tunnel.UnmanagedappswillcontinuetoconnectdirectlytotheInternetinsteadofthroughthesecure
connection.
DeviceLevelVPNSendsalltrafficthatmatchesspecificfilters(suchasportandIPaddress)throughthe
VPNirrespectiveofapp.DevicelevelVPNconfigurationsalsosupporttheabilitytoforcethesecure
connectiontobeAlwaysOn.Foreventightersecurityrequirements,youcanenabletheVPN Lockdown
optionwhichbothforcesthesecureconnectiontoalwaysbeonandconnectedanddisablesnetwork
accesswhentheappisnotconnected.ThisconfigurationissimilartotheEnforce GlobalProtect for Network
AccessoptionthatyouwouldtypicallyconfigureinaGlobalProtectportalconfiguration.

BecauseAirWatchdoesnotyetlistGlobalProtectasanofficialconnectionproviderforWindowsendpoints,you
mustselectanalternateVPNprovider,editthesettingsfortheGlobalProtectapp,andimporttheconfiguration
backintotheVPNprofileasdescribedinthefollowingworkflow.

166 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


MobileEndpointManagement ManagetheGlobalProtectAppUsingAirWatch

ConfiguretheGlobalProtectAppforWindows10UWPUsingAirWatch

Step1 DownloadtheGlobalProtectappforWindows10UWP:
DeploytheGlobalProtectMobileAppUsingAirWatch.
DownloadtheGlobalProtectappdirectlyfromtheMicrosoftStore.

Step2 FromtheAirWatchconsole,addanewWindows10UWPprofile:
1. NavigatetoDevices > Profiles > List View.
2. SelectAdd > Add Profile.
3. SelectWindows astheplatformandWindows Phone astheconfigurationtype.
4. ConfigureGeneralprofilesettingssuchasameaningfulNameforthisconfigurationandabriefDescription
oftheprofilethatindicatesitspurpose.
5. Save and PublishthisprofiletotheassignedSmartGroups.

Step3 ToconfiguretheVPNconnectionsettings,selectVPNandthenclickConfigure.

Step4 SelectConfigureConnection Info,including:


Connection NameEnterthenameoftheconnectionnamethattheendpointwilldisplay.
Connection TypeSelectanalternateprovider(donotselectIKEv2,L2TP,PPTP,orAutomaticasthesedo
nothavetheassociatedvendorsettingsrequiredfortheGlobalProtectVPNprofile).
YoumustselectthealternatevendorbecauseAirWatchdoesnotyetlistGlobalProtectasanofficial
connectionproviderforWindowsendpoints.

ServerEnterthehostnameorIPaddressoftheGlobalProtectportaltowhichtoconnect.

Step5 ConfiguretheauthenticationsettingsfortheVPNconnection:
1. SelecttheAuthentication Typetochoosethemethodtoauthenticateendusers.
2. TopermitGlobalProtecttosaveusercredentials,enableRemember CredentialsinthePoliciesarea.

Step6 ConfigureVPNtrafficrulestoapplydevicewideoronaperappbasis:
Add New Per-App VPN RuleSpecifyrulesforspecificlegacyapps(typically.exefiles)ormodernapps
(typicallydownloadedfromtheMicrosoftStore)thatdeterminewhethertoautomaticallyestablishthe
VPNconnectionwhentheappislaunchedandwhethertosendapptrafficthroughtheVPN.Youcanalso
configurespecifictrafficfilterstorouteonlyapptrafficthroughtheVPNifitmatchesmatchcriteriasuch
asIPaddressandport.
Add New Device-Wide VPN RuleSpecifyroutingfilterstosendtrafficmatchingaspecificroutethrough
theVPN.Theserulesarenotboundbyapplicationandareevaluatedacrosstheendpoint.Ifthetraffic
matchesthematchcriteria,itisroutedthroughtheVPN.

Step7 (DevicelevelVPNonly)Ifdesired,configureyourpreferenceofAlwaysOnconnection:
1. TomaintaintheVPNconnectionalways,enableeitherofthefollowingoptions:
Always OnForcethesecureconnectiontobealwayson.
VPN LockdownForcethesecureconnectiontobealwaysonandconnected,anddisablethenetwork
accesswhentheappisnotconnected.TheVPN LockdownoptioninAirWatchissimilartotheEnforce
GlobalProtect for Network AccessoptionthatyouwouldconfigureinaGlobalProtectportalconfiguration.
2. SpecifyTrusted NetworkaddressesifyouwantGlobalProtecttoconnectonlywhenitdetectsatrusted
networkconnection.
3. Save & Publishyourchanges.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 167


ManagetheGlobalProtectAppUsingAirWatch MobileEndpointManagement

ConfiguretheGlobalProtectAppforWindows10UWPUsingAirWatch(Continued)

Step8 ToadapttheconfigurationforGlobalProtect,edittheVPNprofileinXML.
TominimizeadditionaleditsintherawXML,reviewthesettingsinyourVPNprofilebeforeyouexport
theconfiguration.IfyouneedtochangeasettingafteryouexporttheVPNprofile,youcanmakethe
changesintherawXMLor,youcanupdatethesettingintheVPNprofileandperformthisstepagain.
1. IntheDevices > Profiles > List View,selecttheradiobuttonnexttothenewprofileyouaddedinthe
previoussteps,andthenselect</> XMLatthetopofthetable.AirWatchopenstheXMLviewoftheprofile.
2. Exporttheprofileandthenopenitinatexteditorofyourchoice.
3. EditthefollowingsettingsforGlobalProtect:
IntheLoclURIelementthatspecifiesthePluginPackageFamilyName,changetheelementto:
<LocURI>./Vendor/MSFT/VPNv2/PaloAltoNetworks/PluginProfile/PluginPackageFamilyName</LocU
RI>
IntheDataelementthatfollows,changethevalueto:
<Data>PaloAltoNetworks.GlobalProtect_rn9aeerfb38dg</Data>
4. Saveyourchangestotheexportedprofile.
5. ReturntoAirWatchandtheDevices > Profiles > List View.
6. Create(selectAdd > Add Profile > Windows > Windows Phone)andnameanewprofile.
7. SelectCustom Settings > Configure,andthencopyandpastetheeditedconfiguration.
8. Save & Publishyourchanges.

Step9 Cleanuptheoriginalprofile:SelecttheoriginalprofilefromtheDevices > Profiles > List View,selectMore


Actions > Deactivate.AirWatchmovestheprofiletotheInactivelist.

Step10 Testtheconfiguration.

168 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


MobileEndpointManagement ManagetheGlobalProtectAppUsingaThirdPartyMDM

ManagetheGlobalProtectAppUsingaThirdPartyMDM

Youcanuseanythirdpartymobiledevicemanagementsystem,suchasamobiledevicemanagement
(MDM)system,thatmanagesanAndroidoriOSmobileendpointtodeployandconfiguretheGlobalProtect
app.
ManagetheGlobalProtectAppforiOSUsingaThirdPartyMDMSystem
ConfiguretheGlobalProtectAppforiOS
Example:GlobalProtectiOSAppDeviceLevelVPNConfiguration
Example:GlobalProtectiOSAppAppLevelVPNConfiguration
ManagetheGlobalProtectAppforAndroidUsingaThirdPartyMDMSystem
ConfiguretheGlobalProtectAppforAndroid
Example:SetVPNConfiguration
Example:RemoveVPNConfiguration

Configure the GlobalProtect App for iOS

WhileathirdpartyMDMsystemallowsyoutopushconfigurationsettingsthatallowaccesstoyour
corporateresourcesandprovidesamechanismforenforcingdevicerestrictions,itdoesnotsecurethe
connectionbetweenthemobileendpointandservicesitconnectsto.Toenabletheclienttoestablishsecure
tunnelconnections,youmustenableVPNsupportontheendpoint.
ThefollowingtabledescribestypicalsettingsthatyoucanconfigureusingyourthirdpartyMDMsystem.

Setting Description Value

Connection Type Typeofconnectionenabledbythepolicy. Custom SSL

Identifier IdentifierforthecustomSSLVPNin com.paloaltonetworks.GlobalPro


reverseDNSformat. tect.vpnplugin
Server HostnameorIPaddressofthe <hostname or IP address>
GlobalProtectportal. Forexample:gp.paloaltonetworks.com

Account Useraccountforauthenticatingthe <username>


connection.

User Authentication Authenticationtypefortheconnection. Certificate | Password


Credential (CertificateUserAuthenticationonly) <credential>
Credentialforauthenticatingthe Forexample:clientcredial.p12
connection.

Enable VPN On Demand (Optional)Domainandhostnamethatwill <domain and hostname and the


establishtheconnectionandthe on-demand action>
ondemandaction: Forexample:gp.acme.com; Never
Alwaysestablishaconnection establish
Neverestablishaconnection
Establishaconnectionifneeded

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 169


ManagetheGlobalProtectAppUsingaThirdPartyMDM MobileEndpointManagement

Example:GlobalProtectiOSAppDeviceLevelVPNConfiguration

ThefollowingexampleshowstheXMLconfigurationcontainingaVPNpayloadthatyoucanusetoverify
thedevicelevelVPNconfigurationoftheGlobalProtectappforiOS.

Example:GlobalProtectiOSAppDeviceLevelVPNConfiguration

<?xml version="1.0" encoding="UTF-8"?>


<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Configures VPN settings, including authentication.</string>
<key>PayloadDisplayName</key>
<string>VPN (Sample Device Level VPN)</string>
<key>PayloadIdentifier</key>
<string>Sample Device Level VPN.vpn</string>
<key>PayloadOrganization</key>
<string>Palo Alto Networks</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>5436fc94-205f-7c59-0000-011d</string>
<key>UserDefinedName</key>
<string>Sample Device Level VPN</string>
<key>Proxies</key>
<dict/>
<key>VPNType</key>
<string>VPN</string>
<key>VPNSubType</key>
<string>com.paloaltonetworks.GlobalProtect.vpnplugin</string>
<key>IPv4</key>
<dict>
<key>OverridePrimary</key>
<integer>0</integer>
</dict>
<key>VPN</key>
<dict>
<key>RemoteAddress</key>
<string>cademogp.paloaltonetworks.com</string>
<key>AuthName</key>
<string></string>
<key>DisconnectOnIdle</key>
<integer>0</integer>
<key>OnDemandEnabled</key>
<integer>1</integer>
<key>OnDemandRules</key>
<array>
<dict>
<key>Action</key>
<string>Connect</string>
</dict>
</array>
<key>AuthenticationMethod</key>
<string>Password</string>
</dict>
<key>VendorConfig</key>
<dict>
<key>AllowPortalProfile</key>
<integer>0</integer>
<key>FromAspen</key>
<integer>1</integer>
</dict>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Sample Device Level VPN</string>
<key>PayloadOrganization</key>
<string>Palo Alto Networks</string>
<key>PayloadDescription</key>
<string>Profile Description</string>
<key>PayloadIdentifier</key>
<string>Sample Device Level VPN</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>5436fc94-205f-7c59-0000-011c</string>
<key>PayloadRemovalDisallowed</key>
<false/>
</dict>
</plist>

170 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


MobileEndpointManagement ManagetheGlobalProtectAppUsingaThirdPartyMDM

Example:GlobalProtectiOSAppAppLevelVPNConfiguration

ThefollowingexampleshowstheXMLconfigurationcontainingaVPNpayloadthatyoucanusetoverify
theapplevelVPNconfigurationoftheGlobalProtectappforiOS.

Example:GlobalProtectiOSAppAppLevelVPNConfiguration

<?xml version="1.0" encoding="UTF-8"?>


<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Configures VPN settings, including authentication.</string>
<key>PayloadDisplayName</key>
<string>VPN (Sample App Level VPN)</string>
<key>PayloadIdentifier</key>
<string>Sample App Level VPN.vpn</string>
<key>PayloadOrganization</key>
<string>Palo Alto Networks</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed.applayer</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>VPNUUID</key>
<string>cGFuU2FtcGxlIEFwcCBMZXZlbCBWUE52cG5TYW1wbGUgQXBwIExldmVsIFZQTg==</string>
<key>SafariDomains</key>
<array>
<string>*.paloaltonetworks.com</string>
</array>
<key>PayloadUUID</key>
<string>54370008-205f-7c59-0000-01a1</string>
<key>UserDefinedName</key>
<string>Sample App Level VPN</string>
<key>Proxies</key>
<dict/>
<key>VPNType</key>
<string>VPN</string>
<key>VPNSubType</key>
<string>com.paloaltonetworks.GlobalProtect.vpnplugin</string>
<key>IPv4</key>
<dict>
<key>OverridePrimary</key>
<integer>0</integer>
</dict>
<key>VPN</key>
<dict>
<key>RemoteAddress</key>
<string>cademogp.paloaltonetworks.com</string>
<key>AuthName</key>
<string></string>
<key>OnDemandMatchAppEnabled</key>
<integer>1</integer>
<key>OnDemandEnabled</key>
<integer>1</integer>
<key>DisconnectOnIdle</key>
<integer>0</integer>
<key>AuthenticationMethod</key>
<string>Password</string>
</dict>
<key>VendorConfig</key>
<dict>
<key>OnlyAppLevel</key>
<integer>1</integer>
<key>AllowPortalProfile</key>
<integer>0</integer>
<key>FromAspen</key>
<integer>1</integer>
</dict>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Sample App Level VPN</string>
<key>PayloadOrganization</key>
<string>Palo Alto Networks</string>
<key>PayloadDescription</key>
<string>Profile Description</string>
<key>PayloadIdentifier</key>
<string>Sample App Level VPN</string>
<key>PayloadType</key>
<string>Configuration</string>

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 171


ManagetheGlobalProtectAppUsingaThirdPartyMDM MobileEndpointManagement

Example:GlobalProtectiOSAppAppLevelVPNConfiguration(Continued)

<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>5436fc94-205f-7c59-0000-011c</string>
<key>PayloadRemovalDisallowed</key>
<false/>
</dict>
</plist>

Configure the GlobalProtect App for Android

YoucandeployandconfiguretheGlobalProtectapponAndroidForWorkdevicesfromanythirdparty
mobiledevicemanagement(MDM)systemsupportingAndroidForWorkAppdatarestrictions.
OnAndroiddevices,trafficisroutedthroughtheVPNtunnelaccordingtotheaccessroutesconfiguredon
theGlobalProtectgateway.FromyourthirdpartyMDMthatmanagesAndroidforWorkdevices,youcan
furtherrefinethetrafficthatisroutedthoughtheVPNtunnel.
Inanenvironmentwherethedeviceiscorporatelyowned,thedeviceownermanagestheentiredevice
includingalltheappsinstalledonthatdevice.Bydefault,allinstalledappscansendtrafficthroughtheVPN
tunnelaccordingtotheaccessroutesdefinedonthegateway.
Inabringyourowndevice(BYOD)environment,thedeviceisnotcorporatelyownedandusesaWork
Profiletoseparatebusinessandpersonalapps.BydefaultonlymanagedappsintheWorkProfilecansend
trafficthroughtheVPNtunnelaccordingtotheaccessroutesdefinedonthegateway.Appsinstalledonthe
personalsideofthedevicecannotsendtrafficthroughtheVPNtunnelsetbythemanagedGlobalProtect
appinstalledintheWorkProfile.
Toroutetrafficfromanevensmallersetofapps,youcanenablePerAppVPNsothatGlobalProtectonly
routestrafficfromspecificmanagedapps.ForPerAppVPN,youcanwhitelistorblacklistspecificmanaged
appsfromhavingtheirtrafficroutedthroughtheVPNtunnel.
AspartoftheVPNconfiguration,youcanalsospecifyhowtheuserconnectstotheVPN.Whenyou
configuretheVPNconnectionmethodasuser-logon,theGlobalProtectappwillestablishaconnection
automatically.WhenyouconfiguretheVPNconnectionmethodason-demand,userscaninitiatea
connectionmanuallywhenattemptingtoconnecttotheVPNremotely.

TheVPNconnectmethoddefinedintheMDMtakesprecedenceovertheconnectmethoddefinedinthe
GlobalProtectportalconfiguration.

RemovingtheVPNconfigurationautomaticallyrestorestheGlobalProtectapptotheoriginalconfiguration
settings.
ToconfiguretheGlobalProtectappforAndroid,configurethefollowingAndroidAppRestrictions.

Key ValueType Example

portal String 10.1.8.190

username String john

password String Passwd!234

certificate String(inBase64) DAFDSaweEWQ23wDSAFD.

172 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


MobileEndpointManagement ManagetheGlobalProtectAppUsingaThirdPartyMDM

Key ValueType Example

client_certificate_passphrase String PA$$W0RD$123

app_list* String whiltelist | blacklist: com.google.calendar;


com.android.email; com.android.chrome

connect_method String user-logon | on-demand

remove_vpn_config_via_restricti Boolean true | false


on

*Theapp_listkeyspecifiestheconfigurationforPerAppVPN.Beginthestringwitheitherthewhitelistor
blacklist,andfollowitwithanarrayofappnamesseparatedbysemicolon.Thewhitelistspecifiestheapps
thatwillusetheVPNtunnelfornetworkcommunication.Thenetworktrafficforanyotherappthatisnot
inthewhitelistorexpresslylistedintheblacklistwillnotgothroughtheVPNtunnel.

Example:SetVPNConfiguration

private static String RESTRICTION_PORTAL = "portal";


private static String RESTRICTION_USERNAME = "username";
private static String RESTRICTION_PASSWORD = "password";
private static String RESTRICTION_CONNECT_METHOD = "connect_method";
private static String RESTRICTION_CLIENT_CERTIFICATE = "client_certificate";
private static String RESTRICTION_CLIENT_CERTIFICATE_PASSPHRASE =
"client_certificate_passphrase";
private static String RESTRICTION_APP_LIST = "app_list";
private static String RESTRICTION_REMOVE_CONFIG = "remove_vpn_config_via_restriction";

Bundle config = new Bundle();


config.putString(RESTRICTION_PORTAL, "192.168.1.1");
config.putString(RESTRICTION_USERNAME, "john");
config.putString(RESTRICTION_PASSWORD, "Passwd!234");
config.putString(RESTRICTION_CONNECT_METHOD, "user-logon");
config.putString(RESTRICTION_CLIENT_CERTIFICATE, "DAFDSaweEWQ23wDSAFD.");
config.putString(RESTRICTION_CLIENT_CERTIFICATE_PASSPHRASE, "PA$$W0RD$123");
config.putString(RESTRICTION_APP_LIST,
"whitelist:com.android.chrome;com.android.calendar");

DevicePolicyManager dpm = (DevicePolicyManager)


getSystemService(Context.DEVICE_POLICY_SERVICE);
dpm.setApplicationRestrictions(EnforcerDeviceAdminReceiver.getComponentName(this),
"com.paloaltonetworks.globalprotect", config);

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 173


ManagetheGlobalProtectAppUsingaThirdPartyMDM MobileEndpointManagement

Example:RemoveVPNConfiguration

Bundle config = new Bundle();


config.putBoolean(RESTRICTION_REMOVE_CONFIG, true );
DevicePolicyManager dpm = (DevicePolicyManager)
getSystemService(Context.DEVICE_POLICY_SERVICE);
dpm.setApplicationRestrictions(EnforcerDeviceAdminReceiver.getComponentName(this),"com
.paloaltonetworks.globalprotect", config);

174 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


HostInformation
Althoughyoumayhavestringentsecurityatyourcorporatenetworkborder,yournetworkisreallyonlyas
secureastheenddevicesthatareaccessingit.Withtodaysworkforcebecomingmoreandmoremobile,
oftenrequiringaccesstocorporateresourcesfromavarietyoflocationsairports,coffeeshops,hotelsand
fromavarietyofdevicesbothcompanyprovisionedandpersonalyoumustlogicallyextendyour
networkssecurityouttoyourendpointstoensurecomprehensiveandconsistentsecurityenforcement.The
GlobalProtectHostInformationProfile(HIP)featureenablesyoutocollectinformationaboutthesecurity
statusofyourendhostssuchaswhethertheyhavethelatestsecuritypatchesandantivirusdefinitions
installed,whethertheyhavediskencryptionenabled,whetherthedeviceisjailbrokenorrooted(mobile
devicesonly),orwhetheritisrunningspecificsoftwareyourequirewithinyourorganization,including
customapplicationsandbasethedecisionastowhethertoallowordenyaccesstoaspecifichostbased
onadherencetothehostpoliciesyoudefine.
Thefollowingtopicsprovideinformationabouttheuseofhostinformationinpolicyenforcement.Itincludes
thefollowingsections:
AboutHostInformation
ConfigureHIPBasedPolicyEnforcement
CollectApplicationandProcessDataFromClients
BlockDeviceAccess

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 175


AboutHostInformation HostInformation

AboutHostInformation

OneofthejobsoftheGlobalProtectagentistocollectinformationaboutthehostitisrunningon.Theagent
thensubmitsthishostinformationtotheGlobalProtectgatewayuponsuccessfullyconnecting.Thegateway
matchesthisrawhostinformationsubmittedbytheagentagainstanyHIPobjectsandHIPprofilesyouhave
defined.Ifitfindsamatch,itgeneratesanentryintheHIPMatchlog.Additionally,ifitfindsaHIPprofile
matchinapolicyrule,itenforcesthecorrespondingsecuritypolicy.
Usinghostinformationprofilesforpolicyenforcementenablesgranularsecuritythatensuresthatthe
remotehostsaccessingyourcriticalresourcesareadequatelymaintainedandinadherencewithyour
securitystandardsbeforetheyareallowedaccesstoyournetworkresources.Forexample,beforeallowing
accesstoyourmostsensitivedatasystems,youmightwanttoensurethatthehostsaccessingthedatahave
encryptionenabledontheirharddrives.Youcanenforcethispolicybycreatingasecurityrulethatonly
allowsaccesstotheapplicationiftheclientsystemhasencryptionenabled.Inaddition,forclientsthatare
notincompliancewiththisrule,youcouldcreateanotificationmessagethatalertsusersastowhytheyhave
beendeniedaccessandlinksthemtothefilesharewheretheycanaccesstheinstallationprogramforthe
missingencryptionsoftware(ofcourse,toallowtheusertoaccessthatfileshareyouwouldhavetocreate
acorrespondingsecurityruleallowingaccesstotheparticularshareforhostswiththatspecificHIPprofile
match).
WhatDataDoestheGlobalProtectAgentCollect?
HowDoestheGatewayUsetheHostInformationtoEnforcePolicy?
HowDoUsersKnowifTheirSystemsareCompliant?
HowDoIGetVisibilityintotheStateoftheEndClients?

What Data Does the GlobalProtect Agent Collect?

Bydefault,theGlobalProtectagentcollectsvendorspecificdataabouttheendusersecuritypackagesthat
arerunningonthecomputer(ascompiledbytheOPSWATglobalpartnershipprogram)andreportsthisdata
totheGlobalProtectgatewayforuseinpolicyenforcement.
Becausesecuritysoftwaremustcontinuallyevolvetoensureenduserprotection,yourGlobalProtect
gatewaylicensesalsoenableyoutogetdynamicupdatesfortheGlobalProtectdatafilewiththelatestpatch
andsoftwareversionsavailableforeachpackage.
Whiletheagentcollectsacomprehensiveamountofdataaboutthehostitisrunningon,youmayhave
additionalsoftwarethatyourequireyourenduserstoruninordertoconnecttoyournetworkortoaccess
certainresources.Inthiscase,youcandefinecustomchecksthatinstructtheagenttocollectspecific
registryinformation(onWindowsclients),preferencelist(plist)information(onMacOSclients),ortocollect
informationaboutwhetherornotspecificservicesarerunningonthehost.
Theagentcollectsdataaboutthefollowingcategoriesofinformationbydefault,tohelptoidentifythe
securitystateofthehost:

176 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


HostInformation AboutHostInformation

Table:DataCollectionCategories
Category DataCollected

General Informationaboutthehostitself,includingthehostname,logondomain,
operatingsystem,clientversion,and,forWindowssystems,thedomaintowhich
themachinebelongs.
ForWindowsclientsdomain,theGlobalProtectagentcollectsthedomain
definedforComputerNameDnsDomain,whichistheDNSdomainassigned
tothelocalcomputerortheclusterassociatedwiththelocalcomputer.
ThisdataiswhatisdisplayedfortheWindowsclientsDomainintheHIP
Matchlogdetails(Monitor > HIP Match).

Patch Management Informationaboutanypatchmanagementsoftwarethatisenabledand/or


installedonthehostandwhetherthereareanymissingpatches.

Firewall Informationaboutanyclientfirewallsthatareinstalledand/orenabledonthe
host.

Antivirus Informationaboutanyantivirussoftwarethatisenabledand/orinstalledonthe
host,whetherornotrealtimeprotectionisenabled,thevirusdefinitionversion,
lastscantime,thevendorandproductname.
GlobalProtectusesOPSWATtechnologytodetectandassessthirdpartysecurity
applicationsontheendpoint.ByintegratingwiththeOPSWATOESISframework,
GlobalProtectenablesyoutoassessthecompliancestateoftheendpoint.For
example,youcandefineHIPobjectsandHIPprofilesthatverifythepresenceof
aspecificversionofAntivirussoftwarefromaspecificvendorontheendpointand
alsoensurethatithasthelatestvirusdefinitionfiles.

Anti-Spyware Informationaboutanyantispywaresoftwarethatisenabledand/orinstalledon
thehost,whetherornotrealtimeprotectionisenabled,thevirusdefinition
version,lastscantime,thevendorandproductname.

Disk Backup Informationaboutwhetherdiskbackupsoftwareisinstalled,thelastbackuptime,


andthevendorandproductnameofthesoftware.

Disk Encryption Informationaboutwhetherdiskencryptionsoftwareisinstalled,whichdrives


and/orpathsareconfiguredforencryption,andthevendorandproductnameof
thesoftware.

Data Loss Prevention Informationaboutwhetherdatalossprevention(DLP)softwareisinstalledand/or


enabledforthepreventionsensitivecorporateinformationfromleavingthe
corporatenetworkorfrombeingstoredonapotentiallyinsecuredevice.This
informationisonlycollectedfromWindowsclients.

Mobile Devices Identifyinginformationaboutthemobiledevice,suchasthemodelnumber,


phonenumber,serialnumberandInternationalMobileEquipmentIdentity(IMEI)
number.Inaddition,theagentcollectsinformationaboutspecificsettingsonthe
device,suchaswhetherornotapasscodeisset,whetherthedeviceisjailbroken,
alistofappsinstalledonthedevicethataremanagedbyathirdpartymobile
devicemanager,ifthedevicecontainsappsthatareknowntohavemalware
(Androiddevicesonly),and,optionally,theGPSlocationofthedeviceandalistof
appsthatarenotmanagedbythethirdpartymobiledevicemanager.Notethat
foriOSdevices,someinformationiscollectedbytheGlobalProtectappandsome
informationisreporteddirectlybytheoperatingsystem.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 177


AboutHostInformation HostInformation

Youcanexcludecertaincategoriesofinformationfrombeingcollectedoncertainhosts(tosaveCPUcycles
andimproveclientresponsetime).Todothis,youcreateaclientconfigurationontheportalexcludingthe
categoriesyouarenotinterestedin.Forexample,ifyoudonotplantocreatepolicybasedonwhetheror
notclientsystemsrundiskbackupsoftware,youcanexcludethatcategoryandtheagentwillnotcollectany
informationaboutdiskbackup.
Youcanalsochoosetoexcludecollectinginformationfrompersonaldevicesinordertoallowforuser
privacy.Thiscanincludeexcludingdevicelocationandalistofappsinstalledonthedevicethatarenot
managedbyathirdpartymobiledevicemanager.

How Does the Gateway Use the Host Information to Enforce Policy?

Whiletheagentgetstheinformationaboutwhatinformationtocollectfromtheclientconfiguration
downloadedfromtheportal,youdefinewhichhostattributesyouareinterestedinmonitoringand/orusing
forpolicyenforcementbycreatingHIPobjectsandHIPprofilesonthegateway(s):
HIPObjectsProvidethematchingcriteriatofilteroutthehostinformationyouareinterestedinusing
toenforcepolicyfromtherawdatareportedbytheagent.Forexample,whiletherawhostdatamay
includeinformationaboutseveralantiviruspackagesthatareinstalledontheclientyoumayonlybe
interestedinoneparticularapplicationthatyourequirewithinyourorganization.Inthiscase,youwould
createaHIPobjecttomatchthespecificapplicationyouareinterestedinenforcing.
ThebestwaytodeterminewhatHIPobjectsyouneedistodeterminehowyouwillusethehost
informationyoucollecttoenforcepolicy.KeepinmindthattheHIPobjectsthemselvesaremerely
buildingblocksthatallowyoutocreatetheHIPprofilesthatareusedinyoursecuritypolicies.Therefore,
youmaywanttokeepyourobjectssimple,matchingononething,suchasthepresenceofaparticular
typeofrequiredsoftware,membershipinaspecificdomain,orthepresenceofaspecificclientOS.By
doingthis,youwillhavetheflexibilitytocreateaverygranular(andverypowerful)HIPaugmented
policy.
HIPProfilesAcollectionofHIPobjectsthataretobeevaluatedtogether,eitherformonitoringorfor
securitypolicyenforcement.WhenyoucreateyourHIPprofiles,youcancombinetheHIPobjectsyou
previouslycreated(aswellasotherHIPprofiles)usingBooleanlogicsuchthatwhenatrafficflowis
evaluatedagainsttheresultingHIPprofileitwilleithermatchornotmatch.Ifthereisamatch,the
correspondingpolicyrulewillbeenforced;ifthereisnotamatch,theflowwillbeevaluatedagainstthe
nextrule,aswithanyotherpolicymatchingcriteria.
UnlikeatrafficlogwhichonlycreatesalogentryifthereisapolicymatchtheHIPMatchloggenerates
anentrywhenevertherawdatasubmittedbyanagentmatchesaHIPobjectand/oraHIPprofileyouhave
defined.ThismakestheHIPMatchlogagoodresourceformonitoringthestateofthehostsonyournetwork
overtimebeforeattachingyourHIPprofilestosecuritypoliciesinordertohelpyoudetermineexactly
whatpoliciesyoubelieveneedenforcement.SeeConfigureHIPBasedPolicyEnforcementfordetailson
howtocreateHIPobjectsandHIPprofilesandusethemaspolicymatchcriteria.

178 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


HostInformation AboutHostInformation

How Do Users Know if Their Systems are Compliant?

Bydefault,endusersarenotgivenanyinformationaboutpolicydecisionsthatweremadeasaresultof
enforcementofaHIPenabledsecurityrule.However,youcanenablethisfunctionalitybydefiningHIP
notificationmessagestodisplaywhenaparticularHIPprofileismatchedand/ornotmatched.
Thedecisionastowhentodisplayamessage(thatis,whethertodisplayitwhentheusersconfiguration
matchesaHIPprofileinthepolicyorwhenitdoesntmatchit),dependslargelyonyourpolicyandwhata
HIPmatch(ornonmatch)meansfortheuser.Thatis,doesamatchmeantheyaregrantedfullaccesstoyour
networkresources?Ordoesitmeantheyhavelimitedaccessduetoanoncomplianceissue?
Forexample,considerthefollowingscenarios:
YoucreateaHIPprofilethatmatchesiftherequiredcorporateantivirusandantispywaresoftware
packagesarenotinstalled.Inthiscase,youmightwanttocreateaHIPnotificationmessageforuserswho
matchtheHIPprofiletellingthemthattheyneedtoinstallthesoftware(and,optionally,providingalink
tothefilesharewheretheycanaccesstheinstallerforthecorrespondingsoftware).
YoucreateaHIPprofilethatmatchesifthosesameapplicationsareinstalled,youmightwanttocreate
themessageforuserswhodonotmatchtheprofile,anddirectthemtothelocationoftheinstallpackage.
SeeConfigureHIPBasedPolicyEnforcementfordetailsonhowtocreateHIPobjectsandHIPprofilesand
useindefiningHIPnotificationmessages.

How Do I Get Visibility into the State of the End Clients?

WheneveranendhostconnectstoGlobalProtect,theagentpresentsitsHIPdatatothegateway.The
gatewaythenusesthisdatatodeterminewhichHIPobjectsand/orHIPprofilesthehostmatches.Foreach
match,itgeneratesaHIPMatchlogentry.Unlikeatrafficlogwhichonlycreatesalogentryifthereisa
policymatchtheHIPMatchloggeneratesanentrywhenevertherawdatasubmittedbyanagentmatches
aHIPobjectand/oraHIPprofileyouhavedefined.ThismakestheHIPMatchlogagoodresourcefor
monitoringthestateofthehostsonyournetworkovertimebeforeattachingyourHIPprofilestosecurity
policiesinordertohelpyoudetermineexactlywhatpoliciesyoubelieveneedenforcement.
BecauseaHIPMatchlogisonlygeneratedwhenthehoststatematchesaHIPobjectyouhavecreated,for
fullvisibilityintohoststateyoumayneedtocreatemultipleHIPobjectstologHIPmatchesforhoststhat
areincompliancewithaparticularstate(forsecuritypolicyenforcementpurposes)aswellashoststhatare
noncompliant(forvisibility).Forexample,supposeyouwanttopreventahostthatdoesnothaveAntivirus
softwareinstalledfromconnectingtothenetwork.InthiscaseyouwouldcreateaHIPobjectthatmatches
hoststhathaveaparticularAntivirussoftwareinstalled.ByincludingthisobjectinaHIPprofileandattaching
ittothesecuritypolicyrulethatallowsaccessfromyourVPNzone,youcanensurethatonlyhoststhatare
protectedwithantivirussoftwarecanconnect.
However,inthiscaseyouwouldnotbeabletoseeintheHIPMatchlogwhichparticularhostsarenotin
compliancewiththisrequirement.IfyouwantedtoalsoseealogforhoststhatdonothaveAntivirus
softwareinstalledsothatyoucanfollowupwiththeusers,youcanalsocreateaHIPobjectthatmatches
theconditionwheretheAntivirussoftwareisnotinstalled.Becausethisobjectisonlyneededforlogging
purposes,youdonotneedtoaddittoaHIPprofileorattachittoasecuritypolicyrule.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 179


ConfigureHIPBasedPolicyEnforcement HostInformation

ConfigureHIPBasedPolicyEnforcement

Toenabletheuseofhostinformationinpolicyenforcementyoumustcompletethefollowingsteps.For
moreinformationontheHIPfeature,seeAboutHostInformation.

EnableHIPChecking

Step1 VerifyproperlicensingforHIPchecks. TousetheHIPfeature,youmusthavepurchasedandinstalleda


GlobalProtectsubscriptionlicenseoneachgatewaythatwill
performHIPchecks.Toverifythestatusofyourlicensesoneach
portalandgateway,selectDevice > Licenses.
ContactyourPaloAltoNetworksSalesEngineerorResellerifyou
donothavetherequiredlicenses.Formoreinformationon
licensing,seeAboutGlobalProtectLicenses.

Step2 (Optional)Defineanycustomhost 1. OnthefirewallthatishostingyourGlobalProtectportal,select


informationthatyouwanttheagentto Network > GlobalProtect > Portals.
collect.Forexample,ifyouhaveany 2. SelectyourportalconfigurationtoopentheGlobalProtect
requiredapplicationsthatarenot Portaldialog.
includedintheVendorand/orProduct
listsforcreatingHIPobjects,youcould 3. SelecttheAgent tabandthenselecttheagentconfiguration
createacustomcheckthatwillallowyou towhichyouwanttoaddacustomHIPcheck,orclickAddto
todeterminewhetherthatapplicationis createanewagentconfiguration.
installed(hasacorrespondingregistryor 4. SelecttheData Collectiontab.
plistkey)orisrunning(hasa
5. EnabletheoptiontoCollect HIP Data.
correspondingrunningprocess).
Step 2andStep 3assumethatyou 6. SelectCustom Checksanddefinethedatayouwanttocollect
havealreadycreatedaPortal fromhostsrunningthisagentconfigurationasfollows:
Configuration.Ifyouhavenotyet Tocollectinformationaboutspecificregistrykeys:Onthe
configuredyourportal,seeSetUp Windowstab,AddthenameofaRegistry Keyforwhichto
AccesstotheGlobalProtectPortal collectdataintheRegistryKeyarea.Optionally,torestrict
forinstructions. datacollectiontoaspecificRegistryValue,Addandthen
definethespecificRegistryValueorvalues.ClickOKto
savethesettings.
Tocollectinformationaboutrunningprocesses:Selectthe
appropriatetab(WindowsorMac)andthenAddaprocess
totheProcessList.Enterthenameoftheprocessthatyou
wanttheagenttocollectinformationabout.
Tocollectinformationaboutspecificpropertylists:Onthe
Mactab,clickAddinthePlistsection.EnterthePlistfor
whichtocollectdata.Optionally,clickAddtorestrictthe
datacollectiontospecificKeyvalues.ClickOKtosavethe
settings.
7. Ifthisisanewclientconfiguration,completetherestofthe
configurationasdesired.Forinstructions,seeDefinethe
GlobalProtectAgentConfigurations.
8. ClickOKtosavetheclientconfiguration.
9. Committhechanges.

180 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


HostInformation ConfigureHIPBasedPolicyEnforcement

EnableHIPChecking(Continued)

Step3 (Optional)Excludecategoriesfrom 1. OnthefirewallthatishostingyourGlobalProtectportal,select


collection. Network > GlobalProtect > Portals.
2. SelectyourportalconfigurationtoopentheGlobalProtect
Portaldialog.
3. OntheAgent tab,selecttheAgentconfigurationfromwhich
toexcludecategories,orAddanewone.
4. SelectData Collection,andthenverifythatCollect HIP Data
isenabled.
5. OntheExclude Categories tab,clickAdd.TheEditExclude
Categorydialogdisplays.
6. SelecttheCategoryyouwanttoexcludefromthedropdown
list.
7. (Optional)Ifyouwanttoexcludespecificvendorsand/or
productsfromcollectionwithintheselectedcategoryrather
thanexcludingtheentirecategory,clickAdd.Youcanthen
selecttheVendortoexcludefromthedropdownontheEdit
Vendordialogand,optionally,clickAddtoexcludespecific
productsfromthatvendor.Whenyouaredonedefiningthat
vendor,clickOK.Youcanaddmultiplevendorsandproducts
totheexcludelist.
8. RepeatStep6andStep7foreachcategoryyouwantto
exclude.
9. Ifthisisanewclientconfiguration,completetherestofthe
configurationasdesired.Formoreinformationondefining
clientconfigurations,seeDefinetheGlobalProtectAgent
Configurations.
10. ClickOKtosavetheclientconfiguration.
11. Committhechanges.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 181


ConfigureHIPBasedPolicyEnforcement HostInformation

EnableHIPChecking(Continued)

Step4 CreatetheHIPobjectstofiltertheraw 1. Onthegateway(oronPanoramaifyouplantosharetheHIP


hostdatacollectedbytheagents. objectsamongmultiplegateways),selectObjects >
ThebestwaytodeterminewhatHIP GlobalProtect > HIP ObjectsandclickAdd.
objectsyouneedistodeterminehow 2. OntheGeneraltab,enteraNamefortheobject.
youwillusethehostinformationyou
3. Selectthetabthatcorrespondstothecategoryofhost
collecttoenforcepolicy.Keepinmind
informationyouareinterestedinmatchingagainstandselect
thattheHIPobjectsthemselvesare
thecheckboxtoenabletheobjecttomatchagainstthe
merelybuildingblocksthatallowyouto
category.Forexample,tocreateanobjectthatlooksfor
createtheHIPprofilesthatareusedin
informationaboutAntivirussoftware,selecttheAntivirustab
yoursecuritypolicies.Therefore,you
andthenselecttheAntiviruscheckboxtoenablethe
maywanttokeepyourobjectssimple,
correspondingfields.Completethefieldstodefinethedesired
matchingononething,suchasthe
matchingcriteria.Forexample,thefollowingscreenshot
presenceofaparticulartypeofrequired
showshowtocreateanobjectthatwillmatchiftheSymantec
software,membershipinaspecific
NortonAntiVirus2004Professionalapplicationisinstalled,
domain,orthepresenceofaspecific
hasRealTimeProtectionenabled,andhasvirusdefinitions
clientOS.Bydoingthis,youwillhavethe
thathavebeenupdatedwithinthelast5days.
flexibilitytocreateaverygranular(and
verypowerful)HIPaugmentedpolicy.
FordetailsonaspecificHIP
categoryorfield,refertotheonline
help.

Repeatthisstepforeachcategoryyouwanttomatchagainst
inthisobject.Formoreinformation,seeTable:DataCollection
Categories.
4. ClickOKtosavetheHIPobject.
5. RepeatthesestepstocreateeachadditionalHIPobjectyou
require.
6. Committhechanges.

182 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


HostInformation ConfigureHIPBasedPolicyEnforcement

EnableHIPChecking(Continued)

Step5 CreatetheHIPprofilesthatyouplanto 1. Onthegateway(oronPanoramaifyouplantosharetheHIP


useinyourpolicies. profilesamongmultiplegateways),selectObjects >
WhenyoucreateyourHIPprofiles,you GlobalProtect > HIP ProfilesandclickAdd.
cancombinetheHIPobjectsyou 2. EnteradescriptiveNamefortheprofileandoptionallya
previouslycreated(aswellasotherHIP Description.
profiles)usingBooleanlogicsuchthat
3. ClickAdd Match CriteriatoopentheHIPObjects/Profiles
whenatrafficflowisevaluatedagainst
Builder.
theresultingHIPprofileitwilleither
matchornotmatch.Ifthereisamatch, 4. SelectthefirstHIPobjectorprofileyouwanttouseasmatch
thecorrespondingpolicyrulewillbe criteriaandthenclickadd tomoveitovertotheMatchtext
enforced;ifthereisnotamatch,theflow boxontheHIPProfiledialog.Keepinmindthatifyouwant
willbeevaluatedagainstthenextrule,as theHIPprofiletoevaluatetheobjectasamatchonlywhenthe
withanyotherpolicymatchingcriteria. criteriaintheobjectisnottrueforaflow,selecttheNOTcheck
boxbeforeaddingtheobject.

5. Continueaddingmatchcriteriaasappropriatefortheprofile
youarebuilding,makingsuretoselecttheappropriate
Booleanoperatorradiobutton(ANDorOR)betweeneach
addition(and,again,usingtheNOTcheckboxwhen
appropriate).
6. IfyouarecreatingacomplexBooleanexpression,youmust
manuallyaddtheparenthesisintheproperplacesintheMatch
textboxtoensurethattheHIPprofileisevaluatedusingthe
logicyouintend.Forexample,thefollowingHIPprofilewill
matchtrafficfromahostthathaseitherFileVaultdisk
encryption(forMacOSsystems)orTrueCryptdiskencryption
(forWindowssystems)andalsobelongstotherequired
Domain,andhasaSymantecantivirusclientinstalled:

7. Whenyouaredoneaddingmatchcriteria,clickOKtosavethe
profile.
8. RepeatthesestepstocreateeachadditionalHIPprofileyou
require.
9. Committhechanges.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 183


ConfigureHIPBasedPolicyEnforcement HostInformation

EnableHIPChecking(Continued)

Step6 VerifythattheHIPobjectsandHIP Onthegateway(s)thatyourGlobalProtectusersareconnectingto,


profilesyoucreatedarematchingyour selectMonitor > Logs > HIP Match.Thislogshowsallofthe
GlobalProtectclienttrafficasexpected. matchesthegatewayidentifiedwhenevaluatingtherawHIPdata
ConsidermonitoringHIPobjects reportedbytheagentsagainstthedefinedHIPobjectsandHIP
andprofilesasameanstomonitor profiles.Unlikeotherlogs,aHIPmatchdoesnotrequireasecurity
thesecuritystateandactivityof policymatchinordertobelogged.
yourhostendpoints.Bymonitoring
thehostinformationovertimeyou
willbebetterabletounderstand
whereyoursecurityand
complianceissuesareandyoucan
usethisinformationtoguideyouin
creatingusefulpolicy.Formore
details,seeHowDoIGetVisibility
intotheStateoftheEndClients?

Step7 EnableUserIDonthesourcezonesthat 1. SelectNetwork > Zones.


containtheGlobalProtectusersthatwill 2. ClickontheNameofthezoneinwhichyouwanttoenable
besendingrequeststhatrequire UserIDtoopentheZonedialog.
HIPbasedaccesscontrols.Youmust
enableUserIDevenifyoudontplanon 3. EnableUserIDbyselectingtheEnabledcheckboxandthen
usingtheuseridentificationfeatureor clickOK.
thefirewallwillnotgenerateanyHIP
Matchlogsentries.

Step8 CreatetheHIPenabledsecurityruleson 1. SelectPolicies > Securityandselecttheruletowhichyou


yourgateway(s). wanttoaddaHIPprofile.
Asabestpractice,youshouldcreate 2. OntheSourcetab,makesuretheSource Zoneisazonefor
yoursecurityrulesandtestthatthey whichyouenabledUserIDinStep 7.
matchtheexpectedflowsbasedonthe
3. OntheUsertab,clickAddintheHIP Profilessectionand
sourceanddestinationcriteriaas
selecttheHIPprofile(s)youwanttoaddtotherule(youcan
expectedbeforeaddingyourHIP
addupto63HIPprofilestoarule).
profiles.Bydoingthisyouwillalsobe
betterabletodeterminetheproper 4. ClickOKtosavetherule.
placementoftheHIPenabledrules 5. Committhechanges.
withinthepolicy.

184 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


HostInformation ConfigureHIPBasedPolicyEnforcement

EnableHIPChecking(Continued)

Step9 Definethenotificationmessagesend 1. OnthefirewallthatishostingyourGlobalProtectgateway(s),


userswillseewhenasecurityrulewitha selectNetwork > GlobalProtect > Gateways.
HIPprofileisenforced. 2. Selectapreviouslydefinedgatewayconfigurationtoopenthe
Thedecisionastowhentodisplaya GlobalProtectGatewaydialog.
message(thatis,whethertodisplayit
3. SelectClient Configuration > HIP Notification andthenclick
whentheusersconfigurationmatchesa
Add.
HIPprofileinthepolicyorwhenit
doesntmatchit),dependslargelyon 4. SelecttheHIP Profilethismessageappliestofromthe
yourpolicyandwhataHIPmatch(or dropdown.
nonmatch)meansfortheuser.Thatis, 5. SelectMatch MessageorNot Match Message,dependingon
doesamatchmeantheyaregrantedfull whetheryouwanttodisplaythemessagewhenthe
accesstoyournetworkresources?Or correspondingHIPprofileismatchedinpolicyorwhenitisnot
doesitmeantheyhavelimitedaccess matched.Insomecasesyoumightwanttocreatemessages
duetoanoncomplianceissue? forbothamatchandanonmatch,dependingonwhatobjects
Forexample,supposeyoucreateaHIP youarematchingonandwhatyourobjectivesareforthe
profilethatmatchesiftherequired policy.FortheMatchMessage,youcanalsoenabletheoption
corporateantivirusandantispyware toInclude matched application list in messagetoindicate
softwarepackagesarenotinstalled.In whatapplicationstriggeredtheHIPmatch.
thiscase,youmightwanttocreateaHIP
6. SelecttheEnablecheckboxandselectwhetheryouwantto
notificationmessageforuserswho
displaythemessageasaPop Up MessageorasaSystem Tray
matchtheHIPprofiletellingthemthat
Balloon.
theyneedtoinstallthesoftware.
Alternatively,ifyourHIPprofilematched 7. EnterthetextofyourmessageintheTemplatetextboxand
ifthosesameapplicationsareinstalled, thenclickOK.ThetextboxprovidesbothaWYSIWYGviewof
youmightwanttocreatethemessage thetextandanHTMLsourceview,whichyoucantoggle
foruserswhodonotmatchtheprofile. betweenusingtheSourceEdit icon.Thetoolbaralso
providesmanyoptionsforformattingyourtextandfor
creatinghyperlinks toexternaldocuments,forexampleto
linkusersdirectlytothedownloadURLforarequired
softwareprogram.

8. Repeatthisprocedureforeachmessageyouwanttodefine.
9. Committhechanges.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 185


ConfigureHIPBasedPolicyEnforcement HostInformation

EnableHIPChecking(Continued)

Step10 VerifythatyourHIPprofilesareworking YoucanmonitorwhattrafficishittingyourHIPenabledpolicies


asexpected. usingtheTrafficlogasfollows:
1. Fromthegateway,selectMonitor > Logs > Traffic.
2. Filterthelogtodisplayonlytrafficthatmatchestherulethat
hastheHIPprofileyouareinterestedinmonitoringattached.
Forexample,tosearchfortrafficthatmatchesasecurityrule
namediOSAppsyouwouldenter( rule eq 'iOS Apps' )
inthefiltertextboxasfollows:

186 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


HostInformation CollectApplicationandProcessDataFromClients

CollectApplicationandProcessDataFromClients

TheWindowsRegistryandMacPlistcanbeusedtoconfigureandstoresettingsandoptionsforWindows
andMacoperatingsystems,respectively.Youcancreateacustomcheckthatwillallowyoutodetermine
whetheranapplicationisinstalled(hasacorrespondingregistryorplistkey)orisrunning(hasa
correspondingrunningprocess)onaWindowsorMacclient.Enablingcustomchecksinstructsthe
GlobalProtectagenttocollectspecificregistryinformation(RegistryKeysandRegistryKeyValuesfrom
Windowsclients),preferencelist(plist)information(plistandplistkeysfromMacOSclients).Thedatathat
youdefinetobecollectedinacustomcheckisincludedintherawhostinformationdatacollectedbythe
GlobalProtectagentandthensubmittedtotheGlobalProtectgatewaywhentheagentconnects.
TomonitorthedatacollectedwithcustomchecksyoucancreateaHIPobject.YoucanthenaddtheHIP
objecttoaHIPprofiletousethecollecteddatatomatchtodevicetrafficandenforcesecurityrules.The
gatewaycanusetheHIPobject(whichmatchestothedatadefinedinthecustomcheck)tofiltertheraw
hostinformationsubmittedbytheagent.WhenthegatewaymatchestheclientdatatoaHIPobject,aHIP
Matchlogentryisgeneratedforthedata.AHIPprofileallowsthegatewaytoalsomatchthecollecteddata
toasecurityrule.IftheHIPprofileisusedascriteriaforasecuritypolicyrule,thegatewaywillenforcethat
securityruleonthematchingtraffic.
UsethefollowingtasktoenablecustomcheckstocollectdatafromWindowsandMacclients.Thistask
includestheoptionalstepstocreateaHIPobjectandHIPprofileforacustomcheck,ifyouwouldliketouse
clientdataasmatchingcriteriaforasecuritypolicytomonitor,identify,andactontraffic.

FormoreinformationondefiningagentsettingsdirectlyfromtheWindowsregistryortheglobal
Macplist,seeDeployAgentSettingsTransparently.

EnableandVerifyCustomChecksforWindowsorMacClients

Step1 EnabletheGlobalProtectagentto Collect data from a Windows client:


collectWindowsRegistryinformation 1. SelectNetwork > GlobalProtect > Portals andthenselectthe
fromWindowsclientsorPlist portalconfigurationyouwanttomodifyorAddanewone.
informationfromMacclients.Thetype
ofinformationcollectedcaninclude 2. SelecttheAgenttabandthenselecttheAgentconfiguration
whetherornotanapplicationisinstalled youwanttomodifyorAddanewone.
ontheclient,orspecificattributesor 3. Select Data Collection,andthenverifythatCollect HIP Datais
propertiesofthatapplication. enabled.
Thisstepenablestheagenttoreport 4. Select Custom Checks > Windows.
dataontheapplicationsandclient
settings.(Step 5andStep 6willshow 5. AddtheRegistryKeythatyouwanttocollectinformation
youhowtomonitorandusethereported about.Ifyouwanttorestrictdatacollectiontoavalue
datatoidentifyortakeactiononcertain containedwithinthatRegistryKey,addthecorresponding
devicetraffic). Registry Value.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 187


CollectApplicationandProcessDataFromClients HostInformation

EnableandVerifyCustomChecksforWindowsorMacClients(Continued)

Collect data from a Mac client:


1. SelectNetwork > GlobalProtect > Portals andthenselectthe
portalconfigurationyouwanttomodifyorAddanewone.
2. SelecttheAgenttabandthenselecttheAgentconfiguration
youwanttomodifyorAddanewone.
3. Select Data Collection,andthenverifythatCollect HIP Datais
enabled.
4. Select Custom Checks > Mac.
5. AddthePlistthatyouwanttocollectinformationaboutand
thecorrespondingPlistKeytodetermineiftheapplicationis
installed:
.

Forexample,Add thePlistcom.apple.screensaverandthe
KeyaskForPasswordtocollectinformationonwhethera
passwordisrequiredtowaketheMacclientafterthescreen
saverbegins:

ConfirmthatthePlistandKey areaddedtotheMaccustom
checks:

Step2 (Optional)Checkifaspecificprocessis 1. ContinuefromStep 1ontheCustom Checkstab(Network >


runningontheclient. GlobalProtect > Portals > <portalconfig> > Agent >
<agentconfig>> Data Collection)andselecttheWindows tab
orMactab.
2. Addthenameoftheprocessthatyouwanttocollect
informationabouttotheProcess List.

Step3 Savethecustomcheck. ClickOKandCommitthechanges.

188 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


HostInformation CollectApplicationandProcessDataFromClients

EnableandVerifyCustomChecksforWindowsorMacClients(Continued)

Step4 VerifythattheGlobalProtectagentis For Windows clients:


collectingthedatadefinedinthecustom OntheWindowsclient,doubleclicktheGlobalProtecticononthe
checkfromtheclient. taskbarandclicktheHost Statetabtoviewtheinformationthat
theGlobalProtectagentiscollectingfromtheMacclient.Underthe
customchecksdropdown,verifythatthedatathatyoudefinedfor
collectioninStep 7isdisplayed:

For Mac clients:


OntheMacclient,clicktheGlobalProtecticonontheMenubar,
clickAdvanced View,andclickHost Statetoviewtheinformation
thattheGlobalProtectagentiscollectingfortheMacclient.Under
thecustomchecksdropdown,verifythatthedatayoudefinedfor
collectioninStep 7isdisplayed:

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 189


CollectApplicationandProcessDataFromClients HostInformation

EnableandVerifyCustomChecksforWindowsorMacClients(Continued)

Step5 (Optional)CreateaHIPObjecttomatch For Windows and Mac clients:


toaRegistryKey(Windows)orPlist 1. SelectObjects > GlobalProtect > HIP ObjectsandAddaHIP
(Mac).Thiscanallowyoutofiltertheraw Object.
hostinformationcollectedfromthe
GlobalProtectagentinordertomonitor 2. SelectandenableCustom Checks.
thedataforthecustomcheck. For Windows clients only:
WithaHIPobjectdefinedforthecustom 1. TocheckWindowsclientsforaspecificregistrykey,select
checkdata,thegatewaywillmatchthe Registry KeyandAddtheregistrytomatchon.Toonlyidentify
rawdatasubmittedfromtheagenttothe clientsthatdonothavethespecifiedregistrykey,selectKey
HIPobjectandaHIPMatchlogentryis does not exist or match the specified value data.
generatedforthedata(Monitor > HIP
Match). 2. TomatchonspecificvalueswithintheRegistrykey,clickAdd
andthenentertheregistryvalueandvaluedata.Toidentify
clientsthatexplicitlydonothavethespecifiedvalueorvalue
data,selecttheNegate checkbox.

3. ClickOKtosavetheHIPobject.YoucanCommittoviewthe
dataintheHIP Matchlogsatthenextdevicecheckinor
continuetoStep 6.
For Mac clients only:
1. Selectthe Plisttaband AddandenterthenameofthePlistfor
whichyouwanttocheckMacclients.(Ifinstead,youwantto
matchMacclientsthatdonothavethespecifiedPlist,continue
byselectingPlist does not exist).
2. (Optional)Youcanmatchtraffictoaspecifickeyvaluepair
withinthePlistbyenteringtheKeyandthecorresponding
Valuetomatch.(Alternatively,ifyouwanttoidentifyclients
thatdonothaveaspecificKeyandValue,youcancontinueby
selectingNegateafteraddingpopulatingtheKeyandValue
fields).

3. ClickOKtosavetheHIPobject.YoucanCommittoviewthe
dataintheHIP Matchlogsatthenextdevicecheckinor
continuetoStep 6.

190 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


HostInformation CollectApplicationandProcessDataFromClients

EnableandVerifyCustomChecksforWindowsorMacClients(Continued)

Step6 (Optional)CreateaHIPprofiletoallow 1. SelectObjects > GlobalProtect > HIP Profile.


theHIPobjectyoucreatedinStep 5to 2. ClickAdd Match Criteria toopentheHIP Objects/Profiles
beevaluatedagainsttraffic. Builder.
TheHIPprofilecanbeaddedtoa
3. SelecttheHIP objectyouwanttouseasmatchcriteriaand
securitypolicyasanadditionalcheckfor
thenmoveitovertotheMatchboxontheHIPProfiledialog.
trafficmatchingthatpolicy.Whenthe
trafficismatchedtotheHIPprofile,the 4. WhenyouhavefinishedaddingtheobjectstothenewHIP
securitypolicyrulewillbeenforcedon profile,click OKandCommit.
thetraffic.
FormoredetailsoncreatingaHIP
profiles,seeConfigureHIPBasedPolicy
Enforcement.

Step7 AddtheHIPprofiletoasecuritypolicyso SelectPolicies > Security,andAdd ormodifyasecuritypolicy.Go


thatthedatacollectedwiththecustom totheUsertabtoaddaHIPprofiletothepolicy.Formoredetails
checkcanbeusedtomatchtoandacton onsecuritypoliciescomponentsandusingsecuritypoliciesto
traffic. matchtoandactontraffic,seeSecurityPolicy.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 191


BlockDeviceAccess HostInformation

BlockDeviceAccess

IntheeventthatauserlosesadevicethatprovidesGlobalProtectaccesstoyournetwork,thatdeviceis
stolen,orauserleavesyourorganization,youcanblockthedevicefromgainingaccesstothenetworkby
placingthedeviceinablocklist.
Ablocklistislocaltoalogicalnetworklocation(vsys,1forexample)andcancontainamaximumof1,000
devicesperlocation.Therefore,youcancreateseparatedeviceblocklistsforeachlocationhostinga
GlobalProtectdeployments.

BlockDeviceAccess

Step1 Createadeviceblocklist. 1. SelectNetwork > GlobalProtect > Device Block ListandAdd


YoucannotusePanorama adeviceblocklist.
templatestopushadeviceblock 2. EnteradescriptiveNameforthelist.
listtofirewalls.
3. Forafirewallwithmorethanonevirtualsystem(vsys),select
theLocation(vsysorShared)wheretheprofileisavailable.

Step2 Addadevicetoablocklist. 1. Adddevices.EnterthehostID(required)andhostname


(optional)foradeviceyouneedtoblock.
2. Addadditionaldevices,ifneeded.
3. ClickOKtosaveandactivatetheblocklist.
Thedevicelistdoesnotrequireacommitandis
immediatelyactive.

192 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectQuickConfigs
ThefollowingsectionsprovidestepbystepinstructionsforconfiguringsomecommonGlobalProtect
deployments:
RemoteAccessVPN(AuthenticationProfile)
RemoteAccessVPN(CertificateProfile)
RemoteAccessVPNwithTwoFactorAuthentication
AlwaysOnVPNConfiguration
RemoteAccessVPNwithPreLogon
GlobalProtectMultipleGatewayConfiguration
GlobalProtectforInternalHIPCheckingandUserBasedAccess
MixedInternalandExternalGatewayConfiguration

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 193


RemoteAccessVPN(AuthenticationProfile) GlobalProtectQuickConfigs

RemoteAccessVPN(AuthenticationProfile)

IntheFigure:GlobalProtectVPNforRemoteAccess,theGlobalProtectportalandgatewayareconfigured
onethernet1/2,sothisisthephysicalinterfacewhereGlobalProtectclientsconnect.Afteraclientconnects
andtheportalandgatewayauthenticatesit,theclientestablishesaVPNtunnelfromitsvirtualadapter,
whichhasbeenassignedanaddressintheIPaddresspoolassociatedwiththegatewaytunnel.2
configuration10.31.32.310.31.32.118inthisexample.BecauseGlobalProtectVPNtunnelsterminateina
separatecorpvpnzone,youhavevisibilityintotheVPNtrafficaswellastheabilitytocustomizesecurity
policyforremoteusers.
Watchthevideo.

Figure:GlobalProtectVPNforRemoteAccess

Thefollowingprocedureprovidestheconfigurationstepsforthisexample.Youcanalsowatchthevideo.

QuickConfig:VPNRemoteAccess

Step1 CreateInterfacesandZonesfor SelectNetwork > Interfaces > Ethernet andconfigure


GlobalProtect. ethernet1/2asaLayer3EthernetinterfacewithIPaddress
Usethedefaultvirtualrouterforall 203.0.113.1andassignittothel3untrustzoneandthedefault
interfaceconfigurationstoavoid virtualrouter.
havingtocreateinterzonerouting. CreateaDNSArecordthatmapsIPaddress203.0.113.1to
gp.acme.com.
SelectNetwork > Interfaces > Tunnel andaddthetunnel.2
interfaceandaddittoanewzonecalledcorpvpn.Assignittothe
defaultvirtualrouter.
EnableUserIdentificationonthecorpvpnzone.

194 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectQuickConfigs RemoteAccessVPN(AuthenticationProfile)

QuickConfig:VPNRemoteAccess(Continued)

Step2 Createsecuritypolicytoenabletraffic 1. SelectPolicies > SecurityandthenAddanewrule.


flowbetweenthecorpvpnzoneandthe 2. Forthisexample,youwoulddefinetherulewiththefollowing
l3trustzonetoenableaccesstoyour settings:
internalresources.
NameVPNAccess
SourceZonecorpvpn
DestinationZonel3trust

Step3 Obtainaservercertificateforthe SelectDevice > Certificate Management > Certificates tomanage


interfacehostingtheGlobalProtect certificatesasfollows:
portalandgatewayusingoneofthe Obtainaservercertificate.Becausetheportalandgatewayare
followingmethods: onthesameinterface,thesameservercertificatecanbeusedfor
(Recommended)Importaserver bothcomponents.
certificatefromawellknown, TheCNofthecertificatemustmatchtheFQDN,gp.acme.com.
thirdpartyCA. Toenableclientstoconnecttotheportalwithoutreceiving
UsetherootCAontheportalto certificateerrors,useaservercertificatefromapublicCA.
generateaselfsignedserver
certificate.

Step4 Createaserverprofile. CreatetheserverprofileforconnectingtotheLDAPserver(Device


Theserverprofileinstructsthefirewall > Server Profiles > LDAP).
howtoconnecttotheauthentication
service.SupportedmethodsareLocal,
RADIUS,Kerberos,SAML,andLDAP
authentication.Thisexampleshowsan
LDAPauthenticationprofilefor
authenticatingusersagainsttheActive
Directory.

Step5 (Optional)Createanauthentication Attachtheserverprofiletoanauthenticationprofile(Device >


profile. Authentication Profile).

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 195


RemoteAccessVPN(AuthenticationProfile) GlobalProtectQuickConfigs

QuickConfig:VPNRemoteAccess(Continued)

Step6 ConfigureaGlobalProtectGateway. SelectNetwork > GlobalProtect > Portalsandaddthefollowing


configuration:
Interfaceethernet1/2
IP Address203.0.113.1
Server CertificateGP-server-cert.pem issued by GoDaddy
Authentication ProfileCorp-LDAP
Tunnel Interfacetunnel.2
IP Pool10.31.32.3 - 10.31.32.118

Step7 ConfiguretheGlobalProtectPortals. SelectNetwork > GlobalProtect > Portalsandaddthefollowing


configuration:
1. SetUpAccesstotheGlobalProtectPortal.Thisexampleuses
thefollowingsettings:
Interfaceethernet1/2
IP Address203.0.113.1
Server CertificateGP-server-cert.pem issued by
GoDaddy
Authentication ProfileCorp-LDAP
2. DefinetheGlobalProtectClientAuthenticationConfigurations
usingthefollowingsettings:
Connect MethodOn-demand(Manualuserinitiated
connection)
External Gateway Addressgp.acme.com

Step8 DeploytheGlobalProtectAgent SelectDevice > GlobalProtect Client.


Software. Inthisexample,usetheproceduretoHostAgentUpdatesonthe
Portal.

Step9 (Optional)Enableuseofthe PurchaseandinstallaGlobalProtectsubscription(Device >


GlobalProtectmobileapp. Licenses)toenableuseoftheapp.

Step10 SavetheGlobalProtectconfiguration. ClickCommit.

196 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectQuickConfigs RemoteAccessVPN(CertificateProfile)

RemoteAccessVPN(CertificateProfile)

Withcertificateauthentication,theclientmustpresentavalidclientcertificatethatidentifiestheusertothe
GlobalProtectportalorgateway.Inadditiontothecertificateitself,theportalorgatewaycanuseacertificate
profiletodeterminewhethertheclientthatsentthecertificateistheclienttowhichthecertificatewas
issued.
Whenaclientcertificateistheonlymeansofauthentication,thecertificatethattheclientpresentsmust
containtheusernameinoneofthecertificatefields;typicallytheusernamecorrespondstothecommon
name(CN)intheSubjectfieldofthecertificate.
Uponsuccessfulauthentication,theGlobalProtectagentestablishesaVPNtunnelwiththegatewayandis
assignedanIPaddressfromtheIPpoolinthegatewaystunnelconfiguration.Tosupportuserbasedpolicy
enforcementonsessionsfromthecorpvpnzone,theusernamefromthecertificateismappedtotheIP
addressthatthegatewayassigned.Also,ifasecuritypolicyrequiresadomainnameinadditiontousername,
thespecifieddomainvalueinthecertificateprofileisappendedtotheusername.

Figure:GlobalProtectClientCertificateAuthenticationConfiguration

ThisquickconfigurationusesthesametopologyasFigure:GlobalProtectVPNforRemoteAccess.Theonly
configurationdifferenceisthatinsteadofauthenticatingusersagainstanexternalauthenticationserver,this
configurationusesclientcertificateauthenticationonly.

QuickConfig:VPNRemoteAccesswithClientCertificateAuthentication

Step1 CreateInterfacesandZonesfor SelectNetwork > Interfaces > Ethernetandconfigure


GlobalProtect. ethernet1/2asaLayer3EthernetinterfacewithIPaddress
Usethedefaultvirtualrouterfor 203.0.113.1andassignittothel3untrustsecurityzoneandthe
allinterfaceconfigurationsto defaultvirtualrouter.
avoidhavingtocreateinterzone CreateaDNSArecordthatmapsIPaddress203.0.113.1to
routing. gp.acme.com.
SelectNetwork > Interfaces > Tunnel.
Addtunnel.2interfacetoanewzonecalledcorp-vpn.Assignthe
interfacetothedefaultvirtualrouter.
EnableUserIdentificationonthecorpvpnzone.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 197


RemoteAccessVPN(CertificateProfile) GlobalProtectQuickConfigs

QuickConfig:VPNRemoteAccesswithClientCertificateAuthentication(Continued)

Step2 Createsecuritypolicytoenabletraffic 1. SelectPolicies > SecurityandthenAddanewrule.


flowbetweenthecorpvpnzoneandthe 2. Forthisexample,youwoulddefinetherulewiththefollowing
l3trustzonetoenableaccesstoyour settings:
internalresources.
NameVPN Access
SourceZonecorp-vpn
DestinationZonel3-trust

Step3 Obtainaservercertificateforthe SelectDevice > Certificate Management > Certificates tomanage


interfacehostingtheGlobalProtect certificatesasfollows:
portalandgatewayusingoneofthe Obtainaservercertificate.Becausetheportalandgatewayare
followingmethods: onthesameinterface,thesameservercertificatecanbeusedfor
(Recommended)Importaserver bothcomponents.
certificatefromawellknown, TheCNofthecertificatemustmatchtheFQDN,gp.acme.com.
thirdpartyCA. Toenableclientstoconnecttotheportalwithoutreceiving
UsetherootCAontheportalto certificateerrors,useaservercertificatefromapublicCA.
generateaselfsignedserver
certificate.

Step4 IssueclientcertificatestoGlobalProtect 1. UseyourenterprisePKIorapublicCAtoissueauniqueclient


clientsandendpoints. certificatetoeachGlobalProtectuser.
2. Installcertificatesinthepersonalcertificatestoreonthe
endpoints.

Step5 Createaclientcertificateprofile. 1. SelectDevice > Certificate Management > Certificate Profile,


clickAddandenteraprofileNamesuchasGP-client-cert.
2. SelectSubjectfromtheUsername Fielddropdown.
3. ClickAddintheCACertificatessection,selecttheCA
Certificatethatissuedtheclientcertificates,andclickOK
twice.

Step6 ConfigureaGlobalProtectGateway. SelectNetwork > GlobalProtect > Gatewaysandaddthefollowing


Seethetopologydiagramshownin configuration:
Figure:GlobalProtectVPNforRemote Interfaceethernet1/2
Access. IP Address203.0.113.1
Server CertificateGP-server-cert.pem issued by GoDaddy
Certificate ProfileGP-client-cert
Tunnel Interfacetunnel.2
IP Pool10.31.32.3 - 10.31.32.118

198 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectQuickConfigs RemoteAccessVPN(CertificateProfile)

QuickConfig:VPNRemoteAccesswithClientCertificateAuthentication(Continued)

Step7 ConfiguretheGlobalProtectPortals. SelectNetwork > GlobalProtect > Portals andaddthefollowing


configuration:
1. SetUpAccesstotheGlobalProtectPortal:
Interfaceethernet1/2
IP Address203.0.113.1
Server CertificateGP-server-cert.pem issued by
GoDaddy
Certificate ProfileGP-client-cert
2. DefinetheGlobalProtectAgentConfigurations:
Connect MethodOn-demand(Manualuserinitiated
connection)
External Gateway Addressgp.acme.com

Step8 DeploytheGlobalProtectAgent SelectDevice > GlobalProtect Client.


Software. Inthisexample,usetheproceduretoHostAgentUpdatesonthe
Portal.

Step9 (Optional)Enableuseofthe PurchaseandinstallaGlobalProtectsubscription(Device >


GlobalProtectmobileapp. Licenses)toenableuseoftheapp.

Step10 SavetheGlobalProtectconfiguration. ClickCommit.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 199


RemoteAccessVPNwithTwoFactorAuthentication GlobalProtectQuickConfigs

RemoteAccessVPNwithTwoFactorAuthentication

IfyouconfigureaGlobalProtectportalorgatewaywithanauthenticationprofileandacertificateprofile
(whichtogethercanprovidetwofactorauthentication),theendusermustsucceedatauthentication
throughbothprofilesbeforegainingaccess.Forportalauthentication,thismeansthatcertificatesmustbe
predeployedtotheendclientsbeforetheirinitialportalconnection.Additionally,theclientcertificate
presentedbyaclientmustmatchwhatisdefinedinthecertificateprofile.
Ifthecertificateprofiledoesnotspecifyausernamefield(thatis,theUsername FielditissettoNone),the
clientcertificatedoesnotneedtohaveausername.Inthiscase,theclientmustprovidetheusername
whenauthenticatingagainsttheauthenticationprofile.
Ifthecertificateprofilespecifiesausernamefield,thecertificatethattheclientpresentsmustcontaina
usernameinthecorrespondingfield.Forexample,ifthecertificateprofilespecifiesthattheusername
fieldisSubject,thecertificatepresentedbytheclientmustcontainavalueinthecommonnamefield,or
elsetheauthenticationfails.Inaddition,whentheusernamefieldisrequired,thevaluefromthe
usernamefieldofthecertificateisautomaticallypopulatedastheusernamewhentheuserattemptsto
entercredentialsforauthenticatingtotheauthenticationprofile.Ifyoudonotwantforceusersto
authenticatewithausernamefromthecertificate,donotspecifyausernamefieldinthecertificate
profile.

ThisquickconfigurationusesthesametopologyasFigure:GlobalProtectVPNforRemoteAccess.However,
inthisconfigurationtheclientsmustauthenticateagainstacertificateprofileandanauthenticationprofile.
Formoredetailsonaspecifictypeoftwofactorauthentication,seethefollowingtopics:
EnableTwoFactorAuthenticationUsingCertificateandAuthenticationProfiles
EnableTwoFactorAuthenticationUsingOneTimePasswords(OTPs)
EnableTwoFactorAuthenticationUsingSmartCards

200 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectQuickConfigs RemoteAccessVPNwithTwoFactorAuthentication

UsethefollowingproceduretoconfigureVPNRemoteAccesswithTwoFactorAuthentication.

VPNRemoteAccesswithTwoFactorAuthentication

Step1 CreateInterfacesandZonesfor SelectNetwork > Interfaces > Ethernetandconfigure


GlobalProtect. ethernet1/2asaLayer3EthernetinterfacewithIPaddress
Usethedefaultvirtualrouterfor 203.0.113.1andassignittothel3untrustsecurityzoneandthe
allinterfaceconfigurationsto defaultvirtualrouter.
avoidhavingtocreateinterzone CreateaDNSArecordthatmapsIPaddress203.0.113.1to
routing. gp.acme.com.
SelectNetwork > Interfaces > Tunnel andaddthetunnel.2
interfaceandaddittoanewzonecalledcorp-vpn.Assignitto
thedefaultvirtualrouter.
EnableUserIdentificationonthecorpvpnzone.

Step2 Createsecuritypolicytoenabletraffic 1. SelectPolicies > SecurityandthenclickAddtoaddanewrule.


flowbetweenthecorpvpnzoneandthe 2. Forthisexample,youwoulddefinetherulewiththefollowing
l3trustzonetoenableaccesstoyour settings:
internalresources.
NameVPN Access
SourceZonecorp-vpn
DestinationZonel3-trust

Step3 Obtainaservercertificateforthe SelectDevice > Certificate Management > Certificates tomanage


interfacehostingtheGlobalProtect certificatesasfollows:
portalandgatewayusingoneofthe Obtainaservercertificate.Becausetheportalandgatewayare
followingmethods: onthesameinterface,thesameservercertificatecanbeusedfor
(Recommended)Importaserver bothcomponents.
certificatefromawellknown, TheCNofthecertificatemustmatchtheFQDN,gp.acme.com.
thirdpartyCA. Toenableclientstoconnecttotheportalwithoutreceiving
UsetherootCAontheportalto certificateerrors,useaservercertificatefromapublicCA.
generateaselfsignedserver
certificate.

Step4 IssueclientcertificatestoGlobalProtect 1. UseyourenterprisePKIorapublicCAtoissueauniqueclient


clientsandendpoints. certificatetoeachGlobalProtectuser.
2. Installcertificatesinthepersonalcertificatestoreonthe
endpoints.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 201


RemoteAccessVPNwithTwoFactorAuthentication GlobalProtectQuickConfigs

VPNRemoteAccesswithTwoFactorAuthentication(Continued)

Step5 Createaclientcertificateprofile. 1. SelectDevice > Certificate Management > Certificate Profile,


AddandenteraprofileNamesuchasGP-client-cert.
2. Specifywheretogettheusernamethatwillbeusedto
authenticatetheenduser:
FromuserIfyouwanttheendusertosupplyausername
whenauthenticatingtotheservicespecifiedinthe
authenticationprofile,selectNoneastheUsername Field.
FromcertificateIfyouwanttoextracttheusernamefrom
thecertificate,selectSubjectastheUsername Field.Ifyou
usethisoption,theCNcontainedinthecertificatewill
automaticallypopulatedtheusernamefieldwhentheuseris
promptedtologintotheportal/gatewayandtheuserwillbe
requiredtologinusingthatusername.
3. IntheCACertificatessection,Add andthenselecttheCA
Certificatethatissuedtheclientcertificates,andclickOK
twice.

Step6 Createaserverprofile. CreatetheserverprofileforconnectingtotheLDAPserver(Device


Theserverprofileinstructsthefirewall > Server Profiles > LDAP).
howtoconnecttotheauthentication
service.Local,RADIUS,Kerberos,SAML,
andLDAPauthenticationmethodsare
supported.ThisexampleshowsanLDAP
authenticationprofileforauthenticating
usersagainsttheActiveDirectory.

Step7 (Optional)Createanauthentication Attachtheserverprofiletoanauthenticationprofile(Device>


profile. Authentication Profile).

202 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectQuickConfigs RemoteAccessVPNwithTwoFactorAuthentication

VPNRemoteAccesswithTwoFactorAuthentication(Continued)

Step8 ConfigureaGlobalProtectGateway. SelectNetwork > GlobalProtect > Gatewaysandaddthefollowing


Seethetopologydiagramshownin configuration:
Figure:GlobalProtectVPNforRemote Interfaceethernet1/2
Access. IP Address203.0.113.1
Server CertificateGP-server-cert.pem issued by GoDaddy
Certificate ProfileGP-client-cert
Authentication ProfileCorp-LDAP
Tunnel Interfacetunnel.2
IP Pool10.31.32.3 - 10.31.32.118

Step9 ConfiguretheGlobalProtectPortals. SelectNetwork > GlobalProtect > Portalsandaddthefollowing


configuration:
1. SetUpAccesstotheGlobalProtectPortal:
Interfaceethernet1/2
IP Address203.0.113.1
Server CertificateGP-server-cert.pem issued by
GoDaddy
Certificate ProfileGP-client-cert
Authentication ProfileCorp-LDAP
2. DefinetheGlobalProtectAgentConfigurations:
Connect MethodOn-demand(Manualuserinitiated
connection)
External Gateway Addressgp.acme.com

Step10 DeploytheGlobalProtectAgent SelectDevice > GlobalProtect Client.


Software. Inthisexample,usetheproceduretoHostAgentUpdatesonthe
Portal.

Step11 (Optional)DeployAgentSettings Asanalternativetodeployingagentsettingsfromtheportal


Transparently. configuration,youcandefinesettingsdirectlyfromtheWindows
registryorglobalMACplist.Examplesofsettingsthatyoucan
deployincludespecifyingtheportalIPaddressorenabling
GlobalProtecttoinitiateaVPNtunnelbeforeauserlogsintothe
deviceandconnectstotheGlobalProtectportal.OnWindows
clientsonly,youcanalsoconfiguresettingsusingtheMSIEXEC
installer.Foradditionalinformation,seeCustomizableAgent
Settings.

Step12 (Optional)Enableuseofthe PurchaseandinstallaGlobalProtectsubscription(Device >


GlobalProtectmobileapp. Licenses)toenableuseoftheapp.

Step13 SavetheGlobalProtectconfiguration. ClickCommit.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 203


AlwaysOnVPNConfiguration GlobalProtectQuickConfigs

AlwaysOnVPNConfiguration

InanalwaysonGlobalProtectconfiguration,theagentconnectstotheGlobalProtectportaluponuser
logontosubmituserandhostinformationandreceivetheclientconfiguration.Itthenautomatically
establishestheVPNtunneltothegatewayspecifiedintheclientconfigurationdeliveredbytheportal
withoutenduserinterventionasshowninthefollowingillustration.

ToswitchanyofthepreviousremoteaccessVPNconfigurationstoanalwaysonconfiguration,yousimply
changetheconnectmethod:
RemoteAccessVPN(AuthenticationProfile)
RemoteAccessVPN(CertificateProfile)
RemoteAccessVPNwithTwoFactorAuthentication
UsethefollowingproceduretoswitchtoanAlwaysOnconfiguration.

SwitchtoanAlwaysOnConfiguration

Step1 SelectNetwork > GlobalProtect > Portalsandselecttheportalconfigurationtoopenit.

Step2 SelecttheAgent tabandthenselecttheagentconfigurationyouwanttomodify.

Step3 SelecttheApptab.

Step4 SelectUser-logon (Always On)astheConnect Method.Repeatthisstepforeachagentconfiguration.

Step5 ClickOKtwicetosavetheagentconfigurationandtheportalconfigurationandthenCommityourchanges.

204 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectQuickConfigs RemoteAccessVPNwithPreLogon

RemoteAccessVPNwithPreLogon

PrelogonisaconnectmethodthatestablishesaVPNtunnelbeforeauserlogsin.Thepurposeofprelogon
istoauthenticatetheendpoint(nottheuser)andthenenabledomainscriptsandothertasksofyourchoice
torunassoonastheendpointpowerson.AmachinecertificateenablestheendpointtohavetheVPNtunnel
tothegateway.AcommonpracticeforITpersonnelistoinstallthemachinecertificatewhilestagingthe
endpointfortheuser.
AprelogonVPNtunnelhasnousernameassociationbecausetheuserhasnotloggedin.Therefore,tolet
theendpointhaveaccesstoresourcesinthetrustzone,youmustcreatesecuritypoliciesthatmatchthe
prelogonuser.Thesepoliciesshouldallowaccesstoonlythebasicservicesforstartingupthesystem,such
asDHCP,DNS,ActiveDirectory(forexample,tochangeanexpiredpassword),antivirus,oroperating
systemupdateservices.
AfterthegatewayauthenticatesaWindowsuser,theVPNtunnelisreassignedtothatuser(theIPaddress
mappingonthefirewallchangesfromtheprelogonendpointtotheauthenticateduser).

MacsystemsbehavedifferentlyfromWindowssystemswithprelogon.WithMacOS,thetunnel
createdforprelogonistorndownandanewtunnelcreatedwhentheuserlogsin.

Whenaclientrequestsanewconnection,theportalauthenticatestheclientbyusinganauthentication
profile.Theportalcanalsouseanoptionalcertificateprofilethatvalidatestheclientcertificate(ifthe
configurationincludesaclientcertificate).Inthiscase,theclientcertificatemustidentifytheuser.
Afterauthentication,theportaldeterminesiftheclientsconfigurationiscurrent.Iftheportalsconfiguration
fortheagenthaschanged,itpushesanupdatedconfigurationtotheendpoint.
Iftheconfigurationontheportaloragatewayincludescookiebasedauthenticationfortheclient,theportal
orgatewayinstallsanencryptedcookieontheclient.Subsequently,theportalorgatewayusesthecookie
toauthenticateusersandforrefreshingtheclientsconfiguration.Also,ifanagentconfigurationprofile
includestheprelogonconnectmethodinadditiontocookieauthentication,theGlobalProtectcomponents
canusethecookieforprelogon.
Ifusersneverlogintoadevice(forexample,aheadlessdevice)oraprelogonconnectionisrequiredona
systemthatauserhasnotpreviouslyloggedinto,youcanlettheendpointinitiateaprelogontunnelwithout
firstconnectingtotheportaltodownloadtheprelogonconfiguration.Todothis,youmustoverridethe
defaultbehaviorbycreatingentriesintheWindowsregistryorMacplist.
TheGlobalProtectendpointwillthenconnecttotheportalspecifiedintheconfigurationandauthenticate
theendpointbyusingitsmachinecertificate(asspecifiedinacertificateprofileconfiguredonthegateway)
andestablishtheVPNtunnel.
Whentheendusersubsequentlylogsintothemachineandifsinglesignon(SSO)isenabledintheclient
configuration,theusernameandpasswordarecapturedwhiletheuserlogsinandusedtoauthenticateto
thegatewayandsothatthetunnelcanberenamed(Windows).IfSSOisnotenabledintheclient
configurationorofSSOisnotsupportedontheclientsystem(forexample,itisaMacOSsystem)theusers
credentialsmustbestoredintheagent(thatis,theSave User CredentialsoptionmustbesettoYes).After
successfulauthenticationtothegatewaythetunnelwillberenamed(Windows)orrebuilt(Mac)anduser
andgroupbasedpolicycanbeenforced.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 205


RemoteAccessVPNwithPreLogon GlobalProtectQuickConfigs

ThisexampleusestheGlobalProtecttopologyshowninFigure:GlobalProtectVPNforRemoteAccess.

RemoteAccessVPNwithPreLogon

Step1 CreateInterfacesandZonesfor Forthisexample,selectNetwork > Interfaces > Ethernetand


GlobalProtect. then:
Usethedefaultvirtualrouterfor Selectethernet1/2.
allinterfaceconfigurationsto Foritsinterfacetype,selectLayer 3.
avoidhavingtocreateinterzone Assign interface to:defaultvirtualrouter,defaultvirtual
routing. system,andl3-untrustsecurityzone.
SelectIPv4andAdd.
Selecttheaddress203.0.113.1(ortheobjectthatmaps
203.0.113.1)oraddaNew Addresstocreateanewobjectand
addressmapping.(LeavetheaddresstypeasStatic.)
CreateaDNSArecordthatmapsIPaddress203.0.113.1to
gp.acme.com.
SelectNetwork > Interfaces > Tunnel.
Addatunnel.2interfacetoanewzonecalledcorp-vpn.Assignit
tothedefaultvirtualrouter.
EnableUserIdentificationonthecorpvpnzone.

206 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectQuickConfigs RemoteAccessVPNwithPreLogon

RemoteAccessVPNwithPreLogon(Continued)

Step2 Createthesecuritypolicyrules. Thisconfigurationrequiresthefollowingpolicies(Policies >


Security):
1. Createarulethatenablestheprelogonuseraccesstobasic
servicesthatarerequiredforthecomputertocomeup,such
asauthenticationservices,DNS,DHCP,andMicrosoft
Updates.
2. Createaruletoenableaccessbetweenthecorpvpnzoneand
thel3trustzoneforanyknownuseraftertheusersuccessfully
logsin.

Step3 Useoneofthefollowingmethodsto SelectDevice > Certificate Management > Certificates tomanage


obtainaservercertificateforthe certificateswiththefollowingcriteria:
interfacethatishoststheGlobalProtect Obtainaservercertificate.Becausetheportalandgatewayare
portalandgateway: onthesameinterface,thesameservercertificatecanbeusedfor
(Recommended)Importaserver bothcomponents.
certificatefromawellknown, TheCNofthecertificatemustmatchtheFQDN,gp.acme.com.
thirdpartyCA. Toenableclientstoconnecttotheportalwithoutreceiving
UsetherootCAontheportalto certificateerrors,useaservercertificatefromapublicCA.
generateaselfsignedserver
certificate.

Step4 Generateamachinecertificateforeach 1. IssueclientcertificatestoGlobalProtectclientsandendpoints.


clientsystemthatwillconnectto 2. Installcertificatesinthepersonalcertificatestoreonthe
GlobalProtectandimportthemintothe endpoints.(LocalComputerstoreonWindowsorSystem
personalcertificatestoreoneach KeychainonMacOS)
machine.
Althoughyoucouldgenerateselfsigned
certificatesforeachclientsystem,asa
bestpractice,useyourownpublickey
infrastructure(PKI)toissueand
distributecertificatestoyourclients.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 207


RemoteAccessVPNwithPreLogon GlobalProtectQuickConfigs

RemoteAccessVPNwithPreLogon(Continued)

Step5 ImportthetrustedrootCAcertificate 1. DownloadtheCAcertificateinBase64format.


fromtheCAthatissuedthemachine 2. Importthecertificateontoeachfirewallthathostsaportalor
certificatesontotheportaland gateway,asfollows:
gateway(s).
a. SelectDevice > Certificate Management > Certificates >
Youdonothavetoimportthe Device Certificates andclickImport.
privatekey.
b. EnteraCertificate Namethatidentifiesthecertificateas
yourclientCAcertificate.
c. BrowsetotheCertificate Fileyoudownloadedfromthe
CA.
d. SelectBase64 Encoded Certificate (PEM)astheFile
FormatandthenclickOK.
e. SelectthecertificateyoujustimportedontheDevice
Certificatestabtoopenit.
f. SelectTrusted Root CAandthenclickOK.

Step6 Oneachfirewallthathostsa 1. SelectDevice > Certificates > Certificate Management >


GlobalProtectgateway,createa Certificate Profile.
certificateprofiletoidentifytheCA 2. ClickAddandenteraNametouniquelyidentifytheprofile,
certificateforvalidatingthemachine suchasPreLogonCert.
certificates.
3. SetUsernameFieldtoNone.
Optionally,ifyouplantouseclient
certificateauthenticationtoauthenticate 4. (Optional)Ifyouwillalsouseclientcertificateauthentication
userswhentheylogintothesystem, toauthenticateusersuponlogin,addtheCAcertificatethat
makesurethattheCAcertificatethat issuedtheclientcertificatesifitisdifferentfromtheonethat
issuestheclientcertificatesisreferenced issuedthemachinecertificates.
inthecertificateprofileinadditiontothe 5. IntheCA Certificatesfield,clickAdd,selecttheTrustedRoot
CAcertificatethatissuedthemachine CAcertificateyouimportedinStep 5andthenclickOK.
certificatesiftheyaredifferent.
6. ClickOKtosavetheprofile.

Step7 ConfigureaGlobalProtectGateway. 1. SelectNetwork > GlobalProtect > Gatewaysandaddthe


Seethetopologydiagramshownin followingconfiguration:
Figure:GlobalProtectVPNforRemote Interfaceethernet1/2
Access. IP Address203.0.113.1
Althoughyoumustcreateacertificate Server CertificateGP-server-cert.pem issued by
profileforprelogonaccesstothe GoDaddy
gateway,youcanuseeitherclient Certificate ProfilePreLogonCert
certificateauthenticationor
Authentication ProfileCorp-LDAP
authenticationprofilebased
authenticationforloggedinusers.Inthis Tunnel Interfacetunnel.2
example,thesameLDAPprofileisused IP Pool10.31.32.3 - 10.31.32.118
thatisusedtoauthenticateuserstothe 2. Committhegatewayconfiguration.
portal.

208 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectQuickConfigs RemoteAccessVPNwithPreLogon

RemoteAccessVPNwithPreLogon(Continued)

Step8 ConfiguretheGlobalProtectPortals. SelectNetwork > GlobalProtect > Portalsandspecifythefollowing


ConfigureDevicedetails(networking configuration:
parameters,theauthenticationservice SetUpAccesstotheGlobalProtectPortal:
profile,andthecertificateforthe Interfaceethernet1/2
authenticationserver). IP Address203.0.113.1
Server CertificateGP-server-cert.pem issued by
GoDaddy
Certificate ProfileNone
Authentication ProfileCorp-LDAP

Step9 DefinetheGlobalProtectAgent SelectAgentandspecifyoneofthefollowingconfigurations:


Configurationsforprelogonusersand Usethesamegatewaybeforeandafterprelogonuserslogin:
forloggedinusers. Use single sign-onenabled
Useasingleagentconfigurationifyou Connect Methodpre-logon
wantprelogonuserstoaccessthesame
External Gateway Addressgp1.acme.com
gatewaysbeforeandaftertheylogin.
User/User Groupany
Otherwise,todirectprelogonusersto
differentgatewaysbeforeandafterthey Authentication OverrideCookieauthenticationfor
login,createtwoagentconfiguration transparentlyauthenticatingusersandforconfigurationrefresh
profiles.Inthisfirstagentconfigurations Useseparategatewaysforprelogonusersbeforeandafterthey
User/User Group,selectthepre-logon login:
filter.Withprelogon,theportalfirst FirstAgentConfiguration:
authenticatestheendpoint,nottheuser, Connect Methodpre-logon
tosetupaVPN(eventhoughthe
External Gateway Addressgp1.acme.com
prelogonparameterisassociatedwith
users).Subsequently,theportal User/User Grouppre-logon
authenticatestheuserwhenheorshe Authentication OverrideCookieauthenticationfor
logsin. transparentlyauthenticatingusersandforconfigurationrefresh
Aftertheportalauthenticatestheuser,it SecondAgentConfiguration:
deploysthesecondagentconfiguration. Use single sign-onenabled
Inthiscase,User/User Groupisany. Connect Methodpre-logon
Asabestpractice,enableSSOin External Gateway Addressgp2.acme.com
thesecondagentconfiguration User/User Groupany
sothatthecorrectusernameis
Authentication OverrideCookieauthenticationfor
immediatelyreportedtothe
transparentlyauthenticatingusersandforconfigurationrefresh
gatewaywhentheuserlogsinto
theendpoint.IfSSOisnot Makesuretheprelogonclientconfigurationisfirstinthelistof
enabled,thesavedusernamein configurations.Ifitisnot,selectitandclickMove Up.
theAgentsettingspanelisused.

Step10 SavetheGlobalProtectconfiguration. ClickCommit.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 209


RemoteAccessVPNwithPreLogon GlobalProtectQuickConfigs

RemoteAccessVPNwithPreLogon(Continued)

Step11 (Optional)Ifuserswillneverlogintoa 1. LocatetheGlobalProtectsettingsintheregistry:


device(forexample,aheadlessdevice)or HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto
aprelogonconnectionisrequiredona Networks\GlobalProtect\PanSetup
systemthatauserhasnotpreviously
2. CreateaDWORDnamedPrelogonwithavalueof1inthe
loggedinto,createthePrelogonregistry
Value datafieldandHexadecimalastheBase.Thissetting
entryontheclientsystem.
enablesGlobalProtecttoinitiateaVPNconnectionbeforethe
Youmustalsopredeploy userlogsintothelaptop.
additionalagentsettingssuchas
thedefaultportalIPaddressand 3. CreateaString ValuenamedPortalthatspecifiestheIP
connectmethod. addressorhostnameofthedefaultportalforthe
GlobalProtectclient.
Formoreinformationaboutregistry
settings,seeDeployAgentSettings 4. CreateaString Valuenamedconnect-methodwithavalueof
Transparently. pre-logonintheValuedatafield.Thissettingenables
GlobalProtecttoinitiateaVPNtunnelbeforeauserlogsinto
thedeviceandconnectstotheGlobalProtectportal.

210 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectQuickConfigs GlobalProtectMultipleGatewayConfiguration

GlobalProtectMultipleGatewayConfiguration

InFigure:GlobalProtectMultipleGatewayTopology,asecondexternalgatewayhasbeenaddedtothe
configuration.Multiplegatewaysaresupportedinalloftheprecedingexampleconfigurations.Additional
stepsincludeconfiguringasecondfirewallasaGlobalProtectgateway.Inaddition,whenconfiguringthe
clientconfigurationstobedeployedbytheportalyoucandecidewhethertoallowaccesstoallgateways,
orspecifydifferentgatewaysfordifferentconfigurations.

Figure:GlobalProtectMultipleGatewayTopology

Ifaclientconfigurationcontainsmorethanonegateway,theagentwillattempttoconnecttoallgateways
listedinitsclientconfiguration.Theagentwillthenusepriorityandresponsetimeastodeterminethe
gatewaytowhichtoconnect.Theagentconnectstoalowerprioritygatewayonlyiftheresponsetimefor
thehigherprioritygatewayisgreaterthantheaverageresponsetimeacrossallgateways.Formore
information,seeGatewayPriorityinaMultipleGatewayConfiguration.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 211


GlobalProtectMultipleGatewayConfiguration GlobalProtectQuickConfigs

QuickConfig:GlobalProtectMultipleGatewayConfiguration

Step1 CreateInterfacesandZonesfor On the firewall hosting the portal/gateway (gw1):


GlobalProtect. SelectNetwork > Interfaces > Ethernetandconfigure
Inthisconfiguration,youmustsetup ethernet1/2asaLayer3EthernetinterfacewithIPaddress
interfacesoneachfirewallhostinga 198.51.100.42andassignittothel3untrustsecurityzoneand
gateway. thedefaultvirtualrouter.
Usethedefaultvirtualrouterfor CreateaDNSArecordthatmapsIPaddress198.51.100.42to
allinterfaceconfigurationsto gp1.acme.com.
avoidhavingtocreateinterzone SelectNetwork > Interfaces > Tunnel andaddthetunnel.2
routing. interfaceandaddittoanewzonecalledcorp-vpn.Assignitto
thedefaultvirtualrouter.
EnableUserIdentificationonthecorpvpnzone.
On the firewall hosting the second gateway (gw2):
SelectNetwork > Interfaces > Ethernetandconfigure
ethernet1/5asaLayer3EthernetinterfacewithIPaddress
192.0.2.4andassignittothel3untrustsecurityzoneandthe
defaultvirtualrouter.
CreateaDNSArecordthatmapsIPaddress192.0.2.4to
gp2.acme.com.
SelectNetwork > Interfaces > Tunnel andaddthetunnel.1
interfaceandaddittoanewzonecalledcorp-vpn.Assignitto
thedefaultvirtualrouter.
EnableUserIdentificationonthecorpvpnzone.

Step2 PurchaseandinstallaGlobalProtect AfteryoupurchasetheGlobalProtectsubscriptionandreceiveyour


subscriptiononeachgatewayifyouhave activationcode,installthelicenseonthefirewallhostingtheportal
userswhowillbeusingtheGlobalProtect asfollows:
appontheirmobiledevicesorifyouplan 1. SelectDevice > Licenses.
touseHIPenabledsecuritypolicy.
2. SelectActivate feature using authorization code.
3. Whenprompted,entertheAuthorization Codeandthenclick
OK.
4. Verifythatthelicensewassuccessfullyactivated.

Step3 OneachfirewallhostingaGlobalProtect Thisconfigurationrequirespolicyrulestoenabletrafficflow


gateway,createsecuritypolicy. betweenthecorpvpnzoneandthel3trustzonetoenableaccess
toyourinternalresources(Policies > Security).

212 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectQuickConfigs GlobalProtectMultipleGatewayConfiguration

QuickConfig:GlobalProtectMultipleGatewayConfiguration(Continued)

Step4 Obtainservercertificatesforthe Oneachfirewallhostingaportal/gatewayorgateway,select


interfaceshostingyourGlobalProtect Device > Certificate Management > Certificates tomanage
portalandeachofyourGlobalProtect certificatesasfollows:
gatewaysusingthefollowing Obtainaservercertificatefortheportal/gw1.Becausethe
recommendations: portalandthegatewayareonthesameinterfaceyoumustuse
(Onthefirewallhostingtheportalor thesameservercertificate.TheCNofthecertificatemustmatch
portal/gateway)Importaserver theFQDN,gp1.acme.com.Toenableclientstoconnecttothe
certificatefromawellknown, portalwithoutreceivingcertificateerrors,useaservercertificate
thirdpartyCA. fromapublicCA.
(Onafirewallhostingonlyagateway) Obtainaservercertificatefortheinterfacehostinggw2.
UsetherootCAontheportalto Becausethisinterfacehostsagatewayonlyyoucanusea
generateaselfsignedserver selfsignedcertificate.TheCNofthecertificatemustmatchthe
certificate. FQDN,gp2.acme.com.

Step5 Definehowyouwillauthenticateusers Youcanuseanycombinationofcertificateprofilesand/or


totheportalandthegateways. authenticationprofilesasnecessarytoensurethesecurityforyour
portalandgateways.Portalsandindividualgatewayscanalsouse
differentauthenticationschemes.Seethefollowingsectionsfor
stepbystepinstructions:
SetUpExternalAuthentication(authenticationprofile)
SetUpClientCertificateAuthentication(certificateprofile)
SetUpTwoFactorAuthentication(tokenorOTPbased)
Youwillthenneedtoreferencethecertificateprofileand/or
authenticationprofilesyoudefinedintheportalandgateway
configurationsyoudefine.

Step6 Configurethegateways. Thisexampleshowstheconfigurationforgp1andgp2shownin


Figure:GlobalProtectMultipleGatewayTopology.(SeeConfigurea
GlobalProtectGatewayforstepbystepinstructionsoncreating
thegatewayconfigurations.)
On the firewall hosting gp1, select Network > GlobalProtect >
Gateways and configure the gateway settings as follows:
Interfaceethernet1/2
IP Address198.51.100.42
Server CertificateGP1-server-cert.pem issued by GoDaddy
Tunnel Interfacetunnel.2
IP Pool10.31.32.3 - 10.31.32.118
On the firewall hosting gp2, select Network > GlobalProtect >
Gateways and configure the gateway settings as follows:
Interfaceethernet1/2
IP Address192.0.2.4
Server Certificateself-signed certificate,
GP2-server-cert.pem
Tunnel Interfacetunnel.1
IP Pool10.31.33.3 - 10.31.33.118

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 213


GlobalProtectMultipleGatewayConfiguration GlobalProtectQuickConfigs

QuickConfig:GlobalProtectMultipleGatewayConfiguration(Continued)

Step7 ConfiguretheGlobalProtectPortals. SelectNetwork > GlobalProtect > Portalsandaddthefollowing


configuration:
1. SetUpAccesstotheGlobalProtectPortal:
Interfaceethernet1/2
IP Address198.51.100.42
Server CertificateGP1-server-cert.pem issued by
GoDaddy
2. DefinetheGlobalProtectAgentConfigurations:
Thenumberofclientconfigurationsyoucreatedependson
yourspecificaccessrequirements,includingwhetheryou
requireuser/groupbasedpolicyand/orHIPenabledpolicy
enforcement.

Step8 DeploytheGlobalProtectAgent SelectDevice > GlobalProtect Client.


Software. Inthisexample,usetheproceduretoHostAgentUpdatesonthe
Portal.

Step9 SavetheGlobalProtectconfiguration. ClickCommitonthefirewallhostingtheportalandthegateway(s).

214 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectQuickConfigs GlobalProtectforInternalHIPCheckingandUserBasedAccess

GlobalProtectforInternalHIPCheckingandUserBased
Access

WhenusedinconjunctionwithUserIDand/orHIPchecks,aninternalgatewaycanbeusedtoprovidea
secure,accuratemethodofidentifyingandcontrollingtrafficbyuserand/ordevicestate,replacingother
networkaccesscontrol(NAC)services.Internalgatewaysareusefulinsensitiveenvironmentswhere
authenticatedaccesstocriticalresourcesisrequired.
Inaconfigurationwithonlyinternalgateways,allclientsmustbeconfiguredwithuserlogon;ondemand
modeisnotsupported.Inaddition,itisrecommendedthatyouconfigureallclientconfigurationstouse
singlesignon(SSO).Additionally,becauseinternalhostsdonotneedtoestablishatunnelconnectionwith
thegateway,theIPaddressofthephysicalnetworkadapterontheclientsystemisused.
Inthisquickconfig,internalgatewaysareusedtoenforcegroupbasedpoliciesthatallowusersinthe
EngineeringgroupaccesstotheinternalsourcecontrolandbugdatabasesandusersintheFinancegroup
totheCRMapplications.Allauthenticatedusershaveaccesstointernalwebresources.Inaddition,HIP
profilesconfiguredonthegatewaycheckeachhosttoensurecompliancewithinternalmaintenance
requirements,suchaswhetherthelatestsecuritypatchesandantivirusdefinitionsareinstalled,whether
diskencryptionisenabled,orwhethertherequiredsoftwareisinstalled.

Figure:GlobalProtectInternalGatewayConfiguration

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 215


GlobalProtectforInternalHIPCheckingandUserBasedAccess GlobalProtectQuickConfigs

UsethefollowingproceduretoquicklyconfigureaGlobalProtectinternalgateway.

QuickConfig:GlobalProtectInternalGatewayConfiguration

Step1 CreateInterfacesandZonesfor Oneachfirewallhostingaportal/gateway:


GlobalProtect. 1. SelectanEthernetporttohosttheportal/gatewayandthen
Inthisconfiguration,youmustsetup configureaLayer3interfacewithanIPaddressinthel3trust
interfacesoneachfirewallhostinga securityzone.(Network > Interfaces > Ethernet).
portaland/oragateway.Becausethis
2. Enable User Identificationonthel3trustzone.
configurationusesinternalgateways
only,youmustconfiguretheportaland
gatewaysoninterfacesontheinternal
network.
Usethedefaultvirtualrouterfor
allinterfaceconfigurationsto
avoidhavingtocreateinterzone
routing.

Step2 PurchaseandinstallaGlobalProtect AfteryoupurchasetheGlobalProtectsubscriptionsandreceive


subscriptionforeachfirewallhostingan youractivationcode,installtheGlobalProtectsubscriptionsonthe
internalgatewayifyouhaveuserswho firewallshostingyourgatewaysasfollows:
willbeusingtheGlobalProtectappon 1. SelectDevice > Licenses.
theirmobiledevicesorifyouplantouse
HIPenabledsecuritypolicy. 2. SelectActivate feature using authorization code.
3. Whenprompted,entertheAuthorization Codeandthenclick
OK.
4. Verifythatthelicensewassuccessfullyactivated.
ContactyourPaloAltoNetworksSalesEngineerorResellerifyou
donothavetherequiredlicenses.Formoreinformationon
licensing,seeAboutGlobalProtectLicenses.

Step3 Obtainservercertificatesforthe Therecommendedworkflowisasfollows:


GlobalProtectportalandeach 1. Onthefirewallhostingtheportal:
GlobalProtectgateway.
a. Importaservercertificatefromawellknown,thirdparty
Inordertoconnecttotheportalforthe CA.
firsttime,theendclientsmusttrustthe
b. CreatetherootCAcertificateforissuingselfsigned
rootCAcertificateusedtoissuethe
certificatesfortheGlobalProtectcomponents.
portalservercertificate.Youcaneither
useaselfsignedcertificateontheportal c. UsetherootCAontheportaltogenerateaselfsigned
anddeploytherootCAcertificatetothe servercertificate.Repeatthisstepforeachgateway.
endclientsbeforethefirstportal 2. Oneachfirewallhostinganinternalgateway:
connection,orobtainaservercertificate a. Deploytheselfsignedservercertificates.
fortheportalfromatrustedCA.
Youcanuseselfsignedcertificateson
thegateways.

216 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectQuickConfigs GlobalProtectforInternalHIPCheckingandUserBasedAccess

QuickConfig:GlobalProtectInternalGatewayConfiguration(Continued)

Step4 Definehowyouwillauthenticateusers Youcanuseanycombinationofcertificateprofilesand/or


totheportalandthegateways. authenticationprofilesasnecessarytoensurethesecurityforyour
portalandgateways.Portalsandindividualgatewayscanalsouse
differentauthenticationschemes.Seethefollowingsectionsfor
stepbystepinstructions:
SetUpExternalAuthentication(authenticationprofile)
SetUpClientCertificateAuthentication(certificateprofile)
SetUpTwoFactorAuthentication(tokenorOTPbased)
Youwillthenneedtoreferencethecertificateprofileand/or
authenticationprofilesyoudefinedintheportalandgateway
configurationsyoudefine.

Step5 CreatetheHIPprofilesyouwillneedto 1. CreatetheHIPobjectstofiltertherawhostdatacollectedby


enforcesecuritypolicyongateway theagents.Forexample,ifyouareinterestedinpreventing
access. usersthatarenotuptodatewithrequiredpatches,youmight
SeeHostInformationformore createaHIPobjecttomatchonwhetherthepatch
informationonHIPmatching. managementsoftwareisinstalledandthatallpatcheswitha
givenseverityareuptodate.

2. CreatetheHIPprofilesthatyouplantouseinyourpolicies.
Forexample,ifyouwanttoensurethatonlyWindowsusers
withuptodatepatchescanaccessyourinternalapplications,
youmightattachthefollowingHIPprofilethatwillmatchhosts
thatdoNOThaveamissingpatch:

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 217


GlobalProtectforInternalHIPCheckingandUserBasedAccess GlobalProtectQuickConfigs

QuickConfig:GlobalProtectInternalGatewayConfiguration(Continued)

Step6 Configuretheinternalgateways. SelectNetwork > GlobalProtect > Gatewaysandaddthefollowing


settings:
Interface
IP Address
Server Certificate
Authentication Profileand/orConfiguration Profile
Noticethatitisnotnecessarytoconfiguretheclientconfiguration
settingsinthegatewayconfigurations(unlessyouwanttosetup
HIPnotifications)becausetunnelconnectionsarenotrequired.See
ConfigureaGlobalProtectGatewayforstepbystepinstructions
oncreatingthegatewayconfigurations.

Step7 ConfiguretheGlobalProtectPortals. SelectNetwork > GlobalProtect > Portalsandaddthefollowing


Althoughalloftheprevious configuration:
configurationscouldusea 1. SetUpAccesstotheGlobalProtectPortal:
Connect MethodofUser-logon Interfaceethernet1/2
(Always On)orOn-demand
IP Address10.31.34.13
(Manual user initiated
connection),aninternalgateway Server CertificateGP-server-cert.pem issued by
configurationmustalwaysbeon GoDaddywithCN=gp.acme.com
andthereforerequiresaConnect 2. DefinetheGlobalProtectClientAuthentication
MethodofUser-logon (Always Configurations:
On). Use single sign-onenabled
Connect MethodUser-logon (Always On)
Internal Gateway Addresscalifornia.acme.com,
newyork.acme.com
User/User Groupany
3. Committheportalconfiguration.

Step8 DeploytheGlobalProtectAgent SelectDevice > GlobalProtect Client.


Software. Inthisexample,usetheproceduretoHostAgentUpdatesonthe
Portal.

Step9 CreatetheHIPenabledand/or Addthefollowingsecurityrulesforthisexample:


user/groupbasedsecurityrulesonyour 1. SelectPolicies > SecurityandclickAdd.
gateway(s).
2. OntheSourcetab,settheSource Zonetol3-trust.
3. OntheUsertab,addtheHIPprofileanduser/grouptomatch.
ClickAddintheHIP ProfilessectionandselecttheHIP
profileMissingPatch.
ClickAddintheSource Usersectionandselectthegroup
(FinanceorEngineeringdependingonwhichruleyouare
creating).
4. ClickOKtosavetherule.
5. Committhegatewayconfiguration.

218 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectQuickConfigs MixedInternalandExternalGatewayConfiguration

MixedInternalandExternalGatewayConfiguration

InaGlobalProtectmixedinternalandexternalgatewayconfiguration,youconfigureseparategatewaysfor
VPNaccessandforaccesstoyoursensitiveinternalresources.Withthisconfiguration,agentsperform
internalhostdetectiontodetermineiftheyareontheinternalorexternalnetwork.Iftheagentdetermines
itisontheexternalnetwork,itwillattempttoconnecttotheexternalgatewayslistedinitsclient
configurationanditwillestablishaVPN(tunnel)connectionwiththegatewaywiththehighestpriorityand
theshortestresponsetime.
Becausesecuritypoliciesaredefinedseparatelyoneachgateway,youhavegranularcontroloverwhich
resourcesyourexternalandinternalusershaveaccessto.Inaddition,youalsohavegranularcontrolover
whichgatewaysusershaveaccesstobyconfiguringtheportaltodeploydifferentclientconfigurations
basedonuser/groupmembershiporbasedonHIPprofilematching.
Inthisexample,theportalsandallthreegateways(oneexternalandtwointernal)aredeployedonseparate
firewalls.Theexternalgatewayatgpvpn.acme.comprovidesremoteVPNaccesstothecorporatenetwork
whiletheinternalgatewaysprovidegranularaccesstosensitivedatacenterresourcesbasedongroup
membership.Inaddition,HIPchecksareusedtoensurethathostsaccessingthedatacenterareuptodate
onsecuritypatches.

Figure:GlobalProtectDeploymentwithInternalandExternalGateways

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 219


MixedInternalandExternalGatewayConfiguration GlobalProtectQuickConfigs

UsethefollowingproceduretoquicklyconfigureamixofinternalandexternalGlobalProtectgateways.

QuickConfig:GlobalProtectMixedInternal&ExternalGatewayConfiguration

Step1 CreateInterfacesandZonesfor On the firewall hosting the portal gateway (gp.acme.com):


GlobalProtect. SelectNetwork > Interfaces > Ethernetandconfigure
Inthisconfiguration,youmustsetup ethernet1/2asaLayer3EthernetinterfacewithIPaddress
interfacesonthefirewallhostingaportal 198.51.100.42andassignittothel3untrustsecurityzoneand
andeachfirewallhostingagateway. thedefaultvirtualrouter.
Usethedefaultvirtualrouterfor CreateaDNSArecordthatmapsIPaddress198.51.100.42to
allinterfaceconfigurationsto gp.acme.com.
avoidhavingtocreateinterzone SelectNetwork > Interfaces > Tunnel andaddthetunnel.2
routing. interfaceandaddittoanewzonecalledcorp-vpn.Assignitto
thedefaultvirtualrouter.
EnableUserIdentificationonthecorpvpnzone.
On the firewall hosting the external gateway (gpvpn.acme.com):
SelectNetwork > Interfaces > Ethernetandconfigure
ethernet1/5asaLayer3EthernetinterfacewithIPaddress
192.0.2.4andassignittothel3untrustsecurityzoneandthe
defaultvirtualrouter.
CreateaDNSArecordthatmapsIPaddress192.0.2.4to
gpvpn.acme.com.
SelectNetwork > Interfaces > Tunnel andaddthetunnel.3
interfaceandaddittoanewzonecalledcorp-vpn.Assignitto
thedefaultvirtualrouter.
EnableUserIdentificationonthecorpvpnzone.
On the firewall hosting the internal gateways (california.acme.com
and newyork.acme.com):
SelectNetwork > Interfaces > EthernetandconfigureLayer3
EthernetinterfacewithIPaddressesontheinternalnetworkand
assignthemtothel3trustsecurityzoneandthedefaultvirtual
router.
CreateaDNSArecordthatmapstheinternalIPaddresses
california.acme.comandnewyork.acme.com.
EnableUserIdentificationonthel3trustzone.

Step2 PurchaseandinstallaGlobalProtect AfteryoupurchasetheGlobalProtectsubscriptionsandreceive


subscriptionforeachfirewallhostinga youractivationcode,installtheGlobalProtectsubscriptionsonthe
gateway(internalandexternal)ifyou firewallshostingyourgatewaysasfollows:
haveuserswhowillbeusingthe 1. SelectDevice > Licenses.
GlobalProtectappontheirmobile
devicesorifyouplantouseHIPenabled 2. SelectActivate feature using authorization code.
securitypolicy. 3. Whenprompted,entertheAuthorization Codeandthenclick
OK.
4. Verifythatthelicenseandsubscriptionsweresuccessfully
activated.
ContactyourPaloAltoNetworksSalesEngineerorResellerifyou
donothavetherequiredlicenses.Formoreinformationon
licensing,seeAboutGlobalProtectLicenses.

220 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectQuickConfigs MixedInternalandExternalGatewayConfiguration

QuickConfig:GlobalProtectMixedInternal&ExternalGatewayConfiguration(Continued)

Step3 Obtainservercertificatesforthe Therecommendedworkflowisasfollows:


GlobalProtectportalandeach 1. Onthefirewallhostingtheportal:
GlobalProtectgateway.
a. Importaservercertificatefromawellknown,thirdparty
Inordertoconnecttotheportalforthe CA.
firsttime,theendclientsmusttrustthe
b. CreatetherootCAcertificateforissuingselfsigned
rootCAcertificateusedtoissuethe
certificatesfortheGlobalProtectcomponents.
portalservercertificate.
c. UsetherootCAontheportaltogenerateaselfsigned
Youcanuseselfsignedcertificateson
servercertificate.Repeatthisstepforeachgateway.
thegatewaysanddeploytherootCA
certificatetotheagentsintheclient 2. Oneachfirewallhostinganinternalgateway:
configuration.Thebestpracticeisto Deploytheselfsignedservercertificates.
generateallofthecertificatesonfirewall
hostingtheportalanddeploythemto
thegateways.

Step4 Definehowyouwillauthenticateusers Youcanuseanycombinationofcertificateprofilesand/or


totheportalandthegateways. authenticationprofilesasnecessarytoensurethesecurityforyour
portalandgateways.Portalsandindividualgatewayscanalsouse
differentauthenticationschemes.Seethefollowingsectionsfor
stepbystepinstructions:
SetUpExternalAuthentication(authenticationprofile)
SetUpClientCertificateAuthentication(certificateprofile)
SetUpTwoFactorAuthentication(tokenorOTPbased)
Youwillthenneedtoreferencethecertificateprofileand/or
authenticationprofilesyoudefinedintheportalandgateway
configurationsyoudefine.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 221


MixedInternalandExternalGatewayConfiguration GlobalProtectQuickConfigs

QuickConfig:GlobalProtectMixedInternal&ExternalGatewayConfiguration(Continued)

Step5 CreatetheHIPprofilesyouwillneedto 1. CreatetheHIPobjectstofiltertherawhostdatacollectedby


enforcesecuritypolicyongateway theagents.Forexample,ifyouareinterestedinpreventing
access. usersthatarenotuptodatewithrequiredpatches,youmight
SeeHostInformationformore createaHIPobjecttomatchonwhetherthepatch
informationonHIPmatching. managementsoftwareisinstalledandthatallpatcheswitha
givenseverityareuptodate.

2. CreatetheHIPprofilesthatyouplantouseinyourpolicies.
Forexample,ifyouwanttoensurethatonlyWindowsusers
withuptodatepatchescanaccessyourinternalapplications,
youmightattachthefollowingHIPprofilethatwillmatchhosts
thatdoNOThaveamissingpatch:

Step6 Configuretheinternalgateways. SelectNetwork > GlobalProtect > Gatewaysandaddthefollowing


settings:
Interface
IP Address
Server Certificate
Authentication Profileand/orConfiguration Profile
Noticethatitisnotnecessarytoconfiguretheclientconfiguration
settingsinthegatewayconfigurations(unlessyouwanttosetup
HIPnotifications)becausetunnelconnectionsarenotrequired.See
ConfigureaGlobalProtectGatewayforstepbystepinstructions
oncreatingthegatewayconfigurations.

222 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectQuickConfigs MixedInternalandExternalGatewayConfiguration

QuickConfig:GlobalProtectMixedInternal&ExternalGatewayConfiguration(Continued)

Step7 ConfiguretheGlobalProtectPortals. SelectNetwork > GlobalProtect > Portalsandaddthefollowing


Althoughthisexampleshowshowto configuration:
createasingleclientconfigurationtobe 1. SetUpAccesstotheGlobalProtectPortal:
deployedtoallagents,youcouldchoose Interfaceethernet1/2
tocreateseparateconfigurationsfor
IP Address10.31.34.13
differentusesandthendeploythem
basedonuser/groupnameand/orthe Server CertificateGP-server-cert.pem issued by
operatingsystemtheagent/appis GoDaddywithCN=gp.acme.com
runningon(Android,iOS,Mac,or 2. DefinetheGlobalProtectClientAuthentication
Windows). Configurations:
Internal Host Detectionenabled
Use single sign-onenabled
Connect MethodUser-logon (Always On)
External Gateway Addressgpvpn.acme.com
Internal Gateway Addresscalifornia.acme.com,
newyork.acme.com
User/User Groupany
3. Committheportalconfiguration.

Step8 DeploytheGlobalProtectAgent SelectDevice > GlobalProtect Client.


Software. Inthisexample,usetheproceduretoHostAgentUpdatesonthe
Portal.

Step9 Createsecuritypolicyrulesoneach Createsecuritypolicy(Policies > Security)toenabletrafficflow


gatewaytosafelyenableaccessto betweenthecorpvpnzoneandthel3trustzone.
applicationsforyourVPNusers. CreateHIPenabledanduser/groupbasedpolicyrulestoenable
granularaccesstoyourinternaldatacenterresources.
Forvisibility,createrulesthatallowallofyourusers
webbrowsingaccesstothel3untrustzone,usingthedefault
securityprofilestoprotectyoufromknownthreats.

Step10 SavetheGlobalProtectconfiguration. ClickCommitontheportalandallgateways.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 223


MixedInternalandExternalGatewayConfiguration GlobalProtectQuickConfigs

224 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectReferenceArchitecture
ThissectionoutlinesanexamplereferencearchitecturefordeployingGlobalProtectwhichsecures
internettrafficandprovidessecureaccesstocorporateresources.
Thereferencearchitectureandguidelinesdescribedinthissectionprovideacommondeploymentscenario.
Beforeadoptingthisarchitecture,identifyyourcorporatesecurity,infrastructuremanageability,andend
userexperiencerequirementsanddeployGlobalProtectbasedonthoserequirements.
Althoughtherequirementsmaybedifferentforeachenterprise,youcanleveragethecommonprinciples
anddesignconsiderationsoutlinedinthisdocumentalongwithbestpracticeconfigurationguidelinesto
meetyourenterprisesecurityneeds.
GlobalProtectReferenceArchitectureTopology
GlobalProtectReferenceArchitectureFeatures
GlobalProtectReferenceArchitectureConfigurations

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 225


GlobalProtectReferenceArchitectureTopology GlobalProtectReferenceArchitecture

GlobalProtectReferenceArchitectureTopology

GlobalProtectPortal
GlobalProtectGateways

GlobalProtectPortal

Inthistopology,aPA3020inthecolocationspacefunctionsasaGlobalProtectportal.
Employeesandcontractorscanauthenticatetotheportalusingtwofactorauthentication(2FA)consisting
ofActiveDirectory(AD)credentialsandaonetimepassword(OTP).TheportaldeploysGlobalProtectclient
configurationsbasedonuserandgroupmembershipandoperatingsystem.
Byconfiguringaseparateportalclientconfigurationthatappliestoasmallgrouporsetofpilotusers,you
cantestfeaturesbeforerollingthemouttoawideruserbase.Anyclientconfigurationcontainingnew
featuressuchastheEnforceGlobalProtectorSimpleCertificateEnrollmentProtocol(SCEP)featureswhich
weremadeavailablewithPANOS7.1andcontentupdatesthatfollowedisenabledinthepilot
configurationfirstandvalidatedbythosepilotusers,beforeitismadeavailabletootherusers.
TheGlobalProtectportalalsopushesconfigurationstoGlobalProtectsatellites.Thisconfigurationincludes
theGlobalProtectgatewaystowhichsatellitescanconnectandestablishasitetositetunnel.

226 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectReferenceArchitecture GlobalProtectReferenceArchitectureTopology

GlobalProtectGateways

ThePA3020inthecolocationspace(mentionedpreviously)alsodoublesasaGlobalProtectgateway(the
SantaClaraGateway).10additionalgatewaysaredeployedinAmazonWebServices(AWS)andthe
MicrosoftAzurepubliccloud.TheregionsorPOPlocationswheretheseAWSandAzuregatewaysare
deployedarebasedonthedistributionofemployeesacrosstheglobe.
SantaClaraGatewayEmployeesandcontractorscanauthenticatetotheSantaClaraGateway
(PA3020inthecolocationspace)using2FA.ThisgatewayrequiresuserstoprovidetheirActive
DirectorycredentialsandtheirOTP.Becausethisgatewayprotectssensitiveresources,itisconfigured
asamanualonlygateway.Asaresult,usersdonotconnecttothisgatewayautomaticallyandmust
manuallychoosetoconnecttothisgateway.Forexample,whenusersconnecttoAWSNorcal,whichis
notamanualonlygateway,somesensitiveinternalresourcesarenotaccessible.Theusermustthen
manuallyswitchtoandauthenticatewiththeSantaClaraGatewaytoaccesstheseresources.
Inaddition,theSantaClaraGatewayisconfiguredasaLargeScaleVPN(LSVPN)tunnelterminationpoint
forallsatelliteconnectionsfromgatewaysinAWSandAzure.TheSantaClaraGatewayisalsoconfigured
tosetupanInternetProtocolSecurity(IPSec)tunneltotheITfirewallincorporateheadquarters.Thisis
thetunnelthatprovidesaccesstoresourcesinthecorporateheadquarters.
GatewaysinAmazonWebServicesandMicrosoftAzureThisgatewayrequires2FA:aclientcertificate
andActiveDirectorycredentials.TheGlobalProtectportaldistributestheclientcertificatethatis
requiredtoauthenticatewiththesegatewaysusingtheGlobalProtectSCEPfeature.
ThesegatewaysinthepubliccloudalsoactasGlobalProtectsatellites.Theycommunicatewiththe
GlobalProtectportal,downloadthesatelliteconfiguration,andestablishasitetositetunnelwiththe
SantaClaraGateway.GlobalProtectsatellitesinitiallyauthenticateusingserialnumber,andsubsequently
authenticateusingcertificates.
GatewaysInsideCorporateHeadquartersWithinthecorporateheadquarters,threefirewallsfunction
asGlobalProtectgateways.Theseareinternalgatewaysanddonotrequireendpointstosetupatunnel.
UsersauthenticatetothesegatewaysusingtheirActiveDirectorycredentials.Theseinternalgateways
useGlobalProtecttoidentifytheUserIDandtocollectHostInformationProfile(HIP)fromthe
endpoints.
Tomaketheenduserexperienceasseamlessaspossible,youcanconfiguretheseinternal
gatewaystoauthenticateusersusingcertificatesprovisionedbySCEPorusingKerberosservice
tickets.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 227


GlobalProtectReferenceArchitectureFeatures GlobalProtectReferenceArchitecture

GlobalProtectReferenceArchitectureFeatures

EndUserExperience
ManagementandLogging
MonitoringandHighAvailability

EndUserExperience

Enduserswhoareremote(notinsidethecorporatenetwork)connecttooneofthegatewaysinAWSor
Azure.WhenyouconfiguretheGlobalProtectportalclientconfiguration,assignequalprioritytothe
gateways.Withthisconfiguration,thegatewaytowhichusersconnectdependsontheSSLresponsetime
ofeachgatewaymeasuredontheendpointduringthetunnelsetuptime.
Forexample,auserinAustraliawouldtypicallyconnecttotheAWSSydneyGateway.Oncetheuseris
connectedtoAWSSydney,GlobalProtectclienttunnelsalltrafficfromtheendpointtotheAWSSydney
firewallforinspection.GlobalProtectsendstraffictopublicinternetsitesdirectlyviatheAWSSydney
GatewayandtunnelstraffictocorporateresourcesthroughasitetositetunnelbetweentheAWSSydney
GatewayandtheSantaClaraGateway,andthenthroughanIPSecsitetositetunneltothecorporate
headquarters.Thisarchitectureisdesignedtoreduceanylatencytheusermayexperiencewhenaccessing
theinternet.IftheAWSSydneyGateway(oranygatewayclosertoSydney)wasunreachable,the
GlobalProtectclientwouldbackhaultheinternettraffictothefirewallinthecorporateheadquartersand
causelatencyissues.
Activedirectoryserversresideinsidethecorporatenetwork.Whenremoteendusersauthenticate,the
GlobalProtectclientsendsauthenticationrequeststhroughthesitetositetunnelinAWS/Azuretothe
SantaClaraGateway.ThegatewaythenforwardstherequestthroughanIPSecsitetositetunneltothe
ActiveDirectoryServerincorporateheadquarters.

Toreducethetimeittakesforremoteuserauthenticationandtunnelsetup,considerreplicatingtheActive
DirectoryServerandmakingitavailableinAWS.

Endusersinsidethecorporatenetworkauthenticatetothethreeinternalgatewaysimmediatelyafterthey
login;TheGlobalProtectclientsendstheHIPreporttotheseinternalgateways.Whenusersareinsidethe
officeonthecorporatenetwork,theymustmeettheUserIDandHIPrequirementstoaccessanyresource
atwork.

ManagementandLogging

Inthisdeployment,youcanmanageandconfigureallfirewallsfromPanorama,whichisdeployedinthe
colocationspace.
Toprovideconsistentsecurity,allfirewallsinAWSandAzureusethesamesecuritypoliciesand
configurations.Tosimplifyconfigurationofthegateways,Panoramaalsousesonedevicegroupandone
template.Inthisdeployment,allgatewaysforwardalllogstoPanorama.Thisenablesyoutomonitor
networktrafficortroubleshootissuesfromacentrallocationinsteadofrequiringyoutologintoeach
firewall.

228 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectReferenceArchitecture GlobalProtectReferenceArchitectureFeatures

Whensoftwareupdatesarerequired,youcanusePanoramatodeploythesoftwareupdatestoallfirewalls.
Panoramafirstupgradesoneortwofirewallsandverifieswhethertheupgradewassuccessfulbefore
updatingtheremainingfirewalls.

MonitoringandHighAvailability

Tomonitorthefirewallsinthisdeployment,youcanuseNagios,anopensourceserver,network,andlog
monitoringsoftware.ConfigureNagiostoperiodicallyverifytheresponsefromtheportalandthegateways'
preloginpageandsendanalertiftheresponsedoesnotmatchtheexpectations.Youcanalsoconfigure
GlobalProtectSimpleNetworkManagementProtocol(SNMP)ManagementInformationBase(MIB)objects
tomonitorgatewayusage.
InthisdeploymentthereisonlyoneinstanceoftheGlobalProtectportal.Iftheportalbecomesunavailable,
newusers(whohaveneverconnectedtotheportalbefore)willnotbeabletoconnecttoGlobalProtect.
However,existinguserscanusethecachedportalclientconfigurationtoconnecttooneofthegateways.
Multiplevirtualmachine(VM)firewallsinAWSconfiguredasGlobalProtectgatewaysprovidegateway
redundancy.Therefore,configuringgatewaysasahighavailability(HA)pairisnotrequired.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 229


GlobalProtectReferenceArchitectureConfigurations GlobalProtectReferenceArchitecture

GlobalProtectReferenceArchitectureConfigurations

Toalignyourdeploymentwiththereferencearchitecture,reviewthefollowingconfigurationchecklists.
GatewayConfiguration
PortalConfiguration
PolicyConfigurations

GatewayConfiguration

Disablesplittunneling.Todothis,ensuretherearenoAccessRoutesspecifiedinAgent > Client Settings


> Split Tunnel settings.SeeConfigureaGlobalProtectGateway.
EnableNo direct access to local networkinAgent > Client Settings > Split Tunnel.SeeConfigurea
GlobalProtectGateway.
EnablethegatewaytoAccept cookie for authentication override.SeeConfigureaGlobalProtectGateway.

PortalConfiguration

ConfiguretheConnect MethodasAlways-on (User logon).SeeCustomizetheGlobalProtectAgent.


SetUse Single Sign-On(Windowsonly)toYes.SeeCustomizetheGlobalProtectAgent.
ConfiguretheportaltoSave User Credentials(setthevaluetoYes).SeeDefinetheGlobalProtectAgent
Configurations.
EnabletheportaltoAccept cookie for authentication override.SeeDefinetheGlobalProtectAgent
Configurations.
ConfiguretheCookie Lifetimeas20hours.SeeDefinetheGlobalProtectAgentConfigurations.
Enforce GlobalProtectfornetworkaccess.SeeCustomizetheGlobalProtectAgent.
ConfigureInternal Host Detection.SeeDefinetheGlobalProtectAgentConfigurations.
EnabletheCollect HIP DataoptioninDataCollection.SeeDefinetheGlobalProtectAgent
Configurations.
DistributeandinstalltheSSLForwardProxyCAcertificateusedforSSLDecryption.SeeDefinethe
GlobalProtectAgentConfigurations.

230 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.


GlobalProtectReferenceArchitecture GlobalProtectReferenceArchitectureConfigurations

PolicyConfigurations

ConfigureallfirewallstousesecuritypoliciesandprofilesbasedontheBestPracticeInternetGateway
SecurityPolicy.Inthisreferencedeployment,thisincludestheSantaClaraGatewayinthecolocation
spaceandgatewaysintheAWS/Azurepubliccloud.
EnableSSLDecryptiononallgatewaysinAWSandAzure.
ConfigurePolicyBasedForwardingrulesforallgatewaysinAWStoforwardtraffictocertainwebsites
throughtheSantaClaraGateway.Thisensuresthatsiteslikewww.stubhub.comandwww.lowes.com
thatblocktrafficfromAWSIPaddressrangesarestillaccessiblewhenusersconnecttogatewaysin
AWS.

PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 231


GlobalProtectReferenceArchitectureConfigurations GlobalProtectReferenceArchitecture

232 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.