Globalprotect Admin Guide

GlobalProtect
Administrators
Guide
Version8.0
ContactInformation
Corporate Headquarters:
PaloAltoNetworks
4401GreatAmericaParkway
SantaClara,CA95054
www.paloaltonetworks.com/company/contactsupport
AboutthisGuide
ThisguidedescribeshowtodeployGlobalProtecttoextendthesamenextgenerationfirewallbasedpoliciesthat
areenforcedwithinthephysicalperimetertoyourroamingusers,nomatterwheretheyarelocated:
ForinformationonhowtoconfigureothercomponentsinthePaloAltoNetworksNextGenerationSecurity
Platform,gototheTechnicalDocumentationportal:https://www.paloaltonetworks.com/documentationor
searchthedocumentation.
Foraccesstotheknowledgebase,completedocumentationset,discussionforums,andvideos,referto
https://live.paloaltonetworks.com.
Forcontactingsupport,forinformationonsupportprograms,tomanageyouraccountordevices,ortoopena
supportcase,refertohttps://www.paloaltonetworks.com/support/tabs/overview.html.
ForthemostcurrentPANOSandGlobalProtect8.0releasenotes,goto
https://www.paloaltonetworks.com/documentation/80/panos/panosreleasenotes.html.
Toprovidefeedbackonthedocumentation,pleasewritetousat:documentation@paloaltonetworks.com.
Palo Alto Networks, Inc.

www.paloaltonetworks.com
2014-2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be
found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of
their respective companies.
RevisionDate:February6,2017
2 GlobalProtect8.0AdministratorsGuide PaloAltoNetworks,Inc.
TableofContents
GlobalProtectOverview............................................... 7
AbouttheGlobalProtectComponents ................................................ 8
GlobalProtectPortal ............................................................ 8
GlobalProtectGateways ......................................................... 8
GlobalProtectClient ............................................................ 9
WhatClientOSVersionsareSupportedwithGlobalProtect? ...........................10
WhatFeaturesDoesGlobalProtectSupport? .........................................11
AboutGlobalProtectLicenses .......................................................14
GetStarted.......................................................... 15
CreateInterfacesandZonesforGlobalProtect........................................16
EnableSSLBetweenGlobalProtectComponents......................................18
AboutGlobalProtectCertificateDeployment......................................18
GlobalProtectCertificateBestPractices..........................................18
DeployServerCertificatestotheGlobalProtectComponents .......................21
Authentication....................................................... 25
AboutGlobalProtectUserAuthentication ............................................26
SupportedGlobalProtectAuthenticationMethods .................................26
HowDoestheAgentorAppKnowWhatCredentialstoSupply? ....................28
SetUpExternalAuthentication .....................................................30
SetUpLDAPAuthentication ....................................................31
SetUpSAMLAuthentication ....................................................33
SetUpKerberosAuthentication.................................................35
SetUpRADIUSorTACACS+Authentication ......................................37
SetUpClientCertificateAuthentication..............................................39
DeploySharedClientCertificatesforAuthentication ...............................39
DeployMachineCertificatesforAuthentication...................................40
DeployUserSpecificClientCertificatesforAuthentication.........................43
SetUpTwoFactorAuthentication ..................................................46
EnableTwoFactorAuthenticationUsingCertificateandAuthenticationProfiles ......46
EnableTwoFactorAuthenticationUsingOneTimePasswords(OTPs)...............49
EnableTwoFactorAuthenticationUsingSmartCards ..............................53
SetUpAuthenticationforstrongSwanUbuntuandCentOSClients ......................56
EnableAuthenticationUsingaCertificateProfile ..................................56
EnableAuthenticationUsinganAuthenticationProfile .............................58
EnableAuthenticationUsingTwoFactorAuthentication ...........................60
SetUpMultiFactorAuthentication..................................................63
EnableGroupMapping.............................................................66
PaloAltoNetworks,Inc. GlobalProtect8.0AdministratorsGuide 3
TableofContents
GlobalProtectGateways..............................................69
GlobalProtectGatewayConcepts .................................................... 70
GatewayPriorityinaMultipleGatewayConfiguration .............................. 70
GlobalProtectMIBSupport...................................................... 71
PrerequisiteTasksforConfiguringtheGlobalProtectGateway .......................... 72
ConfigureaGlobalProtectGateway .................................................. 73
GlobalProtectPortals .................................................81
PrerequisiteTasksforConfiguringtheGlobalProtectPortal ............................. 82
SetUpAccesstotheGlobalProtectPortal............................................ 83
DefinetheGlobalProtectClientAuthenticationConfigurations .......................... 84
DefinetheGlobalProtectAgentConfigurations .................................... 86
CustomizetheGlobalProtectAgent .............................................. 93
CustomizetheGlobalProtectPortalLogin,Welcome,andHelpPages................103
GlobalProtectClients .............................................. 105

DeploytheGlobalProtectClientSoftware ...........................................106
DeploytheGlobalProtectAgentSoftware........................................106
DownloadandInstalltheGlobalProtectMobileApp ...............................112
DownloadandInstalltheGlobalProtectAppforChromeOS........................115
DeployAgentSettingsTransparently................................................119
CustomizableAgentSettings ...................................................120
DeployAgentSettingstoWindowsClients .......................................126
DeployAgentSettingstoMacClients ...........................................135
GlobalProtectClientlessVPN ......................................................139
ClientlessVPNOverview ......................................................139
SupportedTechnologies.......................................................140
ConfigureClientlessVPN ......................................................141
TroubleshootClientlessVPN...................................................147
EnableDeliveryofGlobalProtectClientVSAstoaRADIUSServer......................152
Reference:GlobalProtectAgentCryptographicFunctions..............................153
MobileEndpointManagement....................................... 155
MobileEndpointManagementOverview............................................156
SetUpaMobileEndpointManagementSystem ......................................157
ManagetheGlobalProtectAppUsingAirWatch......................................158
DeploytheGlobalProtectMobileAppUsingAirWatch.............................158
ConfiguretheGlobalProtectAppforiOSUsingAirWatch ..........................159
ConfiguretheGlobalProtectAppforAndroidUsingAirWatch......................162
ConfiguretheGlobalProtectAppforWindows10UWPUsingAirWatch ............166
ManagetheGlobalProtectAppUsingaThirdPartyMDM.............................169
ConfiguretheGlobalProtectAppforiOS.........................................169
Example:GlobalProtectiOSAppDeviceLevelVPNConfiguration ..................170
Example:GlobalProtectiOSAppAppLevelVPNConfiguration .....................171
ConfiguretheGlobalProtectAppforAndroid.....................................172
TableofContents
Example:SetVPNConfiguration................................................ 173
Example:RemoveVPNConfiguration........................................... 174
HostInformation ...................................................175
AboutHostInformation ........................................................... 176
WhatDataDoestheGlobalProtectAgentCollect?................................ 176
HowDoestheGatewayUsetheHostInformationtoEnforcePolicy?............... 178
HowDoUsersKnowifTheirSystemsareCompliant? ............................. 179
HowDoIGetVisibilityintotheStateoftheEndClients? .......................... 179
ConfigureHIPBasedPolicyEnforcement ........................................... 180
CollectApplicationandProcessDataFromClients ................................... 187
BlockDeviceAccess .............................................................. 192
GlobalProtectQuickConfigs .........................................193
RemoteAccessVPN(AuthenticationProfile)......................................... 194
RemoteAccessVPN(CertificateProfile)............................................. 197
RemoteAccessVPNwithTwoFactorAuthentication................................. 200
AlwaysOnVPNConfiguration..................................................... 204
RemoteAccessVPNwithPreLogon................................................ 205
GlobalProtectMultipleGatewayConfiguration....................................... 211
GlobalProtectforInternalHIPCheckingandUserBasedAccess ....................... 215
MixedInternalandExternalGatewayConfiguration .................................. 219
GlobalProtectReferenceArchitecture .................................225
GlobalProtectReferenceArchitectureTopology...................................... 226
GlobalProtectPortal .......................................................... 226
GlobalProtectGateways ....................................................... 227
GlobalProtectReferenceArchitectureFeatures...................................... 228
EndUserExperience .......................................................... 228
ManagementandLogging ..................................................... 228
MonitoringandHighAvailability ................................................ 229
GlobalProtectReferenceArchitectureConfigurations ................................. 230
GatewayConfiguration ........................................................ 230
PortalConfiguration .......................................................... 230
PolicyConfigurations.......................................................... 231
TableofContents
GlobalProtectOverview
Whethercheckingemailfromhomeorupdatingcorporatedocumentsfromtheairport,themajorityof
today'semployeesworkoutsidethephysicalcorporateboundaries.Thisincreasedworkforcemobilitybrings
increasedproductivityandflexibilitywhilesimultaneouslyintroducingsignificantsecurityrisks.Everytime
usersleavethebuildingwiththeirlaptopsormobiledevicestheyarebypassingthecorporatefirewalland
associatedpoliciesthataredesignedtoprotectboththeuserandthenetwork.GlobalProtectsolvesthe
securitychallengesintroducedbyroamingusersbyextendingthesamenextgenerationfirewallbased
policiesthatareenforcedwithinthephysicalperimetertoallusers,nomatterwheretheyarelocated.
ThefollowingsectionsprovideconceptualinformationaboutthePaloAltoNetworksGlobalProtectoffering
anddescribethecomponentsofGlobalProtectandthevariousdeploymentscenarios:
AbouttheGlobalProtectComponents
WhatClientOSVersionsareSupportedwithGlobalProtect?
WhatFeaturesDoesGlobalProtectSupport?
AboutGlobalProtectLicenses
AbouttheGlobalProtectComponents GlobalProtectOverview
AbouttheGlobalProtectComponents
GlobalProtectprovidesacompleteinfrastructureformanagingyourmobileworkforcetoenablesecure
accessforallyourusers,regardlessofwhatdevicestheyareusingorwheretheyarelocated.This
infrastructureincludesthefollowingcomponents:
GlobalProtectPortal
GlobalProtectGateways
GlobalProtectClient
GlobalProtectPortal
TheGlobalProtectportalprovidesthemanagementfunctionsforyourGlobalProtectinfrastructure.Every
clientsystemthatparticipatesintheGlobalProtectnetworkreceivesconfigurationinformationfromthe
portal,includinginformationaboutavailablegatewaysaswellasanyclientcertificatesthatmayberequired
toconnecttotheGlobalProtectgateway(s).Inaddition,theportalcontrolsthebehavioranddistributionof
theGlobalProtectagentsoftwaretobothMacandWindowslaptops.(Onmobiledevices,theGlobalProtect
appisdistributedthroughtheAppleAppStoreforiOSdevicesorthroughGooglePlayforAndroiddevices.)
IfyouareusingtheHostInformationProfile(HIP)feature,theportalalsodefineswhatinformationtocollect
fromthehost,includinganycustominformationyourequire.YouSetUpAccesstotheGlobalProtectPortal
onaninterfaceonanyPaloAltoNetworksnextgenerationfirewall.
GlobalProtectgatewaysprovidesecurityenforcementfortrafficfromGlobalProtectagents/apps.
Additionally,iftheHIPfeatureisenabled,thegatewaygeneratesaHIPreportfromtherawhostdatathe
clientssubmitandcanusethisinformationinpolicyenforcement.
ExternalgatewaysProvidesecurityenforcementand/orvirtualprivatenetwork(VPN)accessforyour
remoteusers.
InternalgatewaysAninterfaceontheinternalnetworkconfiguredasaGlobalProtectgatewayfor
applyingsecuritypolicyforaccesstointernalresources.WhenusedinconjunctionwithUserIDand/or
HIPchecks,aninternalgatewaycanbeusedtoprovideasecure,accuratemethodofidentifyingand
controllingtrafficbyuserand/ordevicestate.Internalgatewaysareusefulinsensitiveenvironments
whereauthenticatedaccesstocriticalresourcesisrequired.Youcanconfigureaninternalgatewayin
eithertunnelmodeornontunnelmode.
YouConfigureaGlobalProtectGatewayonaninterfaceonanyPaloAltoNetworksnextgeneration
firewall.Youcanrunbothagatewayandaportalonthesamefirewall,oryoucanhavemultiple,
distributedgatewaysthroughoutyourenterprise.
GlobalProtectOverview AbouttheGlobalProtectComponents
GlobalProtectClient
TheGlobalProtectclientsoftwarerunsonendusersystemsandenablesaccesstoyournetworkresources
viatheGlobalProtectportalsandgatewaysyouhavedeployed.TherearetwotypesofGlobalProtectclients:
TheGlobalProtectAgentRunsonWindowsandMacOSsystemsandisdeployedfromthe
GlobalProtectportal.Youconfigurethebehavioroftheagentforexample,whichtabstheuserscansee,
whetherornotuserscanuninstalltheagentintheclientconfiguration(s)youdefineontheportal.See
DefinetheGlobalProtectAgentConfigurations,CustomizetheGlobalProtectAgent,andDeploythe
GlobalProtectAgentSoftwarefordetails.
TheGlobalProtectAppRunsoniOS,Android,WindowsUWP,andChromebookdevices.Usersmust
obtaintheGlobalProtectappfromtheAppleAppStore(foriOS),GooglePlay(forAndroid),Microsoft
Store(forWindowsUWP),orChromeWebStore(forChromebook).
SeeWhatClientOSVersionsareSupportedwithGlobalProtect?formoredetails.
ThefollowingdiagramillustrateshowtheGlobalProtectportals,gateways,andagents/appsworktogether
toenablesecureaccessforallyourusers,regardlessofwhatdevicestheyareusingorwheretheyare
located.
WhatClientOSVersionsareSupportedwithGlobalProtect? GlobalProtectOverview
WhatClientOSVersionsareSupportedwithGlobalProtect?
PaloAltoNetworkssupportstheGlobalProtectapp(alsoreferredtoastheGlobalProtectagent)oncommon
desktop,laptop,andmobiledevices.WerecommendthatyouconfigureGlobalProtectonfirewallsrunning
PANOS6.1oralaterreleaseandthatyouinstallonlysupportedreleasesoftheGlobalProtectappon
endpoints.TheminimumGlobalProtectappreleasevariesbyoperatingsystem;todeterminetheminimum
GlobalProtectappreleaseforaspecificoperatingsystem,refertothefollowingtopicsinthePaloAlto
NetworksCompatibilityMatrix:
WhereCanIInstalltheGlobalProtectApp?
WhatXAuthIPSecClientsareSupported?
OlderversionsoftheGlobalProtectapp(releases1.0through2.1)arestillsupportedontheoperating
systemsandPANOSreleaseswithwhichtheywerereleased.ForminimumPANOSreleasesupportfor
GlobalProtectapp2.1andolderreleases,refertotheGlobalProtectagent(app)releasenotesforyour
specificreleaseontheSoftwareUpdatessite.
GlobalProtectOverview WhatFeaturesDoesGlobalProtectSupport?
WhatFeaturesDoesGlobalProtectSupport?
ThefollowingtableliststhesupportedfeaturesonGlobalProtectbyOS.Anentryinthetableindicatesthe
firstsupportedreleaseofthefeatureontheOS.Aindicatesthefeatureisnotsupported.For
recommendedminimumGlobalProtectagentandappversions,seeWhatClientOSVersionsareSupported
withGlobalProtect?
Feature Android iOS Chrome Windows Windows10 Mac

UWP
Authentication
Agent Login 4.0 4.0 4.0 4.0

Enhancements
Multi-Factor 4.0 4.0 4.0 4.0 4.0 4.0

Authentication
SAML Authentication 4.0 4.0 4.0 4.0 4.0 4.0

(On-Demand
connect
methodonly)
Single Sign-On (SSO)
SSO (Credential 1.2.0

Provider)
Kerberos SSO 3.0.0
Clientless VPN
Clientless VPN
Connect Methods
User-logon (always 1.0.0 3.1.3 1.0.0

on) (AlwaysOn
configured
from
thirdparty
MDM)
Pre-logon (always-on) 1.1.0 1.1.0
Pre-logon (then 3.1.0 3.1.0

on-demand)
On-demand 1.0.0 1.0.0 3.1.1 1.0.0 3.1.3 1.0.0
Connection Priority
External Gateway 4.0 4.0 4.0 4.0 4.0 4.0

Priority by Source
Region
WhatFeaturesDoesGlobalProtectSupport? GlobalProtectOverview

UWP
Internal Gateway 4.0 4.0 4.0 4.0 4.0 4.0

Selection by Source IP (ExceptDHCP (ExceptDHCP (ExceptDHCP
Address Options) Options) Options)
Modes
Internal mode 1.0.0 1.0.0 3.1.1 1.0 1.0.0
External mode 1.0.0 1.0.0 3.1.1 1.0.0 3.1.3 1.0.0
Networking
IPv6 Support 4.0 4.0 4.0 4.0 4.0 4.0
Split Tunnel to 4.0 4.0 4.0 4.0 4.0 4.0

Exclude by Access
Route
Customization
Restrict Transparent 4.0 4.0 4.0 4.0 4.0 4.0

Agent Upgrades to
Internal Network
Connections
Enforce 3.1.0 3.1.3 3.1.0

GlobalProtect for (VPN
network access Lockdown
configured
from
thirdparty
MDM)
Deployment of SSL 3.0.0 3.0.0

Forward Proxy CA
certificates in the
trust store
HIP reports 1.0.0 1.0.0 3.0.0 1.0.0 3.1.3 1.0.0

(Host
information
only;
Notifications
not
supported)
Script actions that run 2.3.0 2.3.0

before and after
sessions
Certificate selection 3.0.0 3.0.0

by OID
Allow users to disable 2.2.0 2.2.0

GlobalProtect
GlobalProtectOverview WhatFeaturesDoesGlobalProtectSupport?

UWP
Welcome and help 1.0.0 1.0.0 3.0.0 1.0.0 1.0.0

pages
Endpoint mobility 1.0.0 1.0.0 3.0.0 3.1.3

management system (Chromebook
(EMM/MDM) Management
Console)
AboutGlobalProtectLicenses GlobalProtectOverview
AboutGlobalProtectLicenses
IfyousimplywanttouseGlobalProtecttoprovideasecure,remoteaccessorvirtualprivatenetwork(VPN)
solutionviasingleormultipleinternal/externalgateways,youdonotneedanyGlobalProtectlicenses.
However,tousesomeofthemoreadvancedfeatures(suchasHIPchecksandassociatedcontentupdates,
supportfortheGlobalProtectmobileapp,orIPv6support)youneedtopurchaseanannualGlobalProtect
subscription.Thislicensemustbeinstalledoneachfirewallrunningagateway(s)that:
PerformsHIPchecks
SupportstheGlobalProtectapponmobiledevices
ProvidesIPv6connections
ForGlobalProtectClientlessVPN,thisfeaturealsorequiresyoutoinstallaGlobalProtectsubscriptiononthe
firewallthathoststheClientlessVPNfromtheGlobalProtectportal.YoualsoneedtheGlobalProtect
Clientless VPNdynamicupdatestousethisfeature.
Feature SubscriptionRequired?
Single, external gateway (Windows and Mac)
Single or multiple internal gateways
Multiple external gateways
HIP Checks
Mobile app for iOS endpoints, Android endpoints,

Chromebooks, and Windows 10 UWP endpoints
IPv6 support
Clientless VPN
SeeActivateLicensesforinformationoninstallinglicensesonthefirewall.
GetStarted
ForGlobalProtecttowork,youmustsetuptheinfrastructurethatallowsallofthecomponentsto
communicate.Atabasiclevel,thismeanssettinguptheinterfacesandzonestowhichtheGlobalProtectend
usersconnecttoaccesstheportalandthegatewaystothenetwork.BecausetheGlobalProtectcomponents
communicateoversecurechannels,youmustacquireanddeploytherequiredSSLcertificatestothevarious
components.ThefollowingsectionsguideyouthroughthestepstosetuptheGlobalProtectinfrastructure:
CreateInterfacesandZonesforGlobalProtect
EnableSSLBetweenGlobalProtectComponents
CreateInterfacesandZonesforGlobalProtect GetStarted
CreateInterfacesandZonesforGlobalProtect
YoumustconfigurethefollowinginterfacesandzonesforyourGlobalProtectinfrastructure:
GlobalProtectportalRequiresaLayer3orloopbackinterfacefortheGlobalProtectclientsconnection.
Iftheportalandgatewayareonthesamefirewall,theycanusethesameinterface.Theportalmustbe
inazonethatisaccessiblefromoutsideyournetwork,forexample:DMZ.
GlobalProtectgatewaysTheinterfaceandzonerequirementsforthegatewaydependonwhetherthe
gatewayyouareconfiguringisexternalorinternal,asfollows:
ExternalgatewaysRequiresaLayer3orloopbackinterfaceandalogicaltunnelinterfaceforthe
clienttoestablishaVPNtunnel.TheLayer3/loopbackinterfacemustbeinanexternalzone,such
asDMZ.Atunnelinterfacecanbeinthesamezoneastheinterfaceconnectingtoyourinternal
resources(forexampletrust).Foraddedsecurityandbettervisibility,youcancreateaseparate
zone,suchascorpvpn.Ifyoucreateaseparatezoneforyourtunnelinterface,youmustcreate
securitypoliciesthatenabletraffictoflowbetweentheVPNzoneandthetrustzone.
InternalgatewaysRequiresaLayer3orloopbackinterfaceinyourtrustzone.Youcanalsocreate
atunnelinterfaceforaccesstoyourinternalgateways,butthisisnotrequired.
FortipsonhowtousealoopbackinterfacetoprovideaccesstoGlobalProtectondifferentportsandaddresses,
refertoCanGlobalProtectPortalPagebeConfiguredtobeAccessedonanyPort?
Formoreinformationaboutportalsandgateways,seeAbouttheGlobalProtectComponents.
SetUpInterfacesandZonesforGlobalProtect
Step1 ConfigureaLayer3interfaceforeach 1. SelectNetwork > Interfaces > EthernetorNetwork >

portaland/orgatewayyouplanto Interfaces > Loopbackandthenselecttheinterfaceyouwant
deploy. toconfigureforGlobalProtect.Inthisexample,weare
Ifthegatewayandportalareon configuringethernet1/1astheportalinterface.
thesamefirewall,youcanusea 2. (Ethernetonly)SelectLayer3 fromtheInterface Type
singleinterfaceforboth. dropdown.
AsabestpracticeusestaticIP 3. OntheConfigtab,selectthezonetowhichtheportalor
addressesfortheportaland gatewayinterfacebelongsasfollows:
gateway.
Placeportalsandexternalgatewaysinanuntrustzonefor
accessbyhostsoutsideyournetwork,suchasl3untrust.
Placeinternalgatewaysinaninternalzone,suchasl3trust.
Ifyouhavenotyetcreatedthezone,selectNew Zonefrom
theSecurity Zonedropdown.IntheZonedialog,definea
NameforthenewzoneandthenclickOK.
4. IntheVirtual Routerdropdown,selectdefault.
5. AssignanIPaddresstotheinterface:
ForanIPv4address,selectIPv4andAddtheIPaddressand
networkmasktoassigntotheinterface,forexample
203.0.11.100/24.
ForanIPv6address,selectIPv6,Enable IPv6 on the
interface,andAddtheIPaddressandnetworkmaskto
assigntotheinterface,forexample
2001:1890:12f2:11::10.1.8.160/80.
6. Tosavetheinterfaceconfiguration,clickOK.
GetStarted CreateInterfacesandZonesforGlobalProtect
SetUpInterfacesandZonesforGlobalProtect(Continued)
Step2 Onthefirewall(s)hostingGlobalProtect 1. SelectNetwork > Interfaces > Tunnel andclickAdd.

gateway(s),configurethelogicaltunnel 2. IntheInterface Namefield,specifyanumericsuffix,suchas.2.
interfacethatwillterminateVPNtunnels
establishedbytheGlobalProtectagents. 3. OntheConfigtab,expandtheSecurity Zonedropdownto
definethezoneasfollows:
IPaddressesarenotrequiredon
thetunnelinterfaceunlessyou Touseyourtrustzoneastheterminationpointforthe
requiredynamicrouting.In tunnel,selectthezonefromthedropdown.
addition,assigninganIPaddress (Recommended)TocreateaseparatezoneforVPNtunnel
tothetunnelinterfacecanbe termination,clickNew Zone.IntheZonedialog,definea
usefulfortroubleshooting Namefornewzone(forexample,corpvpn),selectthe
connectivityissues. Enable User Identificationcheckbox,andthenclickOK.
BesuretoenableUserIDinthe 4. IntheVirtual Routerdropdown,selectNone.
zonewheretheVPNtunnels
5. AssignanIPaddresstotheinterface:
terminate.
ForanIPv4address,selectIPv4andAddtheIPaddressand
networkmasktoassigntotheinterface,forexample
203.0.11.100/24.
ForanIPv6address,selectIPv6,Enable IPv6 on the
interface,andAddtheIPaddressandnetworkmaskto
assigntotheinterface,forexample
2001:1890:12f2:11::10.1.8.160/80.
6. Tosavetheinterfaceconfiguration,clickOK.
Step3 Ifyoucreatedaseparatezonefortunnel Forexample,thefollowingpolicyruleenablestrafficbetweenthe

terminationofVPNconnections,create corpvpnzoneandthel3trustzone.
asecuritypolicytoenabletrafficflow
betweentheVPNzoneandyourtrust
zone.
Step4 Savetheconfiguration. ClickCommit.

Ifyouenabledmanagement
accesstotheinterfacehosting
theportal,youmustadda:4443
totheURL.Forexample,to
accessthewebinterfaceforthe
portalconfiguredinthisexample,
youwouldenterthefollowing:
https://208.80.56.100:4443
Or,ifyouconfiguredaDNS
recordfortheFQDN,suchas
gp.acme.com,youwouldenter:
https://gp.acme.com:4443
Toaccesstheportalloginpage,
youwouldentertheURLwithout
theportnumber:
https://208.80.56.100
or
https://gp.acme.com
EnableSSLBetweenGlobalProtectComponents GetStarted
EnableSSLBetweenGlobalProtectComponents
AllinteractionbetweentheGlobalProtectcomponentsoccursoveranSSL/TLSconnection.Therefore,you
mustgenerateand/orinstalltherequiredcertificatesbeforeconfiguringeachcomponentsothatyoucan
referencetheappropriatecertificate(s)intheconfigurations.Thefollowingsectionsdescribethesupported
methodsofcertificatedeployment,descriptionsandbestpracticeguidelinesforthevariousGlobalProtect
certificates,andprovideinstructionsforgeneratinganddeployingtherequiredcertificates:
AboutGlobalProtectCertificateDeployment
GlobalProtectCertificateBestPractices
DeployServerCertificatestotheGlobalProtectComponents
About GlobalProtect Certificate Deployment
TherearethreebasicapproachestoDeployServerCertificatestotheGlobalProtectComponents:
(Recommended)CombinationofthirdpartycertificatesandselfsignedcertificatesBecausetheend
clientswillbeaccessingtheportalpriortoGlobalProtectconfiguration,theclientmusttrustthe
certificatetoestablishanHTTPSconnection.
EnterpriseCertificateAuthorityIfyoualreadyhaveyourownenterpriseCA,youcanusethisinternal
CAtoissuecertificatesforeachoftheGlobalProtectcomponentsandthenimportthemontothe
firewallshostingyourportalandgateway(s).Inthiscase,youmustalsoensurethattheenduser
systems/mobiledevicestrusttherootCAcertificateusedtoissuethecertificatesfortheGlobalProtect
servicestowhichtheymustconnect.
SelfSignedCertificatesYoucangenerateaselfsignedCAcertificateontheportalanduseittoissue
certificatesforalloftheGlobalProtectcomponents.However,thissolutionislesssecurethantheother
optionsandisthereforenotrecommended.Ifyoudochoosethisoption,enduserswillseeacertificate
errorthefirsttimetheyconnecttotheportal.Topreventthis,youcandeploytheselfsignedrootCA
certificatetoallendusersystemsmanuallyorusingsomesortofcentralizeddeployment,suchasan
ActiveDirectoryGroupPolicyObject(GPO).
GlobalProtect Certificate Best Practices
ThefollowingtablesummarizestheSSL/TLScertificatesyouwillneed,dependingonwhichfeaturesyou
plantouse:
Table:GlobalProtectCertificateRequirements
Certificate Usage IssuingProcess/BestPractices
CA certificate Usedtosigncertificatesissued Ifyouplantouseselfsignedcertificates,abestpracticeisto

totheGlobalProtect generateaCAcertificateontheportalandthenusethat
components. certificatetoissuetherequiredGlobalProtectcertificates.
GetStarted EnableSSLBetweenGlobalProtectComponents
Portal server EnablesGlobalProtectagents ThiscertificateisidentifiedinanSSL/TLSserviceprofile.

certificate andappstoestablishanHTTPS Youassigntheportalservercertificatebyselectingits
connectionwiththeportal. associatedserviceprofileinaportalconfiguration.
Useacertificatefromawellknown,thirdpartyCA.Thisis
themostsecureoptionandensuresthattheuserendpoints
canestablishatrustrelationshipwiththeportalandwithout
requiringyoutodeploytherootCAcertificate.
Ifyoudonotuseawellknown,publicCA,youshouldexport
therootCAcertificatethatwasusedtogeneratetheportal
servercertificatetoallendpointsthatruntheGlobalProtect
agentorapplication.Exportingthiscertificatepreventsthe
endusersfromseeingcertificatewarningsduringtheinitial
portallogin.
TheCommonName(CN)and,ifapplicable,theSubject
AlternativeName(SAN)fieldsofthecertificatemustmatch
theIPaddressorFQDNoftheinterfacethathoststhe
portal.
Ingeneral,aportalmusthaveitsownservercertificate.
However,ifyouaredeployingasinglegatewayandportal
onthesameinterfaceforbasicVPNaccess,youmustuse
thesamecertificateforboththegatewayandtheportal.
Gateway server EnablesGlobalProtectagents ThiscertificateisidentifiedinanSSL/TLSserviceprofile.

certificate andappstoestablishanHTTPS Youassigntheportalservercertificatebyselectingits
connectionwiththegateway. associatedserviceprofileinagatewayconfiguration.
GenerateaCAcertificateontheportalandusethatCA
certificatetogenerateallgatewaycertificates.
TheCNand,ifapplicable,theSANfieldsofthecertificate
mustmatchtheFQDNorIPaddressoftheinterfacewhere
youplantoconfigurethegateway.
TheportaldistributesthegatewayrootCAcertificatesto
agentsintheclientconfiguration,sothegateway
certificatesdonotneedtobeissuedbyapublicCA.
IfyoudonotdeploytherootCAcertificatesforthe
GlobalProtectgatewaysintheclientconfiguration,the
agent/appwillnotperformcertificatecheckswhen
connecting,therebymakingtheconnectionvulnerableto
maninthemiddleattacks.
Ingeneral,eachgatewaymusthaveitsownserver
certificate.However,ifyouaredeployingasinglegateway
andportalonthesameinterfaceforbasicVPNaccess,you
mustuseasingleservercertificateforbothcomponents.As
abestpractice,useacertificatethatapublicCAsigned.
(Optional) Client Usedtoenablemutual Forsimplifieddeploymentofclientcertificates,configure

certificate authenticationinestablishing theportaltodeploytheclientcertificatetotheagentsupon
anHTTPSsessionbetweenthe successfulloginusingeitherofthefollowingmethods:
GlobalProtectagentsandthe UseasingleclientcertificateacrossallGlobalProtect
gateways/portal.Thisensures agentsthatreceivethesameconfiguration.Youassign
thatonlydeviceswithvalid theLocalclientcertificatebyuploadingthecertificate
clientcertificatesareableto totheportalandselectingitinaportalagent
authenticateandconnectto configuration.
thenetwork. Usesimplecertificateenrollmentprotocol(SCEP)to
enabletheGlobalProtectportaltodeployuniqueclient
certificatestoyourGlobalProtectagents.Youenable
thisbyconfiguringaSCEPprofileandthenselecting
thatprofileinaportalagentconfiguration.
Useoneofthefollowingsupporteddigestalgorithmswhen
yougenerateclientcertificatesforGlobalProtectendpoints:
sha1,sha256,orsha384.Sha512isnotsupportedwith
clientcertificates.
Youcanuseothermechanismstodeployuniqueclient
certificatestoeachclientsystemforuseinauthenticating
theenduser.
Considertestingyourconfigurationwithouttheclient
certificatefirst,andthenaddtheclientcertificateafteryou
aresurethatallotherconfigurationsettingsarecorrect.
(Optional) Machine Amachinecertificateisaclient Useoneofthefollowingsupporteddigestalgorithmswhen

certificates certificatethatisissuedtoa yougenerateclientcertificatesforGlobalProtectendpoints:
device.Eachmachine sha1,sha256,orsha384.Sha512isnotsupportedwith
certificateidentifiesthedevice clientcertificates.
inthesubjectfield(forexample, Ifyouplantousetheprelogonfeature,useyourownPKI
CN=laptop1.example.com) infrastructuretodeploymachinecertificatestoeachclient
insteadofauser.The systempriortoenablingGlobalProtectaccess.This
certificateensuresthatonly approachisimportantforensuringsecurity.
trustedendpointscanconnect Formoreinformation,seeRemoteAccessVPNwith
togatewaysortheportal. PreLogon.
Machinecertificatesare
requiredforuserswhose
connectmethodisprelogon,
whichenablesGlobalProtectto
establishaVPNtunnelbefore
theuserlogsin.
FordetailsaboutthetypesofkeysforsecurecommunicationbetweentheGlobalProtectendpointandthe
portalsandgateways,seeReference:GlobalProtectAgentCryptographicFunctions.
Deploy Server Certificates to the GlobalProtect Components
ThefollowingtableshowsthebestpracticestepsfordeployingSSL/TLScertificatestotheGlobalProtect
components:
DeploySSLServerCertificatestotheGlobalProtectComponents
Importaservercertificatefromawellknown, Beforeyouimportacertificate,makesurethecertificateandkey
thirdpartyCA. filesareaccessiblefromyourmanagementsystemandthatyou
Useaservercertificatefroma havethepassphrasetodecrypttheprivatekey.
wellknown,thirdpartyCAforthe 1. SelectDevice > Certificate Management > Certificates >
GlobalProtectportal.Thispractice Device Certificates.
ensuresthattheendusersareableto
2. ClickImport.
establishanHTTPSconnectionwithout
seeingwarningsaboutuntrusted 3. UsetheLocalcertificatetype(thedefault).
certificates. 4. EnteraCertificate Name.
TheCNand,ifapplicable,theSANfields
5. EnterthepathandnametotheCertificate Filereceivedfrom
ofthecertificatemustmatchtheFQDN
theCA,orBrowsetofindthefile.
orIPaddressoftheinterfacewhereyou
plantoconfiguretheportalorthedevice 6. SelectEncrypted Private Key and Certificate (PKCS12)asthe
checkininterfaceonathirdparty File Format.
mobileendpointmanagementsystem. 7. EnterthepathandnametothePKCS#12fileintheKey File
Wildcardmatchesaresupported. fieldorBrowsetofindit.
8. EnterandreenterthePassphrasethatwasusedtoencrypt
theprivatekeyandthenclickOKtoimportthecertificateand
key.
CreatetherootCAcertificateforissuing Beforedeployingselfsignedcertificates,youmustcreatetheroot
selfsignedcertificatesfortheGlobalProtect CAcertificatethatsignsthecertificatesfortheGlobalProtect
components. components:
CreatetheRootCAcertificateonthe 1. SelectDevice > Certificate Management > Certificates >
portalanduseittoissueserver Device Certificates andthenclickGenerate.
certificatesforthegatewaysand,
2. UsetheLocalcertificatetype(thedefault).
optionally,forclients.
3. EnteraCertificate Name,suchasGlobalProtect_CA.The
certificatenamecannotcontainspaces.
4. DonotselectavalueintheSigned Byfield.(Withouta
selectionforSigned By,thecertificateisselfsigned.)
5. SelecttheCertificate Authoritycheckbox.
6. ClickOKtogeneratethecertificate.
DeploySSLServerCertificatestotheGlobalProtectComponents(Continued)
UsetherootCAontheportaltogeneratea 1. SelectDevice > Certificate Management > Certificates >

selfsignedservercertificate. Device Certificates andthenclickGenerate.
Generateservercertificatesforeach 2. UsetheLocalcertificatetype(thedefault).
gatewayyouplantodeployand
3. EnteraCertificate Name.Thisnamecannotcontainspaces.
optionallyforthemanagementinterface
ofthethirdpartymobileendpoint 4. IntheCommon Namefield,entertheFQDN(recommended)
managementsystem(ifthisinterfaceis orIPaddressoftheinterfacewhereyouplantoconfigurethe
wherethegatewaysretrieveHIP gateway.
reports). 5. IntheSigned Byfield,selecttheGlobalProtect_CAyou
Inthegatewayservercertificates,the created.
valuesintheCNandSANfieldsmustbe
6. IntheCertificateAttributessection,Addanddefinethe
identical.Ifthevaluesdiffer,the
attributesthatuniquelyidentifythegateway.Keepinmind
GlobalProtectagentdetectsthe
thatifyouaddaHost Nameattribute(whichpopulatesthe
mismatchanddoesnottrustthe
SANfieldofthecertificate),itmustbethesameasthevalue
certificate.Selfsignedcertificates
youdefinedfortheCommon Name.
containaSANfieldonlyifyouaddaHost
Nameattribute. 7. Configurecryptographicsettingsfortheservercertificate
Asanalternativemethod,youcanUseSimple includingencryptionAlgorithm,keylength(Number of Bits),
CertificateEnrollmentProtocol(SCEP)to DigestalgorithmandExpiration(days).
requestaservercertificatefromyourenterprise 8. ClickOKtogeneratethecertificate.
CA.
UseSimpleCertificateEnrollmentProtocol 1. ConfigureaSCEPProfileforeachGlobalProtectportalor
(SCEP)torequestaservercertificatefromyour gateway:
enterpriseCA. a. EnteraNamethatidentifiestheSCEPprofileandthe
ConfigureseparateSCEPprofilesfor componenttowhichyoudeploytheservercertificate.If
eachportalandgatewayyouplanto thisprofileisforafirewallwithmultiplevirtualsystems
deploy.ThenusethespecificSCEP capability,selectavirtualsystemorSharedastheLocation
profiletogeneratetheservercertificate wheretheprofileisavailable.
foreachGlobalProtectcomponent. b. (Optional)ConfigureaSCEP Challengeresponse
Inportalandgatewayservercertificates, mechanismbetweenthePKIandportalforeachcertificate
thevalueoftheCNfieldmustincludethe request.UseeitheraFixedchallengepasswordwhichyou
FQDN(recommended)orIPaddressof obtainfromtheSCEPserveroraDynamicpasswordwhere
theinterfacewhereyouplanto theportalclientsubmitsausernameandOTPofyour
configuretheportalorgatewayandmust choicetotheSCEPServer.ForaDynamicSCEPchallenge,
beidenticaltotheSANfield. thiscanbethecredentialsofthePKIadministrator.
TocomplywiththeU.S.Federal c. ConfiguretheServer URLthattheportalusestoreachthe
InformationProcessingStandard(FIPS), SCEPserverinthePKI(forexample,
youmustalsoenablemutualSSL http://10.200.101.1/certsrv/mscep/).
authenticationbetweentheSCEPserver d. Enterastring(upto255charactersinlength)inthe
andtheGlobalProtectportal.(FIPSCC CA-IDENT NamefieldtoidentifytheSCEPserver.
operationisindicatedonthefirewall e. EntertheSubjectnametouseinthecertificatesgenerated
loginpageandinitsstatusbar.) bytheSCEPserver.Thesubjectmustincludeacommon
Afteryoucommittheconfiguration,theportal name(CN)keyintheformatCN=<value>where<value> is
attemptstorequestaCAcertificateusingthe theFQDNorIPaddressoftheportalorgateway.
settingsintheSCEPprofile.Ifsuccessful,the f. SelecttheSubject Alternative Name Type.Toenterthe
firewallhostingtheportalsavestheCA emailnameinacertificatessubjectorSubjectAlternative
certificateanddisplaysitinthelistofDevice Nameextension,selectRFC 822 Name.Youcanalsoenter
Certificates. theDNS Name tousetoevaluatecertificates,orthe
Uniform Resource Identifier toidentifytheresourcefrom
whichtheclientwillobtainthecertificate.
g. Configureadditionalcryptographicsettingsincludingthe
keylength(Number of Bits),andDigestalgorithmforthe
certificatesigningrequest.
h. Configurethepermittedusesofthecertificate,eitherfor
signing(Use as digital signature)orencryption(Use for
key encipherment).
i. ToensurethattheportalisconnectingtothecorrectSCEP
server,entertheCA Certificate Fingerprint.Obtainthis
fingerprintfromtheSCEPserverinterfaceinthe
Thumbprintfield.
j. EnablemutualSSLauthenticationbetweentheSCEPserver
andtheGlobalProtectportal.
k. ClickOKandthenCommittheconfiguration.
2. SelectDevice > Certificate Management > Certificates >
Device Certificates andthenclickGenerate.
4. SelecttheSCEP Profiletousetoautomatetheprocessof
issuingaservercertificatethatissignedbytheenterpriseCA
toaportalorgateway,andthenclickOKtogeneratethe
certificate.TheGlobalProtectportalusesthesettingsinthe
SCEPprofiletosubmitaCSRtoyourenterprisePKI.
Assigntheservercertificateyouimportedor 1. SelectDevice > Certificate Management > SSL/TLS Service

generatedtoanSSL/TLSserviceprofile. ProfileandclickAdd.
2. EnteraNametoidentifytheprofileandselecttheserver
Certificateyouimportedorgenerated.
3. DefinetherangeofSSL/TLSversions(Min VersiontoMax
Version)forcommunicationbetweenGlobalProtect
components.
4. ClickOKtosavetheSSL/TLSserviceprofile.
5. Committhechanges.
Deploytheselfsignedservercertificates. Export the certificate from the portal:

Exporttheselfsignedserver 1. SelectDevice > Certificate Management > Certificates >
certificatesissuedbytherootCAon Device Certificates.
theportalandimportthemontothe
2. Selectthegatewaycertificateyouwanttodeployandclick
gateways.
Export.
Besuretoissueauniqueserver
certificateforeachgateway. 3. IntheFile Format dropdown,selectEncrypted Private Key
and Certificate (PKCS12).
Ifspecifyingselfsigned
certificates,youmustdistributethe 4. Enter(andreenter)aPassphrasetoencrypttheprivatekey.
RootCAcertificatetotheend 5. ClickOKtodownloadthePKCS12filetoalocationofyour
clientsintheportalclient choice.
configurations.
Import the certificate on the gateway:
Device Certificates.
2. ClickImport.
3. EnteraCertificate Name.
4. BrowsetofindandselecttheCertificate Fileyou
downloadedinstep5,above.
5. IntheFile Format dropdown,selectEncrypted Private Key
and Certificate (PKCS12).
6. Enter(andreenter)thePassphraseyouusedtoencryptthe
privatekeywhenyouexporteditfromtheportal.
7. ClickOKtoimportthecertificateandkey.
8. Committhechangestothegateway.
Authentication
TheGlobalProtectportalandgatewaymustauthenticatetheenduserbeforeitallowsaccessto
GlobalProtectresources.Youmustconfigureauthenticationmechanismsbeforecontinuingwiththeportal
andgatewaysetup.Thefollowingsectionsdetailthesupportedauthenticationmechanismsandhowto
configurethem:
AboutGlobalProtectUserAuthentication
SetUpExternalAuthentication
SetUpClientCertificateAuthentication
SetUpTwoFactorAuthentication
SetUpAuthenticationforstrongSwanUbuntuandCentOSClients
SetUpMultiFactorAuthentication
EnableGroupMapping
AboutGlobalProtectUserAuthentication Authentication
AboutGlobalProtectUserAuthentication
ThefirsttimeaGlobalProtectclientconnectstotheportal,theuserispromptedtoauthenticatetothe
portal.Ifauthenticationsucceeds,theGlobalProtectportalsendstheGlobalProtectconfiguration,which
includesthelistofgatewaystowhichtheagentcanconnect,andoptionallyaclientcertificateforconnecting
tothegateways.Aftersuccessfullydownloadingandcachingtheconfiguration,theclientattemptsto
connecttooneofthegatewaysspecifiedintheconfiguration.Becausethesecomponentsprovideaccessto
yournetworkresourcesandsettings,theyalsorequiretheendusertoauthenticate.
Theappropriatelevelofsecurityrequiredontheportalandgatewaysvarieswiththesensitivityofthe
resourcesthatthegatewayprotects.GlobalProtectprovidesaflexibleauthenticationframeworkthatallows
youtochoosetheauthenticationprofileandcertificateprofilethatareappropriatetoeachcomponent.
SupportedGlobalProtectAuthenticationMethods
HowDoestheAgentorAppKnowWhatCredentialstoSupply?
Supported GlobalProtect Authentication Methods
ThefollowingtabledescribestheauthenticationmethodsthatGlobalProtectsupportsandprovidesusage
guidelines.
AuthenticationMethod Description
Local Authentication Boththeuseraccountcredentialsandtheauthenticationmechanismsarelocaltothe

firewall.Thisauthenticationmechanismisnotscalablebecauseitrequiresanaccountfor
everyGlobalProtectuserandis,therefore,advisableforonlyverysmalldeployments.
External authentication TheuserauthenticationfunctionsareperformedbyanexternalLDAP,Kerberos,

TACACS+,SAML,orRADIUSservice(includingsupportfortwofactor,tokenbased
authenticationmechanisms,suchasonetimepassword(OTP)authentication).Toenable
externalauthentication:
Createaserverprofilewithsettingsforaccesstotheexternalauthenticationservice.
Createanauthenticationprofilethatreferstotheserverprofile.
Specifyclientauthenticationintheportalandgatewayconfigurationsandoptionally
specifytheOSoftheendpointthatwillusethesesettings.
YoucanusedifferentauthenticationprofilesforeachGlobalProtectcomponent.SeeSet
UpExternalAuthenticationforinstructions.SeeRemoteAccessVPN(Authentication
Profile)foranexampleconfiguration.
Authentication AboutGlobalProtectUserAuthentication
Client certificate Forenhancedsecurity,youcanconfiguretheportalorgatewaytouseaclientcertificate

authentication toobtaintheusernameandauthenticatetheuserbeforegrantingaccesstothesystem.
Toauthenticatetheuser,oneofthecertificatefields,suchastheSubjectNamefield,
mustidentifytheusername.
Toauthenticatetheendpoint,theSubjectfieldofthecertificatemustidentifythedevice
typeinsteadoftheusername.(Withtheprelogonconnectmethods,theportalor
gatewayauthenticatestheendpointbeforetheuserlogsin.)
Foranagentconfigurationprofilethatspecifiesclientcertificates,eachuserreceivesa
clientcertificate.Themechanismforprovidingthecertificatesdetermineswhethera
certificateisuniquetoeachclientorthesameforallclientsunderthatagentconfiguration:
Todeployclientcertificatesthatareuniquetoeachuseranddevice,useSCEP.Whena
userfirstlogsin,theportalrequestsacertificatefromtheenterprisesPKI.Theportal
obtainsauniquecertificateanddeploysittotheclient.
Todeploythesameclientcertificatetoallusersthatreceiveanagentconfiguration,
deployacertificatethatisLocaltothefirewall.
Useanoptionalcertificateprofiletoverifytheclientcertificatethataclientpresentswith
aconnectionrequest.Thecertificateprofilespecifiesthecontentsoftheusernameand
userdomainfields;listsCAcertificates;criteriaforblockingasession;andofferswaysto
determinetherevocationstatusofCAcertificates.Youmustpredeploycertificatesused
incertificateprofilestotheendpointsbeforetheusersinitialportalloginbecausethe
certificateispartoftheauthenticationoftheendpointoruserforanewsession.
Thecertificateprofilespecifieswhichcertificatefieldcontainstheusername.Ifthe
certificateprofilespecifiesSubjectintheUsernameField,thecertificatepresentedbythe
clientmustcontainacommonnamefortheclienttoconnect.Ifthecertificateprofile
specifiesaSubjectAltwithanEmailorPrincipalNameastheUsernameField,the
certificatefromtheclientmustcontainthecorrespondingfields,whichwillbeusedasthe
usernamewhentheGlobalProtectagentauthenticatestotheportalorgateway.
GlobalProtectalsosupportsauthenticationbycommonaccesscards(CACs)andsmart
cards,whichrelyonacertificateprofile.Withthesecards,thecertificateprofilemust
containtherootCAcertificatethatissuedthecertificatetothesmartcardorCAC.
Ifyouspecifyclientcertificateauthentication,youshouldnotconfigureaclientcertificate
intheportalconfigurationbecausetheclientsystemprovidesitwhentheuserconnects.
Foranexampleofhowtoconfigureclientcertificateauthentication,seeRemoteAccess
VPN(CertificateProfile).
Two-factor Withtwofactorauthentication,theportalorgatewayusestwomechanismsto
authentication authenticateauser,suchasaonetimepasswordinadditiontoADlogincredentials.You
canenabletwofactorauthenticationontheportalandgatewaysbyconfiguringa
certificateprofileandanauthenticationprofileandaddingthembothtotheportaland/or
gatewayconfiguration.
Youcanconfiguretheportalandgatewaystousethesameauthenticationmethodsoruse
differentmethods.Regardless,withtwofactorauthentication,theclientmustsuccessfully
authenticatebythetwomechanismsthatthecomponentdemandsbeforeitgrantsaccess.
IfthecertificateprofilespecifiesaUsernameFieldfromwhichGlobalProtectcanobtaina
username,theexternalauthenticationserviceautomaticallyusestheusernameto
authenticatetheusertotheexternalauthenticationservicespecifiedintheauthentication
profile.Forexample,iftheUsernameFieldinthecertificateprofileissettoSubject,the
valueinthecommonnamefieldofthecertificateisusedastheusernamewhenthe
authenticationservertriestoauthenticatetheuser.Ifyoudonotwanttoforceusersto
authenticatewithausernamefromthecertificate,makesurethecertificateprofileissetto
NonefortheUsernameField.SeeRemoteAccessVPNwithTwoFactorAuthenticationfor
anexampleconfiguration.
AboutGlobalProtectUserAuthentication Authentication
Multi-Factor Forsensitive,nonHTTPnetworkresources(forexample,financialapplicationsorsoftware
Authentication for developmentapplications)thatmayrequireadditionalauthentication,GlobalProtectclients
non-HTTP applications cannownotifyandprompttheusertoperformthetimely,multifactorauthentication
neededtoaccesstheseresources.
How Does the Agent or App Know What Credentials to Supply?
Bydefault,theGlobalProtectagentattemptstousethesamelogincredentialsforthegatewaythatitused
forportallogin.Inthesimplestcase,wherethegatewayandtheportalusethesameauthenticationprofile
and/orcertificateprofile,theagentwillconnecttothegatewaytransparently.
Onaperagentconfigurationbasis,youcanalsocustomizewhichGlobalProtectportalandgateways
internal,external,ormanualonlyrequiredifferentcredentials(suchasuniqueOTPs).Thisenablesthe
GlobalProtectportalorgatewaytopromptfortheuniqueOTPwithoutfirstpromptingforthecredentials
specifiedintheauthenticationprofile.
Therearetwooptionsformodifyingthedefaultagentauthenticationbehaviorsothatauthenticationisboth
strongerandfaster:
CookieAuthenticationonthePortalorGateway
CredentialForwardingtoSomeorAllGateways
CookieAuthenticationonthePortalorGateway
Cookieauthenticationsimplifiestheauthenticationprocessforendusersbecausetheywillnolongerbe
requiredtologintoboththeportalandthegatewayinsuccessionorentermultipleOTPsforauthenticating
toeach.Thisimprovestheuserexperiencebyminimizingthenumberoftimesthatusersmustenter
credentials.Inaddition,cookiesenableuseofatemporarypasswordtoreenableVPNaccessaftertheusers
passwordexpires.
Youcanconfigurecookieauthenticationsettingsindependentlyfortheportalandforindividualgateways,
(forexample,youcanimposeashortercookielifetimeongatewaysthatprotectsensitiveresources).After
theportalorgatewaysdeployanauthenticationcookietotheendpoint,theportalandgatewaysbothrely
onthesamecookietoauthenticatetheuser.Whentheagentpresentsthecookie,theportalorgateway
evaluateswhetherthecookieisvalidbasedontheconfiguredcookielifetime.Ifthecookieexpires,
GlobalProtectautomaticallypromptstheusertoauthenticatewiththeportalorgateway.When
authenticationissuccessful,theportalorgatewayissuesthereplacementauthenticationcookietothe
endpointandthevalidityperiodstartsover.
Considerthefollowingexamplewhereyouconfigurethecookielifetimefortheportalwhichdoesnot
protectsensitiveinformationas15days,butconfigurethecookielifetimeforgatewayswhichdoprotect
sensitiveinformationas24hours.Whentheuserfirstauthenticateswiththeportal,theportalissuesthe
authenticationcookie.Ifafterfivedays,theuserattemptedtoconnecttotheportal,theauthentication
cookiewouldstillbevalid.However,ifafterfivedaystheuserattemptedtoconnecttothegateway,the
gatewaywouldevaluatethecookielifetimeanddetermineitexpired(5days>24hours).Theagentwould
thenautomaticallyprompttheusertoauthenticatewiththegatewayand,onsuccessfulauthentication,
receiveareplacementauthenticationcookie.Thenewauthenticationcookiewouldthenbevalidforanother
15daysontheportalandanother24hoursonthegateways.
Authentication AboutGlobalProtectUserAuthentication
Foranexampleofhowtousethisoption,seeSetUpTwoFactorAuthentication.
CredentialForwardingtoSomeorAllGateways
Withtwofactorauthentication,youcanspecifytheportaland/ortypesofgateways(internal,external,or
manualonly)thatpromptfortheirownsetofcredentials.Thisoptionspeedsuptheauthenticationprocess
whentheportalandthegatewayrequiredifferentcredentials(eitherdifferentOTPsordifferentlogin
credentialsentirely).Foreachportalorgatewaythatyouselect,theagentwillnotforwardcredentials,
allowingyoutocustomizethesecurityfordifferentGlobalProtectcomponents.Forexample,youcanhave
thesamesecurityonyourportalsandinternalgateways,whilerequiringasecondfactorOTPoradifferent
passwordforaccesstothosegatewaysthatprovideaccesstoyourmostsensitiveresources.
Foranexampleofhowtousethisoption,seeSetUpTwoFactorAuthentication.
SetUpExternalAuthentication Authentication
SetUpExternalAuthentication
ThefollowingworkflowsdescribehowtosetuptheGlobalProtectportalandgatewaystouseanexternal
authenticationservice.ThesupportedauthenticationservicesareLDAP,Kerberos,RADIUS,SAML,or
TACACS+.
Theseworkflowsalsodescribehowtocreateanoptionalauthenticationprofilethataportalorgatewaycan
usetoidentifytheexternalauthenticationservice.Thisstepisoptionalforexternalauthenticationbecause
theauthenticationprofilealsocanspecifythelocalauthenticationdatabaseorNone.
GlobalProtectalsosupportslocalauthentication.Touselocalauthentication,createalocaluserdatabase(Device
> Local User Database)thatcontainstheusersandgroupstowhichyouwanttoallowVPNaccessandthen
refertothatdatabaseintheauthenticationprofile.
Formoreinformation,seeSupportedGlobalProtectAuthenticationMethodsorwatchavideo.
Theoptionsforsettingupexternalauthenticationinclude:
SetUpLDAPAuthentication
SetUpSAMLAuthentication
SetUpKerberosAuthentication
SetUpRADIUSorTACACS+Authentication
Authentication SetUpExternalAuthentication
Set Up LDAP Authentication
LDAPisoftenusedbyorganizationsasacentralrepositoryforuserinformationandasanauthentication
service.Itcanalsobeusedtostoretheroleinformationforapplicationusers.
SetUpLDAPUserAuthentication
Step1 Createaserverprofile. 1. SelectDevice > Server Profiles andselecttheLDAPprofile.

Theserverprofileidentifiestheexternal 2. ClickAddandenteraProfileName,suchasGPUserAuth.
authenticationserviceandinstructsthe
3. Ifthisprofileisforafirewallwithmultiplevirtualsystems
firewallhowtoconnecttothat
capability,selectavirtualsystemorSharedastheLocation
authenticationserviceandaccessthe
wheretheprofileisavailable.
authenticationcredentialsforyourusers.
WhenyouuseLDAPtoconnect 4. SelecttheTypeofLDAPserver.
toActiveDirectory(AD),you 5. ClickAddintheServerssectionandthenenterthenecessary
mustcreateaseparateLDAP informationforconnectingtotheauthenticationserver,
serverprofileforeveryAD includingtheserverName,IPaddressorFQDNoftheServer,
domain. andPort.
6. Specifysettingstoenabletheauthenticationserviceto
authenticatethefirewall.EntertheBind DNandPassword.
7. IfyouwantthedevicetouseSSLorTLSforamoresecure
connectionwiththedirectoryserver,selecttheRequire
SSL/TLS secured connectioncheckbox(selectedbydefault).
TheprotocolthatthedeviceusesdependsontheserverPort:
389(default)TLS(Specifically,thedeviceusesthe
StartTLSoperation,whichupgradestheinitialplaintext
connectiontoTLS.)
636SSL
AnyotherportThedevicefirstattemptstouseTLS.Ifthe
directoryserverdoesntsupportTLS,thedevicefallsback
toSSL.
8. Foradditionalsecurity,selecttheVerify Server Certificate for
SSL sessionscheckboxsothatthedeviceverifiesthe
certificatethatthedirectoryserverpresentsforSSL/TLS
connections.Toenableverification,youalsohavetoselect
theRequire SSL/TLS secured connectioncheckbox.For
verificationtosucceed,thecertificatemustmeetoneofthe
followingconditions:
Itisinthelistofdevicecertificates:Device > Certificate
Management > Certificates > Device Certificates.Import
thecertificateintothedevice,ifnecessary.
Thecertificatesignerisinthelistoftrustedcertificate
authorities:Device > Certificate Management >
Certificates > Default Trusted Certificate Authorities.
9. ClickOKtosavetheserverprofile.
SetUpLDAPUserAuthentication(Continued)
Step2 (Optional)Createanauthentication 1. SelectDevice > Authentication ProfileandAddanewprofile.

profile. 2. EnteraNamefortheprofileandthenselectLDAPasthe
Theauthenticationprofilespecifiesthe authenticationType.
serverprofilefortheportalorgateways
3. SelecttheLDAPauthenticationServer Profilethatyou
tousewhentheyauthenticateusers.On
createdinStep 1fromthedropdown.
aportalorgateway,youcanassignone
ormoreauthenticationprofilesinoneor 4. EntersAMAccountNameastheLogin Attribute.
moreclientauthenticationprofiles.For 5. SetthePassword Expiry Warning tospecifythenumberof
descriptionsofhowanauthentication daysbeforepasswordexpirationthatuserswillbenotified.By
profilewithinaclientauthentication default,userswillbenotifiedsevendayspriortopassword
profilesupportsgranularuser expiration(rangeis1255).Becauseusersmustchangetheir
authentication,seeConfigurea passwordsbeforetheendoftheexpirationperiod,makesure
GlobalProtectGatewayandSetUp youprovideanotificationperiodthatisadequateforyour
AccesstotheGlobalProtectPortal. userbasetoensurecontinuedaccesstotheVPN.Tousethis
Toenableuserstoconnectand feature,youmustspecifyoneofthefollowingtypesofLDAP
changetheirownexpired serversinyourLDAPserverprofile:active-directory,
passwordswithout e-directory,orsun.
administrativeintervention, UserscannotaccesstheVPNiftheirpasswordsexpireunless
considerusingaprelogon youenableprelogon.
connectmethod.SeeRemote
AccessVPNwithPreLogonfor 6. Configureanoptionalcustomexpirymessagetoinclude
details. additionalinstructions,suchashelpdeskcontactinformation
oralinktoapasswordportalwhereuserscanchangetheir
Ifusersallowtheirpasswordsto
passwords(seeCustomizetheGlobalProtectAgent).
expire,youmayassigna
temporaryLDAPpasswordto 7. Specifythedomainnameandusernameformat.Thedevice
enablethemtologintotheVPN. combinestheUser DomainandUsername Modifiervaluesto
Inthiscase,thetemporary modifythedomain/usernamestringthatauserentersduring
passwordmaybeusedto login.Thedeviceusesthemodifiedstringforauthentication
authenticatetotheportal,butthe andusestheUser DomainvalueforUserIDgroupmapping.
gatewayloginmayfailbecause Modifyinguserinputisusefulwhentheauthenticationservice
thesametemporarypassword requiresdomain/usernamestringsinaparticularformatand
cannotbereused.Toprevent youdontwanttorelyonuserstocorrectlyenterthedomain.
this,enableanauthentication Youcanselectfromthefollowingoptions:
overrideintheportal Tosendonlytheunmodifieduserinput,leavetheUser
configuration(Network > Domainblank(thedefault)andsettheUsername Modifier
GlobalProtect > Portal)toenable tothevariable%USERINPUT%(thedefault).
theagenttouseacookieto Toprependadomaintotheuserinput,enteraUser
authenticatetotheportalanduse DomainandsettheUsername Modifierto
thetemporarypasswordto %USERDOMAIN%\%USERINPUT%.
authenticatethegateway. Toappendadomaintotheuserinput,enteraUser Domain
andsettheUsername Modifierto
%USERINPUT%@%USERDOMAIN%.
IftheUsername Modifierincludesthe
%USERDOMAIN%variable,theUser Domainvalue
replacesanydomainstringthattheuserenters.If
theUser Domainisblank,thatmeansthedevice
removesanyuserentereddomainstring.
SetUpLDAPUserAuthentication(Continued)
8. SelecttheAdvancedtab.
9. IntheAllowList,Addandthenselecttheusersandgroups
thatareallowedtoauthenticatewiththisprofile.Selectingthe
predefinedalloptionallowseveryusertoauthenticate.By
default,thelisthasnoentries,whichmeansnouserscan
authenticate.
10. ClickOK.
Step3 Committheconfiguration. ClickCommit.
Set Up SAML Authentication
SecurityAssertionMarkupLanguage(SAML)isanXMLbased,openstandarddataformatforexchanging
authenticationandauthorizationdatabetweenparties,inparticular,betweenanidentityprovider(IdP)and
aserviceprovider.SAMLisaproductoftheOASISSecurityServicesTechnicalCommittee.
SetUpSAMLUserAuthentication
Step1 Createaserverprofile. 1. SelectDevice > Server Profiles andselecttheSAML Identity

Theserverprofileidentifiestheexternal Provider profile.
authenticationserviceandinstructsthe 2. ClickAddandenteraProfileName,suchasGPUserAuth.
4. ImporttheIdPmetadatafile.RefertoSAML2.0
Authenticationfordetails.
Alternatively,iftheIdPdoesntprovideametadata
file,Addtheserverprofileandthenenterthe
connectionandregistrationinformation.
SetUpSAMLUserAuthentication(Continued)

profile. 2. EnteraNamefortheprofileandthenselectSAMLasthe
3. SelecttheSAMLauthenticationServer Profilethatyou
ormoreauthenticationprofilesinoneor 4. Selectthefollowingtoconfigurecertificateauthentication
moreclientauthenticationprofiles.For betweenthefirewallandtheSAMLidentityprovider.Referto
descriptionsofhowanauthentication SAML2.0Authenticationfordetails.
profilewithinaclientauthentication TheRequest Signing Certificate thatthefirewallusesto
profilesupportsgranularuser signmessagesitsendstotheIdP.
authentication,seeConfigurea TheCertificate Profilethatthefirewallusestovalidatethe
GlobalProtectGatewayandSetUp Identity Provider Certificate.
AccesstotheGlobalProtectPortal.
5. Specifytheusernameandadminroleformats.
SAMLauthenticationdoesnot
supporttheprelogonconnect SpecifytheUsername AttributeandUser Group Attribute.
methodthatenablesusersto Unlikeothertypesofexternalauthentication,there
connectandchangetheirown isnoUser Domainattributeintheauthentication
expiredpasswordswithout profilesforSAML.
administrativeintervention (Optional)Ifyouwillusethisprofiletoauthenticate
(RemoteAccessVPNwith administrativeaccountsthatyoumanageintheIdPidentity
PreLogon). store,specifytheAdmin Role AttributeandAccess
Domain Attributealso.
authenticate.
MakesuretheusernameintheAllowListmatchesthe
usernamereturnedfromtheSAMLIdPserver.
8. ClickOK.
Set Up Kerberos Authentication
Kerberosisacomputernetworkauthenticationprotocolthatworksonthebasisofticketstoallownodes
communicatingoveranonsecurenetworktoprovetheiridentitytooneanotherinasecuremanner.
SetUpKerberosAuthentication
Step1 Createaserverprofile. 1. SelectDevice > Server Profiles andselecttheKerberos

Theserverprofileidentifiestheexternal profile.
4. ClickAddintheServerssectionandthenenterthenecessary
informationforconnectingtotheauthenticationserver,
includingtheserverName,IPaddressorFQDNoftheServer,
andPort.
SetUpKerberosAuthentication(Continued)

profile. 2. EnteraNamefortheprofileandthenselectKerberosasthe
3. SelecttheKerberosauthenticationServer Profilethatyou
ormoreauthenticationprofilesinoneor 4. Specifythedomainnameandusernameformat.Thedevice
moreclientauthenticationprofiles.For combinestheUser DomainandUsername Modifiervaluesto
descriptionsofhowanauthentication modifythedomain/usernamestringthatauserentersduring
profilewithinaclientauthentication login.Thedeviceusesthemodifiedstringforauthentication
profilesupportsgranularuser andusestheUser DomainvalueforUserIDgroupmapping.
authentication,seeConfigurea Modifyinguserinputisusefulwhentheauthenticationservice
GlobalProtectGatewayandSetUp requiresdomain/usernamestringsinaparticularformatand
AccesstotheGlobalProtectPortal. youdontwanttorelyonuserstocorrectlyenterthedomain.
Toenableuserstoconnectand Youcanselectfromthefollowingoptions:
changetheirownexpired Tosendonlytheunmodifieduserinput,leavetheUser
passwordswithout Domainblank(thedefault)andsettheUsername Modifier
administrativeintervention, tothevariable%USERINPUT%(thedefault).
considerusingaprelogon Toprependadomaintotheuserinput,enteraUser
connectmethod.SeeRemote DomainandsettheUsername Modifierto
AccessVPNwithPreLogonfor %USERDOMAIN%\%USERINPUT%.
details. Toappendadomaintotheuserinput,enteraUser Domain
5. ConfigureKerberossinglesignon(SSO)ifyournetwork
supportsit:
EntertheKerberos Realm(upto127characters).Thisis
thehostnameportionoftheuserloginname.Forexample,
theuseraccountnameuser@EXAMPLE.LOCALhasthe
realmEXAMPLE.LOCAL.
SpecifyaKerberos Keytabfile:clicktheImportlink,
Browsetothekeytabfile,andclickOK.During
authentication,theendpointfirsttriestousethekeytabto
establishSSO.Ifitsucceeds,andtheuserattempting
accessisintheAllow List,authenticationsucceeds
immediately.Otherwise,theauthenticationprocessfalls
backtomanual(username/password)authenticationofthe
specifiedType.TheTypedoesnthavetobeKerberos.To
changethisbehaviorsothatuserscanauthenticateonly
usingKerberos,setUse Default Authentication on
Kerberos Authentication FailuretoNoinaGlobalProtect
portalagentconfiguration.
authenticate.
SetUpKerberosAuthentication(Continued)
Step3 Saveyourchangesandcommitthe ClickOK,andthenCommit.

configuration.
Set Up RADIUS or TACACS+ Authentication
RADIUSisaclient/serverprotocolandsoftwarethatenablesremoteaccessserverstocommunicatewitha
centralservertoauthenticatedialinusersandauthorizetheiraccesstotherequestedsystemorservice.
TACACS+isawellestablishedauthenticationprotocolcommontoUNIXnetworksthatallowsaremote
accessservertoforwardauser'slogonpasswordtoanauthenticationservertodeterminewhetheraccess
canbeallowedtoagivensystem.
SetUpRADIUSorTACACS+Authentication
Step1 Createaserverprofile. 1. SelectDevice > Server Profiles andselectthetypeofprofile

Theserverprofileidentifiestheexternal (RADIUSorTACACS+).
IfyouwanttoEnableDeliveryof
GlobalProtectClientVSAstoa 4. ConfigurethefollowingServerSettings.Thesesettingstoall
RADIUSServer,youmustcreate serversyouincludeintheprofile.
aRADIUSserverprofile. Timeout (sec)Thenumberofsecondsbeforeaserver
connectionrequesttimesoutduetolackofresponsefrom
theauthenticationserver.
Authentication ProtocolSelecttheprotocoltousefor
connectionstotheauthenticationserver.Choicesare
CHAP,PAP,orAuto.
(RADIUSonly)RetriesThenumberoftimesthefirewall
trysconnectingtotheauthenticationserverbefore
droppingtherequest.
(TACACS+only)Use single connection for all
authenticationtoallowallTACACS+authentication
requeststooccuroverasingleTCPsessionratherthan
separatesessionsforeachrequest.
5. ClickAddintheServerssectionandthenenterthenecessary
informationforconnectingtotheauthenticationserver,
includingtheserverName,IPaddressorFQDNoftheServer,
andPort.
6. Specifysettingstoenabletheauthenticationserviceto
authenticatethefirewall.EnterthesharedSecretwhen
addingtheserverentry.
SetUpRADIUSorTACACS+Authentication(Continued)
Step2 (Optional)Createanauthentication 1. SelectDevice > Authentication Profile andAddanewprofile.

profile. 2. EnteraNamefortheprofileandthenselectthe
Theauthenticationprofilespecifiesthe authenticationType(RADIUSorTACACS+).
3. SelecttheRADIUSorTACACS+authenticationServer
Profile.thatyoucreatedinStep 1fromthedropdown.
ormoreauthenticationprofilesinoneor 4. (RADIUSonly)EnableRetrieve user group from RADIUS if
moreclientauthenticationprofiles.For youwanttoincludethisinformationintheauthentication
descriptionsofhowanauthentication profile.
profilewithinaclientauthentication 5. Specifythedomainnameandusernameformat.Thedevice
profilesupportsgranularuser combinestheUser DomainandUsername Modifiervaluesto
authentication,seeConfigurea modifythedomain/usernamestringthatauserentersduring
GlobalProtectGatewayandSetUp login.Thedeviceusesthemodifiedstringforauthentication
AccesstotheGlobalProtectPortal. andusestheUser DomainvalueforUserIDgroupmapping.
Toenableuserstoconnectand Modifyinguserinputisusefulwhentheauthenticationservice
changetheirownexpired requiresdomain/usernamestringsinaparticularformatand
passwordswithout youdontwanttorelyonuserstocorrectlyenterthedomain.
administrativeintervention, Youcanselectfromthefollowingoptions:
considerusingaprelogon Tosendonlytheunmodifieduserinput,leavetheUser
connectmethod.SeeRemote Domainblank(thedefault)andsettheUsername Modifier
AccessVPNwithPreLogonfor tothevariable%USERINPUT%(thedefault).
details.
Toprependadomaintotheuserinput,enteraUser
DomainandsettheUsername Modifierto
%USERDOMAIN%\%USERINPUT%.
Toappendadomaintotheuserinput,enteraUser Domain
authenticate.
8. ClickOK.
Authentication SetUpClientCertificateAuthentication
SetUpClientCertificateAuthentication
Withtheoptionalclientcertificateauthentication,theagent/apppresentsaclientcertificatealongwithits
connectionrequesttotheGlobalProtectportalorgateway.Theportalorgatewaycanuseeitherasharedor
uniqueclientcertificatetovalidatethattheuserordevicebelongstoyourorganization.
Themethodsfordeployingclientcertificatesdependonthesecurityrequirementsforyourorganization:
DeploySharedClientCertificatesforAuthentication
DeployMachineCertificatesforAuthentication
DeployUserSpecificClientCertificatesforAuthentication
Deploy Shared Client Certificates for Authentication
Toconfirmthatanendpointuserbelongstoyourorganization,youcanusethesameclientcertificateforall
endpointsorgenerateseparatecertificatestodeploywithaparticularagentconfiguration.Usethis
workflowtoissueselfsignedclientcertificatesforthispurposeanddeploythemfromtheportal.
DeploySharedClientCertificatesforAuthentication
Step1 Generateacertificatetodeployto 1. CreatetherootCAcertificateforissuingselfsigned

multipleGlobalProtectclients. certificatesfortheGlobalProtectcomponents.
Device Certificates andthenclickGenerate.
3. UsetheLocalcertificatetype(thedefault).
5. IntheCommon Namefieldenteranametoidentifythis
certificateasanagentcertificate,forexample
GP_Windows_clients.Becausethissamecertificatewillbe
deployedtoallagentsusingthesameconfiguration,itdoes
notneedtouniquelyidentifyaspecificuserorendpoint.
6. IntheSigned Byfield,selectyourrootCA.
7. SelectanOSCP Respondertoverifytherevocationstatusof
certificates.
Step2 SetUpTwoFactorAuthentication. ConfigureauthenticationsettingsinaGlobalProtectportalagent

configurationtoenabletheportaltotransparentlydeploythe
clientcertificatethatisLocaltothefirewalltoclientsthatreceive
theconfiguration.
SetUpClientCertificateAuthentication Authentication
Deploy Machine Certificates for Authentication
Toconfirmthattheendpointbelongstoyourorganization,useyourownpublickeyinfrastructure(PKI)to
issueanddistributemachinecertificatestoeachendpoint(recommended)orgenerateaselfsignedmachine
certificateforexport.Withtheprelogonconnectmethods,amachinecertificateisrequiredandmustbe
installedontheendpointbeforeGlobalProtectcomponentswillgrantaccess.
Toconfirmthattheendpointbelongstoyourorganization,youmustalsoconfigureanauthenticationprofile
toauthenticatetheuser.SeeTwofactorauthentication.
Usethefollowingworkflowtocreatetheclientcertificateandmanuallydeployittoanendpoint.Formore
information,seeAboutGlobalProtectUserAuthentication.Foranexampleconfiguration,seeRemote
AccessVPN(CertificateProfile).
DeployMachineCertificatesforAuthentication
Step1 IssueclientcertificatestoGlobalProtect 1. CreatetherootCAcertificateforissuingselfsigned

clientsandendpoints. certificatesfortheGlobalProtectcomponents.
ThisenablestheGlobalProtectportal 2. SelectDevice > Certificate Management > Certificates >
andgatewaystovalidatethatthedevice Device Certificates andthenclickGenerate.
belongstoyourorganization.
3. EnteraCertificate Name.Thecertificatenamecannotcontain
anyspaces.
4. Configurecryptographicsettingsforthecertificateincluding
theencryptionAlgorithm,keylength(Number of Bits),Digest
algorithm(usesha1,sha256,orsha384;sha512isnot
supportedwithclientcertificates),andExpiration (indays)for
thecertificate.
IfthefirewallisinFIPSCCmodeandthekeygeneration
algorithmisRSA.TheRSAkeysmustbe2,048bitsorlarger.
5. IntheCertificateAttributessection,Addanddefinethe
attributesthatuniquelyidentifytheGlobalProtectclientsas
belongingtoyourorganization.Keepinmindthatifyouadda
Host Nameattribute(whichpopulatestheSANfieldofthe
certificate),itmustbethesameasthevalueyoudefinedfor
theCommon Name.
6. IntheSigned Byfield,selectyourrootCA.
7. SelectanOSCP Respondertoverifytherevocationstatusof
certificates.
8. (Optional)IntheCertificateAttributessection,clickAddand
definetheattributestoidentifytheGlobalProtectclientsas
belongingtoyourorganizationifrequiredaspartofyour
securityrequirements.
DeployMachineCertificatesforAuthentication(Continued)
Step2 Installcertificatesinthepersonal Forexample,toinstallacertificateonaWindowssystemusingthe

certificatestoreontheendpoints. MicrosoftManagementConsole:
Ifyouareusinguniqueusercertificates 1. Fromthecommandprompt,entermmctolaunchtheconsole.
ormachinecertificates,youmustinstall
2. SelectFile > Add/Remove Snap-in.
eachcertificateinthepersonal
certificatestoreontheendpointpriorto 3. SelectCertificates,clickAddandthenselectoneofthe
thefirstportalorgatewayconnection. following,dependingonwhattypeofcertificateyouare
InstallmachinecertificatestotheLocal importing:
ComputercertificatestoreonWindows Computer accountSelectthisoptionifyouareimportinga
andintheSystemKeychainonMacOS. machinecertificate.
InstallusercertificatestotheCurrent My user accountSelectthisoptionifyouareimportinga
UsercertificatestoreonWindowsandin usercertificate.
thePersonalKeychainonMacOS.
4. ExpandCertificatesandselectPersonalandtheninthe
ActionscolumnselectPersonal > More Actions > All Tasks >
ImportandfollowthestepsintheCertificateImportWizardto
importthePKCSfileyougotfromtheCA.
5. Browsetothe.p12certificatefiletoimport(selectPersonal
Information Exchangeasthefiletypetobrowsefor)andenter
thePasswordthatyouusedtoencrypttheprivatekey.Select
PersonalastheCertificate store.
Step3 Verifythatthecertificatehasbeen Navigatetothepersonalcertificatestore:

addedtothepersonalcertificatestore.
Step4 ImporttherootCAcertificateusedto 1. DownloadtherootCAcertificateusedtoissuetheclient

issuetheclientcertificatesontothe certificates(Base64format).
firewall. 2. ImporttherootCAcertificatefromtheCAthatgeneratedthe
Thisstepisrequiredonlyifanexternal clientcertificatesontothefirewall:
CAissuedtheclientcertificates,suchas a. SelectDevice > Certificate Management > Certificates >
apublicCAoranenterprisePKICA.If Device Certificates andclickImport.
youareusingselfsignedcertificates,the
b. UsetheLocalcertificatetype(thedefault).
rootCAisalreadytrustedbytheportal
andgateways. c. EnteraCertificate Namethatidentifiesthecertificateas
yourclientCAcertificate.
d. BrowsetotheCertificate Fileyoudownloadedfromthe
CA.
e. SelectBase64 Encoded Certificate (PEM)astheFile
FormatandthenclickOK.
f. SelectthecertificateyoujustimportedontheDevice
Certificatestabtoopenit.
g. SelectTrusted Root CAandthenclickOK.
Step5 Createaclientcertificateprofile. 1. SelectDevice > Certificates > Certificate Management >

Certificate Profile,clickAdd,andenteraprofileName.
2. SelectavaluefortheUsername Fieldtospecifywhichfieldin
thecertificatewillcontaintheusersidentityinformation.
Ifyouplantoconfiguretheportalorgatewaystoauthenticate
userswithcertificatesonly,youmustspecifytheUsername
Field.ThisenablesGlobalProtecttoassociateausernamewith
thecertificate.
Ifyouplantosetuptheportalorgatewayfortwofactor
authentication,youcanleavethedefaultvalueofNone,or,to
addanadditionallayerofsecurity,specifyausername.Ifyou
specifyausername,yourexternalauthenticationservice
verifiesthattheusernameintheclientcertificatematchesthe
usernamerequestingauthentication.Thisensuresthatthe
useristheonetowhichthecertificatewasissued.
Userscannotchangetheusernamethatisincludedinthe
certificate.
3. IntheCA Certificatesfield,clickAdd,selecttheTrustedRoot
CAcertificateyouimportedinStep 4andthenclickOK.
Deploy User-Specific Client Certificates for Authentication
Toauthenticateindividualusers,youmustissueauniqueclientcertificatetoeachGlobalProtectuserand
deploytheclientcertificatetotheendpointspriortoenablingGlobalProtect.Toautomatethegeneration
anddeploymentofuserspecificclientcertificates,youcanconfigureyourGlobalProtectportaltoactasa
SimpleCertificateEnrollmentProtocol(SCEP)clienttoaSCEPserverinyourenterprisePKI.
SCEPoperationisdynamicinthattheenterprisePKIgeneratesauserspecificcertificatewhentheportal
requestsitandsendsthecertificatetotheportal.Theportalthentransparentlydeploysthecertificatetothe
client.Whenauserrequestsaccess,theagentorappcanthenpresenttheclientcertificatetoauthenticate
withtheportalorgateway.
TheGlobalProtectportalorgatewayusesidentifyinginformationaboutthedeviceandusertoevaluate
whethertopermitaccesstotheuser.GlobalProtectblocksaccessifthehostIDisonadeviceblocklistorif
thesessionmatchesanyblockingoptionsspecifiedinacertificateprofile.Ifclientauthenticationfailsdueto
aninvalidSCEPbasedclientcertificate,theGlobalProtectclienttriestoauthenticatewiththeportalperthe
settingsintheauthenticationprofileandretrievethecertificate.Iftheclientcannotretrievethecertificate
fromtheportal,thedeviceisnotabletoconnect.
DeployUserSpecificClientCertificatesforAuthentication
Step1 CreateaSCEPprofile. 1. SelectDevice > Certificate Management > SCEPandthenAdd

anewprofile.
2. EnteraNametoidentifytheSCEPprofile.
Step2 (Optional)TomaketheSCEPbased Selectoneofthefollowingoptions:

certificategenerationmoresecure, None(Default)TheSCEPserverdoesnotchallengetheportal
configureaSCEPchallengeresponse beforeitissuesacertificate.
mechanismbetweenthePKIandportal FixedObtaintheenrollmentchallengepasswordfromthe
foreachcertificaterequest. SCEPserverinthePKIinfrastructureandthenenterthe
Afteryouconfigurethismechanism,its passwordintothePasswordfield.
operationisinvisible,andnofurther DynamicEnterausernameandpasswordofyourchoice
inputfromyouisnecessary. (possiblythecredentialsofthePKIadministrator)andtheSCEP
TocomplywiththeU.S.Federal Server URLwheretheportalclientsubmitsthesecredentials.
InformationProcessingStandard(FIPS), TheusesthecredentialstoauthenticatewiththeSCEPserver
useaDynamicSCEPchallengeand whichtransparentlygeneratesanOTPpasswordfortheportal
specifyaServer URLthatusesHTTPS uponeachcertificaterequest.(YoucanseethisOTPchange
(seeStep 7). afterascreenrefreshinThe enrollment challenge password
isfieldaftereachcertificaterequest.)ThePKItransparently
passeseachnewpasswordtotheportal,whichthenusesthe
passwordforitscertificaterequest.
DeployUserSpecificClientCertificatesforAuthentication(Continued)
Step3 Specifythesettingsfortheconnection 1. ConfiguretheServer URLthattheportalusestoreachthe

betweentheSCEPserverandtheportal SCEPserverinthePKI(forexample,
toenabletheportaltorequestand http://10.200.101.1/certsrv/mscep/).
receiveclientcertificates. 2. Enterastring(upto255charactersinlength)intheCA-IDENT
Whenauserattemptstologintothe NamefieldtoidentifytheSCEPserver.
portal,theendpointsendsidentifying
3. EntertheSubjectnametouseinthecertificatesgeneratedby
informationaboutitthatincludesitshost
theSCEPserver.Thesubjectmustbeadistinguishednamein
IDvalue.ThehostIDvaluevariesby
the<attribute>=<value>formatandmustincludea
devicetype,eitherGUID(Windows)
commonname(CN)key.TheCNsupportsthefollowing
MACaddressoftheinterface(Mac),
dynamicvariables:$USERNAME,$EMAILADDRESS,and$HOSTID.
AndroidID(Androiddevices),UDID(iOS
Usetheusernameoremailaddressvariabletoensurethatthe
devices),orauniquenamethat
portalrequestscertificatesforaspecificuser.Torequest
GlobalProtectassigns(Chrome).
certificatesforthedeviceonly,specifythehostIDvariable.
Youcanincludeadditionalinformation WhentheGlobalProtectportalpushestheSCEPsettingsto
abouttheclientdeviceoruserby theagent,theCNportionofthesubjectnameisreplacedwith
specifyingtokensintheSubjectnameof theactualvalue(username,hostid,oremailaddress)ofthe
thecertificate. certificateowner(forexample,O=acme,CN=$HOSTID).
Theportalincludesthetokenvalueand
4. SelecttheSubject Alternative Name Type:
hostIDintheCSRrequesttotheSCEP
server. RFC 822 NameEntertheemailnameinacertificates
subjectorSubjectAlternativeNameextension.
DNS NameEntertheDNSnameusedtoevaluate
certificates.
Uniform Resource IdentifierEnterthenameofthe
resourcefromwhichtheclientwillobtainthecertificate.
NoneDonotspecifyattributesforthecertificate.
Step4 (Optional)Configurecryptographic Selectthekeylength(Number of Bits)forthecertificate.

settingsforthecertificate. IfthefirewallisinFIPSCCmodeandthekeygeneration
algorithmisRSA.TheRSAkeysmustbe2,048bitsorlarger.
SelecttheDigest for CSR whichindicatesthedigestalgorithmfor
thecertificatesigningrequest(CSR):sha1,sha256,orsha384.
Sha512isnotsupportedasadigestalgorithmforclient
certificatesonGlobalProtectendpoints.
Step5 (Optional)Configurethepermitteduses Tousethiscertificateforsigning,selecttheUse as digital

ofthecertificate,eitherforsigningor signature checkbox.Thisenablestheendpointusetheprivate
encryption. keyinthecertificatetovalidateadigitalsignature.
Tousethiscertificateforencryption,selecttheUse for key
enciphermentcheckbox.Thisenablestheclientusetheprivate
keyinthecertificatetoencryptdataexchangedovertheHTTPS
connectionestablishedwiththecertificatesissuedbytheSCEP
server.
Step6 (Optional)Toensurethattheportalis 1. EntertheURLfortheSCEPserversadministrativeUI(for

connectingtothecorrectSCEPserver, example,http://<hostname or
entertheCA Certificate Fingerprint. IP>/CertSrv/mscep_admin/).
ObtainthisfingerprintfromtheSCEP 2. CopythethumbprintandenteritintheCA Certificate
serverinterfaceintheThumbprintfield. Fingerprintfield.
DeployUserSpecificClientCertificatesforAuthentication(Continued)
Step7 EnablemutualSSLauthentication SelecttheSCEPserversrootCA Certificate.Optionally,youcan

betweentheSCEPserverandthe enablemutualSSLauthenticationbetweentheSCEPserverand
GlobalProtectportal.Thisisrequiredto theGlobalProtectportalbyselectingaClient Certificate.
complywiththeU.S.FederalInformation
ProcessingStandard(FIPS).
FIPSCCoperationisindicatedon
thefirewallloginpageandinits
statusbar.
Step8 Saveandcommittheconfiguration. 1. ClickOKtosavethesettingsandclosetheSCEPconfiguration.

2. Committheconfiguration.
TheportalattemptstorequestaCAcertificateusingthesettingsin
theSCEPprofileandsavesittothefirewallhostingtheportal.If
successful,theCAcertificateisshowninDevice > Certificate
Management > Certificates.
Step9 (Optional)IfaftersavingtheSCEP 1. SelectDevice > Certificate Management > Certificates >

profile,theportalfailstoobtainthe Device Certificates andthenclickGenerate.
certificate,youcanmanuallygeneratea 2. EnteraCertificate Name.Thisnamecannotcontainspaces.
certificatesigningrequest(CSR)fromthe
portal. 3. SelecttheSCEP ProfiletousetosubmitaCSRtoyour
enterprisePKI.
4. ClickOKtosubmittherequestandgeneratethecertificate.
Step10 SetUpTwoFactorAuthentication. AssigntheSCEPprofileaGlobalProtectportalagentconfiguration

toenabletheportaltotransparentlyrequestanddeployclient
certificatestoclientsthatreceivetheconfiguration.
SetUpTwoFactorAuthentication Authentication
SetUpTwoFactorAuthentication
Ifyourequirestrongauthenticationtoprotectsensitiveassetsortocomplywithregulatoryrequirements,
suchasPCI,SOX,orHIPAA,configureGlobalProtecttouseanauthenticationservicethatusesatwofactor
authenticationscheme.Atwofactorauthenticationschemerequirestwothings:somethingtheenduser
knows(suchasaPINorpassword)andsomethingtheenduserhas(ahardwareorsoftwaretoken/OTP,
smartcard,orcertificate).Youcanalsoenabletwofactorauthenticationusingacombinationofexternal
authenticationservices,andclientandcertificateprofiles.
ThefollowingtopicsprovideexamplesforhowtosetuptwofactorauthenticationonGlobalProtect:
EnableTwoFactorAuthenticationUsingCertificateandAuthenticationProfiles
EnableTwoFactorAuthenticationUsingOneTimePasswords(OTPs)
EnableTwoFactorAuthenticationUsingSmartCards
Enable Two-Factor Authentication Using Certificate and Authentication

Profiles
ThefollowingworkflowdescribeshowtoconfigureGlobalProtectclientauthenticationrequiringtheuserto
authenticatebothtoacertificateprofileandanauthenticationprofile.Theusermustsuccessfully
authenticateusingbothmethodsinordertoconnecttotheportal/gateway.Formoredetailsonthis
configuration,seeRemoteAccessVPNwithTwoFactorAuthentication.
Authentication SetUpTwoFactorAuthentication
Step1 Createanauthenticationserverprofile. 1. SelectDevice > Server Profilesandaprofiletype(LDAP,

Theauthenticationserverprofile Kerberos,RADIUS,orTACACS+).
determineshowthefirewallconnectsto 2. Addanewserverprofile.
anexternalauthenticationserviceand
3. EnteraProfileNamefortheprofile,suchasGPUserAuth.
retrievestheauthenticationcredentials
foryourusers. 4. (LDAPonly)SelecttheTypeofLDAPserver(active-directory,
IfyouareusingLDAPtoconnect e-directory,sun,orother).
toActiveDirectory(AD),you 5. ClickAddintheServerslistsectionandthenentertherequired
mustcreateaseparateLDAP informationforconnectionstotheauthenticationservice,
serverprofileforeveryAD includingtheserverName,IPaddressorFQDNoftheServer,
domain. andPort.
6. (RADIUS,TACACS+,andLDAPonly)Specifysettingsto
enablethefirewalltoauthenticatetotheauthentication
serviceasfollows:
RADIUSandTACACS+EnterthesharedSecretwhen
addingtheserverentry.
LDAPEntertheBind DNandPassword.
7. (LDAPonly)IfyouwanttheendpointtouseSSLorTLSfora
moresecureconnectionwiththedirectoryserver,selectthe
Require SSL/TLS secured connectioncheckbox(selectedby
default).Theprotocolthatthedeviceusesdependsonthe
serverPortinthe Server list:
389(default)TLS(specifically,thedeviceusestheStartTLS
operationtoupgradetheinitialplaintextconnectiontoTLS).
636SSL.
directoryserverdoesnotsupportTLS,thedeviceusesSSL.
8. (LDAPonly)Foradditionalsecurity,selecttheVerify Server
Certificate for SSL sessionscheckboxsothattheendpoint
verifiesthecertificatethatthedirectoryserverpresentsfor
SSL/TLSconnections.Toenableverification,youalsomust
selecttheRequire SSL/TLS secured connectioncheckbox.
Forverificationtosucceed,oneofthefollowingconditions
mustbetrue:
Thecertificateisinthelistofdevicecertificates:Device >
Certificate Management > Certificates > Device
Certificates.Importthecertificateintotheendpointif
necessary.
EnableTwoFactorAuthenticationUsingCertificateandAuthenticationProfiles(Continued)
Step2 Createanauthenticationprofilethat 1. SelectDevice > Authentication Profile andAddanewprofile.

identifiestheserviceforauthenticating 2. EnteraNamefortheprofile.
users.(Youlaterhavetheoptionof
assigningtheprofileontheportalandon 3. SelecttheLocation.
gateways.) 4. SelecttheTypeofAuthentication(LDAP,Kerberos,RADIUS,
orTACACS+).
5. SelecttheServer ProfileyoucreatedinStep 1.
6. (LDAPonly)EntersAMAccountNameastheLogin Attribute.
7. ClickOK tosavetheauthenticationprofile.
Step3 Createaclientcertificateprofilethatthe 1. SelectDevice > Certificates > Certificate Management >

portalusestoauthenticatetheclient Certificate ProfileandclickAddandenteraprofileName.
certificatesthatcomefromuserdevices. 2. SelectavaluefortheUsername Field:
Whenyouconfiguretwofactor Ifyouintendfortheclientcertificatetoauthenticate
authenticationtouseclient individualusers,selectthecertificatefieldthatidentifiesthe
certificates,theexternal user.
authenticationserviceusesthe
Ifyouaredeployingtheclientcertificatefromtheportal,
usernamevaluetoauthenticate
leavethisfieldsettoNone.
theuser,ifspecified,intheclient
certificate.Thisensuresthatthe Ifyouaresettingupacertificateprofileforusewitha
userwhoisloggingisinisactually prelogonconnectmethod,leavethefieldsettoNone.
theusertowhomthecertificate 3. IntheCA Certificatesarea,clickAddandthen:
wasissued. a. SelecttheCA certificate,eitheratrustedrootCAcertificate
ortheCAcertificatefromaSCEPserver.(Ifnecessary,
importthecertificate).
b. (Optional)EntertheDefault OCSP URL.
c. (Optional)SelectacertificateforOCSP Verify CA.
4. (Optional)Selectoptionsthatspecifywhentoblocktheusers
requestedsession:
a. Statusofcertificateisunknown.
b. GlobalProtectcomponentdoesnotretrievecertificate
statuswithinthenumberofsecondsinCertificate Status
Timeout.
c. Theauthenticatingdevicethatisconsideringthelogin
requestdidnotissuethecertificatethattheuserisoffering.
5. ClickOK.
Step4 (Optional)Issueclientcertificatesto 1. UseyourenterprisePKIorapublicCAtoissueaclient

GlobalProtectclientsandendpoints. certificatetoeachGlobalProtectuser.
Totransparentlydeployclient 2. Fortheprelogonconnectmethods,installcertificatesinthe
certificates,configureyourportalto personalcertificatestoreontheclientsystems.
distributeasharedclientcertificateto
yourendpointsorconfiguretheportalto
useSCEPtorequestanddeployunique
clientcertificatesforeachuser.
Step5 SavetheGlobalProtectconfiguration. ClickCommit.
Enable Two-Factor Authentication Using One-Time Passwords (OTPs)
Usethisworkflowtoconfiguretwofactorauthenticationusingonetimepasswords(OTPs)ontheportal
andgateways.Whenauserrequestsaccess,theportalorgatewaypromptstheusertoenteranOTP.The
authenticationservicesendstheOTPasatokentotheusersRSAdevice.
Settingupatwofactorauthenticationschemeissimilartosettingupothertypesofauthenticationand
requiresyoutoconfigure:
Aserverprofile(usuallyforaRADIUSservicefortwofactorauthentication)assignedtoan
authenticationprofile.
Aclientauthenticationprofilethatincludestheauthenticationprofilefortheservicethatthese
componentsuse.
Bydefault,theagentsuppliesthesamecredentialsitusedtologintotheportalandtothegateway.Inthe
caseofOTPauthentication,thisbehaviorwillcausetheauthenticationtoinitiallyfailonthegatewayand,
becauseofthedelaythiscausesinpromptingtheuserforalogin,theusersOTPmayexpire.Toprevent
this,youmustconfiguretheportalsandgatewaysthatpromptfortheOTPinsteadofusingthesame
credentialsonaperagentconfigurationbasis.
YoucanalsoreducethefrequencyinwhichusersarepromptedforOTPsbyconfiguringanauthentication
override.Thisenablestheportalsandgatewaystogenerateandacceptasecureencryptedcookieto
authenticatetheuserforaspecifiedamountoftime.Theportalsand/orgatewayswillnotrequireanewOTP
untilthecookieexpiresthusreducingthenumberoftimesusersmustprovideanOTP.
EnableTwoFactorAuthenticationUsingOTPs
Step1 Afteryouhaveconfiguredthebackend Forspecificinstructions,refertothedocumentationforyour

RADIUSservicetogeneratetokensfor RADIUSserver.Inmostcases,youneedtosetupanauthentication
theOTPsandensuredusershaveany agentandaclientconfigurationontheRADIUSservertoenable
necessarydevices(suchasahardware communicationbetweenthefirewallandtheRADIUSserver.You
token),setupaRADIUSserverto alsodefinethesharedsecrettouseforencryptingsessions
interactwiththefirewall. betweenthefirewallandtheRADIUSserver.
Step2 Oneachfirewallthathoststhegateways 1. SelectDevice > Server Profiles > RADIUS.

and/orportal,createaRADIUSserver 2. Addanewprofile.
profile.(Forasmalldeployment,one
firewallcanhosttheportaland 3. EnteraNameforthisRADIUSprofile.
gateways.) 4. EnteraRADIUSDomainname.
WhencreatingtheRADIUS 5. IntheServersarea,AddaRADIUSinstanceandenter:
serverprofile,alwaysentera
AdescriptiveNametoidentifythisRADIUSserver
Domainname.Thisvalueserves
asthedefaultdomainforUserID TheRADIUS ServerIPaddress
mappingifusersdontsupplya ThesharedSecretforencryptingsessionsbetweenthe
UserIDuponlogin. firewallandtheRADIUSserver
ThePortnumberonwhichtheRADIUSserverlistensfor
authenticationrequests(default1812)
6. ClickOKtosavetheprofile.
EnableTwoFactorAuthenticationUsingOTPs(Continued)
Step3 Createanauthenticationprofile. 1. SelectDevice > Authentication Profile.

2. Addanewprofile.
3. EnteraNamefortheprofile.Thenamecannotcontainspaces.
4. Select RADIUSastheTypeofauthenticationservice.
5. SelecttheServer Profileyoucreatedforaccessingyour
RADIUSserver.
6. ClickOKtosavetheauthenticationprofile.
Step4 Assigntheauthenticationprofiletothe 1. SelectNetwork > GlobalProtect > Gatewaysandanexisting

GlobalProtectgateway(s)and/orportal. gatewayconfigurationbyname(orAddone).Ifyouareadding
YoucanconfiguremultipleClient anewgateway,specifyitsname,location,andnetwork
Authenticationconfigurationsforthe parameters.
portalandgateways.ForeachClient 2. OntheAuthenticationtab,selectanSSL/TLSserviceprofileor
Authenticationconfigurationyoucan Addanewprofile.
specifytheauthenticationprofileto
3. AddaClientAuthenticationconfigurationandenteritsName.
applytoendpointsofaspecificOS.
Thisstepdescribesonlyhowtoaddthe 4. SelecttheendpointOStowhichthisconfigurationapplies.
authenticationprofiletothegatewayor 5. SelecttheAuthentication ProfileyoucreatedinCreatean
portalconfiguration.Foradditional authenticationprofile.
detailsonsettingupthesecomponents,
6. (Optional)Enteracustomauthenticationmessage.
seeGlobalProtectGatewaysand
GlobalProtectPortals. 7. ToaddadditionalClientAuthenticationconfigurations,repeat
steps3through6.
8. ClickOKtosavetheconfiguration.
9. Toaddothergateways,repeatsteps2through8.
10. Toassigntheauthenticationprofiletotheportal,select
Network > GlobalProtect > Portals andrepeatsteps2
through 8.
Step5 (Optional)Configuretheportalor 1. SelectNetwork > GlobalProtect > Portalsandselectan

gatewaystopromptforausernameand existingportalconfiguration.
passwordoronlyapasswordeachtime 2. SelectAgent.
theuserlogsin.Savingthepasswordis
notsupportedwithtwofactor 3. SelectanexistingagentconfigurationorAddone.
authenticationusingOTPsbecausethe 4. SetSave User CredentialstoSave Username OnlyorNo.This
usermustenteradynamicpassword settingenablesGlobalProtecttopromptfordynamic
eachtimetheylogin. passwordsforeachcomponentyouselectinthefollowing
Thisstepdescribesonlyhowto step.
configurethepasswordsettingina 5. ClickOKtwicetosavetheconfiguration.
portalagentconfiguration.Foradditional
details,seeCustomizetheGlobalProtect
Agent.
Step6 SelecttheGlobalProtectcomponents 1. SelectNetwork > GlobalProtect > Portalsandselectan

portalandtypesofgatewaysthat existingportalconfiguration.
promptfordynamicpasswords,suchas 2. SelectAgent.
OTPs,insteadofusingsavedcredentials.
3. SelectanexistingagentconfigurationorAddone.
4. SelecttheAuthenticationtab,andthenselectthe
ComponentsthatRequireDynamicPasswords(TwoFactor
Authentication).Whenselected,theportaland/ortypesof
gatewayspromptforOTPs.
5. ClickOKtwicetosavetheconfiguration.
Step7 Ifsinglesignon(SSO)isenabled,disable 1. SelectNetwork > GlobalProtect > Portalsandselecttheportal

it.Theagentconfigurationspecifies configuration.
RADIUSastheauthenticationserviceso 2. SelectAgentandthenselecttheagentconfiguration(orAdd
KerberosSSOisnotsupported. one).
Thisstepdescribesonlyhowtodisable
3. SelecttheApptab.
SSO.Formoredetails,seeDefinethe
GlobalProtectAgentConfigurations. 4. SetUse Single Sign-ontoNo.
Step8 (Optional)Tominimizethenumberof 1. SelectNetwork > GlobalProtect > GatewaysorPortalsand

timesausermustprovidecredentials, selecttheconfiguration(orAddone).
configureanauthenticationoverride. 2. SelectAgent > Client Settings(onthegateway)orAgent(on
Bydefault,theportalorgateways theportal)andthenselecttheconfiguration(orAddone).
authenticatetheuserwithan
3. IntheAuthentication Overridearea,configurethefollowing:
authenticationprofileandoptional
certificateprofile.Withauthentication Generate cookie for authentication overrideEnablethe
override,theportalorgateway portalorgatewaytogenerateencrypted,endpointspecific
authenticatestheuserwithanencrypted cookies.Afteruserssuccessfullyauthenticate,theportalor
cookiethatithasdeployedtothe gatewayissuetheauthenticationcookietotheendpoint.
endpoint.Whilethecookieisvalid,the Accept cookie for authentication overrideSelectthe
usercanloginwithoutenteringregular checkboxtoinstructtheportalorgatewaytoauthenticate
credentialsoranOTP.Formore theuserthroughavalid,encryptedcookie.Whenthe
information,seeCookieAuthentication endpointpresentsavalidcookie,theportalorgateway
onthePortalorGateway. verifiesthatthecookiewasencryptedbytheportalor
Ifyouneedtoimmediatelyblock gateway,decryptsthecookie,andthenauthenticatesthe
accesstoadevicewhosecookie user.
hasnotyetexpired(forexample, Cookie LifetimeSpecifythehours,days,orweeksthatthe
ifthedeviceislostorstolen),you cookieisvalid.Typicallifetimeis24hoursforgateways
canBlockDeviceAccessby whichprotectsensitiveinformationor15daysforthe
addingthedevicetoablocklist. portal.Therangeforhoursis172;forweeks,152;andfor
Formoredetails,see days,1365.Afterthecookieexpiresoneithertheportalor
GlobalProtectGatewaysand gateway(whicheveroccursfirst),theportalorgateway
GlobalProtectPortals. promptstheusertoauthenticateandsubsequently
encryptsanewcookietosendtotheendpoint.
Certificate to Encrypt/Decrypt CookieSelecttheRSA
certificatetousetoencryptanddecryptthecookie.You
mustusethesamecertificateontheportalandgateways.
Asabestpractice,configuretheRSAcertificateto
usethestrongestdigestalgorithmthatyour
networksupports.
TheportalandgatewaysusetheRSAencryptpadding
schemePKCS#1V1.5togeneratethecookie(usingthe
publickeyofthecertificate)anddecryptthecookie(using
theprivatekeyofthecertificate).
Step10 Verifytheconfiguration. FromanendpointrunningtheGlobalProtectagent,trytoconnect

Thegatewayandportalmustbe toagatewayorportalonwhichyouenabledOTPauthentication.
configuredbeforeyoutakehisstep.For Youshouldseetwopromptssimilartothefollowing:
detailsonsettingupthesecomponents, ThefirstpromptrequestsaPIN(eitherauserorsystemgenerated
seeGlobalProtectGatewaysand PIN):
GlobalProtectPortals.
ThesecondpromptrequestsyourtokenorOTP:
Enable Two-Factor Authentication Using Smart Cards
Ifyouwanttoenableyourenduserstoauthenticateusingasmartcardorcommonaccesscard(CAC),you
mustimporttheRootCAcertificatethatissuedthecertificatescontainedontheenduserCACorsmart
cardsontotheportalandgateway.YoucanthencreateacertificateprofilethatincludesthatRootCAand
applyittoyourportaland/orgatewayconfigurationstoenableuseofthesmartcardintheauthentication
process.
EnableSmartCardAuthentication
Step1 Setupyoursmartcardinfrastructure. Forspecificinstructions,refertothedocumentationfortheuser

Thisprocedureassumesthatyouhave authenticationprovidersoftware.
deployedsmartcardsandsmartcard Inmostcases,settingupthesmartcardinfrastructureinvolvesthe
readerstoyourendusers. generatingofcertificatesforendusersandfortheparticipating
servers,whicharetheGlobalProtectportalandgateway(s)inthis
usecase.
EnableSmartCardAuthentication(Continued)
Step2 ImporttheRootCAcertificatethat Makesurethecertificateisaccessiblefromyourmanagement

issuedtheclientcertificatescontained systemandthencompletethefollowingsteps:
ontheendusersmartcards. 1. SelectDevice > Certificate Management > Certificates >
Device Certificates.
2. ClickImportandenteraCertificate Name.
3. EnterthepathandnametotheCertificate Filereceivedfrom
theCA,orBrowsetofindthefile.
4. SelectBase64 Encoded Certificate (PEM) astheFile Format
andthenclickOKtoimportthecertificate.
Step3 Createthecertificateprofile. Createthecertificateprofileoneachportal/gatewayonwhichyou

Fordetailsonothercertificate plantouseCACorsmartcardauthentication:
profilefields,suchaswhetherto 1. SelectDevice > Certificate Management > Certificate Profile
useCRLorOCSP,refertothe andclickAddandenteraprofileName.
onlinehelp.
2. IntheUsernamefield,selectthecertificatefieldthatPANOS
usestomatchtheIPaddressforUserID,eitherSubjecttouse
acommonname,Subject Alt: Emailtouseanemailaddress,
orSubject Alt: Principal Name tousethePrincipalName.
3. IntheCA Certificatesfield,clickAdd,selectthetrustedroot
CA CertificateyouimportedinStep 2andthenclickOK.
4. ClickOKtosavethecertificateprofile.
Step4 Assignthecertificateprofiletothe 1. SelectNetwork > GlobalProtect > GatewaysorPortalsand

gateway(s)orportal.Thissection selecttheconfiguration(orAddanewone).
describesonlyhowtoaddthecertificate 2. OntheAuthenticationtab,selecttheCertificate Profileyou
profiletothegatewayorportal justcreated.
configuration.Fordetailsonsettingup
thesecomponents,seeGlobalProtect 3. ClickOKtosavetheconfiguration.
GatewaysandGlobalProtectPortals.
EnableSmartCardAuthentication(Continued)
Step6 Verifytheconfiguration. FromaclientsystemrunningtheGlobalProtectagent,tryto

Thegatewayandportalmustbe connecttoagatewayorportalonwhichyouenabledOTP
configuredbeforeyoutakehisstep.For authentication.Youshouldseetwopromptssimilartothe
detailsonsettingupthesecomponents, following:
seeGlobalProtectGatewaysand ThefirstpromptrequestsaPIN(eitherauserorsystemgenerated
GlobalProtectPortals. PIN):
ThesecondpromptrequestsyourtokenorOTP:
SetUpAuthenticationforstrongSwanUbuntuandCentOSClients Authentication
SetUpAuthenticationforstrongSwanUbuntuandCentOS
Clients
ToextendGlobalProtectVPNremoteaccesssupporttostrongSwanUbuntuandCentOSclients,setup
authenticationforthestrongSwanclients.
ToviewtheminimumGlobalProtectreleaseversionthatsupportsstrongSwanonUbuntuLinuxandCentOS,see
WhatClientOSVersionsareSupportedwithGlobalProtect?.
ToconnecttotheGlobalProtectgateway,theusermustsuccessfullyauthenticate.Thefollowingworkflows
showexamplesofhowtoenableauthenticationforstrongSwanclients.Forcompleteinformationabout
strongSwan,seethestrongSwanwiki.
EnableAuthenticationUsingaCertificateProfile
EnableAuthenticationUsinganAuthenticationProfile
EnableAuthenticationUsingTwoFactorAuthentication
Enable Authentication Using a Certificate Profile
ThefollowingworkflowshowshowtoenableauthenticationforstrongSwanclientsusingacertificate
profile.
EnableAuthenticationUsingaCertificateProfile
Step1 ConfigureanIPSectunnelfortheGlobalProtect 1. SelectNetwork > GlobalProtect > Gatewaysandthen

gatewayforcommunicatingwithastrongSwan selectthegatewayname.
client. 2. SelecttheCertificate Profileyouwanttousefor
authenticationintheAuthentication tab.
3. SelectAgent > Tunnel Settingsandspecifythe
followingsettingstosetupatunnel:
SelectthecheckboxtoEnable X-Auth Support.
IfaGroup NameandGroup Passwordarealready
configured,removethem.
ClickOKtosavethesettings.
Authentication SetUpAuthenticationforstrongSwanUbuntuandCentOSClients
EnableAuthenticationUsingaCertificateProfile(Continued)
Step2 Verifythatthedefaultconnectionsettingsinthe Modifythefollowingsettingsintheconn %default

conn %defaultsectionoftheIPSectunnel sectionoftheipsec.conffiletotheserecommended
configurationfile(ipsec.conf)arecorrectly settings.
definedforthestrongSwanclient. ikelifetime=20m
Theipsec.conffileisusuallyfoundinthe/etc reauth=yes
folder. rekey=yes
Theconfigurationsinthisprocedureare keylife=10m
testedandverifiedforthefollowing rekeymargin=3m
releases: rekeyfuzz=0%
Ubuntu14.0.4withstrongSwan5.1.2 keyingtries=1
andCentOS6.5withstrongSwan5.1.3 type=tunnel
forPANOS6.1.
Ubuntu14.0.4withstrongSwan5.2.1
forPANOS7.0.
Theconfigurationsinthisprocedurecan
beusedforreferenceifyouareusinga
differentversionofstrongSwan.Referto
thestrongSwanwikiformore
information.
Step3 ModifythestrongSwanclientsIPSec Modifythefollowingitemsintheipsec.conffiletothese

configurationfile(ipsec.conf)andtheIPSec recommendedsettings.
passwordfile(ipsec.secrets)touse conn <connection name>
recommendedsettings. keyexchange=ikev1
authby=rsasig
Theipsec.secrets fileisusuallyfoundinthe ike=aes-sha1-modp1024,aes256
/etc folder. left=<strongSwan/Linux-client-IP-address>
leftcert=<client certificate with the
UsethestrongSwanclientusernameasthe strongSwan client username used as the
certificatescommonname. certificates common name>
leftsourceip=%config
leftauth2=xauth
right=<GlobalProtect-Gateway-IP-address>
rightid=CN=<Subject-name-of-gateway-certifica
te>
rightsubnet=0.0.0.0/0
auto=add
Modifythefollowingitemsintheipsec.conffiletothese
recommendedsettings.
:RSA <private key file> <passphrase if used>
Step4 StartstrongSwanIPSecservicesandconnectto Ubuntu clients:

theIPSectunnelthatyouwantthestrongSwan ipsec start
clienttousewhenauthenticatingtothe ipsec up <name>
GlobalProtectgateway.
CentOS clients:
Usetheconfig <name>variabletonamethe
tunnelconfiguration. strongSwan start
strongswan up <name>
EnableAuthenticationUsingaCertificateProfile(Continued)
Step5 Verifythatthetunnelissetupcorrectlyandthe 1. Verifythedetailedstatusinformationonaspecific

VPNconnectionisestablishedtoboththe connection(bynamingtheconnection)orverifythe
strongSwanclientandtheGlobalProtect statusinformationforallconnectionsfromthe
gateway. strongSwanclient:
Ubuntuclients:
ipsec statusall [<connection name>]
CentOSclients:
strongswan statusall [<connection name>]
2. SelectNetwork > GlobalProtect > Gateways.Then,in
theInfocolumn,selectRemote Usersforthegateway
configuredfortheconnectiontothestrongSwan
client.ThestrongSwanclientshouldbelistedunder
Current Users.
Enable Authentication Using an Authentication Profile
ThefollowingworkflowshowshowtoenableauthenticationforstrongSwanclientsusinganauthentication
profile.TheauthenticationprofilespecifieswhichserverprofiletousewhenauthenticatingstrongSwan
clients.
EnableAuthenticationUsinganAuthenticationProfile
Step1 SetuptheIPSectunnelthattheGlobalProtect 1. SelectNetwork > GlobalProtect > Gatewaysand

gatewaywilluseforcommunicatingwitha selectthegatewayname.
strongSwanclient. 2. SelecttheAuthentication Profileyouwanttousein
theAuthentication tab.
EnteraGroup NameandGroup Passwordifthey
arenotalreadyconfigured.
ClickOKtosavethesetunnelsettings.
EnableAuthenticationUsinganAuthenticationProfile(Continued)
Step2 Verifythatthedefaultconnectionsettingsinthe Intheconn %defaultsectionofthe ipsec.conf file,

conn %defaultsectionoftheIPSectunnel configurethefollowingrecommendedsettings:
configurationfile(ipsec.conf)arecorrectly ikelifetime=20m
definedforthestrongSwanclient. reauth=yes
Theipsec.conffileisusuallyfoundinthe/etc rekey=yes
folder. keylife=10m
Theconfigurationsinthisprocedureare rekeymargin=3m
testedandverifiedforthefollowing rekeyfuzz=0%
releases:
keyingtries=1
Ubuntu14.0.4withstrongSwan5.1.2 type=tunnel
andCentOS6.5withstrongSwan5.1.3
forPANOS6.1.
forPANOS7.0.
Theconfigurationsinthisprocedurecan
beusedforreferenceifyouareusinga
differentversionofstrongSwan.Referto
thestrongSwanwikiformore
information.
Step3 ModifythestrongSwanclientsIPSec Configurethefollowingrecommendedsettingsinthe

configurationfile(ipsec.conf)andtheIPSec ipsec.conffile:
ikelifetime=1440m
Theipsec.secretsfileisusuallyfoundinthe keylife=60m
/etcfolder. aggressive=yes
ike=aes-sha1-modp1024,aes256
UsethestrongSwanclientusernameasthe esp=aes-sha1
certificatescommonname. xauth=client
left=<strongSwan/Linux-client-IP-address>
leftid=@#<hex of Group Name configured in the
GlobalProtect gateway>
leftsourceip=%modeconfig
leftauth=psk
rightauth=psk
leftauth2=xauth
right=<gateway-IP-address>
xauth_identity=<LDAP username>
auto=add
Configurethefollowingrecommendedsettingsinthe
ipsec.secretsfile:
:PSK <Group Name configured in the gateway>
<username> :XAUTH <user password>

CentOS clients:
strongSwan start
EnableAuthenticationUsinganAuthenticationProfile(Continued)

Ubuntuclients:
CentOSclients:
Current Users.
Enable Authentication Using Two-Factor Authentication
Withtwofactorauthentication,thestrongSwanclientneedstosuccessfullyauthenticateusingbotha
certificateprofileandanauthenticationprofiletoconnecttotheGlobalProtectgateway.Thefollowing
workflowshowshowtoenableauthenticationforstrongSwanclientsusingtwofactorauthentication.
EnableAuthenticationUsingTwoFactorAuthentication
Step1 SetuptheIPSectunnelthattheGlobalProtect 1. SelectNetwork > GlobalProtect > Gatewaysand

gatewaywilluseforcommunicatingwitha selectthegatewayname.
strongSwanclient. 2. SelecttheCertificate Profile andAuthentication
Profile youwanttouseintheAuthentication tab.
IfaGroup NameandGroup Passwordarealready
configured,removethem.
ClickOKtosavethesetunnelsettings.
EnableAuthenticationUsingTwoFactorAuthentication(Continued)
Step2 Verifythatthedefaultconnectionsettingsinthe Configurethefollowingrecommendedsettingsinthe

conn %defaultsectionoftheIPSectunnel ipsec.conffile:
configurationfile(ipsec.conf)arecorrectly ikelifetime=20m
definedforthestrongSwanclient. reauth=yes
Theipsec.conffileusuallyresidesinthe/etc rekey=yes
folder. keylife=10m
Theconfigurationsinthisprocedureare rekeymargin=3m
testedandverifiedforthefollowing rekeyfuzz=0%
releases:
keyingtries=1
Ubuntu14.0.4withstrongSwan5.1.2 type=tunnel
andCentOS6.5withstrongSwan5.1.3
forPANOS6.1.
forPANOS7.0.
Usetheconfigurationsinthisprocedure
asareferenceifyouareusingadifferent
versionofstrongSwan.Refertothe
strongSwanwikiformoreinformation.
Step3 ModifythestrongSwanclientsIPSec Configurethefollowingrecommendedsettingsinthe

configurationfile(ipsec.conf)andtheIPSec ipsec.conffile:
authby=xauthrsasig
Theipsec.secretsfileisusuallyfoundinthe ike=aes-sha1-modp1024
/etcfolder. esp=aes-sha1
xauth=client
UsethestrongSwanclientusernameasthe left=<strongSwan/Linux-client-IP-address>
certificatescommonname. leftcert=<client-certificate-without-password>
leftsourceip=%config
right=<GlobalProtect-gateway-IP-address>
rightid=%anyCN=<Subject-name-of-gateway-cert>
leftauth2=xauth
xauth_identity=<LDAP username>
auto=add
Configurethefollowingrecommendedsettingsinthe
ipsec.secretsfile:
<username> :XAUTH <user password>
:RSA <private key file> <passphrase if used>

CentOS clients:
strongSwan start
EnableAuthenticationUsingTwoFactorAuthentication(Continued)

Ubuntuclients:
CentOSclients:
Current Users.
Authentication SetUpMultiFactorAuthentication
SetUpMultiFactorAuthentication
YoucanleverageAuthenticationFeatureswithinGlobalProtecttosupportaccesstononHTTPapplications
thatrequiremultifactorauthentication.GlobalProtectcannotifyandprompttheusertoperformthetimely,
multifactorauthenticationneededtoaccesssensitivenetworkresources.
Whenmatchingpolicyagainstuserrequestsforresources,thefirewallfirstevaluatesAuthenticationpolicy
andthenSecuritypolicy.UponmatchinganAuthenticationpolicyrule,thefirewallfirstinvokestheprimary
authenticationserviceassociatedwiththerule.Theprimaryservicecanusesinglefactorauthentication
(suchasSAML2.0authenticationorclientcertificateauthentication)orMFAthatyouconfiguredthrougha
RADIUSserver.ThenthefirewallinvokeseachMFAservicethatyouconfiguredthroughanAPIintegration.
EachMFAservicecanprompttheusertoselectoneauthenticationmethodfromalistofseveral.
GlobalProtectsupportsthefollowingmethods:
PushAnendpointdevice(suchasaphoneortablet)promptstheusertoallowordenyauthentication.
Shortmessageservice(SMS)AnSMSmessagepromptstheusertoallowordenyauthentication.
VoiceAnautomatedphonecallpromptstheusertoauthenticatebypressingakey.
Onetimepassword(OTP)Theuserreceivesanautomaticallygeneratedalphanumericstringthat
enablesauthenticationforasingletransactionorsession.
AGlobalProtectclientisarequirementformultifactorauthenticationonnonHTTPapplications.For
browserbasedapplicationsthatrequiremultifactorauthentication,usersareautomaticallypresentedwith
AuthenticationPortalpage(previouslycalledtheCaptivePortalpage).FornonHTTPapplications,ifa
sessionmatchesanAuthenticationpolicyrule,thenthefirewallwillsendaUDPnotificationtothe
GlobalProtectclientwithanembeddedURLlinktotheAuthenticationPortalpage.GlobalProtectdisplays
thismessageasapopupnotificationtotheuser.
YoucancustomizethemessagethatGlobalProtectusersseewhenpromptedtoauthenticate.Clickingthis
linksendstheusertotheAuthenticationPortalpagewheretheycanstartthemultifactorauthentication
process(thesameaswithbrowserbasedHTTPapplications).
ForGlobalProtecttosupportmultifactorauthenticationonexternalgateways,youmust
configurearesponsepageonthetunnelinterface.RefertoConfigureMultiFactor
AuthenticationformoreinformationonhowtoconfigureanMFALoginresponsepage.
SetUpMultiFactorAuthentication Authentication
Authentication SetUpMultiFactorAuthentication
ConfigureGlobalProtecttoSupportMultiFactorAuthentication
Step1 BeforeyouconfigureGlobalProtect, Tousemultifactorauthenticationforprotectingsensitive

configuremultifactorauthenticationon resources,theeasiestsolutionistointegratethefirewallwithan
thefirewall. MFAvendorthatisalreadyestablishedinyournetwork.When
yourMFAstructureisready,youcanstartconfiguringthe
componentsofyourauthenticationpolicy.Formoreinformation,
refertoConfigureMultiFactorAuthentication.
EnableCaptivePortaltorecordauthenticationtimestampsand
updateusermappings.
Createserverprofilesthatdefinehowthefirewallwillconnect
totheservicesthatauthenticateusers.
AssigntheserverprofilestoanAuthenticationprofilewhich
specifiesauthenticationparameters.
ConfigureaSecuritypolicyrulethatallowsuserstoaccessthe
resourcesthatrequireauthentication.
Step2 ConfigureGlobalProtectclientsto 1. SelectNetwork > GlobalProtect > Portalsandselectaportal

supportmultifactorauthenticationfor configuration(orAddone).
nonHTTPapplications. 2. SelectAgentandthenselectanexistingagentconfigurationor
Addone.
3. IntheApptab,specifythefollowing:
SetEnable Inbound Authentication Prompts from MFA
GatewaystoYes.Tosupportmultifactorauthentication
(MFA),aGlobalProtectclientmustreceiveand
acknowledgeUDPpromptsthatareinboundfromthe
gateway.SelectYes toenableaGlobalProtectclientto
receiveandacknowledgetheprompt.Bydefault,thevalue
issettoNo meaningGlobalProtectwillblockUDPprompts
fromthegateway.
InNetwork Port for Inbound Authentication Prompts
(UDP),specifytheportnumberaGlobalProtectclientuses
toreceiveinboundauthenticationpromptsfromMFA
gateways.Thedefaultportis4501.Tochangetheport,
specifyanumberfrom1to65535.
InTrusted MFA Gateways,specifythelistofauthentication
gatewaysaGlobalProtectclientwilltrustformultifactor
authentication.WhenaGlobalProtectclientreceivesa
UDPmessageonthespecifiednetworkport,GlobalProtect
displaysanauthenticationmessageonlyiftheUDPprompt
comesfromatrustedgateway.
ConfiguretheDefault Message for Inbound
Authentication Prompts (forexample:You have
attempted to access a protected resource
that requires additional authentication.
Proceed to authenticate at \\server1\myapp).
Whenuserstrytoaccessaresourcethatrequiresadditional
authentication,GlobalProtectreceivesaninbound
authenticationpromptanddisplaysthismessage.Thislink
shoulddirectuserstotheAuthenticationPortalpageyou
specifiedinConfigureMultiFactorAuthentication.
Step3 Savetheagentconfiguration. 1. ClickOKtwice.

2. Commityourchanges.
EnableGroupMapping Authentication
EnableGroupMapping
Becausetheagentorapprunningonyourendusersystemsrequirestheusertosuccessfullyauthenticate
beforebeinggrantedaccesstoGlobalProtect,theidentityofeachGlobalProtectuserisknown.However,if
youwanttobeabletodefineGlobalProtectconfigurationsand/orsecuritypoliciesbasedongroup
membership,thefirewallmustretrievethelistofgroupsandthecorrespondinglistofmembersfromyour
directoryserver.Thisisknownasgroupmapping.
Toenablethisfunctionality,youmustcreateanLDAPserverprofilethatinstructsthefirewallhowto
connectandauthenticatetothedirectoryserverandhowtosearchthedirectoryfortheuserandgroup
information.AfterthefirewallconnectstotheLDAPserverandretrievesthegroupmappings,youcanselect
groupswhenyoudefinetheagentconfigurationsandsecuritypolicies.Thefirewallsupportsavarietyof
LDAPdirectoryservers,includingMicrosoftActiveDirectory(AD),NovelleDirectory,andSunONE
DirectoryServer.
UsethefollowingproceduretoconnecttoyourLDAPdirectorytoenablethefirewalltoretrieve
usertogroupmappinginformation:
Authentication EnableGroupMapping
MapUserstoGroups
Step1 CreateanLDAPServerProfilethat 1. SelectDevice > Server Profiles > LDAPandclickAdd.

specifieshowtoconnecttothe 2. EnteraProfile Nametoidentifytheserverprofile.
directoryserverstowhichthefirewall
shouldconnecttoobtaingroupmapping 3. Ifthisprofileisforafirewallwithmultiplevirtualsystems
information. capability,selectavirtualsystemorSharedastheLocation
4. ForeachLDAPserver(uptofour),AddandenteraName(to
identifytheserver),serverIPaddress(LDAP Serverfield),and
serverPort(default389).
5. SelecttheserverTypefromthedropdown:active-directory,
e-directory,sun,orother.
6. IfyouwantthedevicetouseSSLorTLSforamoresecure
connectionwiththedirectoryserver,selecttheRequire
SSL/TLS secured connectioncheckbox(itisselectedby
default).Theprotocolthatthedeviceusesdependsonthe
serverPort:
389(default)TLS(Specifically,thedeviceusesthe
StartTLSoperation,whichupgradestheinitialplaintext
connectiontoTLS.)
636SSL
directoryserverdoesntsupportTLS,thedevicefallsback
toSSL.
7. Foradditionalsecurity,youcanselecttheVerify Server
Certificate for SSL sessionscheckbox(itisclearedby
default)sothatthedeviceverifiesthecertificatethatthe
directoryserverpresentsforSSL/TLSconnections.Toenable
verification,youalsohavetoselecttheRequire SSL/TLS
secured connectioncheckbox.Forverificationtosucceed,
thecertificatemustmeetoneofthefollowingconditions:
Itisinthelistofdevicecertificates:Device > Certificate
Management > Certificates > Device Certificates.Import
thecertificateintothedevice,ifnecessary.
8. ClickOK.
Step2 AddtheLDAPserverprofiletothe 1. SelectDevice > User Identification > Group Mapping Settings
UserIDGroupMappingconfiguration. andclickAdd.
2. EnteraNamefortheconfiguration.
3. SelecttheServer Profileyoujustcreated.
4. MakesuretheEnabledcheckboxisselected.
EnableGroupMapping Authentication
MapUserstoGroups(Continued)
Step3 (Optional)Limitwhichgroupscanbe 1. Addexistinggroupsfromthedirectoryservice:

selectedinpolicyrules. a. SelecttheGroup Include Listtab.
Bydefault,ifyoudontspecifygroups,all b. IntheAvailableGroupslist,selectthegroupsyouwantto
groupsareavailableinpolicyrules. appearinpolicyrulesandclicktheAddicon .
2. Ifyouwanttobasepolicyrulesonuserattributesthatdont
matchexistingusergroups,createcustomgroupsbasedon
LDAPfilters:
a. SelecttheCustom GrouptabandclickAdd.
b. EnteragroupName thatisuniqueinthegroupmapping
configurationforthecurrentfirewallorvirtualsystem.If
theNamehasthesamevalueastheDistinguishedName
(DN)ofanexistingADgroupdomain,thefirewallusesthe
customgroupinallreferencestothatname(forexample,in
policiesandlogs).
c. SpecifyanLDAP Filterofupto2,048UTF8characters,
thenclickOK.ThefirewalldoesntvalidateLDAPfilters.
TooptimizeLDAPsearchesandminimizethe
performanceimpactontheLDAPdirectoryserver,
useonlyindexedattributesinthefilter.
Step4 Commityourchanges. ClickOKandCommit.
BecausetheGlobalProtectconfigurationthattheportaldeliverstotheagentsincludesthelistofgateways
theclientcanconnectto,itisagoodideatoconfigurethegatewaysbeforeconfiguringtheportal.
TheGlobalProtectGatewayscanbeconfiguredtoprovidetwomainfunctions:
EnforcesecuritypolicyfortheGlobalProtectagentsandappsthatconnecttoit.YoucanalsoenableHIP
collectiononthegatewayforenhancedsecuritypolicygranularity.FormoreinformationonenablingHIP
checks,seeHostInformation.
Providevirtualprivatenetwork(VPN)accesstoyourinternalnetwork.VPNaccessisprovidedthrough
anIPSecorSSLtunnelbetweentheclientandatunnelinterfaceonthegatewayfirewall.
YoucanalsoconfigureGlobalProtectgatewaysonVMSeriesfirewallsdeployedintheAWScloud.Bydeploying
theVMSeriesfirewallintheAWScloudyoucanquicklyandeasilydeployGlobalProtectgatewaysinanyregion
withouttheexpenseorITlogisticsthataretypicallyrequiredtosetupthisinfrastructureusingyourown
resources.Fordetails,seeUseCase:VMSeriesFirewallsasGlobalProtectGatewaysinAWS.
GlobalProtectGatewayConcepts
PrerequisiteTasksforConfiguringtheGlobalProtectGateway
ConfigureaGlobalProtectGateway
GlobalProtectGatewayConcepts GlobalProtectGateways
GlobalProtectGatewayConcepts
Thesesectionsprovideinformationaboutgatewayconnectionpriorityinamultiplegatewayconfiguration
andMIBsupportforGlobalProtectgateways.
GatewayPriorityinaMultipleGatewayConfiguration
GlobalProtectMIBSupport
Gateway Priority in a Multiple Gateway Configuration
Toenablesecureaccessforyourmobileworkforcenomatterwheretheyarelocated,youcanstrategically
deployadditionalPaloAltoNetworksnextgenerationfirewallsandconfigurethemasGlobalProtect
gateways.Todeterminethepreferredgatewaytowhichyouragentsconnect,addthegatewaystoaportal
agentconfigurationandassigneachgatewayaconnectionpriority.SeeDefinetheGlobalProtectAgent
Configurations.
IfaGlobalProtectportalagentconfigurationcontainsmorethanonegateway,theagentwillattemptto
connecttoallgatewayslistedinitsagentconfiguration.Theagentwillthenusepriorityandresponsetime
astodeterminethegatewaytowhichtoconnect.Theagentconnectstoalowerprioritygatewayonlyifthe
responsetimeforthehigherprioritygatewayisgreaterthantheaverageresponsetimeacrossallgateways.
Forexample,considerthefollowingresponsetimesforgw1andgw2:
Name Priority ResponseTime
gw1 Highest 80ms
gw2 High 25ms
Theagentdeterminesthattheresponsetimeforthegatewaywiththehighestpriority(highernumber)is
greaterthantheaverageresponsetimeforbothgateways(52.5ms)and,asaresult,connectstogw2.Inthis
example,theagentdidnotconnecttogw1eventhoughithadahigherprioritybecausearesponsetimeof
80mswashigherthantheaverageforboth.
Nowconsiderthefollowingresponsetimesforgw1,gw2,andathirdgateway,gw3:
Name Priority ResponseTime
gw1 Highest 30ms
gw2 High 25ms
gw3 Medium 50ms
Inthisexample,theaverageresponsetimeforallgatewaysis35ms.Theagentwouldthenevaluatewhich
gatewaysrespondedfasterthantheaverageresponsetimeandseethatgw1andgw2bothhadfaster
responsetimes.Theagentwouldthenconnecttowhichevergatewayhadthehighestpriority.Inthis
example,theagentconnectstogw1becausegw1hasthehighestpriorityofallthegatewayswithresponse
timesbelowtheaverage.
GlobalProtectGateways GlobalProtectGatewayConcepts
Inadditiontogatewaypriority,youaddoneormoresourceregionstoanexternalgatewayconfiguration,
GlobalProtectrecognizesthedeviceregionandonlyallowsusestoconnecttogatewaysthatareconfigured
forthatregion.Forgatewaychoices,sourceregionisconsideredfirst,thengatewaypriority.
GlobalProtect MIB Support
PaloAltoNetworksdevicessupportstandardandenterprisemanagementinformationbases(MIBs)that
enableyoutomonitorthedevicesphysicalstate,utilizationstatistics,traps,andotherusefulinformation.
MostMIBsuseobjectgroupstodescribecharacteristicsofthedeviceusingtheSimpleNetwork
ManagementProtocol(SNMP)Framework.YoumustloadtheseMIBsintoyourSNMPmanagertomonitor
theobjects(devicestatisticsandtraps)thataredefinedintheMIBs(fordetails,seeUseanSNMPManager
toExploreMIBsandObjectsinthePANOS8.0AdministratorsGuide).
ThePANCOMMONMIBwhichisincludedwiththeenterpriseMIBsusesthepanGlobalProtectobject
group.ThefollowingtabledescribestheobjectsthatmakeupthepanGlobalProtectobjectgroup.
Object Description
panGPGWUtilizationPct Utilization(asapercentage)oftheGlobalProtectgateway
panGPGWUtilizationMaxTunnels Maximumnumberoftunnelsallowed
panGPGWUtilizationActiveTunnels Numberofactivetunnels
UsetheseSNMPobjectstomonitorutilizationofGlobalProtectgatewaysandmakechangesasneeded.For
example,ifthenumberofactivetunnelsreaches80%orishigherthanthemaximumnumberoftunnels
allowed,youshouldconsideraddingadditionalgateways.
PrerequisiteTasksforConfiguringtheGlobalProtectGateway GlobalProtectGateways
PrerequisiteTasksforConfiguringtheGlobalProtect
Gateway
BeforeyoucanconfiguretheGlobalProtectgateway,youmusthavecompletedthefollowingtasks:
Createdtheinterfaces(andzones)fortheinterfacewhereyouplantoconfigureeachgateway.For
gatewaysthatrequiretunnelconnectionsyoumustconfigureboththephysicalinterfaceandthevirtual
tunnelinterface.SeeCreateInterfacesandZonesforGlobalProtect.
SetupthegatewayservercertificatesandSSL/TLSserviceprofilerequiredfortheGlobalProtectagent
toestablishanSSLconnectionwiththegateway.SeeEnableSSLBetweenGlobalProtectComponents.
Definedtheauthenticationprofilesand/orcertificateprofilesthatwillbeusedtoauthenticate
GlobalProtectusers.SeeAuthentication.
GlobalProtectGateways ConfigureaGlobalProtectGateway
ConfigureaGlobalProtectGateway
Afteryouhavecompletedtheprerequisitetasks,configuretheGlobalProtectGateways:
ConfiguretheGateway
Step1 Addagateway. 1. SelectNetwork > GlobalProtect > GatewaysandclickAdd.

2. IntheGeneralscreen,enteraNameforthegateway.The
gatewaynameshouldhavenospacesand,asabestpractice,
shouldincludethelocationorotherdescriptiveinformationto
helpusersandadministratorsidentifythegateway.
3. (Optional)Selectthevirtualsystemtowhichthisgateway
belongsfromtheLocationfield.
Step2 Specifythenetworkinformationthat 1. SelecttheInterfacethatclientswilluseforcommunication

enablesclientstoconnecttothe withthegateway.
gateway. 2. SpecifytheIP Address TypeandIP address forthegateway
Ifyouhaventcreatedthenetwork webservice:
interfaceforthegateway,seeCreate TheIPaddresstypecanbeIPv4(forIPv4trafficonly),IPv6
InterfacesandZonesforGlobalProtect (forIPv6trafficonly,orIPv4 and IPv6.UseIPv4 and IPv6if
forinstructions. yournetworksupportsdualstackconfigurations,where
IPv4andIPv6runatthesametime.
TheIPaddressmustbecompatiblewiththeIPaddress
type.Forexample,172.16.1/0forIPv4addressesor
21DA:D3:0:2F3B forIPv6addresses.Fordualstack
configurations,enterbothanIPv4andIPv6address.
3. ClickOKtosavechanges.
ConfigureaGlobalProtectGateway GlobalProtectGateways
ConfiguretheGateway(Continued)
Step3 Specifyhowthegatewayauthenticates SelectAuthenticationandthenconfigureanyofthefollowing:

users. Tosecurecommunicationbetweenthegatewayandtheagents,
IfyouhaventcreatedanSSL/TLSservice selecttheSSL/TLS Service Profileforthegateway.
profileforthegateway,seeDeploy Toauthenticateuserswithalocaluserdatabaseoranexternal
ServerCertificatestotheGlobalProtect authenticationservice,suchasLDAP,Kerberos,TACACS+,
Components. SAML,orRADIUS(includingOTP),AddaClientAuthentication
Ifyouhaventsetuptheauthentication configurationwiththefollowingsettings:
profilesorcertificateprofiles,see EnteraNametoidentifytheclientauthentication
Authenticationforinstructions. configuration.
Identifythetypeofclienttowhichthisconfiguration
applies.Bydefault,theconfigurationappliestoAnyclient,
butyoucancustomizethetypeofendpointbyOS (Android,
Chrome,iOS,Mac,Windows,orWindowsUWP)orby
thirdpartyIPSecVPNclients(X-Auth).
SelectoraddanAuthentication Profiletoauthenticatean
endpointseekingaccesstothegateway.
EnteranAuthentication Message tohelpendusers
understandwhichcredentialstousewhenloggingin.The
messagecanbeupto100charactersinlength(defaultis
Enter login credentials).
Toauthenticateusersbasedonaclientcertificateora
smartcard/CAC,selectthecorrespondingCertificate
Profile.
Tousetwofactorauthentication,selectbothanauthentication
profileandacertificateprofile.Keepinmindthattheusermust
successfullyauthenticateusingbothmethodstobegranted
access.
Step4 Enabletunnelingandconfigurethe 1. OntheGlobalProtectGatewayConfigurationdialog,select

tunnelparameters. Agent > Tunnel Settings.
Thetunnelparametersarerequiredif 2. SelecttheTunnel Modecheckboxtoenabletunneling.
youaresettingupanexternalgateway.If
3. SelecttheTunnel InterfaceyoudefinedinStep 2inCreate
youareconfiguringaninternalgateway,
InterfacesandZonesforGlobalProtect.
theyareoptional.
Ifyouwanttoforceuseof 4. (Optional)SpecifyMax User forthemaximumnumberof
SSLVPNtunnelmode,clearthe usersthatcanaccessthegatewayatthesametimefor
Enable IPSeccheckbox.By authentication,HIPupdates,andGlobalProtectagentupdates
default,SSLVPNwillonlybe (rangevariesbasedontheplatformandisdisplayedwhenthe
usediftheendpointfailsto fieldisempty).
establishanIPSectunnel. 5. SelectaGlobalProtect IPSec CryptoprofiletosecuretheVPN
Extendedauthentication tunnelsbetweenGlobalProtectagentsandgateways.The
(XAuth)isonlysupportedon defaultprofileusesAES128CBCencryptionandsha1
IPSectunnels. authentication.
IfyouEnable X-Auth Support, YoucanalsocreateanewIPSeccryptoprofile.Tocreatea
GlobalProtectIPSecCrypto newprofile,selectNewGlobalProtect IPSec Cryptointhe
profilesarenotapplicable. samedropdownandconfigurethefollowing:
Formoreinformationon a. EnteraNametoidentifytheprofile.
supportedcryptographic b. AddtheAuthenticationandEncryptionalgorithmsthatthe
algorithms,seeReference: VPNpeerscanusetonegotiatethekeysforsecuringthe
GlobalProtectAgent datainthetunnel:
CryptographicFunctions. EncryptionIfyouarenotcertainofwhattheVPNpeers
support,youcanaddmultipleencryptionalgorithmsin
toptobottomorderofmosttoleastsecure,asfollows:
aes-256-gcm,aes-128-gcm,aes-128-cbc.Thepeers
negotiatethestrongestalgorithmtoestablishthetunnel.
AuthenticationSelecttheauthenticationalgorithm
(sha1)toprovidedataintegrityandauthenticity
protection.Althoughtheauthenticationalgorithmis
requiredfortheprofile,thissettingonlyappliestothe
AESCBCcipher(aes-128-cbc).IfyouuseanAESGCM
encryptionalgorithm(aes-256-gcmor aes-128-gcm),
thesettingisignoredbecausetheseciphersnatively
provideESPintegrityprotection.
c. ClickOKtosavetheprofile.
6. (Optional)SelectEnable X-Auth Support ifanyendpoint
needstoconnecttothegatewaybyusingathirdpartyVPN
(forexample,aVPNCclientrunningonLinux).Ifyouenable
XAuth,youmustprovidetheGroupnameandGroup
Passwordiftheendpointrequiresit.Bydefault,theuserisnot
requiredtoreauthenticateifthekeyusedtoestablishthe
IPSectunnelexpires.Torequireuserstoreauthenticate,clear
theoptiontoSkip Auth on IKE Rekey.
AlthoughXAuthaccessissupportedoniOSand
Androidendpoints,itprovideslimitedGlobalProtect
functionalityontheseendpoints.Instead,usethe
GlobalProtectappforsimplifiedaccesstoallthe
securityfeaturesthatGlobalProtectprovidesoniOS
andAndroidendpoints.TheGlobalProtectappforiOS
isavailableattheAppleAppStore.TheGlobalProtect
appforAndroidisavailableatGooglePlay.
Step5 (Optional)Modifythedefaulttimeout OntheGlobalProtectGatewayConfigurationdialog,selectAgent

settingsforendpoints. > Timeout Settingsandthenconfigurethefollowingsettings:
ModifythemaximumLogin Lifetimeforasinglegatewaylogin
session.Thedefaultloginlifetimeis30daysduringthe
lifetime,theuserstaysloggedinaslongasthegatewayreceives
aHIPcheckfromtheendpointwithintheInactivity Logout
period.Afterthistime,theloginsessionautomaticallylogsout.
Modifytheamountoftimeafterwhichaninactivesessionis
automaticallyloggedout.ThedefaultInactivity Logoutperiodis
3hours.AuserisloggedoutofGlobalProtectifthegateway
doesnotreceiveaHIPcheckfromtheendpointduringthe
configuredamountoftime.
Modifythenumberofminutesafterwhichidleusersarelogged
outofGlobalProtect.ThedefaultperiodforDisconnect on Idle
is180minutes.UsersareloggedoutofGlobalProtectifthe
GlobalProtectagenthasnotroutedtrafficthroughtheVPN
tunnelintheconfiguredamountoftime.Thissettingappliesto
GlobalProtectagentsthatusetheondemandconnectmethod
only.
Step6 (Optional)Configureauthentication 1. OntheGlobalProtectGatewayConfigurationdialog,select

overridesettingstoenablethegateway Agent > Client Settings.
togenerateandacceptsecure, 2. Addanewagentconfigurationorselectanexisting
encryptedcookiestoauthenticatethe configuration.
user.Thiscapabilityallowstheuserto
providelogincredentialsonlyonce 3. EnteraNametoidentifytheagentconfiguration.
duringaspecifiedperiodoftime(for 4. ConfigurethefollowingsettingsintheAuthentication
example,every24hours). Override section:
Bydefault,agatewayauthenticatesthe Generate cookie for authentication overrideEnablethe
userwithanauthenticationprofileand gatewaytogenerateencrypted,endpointspecificcookies
optionalcertificateprofile.When andissuetheauthenticationcookiestotheendpoint.
authenticationoverrideisenabled, Accept cookie for authentication overrideEnablethe
GlobalProtectcachestheresultofa gatewaytoauthenticateuserswithavalid,encrypted
successfulloginandusesthecookieto cookie.Whentheagentpresentsavalidcookie,the
authenticatetheuserinsteadof gatewayverifiesthatthecookiewasencryptedbythe
promptingtheuserforcredentials.For portalorgateway,decryptsthecookie,andthen
moreinformation,seeCookie authenticatestheuser.
AuthenticationonthePortalorGateway.
Cookie LifetimeSpecifythehours,days,orweeksthatthe
Ifclientcertificatesarerequired,the
cookieisvalid.Defaultis24hours.Therangeforhoursis
endpointmustalsoprovideavalid
172;forweeks,152;andfordays,1365.Afterthe
certificatetobegrantedaccess.
cookieexpires,theusermustenterlogincredentials,and
Intheeventthatyouneedto thegatewaysubsequentlyencryptsanewcookietosendto
immediatelyblockaccesstoa theagent.Thisvaluecanbethesameasordifferentfrom
devicewhosecookiehasnotyet theCookie Lifetimeyouconfigurefortheportal.
expired(forexample,ifthe
Certificate to Encrypt/Decrypt CookieSelecttheRSA
deviceislostorstolen),youcan
certificatetousetoencryptanddecryptthecookie.You
immediatelyBlockDeviceAccess
mustusethesamecertificateontheportalandgateways.
byaddingthedevicetoablock
list. Asabestpractice,configuretheRSAcertificatetouse
thestrongestdigestalgorithmthatyournetwork
supports.
TheportalandgatewaysusetheRSAencryptpadding
schemePKCS#1V1.5togeneratethecookie(usingthe
publickeyofthecertificate)anddecryptthecookie(using
theprivatekeyofthecertificate).
Step7 Configuretheuserorusergroupandthe Inagatewayagentconfiguration,selecttheUser/User Grouptab

endpointOStowhichtheagent andconfigurethefollowingsettings:
configurationapplies. Todeliverthisconfigurationtoagentsorappsrunningon
Thegatewayusestheuser/usergroup specificoperatingsystem,AddtheOS(Android,Chrome,iOS,
settingsyouspecifytodeterminewhich Mac,Windows,orWindowsUWP)towhichthisconfiguration
configurationtodelivertothe applies.OrleavethevalueinthissectionsettoAnytodeploy
GlobalProtectagentsthatconnect. theconfigurationbasedonuser/grouponly.
Therefore,ifyouhavemultiple Torestrictthisconfigurationtoaspecificuserand/orgroup,
configurations,youmustmakesureto clickAddintheUser/UserGroupsectionofthewindowand
orderthemproperly.Assoonasthe thenselecttheuserorgroupyouwanttoreceivethis
gatewayfindsamatch,itwilldeliverthe configurationfromthedropdown.Repeatthisstepforeach
configuration.Therefore,morespecific user/groupyouwanttoadd.
configurationsmustprecedemore Beforeyoucanrestricttheconfigurationtospecific
generalones.SeeStep 10for groups,youmustmapuserstogroupsasdescribedin
instructionsonorderingthelistofagent EnableGroupMapping.
configurations.
Torestricttheconfigurationtouserswhohavenotyetlogged
Networksettingsarenot intotheirsystems,selectpre-logonfromtheUser/UserGroup
requiredininternalgateway dropdown.
configurationsinnontunnel
Toapplytheconfigurationtoanyuserregardlessofloginstatus
mode,becauseagentsusethe
(bothprelogonandloggedinusers),selectanyfromthe
networksettingsassignedtothe
User/UserGroupdropdown.
physicalnetworkadapter.
Step8 (TunnelModeonly)Configuretheip Inagatewayagentconfiguration,selectAgent > IP Pools and

poolsavailabletoassigntothevirtual configureanyofthefollowingsettingsandthenclickOK:
networkadapterontheendpointwhen TospecifytheauthenticationserverIPaddresspooltoassign
anagentestablishesatunnelwiththe addressestoendpointsthatrequirestaticIPaddresses,select
gateway. theRetrieve Framed-IP-Address attribute from
IPpoolsandsplittunnelsettings authentication server checkboxandthenAddthesubnetorIP
arenotrequiredininternal addressrangetousetoassigntoremoteusersinthe
gatewayconfigurationsin Authentication Server IP Poolarea.Whenthetunnelis
nontunnelmodebecauseagents established,aninterfaceiscreatedontheremoteusers
usethenetworksettings computerwithanaddressinthesubnetorIPrangethatmatches
assignedtothephysicalnetwork theFramedIPattributeoftheauthenticationserver.
adapter. TheauthenticationserverIPaddresspoolmustbelarge
Youcanoptionallyuseaddress enoughtosupportallconcurrentconnections.IP
objectswhichallowyouto addressassignmentisstaticandisretainedaftertheuser
groupspecificsourceor disconnects.
destinationaddresseswhen TospecifytheIP PooltousetoassignIPaddresses,clickAdd
configuringgatewayIPaddress andthenspecifytheIPaddressrangeoraddressobjecttouse.
poolsoraccessroutes. YoucanconfigureIPv6orIPv4addresses.Asabestpractice,
useadifferentrangeofIPaddressesfromthoseassignedto
endpointsthatarephysicallyconnectedtoyourLANtoensure
properroutingbacktothegateway.
Step9 (TunnelModeonly)Configurethesplit TorouteonlysometrafficlikelytrafficdestinedforyourLANto

tunnelsettingstoassigntothevirtual GlobalProtect,specifythedestinationsubnetsoraddressobject
networkadapterontheendpointwhen (oftypeIP Netmask)thatmustbeincludedorexcludedfromthe
anagentestablishesatunnelwiththe tunnel.Inthiscase,trafficthatisnotdestinedforaspecifiedaccess
gateway. routewillberoutedthroughtheendpointsphysicaladapterrather
thanthroughthevirtualadapter(thetunnel).Thefirewallsupports
upto100accessroutes.
Inagatewayagentconfiguration,selectAgent > Split Tunnel and
configureanyofthefollowingsettingsandthenclickOK:
Todisablesplittunnelingincludingdirectaccesstolocal
networksonWindowsandMacOSsystems,enableNo direct
access to local network.Inthiscase,userscannotsendtraffic
toproxiesorlocalresourceswhileconnectedtoGlobalProtect.
Todefinewhatdestinationsubnetstoroutethroughthetunnel
clickAddintheAccess Routeareaandthenentertheroutesas
follows:
(Optional)IntheIncludesarea,Addthedestination
subnetsoraddressobject(oftypeIP Netmask)toroute
onlysometrafficlikelytrafficdestinedforyourLANto
GlobalProtect.Thesearetheroutesthegatewaypushesto
theremoteusersendpointandtherebydetermineswhat
traffictheusersendpointcansendthroughtheVPN
connection.YoucanincludeIPv6orIPv4subnets.
(Optional)IntheExcludesarea,Addthedestination
subnetsoraddressobject(oftypeIP Netmask)thatyou
wanttheclienttoexclude.Theserouteswillbesent
throughtheendpointsphysicaladapterratherthan
throughthevirtualadapter(thetunnel).Excludedroutes
shouldbemorespecificthantheincludedroutes;
otherwise,youmayexcludemoretrafficthanyouintended.
YoucanexcludeIPv6orIPv4subnets.
ExcludingroutesisnotsupportedonAndroid.Only
IPv4routesaresupportedonChrome.
Step10 Arrangethegatewayagent Tomoveagatewayconfigurationuponthelistofconfigurations,

configurationssothattheproper selecttheconfigurationandclickMove Up.
configurationisdeployedtoeachagent. Tomoveagatewayconfigurationdownonthelistof
Whenanagentconnects,thegateway configurations,selecttheconfigurationandclickMove Down.
willcomparethesourceinformationin
thepacketagainsttheagent
configurationsyouhavedefined.Aswith
securityruleevaluation,thegateway
looksforamatchstartingfromthetopof
thelist.Whenitfindsamatch,itdelivers
thecorrespondingconfigurationtothe
agentorapp.
Step11 (TunnelModeonly)Specifythenetwork InaGlobalProtectGatewayConfiguration,selecttheAgent >

configurationsettingsfortheendpoints. Network Servicestabandconfigurethesettingsforendpointsin
Networksettingsarenot oneofthefollowingways:
requiredininternalgateway IfthefirewallhasaninterfacethatisconfiguredasaDHCP
configurationsinnontunnel client,settheInheritance Sourcetothatinterfaceandthe
modebecauseinthiscaseagents GlobalProtectagentwillbeassignedthesamesettingsreceived
usethenetworksettingsassigned bytheDHCPclient.YoucanalsoInherit DNS Suffixesfromthe
tothephysicalnetworkadapter. inheritancesource.
ManuallyassigntheDNSserver(s)andsuffix,andWINSservers
bycompletingthecorrespondingfields.
Step12 (Optional)Definethenotification InaGlobalProtectGatewayConfiguration,selecttheAgent > HIP

messagesenduserswillseewhena NotificationtabandAddanewHIPNotificationconfiguration:
securityrulewithahostinformation 1. FromtheHost Informationdropdown,selecttheHIPobject
profile(HIP)isenforced. orprofiletowhichthismessageapplies.
Thissteponlyappliesifyouhavecreated
2. SelectMatch MessageorNot Match Messageandthen
hostinformationprofilesandadded
Enablenotifications,dependingonwhetheryouwantto
themtoyoursecuritypolicies.Fordetails
displaythemessagewhenthecorrespondingHIPprofileis
onconfiguringtheHIPfeatureandfor
matchedinpolicyorwhenitisnotmatched.Insomecases,
moredetailedinformationaboutcreating
youmightwanttocreatemessagesforbothamatchanda
HIPnotificationmessages,seeHost
nonmatch,dependingontheobjectsonwhichyouare
Information.
matchingandwhatyourobjectivesareforthepolicy.Forthe
MatchMessage,youcanalsoenabletheoptiontoInclude
Mobile App Listtoindicatewhatapplicationscantriggerthe
HIPmatch.
3. SelectwhetheryouwanttodisplaythemessageasaSystem
Tray BalloonorasaPop Up Message.
4. EnterandformatthetextofyourmessageintheTemplate
textboxandthenclickOK.
5. Repeatthesestepsforeachmessageyouwanttodefine.
Step13 Savethegatewayconfiguration. 1. ClickOKtosavethesettingsandclosetheGlobalProtect

GatewayConfigurationdialog.
GlobalProtectPortals
TheGlobalProtectPortalprovidesthemanagementfunctionsforyourGlobalProtectinfrastructure.Every
endpointthatparticipatesintheGlobalProtectnetworkreceivesconfigurationinformationfromtheportal,
includinginformationaboutavailablegatewaysaswellasanyclientcertificatesthatmayberequiredto
connecttothegateways.Inaddition,theportalcontrolsthebehavioranddistributionoftheGlobalProtect
agentsoftwaretobothMacandWindowslaptops.
TheportaldoesnotdistributetheGlobalProtectappforuseonmobiledevices.TogettheGlobalProtectappfor
mobiledevices,endusersmustdownloaditfromthestorefortheirdevice:AppStoreforiOS,GooglePlayfor
Android,ChromeWebStoreforChromebooks,orMicrosoftStoreforWindows10UWP.However,theagent
configurationsthatgetdeployedtomobileappusersdoescontrolthegateway(s)towhichthemobiledevices
haveaccess.Formoredetailsonsupportedversions,seeWhatClientOSVersionsareSupportedwith
GlobalProtect?
InadditiontodistributingGlobalProtectclientsoftware,youcanconfiguretheGlobalProtect portal
to providesecureremoteaccesstocommonenterprisewebapplicationsthatuseHTML,HTML5,and
Javascripttechnologies.UsershavetheadvantageofsecureaccessfromSSLenabledwebbrowserswithout
installingGlobalProtectclientsoftware.Thisisusefulwhenyouneedtoenablepartnerorcontractoraccess
toapplications,andtosafelyenableunmanagedassets,includingpersonaldevices.RefertoGlobalProtect
ClientlessVPN.
Thefollowingsectionsprovideproceduresforsettinguptheportal:
PrerequisiteTasksforConfiguringtheGlobalProtectPortal
SetUpAccesstotheGlobalProtectPortal
DefinetheGlobalProtectClientAuthenticationConfigurations
DefinetheGlobalProtectAgentConfigurations
CustomizetheGlobalProtectAgent
CustomizetheGlobalProtectPortalLogin,Welcome,andHelpPages
PrerequisiteTasksforConfiguringtheGlobalProtectPortal GlobalProtectPortals
PrerequisiteTasksforConfiguringtheGlobalProtectPortal
BeforeyoucanconfiguretheGlobalProtectPortal,youmustcompletethefollowingtasks:
Createtheinterfaces(andzones)forthefirewallinterfacewhereyouplantoconfiguretheportal.See
CreateInterfacesandZonesforGlobalProtect.
Setuptheportalservercertificate,gatewayservercertificate,SSL/TLSserviceprofiles,and,optionally,
anyclientcertificatestodeploytoenduserstoenableSSL/TLSconnectionsfortheGlobalProtect
services.SeeEnableSSLBetweenGlobalProtectComponents.
Definetheoptionalauthenticationprofilesandcertificateprofilesthattheportalcanuseto
authenticateGlobalProtectusers.SeeAuthentication.
ConfigureaGlobalProtectGatewayandunderstandGatewayPriorityinaMultipleGateway
Configuration.
GlobalProtectPortals SetUpAccesstotheGlobalProtectPortal
SetUpAccesstotheGlobalProtectPortal
AfteryouhavecompletedthePrerequisiteTasksforConfiguringtheGlobalProtectPortal,configurethe
GlobalProtectPortalasfollows:
SetUpAccesstothePortal
Step1 Addtheportal. 1. SelectNetwork > GlobalProtect > Portals andclickAdd.

2. OntheGeneralpage,enteraNamefortheportal.Thename
cannotcontainspaces.
3. (Optional)Selectthevirtualsystemtowhichthisportal
belongsfromtheLocationfield.
Step2 Specifynetworksettingstoenable 1. SelecttheInterface.

agentstocommunicatewiththeportal. 2. SpecifytheIP Address TypeandIP address fortheportalweb
Ifyouhavenotyetcreatedthenetwork service:
interfacefortheportal,seeCreate TheIPaddresstypecanbeIPv4(forIPv4trafficonly),IPv6
InterfacesandZonesforGlobalProtect (forIPv6trafficonly,orIPv4 and IPv6.UseIPv4 and IPv6if
forinstructions.Ifyouhavenotyet yournetworksupportsdualstackconfigurations,where
createdanSSL/TLSserviceprofilefor IPv4andIPv6runatthesametime.
theportal,seeDeployServerCertificates
TheIPaddressmustbecompatiblewiththeIPaddress
totheGlobalProtectComponents.
type.Forexample,172.16.1/0forIPv4addressesor
21DA:D3:0:2F3B forIPv6addresses.Fordualstack
configurations,enterbothanIPv4andIPv6address.
3. SelectanSSL/TLS Service Profile.
Step3 Disabletheloginpageentirelyorchoose ChooseaPortal Login Pageforuseraccesstotheportalor

yourownloginpageorhelppage. importanewone,orDisableaccesstotheGlobalProtectportal
Althoughoptional,acustomloginorhelp loginpagefromawebbrowser.
pageletsyoudecideonthelookand ChooseaApp Help PagetoassisttheuserwithGlobalProtector
contentofthepages.SeeCustomizethe importanewone.
GlobalProtectPortalLogin,Welcome,
andHelpPages.
Step4 Specifyhowtheportalauthenticatesthe OntheGlobalProtectPortalConfigurationdialog,select

users. Authentication,andthenconfigureanyofthefollowing:
Ifyouhavenotyetcreatedaserver Tosecurecommunicationbetweentheportalandtheagents,
certificatefortheportalandissued selecttheSSL/TLS Service Profileyouconfiguredforthe
gatewaycertificates,seeDeployServer portal.
CertificatestotheGlobalProtect Toauthenticateusersusingalocaluserdatabaseoranexternal
Components. authenticationservice,suchasLDAP,Kerberos,TACACS+,
SAML,orRADIUS(includingOTP),DefinetheGlobalProtect
ClientAuthenticationConfigurations.
Step5 Savetheportalconfiguration. 1. ClickOKtosavethesettingsandclosetheGlobalProtect

PortalConfigurationdialog.
DefinetheGlobalProtectClientAuthenticationConfigurations GlobalProtectPortals
DefinetheGlobalProtectClientAuthentication
Configurations
EachGlobalProtectclientauthenticationconfigurationspecifiesthesettingsthatenabletheuserto
authenticatewiththeGlobalProtectportal.YoucancustomizethesettingsforeachOSoryoucanconfigure
thesettingstoapplytoalldevices.Forexample,youcanconfigureAndroiduserstouseRADIUS
authenticationandWindowsuserstouseLDAPauthentication.Youcanalsocustomizetheclient
authenticationforuserswhoaccesstheportalfromawebbrowser(todownloadtheGlobalProtectagent)
orforthirdpartyIPSecVPN(XAuth)accesstoGlobalProtectgateways.
DefinetheGlobalProtectClientAuthenticationConfigurations
Step1 SetUpAccesstotheGlobalProtect 1. SelectNetwork > GlobalProtect > Portals.

Portal. 2. Selecttheportalconfigurationtowhichyouareaddingthe
clientconfigurationandthenselecttheAuthenticationtab.
Step2 Specifyhowtheportalauthenticatesthe IntheClientAuthenticationarea,Addanewconfigurationwiththe

users. followingsettings:
YoucanconfiguretheGlobalProtect EnteraNametoidentifytheclientauthenticationconfiguration.
portaltoauthenticateusersusingalocal Specifytheendpointstowhichtodeploythisconfiguration.By
userdatabaseoranexternal default,theconfigurationappliestoallendpoints.Otherwise,
authenticationservice,suchasLDAP, youcanapplytheconfigurationtoendpointsrunningaspecific
Kerberos,TACACS+,SAML,orRADIUS OS(Android,Chrome,iOS,Mac,Windows,orWindowsUWP)or
(includingOTP).Ifyouhavenotyetset toendpointsthataccesstheportalfromawebBrowserwith
uptheauthenticationprofilesand/or theintentofdownloadingtheGlobalProtectagentortocreate
certificateprofiles,seeAuthentication anewclientauthenticationspecificallyforGlobalProtect
forinstructions. ClientlessVPN.
SelectoraddanAuthentication Profileforauthenticatingan
endpointthattriestoaccessthegateway.
EnteranAuthentication Messagetohelpendusersunderstand
whichcredentialstousewhenloggingin.Themessagecanbe
upto100charactersinlength(defaultisEnter login
credentials).
Step3 Arrangetheclientauthentication Tomoveaclientauthenticationconfigurationuponthelistof

configurationswithOSspecific configurations,selecttheconfigurationandclickMove Up.
configurationsatthetopofthelist,and Tomoveaclientauthenticationconfigurationdownonthelistof
configurationsthatapplytoAnyOSat configurations,selecttheconfigurationandclickMove Down.
thebottomofthelist.Aswithsecurity
ruleevaluation,theportallooksfora
matchstartingfromthetopofthelist.
Whenitfindsamatch,itdeliversthe
correspondingconfigurationtotheagent
orapp.
Step4 (Optional)Toenabletwofactor SelectthecorrespondingCertificate Profiletoauthenticateusers

authenticationusinganauthentication basedonaclientcertificateorsmartcard.
profileandacertificateprofile,configure TheCommonName(CN)and,ifapplicable,theSubject
bothinthisportalconfiguration. AlternativeName(SAN)fieldsofthecertificatemust
Keepinmindtheportalmust exactlymatchtheIPaddressorFQDNoftheinterface
authenticatetheclientbyusingboth whereyouconfiguretheportalorHTTPSconnectionsto
methodsbeforetheusercangainaccess. theportalwillfail.
GlobalProtectPortals DefinetheGlobalProtectClientAuthenticationConfigurations
DefinetheGlobalProtectClientAuthenticationConfigurations(Continued)
Step5 Savetheportalconfiguration. 1. ClickOKtosavethesettingsandclosetheGlobalProtect

PortalConfigurationdialog.
Define the GlobalProtect Agent Configurations
AfteraGlobalProtectuserconnectstotheportalandisauthenticatedbytheGlobalProtectportal,theportal
sendstheagentconfigurationtotheagentorapp,basedonthesettingsyoudefined.Ifyouhavedifferent
rolesforusersorgroupsthatneedspecificconfigurations,youcancreateaseparateagentconfigurationfor
eachusertypeorusergroup.TheportalusestheOSoftheendpointandtheusernameorgroupnameto
determinetheagentconfigurationtodeploy.Aswithothersecurityruleevaluations,theportalstartsto
searchforamatchatthetopofthelist.Whenitfindsamatch,theportalsendstherightconfigurationto
theagentorapp.
Theconfigurationcanincludethefollowing:
Alistofgatewaystowhichtheclientcanconnect.
Amongtheexternalgateways,anygatewaythattheusercanmanuallyselectforthesession.
TherootCAcertificaterequiredtoenabletheagentorapptoestablishanSSLconnectionwiththe
GlobalProtectgateway(s).
TherootCAcertificateforSSLforwardproxydecryption.
Theclientcertificatethattheendpointshouldpresenttothegatewaywhenitconnects.This
configurationisrequiredonlyifmutualauthenticationbetweentheclientandtheportalorgatewayis
required.
Asecureencryptedcookiethattheendpointshouldpresenttotheportalorgatewaywhenitconnects.
Thecookieisincludedonlyifyouenabletheportaltogenerateone.
Thesettingstheendpointusestodeterminewhetheritisconnectedtothelocalnetworkortoan
externalnetwork.
Settingsforthebehavioroftheagentorapp,suchaswhattheenduserscanseeintheirdisplay,whether
theycansavetheirGlobalProtectpassword,andwhethertheyarepromptedtoupgradetheirsoftware.
Iftheportalisdownorunreachable,theagentwillusethecachedversionofitsagentconfigurationfromitslast
successfulportalconnectiontoobtainsettings,includingthegateway(s)towhichtheagentcanconnect,what
rootCAcertificate(s)tousetoestablishsecurecommunicationwiththegateway(s),andwhatconnectmethod
touse.
Usethefollowingproceduretocreateanagentconfiguration.
CreateaGlobalProtectAgentConfiguration
Step1 AddthetrustedRootCAcertificates 1. SelectNetwork > GlobalProtect > Portals.

thattheclientwillusetoperform 2. Selecttheportalconfigurationtowhichyouareaddingthe
certificatecheckswhenitconnectsto agentconfigurationandthenselecttheAgent tab.
theGlobalProtectgateway(s).Ifyoudo
notaddatrustedrootCAcertificateto 3. IntheTrusted Root CAfield,AddandthenselecttheCA
theagentconfiguration,theassociated certificatethatwasusedtoissuethegatewayserver
clientdoesnotperformcertificate certificates.Asabestpractice,allofyourgatewaysshoulduse
checkswhenitconnects. thesameissuer.
Asabestpractice,alwaysdeploy
thetrustedrootCAcertificatesin
theagentconfiguration.This
certificatedeploymentensures
thattheagentsorappsperforma
certificatechecktovalidatethe
identityofthegatewaybeforeit
connects.Thiscertificate
installationprotectstheagentor
appfrommaninthemiddle
attacks.
Step2 (Optional)AddthetrustedRootCA 1. AddthecertificateasdescribedinStep 1.

certificatethatthefirewallwillusefor 2. Totherightofthecertificate,selecttheInstall in Local Root
SSLforwardproxydecryption.The Certificate Storeoption.
firewallusesthiscertificate(onWindows
Theportalautomaticallysendsthecertificatewhentheuser
andMacendpointsonly)toterminatethe
logsintotheportalandinstallsitintheclient'slocalstorethus
HTTPSconnection,inspectthetrafficfor
eliminatingtheneedforyoutoinstallthecertificatemanually.
policycompliance,andreestablishthe
HTTPSconnectiontoforwardthe
encryptedtraffic.
Step3 Addanagentconfiguration. 1. IntheAgentarea,Addanewconfiguration.

Theagentconfigurationspecifiesthe 2. EnteraNametoidentifytheconfiguration.Ifyouplanto
GlobalProtectconfigurationsettingsto createmultipleconfigurations,makesurethenameyoudefine
deploytotheconnectingagents/apps. foreachisdescriptiveenoughtoallowyoutodistinguishthem.
Youmustdefineatleastoneagent
configuration.
CreateaGlobalProtectAgentConfiguration(Continued)
Step4 (Optional)Configuresettingstospecify OntheAuthenticationtab,configureanyofthefollowing

howuserswiththisconfigurationwill authenticationsettings:
authenticatewiththeportal. Toenableuserstoauthenticatewiththeportalusingclient
Ifthegatewayistoauthenticatethe certificates,selecttheClient Certificatesource(SCEP,Local,or
clientsbyusingaclientcertificate,you None)thatdistributesthecertificateanditsprivatekeytoan
mustselectthesourcethatdistributes endpoint.IfyouuseaninternalCAtodistributecertificatesto
thecertificate. clients,selectNone(default).Toenabletheportaltogenerate
andsendamachinecertificatetotheagentforstorageinthe
localcertificatestoreandusethecertificateforportaland
gatewayauthentication,selectSCEPandtheassociatedSCEP
profile.Thesecertificatesaredevicespecificandcanonlybe
usedontheendpointtowhichitwasissued.Tousethesame
certificateforallendpoints,selectacertificatethatisLocalto
theportal.WithNone,theportaldoesnotpushacertificateto
theclient,butyoucanusecanotherwaystogetacertificateto
theclientsendpoint.
SpecifywhethertoSave User Credentials.SelectYestosave
theusernameandpassword(default),Save Username Onlyto
saveonlytheusername,orNotoneversavecredentials.
Ifyouconfiguretheportalorgatewaystopromptforadynamic
passwordsuchasaonetimepassword(OTP),theusermust
enteranewpasswordateachlogin.Inthiscase,the
GlobalProtectagent/appignorestheselectiontosaveboththe
usernameandpassword,ifspecified,andsavesonlythe
username.Formoreinformation,seeEnableTwoFactor
AuthenticationUsingOneTimePasswords(OTPs).
Step5 IftheGlobalProtectendpointdoesnot 1. OntheInternaltab,selecttheInternal Host Detectioncheck

requiretunnelconnectionswhenitison box.
theinternalnetwork,configureinternal 2. EntertheIP Addressofahostthatcanbereachedfromthe
hostdetection. internalnetworkonly.YoucanconfigureIPv4orIPv6
addressingforInternal Host Detection.TheIPaddressyou
specifymustbecompatiblewiththeIPaddresstype.For
example,172.16.1.0forIPv4or21DA:D3:0:2F3bforIPv6.
3. EntertheDNSHostnamefortheIPaddressyouentered.
ClientsthattrytoconnecttoGlobalProtectattempttodoa
reverseDNSlookuponthespecifiedaddress.Ifthelookup
fails,theclientdeterminesthatitisontheexternalnetwork
andtheninitiatesatunnelconnectiontoagatewayonitslist
ofexternalgateways.
Step6 Setupaccesstoathirdpartymobile 1. EntertheIPaddressorFQDNofthedevicecheckininterface

endpointmanagementsystem. associatedwithyourmobileendpointmanagementsystem.
Thisstepisrequiredifthemobiledevices Thevalueyouenterheremustexactlymatchthevalueofthe
usingthisconfigurationwillbemanaged servercertificateassociatedwiththedevicecheckin
byathirdpartymobileendpoint interface.YoucanspecifyanIPv6orIPv4address.
managementsystem.Alldeviceswill 2. SpecifytheEnrollment Portonwhichthemobileendpoint
initiallyconnecttotheportaland,ifa managementsystemwillbelisteningforenrollmentrequests.
thirdpartymobileendpoint Thisvaluemustmatchthevaluesetonthemobileendpoint
managementsystemisconfiguredonthe managementsystem(default=443).
correspondingportalagent
configuration,thedevicewillbe
redirectedtoitforenrollment.
Step7 Configuretheuserorusergroupandthe SelecttheUser/User Grouptabandthenspecifyanyusers,user

endpointOStowhichtheagent groups,and/oroperatingsystemstowhichthisconfiguration
configurationapplies. shouldapply:
Theportalusestheuser/usergroup Todeliverthisconfigurationtoagentsorappsrunningon
settingsyouspecifytodeterminewhich specificoperatingsystem,AddtheOS(Android,Chrome,iOS,
configurationtodelivertothe Mac,Windows,orWindowsUWP)towhichthisconfiguration
GlobalProtectagentsthatconnect. applies.OrleavethevalueinthissectionsettoAnytodeploythe
Therefore,ifyouhavemultiple configurationbasedonuser/grouponly.
configurations,youmustmakesureto Torestrictthisconfigurationtoaspecificuserand/orgroup,
orderthemproperly.Assoonasthe clickAddintheUser/UserGroupsectionofthewindowand
portalfindsamatch,itwilldeliverthe thenselecttheuserorgroupyouwanttoreceivethis
configuration.Therefore,morespecific configurationfromthedropdown.Repeatthisstepforeach
configurationsmustprecedemore user/groupyouwanttoadd.
generalones.SeeStep 13for Beforeyoucanrestricttheconfigurationtospecific
instructionsonorderingthelistofagent groups,youmustmapuserstogroupsasdescribedin
configurations. EnableGroupMapping.
Torestricttheconfigurationtouserswhohavenotyetloggedin
totheirsystems,selectpre-logonfromtheUser/UserGroup
dropdown.
Toapplytheconfigurationtoanyuserregardlessofloginstatus
(bothprelogonandloggedinusers),selectanyfromthe
User/UserGroupdropdown.
Step8 Specifytheexternalgatewaystowhich 1. ClickAddontheExternaltab.

userswiththisconfigurationcan 2. EnteradescriptiveNameforthegateway.Thenameyouenter
connect. hereshouldmatchthenameyoudefinedwhenyouconfigured
Considerthefollowingbest thegatewayandshouldbedescriptiveenoughforusersto
practiceswhenyouconfigurethe knowthelocationofthegatewaytheyareconnectedto.
gateways:
3. EntertheFQDNorIPaddressoftheinterfacewherethe
Ifyouareaddingbothinternal gatewayisconfiguredintheAddressfield.Youcanconfigure
andexternalgatewaystothe anIPv4orIPv6address.Theaddressyouspecifymustexactly
sameconfiguration,makesureto matchtheCommonName(CN)inthegatewayserver
enableInternalHostDetection. certificate.
SeeStep 5inDefinethe
GlobalProtectAgent 4. AddoneormoreSource Regionsforthegateway,orselect
Configurationsforinstructions. Anytomakethegatewayavailabletoallregions.Whenusers
connect,GlobalProtectrecognizesthedeviceregionandonly
Tolearnmoreabouthowa
allowsusestoconnecttogatewaysthatareconfiguredforthat
GlobalProtectclientdetermines
region.Forgatewaychoices,sourceregionisconsideredfirst,
thegatewaytowhichitshould
thengatewaypriority.
connect,seeGatewayPriorityin
aMultipleGateway 5. SetthePriorityofthegatewaybyclickinginthefieldand
Configuration. selectingavalue:
Ifyouhaveonlyoneexternalgateway,youcanleavethe
valuesettoHighest(thedefault).
Ifyouhavemultipleexternalgateways,youcanmodifythe
priorityvalues(rangingfromHighesttoLowest)toindicate
apreferenceforthespecificusergrouptowhichthis
configurationapplies.Forexample,ifyoupreferthatthe
usergroupconnectstoalocalgatewayyouwouldsetthe
priorityhigherthanthatofmoregeographicallydistant
gateways.Thepriorityvalueisthenusedtoweightthe
agentsgatewayselectionalgorithm.
Ifyoudonotwantagentstoautomaticallyestablishtunnel
connectionswiththegateway,selectManual only.This
settingisusefulintestingenvironments.
6. SelecttheManualcheckboxifyouwanttoallowuserstobe
abletomanuallyswitchtothegateway.
Step9 Specifytheinternalgatewaystowhich 1. OntheInternaltab,clickAddintheInternal Gateways

userswiththisconfigurationcan section.
connect. 2. EnteradescriptiveNameforthegateway.Thenameyouenter
Makesureyoudonotuse hereshouldmatchthenameyoudefinedwhenyouconfigured
ondemandastheconnect thegatewayandshouldbedescriptiveenoughforusersto
methodifyourconfiguration knowthelocationofthegatewaytheyareconnectedto.
includesinternalgateways.
3. EntertheFQDNorIPaddressoftheinterfacewherethe
gatewayisconfiguredintheAddressfield.Youcanconfigure
anIPv4orIPv6address.Theaddressyouspecifymustexactly
matchtheCommonName(CN)inthegatewayserver
certificate.
4. (Optional)AddoneormoreSource Addresses tothegateway
configuration.ThesourceaddresscanbeanIPsubnetor
range.Itcanalsobeapredefinedaddress.GlobalProtect
supportsbothIPv6andIPv4addresses.Whenusersconnect,
GlobalProtectrecognizesthesourceaddressofthedeviceand
onlyallowsuserstoconnecttogatewaysthatareconfigured
forthataddress.
5. ClickOKtosaveyourchanges.
6. (Optional)AddaDHCP Option 43 Codetothegateway
configuration.Youcanincludeoneormoresuboptioncodes
associatedwiththevendorspecificinformation(Option43)
thattheDHCPserverhasbeenconfiguredtooffertheclient.
Forexample,youmighthaveasuboptioncode100thatis
associatedwithanIPaddressof192.168.3.1.
Whenauserconnects,theGlobalProtectportalsendsthelist
ofoptioncodesintheportalconfigurationtothe
GlobalProtectagentandtheagentselectsgatewaysindicated
bytheoptions.
WhenboththesourceaddressandDHCPoptionsare
configured,thelistofavailablegatewayspresentedtothe
clientisbasedonthecombination(union)ofthetwo
configurations.
DHCPoptionsaresupportedonWindowsandMac
endpointsonly.DHCPoptionscannotbeusedtoselect
gatewaysthatuseIPv6addressing.
7. (Optional)SelectInternal Host Detectiontoallowthe
GlobalProtectagenttodetermineifitisinsidetheenterprise
network.Whentheuserattemptstologin,theagentdoesa
reverseDNSlookupoftheinternalHostnametothespecified
IP Address.
Thehostservesasareferencepointthatisreachableifthe
endpointisinsidetheenterprisenetwork.Iftheagentfindsthe
host,theendpointisinsidethenetworkandtheagent
connectstoaninternalgateway;iftheagentfailstofindthe
internalhost,theendpointisoutsidethenetworkandthe
agentestablishesatunneltooneoftheexternalgateways.
YoucanconfigureIPv4orIPv6addressingforInternal Host
Detection.TheIPaddressyouspecifymustbecompatiblewith
theIPaddresstype.Forexample,172.16.1.0forIPv4or
21DA:D3:0:2F3bforIPv6.
Step10 Customizethebehaviorofthe SelecttheApptabandthenmodifytheagentsettingsasdesired.

GlobalProtectagentforuserswiththis Formoredetailsabouteachoption,seeCustomizethe
configuration. GlobalProtectAgent.
Step11 (Optional)Defineanycustomhost 1. SelectData Collection andenabletheGlobalProtectagentto

informationprofile(HIP)datathatyou Collect HIP Data.
wanttheagenttocollectand/orexclude 2. SelectExclude Categoriestoexcludespecificcategories
HIPcategoriesfromcollection. and/orvendors,applications,orversionswithinacategory.For
Thissteponlyappliesifyouplantouse moredetails,seeStep 3inConfigureHIPBasedPolicy
theHIPfeatureandthereisinformation Enforcement.
youwanttocollectthatcannotbe
3. SelectCustom Checkstodefineanycustomdatayouwantto
collectedusingthestandardHIPobjects
collectfromhostsrunningthisagentconfiguration,andadd
orifthereisHIPinformationthatyouare
thecategoryandvendor.Formoredetails,seeStep 2inHost
notinterestedincollecting.SeeHost
Information.
Informationfordetailsonsettingupand
usingtheHIPfeature.
Step12 Savetheagentconfiguration. 1. ClickOKtosavethesettingsandclosetheConfigsdialog.

2. Ifyouwanttoaddanotheragentconfiguration,repeatStep 3
throughStep 12.
Step13 Arrangetheagentconfigurationssothat Tomoveanagentconfigurationuponthelistofconfigurations,

theproperconfigurationisdeployedto selecttheconfigurationandclickMove Up.
eachagent. Tomoveanagentconfigurationdownonthelistof
Whenanagentconnects,theportalwill configurations,selecttheconfigurationandclickMove Down.
comparethesourceinformationinthe
packetagainsttheagentconfigurations
youhavedefined.Aswithsecurityrule
evaluation,theportallooksforamatch
startingfromthetopofthelist.Whenit
findsamatch,itdeliversthe
correspondingconfigurationtotheagent
orapp.
Step14 Savetheportalconfiguration. 1. ClickOKtosavethesettingsandclosetheGlobalProtectPortal

Configurationdialog.
Customize the GlobalProtect Agent
TheportalagentconfigurationallowsyoutocustomizehowyourendusersinteractwiththeGlobalProtect
agentsinstalledontheirsystemsortheGlobalProtectappinstalledontheirmobiledevices.Youcandefine
differentagentsettingsforthedifferentGlobalProtectagentconfigurationsyoucreate.Formore
informationonGlobalProtectclientrequirements,seeWhatClientOSVersionsareSupportedwith
GlobalProtect?
Youcancustomizethedisplayandbehavioroftheagent.Forexample,youcanspecifythefollowing:
Whatmenusandviewsuserscanaccess.
Whetheruserscandisabletheagent(appliestotheuserlogonconnectmethodonly).
Whethertodisplayawelcomepageuponsuccessfullogin.Youcanalsoconfigurewhetherornotthe
usercandismissthewelcomepageandyoucancreatecustomwelcomeandhelppagesthatexplainhow
touseGlobalProtectwithinyourenvironment.SeeCustomizetheGlobalProtectPortalLogin,Welcome,
andHelpPages.
Whetheragentupgradesoccurautomaticallyorwhetherusersarepromptedtoupgrade.
Promptusersifmultifactorauthenticationisneededtoaccesssensitivenetworkresources.
YoucanalsodefineagentsettingsdirectlyfromtheWindowsregistryortheglobalMacplist.For
WindowsclientsyoucanalsodefineagentsettingsdirectlyfromtheWindowsinstaller(Msiexec).
Settingsdefinedintheportalagentconfigurationsinthewebinterfacetakeprecedenceover
settingsdefinedintheWindowsregistry/MsiexecortheMacplist.Formoredetails,seeDeploy
AgentSettingsTransparently.
AdditionaloptionsthatareavailablethroughtheWindowscommandline(Msiexec)orWindowsregistry
only,enableyouto(formoreinformation,seeCustomizableAgentSettings):
SpecifywhethertheagentshouldprompttheenduserforcredentialsifWindowsSSOfails.
SpecifythedefaultportalIPaddress(orhostname).
EnableGlobalProtecttoinitiateaVPNconnectionbeforetheuserlogsintotheendpoint.
DeployscriptsthatrunbeforeorafterGlobalProtectestablishesaVPNconnectionorafterGlobalProtect
disconnectstheVPNconnection.
EnabletheGlobalProtectagenttowrapthirdpartycredentialsontheWindowsclient,allowingforSSO
whenusingathirdpartycredentialprovider.
UsethefollowingproceduretocustomizetheGlobalProtectagent.
CustomizetheAgent
Step1 SelecttheAgenttabintheagent 1. SelectNetwork > GlobalProtect > Portals andselecttheportal

configurationyouwanttocustomize. configurationforwhichyouwanttoaddanagent
Youcanalsoconfiguremost configuration(orAddanewconfiguration).
settingsthatareontheApptab 2. SelecttheAgent tabandselecttheconfigurationyouwantto
fromagrouppolicybyadding modify(orAddanewconfiguration).
settingstotheWindows
3. SelecttheApptab.
registry/Macplist.OnWindows
systems,youcanalsosetthem TheAppConfigurationsareadisplaystheoptionswithdefault
usingtheMsiexecutilityonthe valuesthatyoucancustomizeforeachagentconfiguration.
commandlineduringtheagent Whenyouchangethedefaultbehavior,thewebinterface
installation.However,settings changesthecolorfromgraytothedefaulttextcolor.
definedinthewebinterfaceor
theCLItakeprecedenceover
registry/plistsettings.See
DeployAgentSettings
Transparentlyfordetails.
CustomizetheAgent(Continued)
Step2 SpecifytheConnect Method thatan IntheAppConfigurationsarea,configureanyofthefollowing

agentorappusesforitsGlobalProtect options:
connection. SelectaConnect Method:
Considerthefollowingbest User-logon (Always On)TheGlobalProtectagent
practiceswhenyouconfigurethe automaticallyconnectstotheportalassoonastheuserlogs
Connect Method: intotheendpoint(ordomain).Whenusedinconjunction
UseonlytheOn-demand withSSO(Windowsusersonly),GlobalProtectloginis
option(default)ifyouareusing transparenttotheenduser.
GlobalProtectforVPNaccessto OniOSendpoints,thissettingpreventsonetime
externalgateways. password(OTP)applicationsfromworkingbecause
DonotusetheOn-demand GlobalProtectforcesalltraffictogothroughthe
optionifyouplantorunthe tunnel.
GlobalProtectagentinhidden Pre-logon (Always On)Authenticatestheuserand
mode. establishesaVPNtunneltotheGlobalProtectgateway
Forfasterconnectiontimes,use beforetheuserlogsintotheclient.Thisoptionrequiresthat
internalhostdetectionin youuseanexternalPKIsolutiontopredeployamachine
configurationswhereyouhave certificatetoeachendpointthatreceivesthisconfiguration.
enabledSSO. SeeRemoteAccessVPNwithPreLogonfordetailsabout
prelogon.
On-demand (Manual user initiated connection)Userswill
havetomanuallylaunchtheagenttoconnectto
GlobalProtect.Usethisconnectmethodforexternal
gatewaysonly.
Pre-logon then On-demandSimilartothePre-logon
(Always On)connectmethod,thisconnectmethod(which
requiresContentReleaseversion5903397orlater)
enablestheGlobalProtectagenttoauthenticatetheuser
andestablishaVPNtunneltotheGlobalProtectgateway
beforetheuserlogsintotheclient.Unliketheprelogon
connectionmethod,aftertheuserlogsintotheclient,users
mustmanuallylaunchtheagenttoconnecttoGlobalProtect
iftheconnectionisterminatedforanyreason.Thebenefit
ofthisoptionisthatyoucanallowausertospecifyanew
passwordafterpasswordexpirationorauserforgetstheir
passwordbutstillrequiretheusertomanuallyinitiatethe
connectionaftertheuserlogsin.
Step3 Specifywhethertoenforce IntheAppConfigurationsarea,configureanyofthefollowing

GlobalProtectconnectionsfornetwork options:
access. ToforceallnetworktraffictotraverseaGlobalProtecttunnel,
ToenforceGlobalProtectfor setEnforce GlobalProtect Connection for Network Accessto
networkaccess,werecommend Yes.Bydefault,GlobalProtectisnotrequiredfornetworkaccess
thatyouenablethisfeatureonly meaninguserscanstillaccesstheinternetifGlobalProtectis
forusersthatconnectin disabledordisconnected.Toprovideinstructionstousersbefore
User-logonorPre-logonmodes. trafficisblocked,configureaTraffic Blocking Notification
Usersthatconnectin Messageandoptionallyspecifywhentodisplaythemessage
On-demandmodemaynotbe (Traffic Blocking Notification Delay).
abletoestablishaconnection Topermittrafficrequiredtoestablishaconnectionwitha
withinthepermittedgrace captiveportal,specifyaCaptive Portal Exception Timeout.The
periods. usermustauthenticatewiththeportalbeforethetimeout
expires.Toprovideadditionalinstructions,configureaCaptive
Portal Detection Message.
ThesefeaturesrequireContentReleaseversion6073486
orlater.
Step4 SpecifyadditionalGlobalProtect IntheAppConfigurationsarea,configureanyofthefollowing

connectionsettings. options:
Withsinglesignon(SSO) (Windowsonly)SetUse Single Sign-OntoNotodisallow
enabled(thedefault),the GlobalProtecttousetheWindowslogincredentialsto
GlobalProtectagentusesthe automaticallyauthenticatetheuseruponlogintoActive
usersWindowslogincredentials Directory.
toautomaticallyauthenticateto EntertheMaximum Internal Gateway Connection Attemptsto
andconnecttotheGlobalProtect specifythenumberoftimestheGlobalProtectagentshould
portalandgateway. retrytheconnectiontoaninternalgatewayafterthefirst
GlobalProtectwithSSOenabled attemptfails(rangeis0100;4or5isrecommended;defaultis
alsoallowsfortheGlobalProtect 0,whichmeanstheGlobalProtectagentdoesnotretrythe
agenttowrapthirdparty connection).Byincreasingthevalue,youenabletheagentto
credentialstoensurethat connecttoaninternalgatewaythatistemporarilydownor
Windowsuserscanauthenticate unreachableduringthefirstconnectionattemptbutcomesback
andconnect,evenwhena upbeforethespecifiednumberofretriesareexhausted.
thirdpartycredentialprovideris Increasingthevaluealsoensuresthattheinternalgateway
beingusedtowraptheWindows receivesthemostuptodateuserandhostinformation.
logincredentials. EntertheGlobalProtect App Config Refresh Interval (hours) to
specifythenumberofhourstheGlobalProtectportalwaits
beforeitinitiatesthenextrefreshofaclientsconfiguration
(rangeis1168;defaultis24).
SpecifywhethertoRetain Connection on Smart Card Removal.
Bydefault,theoptionissettoYes,meaningGlobalProtect
retainsthetunnelwhenauserremovesasmartcardcontaining
aclientcertificate.Toterminatethetunnel,setthisoptiontoNo.
Thedecisiononwhethertoretaintheconnectiondependson
yoursecurityrequirements.
ThisfeaturerequiresContentReleaseversion5903397
oralaterversion.
Step5 ConfigurethemenusandUIviewsthat Configureanyorallofthefollowingoptions:

areavailabletouserswhohavethis Ifyouwantuserstobeabletoseeonlybasicstatusinformation
agentconfiguration. withintheapplication,setEnable Advanced ViewtoNo.By
default,theadvancedviewisenabled.Itallowsuserstosee
detailedstatistical,host,andtroubleshootinginformationandto
performcertaintasks,suchaschangingtheirpassword.
IfyouwanthidetheGlobalProtectagentonendusersystems,
setDisplay GlobalProtect IcontoNo.Whentheiconishidden,
userscannotperformothertaskssuchaschangingpasswords,
rediscoveringthenetwork,resubmittinghostinformation,
viewingtroubleshootinginformation,orperformingan
ondemandconnection.However,HIPnotificationmessages,
loginprompts,andcertificatedialogswillstilldisplayas
necessaryforinteractingwiththeenduser.
Topreventusersfromperforminganetworkrediscovery,setthe
Enable Rediscover Network OptiontoNo.Whenyoudisablethe
option,itisgrayedoutintheGlobalProtectmenu.
TopreventusersfrommanuallyresubmittingHIPdatatothe
gateway,setEnable Resubmit Host Profile Option toNo.This
optionisenabledbydefault,andisusefulincaseswhere
HIPbasedsecuritypolicypreventsusersfromaccessing
resourcesbecauseitallowstheusertofixthecomplianceissue
onthecomputerandthenresubmittheHIP.
(Windowsonly)ToallowGlobalProtecttodisplaynotifications
inthenotificationarea(systemtray),setShow System Tray
NotificationstoYes.
Tocreateacustommessagetodisplaytouserswhentheir
passwordisabouttoexpireconfiguretheCustom Password
Expiration Message (LDAP Authentication Only).Themaximum
messagelengthis200characters.
Step6 Definewhattheenduserswiththis SetAllow User to Change PortalAddresstoNotodisablethe

configurationcandointheirclient. PortalfieldontheHometabintheGlobalProtectagent.Because
theuserwillthenbeunabletospecifyaportaltowhichto
connect,youmustsupplythedefaultportaladdressinthe
Windowsregistry(HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto
Networks\GlobalProtect\PanSetupwithkeyPortal)orthe
Macplist
(/Library/Preferences/com.paloaltonetworks.GlobalProt
ect.settings.plistwithkeyPortalunderdictionary
PanSetup).Formoreinformation,seeDeployAgentSettings
Transparently.
Topreventusersfromdismissingthewelcomepage,setAllow
User to Dismiss Welcome Page toNo.Otherwise,whensetto
Yes,theusercandismissthewelcomepageandprevent
GlobalProtectfromdisplayingthepageaftersubsequentlogins.
Step7 Specifywhetheruserscandisablethe Topreventuserswiththeuserlogonconnectmethodfrom

GlobalProtectagent. disablingGlobalProtect,setAllow User to Disable GlobalProtect
TheAllow User to Disable GlobalProtect to Disallow.
optionappliestoagentconfigurations ToallowuserstodisableGlobalProtectiftheyprovidea
thathavetheConnect Methodsetto passcode,setAllow User to Disable GlobalProtect to Allow with
User-Logon (Always On).Inuserlogon Passcode.Then,intheDisableGlobalProtectApparea,enter
mode,theagentorappautomatically (andconfirm)thePasscodethattheendusersmustsupply.
connectstoGlobalProtectassoonasthe Toallowuserstodisconnectiftheyprovideaticket,setAllow
userlogsintotheendpoint.Thismodeis User to Disable GlobalProtect toAllow with Ticket.Withthis
sometimesreferredtoasalwayson, option,thedisconnectactiontriggerstheagenttogeneratea
whichiswhytheusermustoverridethis RequestNumber.Theendusermustthencommunicatethe
behaviortodisableGlobalProtectclient. RequestNumbertotheadministrator.Theadministratorthen
Bydefault,thisoptionissettoAllow clicksGenerate TicketontheNetwork > GlobalProtect > Portals
whichpermitsuserstodisable pageandenterstherequestnumberfromtheusertogenerate
GlobalProtectwithoutprovidinga theticket.Theadministratorthenprovidesthetickettotheend
comment,passcode,orticketnumber. user,whoentersitintotheDisableGlobalProtectdialogtoenable
Iftheagenticonisnotvisible, theagenttodisconnect.
usersarenotabletodisablethe
GlobalProtectclient.SeeStep 5
fordetails.
TolimitthenumberoftimesuserscandisabletheGlobalProtect
client,enteravalueintheMax Times User Can Disablefieldin
theDisableGlobalProtectApparea.Avalueof0(thedefault)
indicatesthatusersarenotlimitedinthenumberoftimesthey
candisabletheclient.
Torestricthowlongtheusermaybedisconnected,enteravalue
(inminutes)intheUser Can Disable Timeout (min)fieldinthe
DisableGlobalProtectApparea.Avalueof0(thedefault)means
thatthereisnorestrictiononhowlongtheusercankeepthe
clientdisabled.
Step8 Configurethecertificatesettingsand Client Certificate Store LookupSelectwhichstoretheagent

behaviorfortheusersthatreceivethis shouldusetolookupclientcertificates.Usercertificatesare
configuration. storedintheCurrentUsercertificatestoreonWindowsandin
thePersonalKeychainonMacOS.Machinecertificatesare
storedintheLocalComputercertificatestoreonWindowsandin
theSystemKeychainonMacOS.Bydefault,theagentlooksfor
User and machinecertificatesinbothplaces.
SCEP Certificate Renewal Period (days)WithSCEP,theportal
canrequestanewclientcertificatebeforethecertificateexpires.
ThistimebeforethecertificateexpiresistheoptionalSCEP
certificaterenewalperiod.Duringaconfigurablenumberofdays
beforeaclientcertificateexpires,theportalcanrequestanew
certificatefromtheSCEPserverinyourenterprisePKI(rangeis
030;defaultis7).Avalueof0meanstheportaldoesnot
automaticallyrenewtheclientcertificatewhenitrefreshesthe
agentconfiguration.
Foranagentorapptoobtainthenewcertificateduringthe
renewalperiod,theusermustlogintotheGlobalProtectclient.
Forexample,ifaclientcertificatehasalifespanof90days,the
certificaterenewalperiodis7days,andtheuserlogsinduringthe
final7daysofthecertificatelifespan,theportalacquiresanew
certificateanddeploysitalongwithafreshagentconfiguration.
Formoreinformation,seeDeployUserSpecificClient
CertificatesforAuthentication.
Extended Key Usage OID for Client CertificateEnterthe
extendedkeyusageofaclientcertificatebyspecifyingitsobject
identifier(OID).ThissettingensuresthattheGlobalProtectagent
selectsonlyacertificatethatisintendedforclientauthentication
whenmultiplecertificatetypesarepresentandenables
GlobalProtecttosavetheselectionforfutureuse.Thisoptionis
supportedonWindowsandMacendpointsonly.
Ifyoudonotwanttheagenttoestablishaconnectionwiththe
portalwhentheportalcertificateisnotvalid,setAllow User to
Continue with Invalid Portal Server CertificatetoNo.Keepin
mindthattheportalprovidestheagentconfigurationonly;itdoes
notprovidenetworkaccessandthereforesecuritytotheportalis
lesscriticalthansecuritytothegateway.However,ifyouhave
deployedatrustedservercertificatefortheportal,deselecting
thisoptioncanhelppreventmaninthemiddle(MITM)attacks.
Step9 Specifywhetherusersreceivelogin SetEnable Inbound Authentication Prompts from MFA

promptswhenmultifactor GatewaystoYes.Tosupportmultifactorauthentication(MFA),a
authenticationisrequiredtoaccess GlobalProtectclientmustreceiveandacknowledgeUDP
sensitivenetworkresources. promptsthatareinboundfromthegateway.SelectYes toenable
Forinternalgatewayconnections, aGlobalProtectclienttoreceiveandacknowledgetheprompt.By
sensitivenetworkresources(for default,thevalueissettoNo meaningGlobalProtectwillblock
example,financialapplicationsor UDPpromptsfromthegateway.
softwaredevelopmentapplications)may InNetwork Port for Inbound Authentication Prompts (UDP),
requireadditionalauthentication.You specifytheportnumberaGlobalProtectclientusestoreceive
canconfigureGlobalProtectclientsto inboundauthenticationpromptsfromMFAgateways.The
displaytheauthenticationprompts defaultportis4501.Tochangetheport,specifyanumberfrom
requiredtoaccesstheseresources.Refer 1to65535.
toSetUpMultiFactorAuthentication InTrusted MFA Gateways,specifythelistofauthentication
formoreinformation. gatewaysaGlobalProtectclientwilltrustformultifactor
authentication.WhenaGlobalProtectclientreceivesaUDP
messageonthespecifiednetworkport,GlobalProtectdisplaysan
authenticationmessageonlyiftheUDPpromptcomesfroma
trustedgateway.
ConfiguretheDefault Message for Inbound Authentication
Prompts (forexample:You have attempted to access a
protected resource that requires additional
authentication. Proceed to authenticate at
\\server1\myapp).Whenuserstrytoaccessaresourcethat
requiresadditionalauthentication,GlobalProtectreceivesan
inboundauthenticationpromptanddisplaysthismessage.
Step10 (Windowsonly)Configuresettingsfor Update DNS Settings at ConnectSelectYestoflushtheDNS

Windowsbasedendpointsthatreceive cacheandforcealladapterstousetheDNSsettingsinthe
thisconfiguration. configuration.SelectNo(thedefault)tousetheDNSsettings
fromthephysicaladapterontheendpoint.
Send HIP Report Immediately if Windows Security Center
(WSC) State ChangesSelectNotopreventtheGlobalProtect
agentfromsendingHIPdatawhenthestatusoftheWindows
SecurityCenter(WSC)changes.SelectYes(default)to
immediatelysendHIPdatawhenthestatusoftheWSCchanges.
Detect Proxy for Each ConnectionSelectNotoautodetectthe
proxyfortheportalconnectionandusethatproxyfor
subsequentconnections.SelectYes(default)toautodetectthe
proxyateveryconnection.
Clear Single Sign-On Credentials on LogoutSelectNotokeep
singlesignoncredentialswhentheuserlogsout.SelectYes
(default)toclearthemandforcetheusertoentercredentials
uponthenextlogin.
Use Default Authentication on Kerberos Authentication
FailureSelectNotouseonlyKerberosauthentication.Select
Yes(default)toretryusingthedefaultauthenticationmethod
afterauthenticationusingKerberosfails.

Step11 Ifyourendpointsfrequentlyexperience Configurevaluesforanyofthefollowingoptions:

latencyorslownesswhenconnectingto Portal Connection Timeout (sec)Thenumberofseconds
theGlobalProtectportalorgateways, beforeaconnectionrequesttotheportaltimesoutduetono
consideradjustingtheportalandTCP responsefromtheportal(rangeis1600;defaultis30).
timeoutvalues. TCP Connection Timeout (sec)Thenumberofsecondsbefore
Toallowmoretimeforyourendpointsto aTCPconnectionrequesttimesoutduetounresponsiveness
connecttoorreceivedatafromthe fromeitherendoftheconnection(rangeis1600;defaultis60).
portalorgateway,increasethetimeout TCP Receive Timeout (sec)Thenumberofsecondsbeforea
values,asneeded.Keepinmindthat TCPconnectiontimesoutduetotheabsenceofsomepartial
increasingthevaluescanresultinlonger responseofaTCPrequest(rangeis1600;defaultis30).
waittimesiftheGlobalProtectagentis
unabletoestablishtheconnection.In
contrast,decreasingthevaluescan
preventtheGlobalProtectagentfrom
establishingaconnectionwhenthe
portalorgatewaydoesnotrespond
beforethetimeoutexpires.
Step12 Specifywhetherremotedesktop Bydefault,theUser Switch Tunnel Rename Timeoutfieldissetto

connectionsarepermittedoverexisting 0meaningtheGlobalProtectgatewayterminatestheconnectionif
VPNtunnelsbyspecifyingtheUser anewuserauthenticatesovertheVPNtunnel.Tomodifythis
Switch Tunnel Rename Timeout.When behavior,configureatimeoutvaluefrom1to600seconds.Ifthe
anewuserconnectstoaWindows newuserdoesnotlogintothegatewaybeforethetimeoutvalue
machineusingRemoteDesktopProtocol expires,theGlobalProtectgatewayterminatestheVPNtunnel
(RDP),thegatewayreassignstheVPN assignedtothefirstuser.
tunneltothenewuser.Thegatewaycan ChangingtheUser Switch Tunnel Rename Timeoutvalue
thenenforcesecuritypoliciesonthenew onlyaffectstheRDPtunnelanddoesnotrenamea
user. prelogontunnelwhenconfigured.
Allowingremotedesktopconnections
overVPNtunnelscanbeusefulin
situationswhereanITadministrator
needstoaccessaremoteenduser
systemusingRDP.

Step13 SpecifyhowGlobalProtectagent Bydefault,theAllow User to Upgrade GlobalProtect App fieldis

upgradesoccur. settoprompttheendusertoupgrade.Tomodifythisbehavior,
Ifyouwanttocontrolwhenuserscan selectoneofthefollowingoptions:
upgrade,youcancustomizetheagent Allow TransparentlyUpgradesoccurautomaticallywithout
upgradeonaperconfigurationbasis.For interactionwiththeuser.Upgradescanoccurwhentheuseris
example,ifyouwanttotestareleaseon workingremotelyorconnectedfromwithinthecorporate
asmallgroupofusersbeforedeployingit network.
toyourentireuserbase,youcancreatea InternalUpgradesoccurautomaticallywithoutinteraction
configurationthatappliestousersin withtheuser,providedtheuserisconnectedfromwithinthe
yourITgrouponly,thusallowingthemto corporatenetwork.Thissettingisrecommendedtopreventslow
upgradeandtestanddisableupgradein upgradesinlowbandwidthsituations.Whenauserconnects
allotheruser/groupconfigurations. outsidethecorporatenetwork,theupgradeispostponedand
Then,afteryouhavethoroughlytested reactivatedlaterwhentheuserconnectsfromwithinthe
thenewversion,youcanmodifythe corporatenetwork.Youmustconfigureinternalgatewaysand
agentconfigurationsfortherestofyour internalhostdetectiontousethisoption.
userstoallowtheupgrade. Topreventagentupgrades,selectDisallow.
Toallowenduserstoinitiateagentupgrades,selectAllow
Manually.Inthiscase,theuserwouldselecttheCheck Version
optionintheagenttodetermineifthereisanewagentversion
andthenupgradeifdesired.Notethatthisoptionwillnotwork
iftheGlobalProtectagentishiddenfromtheuser.SeeStep 5for
detailsontheDisplay GlobalProtect Iconoption.
UpgradesforAllow Transparently andInternaloccuronly
iftheGlobalProtectsoftwareversionontheportalismore
recentthantheGlobalProtectsoftwareversiononthe
endpoint.Forexample,aGlobalProtect3.1.3agent
connectingtoaGlobalProtect3.1.1portalisnotupgraded.
Step14 Specifywhethertodisplayawelcome Todisplayawelcomepageafterasuccessfulloginselect

pageuponsuccessfullogin. factory-default fromtheWelcome Page dropdownontheright.
Awelcomepagecanbeausefulwayto GlobalProtectdisplaysthewelcomepageinthedefaultbrowseron
directuserstointernalresourcesthat Windows,Mac,andChromebookendpoints,orwithinthe
theycanonlyaccesswhenconnectedto GlobalProtectapponmobiledevices.Youcanalsoselectacustom
GlobalProtect,suchasyourIntranetor welcomepagethatprovidesinformationspecifictoyourusers,or
otherinternalservers. toaspecificgroupofusers(basedonwhichportalconfiguration
Bydefault,theonlyindicationthatthe getsdeployed).Fordetailsoncreatingcustompages,see
agenthassuccessfullyconnectedto CustomizetheGlobalProtectPortalLogin,Welcome,andHelp
GlobalProtectisaballoonmessagethat Pages.
displaysinthesystemtray/menubar.
Step15 Savetheagentconfigurationsettings. 1. Ifyouaredonecreatingagentconfigurations,clickOKtoclose

theConfigsdialog.Otherwise,forinstructionsoncompleting
theagentconfigurations,returntoDefinetheGlobalProtect
AgentConfigurations.
2. Ifyouaredoneconfiguringtheportal,clickOKtoclosethe
GlobalProtectPortalConfigurationdialog.
3. Whenyoufinishtheportalconfiguration,Committhechanges.

Customize the GlobalProtect Portal Login, Welcome, and Help Pages
GlobalProtectprovidesdefaultlogin,welcome,and/orhelppages.However,youcancreateyourown
custompageswithyourcorporatebranding,acceptableusepolicies,andlinkstoyourinternalresources.
Youcanalternativelydisablebrowseraccesstotheportalloginpageinordertopreventunauthorizedattempts
toauthenticatetotheGlobalProtectportal(configurethe Portal Login Page > Disable optionfromNetwork
> GlobalProtect > Portals > portal_config > General).Withtheportalloginpagedisabled,youcaninstead
useasoftwaredistributiontool,suchasMicrosoftsSystemCenterConfigurationManager(SCCM),toallowyour
userstodownloadandinstalltheGlobalProtectagent.
CustomizethePortalLogin,Welcome,andHelpPages
Step1 Exportthedefaultportallogin,welcome, 1. SelectDevice > Response Pages.

orhelppage. 2. SelectthelinkforthetypeofGlobalProtectportalpage.
3. SelecttheDefaultpredefinedpageandclickExport.
Step2 Edittheexportedpage. 1. UsetheHTMLtexteditorofyourchoicetoeditthepage.

2. Ifyouwanttoeditthelogoimagethatisdisplayed,hostthe
newlogoimageonawebserverthatisaccessiblefromthe
remoteGlobalProtectclients.Forexample,editthefollowing
lineintheHTMLtopointtothenewlogoimage:
<img src="http://cdn.slidesharecdn.com/
Acme-logo-96x96.jpg?1382722588"/>
3. Savetheeditedpagewithanewfilename.Makesurethatthe
pageretainsitsUTF8encoding.
Step3 Importthenewpage(s). 1. SelectDevice > Response Pages.

2. SelectthelinkforthetypeofGlobalProtectportalpage.
3. ClickImportandthenenterthepathandfilenameinthe
Import FilefieldorBrowsetolocatethefile.
4. (Optional)Selectthevirtualsystemonwhichthispagewillbe
usedfromtheDestinationdropdownorselectshared
(default)tomakeitavailabletoallvirtualsystems.
5. ClickOKtoimportthefile.
Step4 Configuretheportaltousethenew Portal Login PageandApp Help Page:

page(s). 1. SelectNetwork > GlobalProtect > Portals andselecttheportal
towhichyouwanttoaddtheloginpage.
2. OntheGeneral tab,selectthenewpagefromtherelevant
dropdownintheAppearancearea.
Custom Welcome Page:
1. SelectNetwork > GlobalProtect > Portalsandselecttheportal
towhichyouwanttoaddtheloginpage.
2. OntheAgent tab,selecttheagentconfigurationtowhichyou
wanttoaddthewelcomepage.
3. SelecttheApptab,andselectthenewpagefromtheWelcome
Pagedropdown.
4. ClickOKtosavetheagentconfiguration.

CustomizethePortalLogin,Welcome,andHelpPages(Continued)
Step5 Savetheportalconfiguration. ClickOKandthenCommityourchanges.
Step6 Verifythatthenewpagedisplays. TesttheloginpageOpenabrowser,gototheURLforyour

portal(besureyoudonotaddthe:4443portnumbertotheend
oftheURLoryouwillbedirectedtothewebinterfaceforthe
firewall).Forexample,enterhttps://myportalratherthan
https://myportal:4443.
Thenewportalloginpagewilldisplay.
TestthehelppageRightclicktheGlobalProtecticoninthe
notificationarea(systemtray),andselectHelp.Thenewhelp
pagewilldisplay.
TestthewelcomepageRightclicktheGlobalProtecticoninthe
notificationarea(systemtray),andselectWelcome Page.The
newwelcomepagewilldisplay.

GlobalProtectClients
DeploytheGlobalProtectClientSoftware
DefinetheGlobalProtectAgentConfigurations
CustomizetheGlobalProtectAgent
DeployAgentSettingsTransparently
GlobalProtectClientlessVPN
Reference:GlobalProtectAgentCryptographicFunctions
EnableDeliveryofGlobalProtectClientVSAstoaRADIUSServer

DeploytheGlobalProtectClientSoftware GlobalProtectClients
DeploytheGlobalProtectClientSoftware
InordertoconnecttoGlobalProtect,anendhostmustberunningGlobalProtectclientsoftware.The
softwaredeploymentmethoddependsonthetypeofclientasfollows:
MacOSandMicrosoftWindowsendpointsRequiretheGlobalProtectagentsoftware,whichis
distributedbytheGlobalProtectportal.Toenablethesoftwarefordistribution,youmustdownloadthe
versionyouwantthehostsinyournetworktousetothefirewallhostingyourGlobalProtectportaland
thenactivatethesoftwarefordownload.Forinstructionsonhowtodownloadandactivatetheagent
softwareonthefirewall,seeDeploytheGlobalProtectAgentSoftware.
Windows10phoneandWindows10UWPendpointsRequiretheGlobalProtectapp.Aswithother
mobiledeviceapps,theendusermustdownloadtheGlobalProtectappfromtheMicrosoftStore.For
instructionsonhowtodownloadandtesttheGlobalProtectappinstallation,seeDownloadandInstall
theGlobalProtectMobileApp.
iOSandAndroidendpointsRequiretheGlobalProtectapp.Aswithothermobiledeviceapps,theend
usermustdownloadtheGlobalProtectappeitherfromtheAppleAppStore(iOSdevices)orfromGoogle
Play(Androiddevices).ForinstructionsonhowtodownloadandtesttheGlobalProtectappinstallation,
seeDownloadandInstalltheGlobalProtectMobileApp.
ChromebooksRequiretheGlobalProtectappforChromeOS.Similartothedownloadprocessfor
mobiledeviceapps,theendusercandownloadtheGlobalProtectappfromtheChromeWebStore.You
canalsodeploytheapptoamanagedChromebookusingtheChromebookManagementConsole.For
instructionsonhowtodownloadandtesttheGlobalProtectappinstallation,DownloadandInstallthe
GlobalProtectAppforChromeOS.
Formoredetails,seeWhatClientOSVersionsareSupportedwithGlobalProtect?
AsanalternativetodeployingGlobalProtectclientsoftware,youcanconfiguretheGlobalProtect portalto
providesecureremoteaccesstocommonenterprisewebapplicationsthatuseHTML,HTML5,andJavascript
technologies.UsershavetheadvantageofsecureaccessfromSSLenabledwebbrowsers withoutinstalling
GlobalProtectclientsoftware.RefertoGlobalProtectClientlessVPN.
Deploy the GlobalProtect Agent Software
ThereareseveralwaystodeploytheGlobalProtectagentsoftware:
DirectlyfromtheportalDownloadtheagentsoftwaretothefirewallhostingtheportalandactivateit
sothatenduserscaninstalltheupdateswhentheyconnecttotheportal.Thisoptionprovidesflexibility
inthatitallowsyoutocontrolhowandwhenendusersreceiveupdatesbasedontheagentconfiguration
settingsyoudefineforeachuser,group,and/oroperatingsystem.However,ifyouhavealargenumber
ofagentsthatrequireupdates,itcouldputextraloadonyourportal.SeeHostAgentUpdatesonthe
Portalforinstructions.
FromawebserverIfyouhavealargenumberofhoststhatwillneedtoupgradetheagent
simultaneously,considerhostingtheagentupdatesonawebservertoreducetheloadonthefirewall.
SeeHostAgentUpdatesonaWebServerforinstructions.
TransparentlyfromthecommandlineForWindowsclients,youcanautomaticallydeployagent
settingsintheWindowsInstaller(Msiexec).However,toupgradetoalateragentversionusingMsiexec,
youmustfirstuninstalltheexistingagent.Inaddition,Msiexecallowsfordeploymentofagentsettings
directlyontheendpointsbysettingvaluesintheWindowsregistryorMacplist.SeeDeployAgent
SettingsTransparently.

GlobalProtectClients DeploytheGlobalProtectClientSoftware
UsinggrouppolicyrulesInActiveDirectoryenvironments,theGlobalProtectAgentcanalsobe
distributedtoendusers,usingactivedirectorygrouppolicy.ADGrouppoliciesallowmodificationof
Windowshostcomputersettingsandsoftwareautomatically.Refertothearticleat
http://support.microsoft.com/kb/816102formoreinformationonhowtouseGroupPolicyto
automaticallydistributeprogramstohostcomputersorusers.
FromamobileendpointmanagementsystemIfyouuseanmobilemanagementsystemsuchasan
MDMorEMMtomanageyourmobiledevices,youcanusethesystemtodeployandconfigurethe
GlobalProtectapp.SeeMobileEndpointManagement.
HostAgentUpdatesonthePortal
ThesimplestwaytodeploytheGlobalProtectagentsoftwareistodownloadthenewagentinstallation
packagetothefirewallthatishostingyourportalandthenactivatethesoftwarefordownloadtotheagents
connectingtotheportal.Todothisautomatically,thefirewallmusthaveaserviceroutethatenablesitto
accessthePaloAltoNetworksUpdateServer.IfthefirewalldoesnothaveaccesstotheInternet,youcan
manuallydownloadtheagentsoftwarepackagefromthePaloAltoNetworksSoftwareUpdatessupportsite
usinganInternetconnectedcomputerandthenmanuallyuploadittothefirewall.
YoumusthaveavalidPaloAltoNetworksaccounttologintoanddownloadsoftwarefromtheSoftwareUpdates
page.Ifyoucannotloginandneedassistance,goto
https://www.paloaltonetworks.com/support/tabs/overview.html.)
Youdefinehowtheagentsoftwareupdatesaredeployedintheagentconfigurationsyoudefineonthe
portalwhethertheyhappenautomaticallywhentheagentconnectstotheportal,whethertheuseris
promptedtoupgradetheagent,orwhethertheendusercanmanuallycheckforanddownloadanewagent
version.Fordetailsoncreatinganagentconfiguration,seeDefinetheGlobalProtectAgentConfigurations.
HosttheGlobalProtectAgentonthePortal
Step1 Launchthewebinterfaceonthefirewall SelectDevice > GlobalProtect Client.

hostingtheGlobalProtectportalandgo
totheGlobalProtectClientpage.
Step2 Checkfornewagentsoftwareimages. IfthefirewallhasaccesstotheUpdateServer,clickCheck Now

tocheckforthelatestupdates.IfthevalueintheActioncolumn
isDownloaditindicatesthatanupdateisavailable.
IfthefirewalldoesnothaveaccesstotheUpdateServer,goto
thePaloAltoNetworksSoftwareUpdatessupportsiteand
Downloadthefiletoyourcomputer.Thengobacktothefirewall
tomanuallyUploadthefile.
YoumusthaveavalidPaloAltoNetworksaccounttolog
intoanddownloadsoftwarefromtheSoftwareUpdates
page.Ifyoucannotloginandneedassistance,goto:
https://www.paloaltonetworks.com/support/tabs/overvi
ew.html)

HosttheGlobalProtectAgentonthePortal(Continued)
Step3 Downloadtheagentsoftwareimage. LocatetheagentversionyouwantandthenclickDownload.When

Ifyourfirewalldoesnothave thedownloadcompletes,thevalueintheActioncolumnchangesto
Internetaccessfromthe Activate.
managementport,youcan Ifyoumanuallyuploadedtheagentsoftwareasdetailedin
downloadtheagentupdatefrom Step 2,theActioncolumnwillnotupdate.Continuetothe
thePaloAltoNetworksSupport nextstepforinstructionsonactivatinganimagethatwas
Site: manuallyuploaded.
(https://www.paloaltonetworks.
com/support/tabs/overview.htm
l).
YoucanthenmanuallyUpload
theupdatetoyourfirewalland
thenactivateActivate From File.
Step4 Activatetheagentsoftwareimageso IfyoudownloadedtheimageautomaticallyfromtheUpdate

thatenduserscandownloaditfromthe Server,clickActivate.
portal. Ifyoumanuallyuploadedtheimagetothefirewall,clickActivate
Onlyoneversionofagent From FileandthenselecttheGlobalProtect Client Fileyou
softwareimagecanbeactivated uploadedfromthedropdown.ClickOKtoactivatetheselected
atatime.Ifyouactivateanew image.Youmayneedtorefreshthescreenbeforetheversion
version,buthavesomeagents displaysasCurrently Activated.
thatrequireapreviously
activatedversion,youwillhave
toactivatetherequiredversion
againtoenableitfordownload.
HostAgentUpdatesonaWebServer
Ifyouhavealargenumberofendpointsthatwillneedtoinstalland/orupdatetheGlobalProtectagent
software,considerhostingtheGlobalProtectagentsoftwareimagesonanexternalwebserver.Thishelps
reducetheloadonthefirewallwhenusersconnecttodownloadtheagent.Tousethisfeature,thefirewall
hostingtheportalmustberunningPANOS4.1.7oralaterrelease.
HostGlobalProtectAgentImagesonaWebServer
Step1 Downloadtheversionofthe Followthestepsfordownloadingandactivatingtheagentsoftware

GlobalProtectagentthatyouplanto onthefirewallasdescribedinHosttheGlobalProtectAgentonthe
hostonthewebservertothefirewall Portal.
andactivateit.
Step2 DownloadtheGlobalProtectagent Fromabrowser,gotothePaloAltoNetworksSoftwareUpdates

imageyouwanttohostonyourweb siteandDownloadthefiletoyourcomputer.
server.
Youshoulddownloadthesameimage
thatyouactivatedontheportal.
Step3 Publishthefilestoyourwebserver. Uploadtheimagefile(s)toyourwebserver.

HostGlobalProtectAgentImagesonaWebServer(Continued)
Step4 Redirecttheenduserstothewebserver. Onthefirewallhostingtheportal,logintotheCLIandenterthe

followingoperationalmodecommands:
> set global-protect redirect on
> set global-protect redirect location
<path>
where<path>isthepathistheURLtothefolderhostingtheimage,
forexamplehttps://acme/GP.
Step5 Testtheredirect. 1. LaunchyourwebbrowserandgotothefollowingURL:

https://<portal address or name>
Forexample,https://gp.acme.com.
2. Ontheportalloginpage,enteryouruserNameandPassword
andthenclickLogin.Aftersuccessfullogin,theportalshould
redirectyoutothedownload.
TesttheAgentInstallation
Usethefollowingproceduretotesttheagentinstallation.
TesttheAgentInstallation
Step1 Createanagentconfigurationfortesting Asabestpractice,createanagentconfigurationthatislimitedtoa

theagentinstallation. smallgroupofusers,suchasadministratorsintheITdepartment
Wheninitiallyinstallingthe responsibleforadministeringthefirewall:
GlobalProtectagentsoftwareon 1. SelectNetwork > GlobalProtect > Portals andselecttheportal
theendpoint,theendusermust configurationtoedit.
beloggedintothesystemusing
2. SelecttheAgent tabandeitherselectanexistingconfiguration
anaccountthathas
orAddanewconfigurationtodeploytothetestusers/group.
administrativeprivileges.
Subsequentagentsoftware 3. OntheUser/User Grouptab,clickAddintheUser/UserGroup
updatesdonotrequire section,selecttheuserorgroupwhowillbetestingtheagent,
administrativeprivileges. andthenclickOK.
4. OntheAgenttab,makesureAgent Upgradeissettoprompt
andthenclickOKtosavetheconfiguration.
5. (Optional)Selecttheagentconfigurationyoujust
created/modifiedandclickMove Upsothatitisbeforeany
moregenericconfigurationsyouhavecreated.

TesttheAgentInstallation(Continued)
Step2 LogintotheGlobalProtectportal. 1. LaunchyourwebbrowserandgotothefollowingURL:

https://<portaladdressorname>
Forexample,https://gp.acme.com.
2. Ontheportalloginpage,enteryouruserNameandPassword
andthenclickLogin.
Step3 Navigatetotheagentdownloadpage. Inmostcases,youwillseeanagentdownloadpagewhenyoulog

intotheportal.Usethispagetodownloadthelatestagentsoftware
package.
IfyouhaveenabledGlobalProtectClientlessVPNaccess,youwill
seeanapplicationspage(insteadoftheagentdownloadpage)
whenyoulogintotheportal.SelectGlobalProtect Agenttoopen
thedownloadpage.

Step4 Downloadtheagent. 1. Clickthelinkthatcorrespondstotheoperatingsystemyouare

runningonyourcomputertobeginthedownload.
2. Whenpromptedtorunorsavethesoftware,clickRun.
3. Whenprompted,clickRuntolaunchtheGlobalProtectSetup
Wizard.
WheninitiallyinstallingtheGlobalProtectagent
softwareontheendpoint,theendusermustbelogged
intothesystemusinganaccountthathas
administrativeprivileges.Subsequentagentsoftware
updatesdonotrequireadministrativeprivileges.
Step5 CompletetheGlobalProtectagentsetup. 1. FromtheGlobalProtectSetupWizard,clickNext.

2. ClickNexttoacceptthedefaultinstallationfolder
(C:\Program Files\Palo Alto Networks\GlobalProtect)
orBrowsetochooseanewlocationandthenclickNexttwice.
3. Aftertheinstallationsuccessfullycompletes,clickClose.The
GlobalProtectagentwillautomaticallystart.

Step6 LogintoGlobalProtect. EntertheFQDNorIPaddressofthePortalandConnect.If

prompted,enteryourUsernameandPasswordandConnect.If
authenticationissuccessful,theagentwillconnectto
GlobalProtect.Usetheagenttoaccessresourcesonthecorporate
networkaswellasexternalresources,asdefinedinthe
correspondingsecuritypolices.
Todeploytheagenttoendusers,createagentconfigurationsfor
theusergroupsforwhichyouwanttoenableaccessandsetthe
Agent Upgradesettingsappropriatelyandthencommunicatethe
portaladdress.SeeDefinetheGlobalProtectAgentConfigurations
fordetailsonsettingupagentconfigurations.
Download and Install the GlobalProtect Mobile App
TheGlobalProtectappprovidesasimplewaytoextendtheenterprisesecuritypoliciesouttomobile
devices.AswithotherremotehostsrunningtheGlobalProtectagent,themobileappprovidessecureaccess
toyourcorporatenetworkoveranIPSecorSSLVPNtunnel.Theappwillautomaticallyconnecttothe
gatewaythatisclosesttotheenduserscurrentlocation.Inaddition,traffictoandfromthemobiledevice
isautomaticallysubjecttothesamesecuritypolicyenforcementasotherhostsonyourcorporatenetwork.
LiketheGlobalProtectagent,theappcollectsinformationaboutthehostconfigurationandcanusethis
informationforenhancedHIPbasedsecuritypolicyenforcement.
TherearetwoprimarymethodsforinstallingtheGlobalProtectapp:Youcandeploytheappfromyour
thirdpartyMDMandtransparentlypushtheapptoyourmanageddevices;or,youcaninstalltheapp
directlyfromtheofficialstoreforyourdevice:
iOSendpointsAppStore
AndroidendpointsGooglePlay
Windows10phonesandWindows10UWPendpointsMicrosoftStore
ChromebooksFordetailsoninstallingtheGlobalProtectappforChromeOS,seeDownloadandInstall
theGlobalProtectAppforChromeOS.

ThisworkflowdescribeshowtoinstalltheGlobalProtectappdirectlyonthemobiledevice.Forinstructions
onhowtodeploytheGlobalProtectappfromAirWatch,seeDeploytheGlobalProtectMobileAppUsing
AirWatch.
InstalltheGlobalProtectMobileApp
Step1 Createanagentconfigurationfortesting Asabestpractice,createanagentconfigurationthatislimitedtoa

theappinstallation. smallgroupofusers,suchasadministratorsintheITdepartment
responsibleforadministeringthefirewall:
1. SelectNetwork > GlobalProtect > Portalsandselecttheportal
configurationtoedit.
2. SelecttheAgenttabandeitherselectanexistingconfiguration
orAddanewconfigurationtodeploytothetestusers/group.
3. OntheUser/User Grouptab,clickAddintheUser/UserGroup
sectionandthenselecttheuserorgroupwhowillbetesting
theagent.
4. IntheOSsection,selecttheappyouaretesting(iOS,Android,
orWindowsUWP).
5. (Optional)Selecttheagentconfigurationyoujust
created/modifiedandclickMove Upsothatitisbeforeany
moregenericconfigurationsyouhavecreated.
Step2 Fromthemobiledevice,followthe OnAndroiddevices,searchfortheapponGooglePlay.

promptstodownloadandinstalltheapp. OniOSdevices,searchfortheappattheAppStore.
OnWindows10UWPdevices,searchfortheappatthe
MicrosoftStore.
Step3 Launchtheapp. Whensuccessfullyinstalled,theGlobalProtectappicondisplayson

thedevicesHomescreen.Tolaunchtheapp,taptheicon.When
promptedtoenableGlobalProtectVPNfunctionality,tapOK.

InstalltheGlobalProtectMobileApp(Continued)
Step4 Connecttotheportal. 1. Whenprompted,enterthePortalnameoraddress,

Username,andPassword.TheportalnamemustbeanFQDN
anditshouldnotincludethehttps://atthebeginning.
2. TapConnect andverifythattheappsuccessfullyestablishesa
VPNconnectiontoGlobalProtect.
Ifathirdpartymobileendpointmanagementsystemis
configured,theappwillpromptyoutoenroll.

Download and Install the GlobalProtect App for Chrome OS
TheGlobalProtectappforChromeOSprovidesasimplewaytoextendtheenterprisesecuritypoliciesout
toChromebooks.AswithotherremotehostsrunningtheGlobalProtectagent,theappprovidessecure
accesstoyourcorporatenetworkoveranIPSecorSSLVPNtunnel.Aftertheuserinitiatesaconnection,the
appwillconnecttothegatewaythatisclosesttotheenduserscurrentlocation.Inaddition,traffictoand
fromtheChromebookisautomaticallysubjecttothesamesecuritypolicyenforcementasotherhostson
yourcorporatenetwork.LiketheGlobalProtectagent,theappcollectsinformationaboutthehost
configurationandcanusethisinformationforenhancedHIPbasedsecuritypolicyenforcement.
UsethefollowingprocedurestoinstallandtesttheGlobalProtectappforChromeOS.
InstalltheGlobalProtectAppfromtheChromeWebStore
DeploytheGlobalProtectAppUsingtheChromebookManagementConsole
TesttheGlobalProtectappforChromeOS
YoucaninstalltheGlobalProtectapponaChromebookbydownloadingtheappfromtheChromeWeb
Store.AsanalternativeyoucanDeploytheGlobalProtectAppUsingtheChromebookManagement
Console.
Step1 Createanagentconfigurationfortesting 1. SelectNetwork > GlobalProtect > Portals andselecttheportal

theappinstallation. configurationtoedit.
Asabestpractice,createan 2. SelecttheAgent tabandeitherselectanexistingconfiguration
agentconfigurationthatis orAddanewconfigurationtodeploytothetestusers/group.
limitedtoasmallgroupofusers,
3. OntheUser/User Grouptab,clickAddintheUser/User
suchasadministratorsintheIT
Groupsectionandthenselecttheuserorgroupthatwilltest
departmentandwhoresponsible
theagent.
foradministeringthefirewall.
4. IntheOSarea,selecttheappyouaretesting(Chrome)and
clickOK.
5. (Optional)Selecttheagentconfigurationyoujustcreatedor
modifiedandclickMove Upsothatitisbeforeanymore
genericconfigurationsyouhavecreated.
Step2 InstalltheGlobalProtectappforChrome 1. FromtheChromebook,searchfortheappintheChromeWeb

OS. StoreorgodirectlytotheGlobalProtectapppage.
Youcanalsoforceinstalltheappon 2. ClickAdd to Chromeandthenfollowthepromptstodownload
managedChromebooksusingthe andinstalltheapp.
ChromebookManagementConsole.See
DeploytheGlobalProtectAppUsingthe
ChromebookManagementConsole.
Step3 Launchtheapp. Whensuccessfullyinstalled,theChromeAppLauncherdisplaysthe

GlobalProtectappiconinthelistofapps.Tolaunchtheapp,click
theicon.

InstalltheGlobalProtectAppfromtheChromeWebStore(Continued)
Step4 Configuretheportal. 1. Whenprompted,entertheIPaddressorFQDNofthePortal.

Theportalshouldnotincludethehttps://atthebeginning.
2. ClickAdd ConnectiontoaddtheGlobalProtectVPN
configuration.
TheappdisplaysthehomescreenafteritaddstheVPN
configurationtotheInternetconnectionsettingsofyour
Chromebookbutdoesnotinitiateaconnection.
Step5 Testtheconnection. TesttheGlobalProtectappforChromeOS
DeploytheGlobalProtectAppUsingtheChromebookManagementConsole
TheChromebookManagementConsoleenablesyoutomanageChromebooksettingsandappsfroma
central,webbasedlocation.Fromtheconsole,youcandeploytheGlobalProtectapptoChromebooksand
customizeVPNsettings.
UsethefollowingworkflowtomanagepoliciesandsettingsfortheGlobalProtectappforChromeOS:
ConfiguretheGlobalProtectAppUsingtheChromebookManagementConsole
Step1 Viewtheusersettingsforthe 1. FromtheChromebookManagementConsole,selectDevice

GlobalProtectapp. management > Chrome management > App management.
Theconsoledisplaysthelistofappsconfiguredinall
organization(org)unitsinyourdomainanddisplaysthestatus
ofeachapp.ClickanappStatustodisplaytheorgunitsto
whichthatstatusisapplied.
2. SelecttheGlobalProtectappandthenselectUser settings.
Iftheappisnotpresent,SEARCHforGlobalProtectinthe
ChromeWebStore.

ConfiguretheGlobalProtectAppUsingtheChromebookManagementConsole(Continued)
Step2 Configurepoliciesandsettingsfor 1. Selecttheorgunitwhereyouwanttoconfiguresettingsand

everyoneinanorgunit. configureanyofthefollowingoptions:
Selectingthetoplevelorgunitappliessettingsto
everyoneinthatunit;selectingachildorgunitapplies
settingsonlytouserswithinthatchildorgunit.
Allow installationAllowusersinstallthisappfromthe
ChromeWebStore.Bydefault,anorgunitinheritsthe
settingsofitsparentorganization.Tooverridethedefault
settings,selectInherit,whichtogglestheOverridesetting.
Force installationInstallthisappautomaticallyand
preventsusersfromremovingit.
Pin to taskbarIftheappisinstalled,pintheapptothe
taskbar(inChromeOSonly).
Add to Chrome Web Store collectionRecommendthis
apptoyourusersintheChromeWebStore.
2. Ifyouhavenotalreadydoneso,createatextfileinJSON
formatthatusesthefollowingsyntaxandincludestheFQDN
orIPaddressofyourGlobalProtectportal:
{
"PortalAddress": {
"Value": "192.0.2.191"
}
}
3. OntheUser settingspage,selectUPLOAD CONFIGURATION
FILEandthenBrowsetotheGlobalProtectsettingsfile.
4. SAVEyourchanges.Settingstypicallytakeeffectwithin
minutes,butitmighttakeuptoanhourtopropagatethrough
yourorganization.
Step3 Testtheconnection. AfterChromeManagementConsolesuccessfullydeploystheapp,


UsetheGlobalProtectapptoviewstatusandotherinformationabouttheapportocollectlogs,orresetthe
VPNconnectionsettings.Afteryouinstallandconfiguretheapp,itisnotnecessarytoopentheappto
establishaVPNconnection.Instead,youcanconnectbyselectingtheportalfromtheVPNsettingsonthe
Chromebook.
TesttheGlobalProtectAppforChromeOS
Step1 LogintoGlobalProtect. 1. Clickthestatusareaatthebottomrightcornerofthe

Chromebook.
2. SelectVPN disconnectedandthenselecttheportalthatyou
enteredwhenconfiguringtheGlobalProtectVPNsettings.
ToviewVPNsettingsbeforeconnecting,selecttheportal
fromSettings > Private network,andthenclickConnect.
3. EntertheUsernameandPassword fortheportalandclick
Connect.RepeatthissteptoentertheUsernameand
Passwordforthegateway.Ifauthenticationissuccessful,
GlobalProtectconnectsyoutoyourcorporatenetwork.If
enabled,theGlobalProtectwelcomepagewilldisplay.
Step2 Viewtheconnectionstatus.Whenthe Toviewtheportaltowhichyouareconnected,clickthestatus

appisconnected,thestatusareadisplays area.
theVPNiconalongthebottomofthe
WiFiicon( ).
Toviewadditionalinformationabouttheconnectionincluding
thegatewaytowhichyouareconnected,launchthe
GlobalProtectapp.Themainpagedisplaysconnection
informationand(ifapplicable)anyerrorsorwarnings.

GlobalProtectClients DeployAgentSettingsTransparently
DeployAgentSettingsTransparently
Asanalternativetodeployingagentsettingsfromtheportalconfiguration,youcandefinethemdirectly
fromtheWindowsregistryorglobalMacplistoronWindowsclientsonlyusingtheWindowsInstaller
(Msiexec).ThebenefitisthatitenablesdeploymentofGlobalProtectagentsettingstoendpointspriorto
theirfirstconnectiontotheGlobalProtectportal.
SettingsdefinedintheportalconfigurationalwaysoverridesettingsdefinedintheWindowsregistryorMac
plist.Soifyoudefinesettingsintheregistryorplist,buttheportalconfigurationspecifiesdifferentsettings,
thesettingstheagentreceivesfromtheportalwilloverridethesettingsdefinedontheclient.Thisoverride
alsoappliestologinrelatedsettings,suchaswhethertoconnectondemand,whethertousesinglesignon
(SSO),andwhethertheagentcanconnectiftheportalcertificateisinvalid.Therefore,youshouldavoid
conflictingsettings.Inaddition,theportalconfigurationiscachedontheendpointandthatcached
configurationisbeusedanytimetheGlobalProtectagentisrestartedortheclientmachineisrebooted.
Thefollowingsectionsdescribethecustomizableagentsettingsavailableandhowtodeploythesesettings
transparentlytoWindowsandMacclients:
CustomizableAgentSettings
DeployAgentSettingstoWindowsClients
DeployAgentSettingstoMacClients
InadditiontousingWindowsregistryandMacplisttodeployGlobalProtectagentsettings,youcanenablethe
GlobalProtectagenttocollectspecificWindowsregistryorMacplistinformationfromclients,includingdataon
applicationsinstalledontheclients,processesrunningontheclients,andattributesorpropertiesofthose
applicationsandprocesses.Youcanthenmonitorthedataandaddittoasecurityruleasmatchingcriteria.
Devicetrafficthatmatchesregistrysettingsyouhavedefinedcanbeenforcedaccordingtothesecurityrule.
Additionally,youcansetupcustomcheckstoCollectApplicationandProcessDataFromClients.

DeployAgentSettingsTransparently GlobalProtectClients
Customizable Agent Settings
Inadditiontopredeployingtheportaladdress,youcanalsodefinetheagentconfigurationsettings.To
DeployAgentSettingstoWindowsClientsyoudefinekeysintheWindowsregistry
(HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect),or,toDeployAgent
SettingstoMacClientsyoudefineentriesinthePanSetupdictionaryoftheMacplist
(/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist).On
Windowsclientsonly,youcanalsousetheWindowsInstallertoDeployAgentSettingsfromMsiexec.
Table:CustomizableAgentBehaviorOptionsdescribeseachcustomizableagentsetting.Settingsdefinedin
theGlobalProtectportalagentconfigurationtakeprecedenceoversettingsdefinedintheWindowsregistry
ortheMacplist.
Somesettingsdonothaveacorrespondingportalconfigurationsettingsonthewebinterface,andmustbe
configuredusingWindowsregistryorMsiexec.Theseadditionalsettingsinclude:
can-prompt-user-credential,wrap-cp-guid,andfilter-non-gpcp.
AgentDisplayOptions
UserBehaviorOptions
AgentBehaviorOptions
ScriptDeploymentOptions
AgentDisplayOptions
ThefollowingtableliststheoptionsthatyoucanconfigureintheWindowsregistryandMacplistto
customizethedisplayoftheGlobalProtectagent.
Table:CustomizableAgentSettings
PortalAgentConfiguration WindowsRegistry/MacPlist MsiexecParameter Default
Enable Advanced View enable-advanced-view yes | no ENABLEADVANCEDVIEW=yes | no yes
Display GlobalProtect Icon show-agent-icon yes | no SHOWAGENTICON=yes | no yes
Enable Rediscover Network rediscover-network yes | n REDISCOVERNETWORK=yes | no yes

Option
Enable Resubmit Host Profile resubmit-host-info yes | no RESUBMITHOSTINFO=yes | no yes

Option
Show System Tray Notifications show-system-tray-notifications SHOWSYSTEMTRAYNOTIFICATIONS=yes | yes

yes | no no

UserBehaviorOptions
customizehowtheusercaninteractwiththeGlobalProtectagent.
Table:CustomizableUserBehaviorOptions
Allow User to Change Portal can-change-portal yes | no CANCHANGEPORTAL=yes | no yes

Address
Allow User to Dismiss Welcome enable-hide-welcome-page yes | ENABLEHIDEWELCOMEPAGE=yes | no yes

no
Page
Allow User to Continue with can-continue-if-portal-cert- CANCONTINUEIFPORTALCERTINVALID= yes

invalid yes | no yes | no
Invalid Portal Server
Certificate
Allow User to Disable disable-allowed yes | no DISABLEALLOWED="yes | no" no

GlobalProtect App
Save User Credentials save-user-credentials 0 | 1 | 2 SAVEUSERCREDENTIALS 0 | 1 | 2
Specifya0toprevent
GlobalProtectfromsaving
credentials,a1tosaveboth
usernameandpassword,ora2
tosavetheusernameonly.
Notinportal can-save-password yes | no CANSAVEPASSWORD=yes | no yes
TheAllow user to save

passwordsettingisdeprecated
inthewebinterfaceinPANOS
7.1andlaterreleasesbutis
configurablefromtheWindows
registryandMacplist.Anyvalue
specifiedintheSave User
Credentialsfieldoverwritesa
valuespecifiedhere.

AgentBehaviorOptions
customizethebehavioroftheGlobalProtectagent.
Table:CustomizableAgentBehaviorOptions
Connect Method connect-method on-demand | CONNECTMETHOD=on-demand | user-logon

pre-logon | user-logon pre-logon | user-logon
GlobalProtect App Config refresh-config-interval <hours> REFRESHCONFIGINTERVAL=<hours> 24

Refresh Interval (hours)
Update DNS Settings at flushdns yes | no FLUSHDNS=yes | no no

Connect (Windows Only)
Send HIP Report Immediately if wscautodetect yes | no WSCAUTODETECT=yes | no no

Windows Security Center
(WSC) State Changes (Windows
Only)
Detect Proxy for Each ProxyMultipleAutoDetection yes PROXYMULTIPLEAUTODETECTION=yes | no

| no no
Connection (Windows Only)
Clear Single Sign-On LogoutRemoveSSO yes | no LOGOUTREMOVESSO=yes | no yes

Credentials on Logout
(Windows Only)
Use Default Authentication on krb-auth-fail-fallback yes | no KRBAUTHFAILFALLBACK=yes | no no

Kerberos Authentication
Failure (Windows Only)
Custom Password Expiration PasswordExpiryMessage <message> PASSWORDEXPIRYMESSAGE <message>

Message (LDAP Authentication
Only)
Portal Connection Timeout PortalTimeout <portaltimeout> PORTALTIMEOUT=<portaltimeout> 30

(sec)
TCP Connection Timeout (sec) ConnectTimeout <connecttimeout> CONNECTTIMEOUT=<connecttimeout> 60
TCP Receive Timeout (sec) ReceiveTimeout <receivetimeout> RECEIVETIMEOUT=<receivetimeout> 30
Client Certificate Store Lookup certificate-store-lookup user | CERTIFICATESTORELOOKUP="user | user and

machine | user and machine | machine | user and machine | machine
invalid invalid"
SCEP Certificate Renewal scep-certificate-renewal-period n/a 7

<renewalPeriod>
Period (days)
Maximum Internal Gateway max-internal-gateway-connection MIGCA="<maxValue>" 0

-attempts <maxValue>
Connection Attempts
Extended Key Usage OID for ext-key-usage-oid-for-client-ce EXTCERTOID=<oidValue> n/a

rt <oidValue>
Client Certificate
User Switch Tunnel Rename user-switch-tunnel-rename-timeo n/a 0

ut <renameTimeout>
Timeout (sec)

Use Single Sign-On use-sso yes | no USESSO="yes | no" yes
(WindowsOnly)
Notinportal portal <IPaddress> PORTAL="<IPaddress>" n/a

Thissettingspecifiesthedefault
portalIPaddress(orhostname).
Notinportal prelogon 1 PRELOGON="1" 1
Thissettingenables
GlobalProtecttoinitiateaVPN
tunnelbeforeauserlogsinto
thedeviceandconnectstothe
GlobalProtectportal.
Windowsonly/Notinportal can-prompt-user-credential yes CANPROMPTUSERCREDENTIAL=yes | no yes

| no
Thissettingisusedin
conjunctionwithsinglesignon
(SSO)andindicateswhetheror
nottoprompttheuserfor
credentialsifSSOfails.
Windowsonly/Notinportal wrap-cp-guid {third party WRAPCPGUID={guid_value] no

credential provider guid} FILTERNONGPCP=yes | no
Thissettingfiltersthe
thirdpartycredentialproviders
tilefromtheWindowslogin
pagesothatonlythenative
Windowstileisdisplayed.*
Windowsonly/Notinportal filter-non-gpcp no n/a n/a

Thissettingisanadditional
optionforthesetting
wrap-cp-guid,andallowsthe
thirdpartycredentialprovider
tiletobedisplayedonthe
Windowsloginpage,inaddition
tothenativeWindowslogon
tile.*
*FordetailedstepstoenablethesesettingsusingtheWindowsregistryorWindowsInstaller(Msiexec),see
SSOWrappingforThirdPartyCredentialProvidersonWindowsClients.

ScriptDeploymentOptions
ThefollowingtabledisplaysoptionsthatenableGlobalProtecttoinitiatescriptsbeforeandafterestablishing
aVPNtunnelandbeforedisconnectingaVPNtunnel.Becausetheseoptionsarenotavailableintheportal,
youmustdefinethevaluesfortherelevantkeyeitherpre-vpn-connect,post-vpn-connect,or
pre-vpn-disconnectfromtheWindowsregistryorMacplist.Fordetailedstepstodeployscripts,see
DeployScriptsUsingtheWindowsRegistry,DeployScriptsUsingMsiexec,orDeployScriptsUsingtheMac
Plist.
Table:CustomizableScriptDeploymentOptions
Executethescriptspecifiedin command <parameter1> PREVPNCONNECTCOMMAND=<parameter1> n/a

<parameter2> [...] <parameter2> [...]
thecommandsetting(including
anyparameterspassedtothe Windows example: POSTVPNCONNECTCOMMAND=<parameter1
> <parameter2> [...]
script). command
%userprofile%\vpn_script.bat c:
PREVPNDISCONNECTCOMMAND=<paramete
Environmentalvariables test_user
r1> <parameter2> [...]
aresupported. Mac example:
Specifythefullpathin command $HOME/vpn_script.sh
/Users/test_user test_user
commands.
(Optional)Specifytheprivileges context admin | user PREVPNCONNECTCONTEXT=admin | user

user
underwhichthecommand(s)
canrun(defaultisuser:ifyoudo POSTVPNCONNECTCONTEXT=admin |
user
notspecifythecontext,the
commandrunsasthecurrent PREVPNDISCONNECTCONTEXT=admin |
user
activeuser).
(Optional)Specifythenumber timeout <value> PREVPNCONNECTTIMEOUT=<value> 0

ofsecondstheGlobalProtect POSTVPNCONNECTTIMEOUT=<value>
clientwaitsforthecommandto Example:
PREVPNDISCONNECTTIMEOUT=<value>
execute(rangeis0120).Ifthe timeout 60
commanddoesnotcomplete
beforethetimeout,theclient
proceedstoestablishor
disconnectfromtheVPNtunnel.
Avalueof0(thedefault)means
theclientwillnotwaitto
executethecommand.
Notsupportedfor
postvpnconnect.
(Optional)Specifythefullpath file <path_file> PREVPNCONNECTFILE=<path_file> n/a

ofafileusedinacommand.The POSTVPNCONNECTFILE=<path_file>
GlobalProtectclientwillverify
PREVPNDISCONNECTFILE=<path_file>
theintegrityofthefileby
checkingitagainstthevalue
specifiedinthechecksumkey.
Environmentalvariables
aresupported.

(Continued)PortalAgent WindowsRegistry/MacPlist MsiexecParameter Default
(Optional)Specifythesha256 checksum <value> PREVPNCONNECTCHECKSUM=<value> n/a

checksumofthefilereferredto
inthefilekey.Ifthechecksum POSTVPNCONNECTCHECKSUM=<value>
isspecified,theGlobalProtect PREVPNDISCONNECTCHECKSUM=<value>
clientexecutesthecommand(s)
onlyifthechecksumgenerated
bytheGlobalProtectclient
matchesthechecksumvalue
specifiedhere.
(Optional)Specifyanerror error-msg <message> PREVPNCONNECTERRORMSG=<message> n/a

messagetoinformtheuserthat Example: POSTVPNCONNECTERRORMSG=<message>
thecommand(s)cannotexecute error-msg Failed executing
PREVPNDISCONNECTERRORMSG=<message
orifthecommand(s)exitedwith pre-vpn-connect action! >
anonzeroreturncode.
Themessagemustbe
1,024orfewerANSI
characters.

Deploy Agent Settings to Windows Clients
UseWindowsregistryortheWindowsInstaller(Msiexec)todeploytheGlobalProtectagentandsettingsto
Windowsclientstransparently.
DeployAgentSettingsintheWindowsRegistry
DeployAgentSettingsfromMsiexec
DeployScriptsUsingtheWindowsRegistry
WindowsOSBatchScriptExamples
Example:ExcludeTrafficfromtheVPNTunnelonWindowsEndpoints
Example:MountaNetworkShareonWindowsEndpoints
DeployScriptsUsingMsiexec
Example:UseMsiexectoDeployScriptsthatRunBeforeaConnectEvent
Example:UseMsiexectoDeployScriptsthatRunatPreConnect,PostConnect,andPreDisconnect
Events
SSOWrappingforThirdPartyCredentialProvidersonWindowsClients
EnableSSOWrappingforThirdPartyCredentialswiththeWindowsRegistry
EnableSSOWrappingforThirdPartyCredentialswiththeWindowsInstaller
DeployAgentSettingsintheWindowsRegistry
YoucanenabledeploymentofGlobalProtectagentsettingstoWindowsclientspriortotheirfirst
connectiontotheGlobalProtectportalbyusingtheWindowsregistry.Usetheoptionsdescribedinthe
followingtabletobeginusingtheWindowsregistrytocustomizeagentsettingsforWindowsclients.
InadditiontousingWindowsregistrytodeployGlobalProtectagentsettings,youcanenabletheGlobalProtect
agenttocollectspecificWindowsregistryinformationfromWindowsclients.Youcanthenmonitorthedataand
addittoasecurityruleasmatchingcriteria.Devicetrafficthatmatchesregistrysettingsyouhavedefinedcanbe
enforcedaccordingtothesecurityrule.Additionally,youcansetupcustomcheckstoCollectApplicationand
ProcessDataFromClients.
UsetheWindowsRegistrytoDeployGlobalProtectAgentSettings
LocatetheGlobalProtectagentcustomization OpentheWindowsregistry(enterregeditatthecommand
settingsintheWindowsregistry. prompt)andgoto:
HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto
Networks\GlobalProtect\Settings\

UsetheWindowsRegistrytoDeployGlobalProtectAgentSettings(Continued)
Settheportalname. Ifyoudonotwanttheusertomanuallyentertheportaladdress
evenforthefirstconnection,youcanpredeploytheportaladdress
throughtheWindowsregistry:
(HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto
Networks\GlobalProtect\PanSetup with key Portal).
DeployvarioussettingstotheWindowsclient ViewTable:CustomizableAgentBehaviorOptionsforafulllistof
fromtheWindowsregistry,including thecommandsandvaluesyoucansetupusingtheWindows
configuringtheconnectmethodforthe registry.
GlobalProtectagentandenablingsinglesignon
(SSO).
EnabletheGlobalProtectagenttowrap EnableSSOWrappingforThirdPartyCredentialswiththe
thirdpartycredentialsontheWindowsclient, WindowsRegistry.
allowingforSSOwhenusingathirdparty
credentialprovider.
DeployAgentSettingsfromMsiexec
OnWindowsendpoints,youhavetheoptiontodeploytheagentandthesettingsautomaticallyfromthe
WindowsInstaller(Msiexec)byusingthefollowingsyntax:
msiexec.exe /i GlobalProtect.msi <SETTING>="<value>"
Msiexecisanexecutableprogramthatinstallsorconfiguresaproductfromthecommandline.Onsystems
runningMicrosoftWindowsXPoralaterOS,themaximumlengthofthestringthatyoucanuseatthecommand
promptis8,191characters.
MsiexecExample Description
msiexec.exe /i GlobalProtect.msi /quiet InstallGlobalProtectinquietmode(nouserinteraction)

PORTAL=portal.acme.com andconfiguretheportaladdress.
msiexec.exe /i GlobalProtect.msi InstallGlobalProtectwiththeoptiontopreventusers

CANCONTINUEIFPORTALCERTINVALID=no fromconnectingtotheportalifthecertificateisnotvalid.

Foracompletelistofsettingsandthecorrespondingdefaultvalues,seeTable:CustomizableAgentBehavior
Options.
TosetuptheGlobalProtectagenttowrapthirdpartycredentialsonaWindowsclientfromMsiexec,seeEnable
SSOWrappingforThirdPartyCredentialswiththeWindowsInstaller.
DeployScriptsUsingtheWindowsRegistry
YoucanenabledeploymentofcustomscriptstoWindowsendpointsusingtheWindowsregistry.
YoucanconfiguretheGlobalProtectagenttoinitiateandrunascriptforanyorallofthefollowingevents:
beforeandafterestablishingthetunnel,andbeforedisconnectingthetunnel.Torunthescriptataparticular
event,referencethebatchscriptfromacommandregistryentryforthatevent.
Dependingontheconfigurationsettings,theGlobalProtectagentcanrunascriptbeforeandaftertheagent
establishesaVPNtunnelwiththegateway,andbeforetheagentdisconnectsfromtheVPNtunnel.Usethe
followingworkflowtogetstartedusingtheWindowsregistrytocustomizeagentsettingsforWindows
clients.
TheregistrysettingsthatenableyoutodeployscriptsaresupportedinGlobalProtectclientsrunning
GlobalProtectagent2.3andlaterreleases.
DeployScriptsintheWindowsRegistry
Step1 OpentheWindowsregistry,andlocate OpentheWindowsregistry(enterregeditinthecommand

theGlobalProtectagentcustomization prompt)andgotothelocationofthekeydependingonwhenyou
settings. wanttoexecutescripts(pre/postconnectorpredisconnect):
Networks\GlobalProtect\Settings\pre-vpn-connect
Networks\GlobalProtect\Settings\post-vpn-connect
Networks\GlobalProtect\Settings\pre-vpn-disconne
ct
IfthekeydoesnotexistwithintheSettingskey,createit
(rightclickSettingsandselectNew > Key).

DeployScriptsintheWindowsRegistry(Continued)
Step1 EnabletheGlobalProtectagenttorun 1. Ifthecommandstringdoesnotalreadyexist,createit

scriptsbycreatinganewStringValue (rightclickthepre-vpn-connect,post-vpn-connect,or
namedcommand. pre-vpn-disconnectkey,selectNew > String Value,and
Thebatchfilespecifiedhereshould nameitcommand).
containthespecificscript(includingany 2. RightclickcommandandselectModify.
parameterspassedtothescript)thatyou
3. EnterthecommandsorscriptthattheGlobalProtectagent
wantrunonthedevice.Forexamples,
shouldrun.Forexample:
seeWindowsOSBatchScriptExamples.
%userprofile%\pre_vpn_connect.bat c: test_user
Step2 (Optional)Addadditionalregistryentries Createormodifyregistrystringsandtheircorrespondingvalues,

asneededforeachcommand. includingcontext,timeout,file,checksum,orerror-msg.For
additionalinformation,seeCustomizableAgentSettings.
WindowsOSBatchScriptExamples
event,referencethebatchscriptfromacommandregistryentryforthatevent.Thefollowingtopicsshow
examplesofscriptsyoucanrunonWindowssystemsatpreconnect,postconnect,andpredisconnect
events:
Example:ExcludeTrafficfromtheVPNTunnelonWindowsEndpoints
ToexcludetrafficfromtheVPNtunnelafterestablishingtheVPNconnection,referencethefollowingscript
fromacommandregistryentryforapostvpnconnectevent.Thisenablesyoutoselectivelyexcluderoutes
andtosendallothertrafficthroughtheVPNtunnel.
Asabestpractice,deleteanyexcludenetworkroutesthatwerepreviouslyaddedbeforeaddingthenewexclude
routes.Inmostcases,whenausermovesbetweennetworks(suchaswhenswitchingbetweenWiFiandalocal
network)theoldnetworkroutesareautomaticallydeleted.Intheeventthattheoldnetworkroutespersist,
followingthisbestpracticeensuresthattrafficdestinedfortheexcluderouteswillgothroughthegatewayof
thenewnetworkinsteadofthegatewayoftheoldnetwork.
Forascriptthatyoucancopyandpaste,gohere.

@echo off
REM Run this script (route_exclude) post-vpn-connect.
REM Add exclude routes. This allows traffic to these network and hosts to go directly
and not use the tunnel.
REM Syntax: route_exclude <network1> <mask1> <network2> <mask2> ...<networkN> <maskN>
REM Example-1: route_exclude 10.0.0.0 255.0.0.0
REM Example-2: route_exclude 10.0.0.0 255.0.0.0 192.168.17.0 255.255.255.0
REM Example-3: route_exclude 10.0.0.0 255.0.0.0 192.168.17.0 255.255.255.0
192.168.24.25 255.255.255.255
REM Initialize 'DefaultGateway'

set "DefaultGateway="
REM Use the route print command and find the DefaultGateway on the endpoint
@For /f "tokens=3" %%* in (
'route.exe print ^|findstr "\<0.0.0.0\>"'
) Do if not defined DefaultGateway Set "DefaultGateway=%%*"
REM Use the route add command to add the exclude routes
:add_route
if "%1" =="" goto end
route delete %1
route add %1 mask %2 %DefaultGateway%
shift
shift
goto add_route
:end
Example:MountaNetworkShareonWindowsEndpoints
TomountanetworkshareafterestablishingaVPNconnection,referencethefollowingscriptfroma
commandregistryentryforapostvpnconnectevent:
@echo off
REM Mount filer1 to Z: drive
net use Z: \\filer1.mycompany.local\share /user:mycompany\user1
DeployScriptsUsingMsiexec
OnWindowsclients,youcanusetheWindowsInstaller(Msiexec)todeploytheagent,agentsettings,and
scriptsthattheagentwillrunautomatically(seeCustomizableAgentSettings).Todoso,usethefollowing
syntax:
msiexec.exe /i GlobalProtect.msi <SETTING>="<value>"
Msiexecisanexecutableprogramthatinstallsorconfiguresaproductfromacommandline.Onsystemsrunning
MicrosoftWindowsXPoralaterrelease,themaximumlengthofthestringthatyoucanuseatthecommand
promptis8,191characters.
Thislimitationappliestothecommandline,individualenvironmentvariables(suchastheUSERPROFILEvariable)
thatareinheritedbyotherprocesses,andallenvironmentvariableexpansions.Ifyourunbatchfilesfromthe
commandline,thislimitationalsoappliestobatchfileprocessing.

Forexample,todeployscriptsthatrunatspecificconnectordisconnectevents,youcanusesyntaxsimilar
tothefollowingexamples:
Example:UseMsiexectoDeployScriptsthatRunatPreConnect,PostConnect,andPreDisconnect
Events
msiexec.exe /i GlobalProtect.msi
PREVPNCONNECTCOMMAND="%userprofile%\pre_vpn_connect.bat c: test_user"
PREVPNCONNECTCONTEXT="user"
PREVPNCONNECTTIMEOUT="60"
PREVPNCONNECTFILE="C:\Users\test_user\pre_vpn_connect.bat"
PREVPNCONNECTCHECKSUM="a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599"
PREVPNCONNECTERRORMSG="Failed executing pre-vpn-connect action."
Foracompletelistofsettingsandthecorrespondingdefaultvalues,seeCustomizableAgentSettings.Or,
forexamplesofbatchscripts,seeWindowsOSBatchScriptExamples.
Example:UseMsiexectoDeployScriptsthatRunatPreConnect,PostConnect,and
PreDisconnectEvents
msiexec.exe /i GlobalProtect.msi
PREVPNCONNECTCOMMAND="%userprofile%\pre_vpn_connect.bat c: test_user"
PREVPNCONNECTCONTEXT="user"
PREVPNCONNECTTIMEOUT="60"
PREVPNCONNECTFILE="C:\Users\test_user\pre_vpn_connect.bat"
PREVPNCONNECTCHECKSUM="a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599"
PREVPNCONNECTERRORMSG="Failed executing pre-vpn-connect action."
POSTVPNCONNECTCOMMAND="c:\users\test_user\post_vpn_connect.bat c: test_user"
POSTVPNCONNECTCONTEXT="admin"
POSTVPNCONNECTFILE="%userprofile%\post_vpn_connect.bat"
POSTVPNCONNECTCHECKSUM="b48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf598"
POSTVPNCONNECTERRORMSG="Failed executing post-vpn-connect action."
PREVPNDISCONNECTCOMMAND="%userprofile%\pre_vpn_disconnect.bat c: test_user"
PREVPNDISCONNECTCONTEXT="admin"
PREVPNDISCONNECTTIMEOUT="0"
PREVPNDISCONNECTFILE="C:\Users\test_user\pre_vpn_disconnect.bat"
PREVPNDISCONNECTCHECKSUM="c48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf597"
PREVPNDISCONNECTERRORMSG="Failed executing pre-vpn-disconnect action."
Foracompletelistofsettingsandthecorrespondingdefaultvalues,seeCustomizableAgentSettings.Or,
forexamplesofbatchscripts,seeWindowsOSBatchScriptExamples.

SSOWrappingforThirdPartyCredentialProvidersonWindowsClients
OnWindows7andWindowsVistaclients,theGlobalProtectagentutilizestheMicrosoftcredentialprovider
frameworktosupportsinglesignon(SSO).WithSSO,theGlobalProtectcredentialproviderwrapsthe
Windowsnativecredentialprovider,whichenablesGlobalProtecttouseWindowslogincredentialsto
automaticallyauthenticateandconnecttotheGlobalProtectportalandgateway.
Insomescenarioswhenotherthirdpartycredentialprovidersalsoexistontheclient,theGlobalProtect
credentialproviderisunabletogatherauser'sWindowslogincredentialsand,asaresult,GlobalProtectfails
toautomaticallyconnecttotheGlobalProtectportalandgateway.IfSSOfails,youcanidentifythe
thirdpartycredentialproviderandthenconfiguretheGlobalProtectagenttowrapthosethirdparty
credentials,whichenablesuserstosuccessfullyauthenticatetoWindows,GlobalProtect,andthethirdparty
credentialproviderallinasinglestepusingonlytheirWindowslogincredentialswhentheylogintotheir
Windowssystem.
Optionally,youcanconfigureWindowstodisplayseparatelogintiles:oneforeachthirdpartycredential
providerandanotherforthenativeWindowslogin.Thisisusefulwhenathirdpartycredentialprovideradds
additionalfunctionalityinthelogintilethatdoesnotapplytoGlobalProtect.
UsetheWindowsregistryortheWindowsInstaller(Msiexec)toallowGlobalProtecttowrapthirdparty
credentials:
GlobalProtectSSOwrappingforthirdpartycredentialproviders(CPs)isdependentonthe
thirdpartyCPsettingsand,insomecases,GlobalProtectSSOwrappingmightnotworkcorrectly
ifthethirdpartyCPimplementationdoesnotallowGlobalProtecttosuccessfullywraptheirCP.

UsethefollowingstepsintheWindowsregistrytoenableSSOtowrapthirdpartycredentialsonWindows
7andWindowsVistaclients.
UsetheWindowsRegistrytoEnableSSOWrappingforThirdPartyCredentials
Step1 OpentheWindowsregistryandlocate 1. Fromthecommandprompt,enterthecommandregeditto

thegloballyuniqueidentifier(GUID)for opentheWindowsregistry.
thethirdpartycredentialproviderthat 2. Locatecurrentlyinstalledcredentialprovidersatthefollowing
youwanttowrap. location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Authentication\Credential Providers.
3. CopytheGUIDkeyforthecredentialproviderthatyouwant
towrap(includingthecurlybrackets{ and} oneitherend
oftheGUID):

UsetheWindowsRegistrytoEnableSSOWrappingforThirdPartyCredentials(Continued)
Step2 EnableSSOwrappingforthirdparty 1. GotothefollowingWindowsregistrylocation:

credentialprovidersbyaddingthe HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\
settingwrap-cp-guidtothe GlobalProtect:
GlobalProtectregistry.
2. AddanewString Value:
3. EntervaluesfortheString Value:
Name:wrap-cp-guid
Value data:{<third-party credential provider GUID>}
FortheValue datafield,theGUIDvaluethatyou
entermustbeenclosedwithcurlybrackets:{ and
}.
Thefollowingisanexampleofwhatathirdparty
credentialproviderGUIDintheValue data field
mightlooklike:
{A1DA9BCC-9720-4921-8373-A8EC5D48450F}
ForthenewStringValue,wrap-cp-guidisdisplayedasthe
StringValuesNameandtheGUIDisdisplayedastheData.
Step3 NextSteps: YoucanconfigureSSOwrappingforthirdpartycredential

providerssuccessfullybycompletingsteps1and2.Withthis
setup,thenativeWindowslogontileisdisplayedtousers.Users
clickthetileandlogintothesystemwiththeirWindows
credentialsandthatsingleloginauthenticatestheusersto
Windows,GlobalProtect,andthethirdpartycredentialprovider.
(Optional)Ifyouwanttodisplaytwotilestousersatlogin,the
nativeWindowstileandthetileforthethirdpartycredential
provider,continuetoStep 4.

UsetheWindowsRegistrytoEnableSSOWrappingforThirdPartyCredentials(Continued)
Step4 (Optional)Allowthethirdparty AddasecondString Value withtheName filter-non-gpcpand

credentialprovidertiletobedisplayedto enternoforthestringsValue data:
usersatlogin.
WiththisstringvalueaddedtotheGlobalProtectsettings,twologin
optionsarepresentedtouserswhenloggingintotheirWindows
system:thenativeWindowstileandthethirdpartycredential
providerstile.
UsethefollowingoptionsintheWindowsInstaller(Msiexec)toenableSSOtowrapthirdpartycredential
providersonWindows7andWindowsVistaclients.
UsetheWindowsInstallertoEnableSSOWrappingforThirdPartyCredentials
Wrapthirdpartycredentialsanddisplaythenativetiletousersatlogin.Usersclickthetileandlogintothe
systemwiththeirnativeWindowscredentialsandthatsingleloginauthenticatesuserstoWindows,
GlobalProtect,andthethirdpartycredentialprovider.
UsethefollowingsyntaxfromtheWindowsInstaller(Msiexec):
msiexec.exe /i GlobalProtect.msi WRAPCPGUID={guid_value} FILTERNONGPCP=yes
Inthesyntaxabove,theFILTERNONGPCP parametersimplifiesauthenticationfortheuserbyfilteringthe
optiontologintothesystemusingthethirdpartycredentials.
Ifyouwouldlikeuserstohavetheoptiontologinwiththethirdpartycredentials,usethefollowingsyntax
fromtheMsiexec:
msiexec.exe /i GlobalProtect.msi WRAPCPGUID={guid_value} FILTERNONGPCP=no
Inthesyntaxabove,theFILTERNONGPCP parameterissettono,whichfiltersoutthethirdpartycredential
providerslogontilesothatonlythenativetiledisplays.Inthiscase,boththenativeWindowstileandthe
thirdpartycredentialprovidertileisdisplayedtouserswhenloggingintotheWindowssystem.
Deploy Agent Settings to Mac Clients
UsetheMacglobalplist(propertylist)filetosetGlobalProtectagentcustomizationsettingsforortodeploy
scriptstoMacendpoints.
DeployAgentSettingsintheMacPlist
DeployScriptsUsingtheMacPlist
MacOSScriptExamples
Example:TerminateAllEstablishedSSHSessionsonMacEndpoints
Example:MountaNetworkShareonMacEndpoints

DeployAgentSettingsintheMacPlist
YoucansettheGlobalProtectagentcustomizationsettingsintheMacglobalplist(Propertylist)file.This
enablesdeploymentofGlobalProtectagentsettingstoMacendpointspriortotheirfirstconnectiontothe
GlobalProtectportal.
OnMacsystems,plistfilesareeitherlocatedin/Library/Preferencesorin~/Library/Preferences.Thetilde
(~)symbolindicatesthatthelocationisinthecurrentuser'shomefolder.TheGlobalProtectagentonaMac
clientfirstchecksfortheGlobalProtectplistsettings.Iftheplistdoesnotexistatthatlocation,the
GlobalProtectagentsearchesforplistsettingsin~/Library/Preferences.
InadditiontousingtheMacplisttodeployGlobalProtectagentsettings,youcanenabletheGlobalProtectagent
tocollectspecificMacplistinformationfromclients.Youcanthenmonitorthedataandaddittoasecurityrule
asmatchingcriteria.Devicetrafficthatmatchesregistrysettingsyouhavedefinedcanbeenforcedaccordingto
thesecurityrule.Additionally,youcansetupcustomcheckstoCollectApplicationandProcessDataFrom
Clients.
UsetheMacPlisttoDeployGlobalProtectAgentSettings
OpentheGlobalProtectplistfileandlocatethe UseXcodeoranalternateplisteditortoopentheplistfile:
GlobalProtectagentcustomizationsettings. /Library/Preferences/com.paloaltonetworks.Global
Protect.settings.plist
Thengoto:
/Palo Alto Networks/GlobalProtect/Settings
IftheSettingsdictionarydoesnotexist,createit.Thenaddeach
keytotheSettingsdictionaryasastring.
Settheportalname. Ifyoudontwanttheusertomanuallyentertheportaladdresseven
forthefirstconnection,youcanpredeploytheportaladdress
throughtheMacplist.UnderthePanSetupdictionary,configurean
entryforPortal.
DeployvarioussettingstotheMacclientfrom ViewCustomizableAgentSettingsforafulllistofthekeysand
theMacplist,includingconfiguringtheconnect valuesthatyoucanconfigureusingtheMacplist.
methodfortheGlobalProtectagent.

WhenauserconnectstotheGlobalProtectgatewayforthefirsttime,theGlobalProtectagentdownloadsa
configurationfileandstoresagentsettingsinaGlobalProtectMacpropertyfile(plist).Inadditiontomaking
changestotheagentsettings,youusetheMacplisttodeployscriptsatanyorallofthefollowingevents:
beforeandafterestablishingthetunnel,andbeforedisconnectingthetunnel.Usethefollowingworkflow
togetstartedusingtheMacplisttodeployscriptstoMacendpoints.
TheMacplistsettingsthatenableyoutodeployscriptsaresupportedinGlobalProtectclientsrunning
GlobalProtectagent2.3andlaterreleases.
Step1 (ClientsrunningMacOSX10.9ora Toclearthedefaultpreferencescache,runthekillall cfprefsd

laterOS)Flushthesettingscache.This commandfromaMacterminal.
preventstheOSfromusingthecached
preferencesaftermakingchangestothe
plist.
Step2 OpentheGlobalProtectplistfile,and UseXcodeoranalternateplisteditortoopentheplistfile

locateorcreatetheGlobalProtect (/Library/Preferences/com.paloaltonetworks.GlobalProte
dictionaryassociatedwiththeconnect ct.settings.plist)andgotothelocationofthedictionary:
ordisconnectevent.Thedictionary /Palo Alto
underwhichyouwilladdthesettingswill Networks/GlobalProtect/Settings/pre-vpn-connect
determinewhentheGlobalProtectagent /Palo Alto
runsthescript(s). Networks/GlobalProtect/Settings/post-vpn-connect
/Palo Alto
Networks/GlobalProtect/Settings/pre-vpn-disconnect
IfSettingsdictionarydoesnotexist,createit.Then,in
Settings,createanewdictionaryfortheeventorevents
atwhichyouwanttorunscripts.
Step3 EnabletheGlobalProtectagenttorun Ifthecommandstringdoesnotalreadyexist,addittothedictionary

scriptsbycreatinganewStringnamed andspecifythescriptandparametersintheValuefield,for
command. example:
Thevaluespecifiedhereshould $HOME\pre_vpn_connect.sh /Users/username username
referencetheshellscript(andthe Environmentalvariablesaresupported.
parameterstopasstothescript)thatyou
wantrunonyourdevices.SeeMacOS
Asabestpractice,specifythefullpathincommands.
ScriptExamples.
Step4 (Optional)Addadditionalsettings Createormodifyadditionalstringsintheplist(context,timeout,

relatedtothecommand,including file,checksum,and/orerror-msg) andentertheir
administratorprivileges,atimeoutvalue correspondingvalues.Foradditionalinformation,see
forthescript,checksumvalueforthe CustomizableAgentSettings.
batchfile,andanerrormessageto
displayifthecommandfailstoexecute
successfully.
Step5 Savethechangestotheplistfile. Savetheplist.

MacOSScriptExamples
event,referencetheshellscriptfromacommandplistentryforthatevent.Thefollowingtopicsshow
examplesofscriptsthatyoucanrunatpreconnect,postconnectandpredisconnectevents:
ToforceterminationofallestablishedSSHsessionsbeforesettinguptheVPNtunnel,referencethe
followingscriptfromacommandplistentryforaprevpnconnectevent.Similarly,youcanreestablishthe
sessionsafterestablishingtheGlobalProtectVPNtunnelbyusingascriptthatyoureferencefromthe
commandplistentryforapostvpnconnectevent.ThiscanbeusefulifyouwanttoforceallSSHtrafficto
traversetheGlobalProtectVPNtunnel.
#!bin/bash
# Identify all SSH sessions and force kill them
ps | grep ssh | grep -v grep | awk '{ print $1 }' | xargs kill -9
TomountanetworkshareafterestablishingaVPNconnection,referencethefollowingscriptfromacommand
plistentryforapostvpnconnectevent:
#!/bin/bash
mkdir $1
mount -t smbfs
//username:password@10.101.2.17/shares/Departments/Engineering/SW_eng/username/folder
$1
sleep 1

GlobalProtectClients GlobalProtectClientlessVPN
GlobalProtectClientlessVPN
GlobalProtectClientlessVPNprovidessecureremoteaccesstocommonenterprisewebapplications.Users
havetheadvantageofsecureaccessfromSSLenabledwebbrowserswithoutinstallingGlobalProtectclient
software.Thisisusefulwhenyouneedtoenablepartnerorcontractoraccesstoapplications,andtosafely
enableunmanagedassets,includingpersonaldevices.YoucanconfiguretheGlobalProtectportallanding
pagetoprovideaccesstowebapplicationsbasedonusersandusergroupsandalsoallowsinglesignonto
SAMLenabledapplications.Thefollowingtopicsprovideinformationonhowtoconfigureandtroubleshoot
ClientlessVPN.
Thisfeatureisavailableasapublicbetarelease.
ClientlessVPNOverview
SupportedTechnologies
ConfigureClientlessVPN
TroubleshootClientlessVPN
Clientless VPN Overview
WhenyouconfigureClientlessVPN,remoteuserscanlogintotheGlobalProtectportalusingawebbrowser
andlaunchthewebapplicationsyoupublishfortheuser.Basedonusersorusergroups,youcanallowusers
toaccessasetofapplicationsthatyoumakeavailabletothem,orallowthemtoaccessadditionalcorporate
applicationsbyenteringacustomapplicationURL.
Afterloggingintotheportal,usersseeapublishedapplicationspagewithalistofwebapplicationstheycan
launch.(YoucanusethedefaultapplicationslandingpageontheGlobalProtectportalorcreateacustom
landingpageforyourenterprise.)
Figure:ApplicationsLandingPageforClientlessVPN
Becausethispagereplacesthedefaultportallandingpage,itincludesalinktotheGlobalProtectagent
downloadpage.Ifconfigured,userscanalsoselectApplication URL andenterURLstolaunchadditional,
unpublishedcorporatewebapplications.

GlobalProtectClientlessVPN GlobalProtectClients
Whenyouconfigureonlyonewebapplication(anddisableaccesstounpublishedapplications),insteadof
takingtheusertothepublishedapplicationspage,theapplicationwilllaunchautomaticallyassoonasthe
userlogsin.IfyoudonotconfigureGlobalProtectClientlessVPN,userswillseetheagentsoftware
downloadpagewhentheylogintotheportal.
WhenyouconfigureGlobalProtectClientlessVPN,youneedsecuritypoliciestoallowtrafficfrom
GlobalProtectendpointstothesecurityzoneassociatedwiththeGlobalProtectportalthathoststhe
publishedapplicationslandingpageandsecuritypoliciestoallowuserbasedtrafficfromtheGlobalProtect
portalzonetothesecurityzonewherethepublishedapplicationserversarehosted.Thesecuritypolicies
youdefinecontrolwhichusershavepermissiontouseeachpublishedapplication.
Figure:ZonesandSecurityPolicyforClientlessVPN
Supported Technologies
ClientlessVPNisavailableasapublicbetarelease.MakesureyouthroughlytestyourClientlessVPN
applicationsinacontrolledenvironmentbeforedeployingthemormakingthemavailabletoalargenumber
ofusers.
YoucanconfiguretheGlobalProtect portalto providesecureremoteaccesstocommonenterpriseweb
applicationsthatuseHTML,HTML5,andJavascripttechnologies.Othertechnologies(suchasAdobe
FlashorMicrosoftSliverlight)arenotsupported.
SupportedoperatingsystemsareWindows,Mac,iOS,Android,Chrome,andLinux.
SupportedbrowsersarethelatestversionsofChrome,InternetExplorer,Safari,andFirefox.

ThetablebelowshowsapplicationsthatPaloAltoNetworkshasspecificallyqualifiedforpublicbeta,butyou
cantestanyapplicationthatusesHTML,HTML5,orJavascript.
QualifiedApplicationsforClientlessVPN
MicrosoftOutlookWebAccess2014 APD
MicrosoftSharePoint2013 Box
Google Drive Bugzilla
GoogleGmailforBusiness Drupal
Atlassian Confluence Jive!
Atlassian JIRA Joomla
Configure Clientless VPN
ClientlessVPNrequiresyoutoinstallaGlobalProtectsubscriptiononthefirewallthathoststheClientless
VPNfromtheGlobalProtectportal.YoualsoneedtheGlobalProtect Clientless VPNdynamicupdatestouse
thisfeature.RefertoActiveLicensesandSubscriptionsandInstallContentandSoftwareUpdates.Asabest
practice,configureaseparateFQDNfortheGlobalProtectportalthathostsClientlessVPN.Donotusethe
sameFQDNasthePANOSWebInterface.
ConfigureClientlessVPN
Step1 Configuretheapplicationsthatare 1. SelectNetwork > GlobalProtect > Clientless AppsandAdd

availableusingGlobalProtectClientless oneormoreapplications.Foreachapplication,specifythe
VPN.TheGlobalProtectportaldisplays following:
theseapplicationsonthelandingpage NameAdescriptivenamefortheapplication(upto31
thatusersseewhentheylogin(the characters).Thenameiscasesensitiveandmustbeunique.
applicationslandingpage). Useonlyletters,numbers,spaces,hyphens,and
underscores.
Location(forafirewallthatisinmultiplevirtualsystem
mode)thevirtualsystem(vsys)wheretheClientlessVPN
applicationsareavailable.Forafirewallthatisnotin
multivsysmode,theLocationfielddoesnotappear.
Application Home URLTheURLwheretheweb
applicationislocated(upto4095characters).
Application Description(Optional)Abriefdescriptionof
theapplication(upto255characters).
Application Icon (Optional)Anicontoidentifythe
applicationonthepublishedapplicationpage.Youcan
browsetouploadtheicon.
2. ClickOK.

ConfigureClientlessVPN(Continued)
Step2 (Optional).Creategroupstomanagesets 1. SelectNetwork > GlobalProtect > Clientless App Groups.Add

ofwebapplications. anewClientlessVPNapplicationgroupandspecifythe
ClientlessAppGroupsareusefulifyou following:
wanttomanagemultiplecollectionsof NameAdescriptivenamefortheapplicationgroup(upto
applicationsandprovideaccessbasedon 31characters).Thenameiscasesensitiveandmustbe
usergroups.Forexample,financial unique.Useonlyletters,numbers,spaces,hyphens,and
applicationsfortheG&Ateamor underscores.
developerapplicationsforthe Location(forafirewallthatisinmultiplevirtualsystem
Engineeringteam. mode)thevirtualsystem(vsys)wheretheClientlessVPN
applicationgroupisavailable.Forafirewallthatisnotin
multivsysmode,theLocationfielddoesnotappear.
2. IntheApplicationsarea,Addapplicationstothegroup.You
canselectfromthelistofexistingClientlessVPNapplications
ordefineaNew Clientless App.
3. ClickOK.

Step3 ConfiguretheGlobalProtectportalto 1. SelectNetwork > GlobalProtect > Portalandselectan

providetheClientlessVPNservice. existingportalconfigurationorAddanewportal.RefertoSet
UpAccesstotheGlobalProtectPortal.
2. IntheAuthenticationtab,youcan:
(Optional)Createanewclientauthenticationspecifically
forClientlessVPN.Inthiscase,chooseBrowserastheOS
forClient Authentication.
Useanexistingclientauthentication.
3. InClientless > General,selectClientless VPNtoenablethe
portalserviceandconfigurethefollowing:
SpecifyaHostname(IPaddressorfullyqualifieddomain
name)fortheGlobalProtectportalthathoststhe
applicationslandingpage.Thishostnameisusedfor
rewritingapplicationURLs.(FormoreinformationonURL
rewriting,refertoStep 7).
IfyouuseNetworkAddressTranslation(NAT)to
provideaccesstotheGlobalProtectportal,theIP
addressorFQDNyouentermustmatch(orresolve
to)theNATIPaddressfortheGlobalProtectportal
(thepublicIPaddress).
SpecifyaSecurity Zone.Thiszoneisusedasasourcezone
forthetrafficbetweenthefirewallandtheapplications.
Securityrulesdefinedfromthiszonetotheapplication
zonedeterminewhichapplicationscanbeaccessed.
SelectaDNS ProxyserverorconfigureaNew DNS Proxy.
GlobalProtectwillusethisproxytoresolveapplication
names.RefertoDNSProxyObject.
Login LifetimeSpecifythemaximumhoursorminutes
thataClientlessVPNsessionisvalid.Thetypicalsession
timeis3hours.Therangeforhoursis124;therangefor
minutesis601440.Afterthesessionexpires,usersmust
reauthenticateandstartanewClientlessVPNsession.
Inactivity TimeoutSpecifythenumberofhoursor
minutesthataClientlessVPNsessioncanremainidle.The
typicalinactivitytimeoutis30minutes.Therangeforhours
is124;therangeforminutesis5to1440.Ifthereisno
useractivityduringthespecifiedamountoftime,users
mustreauthenticateandstartanewClientlessVPN
session.
Max UserSpecifythemaximumnumberofuserswhocan
beloggedintotheportalatthesametime.Ifnovalueis
specified,thenendpointcapacityisassumed.Ifthe
endpointcapacityisunknown,thenacapacityof50users
isassumed.Whenthemaximumnumberofusersis
reached,additionalClientlessVPNuserscannotloginto
theportal.

Step4 Mapusersandusergroupsto 1. IntheApplicationstab,AddanApplications to User Mapping

applications. tomatchuserswithpublishedapplications.
Thismappingcontrolswhich NameEnteranameforthemapping(upto31characters).
applicationsusersorusergroupscan Thenameiscasesensitiveandmustbeunique.Useonly
launchfromaGlobalProtectClientless letters,numbers,spaces,hyphens,andunderscores.
VPNsession. Allow user to launch unpublished applicationsSelect
Publishinganapplicationtoauseror thisoptiontoallowuserstolaunchapplicationsthatarenot
grouporallowingthemtolaunch publishedontheapplicationslandingpage.(Userscanclick
unpublishedapplicationsdoesnotimply theApplication URL linkonthepageandspecifyaURL.)
thattheycanaccessthoseapplications. 2. SpecifytheSource Users.YoucanAddindividualusersor
Controllingaccesstoapplications usergroupstowhichthecurrentapplicationconfiguration
(publishedornot)isdoneusingsecurity applies.Theseusershavepermissiontolaunchtheconfigured
policies. applicationsusingaGlobalProtectClientlessVPN.Inaddition
Youmustconfiguregroup tousersandgroups,youcanspecifywhenthesesettingsapply
mapping(Device > User totheusersorgroups:
Identification > Group Mapping anyTheapplicationconfigurationappliestoallusers(no
Settings)beforeyoucanselect needtoAddusersorusergroups).
thegroups.
selectTheapplicationconfigurationappliesonlytousers
andusergroupsyouAddtothislist.
3. Addindividualapplicationsorapplicationgroupstothe
mapping.TheSource Usersyouincludedintheconfiguration
canuseGlobalProtectClientlessVPNtolinktothe
applicationsyouadd.

Step5 Specifythesecuritysettingsfora 1. IntheCrypto Settingstab,specifytheauthenticationand

ClientlessVPNsession. encryptionalgorithmsfortheSSLsessionsbetweenthe
firewallandthepublishedapplications.
Protocol VersionsSelecttherequiredminimumand
maximumTLS/SSLversions.ThehighertheTLSversion,
themoresecuretheconnection.ChoicesincludeSSLv3,
TLSv1.0,TLSv1.1,orTLSv1.2.
Key Exchange AlgorithmsSelectthesupportedalgorithm
typesforkeyexchange.Choicesare:RSA,DiffieHellman
(DHE),orEllipticCurveEphemeralDiffieHellman(ECDHE).
Encryption AlgorithmsSelectthesupportedencryption
algorithms.AES128orhigherisrecommended.
Authentication AlgorithmsSelectthesupported
authenticationalgorithms.Choicesare:MD5,SHA1,
SHA256,orSHA384.SHA256orhigherisrecommended.
2. Selecttheactiontotakewhenthefollowingissuesoccurwith
aservercertificatepresentedbyanapplication:
Block sessions with expired certificateIftheserver
certificatehasexpired,blockaccesstotheapplication.
Block sessions with untrusted issuersIftheserver
certificateisissuedfromanuntrustedcertificateauthority,
blockaccesstotheapplication.
Block sessions with unknown certificate statusIfthe
OSCPorCRLservicereturnsacertificaterevocationstatus
ofunknown,blockaccesstotheapplication.
Block sessions on certificate status check timeoutIfthe
certificatestatuschecktimesoutbeforereceivinga
responsefromanycertificatestatusservice,blockaccessto
theapplication.
Step6 (Optional)Specifyoneormoreproxy Ifusersneedtoreachtheapplicationsthroughaproxyserver,

serverconfigurationstoaccessthe specifya Proxy Server.Youcanaddmultipleproxyserver
applications. configurations,oneforeachsetofdomains.
Onlybasicauthenticationtothe NameAlabel(upto31characters)toidentifytheproxyserver
proxyissupported(username configuration.Thenameiscasesensitiveandmustbeunique.
andpassword). Useonlyletters,numbers,spaces,hyphens,andunderscores.
DomainsAddthedomainsservedbytheproxyserver.Youcan
useawildcardcharacter(*)atthebeginningofthedomainname
toindicatemultipledomains.
Use ProxySelecttoassignaproxyservertoprovideaccessto
thedomains.
ServerSpecifytheIPaddressorhostnameoftheproxy
server.
PortSpecifyaportnumberforcommunicationwiththeserver.
UserandPasswordSpecifytheUserandPassword
credentialsneededtologintotheproxyserver.Specifythe
passwordagainforverification.

Step7 (Optional)Specifyanyspecialtreatment Insomecases,theapplicationmayhavepagesthatdonotneedto

forapplicationdomains. beaccessedthroughtheportal(forexample,theapplicationmay
TheClientlessVPNactsasareverse includeastocktickerfromyahoo.finance.com).Youcanexclude
proxyandmodifieswebpagesreturned thesepages.
bythepublishedwebapplications.It IntheAdvanced Settingstab,Adddomainnames,hostnames,or
rewritesallURLsandpresentsa IPaddressestotheRewrite Exclude Domain List. Thesedomains
rewrittenpagetoremoteuserssuchthat areexcludedfromrewriterulesandcannotberewritten.
whentheyaccessanyofthoseURLs,the Pathsarenotsupportedinhostanddomainnames.Thewildcard
requestsgothroughGlobalProtect character(*)forhostnamesanddomainnamescanonlyappearat
portal. thebeginningofthename(forexample,*.etrade.com).
Step8 Savetheportalconfiguration. 1. ClickOKtwice.

2. Commityourchanges.
Step9 ConfigureaSecuritypolicyruletoenable Youneedsecuritypoliciesforthefollowing:

userstoaccessthepublished AllowtrafficfromGlobalProtectendpointstothesecurityzone
applications. associatedwiththeGlobalProtectportalthathoststhe
publishedapplicationslandingpage.
AllowuserbasedtrafficfromtheGlobalProtectportalzoneto
thesecurityzone(trustzone)wherethepublishedapplication
serversarehosted.Thesecuritypoliciesyoudefinecontrol
whichusershavepermissiontouseeachpublishedapplication.
Forthesecurityzonewherethepublishedapplicationservers
arehosted,makesureEnable User Identificationissetinorder
tocreateuserbasedrulesforaccessingpublishedapplications.
BydefaultService/URLinSecurity Policy Ruleisset
application-default.ClientlessVPNwillnotworkforHTTPS
siteswiththisdefaultsetting.ChangeService/URLtoinclude
bothservice-http andservice-https.
WhenyouconfigureaproxyservertoaccessClientlessVPN
applications,makesureyouincludetheproxyIPaddressand
portinthesecuritypolicydefinition.Whenapplicationsare
accessedthroughaproxyserver,onlysecuritypoliciesdefined
fortheproxyIPaddressandportareapplied.

Troubleshoot Clientless VPN
GlobalProtectClientlessVPNisafeaturethatiscurrentlyavailableinpublicbeta.Becausethisfeature
involvesdynamicrewritingofHTMLapplications,theHTMLcontentforsomeapplicationsmaynot
rewritecorrectlyandbreaktheapplication.Ifissuesoccur,usethecommandsinthefollowingtabletohelp
youidentifythelikelycause:

Table:UsefulCommandstoTroubleshootClientlessVPN
Action Command
CLI Commands
List the version of pancpe@cagp> show system setting ssl-decrypt memory

Clientless VPN dynamic proxy uses shared allocator
content being used SSL certificate cache:
Youcanalsoview Current Entries: 61
thedynamicupdate Allocated 2077, Freed 2016
versionfromthe Current CRE (58-13) : 2432 KB (Actual 2296 KB)
Device > Dynamic Last CRE (58-12) : 2432 KB (Actual 2291 KB)
Updates >
GlobalProtect
Inthisexample,thecurrentdynamicupdateisversion5813,andthelastinstalled
Clientless VPN.
dynamicupdateisversion5812.
List active (current) users pancpe@cagp> show global-protect-portal current-user portal

of Clientless VPN GPClientLessPortal filter-user all-users
GlobalProtect Portal : GPClientlessPortal

Vsys-Id : 1
User : paloaltonetworks.com\johndoe
Session-id :
1SU2vrPIDfdopGf-7gahMTCiX8PuL0S0
Client-IP : 199.167.55.50
Inactivity Timeout : 1800
Seconds before inactivity timeout : 1630
Login Lifetime : 10800
Seconds before login lifetime : 10629
Total number of user sessions: 1

Show DNS resolution pancpe@cagp> show system setting ssl-decrypt dns-cache
results
This can be useful to Total DNS cache entries: 89
determine if there are DNS Site IP Expire(secs)
issues. If there is a DNS Interface
issue, you will notice bugzilla.paloaltonetworks.local 10.0.2.15 querying
querying against an FQDN 0
that was not resolvable in www.google.com 216.58.216.4 Expired 0
the CLI output.
stats.g.doubleclick.net 74.125.199.154 Expired
0
ShowallClientlessVPN pancpe@cagp> show system setting ssl-decrypt gp-cookie-cache
usersessionsandcookies
stored User: johndoe, Session-id: 1SU2vrPIDfdopGf-7gahMTCiX8PuL0S0,
Client-ip: 199.167.55.50

Action Command
Show rewrite-stats pancpe@cagp> show system setting ssl-decrypt rewrite-stats

Thisisusefultoidentify
thehealthoftheClientless Rewrite Statistics
VPNrewriteengine. initiate_connection : 11938
RefertoTable:Rewrite setup_connection : 11909
EngineStatisticsfor session_notify_mismatch : 1
informationonrewrite reuse_connection : 37
statisticsandtheirmeaning file_end : 4719
orpurpose.
packet : 174257
packet_mismatch_session : 1
peer_queue_update_rcvd : 167305
peer_queue_update_sent : 167305
peer_queue_update_rcvd_failure: 66
setup_connection_r : 11910
packet_mismatch_session_r : 22
pkt_no_dest : 23
cookie_suspend : 2826
cookie_resume : 2826
decompress : 26
decompress_freed : 26
dns_resolve_timeout : 27
stop_openend_response : 43
received_fin_for_pending_req : 26
Destination Statistics
To mp : 4015
To site : 12018
To dp : 17276
Return Codes Statistics
ABORT : 18
RESET : 30
PROTOCOL_UNSUPPORTED : 7
DEST_UNKNOWN : 10
CODE_DONE : 52656
DATA_GONE : 120359
SWITCH_PARSER : 48
INSERT_PARSER : 591
SUSPEND : 2826
Total Rewrite Bytes : 611111955
Total Rewrite Useconds : 6902825
Total Rewrite Calls : 176545
Debug Commands
Enable debug logs on the debug dataplane packet-diag set log feature ssl all
firewall running Clientless debug dataplane packet-diag set log feature misc all
VPN Portal debug dataplane packet-diag set log feature proxy all
debug dataplane packet-diag set log feature flow basic
debug dataplane packet-diag set log on

Table:RewriteEngineStatistics
Statistic Description
initiate_connection_failure Connectioninitiationfailedtobackendhost
setup_connection_failure Connectionsetupfailed
setup_connection_duplicate Duplicatepeersessionexists
session_notify_mismatch Mostlyinvalidsession
packet_mismatch_session Failedtofindrightsessionforincomingpacket
peer_queue_update_rcvd_failure Sessionwasinvalidwhenpacketupdatereceivedbypeer
peer_queue_update_sent_failure Failedtosendpacketupdatestopeerorfailedtosendpacketqueuelength
updatestopeer
exceed_pkt_queue_limit Toomanypacketsqueued
proxy_connection_failure Proxyconnectionfailed
setup_connection_r Installingthepeersessiontotheapplicationserver.Thisvalueshouldmatchthe
valuesforinitiate_connectionandsetup_connection.
setup_connection_duplicate_r Duplicatesessionsalreadyinproxy
setup_connection_failure_r Failedtosetupthepeersession
session_notify_mismatch_r Peersessionnotfound
packet_mismatch_session_r Peersessionnotfoundwhentryingtogetthepacket
exceed_pkt_queue_limit_r Toomanypacketsheld
unknown_dest Failedtofinddestinationhost
pkt_no_dest Nodestinationforthispacket
cookie_suspend Suspendedsessiontofetchcookies
cookie_resume ReceivedresponsefromMPwithupdatedcookies.Thisvaluegenerallymatches
thevalueofcookie_suspend.
decompress_failure Failedtodecompress
memory_alloc_failure Failedtoallocatememory
wait_for_dns_resolve SuspendedsessiontoresolveDNSrequests
dns_resolve_reschedule RescheduledDNSqueryduetonoresponse(retrybeforetimeout)
dns_resolve_timeout DNSquerytimeout
setup_site_conn_failure Failedtosetupconnectiontosite(proxy,DNS)
site_dns_invalid DNSresolvefailed
multiple_multipart Multipartcontenttypeprocessed
site_from_referer Receivedthebackendhostfromreferrer.Thiscanindicatefailedrewritelinks
fromflashorothercontentwhichClientlessVPNdoesnotrewrite.

Statistic Description
received_fin_for_pending_req ReceivedFINfromserverforpendingrequestfromclient
unmatched_http_state UnexpectedHTTPcontent.Thiscanindicateanissueparsingthehttpheadersor
body.

EnableDeliveryofGlobalProtectClientVSAstoaRADIUSServer GlobalProtectClients
EnableDeliveryofGlobalProtectClientVSAstoaRADIUS
Server
WhencommunicatingwithGlobalProtectportalsorgateways,GlobalProtectclientssendinformationthat
includestheclientIPaddress,operatingsystem(OS),hostname,userdomain,andGlobalProtectagent/app
version.YoucanenablethefirewalltosendthisinformationasVendorSpecificAttributes(VSAs)toa
RADIUSserverduringauthentication(bydefault,thefirewalldoesnotsendtheVSAs).RADIUS
administratorscanthenperformadministrativetasksbasedonthoseVSAs.Forexample,RADIUS
administratorsmightusetheclientOSattributetodefineapolicythatmandatesregularpassword
authenticationforMicrosoftWindowsusersandonetimepassword(OTP)authenticationforGoogle
Androidusers.
Thefollowingareprerequisitesforthisprocedure:
ImportthePaloAltoNetworksRADIUSdictionaryintoyourRADIUSserver.
ConfigureaRADIUSserverprofileandassignittoanauthenticationprofile:seeSetUpExternal
Authentication.
AssigntheauthenticationprofiletoaGlobalProtectportalorgateway:seeSetUpAccesstothe
GlobalProtectPortalorConfigureaGlobalProtectGateway.
EnableDeliveryofGlobalProtectClientVSAstoaRADIUSServer
Step1 LogintothefirewallCLI.
Step2 EnterthecommandforeachVSAyouwanttosend.
username@hostname> set authentication radius-vsa-on client-source-ip
username@hostname> set authentication radius-vsa-on client-os
username@hostname> set authentication radius-vsa-on client-hostname
username@hostname> set authentication radius-vsa-on user-domain
username@hostname> set authentication radius-vsa-on client-gp-version
IfyoulaterwanttostopthefirewallfromsendingparticularVSAs,runthesamecommandsbutusethe
radius-vsa-offoptioninsteadofradius-vsa-on.

GlobalProtectClients Reference:GlobalProtectAgentCryptographicFunctions
Reference:GlobalProtectAgentCryptographicFunctions
TheGlobalProtectagentusestheOpenSSLlibrary1.0.1htoestablishsecurecommunicationwiththe
GlobalProtectportalandGlobalProtectgateways.ThefollowingtablelistseachGlobalProtectagent
functionthatrequiresacryptographicfunctionandthecryptographickeystheGlobalProtectagentuses:
CryptoFunction Key Usage
Winhttp (Windows) and Dynamickeynegotiatedbetween UsedtoestablishtheHTTPSconnection

NSURLConnection (MAC) theGlobalProtectagentandthe betweentheGlobalProtectagentandthe
GlobalProtectportaland/orgateway GlobalProtectportalandGlobalProtect
aes256sha
forestablishingtheHTTPS gatewayforauthentication.
connection.
OpenSSL Dynamickeynegotiatedbetween UsedtoestablishtheSSLconnection

theGlobalProtectagentandthe betweentheGlobalProtectagentandthe
aes256sha
GlobalProtectgatewayduringthe GlobalProtectgatewayforHIPreport
SSLhandshake. submission,SSLtunnelnegotiation,and
networkdiscovery.
IPSec encryption and authentication Thesessionkeysentfromthe UsedtoestablishtheIPSectunnel

GlobalProtectgateway. betweentheGlobalProtectagentandthe
aes128sha1,aes128cbc,
GlobalProtectgateway.Usethestrongest
aes128gcm,andaes256gcm algorithmsupportedbyyournetwork
(AESGCMisrecommended).
Toprovidedataintegrityandauthenticity
protection,theaes128cbccipher
requiresthesha1authentication
algorithm.BecauseAESGCMencryption
algorithms(aes128gcmand
aes256gcm)nativelyprovideESP
integrityprotection,thesha1
authenticationalgorithmisignoredfor
thesecipherseventhoughitisrequired
duringconfiguration.

Reference:GlobalProtectAgentCryptographicFunctions GlobalProtectClients

MobileEndpointManagement
MobileEndpointManagementOverview
SetUpaMobileEndpointManagementSystem
DeploytheGlobalProtectMobileAppUsingAirWatch
ManagetheGlobalProtectAppUsingAirWatch
ManagetheGlobalProtectAppUsingaThirdPartyMDM

MobileEndpointManagementOverview MobileEndpointManagement
MobileEndpointManagementOverview
Asmobileendpointsbecomemorepowerful,endusersincreasinglyrelyonthemtoperformbusinesstasks.
However,thesesameendpointsthataccessyourcorporatenetworkalsoconnecttotheinternetwithout
protectionagainstthreatsandvulnerabilities.Byusingathirdpartymobileendpointmanagementsystem
suchasamobiledevicemanagement(MDM)orenterprisemobilitymanagement(EMM)systemyoucan
easilymanagebothcompanyprovisionedandemployeeowneddevices(suchasinaBYODenvironment).
Amobileendpointmanagementsystemsimplifiestheadministrationofmobileendpointsbyenablingyouto
automaticallydeployyourcorporateaccountconfigurationandVPNsettingstocompliantendpoints.You
canalsouseyourmobileendpointmanagementsystemforremediationofsecuritybreachesbyinteracting
withanendpointthathasbeencompromised.Thisprotectsbothcorporatedataaswellaspersonalenduser
data.Forexample,ifanenduserlosesanendpoint,youcanremotelylocktheendpointfromthemobile
endpointmanagementsystemorevenwipetheendpoint(eithercompletelyorselectively).
Inadditiontotheaccountprovisioningandremotedevicemanagementfunctionsthatamobileendpoint
managementsystemcanprovide,whenintegratedwithyourexistingGlobalProtectVPNinfrastructure,
youusehostinformationthattheendpointreportstoenforcesecuritypoliciesforaccesstoappsthrough
theGlobalProtectgateway.YoucanalsousethemonitoringtoolsthatarebuiltintothePaloAlto
nextgenerationfirewalltomonitormobileendpointtraffic.

MobileEndpointManagement SetUpaMobileEndpointManagementSystem
SetUpaMobileEndpointManagementSystem
Tosetupamobileendpointmanagementsystem,usethefollowingworkflow:
SetUpanEndpointManagementSystem
Step1 SetuptheGlobalProtectInfrastructure. 1. CreateInterfacesandZonesforGlobalProtect.

2. EnableSSLBetweenGlobalProtectComponents.
3. SetupGlobalProtectUserAuthentication.Referto
AboutGlobalProtectUserAuthentication.
4. EnableGroupMapping.
5. ConfigureaGlobalProtectGateway.
6. ActivateLicensesforeachfirewallrunninga
gateway(s)thatsupportstheGlobalProtectappon
mobileendpoints.
7. SetUpAccesstotheGlobalProtectPortal.
Step2 Setupthemobileendpointmanagementsystem Seetheinstructionsforyourmobileendpoint

anddecidewhethertosupportonly managementsystem,mobiledevicemanagement(MDM)
corporateissuedendpointsorboth system,orenterprisemobilitymanagement(EMM)
corporateissuedandpersonalendpoints. system.
Step3 ObtaintheGlobalProtectappformobile AppstoreDownloadandInstalltheGlobalProtect

endpoints. MobileApp
AirWatchDeploytheGlobalProtectMobileAppUsing
AirWatch
Otherthirdpartymobileendpointmanagement
systemSeetheinstructionsfromyourvendoronhow
todeployappstomanagedendpoints.
Step4 ConfigureVPNsettingsfortheGlobalProtect ManagetheGlobalProtectAppUsingAirWatch

app. ManagetheGlobalProtectAppUsingaThirdParty
MDM
Step5 Configurepolicesthattargetmobileendpoints ConfigureHIPBasedPolicyEnforcementformanaged

usinghostinformation. endpoints.

ManagetheGlobalProtectAppUsingAirWatch MobileEndpointManagement
ManagetheGlobalProtectAppUsingAirWatch
DeploytheGlobalProtectMobileAppUsingAirWatch
ConfiguretheGlobalProtectAppforiOSUsingAirWatch
ConfiguretheGlobalProtectAppforAndroidUsingAirWatch
ConfiguretheGlobalProtectAppforWindows10UWPUsingAirWatch
Deploy the GlobalProtect Mobile App Using AirWatch
TheGlobalProtectappprovidesasimplewaytoextendtheenterprisesecuritypoliciesouttomobile
endpoints.AswithotherremotehostsrunningtheGlobalProtectagent,themobileappprovidessecure
accesstoyourcorporatenetworkoveranIPSecorSSLVPNtunnel.Theappconnectstothegatewaythat
isclosesttotheenduserscurrentlocation.Inaddition,traffictoandfromthemobileendpointis
automaticallysubjecttothesamesecuritypolicyenforcementasotherhostsonyourcorporatenetwork.
LiketheGlobalProtectagent,theappcollectsinformationaboutthehostconfigurationandcanusethis
informationforenhancedHIPbasedsecuritypolicyenforcement.
TherearetwoprimarymethodsforinstallingtheGlobalProtectapp:Youcanyoucaninstalltheappdirectly
fromtheappstoreforyourendpoint(seeDownloadandInstalltheGlobalProtectMobileApp);or,deploy
theappfromathirdpartymobileendpointmanagementsystem(suchasAirWatch)andtransparentlypush
theapptoyourmanagedendpoints.
WithAirWatch,youcandeploytheGlobalProtectapptomanagedendpointsthathaveenrolledwith
AirWatch.EndpointsrunningiOSorAndroidmustdownloadtheAirWatchagenttoenrollwiththeAirWatch
EDM.Windows10endpointsdonotrequiretheAirWatchagentbutrequireyoutoconfigureenrollmenton
theendpoint.Afteryoudeploytheapp,configureanddeployaVPNprofiletosetuptheGlobalProtectapp
fortheenduserautomatically.
DeploytheGlobalProtectAppfromAirWatch
Step1 Beforeyoubegin,ensurethattheendpointstowhichyouwanttodeploytheGlobalProtectappareenrolled
withAirWatch:
AndroidandiOSDownloadtheAirWatchagentandfollowingthepromptstoenroll.
WindowsPhoneandWindows10UWPConfiguretheWindows10UWPendpointtoenrollwith
AirWatch(fromtheendpoint,selectSettings > Accounts > Work access > Connect).
Step2 FromAirWatch,selectApps & Books > Public > Add Application.
Step3 Selecttheorganizationgroupbywhichthisappwillbemanaged.
Step4 SelectthePlatform,eitherApple iOS,Android,orWindows Phone.
Step5 SearchfortheappintheappstorefortheendpointorentertheURLoftheGlobalProtectapppage:
Apple iOShttps://itunes.apple.com/us/app/globalprotect/id592489989?mt=8&uo=4
Androidhttps://play.google.com/store/apps/details?id=com.paloaltonetworks.globalprotect
Windows Phonehttps://www.microsoft.com/store/apps/9NBLGGH6BZL3

MobileEndpointManagement ManagetheGlobalProtectAppUsingAirWatch
DeploytheGlobalProtectAppfromAirWatch(Continued)
Step6 ClickNext.Ifyouchosetosearchfortheapptheappstorefortheendpoint,youmustalsoSelecttheapp
fromalistofsearchresults.
IfyouchosetosearchfortheGlobalProtectappforAndroidanddidnotseetheappinthelist,contact
yourAndroidforWorkadministratortoaddGlobalProtecttothelistofapprovedcompanyapps.
Step7 OntheAssignmenttab,selectAssigned Smart Groupsthatwillhaveaccesstothisapp.
Step8 OntheDeploymenttab,selectthePush Mode,eitherAutoorOn Demand.
Step9 SelectSave & PublishtopushtheAppCatalogtotheendpointsintheSmartGroupsyouassignedinthe

Assignmentsection.
Step10 Nextsteps:
ConfiguretheGlobalProtectAppforiOSUsingAirWatch
ConfiguretheGlobalProtectAppforAndroidUsingAirWatch
Configure the GlobalProtect App for iOS Using AirWatch
AirWatchisanEnterpriseMobilityManagementPlatformthatenablesyoutomanagemobileendpoints,
fromacentralconsole.TheGlobalProtectappprovidesasecureconnectionbetweenAirWatchmanaged
mobileendpointsandthefirewallateitherthedeviceorapplicationlevel.UsingGlobalProtectasthesecure
connectionallowsconsistentinspectionoftrafficandenforcementofnetworksecuritypolicyforthreat
preventiononthemobileendpoint.
ConfigureaDeviceLevelVPNConfigurationforiOSDevicesUsingAirWatch
ConfigureaPerAppVPNConfigurationforiOSDevicesUsingAirWatch
YoucaneasilyenableaccesstointernalresourcesfromyourmanagedmobileendpointsbyconfiguringVPN
accessusingAirWatch.InadevicelevelVPNconfiguration,yourouteallofthetrafficthatmatchesthe
accessroutesconfiguredontheGlobalProtectgatewaythroughtheGlobalProtectVPN.
Step1 DownloadtheGlobalProtectappforiOS.
DeploytheGlobalProtectMobileAppUsingAirWatch.
DownloadtheGlobalProtectappdirectlyfromtheAppStore.

ConfigureaDeviceLevelVPNConfigurationforiOSDevicesUsingAirWatch(Continued)
Step2 FromtheAirWatchconsole,modifyoraddanewAppleiOSprofile.
1. NavigatetoDevices > Profiles > List View.
2. SelectanexistingprofiletoaddtheVPNconfigurationtoitoraddanewone(selectAdd > Apple iOS).
3. ConfigureGeneralprofilesettings:
DescriptionAbriefdescriptionoftheprofilethatindicatesitspurpose.
DeploymentDeterminesiftheprofilewillbeautomaticallyremoveduponunenrollment,eitherManaged
(theprofileisremoved)orManual(theprofileremainsinstalleduntilremovedbytheenduser).
Assignment TypeDetermineshowtheprofileisdeployedtoendpoints.SelectAutotodeploytheprofile
toallendpointsautomatically,Optional toenabletheendusertoinstalltheprofilefromtheSelfService
Portal(SSP)ortomanuallydeploytheprofiletoindividualendpoints,orCompliancetodeploytheprofile
whenanenduserviolatesacompliancepolicyapplicabletotheendpoint.
Managed ByTheOrganizationGroupwithadministrativeaccesstotheprofile.
Assigned Smart GroupTheSmartGrouptowhichyouwantthedeviceprofileadded.Includesanoption
tocreateanewSmartGroupwhichcanbeconfiguredwithspecsforminimumOS,devicemodels,
ownershipcategories,organizationgroupsandmore.
Allow RemovalDetermineswhetherornottheprofilecanberemovedbytheendpoint'senduser.Select
Alwaystoenabletheendusertomanuallyremovetheprofileatanytime,Nevertopreventtheenduser
fromremovingtheprofilefromtheendpoint,orWith Authorizationtoenabletheendusertoremovethe
profilewiththeauthorizationoftheadministrator.ChoosingWith AuthorizationaddsarequiredPassword.
ExclusionsIfYesisselected,anewfieldExcluded Smart Groupsdisplays,enablingyoutoselectthose
SmartGroupsyouwishtoexcludefromtheassignmentofthisdeviceprofile.
Step3 ToconfiguretheVPNsettings,selectVPNandthenclickConfigure.
Step4 Configureconnectioninformation,including:
Connection NameEnterthenameoftheconnectionnametobedisplayed.
Connection TypeSelectPalo Alto Networks GlobalProtectasthenetworkconnectionmethod.
ServerEnterthehostnameorIPaddressoftheGlobalProtectportaltowhichtoconnect.
AccountEntertheusernameoftheVPNaccountorclickadd(+)toviewsupportedlookupvaluesyou
caninsert.
AuthenticationChoosethemethodtoauthenticateendusers.Followtherelatedpromptstoentera
PasswordoruploadanIdentity Certificatetousetoauthenticateusers;Or,ifyouselectedPassword +
Certificate,followtherelatedpromptsforboth.
Step5 Save & Publishyourchanges.
Youcaneasilyenableaccesstointernalresourcesfromyourmanagedmobileendpointsbyconfiguring
GlobalProtectVPNaccessusingAirWatch.InaperappVPNconfiguration,youcanspecifywhichmanaged
appsontheendpointcansendtrafficthroughtheGlobalProtectVPNtunnel.Unmanagedappswillcontinue
toconnectdirectlytotheInternetinsteadofthroughtheGlobalProtectVPNtunnel.
Step1 DownloadtheGlobalProtectappforiOS:
DownloadtheGlobalProtectappdirectlyfromtheAppStore.

ConfigureaPerAppVPNConfigurationforiOSDevicesUsingAirWatch(Continued)
Step2 FromtheAirWatchconsole,modifyoraddanewAppleiOSprofile:
2. SelectanexistingprofiletoaddtheVPNconfigurationtoitoraddanewone(selectAdd > Apple iOS).
Step3 ConfigureGeneralprofilesettings:
DeploymentDeterminesiftheprofilewillbeautomaticallyremoveduponunenrollment,eitherManaged
(theprofileisremoved)orManual(theprofileremainsinstalleduntilremovedbytheenduser).
Step4 ToconfiguretheperappVPNsettingsintheAppleiOSprofile,selectVPNandthenclickConfigure.
Step5 Configureconnectioninformation,including:
Connection NameEnterthenameoftheconnectionnametobedisplayed.
Connection TypeSelectPalo Alto Networks GlobalProtectasthenetworkconnectionmethod.
AccountEntertheusernameoftheVPNaccountorclickadd(+)toviewsupportedlookupvaluesthat
youcaninsert.
Send All TrafficSelectthischeckboxtoforcealltrafficthroughthespecifiednetwork.
Disconnect on IdleAllowtheVPNtoautodisconnectafteraspecificamountoftime.
EnablePer App VPNtorouteallofthetrafficforamanagedapptrafficthroughtheGlobalProtectVPN.
Connect AutomaticallySelectthischeckboxtoallowtheVPNtoconnectautomaticallytochosenSafari
Domains.
Step6 Configuretheauthenticationmethodtousetoauthenticateusers.ForperappVPN,youmustuse
certificatebasedauthentication.SelectUser Authentication: Certificate,andthenfollowthepromptsto
uploadanIdentity Certificatetouseforauthentication.
Step7 SelecteitherManualorAuto Proxytypeandenterthespecificinformationneeded.
Step8 ClickSave & Publish.

ConfigureaPerAppVPNConfigurationforiOSDevicesUsingAirWatch(Continued)
Step9 ConfigureperappVPNsettingsforanewmanagedapp,ormodifythesettingsforanexistingmanagedapps.
AfterconfiguringthesettingsfortheappandenablingperappVPN,youcanpublishtheapptoagroupof
usersandenabletheapptosendtrafficthroughtheGlobalProtectVPNtunnel.
1. Onthemainpage,selectApps & Books > Public.
2. Toaddanewapp,selectAdd Application.Or,tomodifythesettingsofanexistingapp,locatethe
GlobalProtectappinthelistofPublicappsandthenselecttheediticon intheactionsmenunexttothe
row.
3. Selecttheorganizationgroupbywhichthisappwillbemanaged.
4. SelectApple iOSasthePlatform.
5. Selectyourpreferredmethodforlocatingtheapp,eitherbysearchingtheAppStore(byName),or
specifyingaURLfortheappintheAppStore(forexample,toaddtheBoxapp,enter
https://itunes.apple.com/us/app/boxforiphoneandipad/id290853822?mt=8&uo=4),andthenclick
Next.IfyouchoosetosearchtheAppStore,youmustSelecttheappfromthelistofsearchresults.
6. OntheAssignmenttab,selectAssigned Smart Groupsthatwillhaveaccesstothisapp.
7. OntheDeploymenttab,selectthePush Mode,eitherAutoorOn Demand.
8. SelectUse VPNandthenselecttheAppleiOSprofilethatyoucreatedearlierinthisworkflow.
OnlyprofilesthathaveperappVPNenabledareavailablefromthedropdown.
9. SelectSave & PublishtopushtheAppCatalogtotheendpointsintheSmartGroupsyouassignedinthe

Assignmentsection.
Configure the GlobalProtect App for Android Using AirWatch
YoucanusetheGlobalProtectAppforAndroidwithAirWatchagent6.0andlaterreleases.TheAirWatch
agentinterfaceswithAirWatchtomanageAndroidendpoints.UsingtheGlobalProtectappforAndroidas
thesecureconnectionbetweentheendpointandthefirewallallowsconsistentinspectionoftrafficand
enforcementofnetworksecuritypolicyforthreatprevention.TheGlobalProtectappcanprovideasecure
connectionateitherthedeviceorapplicationlevel.
ConfigureaDeviceLevelVPNConfigurationforAndroidDevicesUsingAirWatch
ConfigureaPerAppVPNConfigurationforAndroidDevicesUsingAirWatch
EnableAppScanIntegrationwithWildFire
YoucaneasilyenableaccesstointernalresourcesfromyourmanagedAndroidmobileendpointsby
configuringVPNaccessusingAirWatch.InadevicelevelVPNconfiguration,yourouteallofthetrafficthat
matchestheaccessroutesconfiguredontheGlobalProtectgatewaythroughtheGlobalProtectVPN.
Step1 DownloadtheGlobalProtectappforAndroid:
DownloadtheGlobalProtectappdirectlyfromGooglePlay.

ConfigureaDeviceLevelVPNConfigurationforAndroidDevicesUsingAirWatch(Continued)
Step2 FromtheAirWatchconsole,modifyoraddanewAndroidprofile.
2. SelectanexistingprofiletowhichtoaddtheVPNconfigurationoraddanewone(selectAdd > Add Profile).
3. SelectAndroid astheplatformandDevice astheconfigurationtype.
NameProvideameaningfulnameforthisconfiguration.
VersionThisfieldisautopopulatedwiththelatestversionnumberoftheconfigurationprofile.
Profile ScopeScopeforthisprofile,eitherProduction,Staging,orBoth.
Step4 Save and PublishthisprofiletotheassignedSmartGroups.
Step5 ToconfiguretheVPNsettings,selectVPNandthenclickConfigure.
Step6 ConfigureConnection Info,including:

Connection TypeSelectGlobalProtectasthenetworkconnectionmethod.
Connection NameEnterthenameoftheconnectionnamethattheendpointwilldisplay.
Step7 ConfigureAuthenticationinformation:
1. Choosethemethodtoauthenticateendusers:PasswordorCertificate.
2. EntertheUsernameoftheVPNaccountorclickadd(+)toviewsupportedlookupvaluesthatyoucan
insert.
3. EnteraPasswordoruploadanIdentity CertificatethatGlobalProtectwillusetoauthenticateusers.
Step8 Save & PublishthisprofiletotheassignedSmartGroups.

Youcaneasilyenableaccesstointernalresourcesfromyourmanagedmobileendpointsbyconfiguring
GlobalProtectVPNaccessusingAirWatch.InaperappVPNconfiguration,youcanspecifywhichmanaged
appsontheendpointcansendtrafficthroughtheGlobalProtectVPNtunnel.Unmanagedappswillcontinue
toconnectdirectlytotheInternetinsteadofthroughtheGlobalProtectVPNtunnel.
Step1 DownloadtheGlobalProtectappforAndroid:
DownloadtheGlobalProtectappdirectlyfromGooglePlay.
Step2 FromtheAirWatchconsole,modifyoraddanewAndroidprofile.
2. SelectanexistingprofiletowhichtoaddtheVPNconfigurationoraddanewone(selectAdd > Add
Profile).
3. SelectAndroid astheplatformandDevice astheconfigurationtype.
NameProvideameaningfulnameforthisconfiguration.
VersionThisfieldisautopopulatedwiththelatestversionnumberoftheconfigurationprofile.
Profile ScopeScopeforthisprofile,eitherProduction,Staging,orBoth.
profilewiththeauthorizationoftheadministrator.ChoosingWith Authorizationaddsarequired
Password.
ExclusionsWhenyouselectYes,theAirWatchconsoledisplaysanExcluded Smart Groupsfieldwhich
youcanusetoselectthoseSmartGroupsyouwishtoexcludefromtheassignmentofthisdeviceprofile.
Step4 Save and PublishthisprofiletotheassignedSmartGroups.
Step5 ToconfiguretheVPNsettings:
1. SelectVPNandthenclickConfigure.
2. ConfigureConnection Info,including:
Connection TypeSelectGlobalProtectasthenetworkconnectionmethod.
EnablePer App VPNtorouteallofthetrafficforamanagedapptrafficthroughtheGlobalProtectVPN.
3. Selecttheauthenticationmethodtousetoauthenticateusers.ForperappVPN,youmustuse
certificatebasedauthentication.SelectUser Authentication: Certificate,andthenfollowthepromptsto
uploadanIdentity Certificatetouseforauthentication.
4. Save & PublishthisprofiletotheassignedSmartGroups.

ConfigureaPerAppVPNConfigurationforAndroidDevicesUsingAirWatch(Continued)
Step6 ConfigureperappVPNsettingsforanewmanagedapp,ormodifythesettingsforanexistingmanagedapps:
1. Onthemainpage,selectApps & Books > Applications > List View > Public.
2. Toaddanewapp,selectAdd Application.Or,tomodifythesettingsofanexistingapp,locatetheappin
thelistofPublicappsandthenselecttheediticon intheactionsmenunexttotherow.
3. Selecttheorganizationgroupbywhichthisappwillbemanaged.
4. SelectAndroid asthePlatform.
5. Selectyourpreferredmethodforlocatingtheapp,eitherbyspecifyingaURLorimportingtheappfromthe
appstore(GooglePlay).TosearchbyURL,youmustalsoentertheGooglePlayStoreURLfortheapp(for
example,tosearchfortheBoxappbyURL,enter
https://play.google.com/store/apps/details?id=com.box.android).
6. ClickNext.IfyouchosetoimporttheappfromGooglePlayinthepreviousstep,youmustSelecttheapp
fromthelistofapprovedcompanyapps.Ifyoudonotseetheappinthelist,contactyourAndroidforWork
administratortoapprovetheapp.
7. OntheAssignmenttab,selectAssigned Smart Groupsthatwillhaveaccesstothisapp.
8. OntheDeploymenttab,selectthePush Mode,eitherAutoorOn Demand.
9. SelectUse VPNandthenselecttheAndroidprofilethatyoucreatedearlierinthisworkflow.
OnlyprofilesthathaveperappVPNenabledareavailablefromthedropdown.
10.Save & PublishtheconfigurationtotheassignedSmartGroups.
Step7 ConfigureAuthenticationinformation:
1. Choosethemethodtoauthenticateendusers:PasswordorCertificate.
2. EntertheUsernameoftheVPNaccountorclickadd(+)toviewsupportedlookupvaluesthatyoucan
insert.
3. EnteraPasswordoruploadanIdentity CertificatethatGlobalProtectwillusetoauthenticateusers.
Step8 Save & PublishthisprofiletotheassignedSmartGroups.
ByenablingAppScaninAirWatch,youcanleverageWildFirethreatintelligenceaboutappstodetect
malwareonAndroidendpoints.Whenenabled,theAirWatchagentsendsthelistofappsthatareinstalled
ontheAndroidendpointtoAirWatch.Thisoccursduringenrollmentandsubsequentlyonanydevice
checkin.AirWatchthenperiodicallyqueriesWildFireforverdictsandcantakecomplianceactiononthe
endpointbasedontheverdict.
Step1 Beforeyoubegin,obtainaWildFireAPIkey.IfyoudonotalreadyhaveanAPIkey,contactSupport.
Step2 FromAirWatch,selectGroups & Settings > All Settings > Apps > App Scan > Third Party Integration.
Step3 SelectCurrent Setting: Override.
Step4 Select Enable Third Party App Scan AnalysistoenablecommunicationbetweenAirWatchandWildFire.
Step5 ChoosePalo Alto Networks WildFirefromtheChoose App Scan Vendordropdown.
Step6 EnteryourWildFireAPIkey.

EnableAppScanIntegrationwithWildFire(Continued)
Step7 ClickTest ConnectiontoensurethatAirWatchcancommunicatewithWildFire.Ifthetestisnotsuccessful,

verifyconnectivitytotheInternet,reentertheAPIkey,andthentryagain.
Step8 Saveyourchanges.AirWatchschedulesasynchronizationtasktocommunicatewithWildFiretoobtainthe
latestverdictsforapplicationhashesandrunsthetaskatregularintervals.ClickSync Nowtoinitiateamanual
syncwithWildFire.
Configure the GlobalProtect App for Windows 10 UWP Using AirWatch
UsingtheGlobalProtectappforWindows10UWPasthesecureconnectionbetweentheendpointandthe
firewallallowsconsistentinspectionoftrafficandenforcementofnetworksecuritypolicyforthreat
prevention.
TheGlobalProtectappforWindows10UWPsupportsthefollowingconfigurationsusingAirWatch:
PerAppVPNSpecifieswhichmanagedappsontheendpointcansendtrafficthroughthesecure
tunnel.UnmanagedappswillcontinuetoconnectdirectlytotheInternetinsteadofthroughthesecure
connection.
DeviceLevelVPNSendsalltrafficthatmatchesspecificfilters(suchasportandIPaddress)throughthe
VPNirrespectiveofapp.DevicelevelVPNconfigurationsalsosupporttheabilitytoforcethesecure
connectiontobeAlwaysOn.Foreventightersecurityrequirements,youcanenabletheVPN Lockdown
optionwhichbothforcesthesecureconnectiontoalwaysbeonandconnectedanddisablesnetwork
accesswhentheappisnotconnected.ThisconfigurationissimilartotheEnforce GlobalProtect for Network
AccessoptionthatyouwouldtypicallyconfigureinaGlobalProtectportalconfiguration.
BecauseAirWatchdoesnotyetlistGlobalProtectasanofficialconnectionproviderforWindowsendpoints,you
mustselectanalternateVPNprovider,editthesettingsfortheGlobalProtectapp,andimporttheconfiguration
backintotheVPNprofileasdescribedinthefollowingworkflow.

Step1 DownloadtheGlobalProtectappforWindows10UWP:
DownloadtheGlobalProtectappdirectlyfromtheMicrosoftStore.
Step2 FromtheAirWatchconsole,addanewWindows10UWPprofile:
2. SelectAdd > Add Profile.
3. SelectWindows astheplatformandWindows Phone astheconfigurationtype.
4. ConfigureGeneralprofilesettingssuchasameaningfulNameforthisconfigurationandabriefDescription
oftheprofilethatindicatesitspurpose.
5. Save and PublishthisprofiletotheassignedSmartGroups.
Step3 ToconfiguretheVPNconnectionsettings,selectVPNandthenclickConfigure.
Step4 SelectConfigureConnection Info,including:

Connection TypeSelectanalternateprovider(donotselectIKEv2,L2TP,PPTP,orAutomaticasthesedo
nothavetheassociatedvendorsettingsrequiredfortheGlobalProtectVPNprofile).
YoumustselectthealternatevendorbecauseAirWatchdoesnotyetlistGlobalProtectasanofficial
connectionproviderforWindowsendpoints.
Step5 ConfiguretheauthenticationsettingsfortheVPNconnection:
1. SelecttheAuthentication Typetochoosethemethodtoauthenticateendusers.
2. TopermitGlobalProtecttosaveusercredentials,enableRemember CredentialsinthePoliciesarea.
Step6 ConfigureVPNtrafficrulestoapplydevicewideoronaperappbasis:
Add New Per-App VPN RuleSpecifyrulesforspecificlegacyapps(typically.exefiles)ormodernapps
(typicallydownloadedfromtheMicrosoftStore)thatdeterminewhethertoautomaticallyestablishthe
VPNconnectionwhentheappislaunchedandwhethertosendapptrafficthroughtheVPN.Youcanalso
configurespecifictrafficfilterstorouteonlyapptrafficthroughtheVPNifitmatchesmatchcriteriasuch
asIPaddressandport.
Add New Device-Wide VPN RuleSpecifyroutingfilterstosendtrafficmatchingaspecificroutethrough
theVPN.Theserulesarenotboundbyapplicationandareevaluatedacrosstheendpoint.Ifthetraffic
matchesthematchcriteria,itisroutedthroughtheVPN.
Step7 (DevicelevelVPNonly)Ifdesired,configureyourpreferenceofAlwaysOnconnection:
1. TomaintaintheVPNconnectionalways,enableeitherofthefollowingoptions:
Always OnForcethesecureconnectiontobealwayson.
VPN LockdownForcethesecureconnectiontobealwaysonandconnected,anddisablethenetwork
accesswhentheappisnotconnected.TheVPN LockdownoptioninAirWatchissimilartotheEnforce
GlobalProtect for Network AccessoptionthatyouwouldconfigureinaGlobalProtectportalconfiguration.
2. SpecifyTrusted NetworkaddressesifyouwantGlobalProtecttoconnectonlywhenitdetectsatrusted
networkconnection.
3. Save & Publishyourchanges.

ConfiguretheGlobalProtectAppforWindows10UWPUsingAirWatch(Continued)
Step8 ToadapttheconfigurationforGlobalProtect,edittheVPNprofileinXML.
TominimizeadditionaleditsintherawXML,reviewthesettingsinyourVPNprofilebeforeyouexport
theconfiguration.IfyouneedtochangeasettingafteryouexporttheVPNprofile,youcanmakethe
changesintherawXMLor,youcanupdatethesettingintheVPNprofileandperformthisstepagain.
1. IntheDevices > Profiles > List View,selecttheradiobuttonnexttothenewprofileyouaddedinthe
previoussteps,andthenselect</> XMLatthetopofthetable.AirWatchopenstheXMLviewoftheprofile.
2. Exporttheprofileandthenopenitinatexteditorofyourchoice.
3. EditthefollowingsettingsforGlobalProtect:
IntheLoclURIelementthatspecifiesthePluginPackageFamilyName,changetheelementto:
<LocURI>./Vendor/MSFT/VPNv2/PaloAltoNetworks/PluginProfile/PluginPackageFamilyName</LocU
RI>
IntheDataelementthatfollows,changethevalueto:
<Data>PaloAltoNetworks.GlobalProtect_rn9aeerfb38dg</Data>
4. Saveyourchangestotheexportedprofile.
5. ReturntoAirWatchandtheDevices > Profiles > List View.
6. Create(selectAdd > Add Profile > Windows > Windows Phone)andnameanewprofile.
7. SelectCustom Settings > Configure,andthencopyandpastetheeditedconfiguration.
8. Save & Publishyourchanges.
Step9 Cleanuptheoriginalprofile:SelecttheoriginalprofilefromtheDevices > Profiles > List View,selectMore

Actions > Deactivate.AirWatchmovestheprofiletotheInactivelist.
Step10 Testtheconfiguration.

MobileEndpointManagement ManagetheGlobalProtectAppUsingaThirdPartyMDM
ManagetheGlobalProtectAppUsingaThirdPartyMDM
Youcanuseanythirdpartymobiledevicemanagementsystem,suchasamobiledevicemanagement
(MDM)system,thatmanagesanAndroidoriOSmobileendpointtodeployandconfiguretheGlobalProtect
app.
ManagetheGlobalProtectAppforiOSUsingaThirdPartyMDMSystem
ConfiguretheGlobalProtectAppforiOS
Example:GlobalProtectiOSAppDeviceLevelVPNConfiguration
Example:GlobalProtectiOSAppAppLevelVPNConfiguration
ManagetheGlobalProtectAppforAndroidUsingaThirdPartyMDMSystem
ConfiguretheGlobalProtectAppforAndroid
Example:SetVPNConfiguration
Example:RemoveVPNConfiguration
Configure the GlobalProtect App for iOS
WhileathirdpartyMDMsystemallowsyoutopushconfigurationsettingsthatallowaccesstoyour
corporateresourcesandprovidesamechanismforenforcingdevicerestrictions,itdoesnotsecurethe
connectionbetweenthemobileendpointandservicesitconnectsto.Toenabletheclienttoestablishsecure
tunnelconnections,youmustenableVPNsupportontheendpoint.
ThefollowingtabledescribestypicalsettingsthatyoucanconfigureusingyourthirdpartyMDMsystem.
Setting Description Value
Connection Type Typeofconnectionenabledbythepolicy. Custom SSL
Identifier IdentifierforthecustomSSLVPNin com.paloaltonetworks.GlobalPro

reverseDNSformat. tect.vpnplugin
Server HostnameorIPaddressofthe <hostname or IP address>
GlobalProtectportal. Forexample:gp.paloaltonetworks.com
Account Useraccountforauthenticatingthe <username>

connection.
User Authentication Authenticationtypefortheconnection. Certificate | Password

Credential (CertificateUserAuthenticationonly) <credential>
Credentialforauthenticatingthe Forexample:clientcredial.p12
connection.
Enable VPN On Demand (Optional)Domainandhostnamethatwill <domain and hostname and the

establishtheconnectionandthe on-demand action>
ondemandaction: Forexample:gp.acme.com; Never
Alwaysestablishaconnection establish
Neverestablishaconnection
Establishaconnectionifneeded

ManagetheGlobalProtectAppUsingaThirdPartyMDM MobileEndpointManagement
ThefollowingexampleshowstheXMLconfigurationcontainingaVPNpayloadthatyoucanusetoverify
thedevicelevelVPNconfigurationoftheGlobalProtectappforiOS.
<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Configures VPN settings, including authentication.</string>
<key>PayloadDisplayName</key>
<string>VPN (Sample Device Level VPN)</string>
<key>PayloadIdentifier</key>
<string>Sample Device Level VPN.vpn</string>
<key>PayloadOrganization</key>
<string>Palo Alto Networks</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>5436fc94-205f-7c59-0000-011d</string>
<key>UserDefinedName</key>
<string>Sample Device Level VPN</string>
<key>Proxies</key>
<dict/>
<key>VPNType</key>
<string>VPN</string>
<key>VPNSubType</key>
<string>com.paloaltonetworks.GlobalProtect.vpnplugin</string>
<key>IPv4</key>
<dict>
<key>OverridePrimary</key>
</dict>
<key>VPN</key>
<dict>
<key>RemoteAddress</key>
<string>cademogp.paloaltonetworks.com</string>
<key>AuthName</key>
<string></string>
<key>DisconnectOnIdle</key>
<key>OnDemandEnabled</key>
<key>OnDemandRules</key>
<array>
<dict>
<key>Action</key>
<string>Connect</string>
</dict>
</array>
<key>AuthenticationMethod</key>
<string>Password</string>
</dict>
<key>VendorConfig</key>
<dict>
<key>AllowPortalProfile</key>
<key>FromAspen</key>
</dict>
</dict>
</array>
<string>Profile Description</string>
<string>Configuration</string>
<string>5436fc94-205f-7c59-0000-011c</string>
<key>PayloadRemovalDisallowed</key>
<false/>
</dict>
</plist>

ThefollowingexampleshowstheXMLconfigurationcontainingaVPNpayloadthatyoucanusetoverify
theapplevelVPNconfigurationoftheGlobalProtectappforiOS.
<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<string>Configures VPN settings, including authentication.</string>
<string>VPN (Sample App Level VPN)</string>
<string>Sample App Level VPN.vpn</string>
<string>com.apple.vpn.managed.applayer</string>
<key>VPNUUID</key>
<string>cGFuU2FtcGxlIEFwcCBMZXZlbCBWUE52cG5TYW1wbGUgQXBwIExldmVsIFZQTg==</string>
<key>SafariDomains</key>
<array>
<string>*.paloaltonetworks.com</string>
</array>
<string>54370008-205f-7c59-0000-01a1</string>
<key>UserDefinedName</key>
<string>Sample App Level VPN</string>
<key>Proxies</key>
<dict/>
<key>VPNType</key>
<string>VPN</string>
<key>VPNSubType</key>
<string>com.paloaltonetworks.GlobalProtect.vpnplugin</string>
<key>IPv4</key>
<dict>
<key>OverridePrimary</key>
</dict>
<key>VPN</key>
<dict>
<key>RemoteAddress</key>
<string>cademogp.paloaltonetworks.com</string>
<key>AuthName</key>
<string></string>
<key>OnDemandMatchAppEnabled</key>
<key>OnDemandEnabled</key>
<key>DisconnectOnIdle</key>
<key>AuthenticationMethod</key>
<string>Password</string>
</dict>
<key>VendorConfig</key>
<dict>
<key>OnlyAppLevel</key>
<key>AllowPortalProfile</key>
<key>FromAspen</key>
</dict>
</dict>
</array>
<string>Profile Description</string>
<string>Configuration</string>

Example:GlobalProtectiOSAppAppLevelVPNConfiguration(Continued)
<string>5436fc94-205f-7c59-0000-011c</string>
<key>PayloadRemovalDisallowed</key>
<false/>
</dict>
</plist>
Configure the GlobalProtect App for Android
YoucandeployandconfiguretheGlobalProtectapponAndroidForWorkdevicesfromanythirdparty
mobiledevicemanagement(MDM)systemsupportingAndroidForWorkAppdatarestrictions.
OnAndroiddevices,trafficisroutedthroughtheVPNtunnelaccordingtotheaccessroutesconfiguredon
theGlobalProtectgateway.FromyourthirdpartyMDMthatmanagesAndroidforWorkdevices,youcan
furtherrefinethetrafficthatisroutedthoughtheVPNtunnel.
Inanenvironmentwherethedeviceiscorporatelyowned,thedeviceownermanagestheentiredevice
includingalltheappsinstalledonthatdevice.Bydefault,allinstalledappscansendtrafficthroughtheVPN
tunnelaccordingtotheaccessroutesdefinedonthegateway.
Inabringyourowndevice(BYOD)environment,thedeviceisnotcorporatelyownedandusesaWork
Profiletoseparatebusinessandpersonalapps.BydefaultonlymanagedappsintheWorkProfilecansend
trafficthroughtheVPNtunnelaccordingtotheaccessroutesdefinedonthegateway.Appsinstalledonthe
personalsideofthedevicecannotsendtrafficthroughtheVPNtunnelsetbythemanagedGlobalProtect
appinstalledintheWorkProfile.
Toroutetrafficfromanevensmallersetofapps,youcanenablePerAppVPNsothatGlobalProtectonly
routestrafficfromspecificmanagedapps.ForPerAppVPN,youcanwhitelistorblacklistspecificmanaged
appsfromhavingtheirtrafficroutedthroughtheVPNtunnel.
AspartoftheVPNconfiguration,youcanalsospecifyhowtheuserconnectstotheVPN.Whenyou
configuretheVPNconnectionmethodasuser-logon,theGlobalProtectappwillestablishaconnection
automatically.WhenyouconfiguretheVPNconnectionmethodason-demand,userscaninitiatea
connectionmanuallywhenattemptingtoconnecttotheVPNremotely.
TheVPNconnectmethoddefinedintheMDMtakesprecedenceovertheconnectmethoddefinedinthe
GlobalProtectportalconfiguration.
RemovingtheVPNconfigurationautomaticallyrestorestheGlobalProtectapptotheoriginalconfiguration
settings.
ToconfiguretheGlobalProtectappforAndroid,configurethefollowingAndroidAppRestrictions.
Key ValueType Example
portal String 10.1.8.190
username String john
password String Passwd!234
certificate String(inBase64) DAFDSaweEWQ23wDSAFD.

Key ValueType Example
client_certificate_passphrase String PA$$W0RD$123
app_list* String whiltelist | blacklist: com.google.calendar;

com.android.email; com.android.chrome
connect_method String user-logon | on-demand
remove_vpn_config_via_restricti Boolean true | false

on
*Theapp_listkeyspecifiestheconfigurationforPerAppVPN.Beginthestringwitheitherthewhitelistor
blacklist,andfollowitwithanarrayofappnamesseparatedbysemicolon.Thewhitelistspecifiestheapps
thatwillusetheVPNtunnelfornetworkcommunication.Thenetworktrafficforanyotherappthatisnot
inthewhitelistorexpresslylistedintheblacklistwillnotgothroughtheVPNtunnel.
Example:SetVPNConfiguration
private static String RESTRICTION_PORTAL = "portal";

private static String RESTRICTION_USERNAME = "username";
private static String RESTRICTION_PASSWORD = "password";
private static String RESTRICTION_CONNECT_METHOD = "connect_method";
private static String RESTRICTION_CLIENT_CERTIFICATE = "client_certificate";
private static String RESTRICTION_CLIENT_CERTIFICATE_PASSPHRASE =
"client_certificate_passphrase";
private static String RESTRICTION_APP_LIST = "app_list";
private static String RESTRICTION_REMOVE_CONFIG = "remove_vpn_config_via_restriction";
Bundle config = new Bundle();

config.putString(RESTRICTION_PORTAL, "192.168.1.1");
config.putString(RESTRICTION_USERNAME, "john");
config.putString(RESTRICTION_PASSWORD, "Passwd!234");
config.putString(RESTRICTION_CONNECT_METHOD, "user-logon");
config.putString(RESTRICTION_CLIENT_CERTIFICATE, "DAFDSaweEWQ23wDSAFD.");
config.putString(RESTRICTION_CLIENT_CERTIFICATE_PASSPHRASE, "PA$$W0RD$123");
config.putString(RESTRICTION_APP_LIST,
"whitelist:com.android.chrome;com.android.calendar");
DevicePolicyManager dpm = (DevicePolicyManager)

getSystemService(Context.DEVICE_POLICY_SERVICE);
dpm.setApplicationRestrictions(EnforcerDeviceAdminReceiver.getComponentName(this),
"com.paloaltonetworks.globalprotect", config);

Example:RemoveVPNConfiguration
Bundle config = new Bundle();

config.putBoolean(RESTRICTION_REMOVE_CONFIG, true );
DevicePolicyManager dpm = (DevicePolicyManager)
getSystemService(Context.DEVICE_POLICY_SERVICE);
dpm.setApplicationRestrictions(EnforcerDeviceAdminReceiver.getComponentName(this),"com
.paloaltonetworks.globalprotect", config);

HostInformation
Althoughyoumayhavestringentsecurityatyourcorporatenetworkborder,yournetworkisreallyonlyas
secureastheenddevicesthatareaccessingit.Withtodaysworkforcebecomingmoreandmoremobile,
oftenrequiringaccesstocorporateresourcesfromavarietyoflocationsairports,coffeeshops,hotelsand
fromavarietyofdevicesbothcompanyprovisionedandpersonalyoumustlogicallyextendyour
networkssecurityouttoyourendpointstoensurecomprehensiveandconsistentsecurityenforcement.The
GlobalProtectHostInformationProfile(HIP)featureenablesyoutocollectinformationaboutthesecurity
statusofyourendhostssuchaswhethertheyhavethelatestsecuritypatchesandantivirusdefinitions
installed,whethertheyhavediskencryptionenabled,whetherthedeviceisjailbrokenorrooted(mobile
devicesonly),orwhetheritisrunningspecificsoftwareyourequirewithinyourorganization,including
customapplicationsandbasethedecisionastowhethertoallowordenyaccesstoaspecifichostbased
onadherencetothehostpoliciesyoudefine.
Thefollowingtopicsprovideinformationabouttheuseofhostinformationinpolicyenforcement.Itincludes
thefollowingsections:
AboutHostInformation
ConfigureHIPBasedPolicyEnforcement
CollectApplicationandProcessDataFromClients
BlockDeviceAccess

AboutHostInformation HostInformation
AboutHostInformation
OneofthejobsoftheGlobalProtectagentistocollectinformationaboutthehostitisrunningon.Theagent
thensubmitsthishostinformationtotheGlobalProtectgatewayuponsuccessfullyconnecting.Thegateway
matchesthisrawhostinformationsubmittedbytheagentagainstanyHIPobjectsandHIPprofilesyouhave
defined.Ifitfindsamatch,itgeneratesanentryintheHIPMatchlog.Additionally,ifitfindsaHIPprofile
matchinapolicyrule,itenforcesthecorrespondingsecuritypolicy.
Usinghostinformationprofilesforpolicyenforcementenablesgranularsecuritythatensuresthatthe
remotehostsaccessingyourcriticalresourcesareadequatelymaintainedandinadherencewithyour
securitystandardsbeforetheyareallowedaccesstoyournetworkresources.Forexample,beforeallowing
accesstoyourmostsensitivedatasystems,youmightwanttoensurethatthehostsaccessingthedatahave
encryptionenabledontheirharddrives.Youcanenforcethispolicybycreatingasecurityrulethatonly
allowsaccesstotheapplicationiftheclientsystemhasencryptionenabled.Inaddition,forclientsthatare
notincompliancewiththisrule,youcouldcreateanotificationmessagethatalertsusersastowhytheyhave
beendeniedaccessandlinksthemtothefilesharewheretheycanaccesstheinstallationprogramforthe
missingencryptionsoftware(ofcourse,toallowtheusertoaccessthatfileshareyouwouldhavetocreate
acorrespondingsecurityruleallowingaccesstotheparticularshareforhostswiththatspecificHIPprofile
match).
WhatDataDoestheGlobalProtectAgentCollect?
HowDoestheGatewayUsetheHostInformationtoEnforcePolicy?
HowDoUsersKnowifTheirSystemsareCompliant?
HowDoIGetVisibilityintotheStateoftheEndClients?
What Data Does the GlobalProtect Agent Collect?
Bydefault,theGlobalProtectagentcollectsvendorspecificdataabouttheendusersecuritypackagesthat
arerunningonthecomputer(ascompiledbytheOPSWATglobalpartnershipprogram)andreportsthisdata
totheGlobalProtectgatewayforuseinpolicyenforcement.
Becausesecuritysoftwaremustcontinuallyevolvetoensureenduserprotection,yourGlobalProtect
gatewaylicensesalsoenableyoutogetdynamicupdatesfortheGlobalProtectdatafilewiththelatestpatch
andsoftwareversionsavailableforeachpackage.
Whiletheagentcollectsacomprehensiveamountofdataaboutthehostitisrunningon,youmayhave
additionalsoftwarethatyourequireyourenduserstoruninordertoconnecttoyournetworkortoaccess
certainresources.Inthiscase,youcandefinecustomchecksthatinstructtheagenttocollectspecific
registryinformation(onWindowsclients),preferencelist(plist)information(onMacOSclients),ortocollect
informationaboutwhetherornotspecificservicesarerunningonthehost.
Theagentcollectsdataaboutthefollowingcategoriesofinformationbydefault,tohelptoidentifythe
securitystateofthehost:

HostInformation AboutHostInformation
Table:DataCollectionCategories
Category DataCollected
General Informationaboutthehostitself,includingthehostname,logondomain,
operatingsystem,clientversion,and,forWindowssystems,thedomaintowhich
themachinebelongs.
ForWindowsclientsdomain,theGlobalProtectagentcollectsthedomain
definedforComputerNameDnsDomain,whichistheDNSdomainassigned
tothelocalcomputerortheclusterassociatedwiththelocalcomputer.
ThisdataiswhatisdisplayedfortheWindowsclientsDomainintheHIP
Matchlogdetails(Monitor > HIP Match).
Patch Management Informationaboutanypatchmanagementsoftwarethatisenabledand/or

installedonthehostandwhetherthereareanymissingpatches.
Firewall Informationaboutanyclientfirewallsthatareinstalledand/orenabledonthe
host.
Antivirus Informationaboutanyantivirussoftwarethatisenabledand/orinstalledonthe
host,whetherornotrealtimeprotectionisenabled,thevirusdefinitionversion,
lastscantime,thevendorandproductname.
GlobalProtectusesOPSWATtechnologytodetectandassessthirdpartysecurity
applicationsontheendpoint.ByintegratingwiththeOPSWATOESISframework,
GlobalProtectenablesyoutoassessthecompliancestateoftheendpoint.For
example,youcandefineHIPobjectsandHIPprofilesthatverifythepresenceof
aspecificversionofAntivirussoftwarefromaspecificvendorontheendpointand
alsoensurethatithasthelatestvirusdefinitionfiles.
Anti-Spyware Informationaboutanyantispywaresoftwarethatisenabledand/orinstalledon
thehost,whetherornotrealtimeprotectionisenabled,thevirusdefinition
version,lastscantime,thevendorandproductname.
Disk Backup Informationaboutwhetherdiskbackupsoftwareisinstalled,thelastbackuptime,

andthevendorandproductnameofthesoftware.
Disk Encryption Informationaboutwhetherdiskencryptionsoftwareisinstalled,whichdrives

and/orpathsareconfiguredforencryption,andthevendorandproductnameof
thesoftware.
Data Loss Prevention Informationaboutwhetherdatalossprevention(DLP)softwareisinstalledand/or

enabledforthepreventionsensitivecorporateinformationfromleavingthe
corporatenetworkorfrombeingstoredonapotentiallyinsecuredevice.This
informationisonlycollectedfromWindowsclients.
Mobile Devices Identifyinginformationaboutthemobiledevice,suchasthemodelnumber,

phonenumber,serialnumberandInternationalMobileEquipmentIdentity(IMEI)
number.Inaddition,theagentcollectsinformationaboutspecificsettingsonthe
device,suchaswhetherornotapasscodeisset,whetherthedeviceisjailbroken,
alistofappsinstalledonthedevicethataremanagedbyathirdpartymobile
devicemanager,ifthedevicecontainsappsthatareknowntohavemalware
(Androiddevicesonly),and,optionally,theGPSlocationofthedeviceandalistof
appsthatarenotmanagedbythethirdpartymobiledevicemanager.Notethat
foriOSdevices,someinformationiscollectedbytheGlobalProtectappandsome
informationisreporteddirectlybytheoperatingsystem.

AboutHostInformation HostInformation
Youcanexcludecertaincategoriesofinformationfrombeingcollectedoncertainhosts(tosaveCPUcycles
andimproveclientresponsetime).Todothis,youcreateaclientconfigurationontheportalexcludingthe
categoriesyouarenotinterestedin.Forexample,ifyoudonotplantocreatepolicybasedonwhetheror
notclientsystemsrundiskbackupsoftware,youcanexcludethatcategoryandtheagentwillnotcollectany
informationaboutdiskbackup.
Youcanalsochoosetoexcludecollectinginformationfrompersonaldevicesinordertoallowforuser
privacy.Thiscanincludeexcludingdevicelocationandalistofappsinstalledonthedevicethatarenot
managedbyathirdpartymobiledevicemanager.
How Does the Gateway Use the Host Information to Enforce Policy?
Whiletheagentgetstheinformationaboutwhatinformationtocollectfromtheclientconfiguration
downloadedfromtheportal,youdefinewhichhostattributesyouareinterestedinmonitoringand/orusing
forpolicyenforcementbycreatingHIPobjectsandHIPprofilesonthegateway(s):
HIPObjectsProvidethematchingcriteriatofilteroutthehostinformationyouareinterestedinusing
toenforcepolicyfromtherawdatareportedbytheagent.Forexample,whiletherawhostdatamay
includeinformationaboutseveralantiviruspackagesthatareinstalledontheclientyoumayonlybe
interestedinoneparticularapplicationthatyourequirewithinyourorganization.Inthiscase,youwould
createaHIPobjecttomatchthespecificapplicationyouareinterestedinenforcing.
ThebestwaytodeterminewhatHIPobjectsyouneedistodeterminehowyouwillusethehost
informationyoucollecttoenforcepolicy.KeepinmindthattheHIPobjectsthemselvesaremerely
buildingblocksthatallowyoutocreatetheHIPprofilesthatareusedinyoursecuritypolicies.Therefore,
youmaywanttokeepyourobjectssimple,matchingononething,suchasthepresenceofaparticular
typeofrequiredsoftware,membershipinaspecificdomain,orthepresenceofaspecificclientOS.By
doingthis,youwillhavetheflexibilitytocreateaverygranular(andverypowerful)HIPaugmented
policy.
HIPProfilesAcollectionofHIPobjectsthataretobeevaluatedtogether,eitherformonitoringorfor
securitypolicyenforcement.WhenyoucreateyourHIPprofiles,youcancombinetheHIPobjectsyou
previouslycreated(aswellasotherHIPprofiles)usingBooleanlogicsuchthatwhenatrafficflowis
evaluatedagainsttheresultingHIPprofileitwilleithermatchornotmatch.Ifthereisamatch,the
correspondingpolicyrulewillbeenforced;ifthereisnotamatch,theflowwillbeevaluatedagainstthe
nextrule,aswithanyotherpolicymatchingcriteria.
UnlikeatrafficlogwhichonlycreatesalogentryifthereisapolicymatchtheHIPMatchloggenerates
anentrywhenevertherawdatasubmittedbyanagentmatchesaHIPobjectand/oraHIPprofileyouhave
defined.ThismakestheHIPMatchlogagoodresourceformonitoringthestateofthehostsonyournetwork
overtimebeforeattachingyourHIPprofilestosecuritypoliciesinordertohelpyoudetermineexactly
whatpoliciesyoubelieveneedenforcement.SeeConfigureHIPBasedPolicyEnforcementfordetailson
howtocreateHIPobjectsandHIPprofilesandusethemaspolicymatchcriteria.

HostInformation AboutHostInformation
How Do Users Know if Their Systems are Compliant?
Bydefault,endusersarenotgivenanyinformationaboutpolicydecisionsthatweremadeasaresultof
enforcementofaHIPenabledsecurityrule.However,youcanenablethisfunctionalitybydefiningHIP
notificationmessagestodisplaywhenaparticularHIPprofileismatchedand/ornotmatched.
Thedecisionastowhentodisplayamessage(thatis,whethertodisplayitwhentheusersconfiguration
matchesaHIPprofileinthepolicyorwhenitdoesntmatchit),dependslargelyonyourpolicyandwhata
HIPmatch(ornonmatch)meansfortheuser.Thatis,doesamatchmeantheyaregrantedfullaccesstoyour
networkresources?Ordoesitmeantheyhavelimitedaccessduetoanoncomplianceissue?
Forexample,considerthefollowingscenarios:
YoucreateaHIPprofilethatmatchesiftherequiredcorporateantivirusandantispywaresoftware
packagesarenotinstalled.Inthiscase,youmightwanttocreateaHIPnotificationmessageforuserswho
matchtheHIPprofiletellingthemthattheyneedtoinstallthesoftware(and,optionally,providingalink
tothefilesharewheretheycanaccesstheinstallerforthecorrespondingsoftware).
YoucreateaHIPprofilethatmatchesifthosesameapplicationsareinstalled,youmightwanttocreate
themessageforuserswhodonotmatchtheprofile,anddirectthemtothelocationoftheinstallpackage.
SeeConfigureHIPBasedPolicyEnforcementfordetailsonhowtocreateHIPobjectsandHIPprofilesand
useindefiningHIPnotificationmessages.
How Do I Get Visibility into the State of the End Clients?
WheneveranendhostconnectstoGlobalProtect,theagentpresentsitsHIPdatatothegateway.The
gatewaythenusesthisdatatodeterminewhichHIPobjectsand/orHIPprofilesthehostmatches.Foreach
match,itgeneratesaHIPMatchlogentry.Unlikeatrafficlogwhichonlycreatesalogentryifthereisa
policymatchtheHIPMatchloggeneratesanentrywhenevertherawdatasubmittedbyanagentmatches
aHIPobjectand/oraHIPprofileyouhavedefined.ThismakestheHIPMatchlogagoodresourcefor
monitoringthestateofthehostsonyournetworkovertimebeforeattachingyourHIPprofilestosecurity
policiesinordertohelpyoudetermineexactlywhatpoliciesyoubelieveneedenforcement.
BecauseaHIPMatchlogisonlygeneratedwhenthehoststatematchesaHIPobjectyouhavecreated,for
fullvisibilityintohoststateyoumayneedtocreatemultipleHIPobjectstologHIPmatchesforhoststhat
areincompliancewithaparticularstate(forsecuritypolicyenforcementpurposes)aswellashoststhatare
noncompliant(forvisibility).Forexample,supposeyouwanttopreventahostthatdoesnothaveAntivirus
softwareinstalledfromconnectingtothenetwork.InthiscaseyouwouldcreateaHIPobjectthatmatches
hoststhathaveaparticularAntivirussoftwareinstalled.ByincludingthisobjectinaHIPprofileandattaching
ittothesecuritypolicyrulethatallowsaccessfromyourVPNzone,youcanensurethatonlyhoststhatare
protectedwithantivirussoftwarecanconnect.
However,inthiscaseyouwouldnotbeabletoseeintheHIPMatchlogwhichparticularhostsarenotin
compliancewiththisrequirement.IfyouwantedtoalsoseealogforhoststhatdonothaveAntivirus
softwareinstalledsothatyoucanfollowupwiththeusers,youcanalsocreateaHIPobjectthatmatches
theconditionwheretheAntivirussoftwareisnotinstalled.Becausethisobjectisonlyneededforlogging
purposes,youdonotneedtoaddittoaHIPprofileorattachittoasecuritypolicyrule.

ConfigureHIPBasedPolicyEnforcement HostInformation
ConfigureHIPBasedPolicyEnforcement
Toenabletheuseofhostinformationinpolicyenforcementyoumustcompletethefollowingsteps.For
moreinformationontheHIPfeature,seeAboutHostInformation.
EnableHIPChecking
Step1 VerifyproperlicensingforHIPchecks. TousetheHIPfeature,youmusthavepurchasedandinstalleda

GlobalProtectsubscriptionlicenseoneachgatewaythatwill
performHIPchecks.Toverifythestatusofyourlicensesoneach
portalandgateway,selectDevice > Licenses.
ContactyourPaloAltoNetworksSalesEngineerorResellerifyou
donothavetherequiredlicenses.Formoreinformationon
licensing,seeAboutGlobalProtectLicenses.
Step2 (Optional)Defineanycustomhost 1. OnthefirewallthatishostingyourGlobalProtectportal,select

informationthatyouwanttheagentto Network > GlobalProtect > Portals.
collect.Forexample,ifyouhaveany 2. SelectyourportalconfigurationtoopentheGlobalProtect
requiredapplicationsthatarenot Portaldialog.
includedintheVendorand/orProduct
listsforcreatingHIPobjects,youcould 3. SelecttheAgent tabandthenselecttheagentconfiguration
createacustomcheckthatwillallowyou towhichyouwanttoaddacustomHIPcheck,orclickAddto
todeterminewhetherthatapplicationis createanewagentconfiguration.
installed(hasacorrespondingregistryor 4. SelecttheData Collectiontab.
plistkey)orisrunning(hasa
5. EnabletheoptiontoCollect HIP Data.
correspondingrunningprocess).
Step 2andStep 3assumethatyou 6. SelectCustom Checksanddefinethedatayouwanttocollect
havealreadycreatedaPortal fromhostsrunningthisagentconfigurationasfollows:
Configuration.Ifyouhavenotyet Tocollectinformationaboutspecificregistrykeys:Onthe
configuredyourportal,seeSetUp Windowstab,AddthenameofaRegistry Keyforwhichto
AccesstotheGlobalProtectPortal collectdataintheRegistryKeyarea.Optionally,torestrict
forinstructions. datacollectiontoaspecificRegistryValue,Addandthen
definethespecificRegistryValueorvalues.ClickOKto
savethesettings.
Tocollectinformationaboutrunningprocesses:Selectthe
appropriatetab(WindowsorMac)andthenAddaprocess
totheProcessList.Enterthenameoftheprocessthatyou
wanttheagenttocollectinformationabout.
Tocollectinformationaboutspecificpropertylists:Onthe
Mactab,clickAddinthePlistsection.EnterthePlistfor
whichtocollectdata.Optionally,clickAddtorestrictthe
datacollectiontospecificKeyvalues.ClickOKtosavethe
settings.
7. Ifthisisanewclientconfiguration,completetherestofthe
configurationasdesired.Forinstructions,seeDefinethe
GlobalProtectAgentConfigurations.
8. ClickOKtosavetheclientconfiguration.

HostInformation ConfigureHIPBasedPolicyEnforcement
EnableHIPChecking(Continued)
Step3 (Optional)Excludecategoriesfrom 1. OnthefirewallthatishostingyourGlobalProtectportal,select

collection. Network > GlobalProtect > Portals.
2. SelectyourportalconfigurationtoopentheGlobalProtect
Portaldialog.
3. OntheAgent tab,selecttheAgentconfigurationfromwhich
toexcludecategories,orAddanewone.
4. SelectData Collection,andthenverifythatCollect HIP Data
isenabled.
5. OntheExclude Categories tab,clickAdd.TheEditExclude
Categorydialogdisplays.
6. SelecttheCategoryyouwanttoexcludefromthedropdown
list.
7. (Optional)Ifyouwanttoexcludespecificvendorsand/or
productsfromcollectionwithintheselectedcategoryrather
thanexcludingtheentirecategory,clickAdd.Youcanthen
selecttheVendortoexcludefromthedropdownontheEdit
Vendordialogand,optionally,clickAddtoexcludespecific
productsfromthatvendor.Whenyouaredonedefiningthat
vendor,clickOK.Youcanaddmultiplevendorsandproducts
totheexcludelist.
8. RepeatStep6andStep7foreachcategoryyouwantto
exclude.
9. Ifthisisanewclientconfiguration,completetherestofthe
configurationasdesired.Formoreinformationondefining
clientconfigurations,seeDefinetheGlobalProtectAgent
Configurations.
10. ClickOKtosavetheclientconfiguration.

Step4 CreatetheHIPobjectstofiltertheraw 1. Onthegateway(oronPanoramaifyouplantosharetheHIP

hostdatacollectedbytheagents. objectsamongmultiplegateways),selectObjects >
ThebestwaytodeterminewhatHIP GlobalProtect > HIP ObjectsandclickAdd.
objectsyouneedistodeterminehow 2. OntheGeneraltab,enteraNamefortheobject.
youwillusethehostinformationyou
3. Selectthetabthatcorrespondstothecategoryofhost
collecttoenforcepolicy.Keepinmind
informationyouareinterestedinmatchingagainstandselect
thattheHIPobjectsthemselvesare
thecheckboxtoenabletheobjecttomatchagainstthe
merelybuildingblocksthatallowyouto
category.Forexample,tocreateanobjectthatlooksfor
createtheHIPprofilesthatareusedin
informationaboutAntivirussoftware,selecttheAntivirustab
yoursecuritypolicies.Therefore,you
andthenselecttheAntiviruscheckboxtoenablethe
maywanttokeepyourobjectssimple,
correspondingfields.Completethefieldstodefinethedesired
matchingononething,suchasthe
matchingcriteria.Forexample,thefollowingscreenshot
presenceofaparticulartypeofrequired
showshowtocreateanobjectthatwillmatchiftheSymantec
software,membershipinaspecific
NortonAntiVirus2004Professionalapplicationisinstalled,
domain,orthepresenceofaspecific
hasRealTimeProtectionenabled,andhasvirusdefinitions
clientOS.Bydoingthis,youwillhavethe
thathavebeenupdatedwithinthelast5days.
flexibilitytocreateaverygranular(and
verypowerful)HIPaugmentedpolicy.
FordetailsonaspecificHIP
categoryorfield,refertotheonline
help.
Repeatthisstepforeachcategoryyouwanttomatchagainst
inthisobject.Formoreinformation,seeTable:DataCollection
Categories.
4. ClickOKtosavetheHIPobject.
5. RepeatthesestepstocreateeachadditionalHIPobjectyou
require.

Step5 CreatetheHIPprofilesthatyouplanto 1. Onthegateway(oronPanoramaifyouplantosharetheHIP

useinyourpolicies. profilesamongmultiplegateways),selectObjects >
WhenyoucreateyourHIPprofiles,you GlobalProtect > HIP ProfilesandclickAdd.
cancombinetheHIPobjectsyou 2. EnteradescriptiveNamefortheprofileandoptionallya
previouslycreated(aswellasotherHIP Description.
profiles)usingBooleanlogicsuchthat
3. ClickAdd Match CriteriatoopentheHIPObjects/Profiles
whenatrafficflowisevaluatedagainst
Builder.
theresultingHIPprofileitwilleither
matchornotmatch.Ifthereisamatch, 4. SelectthefirstHIPobjectorprofileyouwanttouseasmatch
thecorrespondingpolicyrulewillbe criteriaandthenclickadd tomoveitovertotheMatchtext
enforced;ifthereisnotamatch,theflow boxontheHIPProfiledialog.Keepinmindthatifyouwant
willbeevaluatedagainstthenextrule,as theHIPprofiletoevaluatetheobjectasamatchonlywhenthe
withanyotherpolicymatchingcriteria. criteriaintheobjectisnottrueforaflow,selecttheNOTcheck
boxbeforeaddingtheobject.
5. Continueaddingmatchcriteriaasappropriatefortheprofile
youarebuilding,makingsuretoselecttheappropriate
Booleanoperatorradiobutton(ANDorOR)betweeneach
addition(and,again,usingtheNOTcheckboxwhen
appropriate).
6. IfyouarecreatingacomplexBooleanexpression,youmust
manuallyaddtheparenthesisintheproperplacesintheMatch
textboxtoensurethattheHIPprofileisevaluatedusingthe
logicyouintend.Forexample,thefollowingHIPprofilewill
matchtrafficfromahostthathaseitherFileVaultdisk
encryption(forMacOSsystems)orTrueCryptdiskencryption
(forWindowssystems)andalsobelongstotherequired
Domain,andhasaSymantecantivirusclientinstalled:
7. Whenyouaredoneaddingmatchcriteria,clickOKtosavethe
profile.
8. RepeatthesestepstocreateeachadditionalHIPprofileyou
require.

Step6 VerifythattheHIPobjectsandHIP Onthegateway(s)thatyourGlobalProtectusersareconnectingto,

profilesyoucreatedarematchingyour selectMonitor > Logs > HIP Match.Thislogshowsallofthe
GlobalProtectclienttrafficasexpected. matchesthegatewayidentifiedwhenevaluatingtherawHIPdata
ConsidermonitoringHIPobjects reportedbytheagentsagainstthedefinedHIPobjectsandHIP
andprofilesasameanstomonitor profiles.Unlikeotherlogs,aHIPmatchdoesnotrequireasecurity
thesecuritystateandactivityof policymatchinordertobelogged.
yourhostendpoints.Bymonitoring
thehostinformationovertimeyou
willbebetterabletounderstand
whereyoursecurityand
complianceissuesareandyoucan
usethisinformationtoguideyouin
creatingusefulpolicy.Formore
details,seeHowDoIGetVisibility
intotheStateoftheEndClients?
Step7 EnableUserIDonthesourcezonesthat 1. SelectNetwork > Zones.

containtheGlobalProtectusersthatwill 2. ClickontheNameofthezoneinwhichyouwanttoenable
besendingrequeststhatrequire UserIDtoopentheZonedialog.
HIPbasedaccesscontrols.Youmust
enableUserIDevenifyoudontplanon 3. EnableUserIDbyselectingtheEnabledcheckboxandthen
usingtheuseridentificationfeatureor clickOK.
thefirewallwillnotgenerateanyHIP
Matchlogsentries.
Step8 CreatetheHIPenabledsecurityruleson 1. SelectPolicies > Securityandselecttheruletowhichyou

yourgateway(s). wanttoaddaHIPprofile.
Asabestpractice,youshouldcreate 2. OntheSourcetab,makesuretheSource Zoneisazonefor
yoursecurityrulesandtestthatthey whichyouenabledUserIDinStep 7.
matchtheexpectedflowsbasedonthe
3. OntheUsertab,clickAddintheHIP Profilessectionand
sourceanddestinationcriteriaas
selecttheHIPprofile(s)youwanttoaddtotherule(youcan
expectedbeforeaddingyourHIP
addupto63HIPprofilestoarule).
profiles.Bydoingthisyouwillalsobe
betterabletodeterminetheproper 4. ClickOKtosavetherule.
placementoftheHIPenabledrules 5. Committhechanges.
withinthepolicy.

Step9 Definethenotificationmessagesend 1. OnthefirewallthatishostingyourGlobalProtectgateway(s),

userswillseewhenasecurityrulewitha selectNetwork > GlobalProtect > Gateways.
HIPprofileisenforced. 2. Selectapreviouslydefinedgatewayconfigurationtoopenthe
Thedecisionastowhentodisplaya GlobalProtectGatewaydialog.
message(thatis,whethertodisplayit
3. SelectClient Configuration > HIP Notification andthenclick
whentheusersconfigurationmatchesa
Add.
HIPprofileinthepolicyorwhenit
doesntmatchit),dependslargelyon 4. SelecttheHIP Profilethismessageappliestofromthe
yourpolicyandwhataHIPmatch(or dropdown.
nonmatch)meansfortheuser.Thatis, 5. SelectMatch MessageorNot Match Message,dependingon
doesamatchmeantheyaregrantedfull whetheryouwanttodisplaythemessagewhenthe
accesstoyournetworkresources?Or correspondingHIPprofileismatchedinpolicyorwhenitisnot
doesitmeantheyhavelimitedaccess matched.Insomecasesyoumightwanttocreatemessages
duetoanoncomplianceissue? forbothamatchandanonmatch,dependingonwhatobjects
Forexample,supposeyoucreateaHIP youarematchingonandwhatyourobjectivesareforthe
profilethatmatchesiftherequired policy.FortheMatchMessage,youcanalsoenabletheoption
corporateantivirusandantispyware toInclude matched application list in messagetoindicate
softwarepackagesarenotinstalled.In whatapplicationstriggeredtheHIPmatch.
thiscase,youmightwanttocreateaHIP
6. SelecttheEnablecheckboxandselectwhetheryouwantto
notificationmessageforuserswho
displaythemessageasaPop Up MessageorasaSystem Tray
matchtheHIPprofiletellingthemthat
Balloon.
theyneedtoinstallthesoftware.
Alternatively,ifyourHIPprofilematched 7. EnterthetextofyourmessageintheTemplatetextboxand
ifthosesameapplicationsareinstalled, thenclickOK.ThetextboxprovidesbothaWYSIWYGviewof
youmightwanttocreatethemessage thetextandanHTMLsourceview,whichyoucantoggle
foruserswhodonotmatchtheprofile. betweenusingtheSourceEdit icon.Thetoolbaralso
providesmanyoptionsforformattingyourtextandfor
creatinghyperlinks toexternaldocuments,forexampleto
linkusersdirectlytothedownloadURLforarequired
softwareprogram.
8. Repeatthisprocedureforeachmessageyouwanttodefine.

Step10 VerifythatyourHIPprofilesareworking YoucanmonitorwhattrafficishittingyourHIPenabledpolicies

asexpected. usingtheTrafficlogasfollows:
1. Fromthegateway,selectMonitor > Logs > Traffic.
2. Filterthelogtodisplayonlytrafficthatmatchestherulethat
hastheHIPprofileyouareinterestedinmonitoringattached.
Forexample,tosearchfortrafficthatmatchesasecurityrule
namediOSAppsyouwouldenter( rule eq 'iOS Apps' )
inthefiltertextboxasfollows:

HostInformation CollectApplicationandProcessDataFromClients
CollectApplicationandProcessDataFromClients
TheWindowsRegistryandMacPlistcanbeusedtoconfigureandstoresettingsandoptionsforWindows
andMacoperatingsystems,respectively.Youcancreateacustomcheckthatwillallowyoutodetermine
whetheranapplicationisinstalled(hasacorrespondingregistryorplistkey)orisrunning(hasa
correspondingrunningprocess)onaWindowsorMacclient.Enablingcustomchecksinstructsthe
GlobalProtectagenttocollectspecificregistryinformation(RegistryKeysandRegistryKeyValuesfrom
Windowsclients),preferencelist(plist)information(plistandplistkeysfromMacOSclients).Thedatathat
youdefinetobecollectedinacustomcheckisincludedintherawhostinformationdatacollectedbythe
GlobalProtectagentandthensubmittedtotheGlobalProtectgatewaywhentheagentconnects.
TomonitorthedatacollectedwithcustomchecksyoucancreateaHIPobject.YoucanthenaddtheHIP
objecttoaHIPprofiletousethecollecteddatatomatchtodevicetrafficandenforcesecurityrules.The
gatewaycanusetheHIPobject(whichmatchestothedatadefinedinthecustomcheck)tofiltertheraw
hostinformationsubmittedbytheagent.WhenthegatewaymatchestheclientdatatoaHIPobject,aHIP
Matchlogentryisgeneratedforthedata.AHIPprofileallowsthegatewaytoalsomatchthecollecteddata
toasecurityrule.IftheHIPprofileisusedascriteriaforasecuritypolicyrule,thegatewaywillenforcethat
securityruleonthematchingtraffic.
UsethefollowingtasktoenablecustomcheckstocollectdatafromWindowsandMacclients.Thistask
includestheoptionalstepstocreateaHIPobjectandHIPprofileforacustomcheck,ifyouwouldliketouse
clientdataasmatchingcriteriaforasecuritypolicytomonitor,identify,andactontraffic.
FormoreinformationondefiningagentsettingsdirectlyfromtheWindowsregistryortheglobal
Macplist,seeDeployAgentSettingsTransparently.
EnableandVerifyCustomChecksforWindowsorMacClients
Step1 EnabletheGlobalProtectagentto Collect data from a Windows client:

collectWindowsRegistryinformation 1. SelectNetwork > GlobalProtect > Portals andthenselectthe
fromWindowsclientsorPlist portalconfigurationyouwanttomodifyorAddanewone.
informationfromMacclients.Thetype
ofinformationcollectedcaninclude 2. SelecttheAgenttabandthenselecttheAgentconfiguration
whetherornotanapplicationisinstalled youwanttomodifyorAddanewone.
ontheclient,orspecificattributesor 3. Select Data Collection,andthenverifythatCollect HIP Datais
propertiesofthatapplication. enabled.
Thisstepenablestheagenttoreport 4. Select Custom Checks > Windows.
dataontheapplicationsandclient
settings.(Step 5andStep 6willshow 5. AddtheRegistryKeythatyouwanttocollectinformation
youhowtomonitorandusethereported about.Ifyouwanttorestrictdatacollectiontoavalue
datatoidentifyortakeactiononcertain containedwithinthatRegistryKey,addthecorresponding
devicetraffic). Registry Value.

CollectApplicationandProcessDataFromClients HostInformation
EnableandVerifyCustomChecksforWindowsorMacClients(Continued)
Collect data from a Mac client:

1. SelectNetwork > GlobalProtect > Portals andthenselectthe
portalconfigurationyouwanttomodifyorAddanewone.
2. SelecttheAgenttabandthenselecttheAgentconfiguration
youwanttomodifyorAddanewone.
3. Select Data Collection,andthenverifythatCollect HIP Datais
enabled.
4. Select Custom Checks > Mac.
5. AddthePlistthatyouwanttocollectinformationaboutand
thecorrespondingPlistKeytodetermineiftheapplicationis
installed:
.
Forexample,Add thePlistcom.apple.screensaverandthe
KeyaskForPasswordtocollectinformationonwhethera
passwordisrequiredtowaketheMacclientafterthescreen
saverbegins:
ConfirmthatthePlistandKey areaddedtotheMaccustom
checks:
Step2 (Optional)Checkifaspecificprocessis 1. ContinuefromStep 1ontheCustom Checkstab(Network >

runningontheclient. GlobalProtect > Portals > <portalconfig> > Agent >
<agentconfig>> Data Collection)andselecttheWindows tab
orMactab.
2. Addthenameoftheprocessthatyouwanttocollect
informationabouttotheProcess List.
Step3 Savethecustomcheck. ClickOKandCommitthechanges.

Step4 VerifythattheGlobalProtectagentis For Windows clients:

collectingthedatadefinedinthecustom OntheWindowsclient,doubleclicktheGlobalProtecticononthe
checkfromtheclient. taskbarandclicktheHost Statetabtoviewtheinformationthat
theGlobalProtectagentiscollectingfromtheMacclient.Underthe
customchecksdropdown,verifythatthedatathatyoudefinedfor
collectioninStep 7isdisplayed:
For Mac clients:

OntheMacclient,clicktheGlobalProtecticonontheMenubar,
clickAdvanced View,andclickHost Statetoviewtheinformation
thattheGlobalProtectagentiscollectingfortheMacclient.Under
thecustomchecksdropdown,verifythatthedatayoudefinedfor
collectioninStep 7isdisplayed:

CollectApplicationandProcessDataFromClients HostInformation
Step5 (Optional)CreateaHIPObjecttomatch For Windows and Mac clients:

toaRegistryKey(Windows)orPlist 1. SelectObjects > GlobalProtect > HIP ObjectsandAddaHIP
(Mac).Thiscanallowyoutofiltertheraw Object.
hostinformationcollectedfromthe
GlobalProtectagentinordertomonitor 2. SelectandenableCustom Checks.
thedataforthecustomcheck. For Windows clients only:
WithaHIPobjectdefinedforthecustom 1. TocheckWindowsclientsforaspecificregistrykey,select
checkdata,thegatewaywillmatchthe Registry KeyandAddtheregistrytomatchon.Toonlyidentify
rawdatasubmittedfromtheagenttothe clientsthatdonothavethespecifiedregistrykey,selectKey
HIPobjectandaHIPMatchlogentryis does not exist or match the specified value data.
generatedforthedata(Monitor > HIP
Match). 2. TomatchonspecificvalueswithintheRegistrykey,clickAdd
andthenentertheregistryvalueandvaluedata.Toidentify
clientsthatexplicitlydonothavethespecifiedvalueorvalue
data,selecttheNegate checkbox.
3. ClickOKtosavetheHIPobject.YoucanCommittoviewthe
dataintheHIP Matchlogsatthenextdevicecheckinor
continuetoStep 6.
For Mac clients only:
1. Selectthe Plisttaband AddandenterthenameofthePlistfor
whichyouwanttocheckMacclients.(Ifinstead,youwantto
matchMacclientsthatdonothavethespecifiedPlist,continue
byselectingPlist does not exist).
2. (Optional)Youcanmatchtraffictoaspecifickeyvaluepair
withinthePlistbyenteringtheKeyandthecorresponding
Valuetomatch.(Alternatively,ifyouwanttoidentifyclients
thatdonothaveaspecificKeyandValue,youcancontinueby
selectingNegateafteraddingpopulatingtheKeyandValue
fields).
3. ClickOKtosavetheHIPobject.YoucanCommittoviewthe
dataintheHIP Matchlogsatthenextdevicecheckinor
continuetoStep 6.

Step6 (Optional)CreateaHIPprofiletoallow 1. SelectObjects > GlobalProtect > HIP Profile.

theHIPobjectyoucreatedinStep 5to 2. ClickAdd Match Criteria toopentheHIP Objects/Profiles
beevaluatedagainsttraffic. Builder.
TheHIPprofilecanbeaddedtoa
3. SelecttheHIP objectyouwanttouseasmatchcriteriaand
securitypolicyasanadditionalcheckfor
thenmoveitovertotheMatchboxontheHIPProfiledialog.
trafficmatchingthatpolicy.Whenthe
trafficismatchedtotheHIPprofile,the 4. WhenyouhavefinishedaddingtheobjectstothenewHIP
securitypolicyrulewillbeenforcedon profile,click OKandCommit.
thetraffic.
FormoredetailsoncreatingaHIP
profiles,seeConfigureHIPBasedPolicy
Enforcement.
Step7 AddtheHIPprofiletoasecuritypolicyso SelectPolicies > Security,andAdd ormodifyasecuritypolicy.Go

thatthedatacollectedwiththecustom totheUsertabtoaddaHIPprofiletothepolicy.Formoredetails
checkcanbeusedtomatchtoandacton onsecuritypoliciescomponentsandusingsecuritypoliciesto
traffic. matchtoandactontraffic,seeSecurityPolicy.

BlockDeviceAccess HostInformation
BlockDeviceAccess
IntheeventthatauserlosesadevicethatprovidesGlobalProtectaccesstoyournetwork,thatdeviceis
stolen,orauserleavesyourorganization,youcanblockthedevicefromgainingaccesstothenetworkby
placingthedeviceinablocklist.
Ablocklistislocaltoalogicalnetworklocation(vsys,1forexample)andcancontainamaximumof1,000
devicesperlocation.Therefore,youcancreateseparatedeviceblocklistsforeachlocationhostinga
GlobalProtectdeployments.
BlockDeviceAccess
Step1 Createadeviceblocklist. 1. SelectNetwork > GlobalProtect > Device Block ListandAdd

YoucannotusePanorama adeviceblocklist.
templatestopushadeviceblock 2. EnteradescriptiveNameforthelist.
listtofirewalls.
3. Forafirewallwithmorethanonevirtualsystem(vsys),select
theLocation(vsysorShared)wheretheprofileisavailable.
Step2 Addadevicetoablocklist. 1. Adddevices.EnterthehostID(required)andhostname

(optional)foradeviceyouneedtoblock.
2. Addadditionaldevices,ifneeded.
3. ClickOKtosaveandactivatetheblocklist.
Thedevicelistdoesnotrequireacommitandis
immediatelyactive.

GlobalProtectQuickConfigs
ThefollowingsectionsprovidestepbystepinstructionsforconfiguringsomecommonGlobalProtect
deployments:
RemoteAccessVPN(AuthenticationProfile)
RemoteAccessVPN(CertificateProfile)
RemoteAccessVPNwithTwoFactorAuthentication
AlwaysOnVPNConfiguration
RemoteAccessVPNwithPreLogon
GlobalProtectMultipleGatewayConfiguration
GlobalProtectforInternalHIPCheckingandUserBasedAccess
MixedInternalandExternalGatewayConfiguration

RemoteAccessVPN(AuthenticationProfile) GlobalProtectQuickConfigs
IntheFigure:GlobalProtectVPNforRemoteAccess,theGlobalProtectportalandgatewayareconfigured
onethernet1/2,sothisisthephysicalinterfacewhereGlobalProtectclientsconnect.Afteraclientconnects
andtheportalandgatewayauthenticatesit,theclientestablishesaVPNtunnelfromitsvirtualadapter,
whichhasbeenassignedanaddressintheIPaddresspoolassociatedwiththegatewaytunnel.2
configuration10.31.32.310.31.32.118inthisexample.BecauseGlobalProtectVPNtunnelsterminateina
separatecorpvpnzone,youhavevisibilityintotheVPNtrafficaswellastheabilitytocustomizesecurity
policyforremoteusers.
Watchthevideo.
Figure:GlobalProtectVPNforRemoteAccess
Thefollowingprocedureprovidestheconfigurationstepsforthisexample.Youcanalsowatchthevideo.
QuickConfig:VPNRemoteAccess
Step1 CreateInterfacesandZonesfor SelectNetwork > Interfaces > Ethernet andconfigure

GlobalProtect. ethernet1/2asaLayer3EthernetinterfacewithIPaddress
Usethedefaultvirtualrouterforall 203.0.113.1andassignittothel3untrustzoneandthedefault
interfaceconfigurationstoavoid virtualrouter.
havingtocreateinterzonerouting. CreateaDNSArecordthatmapsIPaddress203.0.113.1to
gp.acme.com.
SelectNetwork > Interfaces > Tunnel andaddthetunnel.2
interfaceandaddittoanewzonecalledcorpvpn.Assignittothe
defaultvirtualrouter.
EnableUserIdentificationonthecorpvpnzone.

GlobalProtectQuickConfigs RemoteAccessVPN(AuthenticationProfile)
QuickConfig:VPNRemoteAccess(Continued)
Step2 Createsecuritypolicytoenabletraffic 1. SelectPolicies > SecurityandthenAddanewrule.

flowbetweenthecorpvpnzoneandthe 2. Forthisexample,youwoulddefinetherulewiththefollowing
l3trustzonetoenableaccesstoyour settings:
internalresources.
NameVPNAccess
SourceZonecorpvpn
DestinationZonel3trust
Step3 Obtainaservercertificateforthe SelectDevice > Certificate Management > Certificates tomanage

interfacehostingtheGlobalProtect certificatesasfollows:
portalandgatewayusingoneofthe Obtainaservercertificate.Becausetheportalandgatewayare
followingmethods: onthesameinterface,thesameservercertificatecanbeusedfor
(Recommended)Importaserver bothcomponents.
certificatefromawellknown, TheCNofthecertificatemustmatchtheFQDN,gp.acme.com.
thirdpartyCA. Toenableclientstoconnecttotheportalwithoutreceiving
UsetherootCAontheportalto certificateerrors,useaservercertificatefromapublicCA.
generateaselfsignedserver
certificate.
Step4 Createaserverprofile. CreatetheserverprofileforconnectingtotheLDAPserver(Device

Theserverprofileinstructsthefirewall > Server Profiles > LDAP).
howtoconnecttotheauthentication
service.SupportedmethodsareLocal,
RADIUS,Kerberos,SAML,andLDAP
authentication.Thisexampleshowsan
LDAPauthenticationprofilefor
authenticatingusersagainsttheActive
Directory.
Step5 (Optional)Createanauthentication Attachtheserverprofiletoanauthenticationprofile(Device >

profile. Authentication Profile).

RemoteAccessVPN(AuthenticationProfile) GlobalProtectQuickConfigs
QuickConfig:VPNRemoteAccess(Continued)
Step6 ConfigureaGlobalProtectGateway. SelectNetwork > GlobalProtect > Portalsandaddthefollowing

configuration:
Interfaceethernet1/2
IP Address203.0.113.1
Server CertificateGP-server-cert.pem issued by GoDaddy
Authentication ProfileCorp-LDAP
Tunnel Interfacetunnel.2
IP Pool10.31.32.3 - 10.31.32.118
Step7 ConfiguretheGlobalProtectPortals. SelectNetwork > GlobalProtect > Portalsandaddthefollowing

configuration:
1. SetUpAccesstotheGlobalProtectPortal.Thisexampleuses
thefollowingsettings:
Server CertificateGP-server-cert.pem issued by
GoDaddy
2. DefinetheGlobalProtectClientAuthenticationConfigurations
usingthefollowingsettings:
Connect MethodOn-demand(Manualuserinitiated
connection)
External Gateway Addressgp.acme.com
Step8 DeploytheGlobalProtectAgent SelectDevice > GlobalProtect Client.

Software. Inthisexample,usetheproceduretoHostAgentUpdatesonthe
Portal.
Step9 (Optional)Enableuseofthe PurchaseandinstallaGlobalProtectsubscription(Device >

GlobalProtectmobileapp. Licenses)toenableuseoftheapp.

GlobalProtectQuickConfigs RemoteAccessVPN(CertificateProfile)
Withcertificateauthentication,theclientmustpresentavalidclientcertificatethatidentifiestheusertothe
GlobalProtectportalorgateway.Inadditiontothecertificateitself,theportalorgatewaycanuseacertificate
profiletodeterminewhethertheclientthatsentthecertificateistheclienttowhichthecertificatewas
issued.
Whenaclientcertificateistheonlymeansofauthentication,thecertificatethattheclientpresentsmust
containtheusernameinoneofthecertificatefields;typicallytheusernamecorrespondstothecommon
name(CN)intheSubjectfieldofthecertificate.
Uponsuccessfulauthentication,theGlobalProtectagentestablishesaVPNtunnelwiththegatewayandis
assignedanIPaddressfromtheIPpoolinthegatewaystunnelconfiguration.Tosupportuserbasedpolicy
enforcementonsessionsfromthecorpvpnzone,theusernamefromthecertificateismappedtotheIP
addressthatthegatewayassigned.Also,ifasecuritypolicyrequiresadomainnameinadditiontousername,
thespecifieddomainvalueinthecertificateprofileisappendedtotheusername.
Figure:GlobalProtectClientCertificateAuthenticationConfiguration
ThisquickconfigurationusesthesametopologyasFigure:GlobalProtectVPNforRemoteAccess.Theonly
configurationdifferenceisthatinsteadofauthenticatingusersagainstanexternalauthenticationserver,this
configurationusesclientcertificateauthenticationonly.
QuickConfig:VPNRemoteAccesswithClientCertificateAuthentication
Step1 CreateInterfacesandZonesfor SelectNetwork > Interfaces > Ethernetandconfigure

Usethedefaultvirtualrouterfor 203.0.113.1andassignittothel3untrustsecurityzoneandthe
allinterfaceconfigurationsto defaultvirtualrouter.
avoidhavingtocreateinterzone CreateaDNSArecordthatmapsIPaddress203.0.113.1to
routing. gp.acme.com.
SelectNetwork > Interfaces > Tunnel.
Addtunnel.2interfacetoanewzonecalledcorp-vpn.Assignthe
interfacetothedefaultvirtualrouter.

RemoteAccessVPN(CertificateProfile) GlobalProtectQuickConfigs
QuickConfig:VPNRemoteAccesswithClientCertificateAuthentication(Continued)
Step2 Createsecuritypolicytoenabletraffic 1. SelectPolicies > SecurityandthenAddanewrule.

internalresources.
NameVPN Access
SourceZonecorp-vpn
DestinationZonel3-trust

certificate.
Step4 IssueclientcertificatestoGlobalProtect 1. UseyourenterprisePKIorapublicCAtoissueauniqueclient

clientsandendpoints. certificatetoeachGlobalProtectuser.
2. Installcertificatesinthepersonalcertificatestoreonthe
endpoints.
Step5 Createaclientcertificateprofile. 1. SelectDevice > Certificate Management > Certificate Profile,

clickAddandenteraprofileNamesuchasGP-client-cert.
2. SelectSubjectfromtheUsername Fielddropdown.
3. ClickAddintheCACertificatessection,selecttheCA
Certificatethatissuedtheclientcertificates,andclickOK
twice.
Step6 ConfigureaGlobalProtectGateway. SelectNetwork > GlobalProtect > Gatewaysandaddthefollowing

Seethetopologydiagramshownin configuration:
Figure:GlobalProtectVPNforRemote Interfaceethernet1/2
Access. IP Address203.0.113.1
Certificate ProfileGP-client-cert
IP Pool10.31.32.3 - 10.31.32.118

GlobalProtectQuickConfigs RemoteAccessVPN(CertificateProfile)
QuickConfig:VPNRemoteAccesswithClientCertificateAuthentication(Continued)
Step7 ConfiguretheGlobalProtectPortals. SelectNetwork > GlobalProtect > Portals andaddthefollowing

configuration:
1. SetUpAccesstotheGlobalProtectPortal:
GoDaddy
2. DefinetheGlobalProtectAgentConfigurations:
connection)

Portal.


RemoteAccessVPNwithTwoFactorAuthentication GlobalProtectQuickConfigs
IfyouconfigureaGlobalProtectportalorgatewaywithanauthenticationprofileandacertificateprofile
(whichtogethercanprovidetwofactorauthentication),theendusermustsucceedatauthentication
throughbothprofilesbeforegainingaccess.Forportalauthentication,thismeansthatcertificatesmustbe
predeployedtotheendclientsbeforetheirinitialportalconnection.Additionally,theclientcertificate
presentedbyaclientmustmatchwhatisdefinedinthecertificateprofile.
Ifthecertificateprofiledoesnotspecifyausernamefield(thatis,theUsername FielditissettoNone),the
clientcertificatedoesnotneedtohaveausername.Inthiscase,theclientmustprovidetheusername
whenauthenticatingagainsttheauthenticationprofile.
Ifthecertificateprofilespecifiesausernamefield,thecertificatethattheclientpresentsmustcontaina
usernameinthecorrespondingfield.Forexample,ifthecertificateprofilespecifiesthattheusername
fieldisSubject,thecertificatepresentedbytheclientmustcontainavalueinthecommonnamefield,or
elsetheauthenticationfails.Inaddition,whentheusernamefieldisrequired,thevaluefromthe
usernamefieldofthecertificateisautomaticallypopulatedastheusernamewhentheuserattemptsto
entercredentialsforauthenticatingtotheauthenticationprofile.Ifyoudonotwantforceusersto
authenticatewithausernamefromthecertificate,donotspecifyausernamefieldinthecertificate
profile.
ThisquickconfigurationusesthesametopologyasFigure:GlobalProtectVPNforRemoteAccess.However,
inthisconfigurationtheclientsmustauthenticateagainstacertificateprofileandanauthenticationprofile.
Formoredetailsonaspecifictypeoftwofactorauthentication,seethefollowingtopics:
EnableTwoFactorAuthenticationUsingOneTimePasswords(OTPs)
EnableTwoFactorAuthenticationUsingSmartCards

GlobalProtectQuickConfigs RemoteAccessVPNwithTwoFactorAuthentication
UsethefollowingproceduretoconfigureVPNRemoteAccesswithTwoFactorAuthentication.
VPNRemoteAccesswithTwoFactorAuthentication
Step1 CreateInterfacesandZonesfor SelectNetwork > Interfaces > Ethernetandconfigure

Usethedefaultvirtualrouterfor 203.0.113.1andassignittothel3untrustsecurityzoneandthe
allinterfaceconfigurationsto defaultvirtualrouter.
avoidhavingtocreateinterzone CreateaDNSArecordthatmapsIPaddress203.0.113.1to
routing. gp.acme.com.
interfaceandaddittoanewzonecalledcorp-vpn.Assignitto
thedefaultvirtualrouter.
Step2 Createsecuritypolicytoenabletraffic 1. SelectPolicies > SecurityandthenclickAddtoaddanewrule.

internalresources.
NameVPN Access
SourceZonecorp-vpn
DestinationZonel3-trust

certificate.
Step4 IssueclientcertificatestoGlobalProtect 1. UseyourenterprisePKIorapublicCAtoissueauniqueclient

clientsandendpoints. certificatetoeachGlobalProtectuser.
2. Installcertificatesinthepersonalcertificatestoreonthe
endpoints.

RemoteAccessVPNwithTwoFactorAuthentication GlobalProtectQuickConfigs
VPNRemoteAccesswithTwoFactorAuthentication(Continued)
Step5 Createaclientcertificateprofile. 1. SelectDevice > Certificate Management > Certificate Profile,

AddandenteraprofileNamesuchasGP-client-cert.
2. Specifywheretogettheusernamethatwillbeusedto
authenticatetheenduser:
FromuserIfyouwanttheendusertosupplyausername
whenauthenticatingtotheservicespecifiedinthe
authenticationprofile,selectNoneastheUsername Field.
FromcertificateIfyouwanttoextracttheusernamefrom
thecertificate,selectSubjectastheUsername Field.Ifyou
usethisoption,theCNcontainedinthecertificatewill
automaticallypopulatedtheusernamefieldwhentheuseris
promptedtologintotheportal/gatewayandtheuserwillbe
requiredtologinusingthatusername.
3. IntheCACertificatessection,Add andthenselecttheCA
Certificatethatissuedtheclientcertificates,andclickOK
twice.
Step6 Createaserverprofile. CreatetheserverprofileforconnectingtotheLDAPserver(Device

Theserverprofileinstructsthefirewall > Server Profiles > LDAP).
howtoconnecttotheauthentication
service.Local,RADIUS,Kerberos,SAML,
andLDAPauthenticationmethodsare
supported.ThisexampleshowsanLDAP
authenticationprofileforauthenticating
usersagainsttheActiveDirectory.
Step7 (Optional)Createanauthentication Attachtheserverprofiletoanauthenticationprofile(Device>

profile. Authentication Profile).

GlobalProtectQuickConfigs RemoteAccessVPNwithTwoFactorAuthentication
VPNRemoteAccesswithTwoFactorAuthentication(Continued)
Step8 ConfigureaGlobalProtectGateway. SelectNetwork > GlobalProtect > Gatewaysandaddthefollowing

Seethetopologydiagramshownin configuration:
IP Pool10.31.32.3 - 10.31.32.118

configuration:
GoDaddy
connection)

Portal.
Step11 (Optional)DeployAgentSettings Asanalternativetodeployingagentsettingsfromtheportal

Transparently. configuration,youcandefinesettingsdirectlyfromtheWindows
registryorglobalMACplist.Examplesofsettingsthatyoucan
deployincludespecifyingtheportalIPaddressorenabling
GlobalProtecttoinitiateaVPNtunnelbeforeauserlogsintothe
deviceandconnectstotheGlobalProtectportal.OnWindows
clientsonly,youcanalsoconfiguresettingsusingtheMSIEXEC
installer.Foradditionalinformation,seeCustomizableAgent
Settings.


AlwaysOnVPNConfiguration GlobalProtectQuickConfigs
AlwaysOnVPNConfiguration
InanalwaysonGlobalProtectconfiguration,theagentconnectstotheGlobalProtectportaluponuser
logontosubmituserandhostinformationandreceivetheclientconfiguration.Itthenautomatically
establishestheVPNtunneltothegatewayspecifiedintheclientconfigurationdeliveredbytheportal
withoutenduserinterventionasshowninthefollowingillustration.
ToswitchanyofthepreviousremoteaccessVPNconfigurationstoanalwaysonconfiguration,yousimply
changetheconnectmethod:
UsethefollowingproceduretoswitchtoanAlwaysOnconfiguration.
SwitchtoanAlwaysOnConfiguration
Step1 SelectNetwork > GlobalProtect > Portalsandselecttheportalconfigurationtoopenit.
Step2 SelecttheAgent tabandthenselecttheagentconfigurationyouwanttomodify.
Step3 SelecttheApptab.
Step4 SelectUser-logon (Always On)astheConnect Method.Repeatthisstepforeachagentconfiguration.
Step5 ClickOKtwicetosavetheagentconfigurationandtheportalconfigurationandthenCommityourchanges.

GlobalProtectQuickConfigs RemoteAccessVPNwithPreLogon
PrelogonisaconnectmethodthatestablishesaVPNtunnelbeforeauserlogsin.Thepurposeofprelogon
istoauthenticatetheendpoint(nottheuser)andthenenabledomainscriptsandothertasksofyourchoice
torunassoonastheendpointpowerson.AmachinecertificateenablestheendpointtohavetheVPNtunnel
tothegateway.AcommonpracticeforITpersonnelistoinstallthemachinecertificatewhilestagingthe
endpointfortheuser.
AprelogonVPNtunnelhasnousernameassociationbecausetheuserhasnotloggedin.Therefore,tolet
theendpointhaveaccesstoresourcesinthetrustzone,youmustcreatesecuritypoliciesthatmatchthe
prelogonuser.Thesepoliciesshouldallowaccesstoonlythebasicservicesforstartingupthesystem,such
asDHCP,DNS,ActiveDirectory(forexample,tochangeanexpiredpassword),antivirus,oroperating
systemupdateservices.
AfterthegatewayauthenticatesaWindowsuser,theVPNtunnelisreassignedtothatuser(theIPaddress
mappingonthefirewallchangesfromtheprelogonendpointtotheauthenticateduser).
MacsystemsbehavedifferentlyfromWindowssystemswithprelogon.WithMacOS,thetunnel
createdforprelogonistorndownandanewtunnelcreatedwhentheuserlogsin.
Whenaclientrequestsanewconnection,theportalauthenticatestheclientbyusinganauthentication
profile.Theportalcanalsouseanoptionalcertificateprofilethatvalidatestheclientcertificate(ifthe
configurationincludesaclientcertificate).Inthiscase,theclientcertificatemustidentifytheuser.
Afterauthentication,theportaldeterminesiftheclientsconfigurationiscurrent.Iftheportalsconfiguration
fortheagenthaschanged,itpushesanupdatedconfigurationtotheendpoint.
Iftheconfigurationontheportaloragatewayincludescookiebasedauthenticationfortheclient,theportal
orgatewayinstallsanencryptedcookieontheclient.Subsequently,theportalorgatewayusesthecookie
toauthenticateusersandforrefreshingtheclientsconfiguration.Also,ifanagentconfigurationprofile
includestheprelogonconnectmethodinadditiontocookieauthentication,theGlobalProtectcomponents
canusethecookieforprelogon.
Ifusersneverlogintoadevice(forexample,aheadlessdevice)oraprelogonconnectionisrequiredona
systemthatauserhasnotpreviouslyloggedinto,youcanlettheendpointinitiateaprelogontunnelwithout
firstconnectingtotheportaltodownloadtheprelogonconfiguration.Todothis,youmustoverridethe
defaultbehaviorbycreatingentriesintheWindowsregistryorMacplist.
TheGlobalProtectendpointwillthenconnecttotheportalspecifiedintheconfigurationandauthenticate
theendpointbyusingitsmachinecertificate(asspecifiedinacertificateprofileconfiguredonthegateway)
andestablishtheVPNtunnel.
Whentheendusersubsequentlylogsintothemachineandifsinglesignon(SSO)isenabledintheclient
configuration,theusernameandpasswordarecapturedwhiletheuserlogsinandusedtoauthenticateto
thegatewayandsothatthetunnelcanberenamed(Windows).IfSSOisnotenabledintheclient
configurationorofSSOisnotsupportedontheclientsystem(forexample,itisaMacOSsystem)theusers
credentialsmustbestoredintheagent(thatis,theSave User CredentialsoptionmustbesettoYes).After
successfulauthenticationtothegatewaythetunnelwillberenamed(Windows)orrebuilt(Mac)anduser
andgroupbasedpolicycanbeenforced.

RemoteAccessVPNwithPreLogon GlobalProtectQuickConfigs
ThisexampleusestheGlobalProtecttopologyshowninFigure:GlobalProtectVPNforRemoteAccess.
Step1 CreateInterfacesandZonesfor Forthisexample,selectNetwork > Interfaces > Ethernetand

GlobalProtect. then:
Usethedefaultvirtualrouterfor Selectethernet1/2.
allinterfaceconfigurationsto Foritsinterfacetype,selectLayer 3.
avoidhavingtocreateinterzone Assign interface to:defaultvirtualrouter,defaultvirtual
routing. system,andl3-untrustsecurityzone.
SelectIPv4andAdd.
Selecttheaddress203.0.113.1(ortheobjectthatmaps
203.0.113.1)oraddaNew Addresstocreateanewobjectand
addressmapping.(LeavetheaddresstypeasStatic.)
CreateaDNSArecordthatmapsIPaddress203.0.113.1to
gp.acme.com.
SelectNetwork > Interfaces > Tunnel.
Addatunnel.2interfacetoanewzonecalledcorp-vpn.Assignit
tothedefaultvirtualrouter.

RemoteAccessVPNwithPreLogon(Continued)
Step2 Createthesecuritypolicyrules. Thisconfigurationrequiresthefollowingpolicies(Policies >

Security):
1. Createarulethatenablestheprelogonuseraccesstobasic
servicesthatarerequiredforthecomputertocomeup,such
asauthenticationservices,DNS,DHCP,andMicrosoft
Updates.
2. Createaruletoenableaccessbetweenthecorpvpnzoneand
thel3trustzoneforanyknownuseraftertheusersuccessfully
logsin.
Step3 Useoneofthefollowingmethodsto SelectDevice > Certificate Management > Certificates tomanage

obtainaservercertificateforthe certificateswiththefollowingcriteria:
interfacethatishoststheGlobalProtect Obtainaservercertificate.Becausetheportalandgatewayare
portalandgateway: onthesameinterface,thesameservercertificatecanbeusedfor
certificate.
Step4 Generateamachinecertificateforeach 1. IssueclientcertificatestoGlobalProtectclientsandendpoints.

clientsystemthatwillconnectto 2. Installcertificatesinthepersonalcertificatestoreonthe
GlobalProtectandimportthemintothe endpoints.(LocalComputerstoreonWindowsorSystem
personalcertificatestoreoneach KeychainonMacOS)
machine.
Althoughyoucouldgenerateselfsigned
certificatesforeachclientsystem,asa
bestpractice,useyourownpublickey
infrastructure(PKI)toissueand
distributecertificatestoyourclients.

Step5 ImportthetrustedrootCAcertificate 1. DownloadtheCAcertificateinBase64format.

fromtheCAthatissuedthemachine 2. Importthecertificateontoeachfirewallthathostsaportalor
certificatesontotheportaland gateway,asfollows:
gateway(s).
a. SelectDevice > Certificate Management > Certificates >
Youdonothavetoimportthe Device Certificates andclickImport.
privatekey.
b. EnteraCertificate Namethatidentifiesthecertificateas
yourclientCAcertificate.
c. BrowsetotheCertificate Fileyoudownloadedfromthe
CA.
d. SelectBase64 Encoded Certificate (PEM)astheFile
FormatandthenclickOK.
e. SelectthecertificateyoujustimportedontheDevice
Certificatestabtoopenit.
f. SelectTrusted Root CAandthenclickOK.
Step6 Oneachfirewallthathostsa 1. SelectDevice > Certificates > Certificate Management >

GlobalProtectgateway,createa Certificate Profile.
certificateprofiletoidentifytheCA 2. ClickAddandenteraNametouniquelyidentifytheprofile,
certificateforvalidatingthemachine suchasPreLogonCert.
certificates.
3. SetUsernameFieldtoNone.
Optionally,ifyouplantouseclient
certificateauthenticationtoauthenticate 4. (Optional)Ifyouwillalsouseclientcertificateauthentication
userswhentheylogintothesystem, toauthenticateusersuponlogin,addtheCAcertificatethat
makesurethattheCAcertificatethat issuedtheclientcertificatesifitisdifferentfromtheonethat
issuestheclientcertificatesisreferenced issuedthemachinecertificates.
inthecertificateprofileinadditiontothe 5. IntheCA Certificatesfield,clickAdd,selecttheTrustedRoot
CAcertificatethatissuedthemachine CAcertificateyouimportedinStep 5andthenclickOK.
certificatesiftheyaredifferent.
6. ClickOKtosavetheprofile.
Step7 ConfigureaGlobalProtectGateway. 1. SelectNetwork > GlobalProtect > Gatewaysandaddthe

Seethetopologydiagramshownin followingconfiguration:
Althoughyoumustcreateacertificate Server CertificateGP-server-cert.pem issued by
profileforprelogonaccesstothe GoDaddy
gateway,youcanuseeitherclient Certificate ProfilePreLogonCert
certificateauthenticationor
authenticationprofilebased
authenticationforloggedinusers.Inthis Tunnel Interfacetunnel.2
example,thesameLDAPprofileisused IP Pool10.31.32.3 - 10.31.32.118
thatisusedtoauthenticateuserstothe 2. Committhegatewayconfiguration.
portal.

Step8 ConfiguretheGlobalProtectPortals. SelectNetwork > GlobalProtect > Portalsandspecifythefollowing

ConfigureDevicedetails(networking configuration:
parameters,theauthenticationservice SetUpAccesstotheGlobalProtectPortal:
profile,andthecertificateforthe Interfaceethernet1/2
authenticationserver). IP Address203.0.113.1
GoDaddy
Certificate ProfileNone
Step9 DefinetheGlobalProtectAgent SelectAgentandspecifyoneofthefollowingconfigurations:

Configurationsforprelogonusersand Usethesamegatewaybeforeandafterprelogonuserslogin:
forloggedinusers. Use single sign-onenabled
Useasingleagentconfigurationifyou Connect Methodpre-logon
wantprelogonuserstoaccessthesame
External Gateway Addressgp1.acme.com
gatewaysbeforeandaftertheylogin.
User/User Groupany
Otherwise,todirectprelogonusersto
differentgatewaysbeforeandafterthey Authentication OverrideCookieauthenticationfor
login,createtwoagentconfiguration transparentlyauthenticatingusersandforconfigurationrefresh
profiles.Inthisfirstagentconfigurations Useseparategatewaysforprelogonusersbeforeandafterthey
User/User Group,selectthepre-logon login:
filter.Withprelogon,theportalfirst FirstAgentConfiguration:
authenticatestheendpoint,nottheuser, Connect Methodpre-logon
tosetupaVPN(eventhoughthe
External Gateway Addressgp1.acme.com
prelogonparameterisassociatedwith
users).Subsequently,theportal User/User Grouppre-logon
authenticatestheuserwhenheorshe Authentication OverrideCookieauthenticationfor
logsin. transparentlyauthenticatingusersandforconfigurationrefresh
Aftertheportalauthenticatestheuser,it SecondAgentConfiguration:
deploysthesecondagentconfiguration. Use single sign-onenabled
Inthiscase,User/User Groupisany. Connect Methodpre-logon
Asabestpractice,enableSSOin External Gateway Addressgp2.acme.com
thesecondagentconfiguration User/User Groupany
sothatthecorrectusernameis
Authentication OverrideCookieauthenticationfor
immediatelyreportedtothe
transparentlyauthenticatingusersandforconfigurationrefresh
gatewaywhentheuserlogsinto
theendpoint.IfSSOisnot Makesuretheprelogonclientconfigurationisfirstinthelistof
enabled,thesavedusernamein configurations.Ifitisnot,selectitandclickMove Up.
theAgentsettingspanelisused.

Step11 (Optional)Ifuserswillneverlogintoa 1. LocatetheGlobalProtectsettingsintheregistry:

device(forexample,aheadlessdevice)or HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto
aprelogonconnectionisrequiredona Networks\GlobalProtect\PanSetup
systemthatauserhasnotpreviously
2. CreateaDWORDnamedPrelogonwithavalueof1inthe
loggedinto,createthePrelogonregistry
Value datafieldandHexadecimalastheBase.Thissetting
entryontheclientsystem.
enablesGlobalProtecttoinitiateaVPNconnectionbeforethe
Youmustalsopredeploy userlogsintothelaptop.
additionalagentsettingssuchas
thedefaultportalIPaddressand 3. CreateaString ValuenamedPortalthatspecifiestheIP
connectmethod. addressorhostnameofthedefaultportalforthe
GlobalProtectclient.
Formoreinformationaboutregistry
settings,seeDeployAgentSettings 4. CreateaString Valuenamedconnect-methodwithavalueof
Transparently. pre-logonintheValuedatafield.Thissettingenables
GlobalProtecttoinitiateaVPNtunnelbeforeauserlogsinto
thedeviceandconnectstotheGlobalProtectportal.

GlobalProtectQuickConfigs GlobalProtectMultipleGatewayConfiguration
GlobalProtectMultipleGatewayConfiguration
InFigure:GlobalProtectMultipleGatewayTopology,asecondexternalgatewayhasbeenaddedtothe
configuration.Multiplegatewaysaresupportedinalloftheprecedingexampleconfigurations.Additional
stepsincludeconfiguringasecondfirewallasaGlobalProtectgateway.Inaddition,whenconfiguringthe
clientconfigurationstobedeployedbytheportalyoucandecidewhethertoallowaccesstoallgateways,
orspecifydifferentgatewaysfordifferentconfigurations.
Figure:GlobalProtectMultipleGatewayTopology
Ifaclientconfigurationcontainsmorethanonegateway,theagentwillattempttoconnecttoallgateways
listedinitsclientconfiguration.Theagentwillthenusepriorityandresponsetimeastodeterminethe
gatewaytowhichtoconnect.Theagentconnectstoalowerprioritygatewayonlyiftheresponsetimefor
thehigherprioritygatewayisgreaterthantheaverageresponsetimeacrossallgateways.Formore
information,seeGatewayPriorityinaMultipleGatewayConfiguration.

GlobalProtectMultipleGatewayConfiguration GlobalProtectQuickConfigs
QuickConfig:GlobalProtectMultipleGatewayConfiguration
Step1 CreateInterfacesandZonesfor On the firewall hosting the portal/gateway (gw1):

GlobalProtect. SelectNetwork > Interfaces > Ethernetandconfigure
Inthisconfiguration,youmustsetup ethernet1/2asaLayer3EthernetinterfacewithIPaddress
interfacesoneachfirewallhostinga 198.51.100.42andassignittothel3untrustsecurityzoneand
gateway. thedefaultvirtualrouter.
Usethedefaultvirtualrouterfor CreateaDNSArecordthatmapsIPaddress198.51.100.42to
allinterfaceconfigurationsto gp1.acme.com.
avoidhavingtocreateinterzone SelectNetwork > Interfaces > Tunnel andaddthetunnel.2
routing. interfaceandaddittoanewzonecalledcorp-vpn.Assignitto
On the firewall hosting the second gateway (gw2):
SelectNetwork > Interfaces > Ethernetandconfigure
ethernet1/5asaLayer3EthernetinterfacewithIPaddress
192.0.2.4andassignittothel3untrustsecurityzoneandthe
gp2.acme.com.
Step2 PurchaseandinstallaGlobalProtect AfteryoupurchasetheGlobalProtectsubscriptionandreceiveyour

subscriptiononeachgatewayifyouhave activationcode,installthelicenseonthefirewallhostingtheportal
userswhowillbeusingtheGlobalProtect asfollows:
appontheirmobiledevicesorifyouplan 1. SelectDevice > Licenses.
touseHIPenabledsecuritypolicy.
2. SelectActivate feature using authorization code.
3. Whenprompted,entertheAuthorization Codeandthenclick
OK.
4. Verifythatthelicensewassuccessfullyactivated.
Step3 OneachfirewallhostingaGlobalProtect Thisconfigurationrequirespolicyrulestoenabletrafficflow

gateway,createsecuritypolicy. betweenthecorpvpnzoneandthel3trustzonetoenableaccess
toyourinternalresources(Policies > Security).

GlobalProtectQuickConfigs GlobalProtectMultipleGatewayConfiguration
QuickConfig:GlobalProtectMultipleGatewayConfiguration(Continued)
Step4 Obtainservercertificatesforthe Oneachfirewallhostingaportal/gatewayorgateway,select

interfaceshostingyourGlobalProtect Device > Certificate Management > Certificates tomanage
portalandeachofyourGlobalProtect certificatesasfollows:
gatewaysusingthefollowing Obtainaservercertificatefortheportal/gw1.Becausethe
recommendations: portalandthegatewayareonthesameinterfaceyoumustuse
(Onthefirewallhostingtheportalor thesameservercertificate.TheCNofthecertificatemustmatch
portal/gateway)Importaserver theFQDN,gp1.acme.com.Toenableclientstoconnecttothe
certificatefromawellknown, portalwithoutreceivingcertificateerrors,useaservercertificate
thirdpartyCA. fromapublicCA.
(Onafirewallhostingonlyagateway) Obtainaservercertificatefortheinterfacehostinggw2.
UsetherootCAontheportalto Becausethisinterfacehostsagatewayonlyyoucanusea
generateaselfsignedserver selfsignedcertificate.TheCNofthecertificatemustmatchthe
certificate. FQDN,gp2.acme.com.
Step5 Definehowyouwillauthenticateusers Youcanuseanycombinationofcertificateprofilesand/or

totheportalandthegateways. authenticationprofilesasnecessarytoensurethesecurityforyour
portalandgateways.Portalsandindividualgatewayscanalsouse
differentauthenticationschemes.Seethefollowingsectionsfor
stepbystepinstructions:
SetUpExternalAuthentication(authenticationprofile)
SetUpClientCertificateAuthentication(certificateprofile)
SetUpTwoFactorAuthentication(tokenorOTPbased)
Youwillthenneedtoreferencethecertificateprofileand/or
authenticationprofilesyoudefinedintheportalandgateway
configurationsyoudefine.
Step6 Configurethegateways. Thisexampleshowstheconfigurationforgp1andgp2shownin

Figure:GlobalProtectMultipleGatewayTopology.(SeeConfigurea
GlobalProtectGatewayforstepbystepinstructionsoncreating
thegatewayconfigurations.)
On the firewall hosting gp1, select Network > GlobalProtect >
Gateways and configure the gateway settings as follows:
IP Address198.51.100.42
Server CertificateGP1-server-cert.pem issued by GoDaddy
IP Pool10.31.32.3 - 10.31.32.118
On the firewall hosting gp2, select Network > GlobalProtect >
Gateways and configure the gateway settings as follows:
IP Address192.0.2.4
Server Certificateself-signed certificate,
GP2-server-cert.pem
IP Pool10.31.33.3 - 10.31.33.118

GlobalProtectMultipleGatewayConfiguration GlobalProtectQuickConfigs
QuickConfig:GlobalProtectMultipleGatewayConfiguration(Continued)

configuration:
IP Address198.51.100.42
Server CertificateGP1-server-cert.pem issued by
GoDaddy
Thenumberofclientconfigurationsyoucreatedependson
yourspecificaccessrequirements,includingwhetheryou
requireuser/groupbasedpolicyand/orHIPenabledpolicy
enforcement.

Portal.
Step9 SavetheGlobalProtectconfiguration. ClickCommitonthefirewallhostingtheportalandthegateway(s).

GlobalProtectQuickConfigs GlobalProtectforInternalHIPCheckingandUserBasedAccess
GlobalProtectforInternalHIPCheckingandUserBased
Access
WhenusedinconjunctionwithUserIDand/orHIPchecks,aninternalgatewaycanbeusedtoprovidea
secure,accuratemethodofidentifyingandcontrollingtrafficbyuserand/ordevicestate,replacingother
networkaccesscontrol(NAC)services.Internalgatewaysareusefulinsensitiveenvironmentswhere
authenticatedaccesstocriticalresourcesisrequired.
Inaconfigurationwithonlyinternalgateways,allclientsmustbeconfiguredwithuserlogon;ondemand
modeisnotsupported.Inaddition,itisrecommendedthatyouconfigureallclientconfigurationstouse
singlesignon(SSO).Additionally,becauseinternalhostsdonotneedtoestablishatunnelconnectionwith
thegateway,theIPaddressofthephysicalnetworkadapterontheclientsystemisused.
Inthisquickconfig,internalgatewaysareusedtoenforcegroupbasedpoliciesthatallowusersinthe
EngineeringgroupaccesstotheinternalsourcecontrolandbugdatabasesandusersintheFinancegroup
totheCRMapplications.Allauthenticatedusershaveaccesstointernalwebresources.Inaddition,HIP
profilesconfiguredonthegatewaycheckeachhosttoensurecompliancewithinternalmaintenance
requirements,suchaswhetherthelatestsecuritypatchesandantivirusdefinitionsareinstalled,whether
diskencryptionisenabled,orwhethertherequiredsoftwareisinstalled.
Figure:GlobalProtectInternalGatewayConfiguration

GlobalProtectforInternalHIPCheckingandUserBasedAccess GlobalProtectQuickConfigs
UsethefollowingproceduretoquicklyconfigureaGlobalProtectinternalgateway.
QuickConfig:GlobalProtectInternalGatewayConfiguration
Step1 CreateInterfacesandZonesfor Oneachfirewallhostingaportal/gateway:

GlobalProtect. 1. SelectanEthernetporttohosttheportal/gatewayandthen
Inthisconfiguration,youmustsetup configureaLayer3interfacewithanIPaddressinthel3trust
interfacesoneachfirewallhostinga securityzone.(Network > Interfaces > Ethernet).
portaland/oragateway.Becausethis
2. Enable User Identificationonthel3trustzone.
configurationusesinternalgateways
only,youmustconfiguretheportaland
gatewaysoninterfacesontheinternal
network.
Usethedefaultvirtualrouterfor
allinterfaceconfigurationsto
avoidhavingtocreateinterzone
routing.
Step2 PurchaseandinstallaGlobalProtect AfteryoupurchasetheGlobalProtectsubscriptionsandreceive

subscriptionforeachfirewallhostingan youractivationcode,installtheGlobalProtectsubscriptionsonthe
internalgatewayifyouhaveuserswho firewallshostingyourgatewaysasfollows:
willbeusingtheGlobalProtectappon 1. SelectDevice > Licenses.
theirmobiledevicesorifyouplantouse
HIPenabledsecuritypolicy. 2. SelectActivate feature using authorization code.
3. Whenprompted,entertheAuthorization Codeandthenclick
OK.
4. Verifythatthelicensewassuccessfullyactivated.
Step3 Obtainservercertificatesforthe Therecommendedworkflowisasfollows:

GlobalProtectportalandeach 1. Onthefirewallhostingtheportal:
a. Importaservercertificatefromawellknown,thirdparty
Inordertoconnecttotheportalforthe CA.
firsttime,theendclientsmusttrustthe
b. CreatetherootCAcertificateforissuingselfsigned
rootCAcertificateusedtoissuethe
certificatesfortheGlobalProtectcomponents.
portalservercertificate.Youcaneither
useaselfsignedcertificateontheportal c. UsetherootCAontheportaltogenerateaselfsigned
anddeploytherootCAcertificatetothe servercertificate.Repeatthisstepforeachgateway.
endclientsbeforethefirstportal 2. Oneachfirewallhostinganinternalgateway:
connection,orobtainaservercertificate a. Deploytheselfsignedservercertificates.
fortheportalfromatrustedCA.
Youcanuseselfsignedcertificateson
thegateways.

GlobalProtectQuickConfigs GlobalProtectforInternalHIPCheckingandUserBasedAccess
QuickConfig:GlobalProtectInternalGatewayConfiguration(Continued)

Step5 CreatetheHIPprofilesyouwillneedto 1. CreatetheHIPobjectstofiltertherawhostdatacollectedby

enforcesecuritypolicyongateway theagents.Forexample,ifyouareinterestedinpreventing
access. usersthatarenotuptodatewithrequiredpatches,youmight
SeeHostInformationformore createaHIPobjecttomatchonwhetherthepatch
informationonHIPmatching. managementsoftwareisinstalledandthatallpatcheswitha
givenseverityareuptodate.
2. CreatetheHIPprofilesthatyouplantouseinyourpolicies.
Forexample,ifyouwanttoensurethatonlyWindowsusers
withuptodatepatchescanaccessyourinternalapplications,
youmightattachthefollowingHIPprofilethatwillmatchhosts
thatdoNOThaveamissingpatch:

GlobalProtectforInternalHIPCheckingandUserBasedAccess GlobalProtectQuickConfigs
QuickConfig:GlobalProtectInternalGatewayConfiguration(Continued)
Step6 Configuretheinternalgateways. SelectNetwork > GlobalProtect > Gatewaysandaddthefollowing

settings:
Interface
IP Address
Server Certificate
Authentication Profileand/orConfiguration Profile
Noticethatitisnotnecessarytoconfiguretheclientconfiguration
settingsinthegatewayconfigurations(unlessyouwanttosetup
HIPnotifications)becausetunnelconnectionsarenotrequired.See
ConfigureaGlobalProtectGatewayforstepbystepinstructions
oncreatingthegatewayconfigurations.

Althoughalloftheprevious configuration:
configurationscouldusea 1. SetUpAccesstotheGlobalProtectPortal:
Connect MethodofUser-logon Interfaceethernet1/2
(Always On)orOn-demand
(Manual user initiated
connection),aninternalgateway Server CertificateGP-server-cert.pem issued by
configurationmustalwaysbeon GoDaddywithCN=gp.acme.com
andthereforerequiresaConnect 2. DefinetheGlobalProtectClientAuthentication
MethodofUser-logon (Always Configurations:
On). Use single sign-onenabled
Connect MethodUser-logon (Always On)
Internal Gateway Addresscalifornia.acme.com,
newyork.acme.com
User/User Groupany
3. Committheportalconfiguration.

Portal.
Step9 CreatetheHIPenabledand/or Addthefollowingsecurityrulesforthisexample:

user/groupbasedsecurityrulesonyour 1. SelectPolicies > SecurityandclickAdd.
gateway(s).
2. OntheSourcetab,settheSource Zonetol3-trust.
3. OntheUsertab,addtheHIPprofileanduser/grouptomatch.
ClickAddintheHIP ProfilessectionandselecttheHIP
profileMissingPatch.
ClickAddintheSource Usersectionandselectthegroup
(FinanceorEngineeringdependingonwhichruleyouare
creating).
4. ClickOKtosavetherule.
5. Committhegatewayconfiguration.

GlobalProtectQuickConfigs MixedInternalandExternalGatewayConfiguration
MixedInternalandExternalGatewayConfiguration
InaGlobalProtectmixedinternalandexternalgatewayconfiguration,youconfigureseparategatewaysfor
VPNaccessandforaccesstoyoursensitiveinternalresources.Withthisconfiguration,agentsperform
internalhostdetectiontodetermineiftheyareontheinternalorexternalnetwork.Iftheagentdetermines
itisontheexternalnetwork,itwillattempttoconnecttotheexternalgatewayslistedinitsclient
configurationanditwillestablishaVPN(tunnel)connectionwiththegatewaywiththehighestpriorityand
theshortestresponsetime.
Becausesecuritypoliciesaredefinedseparatelyoneachgateway,youhavegranularcontroloverwhich
resourcesyourexternalandinternalusershaveaccessto.Inaddition,youalsohavegranularcontrolover
whichgatewaysusershaveaccesstobyconfiguringtheportaltodeploydifferentclientconfigurations
basedonuser/groupmembershiporbasedonHIPprofilematching.
Inthisexample,theportalsandallthreegateways(oneexternalandtwointernal)aredeployedonseparate
firewalls.Theexternalgatewayatgpvpn.acme.comprovidesremoteVPNaccesstothecorporatenetwork
whiletheinternalgatewaysprovidegranularaccesstosensitivedatacenterresourcesbasedongroup
membership.Inaddition,HIPchecksareusedtoensurethathostsaccessingthedatacenterareuptodate
onsecuritypatches.
Figure:GlobalProtectDeploymentwithInternalandExternalGateways

MixedInternalandExternalGatewayConfiguration GlobalProtectQuickConfigs
UsethefollowingproceduretoquicklyconfigureamixofinternalandexternalGlobalProtectgateways.
QuickConfig:GlobalProtectMixedInternal&ExternalGatewayConfiguration
Step1 CreateInterfacesandZonesfor On the firewall hosting the portal gateway (gp.acme.com):

GlobalProtect. SelectNetwork > Interfaces > Ethernetandconfigure
Inthisconfiguration,youmustsetup ethernet1/2asaLayer3EthernetinterfacewithIPaddress
interfacesonthefirewallhostingaportal 198.51.100.42andassignittothel3untrustsecurityzoneand
andeachfirewallhostingagateway. thedefaultvirtualrouter.
Usethedefaultvirtualrouterfor CreateaDNSArecordthatmapsIPaddress198.51.100.42to
allinterfaceconfigurationsto gp.acme.com.
avoidhavingtocreateinterzone SelectNetwork > Interfaces > Tunnel andaddthetunnel.2
routing. interfaceandaddittoanewzonecalledcorp-vpn.Assignitto
On the firewall hosting the external gateway (gpvpn.acme.com):
SelectNetwork > Interfaces > Ethernetandconfigure
ethernet1/5asaLayer3EthernetinterfacewithIPaddress
192.0.2.4andassignittothel3untrustsecurityzoneandthe
gpvpn.acme.com.
On the firewall hosting the internal gateways (california.acme.com
and newyork.acme.com):
SelectNetwork > Interfaces > EthernetandconfigureLayer3
EthernetinterfacewithIPaddressesontheinternalnetworkand
assignthemtothel3trustsecurityzoneandthedefaultvirtual
router.
CreateaDNSArecordthatmapstheinternalIPaddresses
california.acme.comandnewyork.acme.com.
EnableUserIdentificationonthel3trustzone.
Step2 PurchaseandinstallaGlobalProtect AfteryoupurchasetheGlobalProtectsubscriptionsandreceive

subscriptionforeachfirewallhostinga youractivationcode,installtheGlobalProtectsubscriptionsonthe
gateway(internalandexternal)ifyou firewallshostingyourgatewaysasfollows:
haveuserswhowillbeusingthe 1. SelectDevice > Licenses.
GlobalProtectappontheirmobile
devicesorifyouplantouseHIPenabled 2. SelectActivate feature using authorization code.
securitypolicy. 3. Whenprompted,entertheAuthorization Codeandthenclick
OK.
4. Verifythatthelicenseandsubscriptionsweresuccessfully
activated.

QuickConfig:GlobalProtectMixedInternal&ExternalGatewayConfiguration(Continued)
Step3 Obtainservercertificatesforthe Therecommendedworkflowisasfollows:

GlobalProtectportalandeach 1. Onthefirewallhostingtheportal:
a. Importaservercertificatefromawellknown,thirdparty
Inordertoconnecttotheportalforthe CA.
firsttime,theendclientsmusttrustthe
b. CreatetherootCAcertificateforissuingselfsigned
rootCAcertificateusedtoissuethe
certificatesfortheGlobalProtectcomponents.
portalservercertificate.
c. UsetherootCAontheportaltogenerateaselfsigned
Youcanuseselfsignedcertificateson
servercertificate.Repeatthisstepforeachgateway.
thegatewaysanddeploytherootCA
certificatetotheagentsintheclient 2. Oneachfirewallhostinganinternalgateway:
configuration.Thebestpracticeisto Deploytheselfsignedservercertificates.
generateallofthecertificatesonfirewall
hostingtheportalanddeploythemto
thegateways.


Step5 CreatetheHIPprofilesyouwillneedto 1. CreatetheHIPobjectstofiltertherawhostdatacollectedby

enforcesecuritypolicyongateway theagents.Forexample,ifyouareinterestedinpreventing
access. usersthatarenotuptodatewithrequiredpatches,youmight
SeeHostInformationformore createaHIPobjecttomatchonwhetherthepatch
informationonHIPmatching. managementsoftwareisinstalledandthatallpatcheswitha
givenseverityareuptodate.
2. CreatetheHIPprofilesthatyouplantouseinyourpolicies.
Forexample,ifyouwanttoensurethatonlyWindowsusers
withuptodatepatchescanaccessyourinternalapplications,
youmightattachthefollowingHIPprofilethatwillmatchhosts
thatdoNOThaveamissingpatch:
Step6 Configuretheinternalgateways. SelectNetwork > GlobalProtect > Gatewaysandaddthefollowing

settings:
Interface
IP Address
Server Certificate
Authentication Profileand/orConfiguration Profile
Noticethatitisnotnecessarytoconfiguretheclientconfiguration
settingsinthegatewayconfigurations(unlessyouwanttosetup
HIPnotifications)becausetunnelconnectionsarenotrequired.See
ConfigureaGlobalProtectGatewayforstepbystepinstructions
oncreatingthegatewayconfigurations.


Althoughthisexampleshowshowto configuration:
createasingleclientconfigurationtobe 1. SetUpAccesstotheGlobalProtectPortal:
deployedtoallagents,youcouldchoose Interfaceethernet1/2
tocreateseparateconfigurationsfor
differentusesandthendeploythem
basedonuser/groupnameand/orthe Server CertificateGP-server-cert.pem issued by
operatingsystemtheagent/appis GoDaddywithCN=gp.acme.com
runningon(Android,iOS,Mac,or 2. DefinetheGlobalProtectClientAuthentication
Windows). Configurations:
Internal Host Detectionenabled
Use single sign-onenabled
Connect MethodUser-logon (Always On)
External Gateway Addressgpvpn.acme.com
Internal Gateway Addresscalifornia.acme.com,
newyork.acme.com
User/User Groupany
3. Committheportalconfiguration.

Portal.
Step9 Createsecuritypolicyrulesoneach Createsecuritypolicy(Policies > Security)toenabletrafficflow

gatewaytosafelyenableaccessto betweenthecorpvpnzoneandthel3trustzone.
applicationsforyourVPNusers. CreateHIPenabledanduser/groupbasedpolicyrulestoenable
granularaccesstoyourinternaldatacenterresources.
Forvisibility,createrulesthatallowallofyourusers
webbrowsingaccesstothel3untrustzone,usingthedefault
securityprofilestoprotectyoufromknownthreats.
Step10 SavetheGlobalProtectconfiguration. ClickCommitontheportalandallgateways.


GlobalProtectReferenceArchitecture
ThissectionoutlinesanexamplereferencearchitecturefordeployingGlobalProtectwhichsecures
internettrafficandprovidessecureaccesstocorporateresources.
Thereferencearchitectureandguidelinesdescribedinthissectionprovideacommondeploymentscenario.
Beforeadoptingthisarchitecture,identifyyourcorporatesecurity,infrastructuremanageability,andend
userexperiencerequirementsanddeployGlobalProtectbasedonthoserequirements.
Althoughtherequirementsmaybedifferentforeachenterprise,youcanleveragethecommonprinciples
anddesignconsiderationsoutlinedinthisdocumentalongwithbestpracticeconfigurationguidelinesto
meetyourenterprisesecurityneeds.
GlobalProtectReferenceArchitectureTopology
GlobalProtectReferenceArchitectureFeatures
GlobalProtectReferenceArchitectureConfigurations

GlobalProtectReferenceArchitectureTopology GlobalProtectReferenceArchitecture
GlobalProtectReferenceArchitectureTopology
GlobalProtectPortal
GlobalProtectPortal
Inthistopology,aPA3020inthecolocationspacefunctionsasaGlobalProtectportal.
Employeesandcontractorscanauthenticatetotheportalusingtwofactorauthentication(2FA)consisting
ofActiveDirectory(AD)credentialsandaonetimepassword(OTP).TheportaldeploysGlobalProtectclient
configurationsbasedonuserandgroupmembershipandoperatingsystem.
Byconfiguringaseparateportalclientconfigurationthatappliestoasmallgrouporsetofpilotusers,you
cantestfeaturesbeforerollingthemouttoawideruserbase.Anyclientconfigurationcontainingnew
featuressuchastheEnforceGlobalProtectorSimpleCertificateEnrollmentProtocol(SCEP)featureswhich
weremadeavailablewithPANOS7.1andcontentupdatesthatfollowedisenabledinthepilot
configurationfirstandvalidatedbythosepilotusers,beforeitismadeavailabletootherusers.
TheGlobalProtectportalalsopushesconfigurationstoGlobalProtectsatellites.Thisconfigurationincludes
theGlobalProtectgatewaystowhichsatellitescanconnectandestablishasitetositetunnel.

GlobalProtectReferenceArchitecture GlobalProtectReferenceArchitectureTopology
ThePA3020inthecolocationspace(mentionedpreviously)alsodoublesasaGlobalProtectgateway(the
SantaClaraGateway).10additionalgatewaysaredeployedinAmazonWebServices(AWS)andthe
MicrosoftAzurepubliccloud.TheregionsorPOPlocationswheretheseAWSandAzuregatewaysare
deployedarebasedonthedistributionofemployeesacrosstheglobe.
SantaClaraGatewayEmployeesandcontractorscanauthenticatetotheSantaClaraGateway
(PA3020inthecolocationspace)using2FA.ThisgatewayrequiresuserstoprovidetheirActive
DirectorycredentialsandtheirOTP.Becausethisgatewayprotectssensitiveresources,itisconfigured
asamanualonlygateway.Asaresult,usersdonotconnecttothisgatewayautomaticallyandmust
manuallychoosetoconnecttothisgateway.Forexample,whenusersconnecttoAWSNorcal,whichis
notamanualonlygateway,somesensitiveinternalresourcesarenotaccessible.Theusermustthen
manuallyswitchtoandauthenticatewiththeSantaClaraGatewaytoaccesstheseresources.
Inaddition,theSantaClaraGatewayisconfiguredasaLargeScaleVPN(LSVPN)tunnelterminationpoint
forallsatelliteconnectionsfromgatewaysinAWSandAzure.TheSantaClaraGatewayisalsoconfigured
tosetupanInternetProtocolSecurity(IPSec)tunneltotheITfirewallincorporateheadquarters.Thisis
thetunnelthatprovidesaccesstoresourcesinthecorporateheadquarters.
GatewaysinAmazonWebServicesandMicrosoftAzureThisgatewayrequires2FA:aclientcertificate
andActiveDirectorycredentials.TheGlobalProtectportaldistributestheclientcertificatethatis
requiredtoauthenticatewiththesegatewaysusingtheGlobalProtectSCEPfeature.
ThesegatewaysinthepubliccloudalsoactasGlobalProtectsatellites.Theycommunicatewiththe
GlobalProtectportal,downloadthesatelliteconfiguration,andestablishasitetositetunnelwiththe
SantaClaraGateway.GlobalProtectsatellitesinitiallyauthenticateusingserialnumber,andsubsequently
authenticateusingcertificates.
GatewaysInsideCorporateHeadquartersWithinthecorporateheadquarters,threefirewallsfunction
asGlobalProtectgateways.Theseareinternalgatewaysanddonotrequireendpointstosetupatunnel.
UsersauthenticatetothesegatewaysusingtheirActiveDirectorycredentials.Theseinternalgateways
useGlobalProtecttoidentifytheUserIDandtocollectHostInformationProfile(HIP)fromthe
endpoints.
Tomaketheenduserexperienceasseamlessaspossible,youcanconfiguretheseinternal
gatewaystoauthenticateusersusingcertificatesprovisionedbySCEPorusingKerberosservice
tickets.

GlobalProtectReferenceArchitectureFeatures GlobalProtectReferenceArchitecture
GlobalProtectReferenceArchitectureFeatures
EndUserExperience
ManagementandLogging
MonitoringandHighAvailability
EndUserExperience
Enduserswhoareremote(notinsidethecorporatenetwork)connecttooneofthegatewaysinAWSor
Azure.WhenyouconfiguretheGlobalProtectportalclientconfiguration,assignequalprioritytothe
gateways.Withthisconfiguration,thegatewaytowhichusersconnectdependsontheSSLresponsetime
ofeachgatewaymeasuredontheendpointduringthetunnelsetuptime.
Forexample,auserinAustraliawouldtypicallyconnecttotheAWSSydneyGateway.Oncetheuseris
connectedtoAWSSydney,GlobalProtectclienttunnelsalltrafficfromtheendpointtotheAWSSydney
firewallforinspection.GlobalProtectsendstraffictopublicinternetsitesdirectlyviatheAWSSydney
GatewayandtunnelstraffictocorporateresourcesthroughasitetositetunnelbetweentheAWSSydney
GatewayandtheSantaClaraGateway,andthenthroughanIPSecsitetositetunneltothecorporate
headquarters.Thisarchitectureisdesignedtoreduceanylatencytheusermayexperiencewhenaccessing
theinternet.IftheAWSSydneyGateway(oranygatewayclosertoSydney)wasunreachable,the
GlobalProtectclientwouldbackhaultheinternettraffictothefirewallinthecorporateheadquartersand
causelatencyissues.
Activedirectoryserversresideinsidethecorporatenetwork.Whenremoteendusersauthenticate,the
GlobalProtectclientsendsauthenticationrequeststhroughthesitetositetunnelinAWS/Azuretothe
SantaClaraGateway.ThegatewaythenforwardstherequestthroughanIPSecsitetositetunneltothe
ActiveDirectoryServerincorporateheadquarters.
Toreducethetimeittakesforremoteuserauthenticationandtunnelsetup,considerreplicatingtheActive
DirectoryServerandmakingitavailableinAWS.
Endusersinsidethecorporatenetworkauthenticatetothethreeinternalgatewaysimmediatelyafterthey
login;TheGlobalProtectclientsendstheHIPreporttotheseinternalgateways.Whenusersareinsidethe
officeonthecorporatenetwork,theymustmeettheUserIDandHIPrequirementstoaccessanyresource
atwork.
ManagementandLogging
Inthisdeployment,youcanmanageandconfigureallfirewallsfromPanorama,whichisdeployedinthe
colocationspace.
Toprovideconsistentsecurity,allfirewallsinAWSandAzureusethesamesecuritypoliciesand
configurations.Tosimplifyconfigurationofthegateways,Panoramaalsousesonedevicegroupandone
template.Inthisdeployment,allgatewaysforwardalllogstoPanorama.Thisenablesyoutomonitor
networktrafficortroubleshootissuesfromacentrallocationinsteadofrequiringyoutologintoeach
firewall.

GlobalProtectReferenceArchitecture GlobalProtectReferenceArchitectureFeatures
Whensoftwareupdatesarerequired,youcanusePanoramatodeploythesoftwareupdatestoallfirewalls.
Panoramafirstupgradesoneortwofirewallsandverifieswhethertheupgradewassuccessfulbefore
updatingtheremainingfirewalls.
MonitoringandHighAvailability
Tomonitorthefirewallsinthisdeployment,youcanuseNagios,anopensourceserver,network,andlog
monitoringsoftware.ConfigureNagiostoperiodicallyverifytheresponsefromtheportalandthegateways'
preloginpageandsendanalertiftheresponsedoesnotmatchtheexpectations.Youcanalsoconfigure
GlobalProtectSimpleNetworkManagementProtocol(SNMP)ManagementInformationBase(MIB)objects
tomonitorgatewayusage.
InthisdeploymentthereisonlyoneinstanceoftheGlobalProtectportal.Iftheportalbecomesunavailable,
newusers(whohaveneverconnectedtotheportalbefore)willnotbeabletoconnecttoGlobalProtect.
However,existinguserscanusethecachedportalclientconfigurationtoconnecttooneofthegateways.
Multiplevirtualmachine(VM)firewallsinAWSconfiguredasGlobalProtectgatewaysprovidegateway
redundancy.Therefore,configuringgatewaysasahighavailability(HA)pairisnotrequired.

GlobalProtectReferenceArchitectureConfigurations GlobalProtectReferenceArchitecture
GlobalProtectReferenceArchitectureConfigurations
Toalignyourdeploymentwiththereferencearchitecture,reviewthefollowingconfigurationchecklists.
GatewayConfiguration
PortalConfiguration
PolicyConfigurations
GatewayConfiguration
Disablesplittunneling.Todothis,ensuretherearenoAccessRoutesspecifiedinAgent > Client Settings

> Split Tunnel settings.SeeConfigureaGlobalProtectGateway.
EnableNo direct access to local networkinAgent > Client Settings > Split Tunnel.SeeConfigurea
GlobalProtectGateway.
EnablethegatewaytoAccept cookie for authentication override.SeeConfigureaGlobalProtectGateway.
PortalConfiguration
ConfiguretheConnect MethodasAlways-on (User logon).SeeCustomizetheGlobalProtectAgent.

SetUse Single Sign-On(Windowsonly)toYes.SeeCustomizetheGlobalProtectAgent.
ConfiguretheportaltoSave User Credentials(setthevaluetoYes).SeeDefinetheGlobalProtectAgent
Configurations.
EnabletheportaltoAccept cookie for authentication override.SeeDefinetheGlobalProtectAgent
Configurations.
ConfiguretheCookie Lifetimeas20hours.SeeDefinetheGlobalProtectAgentConfigurations.
Enforce GlobalProtectfornetworkaccess.SeeCustomizetheGlobalProtectAgent.
ConfigureInternal Host Detection.SeeDefinetheGlobalProtectAgentConfigurations.
EnabletheCollect HIP DataoptioninDataCollection.SeeDefinetheGlobalProtectAgent
Configurations.
DistributeandinstalltheSSLForwardProxyCAcertificateusedforSSLDecryption.SeeDefinethe
GlobalProtectAgentConfigurations.

GlobalProtectReferenceArchitecture GlobalProtectReferenceArchitectureConfigurations
PolicyConfigurations
ConfigureallfirewallstousesecuritypoliciesandprofilesbasedontheBestPracticeInternetGateway
SecurityPolicy.Inthisreferencedeployment,thisincludestheSantaClaraGatewayinthecolocation
spaceandgatewaysintheAWS/Azurepubliccloud.
EnableSSLDecryptiononallgatewaysinAWSandAzure.
ConfigurePolicyBasedForwardingrulesforallgatewaysinAWStoforwardtraffictocertainwebsites
throughtheSantaClaraGateway.Thisensuresthatsiteslikewww.stubhub.comandwww.lowes.com
thatblocktrafficfromAWSIPaddressrangesarestillaccessiblewhenusersconnecttogatewaysin
AWS.

GlobalProtectReferenceArchitectureConfigurations GlobalProtectReferenceArchitecture

Globalprotect Admin Guide

Caricato da

Informazioni sul documento

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Globalprotect Admin Guide

Caricato da

Copyright:

Formati disponibili

GlobalProtect

Palo Alto Networks, Inc.

GlobalProtectClients .............................................. 105

Feature Android iOS Chrome Windows Windows10 Mac

Agent Login 4.0 4.0 4.0 4.0

Multi-Factor 4.0 4.0 4.0 4.0 4.0 4.0

SAML Authentication 4.0 4.0 4.0 4.0 4.0 4.0

Single Sign-On (SSO)

SSO (Credential 1.2.0

Kerberos SSO 3.0.0

User-logon (always 1.0.0 3.1.3 1.0.0

Pre-logon (always-on) 1.1.0 1.1.0

Pre-logon (then 3.1.0 3.1.0

On-demand 1.0.0 1.0.0 3.1.1 1.0.0 3.1.3 1.0.0

External Gateway 4.0 4.0 4.0 4.0 4.0 4.0

Feature Android iOS Chrome Windows Windows10 Mac

Internal Gateway 4.0 4.0 4.0 4.0 4.0 4.0

Internal mode 1.0.0 1.0.0 3.1.1 1.0 1.0.0

External mode 1.0.0 1.0.0 3.1.1 1.0.0 3.1.3 1.0.0

IPv6 Support 4.0 4.0 4.0 4.0 4.0 4.0

Split Tunnel to 4.0 4.0 4.0 4.0 4.0 4.0

Restrict Transparent 4.0 4.0 4.0 4.0 4.0 4.0

Enforce 3.1.0 3.1.3 3.1.0

Deployment of SSL 3.0.0 3.0.0

HIP reports 1.0.0 1.0.0 3.0.0 1.0.0 3.1.3 1.0.0

Script actions that run 2.3.0 2.3.0

Certificate selection 3.0.0 3.0.0

Allow users to disable 2.2.0 2.2.0

Feature Android iOS Chrome Windows Windows10 Mac

Welcome and help 1.0.0 1.0.0 3.0.0 1.0.0 1.0.0

Endpoint mobility 1.0.0 1.0.0 3.0.0 3.1.3

Single, external gateway (Windows and Mac)

Single or multiple internal gateways

Multiple external gateways

Mobile app for iOS endpoints, Android endpoints,

Step1 ConfigureaLayer3interfaceforeach 1. SelectNetwork > Interfaces > EthernetorNetwork >

Step2 Onthefirewall(s)hostingGlobalProtect 1. SelectNetwork > Interfaces > Tunnel andclickAdd.

Step3 Ifyoucreatedaseparatezonefortunnel Forexample,thefollowingpolicyruleenablestrafficbetweenthe

Step4 Savetheconfiguration. ClickCommit.

About GlobalProtect Certificate Deployment

GlobalProtect Certificate Best Practices

CA certificate Usedtosigncertificatesissued Ifyouplantouseselfsignedcertificates,abestpracticeisto

Certificate Usage IssuingProcess/BestPractices

Portal server EnablesGlobalProtectagents ThiscertificateisidentifiedinanSSL/TLSserviceprofile.

Gateway server EnablesGlobalProtectagents ThiscertificateisidentifiedinanSSL/TLSserviceprofile.

Certificate Usage IssuingProcess/BestPractices

(Optional) Client Usedtoenablemutual Forsimplifieddeploymentofclientcertificates,configure

(Optional) Machine Amachinecertificateisaclient Useoneofthefollowingsupporteddigestalgorithmswhen

Deploy Server Certificates to the GlobalProtect Components

UsetherootCAontheportaltogeneratea 1. SelectDevice > Certificate Management > Certificates >

Assigntheservercertificateyouimportedor 1. SelectDevice > Certificate Management > SSL/TLS Service

Deploytheselfsignedservercertificates. Export the certificate from the portal:

Supported GlobalProtect Authentication Methods

Local Authentication Boththeuseraccountcredentialsandtheauthenticationmechanismsarelocaltothe

External authentication TheuserauthenticationfunctionsareperformedbyanexternalLDAP,Kerberos,

Client certificate Forenhancedsecurity,youcanconfiguretheportalorgatewaytouseaclientcertificate

How Does the Agent or App Know What Credentials to Supply?

Set Up LDAP Authentication

Step1 Createaserverprofile. 1. SelectDevice > Server Profiles andselecttheLDAPprofile.

Step2 (Optional)Createanauthentication 1. SelectDevice > Authentication ProfileandAddanewprofile.

Step3 Committheconfiguration. ClickCommit.

Set Up SAML Authentication

Step1 Createaserverprofile. 1. SelectDevice > Server Profiles andselecttheSAML Identity

Step2 (Optional)Createanauthentication 1. SelectDevice > Authentication ProfileandAddanewprofile.