GlobalProtect Administrator's Guide
Version 7.1

Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contactsupport

About this Guide
This guide describes how to deploy GlobalProtect to extend the same next-generation firewall-based policies that are enforced within the physical perimeter to your roaming users, no matter where they are located.
For information on how to configure other components in the Palo Alto Networks Next-Generation Security Platform, go to the Technical Documentation portal (https://www.paloaltonetworks.com/documentation) or search the documentation.
For access to the knowledge base, complete documentation set, discussion forums, and videos, refer to https://live.paloaltonetworks.com.
For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
For the most current PAN-OS and GlobalProtect 7.1 release notes, go to https://www.paloaltonetworks.com/documentation/71/panos/panosreleasenotes.html.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.

Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Revision Date: November 21, 2016
2  GlobalProtect 7.1 Administrator's Guide  Palo Alto Networks, Inc.
Table of Contents
GlobalProtect Overview ... 7
    About the GlobalProtect Components ... 8
        GlobalProtect Portal ... 8
        GlobalProtect Gateways ... 8
        GlobalProtect Client ... 9
    What Client OS Versions are Supported with GlobalProtect? ... 10
    What Features Does GlobalProtect Support? ... 11
    About GlobalProtect Licenses ... 13
Set Up the GlobalProtect Infrastructure ... 15
    Create Interfaces and Zones for GlobalProtect ... 16
    Enable SSL Between GlobalProtect Components ... 18
        About GlobalProtect Certificate Deployment ... 18
        GlobalProtect Certificate Best Practices ... 18
        Deploy Server Certificates to the GlobalProtect Components ... 21
    Set Up GlobalProtect User Authentication ... 25
        About GlobalProtect User Authentication ... 25
        Set Up External Authentication ... 28
        Set Up Client Certificate Authentication ... 32
        Set Up Two-Factor Authentication ... 38
        Set Up Authentication for strongSwan Ubuntu and CentOS Clients ... 47
    Enable Group Mapping ... 54
    Configure GlobalProtect Gateways ... 57
        Prerequisite Tasks for Configuring the GlobalProtect Gateway ... 57
        Configure a GlobalProtect Gateway ... 57
    Configure the GlobalProtect Portal ... 65
        Prerequisite Tasks for Configuring the GlobalProtect Portal ... 65
        Set Up Access to the GlobalProtect Portal ... 66
        Define the GlobalProtect Client Authentication Configurations ... 67
        Gateway Priority in a Multiple-Gateway Configuration ... 68
        Define the GlobalProtect Agent Configurations ... 69
        Customize the GlobalProtect Agent ... 74
        Customize the GlobalProtect Portal Login, Welcome, and Help Pages ... 82
    Enable Delivery of GlobalProtect Client VSAs to a RADIUS Server ... 84
    Deploy the GlobalProtect Client Software ... 85
        Deploy the GlobalProtect Agent Software ... 85
        Download and Install the GlobalProtect Mobile App ... 90
        Download and Install the GlobalProtect App for Chrome OS ... 93
    Deploy Agent Settings Transparently ... 97
        Customizable Agent Settings ... 98
        Deploy Agent Settings to Windows Clients ... 104
        Deploy Agent Settings to Mac Clients ... 113
    Reference: GlobalProtect Agent Cryptographic Functions ... 117
    GlobalProtect MIB Support ... 118
Mobile Endpoint Management ... 119
    Mobile Endpoint Management Overview ... 120
    Set Up a Mobile Endpoint Management System ... 121
    Manage the GlobalProtect App Using AirWatch ... 122
        Deploy the GlobalProtect Mobile App Using AirWatch ... 122
        Configure the GlobalProtect App for iOS Using AirWatch ... 123
        Configure the GlobalProtect App for Android Using AirWatch ... 126
        Configure the GlobalProtect App for Windows 10 UWP Using AirWatch ... 130
    Manage the GlobalProtect App Using a Third-Party MDM ... 133
        Configure the GlobalProtect App for iOS ... 133
        Example: GlobalProtect iOS App Device-Level VPN Configuration ... 134
        Example: GlobalProtect iOS App App-Level VPN Configuration ... 135
        Configure the GlobalProtect App for Android ... 136
        Example: Set VPN Configuration ... 137
        Example: Remove VPN Configuration ... 137
GlobalProtect Reference Architecture ... 189
    GlobalProtect Reference Architecture Topology ... 190
        GlobalProtect Portal ... 190
        GlobalProtect Gateways ... 191
    GlobalProtect Reference Architecture Features ... 192
        End User Experience ... 192
        Management and Logging ... 192
        Monitoring and High Availability ... 193
    GlobalProtect Reference Architecture Configurations ... 194
        Gateway Configuration ... 194
        Portal Configuration ... 194
        Policy Configurations ... 194
GlobalProtect Overview
Whether checking email from home or updating corporate documents from the airport, the majority of today's employees work outside the physical corporate boundaries. This increased workforce mobility brings increased productivity and flexibility while simultaneously introducing significant security risks. Every time users leave the building with their laptops or mobile devices they are bypassing the corporate firewall and associated policies that are designed to protect both the user and the network. GlobalProtect solves the security challenges introduced by roaming users by extending the same next-generation firewall-based policies that are enforced within the physical perimeter to all users, no matter where they are located.
The following sections provide conceptual information about the Palo Alto Networks GlobalProtect offering and describe the components of GlobalProtect and the various deployment scenarios:
- About the GlobalProtect Components
- What Client OS Versions are Supported with GlobalProtect?
- What Features Does GlobalProtect Support?
- About GlobalProtect Licenses
About the GlobalProtect Components
GlobalProtect provides a complete infrastructure for managing your mobile workforce to enable secure access for all your users, regardless of what devices they are using or where they are located. This infrastructure includes the following components:
- GlobalProtect Portal
- GlobalProtect Gateways
- GlobalProtect Client

GlobalProtect Portal
The GlobalProtect portal provides the management functions for your GlobalProtect infrastructure. Every client system that participates in the GlobalProtect network receives configuration information from the portal, including information about available gateways as well as any client certificates that may be required to connect to the GlobalProtect gateway(s). In addition, the portal controls the behavior and distribution of the GlobalProtect agent software to both Mac and Windows laptops. (On mobile devices, the GlobalProtect app is distributed through the Apple App Store for iOS devices or through Google Play for Android devices.) If you are using the Host Information Profile (HIP) feature, the portal also defines what information to collect from the host, including any custom information you require. You Configure the GlobalProtect Portal on an interface on any Palo Alto Networks next-generation firewall.

GlobalProtect Gateways
GlobalProtect gateways provide security enforcement for traffic from GlobalProtect agents/apps. Additionally, if the HIP feature is enabled, the gateway generates a HIP report from the raw host data the clients submit and can use this information in policy enforcement.
- External gateways: Provide security enforcement and/or virtual private network (VPN) access for your remote users.
- Internal gateways: An interface on the internal network configured as a GlobalProtect gateway for applying security policy for access to internal resources. When used in conjunction with User-ID and/or HIP checks, an internal gateway can be used to provide a secure, accurate method of identifying and controlling traffic by user and/or device state. Internal gateways are useful in sensitive environments where authenticated access to critical resources is required. You can configure an internal gateway in either tunnel mode or non-tunnel mode.
You Configure GlobalProtect Gateways on an interface on any Palo Alto Networks next-generation firewall. You can run both a gateway and a portal on the same firewall, or you can have multiple, distributed gateways throughout your enterprise.
GlobalProtect Client
The GlobalProtect client software runs on end-user systems and enables access to your network resources via the GlobalProtect portals and gateways you have deployed. There are two types of GlobalProtect clients:
- The GlobalProtect Agent: Runs on Windows and Mac OS systems and is deployed from the GlobalProtect portal. You configure the behavior of the agent (for example, which tabs the users can see, and whether or not users can uninstall the agent) in the client configuration(s) you define on the portal. See Define the GlobalProtect Agent Configurations, Customize the GlobalProtect Agent, and Deploy the GlobalProtect Agent Software for details.
- The GlobalProtect App: Runs on iOS, Android, Windows UWP, and Chromebook devices. Users must obtain the GlobalProtect app from the Apple App Store (for iOS), Google Play (for Android), Microsoft Store (for Windows UWP), or Chrome Web Store (for Chromebook).
See What Client OS Versions are Supported with GlobalProtect? for more details.
The following diagram illustrates how the GlobalProtect portals, gateways, and agents/apps work together to enable secure access for all your users, regardless of what devices they are using or where they are located.
What Client OS Versions are Supported with GlobalProtect?
Palo Alto Networks supports the GlobalProtect app (also referred to as the GlobalProtect agent) on common desktop, laptop, and mobile devices. We recommend that you configure GlobalProtect on firewalls running PAN-OS 6.1 or a later release and that you install only supported releases of the GlobalProtect app on endpoints. The minimum GlobalProtect app release varies by operating system; to determine the minimum GlobalProtect app release for a specific operating system, refer to the following topics in the Palo Alto Networks Compatibility Matrix:
- Where Can I Install the GlobalProtect App?
- What XAuth IPSec Clients are Supported?
Older versions of the GlobalProtect app (releases 1.0 through 2.1) are still supported on the operating systems and PAN-OS releases with which they were released. For minimum PAN-OS release support for GlobalProtect app 2.1 and older releases, refer to the GlobalProtect agent (app) release notes for your specific release on the Software Updates site (you must be a registered user to access this site).
What Features Does GlobalProtect Support?
The following table lists the supported features on GlobalProtect by OS. An entry in the table indicates the first supported release of the feature on the OS. A dash indicates the feature is not supported. For recommended minimum GlobalProtect agent and app versions, see What Client OS Versions are Supported with GlobalProtect?
[Feature table: only fragments survived extraction. Feature categories: Connect Methods, Modes, Single Sign-On (SSO), Customization. Surviving entries: SSO (Credential Provider): 1.2.0; Kerberos SSO: 3.0.0.]
About GlobalProtect Licenses
If you simply want to use GlobalProtect to provide a secure, remote access or virtual private network (VPN) solution via single or multiple internal/external gateways, you do not need any GlobalProtect licenses. However, to use some of the more advanced features, such as HIP checks and associated content updates and support for the GlobalProtect mobile app, you need to purchase an annual gateway subscription. This license must be installed on each firewall running a gateway(s) that performs HIP checks and that supports the GlobalProtect app on mobile devices.

Feature                                                                   Gateway Subscription Required
Single, external gateway (Windows and Mac)                                No
Single or multiple internal gateways                                      No
Multiple external gateways                                                No
HIP checks                                                                Yes
Mobile app for iOS, Android, Chromebook, and Windows 10 UWP endpoints     Yes

See Activate Licenses for information on installing licenses on the firewall.
Set Up the GlobalProtect Infrastructure
For GlobalProtect to work, you must set up the infrastructure that allows all of the components to communicate. At a basic level, this means setting up the interfaces and zones to which the GlobalProtect end users connect to access the portal and the gateways to the network. Because the GlobalProtect components communicate over secure channels, you must acquire and deploy the required SSL certificates to the various components. The following sections guide you through the steps to set up the GlobalProtect infrastructure:
- Create Interfaces and Zones for GlobalProtect
- Enable SSL Between GlobalProtect Components
- Set Up GlobalProtect User Authentication
- Enable Group Mapping
- Configure GlobalProtect Gateways
- Configure the GlobalProtect Portal
- Enable Delivery of GlobalProtect Client VSAs to a RADIUS Server
- Deploy the GlobalProtect Client Software
- Deploy Agent Settings Transparently
- Reference: GlobalProtect Agent Cryptographic Functions
- GlobalProtect MIB Support
Create Interfaces and Zones for GlobalProtect
You must configure the following interfaces and zones for your GlobalProtect infrastructure:
- GlobalProtect portal: Requires a Layer 3 or loopback interface for the GlobalProtect clients' connection. If the portal and gateway are on the same firewall, they can use the same interface. The portal must be in a zone that is accessible from outside your network, for example: DMZ.
- GlobalProtect gateways: The interface and zone requirements for the gateway depend on whether the gateway you are configuring is external or internal, as follows:
    - External gateways: Requires a Layer 3 or loopback interface and a logical tunnel interface for the client to establish a VPN tunnel. The Layer 3/loopback interface must be in an external zone, such as DMZ. A tunnel interface can be in the same zone as the interface connecting to your internal resources (for example, trust). For added security and better visibility, you can create a separate zone, such as corp-vpn. If you create a separate zone for your tunnel interface, you must create security policies that enable traffic to flow between the VPN zone and the trust zone. The separate zone is worth the extra rule: with the tunnel interface in the trust zone, remote-user traffic to internal resources is intrazone and is permitted by the default intrazone rule unless you write policy for it, whereas a dedicated VPN zone forces an explicit interzone rule and gives you per-zone logging of remote-user sessions.
    - Internal gateways: Requires a Layer 3 or loopback interface in your trust zone. You can also create a tunnel interface for access to your internal gateways, but this is not required.
For tips on how to use a loopback interface to provide access to GlobalProtect on different ports and addresses, refer to the knowledge base article Can GlobalProtect Portal Page be Configured to be Accessed on any Port?
For more information about portals and gateways, see About the GlobalProtect Components.

Set Up Interfaces and Zones for GlobalProtect
Enable SSL Between GlobalProtect Components
All interaction between the GlobalProtect components occurs over an SSL/TLS connection. Therefore, you must generate and/or install the required certificates before configuring each component so that you can reference the appropriate certificate(s) in the configurations. The following sections describe the supported methods of certificate deployment, descriptions and best practice guidelines for the various GlobalProtect certificates, and provide instructions for generating and deploying the required certificates:
- About GlobalProtect Certificate Deployment
- GlobalProtect Certificate Best Practices
- Deploy Server Certificates to the GlobalProtect Components

About GlobalProtect Certificate Deployment
There are three basic approaches to Deploy Server Certificates to the GlobalProtect Components:
- (Recommended) Combination of third-party certificates and self-signed certificates: Because the end clients will be accessing the portal prior to GlobalProtect configuration, the client must already trust the portal certificate to establish an HTTPS connection, so the portal uses a certificate from a well-known, third-party CA. The gateways can then use server certificates issued by a self-signed CA on the portal, because the portal distributes that root CA certificate to clients as part of their configuration.
- Enterprise Certificate Authority: If you already have your own enterprise CA, you can use this internal CA to issue certificates for each of the GlobalProtect components and then import them onto the firewalls hosting your portal and gateway(s). In this case, you must also ensure that the end-user systems/mobile devices trust the root CA certificate used to issue the certificates for the GlobalProtect services to which they must connect.
- Self-Signed Certificates: You can generate a self-signed CA certificate on the portal and use it to issue certificates for all of the GlobalProtect components. However, this solution is less secure than the other options and is therefore not recommended. If you do choose this option, end users will see a certificate error the first time they connect to the portal. To prevent this, you can deploy the self-signed root CA certificate to all end-user systems manually or using some sort of centralized deployment, such as an Active Directory Group Policy Object (GPO).

GlobalProtect Certificate Best Practices
The following table summarizes the SSL/TLS certificates you will need, depending on which features you plan to use:
Table: GlobalProtect Certificate Requirements
Certificate | Usage | Issuing Process / Best Practices
For details about the types of keys for secure communication between the GlobalProtect endpoint and the portals and gateways, see Reference: GlobalProtect Agent Cryptographic Functions.
Deploy Server Certificates to the GlobalProtect Components
The following table shows the best practice steps for deploying SSL/TLS certificates to the GlobalProtect components:

Deploy SSL Server Certificates to the GlobalProtect Components

Task: Import a server certificate from a well-known, third-party CA.
Best practice: Use a server certificate from a well-known, third-party CA for the GlobalProtect portal. This practice ensures that the end users are able to establish an HTTPS connection without seeing warnings about untrusted certificates. The CN and, if applicable, the SAN fields of the certificate must match the FQDN or IP address of the interface where you plan to configure the portal or the device check-in interface on a third-party mobile endpoint management system. Wildcard matches are supported.
Steps: Before you import a certificate, make sure the certificate and key files are accessible from your management system and that you have the passphrase to decrypt the private key.
1. Select Device > Certificate Management > Certificates > Device Certificates.
2. Click Import.
3. Use the Local certificate type (the default).
4. Enter a Certificate Name.
5. Enter the path and name to the Certificate File received from the CA, or Browse to find the file.
6. Select Encrypted Private Key and Certificate (PKCS12) as the File Format.
7. Enter the path and name to the PKCS#12 file in the Key File field or Browse to find it.
8. Enter and re-enter the Passphrase that was used to encrypt the private key and then click OK to import the certificate and key.

Task: Create the root CA certificate for issuing self-signed certificates for the GlobalProtect components.
Best practice: Create the Root CA certificate on the portal and use it to issue server certificates for the gateways and, optionally, for clients.
Steps: Before deploying self-signed certificates, you must create the root CA certificate that signs the certificates for the GlobalProtect components:
1. Select Device > Certificate Management > Certificates > Device Certificates and then click Generate.
2. Use the Local certificate type (the default).
3. Enter a Certificate Name, such as GlobalProtect_CA. The certificate name cannot contain spaces.
4. Do not select a value in the Signed By field. (Without a selection for Signed By, the certificate is self-signed.)
5. Select the Certificate Authority check box.
6. Click OK to generate the certificate.
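The CN/SAN requirement in the first task above is easy to get wrong, and a mismatch only shows up as a warning on the first user's screen. The following Python, added here as an example and not part of the Palo Alto Networks guide, checks a certificate's names against the address at which a portal or gateway will be reached. It applies the guide's rule (the CN and, if applicable, the SAN must cover the FQDN or IP address, with wildcards supported) plus one caveat the guide predates: current TLS clients ignore the CN when a SAN extension exists and reject certificates that have no SAN at all, so a CN-only match is reported separately. Certificates are handled in the dict layout that Python's ssl getpeercert() returns; the two certificates in the block are constructed sample data, and fetch_cert() (which needs network access) is the only part that touches a real system.

```python
"""Added example, not from the Palo Alto Networks guide: check whether a
server certificate's names cover the FQDN or IP address at which a
GlobalProtect portal or gateway will be reached, before importing it.
Certificates use the dict layout returned by ssl.SSLSocket.getpeercert(),
so fetch_cert() can feed a live listener's certificate to the same check.
The two certificates below are constructed sample data, not real ones."""
import ipaddress
import socket
import ssl

# Constructed sample: third-party CA certificate for a portal, with a
# wildcard DNS SAN for the gateways and an IP Address SAN.
PORTAL_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "gp.example.com"),)),
    "subjectAltName": (("DNS", "gp.example.com"),
                       ("DNS", "*.vpn.example.com"),
                       ("IP Address", "203.0.113.10")),
}
# Constructed sample: an older self-signed gateway certificate with a CN only.
LEGACY_CERT = {"subject": ((("commonName", "gw1.example.com"),),)}


def match_dns(pattern, hostname):
    """Hostname match as in RFC 6125: a wildcard is accepted only as the whole
    leftmost label, matches exactly one label, and needs at least two labels
    after it (so '*.com' and 'gw*.example.com' are rejected)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def _is_ip(value, wanted):
    """True when `value` parses as the same IP address as `wanted`."""
    try:
        return ipaddress.ip_address(value) == wanted
    except ValueError:
        return False


def cert_names(cert):
    """Return (dns_sans, ip_sans, common_name) from a getpeercert() dict."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    cn = None
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                cn = value
    return dns, ips, cn


def check_server_cert(cert, address):
    """Return ('ok' | 'cn-only' | 'mismatch', reason) for a planned portal or
    gateway address. 'cn-only' means the guide's CN rule is met but the
    certificate carries no SAN extension, which current TLS clients reject."""
    dns, ips, cn = cert_names(cert)
    try:
        wanted_ip = ipaddress.ip_address(address)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        if any(_is_ip(ip, wanted_ip) for ip in ips):
            return "ok", "IP address present as an IP Address SAN"
        if cn and _is_ip(cn, wanted_ip) and not dns and not ips:
            return "cn-only", "IP address appears only in the CN; add an IP Address SAN"
        return "mismatch", "no IP Address SAN for %s" % address
    if any(match_dns(name, address) for name in dns):
        return "ok", "FQDN covered by a DNS SAN"
    if cn and match_dns(cn, address):
        if dns or ips:
            return "mismatch", "CN matches but the SAN extension does not cover %s" % address
        return "cn-only", "matches the CN only; certificate has no SAN extension"
    return "mismatch", "neither CN nor SAN covers %s" % address


def fetch_cert(host, port=443, timeout=5):
    """Return the certificate a live portal or gateway presents, in
    getpeercert() form. The chain is verified against the local trust store
    (the check end users' systems perform) but the hostname is not, so the
    result can be inspected with check_server_cert()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for cert, addr in ((PORTAL_CERT, "gp.example.com"),
                       (PORTAL_CERT, "gw2.vpn.example.com"),
                       (PORTAL_CERT, "203.0.113.10"),
                       (LEGACY_CERT, "gw1.example.com")):
        print(addr, check_server_cert(cert, addr))
```

Run check_server_cert(fetch_cert("portal.example.com"), "portal.example.com") before committing a portal configuration: an "ok" result together with a clean chain validation inside fetch_cert() means users will not see a certificate warning. Note that a certificate meant for an IP-addressed interface needs an IP Address SAN, and that a wildcard such as *.vpn.example.com covers gw2.vpn.example.com but neither vpn.example.com itself nor a two-level name beneath it.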
Task: Use Simple Certificate Enrollment Protocol (SCEP) to request a server certificate from your enterprise CA.
Best practice: Configure separate SCEP profiles for each portal and gateway you plan to deploy. Then use the specific SCEP profile to generate the server certificate for each GlobalProtect component. In portal and gateway server certificates, the value of the CN field must include the FQDN (recommended) or IP address of the interface where you plan to configure the portal or gateway and must be identical to the SAN field. To comply with the U.S. Federal Information Processing Standard (FIPS), you must also enable mutual SSL authentication between the SCEP server and the GlobalProtect portal. (FIPS-CC operation is indicated on the firewall login page and in its status bar.) After you commit the configuration, the portal attempts to request a CA certificate using the settings in the SCEP profile. If successful, the firewall hosting the portal saves the CA certificate and displays it in the list of Device Certificates.
Steps:
1. Configure a SCEP Profile for each GlobalProtect portal or gateway:
    a. Enter a Name that identifies the SCEP profile and the component to which you deploy the server certificate. If this profile is for a firewall with multiple virtual systems capability, select a virtual system or Shared as the Location where the profile is available.
    b. (Optional) Configure a SCEP Challenge response mechanism between the PKI and portal for each certificate request. Use either a Fixed challenge password which you obtain from the SCEP server or a Dynamic password where the portal-client submits a username and OTP of your choice to the SCEP Server. For a Dynamic SCEP challenge, this can be the credentials of the PKI administrator.
    c. Configure the Server URL that the portal uses to reach the SCEP server in the PKI (for example, http://10.200.101.1/certsrv/mscep/).
    d. Enter a string (up to 255 characters in length) in the CA-IDENT Name field to identify the SCEP server.
    e. Enter the Subject name to use in the certificates generated by the SCEP server. The subject must include a common name (CN) key in the format CN=<value> where <value> is the FQDN or IP address of the portal or gateway.
    f. Select the Subject Alternative Name Type. To enter the email name in a certificate's subject or Subject Alternative Name extension, select RFC 822 Name. You can also enter the DNS Name to use to evaluate certificates, or the Uniform Resource Identifier to identify the resource from which the client will obtain the certificate.
    g. Configure additional cryptographic settings including the key length (Number of Bits), and Digest algorithm for the certificate signing request.
    h. Configure the permitted uses of the certificate, either for signing (Use as digital signature) or encryption (Use for key encipherment).
    i. To ensure that the portal is connecting to the correct SCEP server, enter the CA Certificate Fingerprint. Obtain this fingerprint from the SCEP server interface in the Thumbprint field. Because the Server URL is typically plain HTTP, this fingerprint is what protects the enrollment against a spoofed SCEP server; do not leave it empty.
    j. Enable mutual SSL authentication between the SCEP server and the GlobalProtect portal.
    k. Click OK and then Commit the configuration.
2. Select Device > Certificate Management > Certificates > Device Certificates and then click Generate.
3. Enter a Certificate Name. This name cannot contain spaces.
4. Select the SCEP Profile to use to automate the process of issuing a server certificate that is signed by the enterprise CA to a portal or gateway, and then click OK to generate the certificate. The GlobalProtect portal uses the settings in the SCEP profile to submit a CSR to your enterprise PKI.
Task: Deploy the self-signed server certificates.
Best practice: Export the self-signed server certificates issued by the root CA on the portal and import them onto the gateways. Be sure to issue a unique server certificate for each gateway. If specifying self-signed certificates, you must distribute the Root CA certificate to the end clients in the portal client configurations.
Steps: Export the certificate from the portal:
1. Select Device > Certificate Management > Certificates > Device Certificates.
2. Select the gateway certificate you want to deploy and click Export.
3. In the File Format drop-down, select Encrypted Private Key and Certificate (PKCS12).
4. Enter (and re-enter) a Passphrase to encrypt the private key.
5. Click OK to download the PKCS12 file to a location of your choice.
Import the certificate on the gateway:
1. Select Device > Certificate Management > Certificates > Device Certificates.
2. Click Import.
3. Enter a Certificate Name.
4. Browse to find and select the Certificate File you downloaded in step 5, above.
5. In the File Format drop-down, select Encrypted Private Key and Certificate (PKCS12).
6. Enter (and re-enter) the Passphrase you used to encrypt the private key when you exported it from the portal.
7. Click OK to import the certificate and key.
8. Commit the changes to the gateway.
Set Up GlobalProtect User Authentication
The GlobalProtect portal and gateway must authenticate the end user before it allows access to GlobalProtect resources. You must configure authentication mechanisms before continuing with the portal and gateway setup. The following sections detail the supported authentication mechanisms and how to configure them:
- About GlobalProtect User Authentication
- Set Up External Authentication
- Set Up Client Certificate Authentication
- Set Up Two-Factor Authentication
- Set Up Authentication for strongSwan Ubuntu and CentOS Clients

About GlobalProtect User Authentication
The first time a GlobalProtect client connects to the portal, the user is prompted to authenticate to the portal. If authentication succeeds, the GlobalProtect portal sends the GlobalProtect configuration, which includes the list of gateways to which the agent can connect, and optionally a client certificate for connecting to the gateways. After successfully downloading and caching the configuration, the client attempts to connect to one of the gateways specified in the configuration. Because these components provide access to your network resources and settings, they also require the end user to authenticate.
The appropriate level of security required on the portal and gateways varies with the sensitivity of the resources that the gateway protects. GlobalProtect provides a flexible authentication framework that allows you to choose the authentication profile and certificate profile that are appropriate to each component.
- Supported GlobalProtect Authentication Methods
- How Does the Agent or App Know What Credentials to Supply to the Portal and Gateway?

Supported GlobalProtect Authentication Methods
The following table describes the authentication methods that GlobalProtect supports and provides usage guidelines.

Authentication Method: Local Authentication
Both the user account credentials and the authentication mechanisms are local to the firewall. This authentication mechanism is not scalable because it requires an account for every GlobalProtect user and is, therefore, advisable for only very small deployments.
Authentication Method: External authentication
The user authentication functions are performed by an external LDAP, Kerberos, TACACS+, or RADIUS service (including support for two-factor, token-based authentication mechanisms, such as one-time password (OTP) authentication). To enable external authentication:
- Create a server profile with settings for access to the external authentication service.
- Create an authentication profile that refers to the server profile.
- Specify client authentication in the portal and gateway configurations and optionally specify the OS of the endpoint that will use these settings.
You can use different authentication profiles for each GlobalProtect component. See Set Up External Authentication for instructions. See Remote Access VPN (Authentication Profile) for an example configuration.

Authentication Method: Client certificate authentication
For enhanced security, you can configure the portal or gateway to use a client certificate to obtain the username and authenticate the user before granting access to the system. To authenticate the user, one of the certificate fields, such as the Subject Name field, must identify the username.
To authenticate the endpoint, the Subject field of the certificate must identify the device type instead of the username. (With the pre-logon connect methods, the portal or gateway authenticates the endpoint before the user logs in.)
For an agent configuration profile that specifies client certificates, each user receives a client certificate. The mechanism for providing the certificates determines whether a certificate is unique to each client or the same for all clients under that agent configuration:
- To deploy client certificates that are unique to each user and device, use SCEP. When a user first logs in, the portal requests a certificate from the enterprise's PKI. The portal obtains a unique certificate and deploys it to the client.
- To deploy the same client certificate to all users that receive an agent configuration, deploy a certificate that is Local to the firewall.
Use an optional certificate profile to verify the client certificate that a client presents with a connection request. The certificate profile specifies the contents of the username and user domain fields; lists CA certificates; criteria for blocking a session; and offers ways to determine the revocation status of CA certificates. You must pre-deploy certificates used in certificate profiles to the endpoints before the user's initial portal login because the certificate is part of the authentication of the endpoint or user for a new session.
The certificate profile specifies which certificate field contains the username. If the certificate profile specifies Subject in the Username Field, the certificate presented by the client must contain a common name for the client to connect. If the certificate profile specifies a Subject Alt with an Email or Principal Name as the Username Field, the certificate from the client must contain the corresponding fields, which will be used as the username when the GlobalProtect agent authenticates to the portal or gateway.
GlobalProtect also supports authentication by common access cards (CACs) and smart cards, which rely on a certificate profile. With these cards, the certificate profile must contain the root CA certificate that issued the certificate to the smart card or CAC.
If you specify client certificate authentication, you should not configure a client certificate in the portal configuration because the client system provides it when the user connects.
For an example of how to configure client certificate authentication, see Remote Access VPN (Certificate Profile).
Two-factor authentication
With two-factor authentication, the portal or gateway uses two mechanisms to authenticate a user, such as a one-time password in addition to AD login credentials. You can enable two-factor authentication on the portal and gateways by configuring a certificate profile and an authentication profile and adding them both to the portal and/or gateway configuration.
You can configure the portal and gateways to use the same authentication methods or use different methods. Regardless, with two-factor authentication, the client must successfully authenticate by the two mechanisms that the component demands before it grants access.
If the certificate profile specifies a Username Field from which GlobalProtect can obtain a username, GlobalProtect automatically uses that username to authenticate the user to the external authentication service specified in the authentication profile. For example, if the Username Field in the certificate profile is set to Subject, the value in the common name field of the certificate is used as the username when the authentication server tries to authenticate the user. If you do not want to force users to authenticate with a username from the certificate, make sure the certificate profile is set to None for the Username Field. See Remote Access VPN with Two-Factor Authentication for an example configuration.
How Does the Agent or App Know What Credentials to Supply to the Portal and Gateway?
By default, the GlobalProtect agent attempts to use the same login credentials for the gateway that it used for portal login. In the simplest case, where the gateway and the portal use the same authentication profile and/or certificate profile, the agent will connect to the gateway transparently.
On a per-agent-configuration basis, you can also customize which GlobalProtect portal and gateways (internal, external, or manual only) require different credentials (such as unique OTPs). This enables the GlobalProtect portal or gateway to prompt for the unique OTP without first prompting for the credentials specified in the authentication profile.
There are two options for modifying the default agent authentication behavior so that authentication is both stronger and faster:
• Cookie Authentication on the Portal or Gateway
• Credential Forwarding to Some or All Gateways
Cookie Authentication on the Portal or Gateway
Cookie authentication simplifies the authentication process for end users because they will no longer be required to log in to both the portal and the gateway in succession or enter multiple OTPs for authenticating to each. This improves the user experience by minimizing the number of times that users must enter credentials. In addition, cookies enable use of a temporary password to re-enable VPN access after the user's password expires.
You can configure cookie authentication settings independently for the portal and for individual gateways (for example, you can impose a shorter cookie lifetime on gateways that protect sensitive resources). After the portal or gateways deploy an authentication cookie to the endpoint, the portal and gateways both rely on the same cookie to authenticate the user. When the agent presents the cookie, the portal or gateway evaluates whether the cookie is valid based on the configured cookie lifetime. If the cookie expires, GlobalProtect automatically prompts the user to authenticate with the portal or gateway. When authentication is successful, the portal or gateway issues the replacement authentication cookie to the endpoint and the validity period starts over.
Consider the following example where you configure the cookie lifetime for the portal (which does not protect sensitive information) as 15 days, but configure the cookie lifetime for gateways (which do protect sensitive information) as 24 hours. When the user first authenticates with the portal, the portal issues the authentication cookie. If, after five days, the user attempted to connect to the portal, the authentication cookie would still be valid. However, if after five days the user attempted to connect to the gateway, the gateway would evaluate the cookie lifetime and determine it expired (5 days > 24 hours). The agent would then automatically prompt the user to authenticate with the gateway and, on successful authentication, receive a replacement authentication cookie. The new authentication cookie would then be valid for another 15 days on the portal and another 24 hours on the gateways.
For an example of how to use this option, see Set Up Two-Factor Authentication.
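The 15-day portal / 24-hour gateway scenario above, replayed as an added example that is not code from the guide: every component judges the one shared cookie against its own configured lifetime, and a successful re-authentication restarts the validity period for all of them. The class and function names are hypothetical, not the product's implementation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional, Tuple

# Constructed model of GlobalProtect authentication-override cookies. Names are
# hypothetical; this is not the portal's or gateway's own code.


@dataclass
class AuthCookie:
    issued_at: datetime  # when the portal or a gateway issued (or replaced) the cookie


# Cookie lifetime is configured per component. Values follow the example in the text:
# the portal protects nothing sensitive (15 days); gateways guard sensitive resources (24 h).
COOKIE_LIFETIME = {
    "portal": timedelta(days=15),
    "gateway": timedelta(hours=24),
}


def cookie_is_valid(cookie: AuthCookie, component: str, now: datetime) -> bool:
    """Each component checks the SAME shared cookie against its OWN lifetime."""
    return now - cookie.issued_at <= COOKIE_LIFETIME[component]


def connect(cookie: Optional[AuthCookie], component: str, now: datetime,
            authenticate: Callable[[], bool]) -> Tuple[str, Optional[AuthCookie]]:
    """Model the agent presenting its cookie to a portal or gateway.

    Returns (outcome, cookie):
      "cookie"  the component accepted the cookie, so the user saw no prompt
      "reauth"  the cookie was missing or expired, the user was prompted,
                authentication succeeded, and a replacement cookie was issued
      "denied"  the prompt failed; the stale cookie is left as it was
    authenticate() stands in for the credential/OTP check the component performs.
    """
    if cookie is not None and cookie_is_valid(cookie, component, now):
        return "cookie", cookie
    if not authenticate():
        return "denied", cookie
    # Successful authentication: replacement cookie, validity period starts over.
    return "reauth", AuthCookie(issued_at=now)


def walk_through_example() -> dict:
    """Replay the guide's scenario: first login, then the agent connects after 5 days."""
    t0 = datetime(2016, 11, 1, 9, 0)
    # First portal login: no cookie yet, user authenticates, portal issues the cookie.
    _, cookie = connect(None, "portal", t0, lambda: True)
    day5 = t0 + timedelta(days=5)
    portal_outcome, cookie = connect(cookie, "portal", day5, lambda: True)    # 5 d <= 15 d
    gateway_outcome, cookie = connect(cookie, "gateway", day5, lambda: True)  # 5 d > 24 h
    # The replacement cookie restarts the clock: valid on gateways for another 24 h.
    gateway_again, _ = connect(cookie, "gateway", day5 + timedelta(hours=23), lambda: True)
    # 16 days after the replacement the portal lifetime has also elapsed; a failed
    # prompt (wrong OTP, say) leaves the user without access.
    portal_late, _ = connect(cookie, "portal", day5 + timedelta(days=16), lambda: False)
    return {
        "portal_day5": portal_outcome,
        "gateway_day5": gateway_outcome,
        "gateway_day5_plus_23h": gateway_again,
        "portal_day21_bad_otp": portal_late,
        "cookie_issued_at": cookie.issued_at,
    }


if __name__ == "__main__":
    for key, value in walk_through_example().items():
        print(f"{key}: {value}")
```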
Credential Forwarding to Some or All Gateways
With two-factor authentication, you can specify the portal and/or types of gateways (internal, external, or manual only) that prompt for their own set of credentials. This option speeds up the authentication process when the portal and the gateway require different credentials (either different OTPs or different login credentials entirely). For each portal or gateway that you select, the agent will not forward credentials, allowing you to customize the security for different GlobalProtect components. For example, you can have the same security on your portals and internal gateways, while requiring a second-factor OTP or a different password for access to those gateways that provide access to your most sensitive resources.
For an example of how to use this option, see Set Up Two-Factor Authentication.
Set Up External Authentication
The following workflow describes how to set up the GlobalProtect portal and gateways to use an external authentication service. The supported authentication services are LDAP, Kerberos, RADIUS, or TACACS+. This workflow also describes how to create an optional authentication profile that a portal or gateway can use to identify the external authentication service. This step is optional for external authentication because the authentication profile also can specify the local authentication database or None.
GlobalProtect also supports local authentication. To use local authentication, create a local user database (Device > Local User Database) that contains the users and groups to which you want to allow VPN access and then refer to that database in the authentication profile.
For more information, see Supported GlobalProtect Authentication Methods or watch a video.
Set Up External User Authentication
Set Up Client Certificate Authentication
With the optional client certificate authentication, the agent/app presents a client certificate along with its connection request to the GlobalProtect portal or gateway. The portal or gateway can use either a shared or unique client certificate to validate that the user or device belongs to your organization.
The methods for deploying client certificates depend on the security requirements for your organization:
• Deploy Shared Client Certificates for Authentication
• Deploy Machine Certificates for Authentication
• Deploy User-Specific Client Certificates for Authentication
Deploy Shared Client Certificates for Authentication
To confirm that an endpoint user belongs to your organization, you can use the same client certificate for all endpoints or generate separate certificates to deploy with a particular agent configuration. Use this workflow to issue self-signed client certificates for this purpose and deploy them from the portal.
Deploy Shared Client Certificates for Authentication
Deploy Machine Certificates for Authentication
To confirm that the endpoint belongs to your organization, use your own public key infrastructure (PKI) to issue and distribute machine certificates to each endpoint (recommended) or generate a self-signed machine certificate for export. With the pre-logon connect methods, a machine certificate is required and must be installed on the endpoint before GlobalProtect components will grant access.
To confirm that the endpoint belongs to your organization, you must also configure an authentication profile to authenticate the user. See Two-factor authentication.
Use the following workflow to create the client certificate and manually deploy it to an endpoint. For more information, see About GlobalProtect User Authentication. For an example configuration, see Remote Access VPN (Certificate Profile).
Deploy Machine Certificates for Authentication
4. Expand Certificates and select Personal and then in the Actions column select Personal > More Actions > All Tasks > Import and follow the steps in the Certificate Import Wizard to import the PKCS file you got from the CA.
5. Browse to the .p12 certificate file to import (select Personal Information Exchange as the file type to browse for) and enter the Password that you used to encrypt the private key. Select Personal as the Certificate store.
Deploy User-Specific Client Certificates for Authentication
To authenticate individual users, you must issue a unique client certificate to each GlobalProtect user and deploy the client certificate to the endpoints prior to enabling GlobalProtect. To automate the generation and deployment of user-specific client certificates, you can configure your GlobalProtect portal to act as a Simple Certificate Enrollment Protocol (SCEP) client to a SCEP server in your enterprise PKI.
SCEP operation is dynamic in that the enterprise PKI generates a user-specific certificate when the portal requests it and sends the certificate to the portal. The portal then transparently deploys the certificate to the client. When a user requests access, the agent or app can then present the client certificate to authenticate with the portal or gateway.
The GlobalProtect portal or gateway uses identifying information about the device and user to evaluate whether to permit access to the user. GlobalProtect blocks access if the host ID is on a device block list or if the session matches any blocking options specified in a certificate profile. If client authentication fails due to an invalid SCEP-based client certificate, the GlobalProtect client tries to authenticate with the portal per the settings in the authentication profile and retrieve the certificate. If the client cannot retrieve the certificate from the portal, the device is not able to connect.
Deploy User-Specific Client Certificates for Authentication
Set Up Two-Factor Authentication
If you require strong authentication to protect sensitive assets or to comply with regulatory requirements, such as PCI, SOX, or HIPAA, configure GlobalProtect to use an authentication service that uses a two-factor authentication scheme. A two-factor authentication scheme requires two things: something the end user knows (such as a PIN or password) and something the end user has (a hardware or software token/OTP, smart card, or certificate). You can also enable two-factor authentication using a combination of external authentication services, and client and certificate profiles.
The following topics provide examples for how to set up two-factor authentication on GlobalProtect:
• Enable Two-Factor Authentication Using Certificate and Authentication Profiles
• Enable Two-Factor Authentication Using One-Time Passwords (OTPs)
• Enable Two-Factor Authentication Using Smart Cards
Enable Two-Factor Authentication Using Certificate and Authentication Profiles
The following workflow describes how to configure GlobalProtect client authentication requiring the user to authenticate both to a certificate profile and an authentication profile. The user must successfully authenticate using both methods in order to connect to the portal/gateway. For more details on this configuration, see Remote Access VPN with Two-Factor Authentication.
Enable Two-Factor Authentication Using Certificate and Authentication Profiles
Enable Two-Factor Authentication Using One-Time Passwords (OTPs)
Use this workflow to configure two-factor authentication using one-time passwords (OTPs) on the portal and gateways. When a user requests access, the portal or gateway prompts the user to enter an OTP. The authentication service sends the OTP as a token to the user's RSA device.
Setting up a two-factor authentication scheme is similar to setting up other types of authentication and requires you to configure:
• A server profile (usually for a RADIUS service for two-factor authentication) assigned to an authentication profile.
• A client authentication profile that includes the authentication profile for the service that these components use.
By default, the agent supplies the same credentials it used to log in to the portal and to the gateway. In the case of OTP authentication, this behavior will cause the authentication to initially fail on the gateway and, because of the delay this causes in prompting the user for a login, the user's OTP may expire. To prevent this, you must configure, on a per-agent-configuration basis, which portals and gateways prompt for the OTP instead of using the same credentials.
You can also reduce the frequency with which users are prompted for OTPs by configuring an authentication override. This enables the portals and gateways to generate and accept a secure encrypted cookie to authenticate the user for a specified amount of time. The portals and/or gateways will not require a new OTP until the cookie expires, thus reducing the number of times users must provide an OTP.
Enable Two-Factor Authentication Using OTPs
The second prompt requests your token or OTP:
Enable Two-Factor Authentication Using Smart Cards
If you want to enable your end users to authenticate using a smart card or common access card (CAC), you must import the Root CA certificate that issued the certificates contained on the end user CAC or smart cards onto the portal and gateway. You can then create a certificate profile that includes that Root CA and apply it to your portal and/or gateway configurations to enable use of the smart card in the authentication process.
Enable Smart Card Authentication
The second prompt requests your token or OTP:
Set Up Authentication for strongSwan Ubuntu and CentOS Clients
To extend GlobalProtect VPN remote access support to strongSwan Ubuntu and CentOS clients, set up authentication for the strongSwan clients.
To view the minimum GlobalProtect release version that supports strongSwan on Ubuntu Linux and CentOS, see What Client OS Versions are Supported with GlobalProtect?.
To connect to the GlobalProtect gateway, the user must successfully authenticate. The following workflows show examples of how to enable authentication for strongSwan clients. For complete information about strongSwan, see the strongSwan wiki.
• Enable Authentication Using a Certificate Profile
• Enable Authentication Using an Authentication Profile
• Enable Authentication Using Two-Factor Authentication
Enable Authentication Using a Certificate Profile
The following workflow shows how to enable authentication for strongSwan clients using a certificate profile.
Enable Authentication Using a Certificate Profile
Enable Authentication Using an Authentication Profile
The following workflow shows how to enable authentication for strongSwan clients using an authentication profile. The authentication profile specifies which server profile to use when authenticating strongSwan clients.
Enable Authentication Using an Authentication Profile
Enable Authentication Using Two-Factor Authentication
With two-factor authentication, the strongSwan client needs to successfully authenticate using both a certificate profile and an authentication profile to connect to the GlobalProtect gateway. The following workflow shows how to enable authentication for strongSwan clients using two-factor authentication.
Enable Authentication Using Two-Factor Authentication
Enable Group Mapping
Because the agent or app running on your end user systems requires the user to successfully authenticate before being granted access to GlobalProtect, the identity of each GlobalProtect user is known. However, if you want to be able to define GlobalProtect configurations and/or security policies based on group membership, the firewall must retrieve the list of groups and the corresponding list of members from your directory server. This is known as group mapping.
To enable this functionality, you must create an LDAP server profile that instructs the firewall how to connect and authenticate to the directory server and how to search the directory for the user and group information. After the firewall connects to the LDAP server and retrieves the group mappings, you can select groups when you define the agent configurations and security policies. The firewall supports a variety of LDAP directory servers, including Microsoft Active Directory (AD), Novell eDirectory, and Sun ONE Directory Server.
Use the following procedure to connect to your LDAP directory to enable the firewall to retrieve user-to-group mapping information:
Map Users to Groups
Step 2: Add the LDAP server profile to the User-ID Group Mapping configuration.
1. Select Device > User Identification > Group Mapping Settings and click Add.
2. Enter a Name for the configuration.
3. Select the Server Profile you just created.
4. Make sure the Enabled check box is selected.
Configure GlobalProtect Gateways
Because the GlobalProtect configuration that the portal delivers to the agents includes the list of gateways the client can connect to, it is a good idea to configure the gateways before configuring the portal.
The GlobalProtect gateways can be configured to provide two main functions:
• Enforce security policy for the GlobalProtect agents and apps that connect to it. You can also enable HIP collection on the gateway for enhanced security policy granularity. For more information on enabling HIP checks, see Use Host Information in Policy Enforcement.
• Provide virtual private network (VPN) access to your internal network. VPN access is provided through an IPSec or SSL tunnel between the client and a tunnel interface on the gateway firewall.
You can also configure GlobalProtect gateways on VM-Series firewalls deployed in the AWS cloud. By deploying the VM-Series firewall in the AWS cloud you can quickly and easily deploy GlobalProtect gateways in any region without the expense or IT logistics that are typically required to set up this infrastructure using your own resources. For details, see Use Case: VM-Series Firewalls as GlobalProtect Gateways in AWS.
Prerequisite Tasks for Configuring the GlobalProtect Gateway
Before you can configure the GlobalProtect gateway, you must have completed the following tasks:
• Created the interfaces (and zones) for the interface where you plan to configure each gateway. For gateways that require tunnel connections you must configure both the physical interface and the virtual tunnel interface. See Create Interfaces and Zones for GlobalProtect.
• Set up the gateway server certificates and SSL/TLS service profile required for the GlobalProtect agent to establish an SSL connection with the gateway. See Enable SSL Between GlobalProtect Components.
• Defined the authentication profiles and/or certificate profiles that will be used to authenticate GlobalProtect users. See Set Up GlobalProtect User Authentication.
Configure a GlobalProtect Gateway
After you have completed the prerequisite tasks, configure the GlobalProtect gateways:
Configure the Gateway
Configure the GlobalProtect Portal
The GlobalProtect portal provides the management functions for your GlobalProtect infrastructure. Every endpoint that participates in the GlobalProtect network receives configuration information from the portal, including information about available gateways as well as any client certificates that may be required to connect to the gateways. In addition, the portal controls the behavior and distribution of the GlobalProtect agent software to both Mac and Windows laptops.
The portal does not distribute the GlobalProtect app for use on mobile devices. To get the GlobalProtect app for mobile devices, end users must download it from the store for their device: App Store for iOS, Google Play for Android, Chrome Web Store for Chromebooks, or Microsoft Store for Windows 10 UWP. However, the agent configurations that get deployed to mobile app users do control the gateway(s) to which the mobile devices have access. For more details on supported versions, see What Client OS Versions are Supported with GlobalProtect?
The following sections provide procedures for setting up the portal:
• Prerequisite Tasks for Configuring the GlobalProtect Portal
• Set Up Access to the GlobalProtect Portal
• Define the GlobalProtect Client Authentication Configurations
• Define the GlobalProtect Agent Configurations
• Customize the GlobalProtect Agent
• Customize the GlobalProtect Portal Login, Welcome, and Help Pages
Prerequisite Tasks for Configuring the GlobalProtect Portal
Before you can configure the GlobalProtect portal, you must complete the following tasks:
• Create the interfaces (and zones) for the firewall interface where you plan to configure the portal. See Create Interfaces and Zones for GlobalProtect.
• Set up the portal server certificate, gateway server certificate, SSL/TLS service profiles, and, optionally, any client certificates to deploy to end users to enable SSL/TLS connections for the GlobalProtect services. See Enable SSL Between GlobalProtect Components.
• Define the optional authentication profiles and certificate profiles that the portal can use to authenticate GlobalProtect users. See Set Up GlobalProtect User Authentication.
• Configure GlobalProtect Gateways and understand Gateway Priority in a Multiple Gateway Configuration.
Set Up Access to the GlobalProtect Portal
After you have completed the prerequisite tasks, configure the GlobalProtect portal as follows:
Set Up Access to the Portal
Define the GlobalProtect Client Authentication Configurations
Each GlobalProtect client authentication configuration specifies the settings that enable the user to authenticate with the GlobalProtect portal. You can customize the settings for each OS or you can configure the settings to apply to all devices. For example, you can configure Android users to use RADIUS authentication and Windows users to use LDAP authentication. You can also customize the client authentication for users who access the portal from a web browser (to download the GlobalProtect agent) or for third-party IPSec VPN (X-Auth) access to GlobalProtect gateways.
Define the GlobalProtect Client Authentication Configurations
Gateway Priority in a Multiple Gateway Configuration
To enable secure access for your mobile workforce no matter where they are located, you can strategically deploy additional Palo Alto Networks next-generation firewalls and configure them as GlobalProtect gateways. To determine the preferred gateway to which your agents connect, add the gateways to a portal agent configuration and assign each gateway a connection priority. See Define the GlobalProtect Agent Configurations.
If a GlobalProtect portal agent configuration contains more than one gateway, the agent will attempt to connect to all gateways listed in its agent configuration. The agent will then use priority and response time to determine the gateway to which to connect. The agent connects to a lower priority gateway only if the response time for the higher priority gateway is greater than the average response time across all gateways.
For example, consider the following response times for gw1 and gw2:
The agent determines that the response time for the gateway with the highest priority (higher number) is greater than the average response time for both gateways (52.5 ms) and, as a result, connects to gw2. In this example, the agent did not connect to gw1 even though it had a higher priority because a response time of 80 ms was higher than the average for both.
Now consider the following response times for gw1, gw2, and a third gateway, gw3:
In this example, the average response time for all gateways is 35 ms. The agent would then evaluate which gateways responded faster than the average response time and see that gw1 and gw2 both had faster response times. The agent would then connect to whichever gateway had the highest priority. In this example, the agent connects to gw1 because gw1 has the highest priority of all the gateways with response times below the average.
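The selection rule above, written out as an added example that is not the agent's own code: discard every gateway slower than the average, then take the highest priority among the rest. The 80 ms / 52.5 ms figures come from the guide; the other individual response times and the tie-breaking fallback are constructed assumptions, and the names are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed model of the agent's gateway selection. Names are hypothetical and
# not taken from the GlobalProtect agent itself.


@dataclass(frozen=True)
class Gateway:
    name: str
    priority: int        # as in the guide: a higher number is a higher priority
    response_ms: float   # response time the agent measured for this gateway


def average_response_ms(gateways: List[Gateway]) -> float:
    return sum(g.response_ms for g in gateways) / len(gateways)


def select_gateway(gateways: List[Gateway]) -> Tuple[Gateway, float]:
    """Pick the gateway the agent connects to; also return the average it used.

    Rule from the guide: among the gateways that responded faster than the average
    response time across all of them, connect to the one with the highest priority.
    The guide gives no rule when no gateway beats the average (e.g. identical
    response times); this model assumes priority alone decides in that case.
    """
    if not gateways:
        raise ValueError("the agent configuration lists no gateways")
    avg = average_response_ms(gateways)
    faster_than_avg = [g for g in gateways if g.response_ms < avg]
    candidates = faster_than_avg or list(gateways)   # fallback is an assumption
    return max(candidates, key=lambda g: g.priority), avg


# Example 1 from the guide: gw1 (higher priority) answers in 80 ms and the average
# is 52.5 ms, which fixes gw2's response time at 25 ms.
TWO_GATEWAYS = [Gateway("gw1", priority=2, response_ms=80.0),
                Gateway("gw2", priority=1, response_ms=25.0)]

# Example 2: the guide states only that the average is 35 ms and that gw1 and gw2
# beat it; these individual values are constructed to match that description.
THREE_GATEWAYS = [Gateway("gw1", priority=3, response_ms=30.0),
                  Gateway("gw2", priority=2, response_ms=20.0),
                  Gateway("gw3", priority=1, response_ms=55.0)]


def example_one() -> Tuple[str, float]:
    chosen, avg = select_gateway(TWO_GATEWAYS)
    return chosen.name, avg


def example_two() -> Tuple[str, float]:
    chosen, avg = select_gateway(THREE_GATEWAYS)
    return chosen.name, avg


if __name__ == "__main__":
    print(example_one())   # ('gw2', 52.5)
    print(example_two())   # ('gw1', 35.0)
```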
Define the GlobalProtect Agent Configurations
After a GlobalProtect user connects to the portal and is authenticated by the GlobalProtect portal, the portal sends the agent configuration to the agent or app, based on the settings you defined. If you have different roles for users or groups that need specific configurations, you can create a separate agent configuration for each user type or user group. The portal uses the OS of the endpoint and the username or group name to determine the agent configuration to deploy. As with other security rule evaluations, the portal starts to search for a match at the top of the list. When it finds a match, the portal sends the right configuration to the agent or app.
The configuration can include the following:
• A list of gateways to which the client can connect.
• Among the external gateways, any gateway that the user can manually select for the session.
• The root CA certificate required to enable the agent or app to establish an SSL connection with the GlobalProtect gateway(s).
• The root CA certificate for SSL forward proxy decryption.
• The client certificate that the endpoint should present to the gateway when it connects. This configuration is required only if mutual authentication between the client and the portal or gateway is required.
• A secure encrypted cookie that the endpoint should present to the portal or gateway when it connects. The cookie is included only if you enable the portal to generate one.
• The settings the endpoint uses to determine whether it is connected to the local network or to an external network.
• Settings for the behavior of the agent or app, such as what the end users can see in their display, whether they can save their GlobalProtect password, and whether they are prompted to upgrade their software.
If the portal is down or unreachable, the agent will use the cached version of its agent configuration from its last successful portal connection to obtain settings, including the gateway(s) to which the agent can connect, what root CA certificate(s) to use to establish secure communication with the gateway(s), and what connect method to use.
Use the following procedure to create an agent configuration.
Create a GlobalProtect Agent Configuration
Customize the GlobalProtect Agent
The portal agent configuration allows you to customize how your end users interact with the GlobalProtect agents installed on their systems or the GlobalProtect app installed on their mobile devices. You can define different agent settings for the different GlobalProtect agent configurations you create. For more information on GlobalProtect client requirements, see What Client OS Versions are Supported with GlobalProtect?
You can customize the display and behavior of the agent. For example, you can specify the following:
• What menus and views users can access.
• Whether users can disable the agent (applies to the user-logon connect method only).
• Whether to display a welcome page upon successful login. You can also configure whether or not the user can dismiss the welcome page and you can create custom welcome and help pages that explain how to use GlobalProtect within your environment. See Customize the GlobalProtect Portal Login, Welcome, and Help Pages.
• Whether agent upgrades occur automatically or whether users are prompted to upgrade.
You can also define agent settings directly from the Windows registry or the global Mac plist. For Windows clients you can also define agent settings directly from the Windows installer (Msiexec). Settings defined in the portal agent configurations in the web interface take precedence over settings defined in the Windows registry/Msiexec or the Mac plist. For more details, see Deploy Agent Settings Transparently.
Additional options that are available through the Windows command line (Msiexec) or Windows registry only enable you to (for more information, see Customizable Agent Settings):
• Specify whether the agent should prompt the end user for credentials if Windows SSO fails.
• Specify the default portal IP address (or hostname).
• Enable GlobalProtect to initiate a VPN connection before the user logs in to the endpoint.
• Deploy scripts that run before or after GlobalProtect establishes a VPN connection or after GlobalProtect disconnects the VPN connection.
• Enable the GlobalProtect agent to wrap third-party credentials on the Windows client, allowing for SSO when using a third-party credential provider.
Use the following procedure to customize the GlobalProtect agent.
Customize the Agent
To limit the number of times users can disable the GlobalProtect client, enter a value in the Max Times User Can Disable field in the Disable GlobalProtect App area. A value of 0 (the default) indicates that users are not limited in the number of times they can disable the client.
To restrict how long the user may be disconnected, enter a value (in minutes) in the User Can Disable Timeout (min) field in the Disable GlobalProtect App area. A value of 0 (the default) means that there is no restriction on how long the user can keep the client disabled.
Customize the GlobalProtect Portal Login, Welcome, and Help Pages
GlobalProtect provides default login, welcome, and/or help pages. However, you can create your own custom pages with your corporate branding, acceptable use policies, and links to your internal resources.
You can alternatively disable browser access to the portal login page in order to prevent unauthorized attempts to authenticate to the GlobalProtect portal (configure the Disable login page option from Network > GlobalProtect > Portals > portal_config > General). With the portal login page disabled, you can instead use a software distribution tool, such as Microsoft's System Center Configuration Manager (SCCM), to allow your users to download and install the GlobalProtect agent.
Customize the Portal Login, Welcome, and Help Pages
Test the help page: Right-click the GlobalProtect icon in the notification area (system tray), and select Help. The new help page will display.
Test the welcome page: Right-click the GlobalProtect icon in the notification area (system tray), and select Welcome Page. The new welcome page will display.
Enable Delivery of GlobalProtect Client VSAs to a RADIUS Server
When communicating with GlobalProtect portals or gateways, GlobalProtect clients send information that includes the client IP address, operating system (OS), hostname, user domain, and GlobalProtect agent/app version. You can enable the firewall to send this information as Vendor-Specific Attributes (VSAs) to a RADIUS server during authentication (by default, the firewall does not send the VSAs). RADIUS administrators can then perform administrative tasks based on those VSAs. For example, RADIUS administrators might use the client OS attribute to define a policy that mandates regular password authentication for Microsoft Windows users and one-time password (OTP) authentication for Google Android users.
The following are prerequisites for this procedure:
• Import the Palo Alto Networks RADIUS dictionary into your RADIUS server.
• Configure a RADIUS server profile and assign it to an authentication profile: see Set Up External Authentication.
• Assign the authentication profile to a GlobalProtect portal or gateway: see Set Up Access to the GlobalProtect Portal or Configure a GlobalProtect Gateway.
Enable Delivery of GlobalProtect Client VSAs to a RADIUS Server
Step 1  Log in to the firewall CLI.
Step 2  Enter the command for each VSA you want to send.
username@hostname> set authentication radius-vsa-on client-source-ip
username@hostname> set authentication radius-vsa-on client-os
username@hostname> set authentication radius-vsa-on client-hostname
username@hostname> set authentication radius-vsa-on user-domain
username@hostname> set authentication radius-vsa-on client-gp-version
If you later want to stop the firewall from sending particular VSAs, run the same commands but use the radius-vsa-off option instead of radius-vsa-on.
Deploy the GlobalProtect Client Software
In order to connect to GlobalProtect, an end host must be running GlobalProtect client software. The software deployment method depends on the type of client as follows:
• Mac OS and Microsoft Windows endpoints: Require the GlobalProtect agent software, which is distributed by the GlobalProtect portal. To enable the software for distribution, you must download the version you want the hosts in your network to use to the firewall hosting your GlobalProtect portal and then activate the software for download. For instructions on how to download and activate the agent software on the firewall, see Deploy the GlobalProtect Agent Software.
• Windows 10 phone and Windows 10 UWP endpoints: Require the GlobalProtect app. As with other mobile device apps, the end user must download the GlobalProtect app from the Microsoft Store. For instructions on how to download and test the GlobalProtect app installation, see Download and Install the GlobalProtect Mobile App.
• iOS and Android endpoints: Require the GlobalProtect app. As with other mobile device apps, the end user must download the GlobalProtect app either from the Apple App Store (iOS devices) or from Google Play (Android devices). For instructions on how to download and test the GlobalProtect app installation, see Download and Install the GlobalProtect Mobile App.
• Chromebooks: Require the GlobalProtect app for Chrome OS. Similar to the download process for mobile device apps, the end user can download the GlobalProtect app from the Chrome Web Store. You can also deploy the app to a managed Chromebook using the Chromebook Management Console. For instructions on how to download and test the GlobalProtect app installation, see Download and Install the GlobalProtect App for Chrome OS.
For more details, see What Client OS Versions are Supported with GlobalProtect?
Deploy the GlobalProtect Agent Software
There are several ways to deploy the GlobalProtect agent software:
• Directly from the portal: Download the agent software to the firewall hosting the portal and activate it so that end users can install the updates when they connect to the portal. This option provides flexibility in that it allows you to control how and when end users receive updates based on the agent configuration settings you define for each user, group, and/or operating system. However, if you have a large number of agents that require updates, it could put extra load on your portal. See Host Agent Updates on the Portal for instructions.
• From a web server: If you have a large number of hosts that will need to upgrade the agent simultaneously, consider hosting the agent updates on a web server to reduce the load on the firewall. See Host Agent Updates on a Web Server for instructions.
• Transparently from the command line: For Windows clients, you can automatically deploy agent settings in the Windows Installer (Msiexec). However, to upgrade to a later agent version using Msiexec, you must first uninstall the existing agent. In addition, Msiexec allows for deployment of agent settings directly on the endpoints by setting values in the Windows registry or Mac plist. See Deploy Agent Settings Transparently.
• Using group policy rules: In Active Directory environments, the GlobalProtect agent can also be distributed to end users using Active Directory group policy. AD group policies allow modification of Windows host computer settings and software automatically. Refer to the article at http://support.microsoft.com/kb/816102 for more information on how to use Group Policy to automatically distribute programs to host computers or users.
• From a mobile endpoint management system: If you use a mobile management system such as an MDM or EMM to manage your mobile devices, you can use the system to deploy and configure the GlobalProtect app. See Mobile Endpoint Management.
Host Agent Updates on the Portal
The simplest way to deploy the GlobalProtect agent software is to download the new agent installation package to the firewall that is hosting your portal and then activate the software for download to the agents connecting to the portal. To do this automatically, the firewall must have a service route that enables it to access the Palo Alto Networks Update Server. If the firewall does not have access to the Internet, you can manually download the agent software package from the Palo Alto Networks Software Updates support site using an Internet-connected computer and then manually upload it to the firewall.
You must have a valid Palo Alto Networks account to log in to and download software from the Software Updates page. If you cannot log in and need assistance, go to https://www.paloaltonetworks.com/support/tabs/overview.html.
You define how the agent software updates are deployed in the agent configurations you define on the portal: whether they happen automatically when the agent connects to the portal, whether the user is prompted to upgrade the agent, or whether the end user can manually check for and download a new agent version. For details on creating an agent configuration, see Define the GlobalProtect Agent Configurations.
Host the GlobalProtect Agent on the Portal
Host Agent Updates on a Web Server
If you have a large number of endpoints that will need to install and/or update the GlobalProtect agent software, consider hosting the GlobalProtect agent software images on an external web server. This helps reduce the load on the firewall when users connect to download the agent. To use this feature, the firewall hosting the portal must be running PAN-OS 4.1.7 or a later release.
Host GlobalProtect Agent Images on a Web Server
Test the Agent Installation
Use the following procedure to test the agent installation.
Test the Agent Installation
2. When prompted to run or save the software, click Run.
3. When prompted, click Run to launch the GlobalProtect Setup Wizard.
When initially installing the GlobalProtect agent software on the endpoint, the end user must be logged in to the system using an account that has administrative privileges. Subsequent agent software updates do not require administrative privileges.
To deploy the agent to end users, create agent configurations for the user groups for which you want to enable access, set the Agent Upgrade settings appropriately, and then communicate the portal address. See Define the GlobalProtect Agent Configurations for details on setting up agent configurations.
Download and Install the GlobalProtect Mobile App
The GlobalProtect app provides a simple way to extend the enterprise security policies out to mobile devices. As with other remote hosts running the GlobalProtect agent, the mobile app provides secure access to your corporate network over an IPSec or SSL VPN tunnel. The app will automatically connect to the gateway that is closest to the end user's current location. In addition, traffic to and from the mobile device is automatically subject to the same security policy enforcement as other hosts on your corporate network. Like the GlobalProtect agent, the app collects information about the host configuration and can use this information for enhanced HIP-based security policy enforcement.
There are two primary methods for installing the GlobalProtect app: you can deploy the app from your third-party MDM and transparently push the app to your managed devices, or you can install the app directly from the official store for your device:
• iOS endpoints: App Store
• Android endpoints: Google Play
• Windows 10 phones and Windows 10 UWP endpoints: Microsoft Store
• Chromebooks: For details on installing the GlobalProtect app for Chrome OS, see Download and Install the GlobalProtect App for Chrome OS.
This workflow describes how to install the GlobalProtect app directly on the mobile device. For instructions on how to deploy the GlobalProtect app from AirWatch, see Deploy the GlobalProtect Mobile App Using AirWatch.
Install the GlobalProtect Mobile App
2. Tap Connect and verify that the app successfully establishes a VPN connection to GlobalProtect.
If a third-party mobile endpoint management system is configured, the app will prompt you to enroll.
Download and Install the GlobalProtect App for Chrome OS
The GlobalProtect app for Chrome OS provides a simple way to extend the enterprise security policies out to Chromebooks. As with other remote hosts running the GlobalProtect agent, the app provides secure access to your corporate network over an IPSec or SSL VPN tunnel. After the user initiates a connection, the app will connect to the gateway that is closest to the end user's current location. In addition, traffic to and from the Chromebook is automatically subject to the same security policy enforcement as other hosts on your corporate network. Like the GlobalProtect agent, the app collects information about the host configuration and can use this information for enhanced HIP-based security policy enforcement.
Use the following procedures to install and test the GlobalProtect app for Chrome OS.
• Install the GlobalProtect App from the Chrome Web Store
• Deploy the GlobalProtect App Using the Chromebook Management Console
• Test the GlobalProtect App for Chrome OS
Install the GlobalProtect App from the Chrome Web Store
You can install the GlobalProtect app on a Chromebook by downloading the app from the Chrome Web Store. As an alternative you can Deploy the GlobalProtect App Using the Chromebook Management Console.
Install the GlobalProtect App from the Chrome Web Store
Deploy the GlobalProtect App Using the Chromebook Management Console
The Chromebook Management Console enables you to manage Chromebook settings and apps from a central, web-based location. From the console, you can deploy the GlobalProtect app to Chromebooks and customize VPN settings.
Use the following workflow to manage policies and settings for the GlobalProtect app for Chrome OS:
Configure the GlobalProtect App Using the Chromebook Management Console
Test the GlobalProtect App for Chrome OS
Use the GlobalProtect app to view status and other information about the app, to collect logs, or to reset the VPN connection settings. After you install and configure the app, it is not necessary to open the app to establish a VPN connection. Instead, you can connect by selecting the portal from the VPN settings on the Chromebook.
Test the GlobalProtect App for Chrome OS
To view additional information about the connection, including the gateway to which you are connected, launch the GlobalProtect app. The main page displays connection information and (if applicable) any errors or warnings.
Deploy Agent Settings Transparently
As an alternative to deploying agent settings from the portal configuration, you can define them directly from the Windows registry or global Mac plist or, on Windows clients only, using the Windows Installer (Msiexec). The benefit is that it enables deployment of GlobalProtect agent settings to endpoints prior to their first connection to the GlobalProtect portal.
Settings defined in the portal configuration always override settings defined in the Windows registry or Mac plist. So if you define settings in the registry or plist, but the portal configuration specifies different settings, the settings the agent receives from the portal will override the settings defined on the client. This override also applies to login-related settings, such as whether to connect on demand, whether to use single sign-on (SSO), and whether the agent can connect if the portal certificate is invalid. Therefore, you should avoid conflicting settings. In addition, the portal configuration is cached on the endpoint, and that cached configuration is used any time the GlobalProtect agent is restarted or the client machine is rebooted.
The following sections describe the customizable agent settings available and how to deploy these settings transparently to Windows and Mac clients:
• Customizable Agent Settings
• Deploy Agent Settings to Windows Clients
• Deploy Agent Settings to Mac Clients
In addition to using the Windows registry and Mac plist to deploy GlobalProtect agent settings, you can enable the GlobalProtect agent to collect specific Windows registry or Mac plist information from clients, including data on applications installed on the clients, processes running on the clients, and attributes or properties of those applications and processes. You can then monitor the data and add it to a security rule as matching criteria. Device traffic that matches registry settings you have defined can be enforced according to the security rule. Additionally, you can set up custom checks to Collect Application and Process Data From Clients.
Customizable Agent Settings
In addition to predeploying the portal address, you can also define the agent configuration settings. To Deploy Agent Settings to Windows Clients you define keys in the Windows registry (HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect), or, to Deploy Agent Settings to Mac Clients you define entries in the PanSetup dictionary of the Mac plist (/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist). On Windows clients only, you can also use the Windows Installer to Deploy Agent Settings from Msiexec.
Table: Customizable Agent Behavior Options describes each customizable agent setting. Settings defined in the GlobalProtect portal agent configuration take precedence over settings defined in the Windows registry or the Mac plist.
Some settings do not have a corresponding portal configuration setting on the web interface, and must be configured using the Windows registry or Msiexec. These additional settings include: can-prompt-user-credential, wrap-cp-guid, and filter-non-gpcp.
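The following is an added example, not code from the guide or from Palo Alto Networks, that builds the two artifacts this section and the Deploy Agent Settings Transparently section describe from one settings dictionary: a Windows .reg import file and a Mac plist. The registry root, the plist path, the PanSetup dictionary, the Portal key, the Windows-only setting names (can-prompt-user-credential, wrap-cp-guid, filter-non-gpcp) and the curly-bracket GUID rule are taken from the guide; the placement of Portal under PanSetup and of everything else under Settings follows the registry steps later in this chapter, and the portal hostname and the validation and conflict-report helpers are constructed here as assumptions. The conflict check exists because the guide states that the portal configuration always overrides a locally predeployed value, so a conflicting local entry is a mistake worth catching before deployment.

```python
"""Render transparent GlobalProtect agent settings for Windows (.reg) and Mac (plist).

Added example; assumes the layout described in the GlobalProtect 7.1 guide:
Portal under ...\GlobalProtect\PanSetup, other settings under ...\GlobalProtect\Settings,
and a PanSetup dictionary in the Mac plist. Sample values are constructed.
"""
import plistlib
import re

# Locations named in the guide.
REG_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect"
PLIST_PATH = "/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist"

# Assumption from the registry steps: Portal is predeployed under PanSetup,
# every other setting under Settings.
PANSETUP_KEYS = {"Portal"}
# Guide: these have no portal equivalent and exist only for the Windows registry / Msiexec.
WINDOWS_ONLY_KEYS = {"can-prompt-user-credential", "wrap-cp-guid", "filter-non-gpcp"}

# Guide: the credential provider GUID must be enclosed in curly brackets.
GUID_RE = re.compile(
    r"^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$")


def validate(settings):
    """Return a list of problems; an empty list means the settings are well-formed."""
    problems = []
    guid = settings.get("wrap-cp-guid")
    if guid is not None and not GUID_RE.match(str(guid)):
        problems.append("wrap-cp-guid must be a GUID in curly brackets, "
                        "e.g. {A1DA9BCC-9720-4921-8373-A8EC5D48450F}")
    for key, value in settings.items():
        if "\r" in str(value) or "\n" in str(value):
            problems.append(f"{key}: value must not contain line breaks")
    return problems


def _reg_escape(text):
    # .reg string data escapes backslashes and double quotes.
    return str(text).replace("\\", "\\\\").replace('"', '\\"')


def to_reg(settings):
    """Render a .reg import file whose entries are String Values (REG_SZ)."""
    problems = validate(settings)
    if problems:
        raise ValueError("; ".join(problems))
    groups = {"PanSetup": {}, "Settings": {}}
    for key, value in settings.items():
        groups["PanSetup" if key in PANSETUP_KEYS else "Settings"][key] = value
    lines = ["Windows Registry Editor Version 5.00", ""]
    for subkey, items in groups.items():
        if not items:
            continue
        lines.append(f"[{REG_ROOT}\\{subkey}]")
        for key in sorted(items):
            lines.append(f'"{key}"="{_reg_escape(items[key])}"')
        lines.append("")
    return "\n".join(lines)


def to_plist(settings):
    """Render the Mac plist with the entries in a PanSetup dictionary (per the guide).
    Windows-only keys are dropped rather than written where the Mac agent has no use for them."""
    problems = validate(settings)
    if problems:
        raise ValueError("; ".join(problems))
    pansetup = {k: str(v) for k, v in settings.items() if k not in WINDOWS_ONLY_KEYS}
    return plistlib.dumps({"PanSetup": pansetup})


def load_pansetup(plist_bytes):
    """Read back the PanSetup dictionary, e.g. to verify a file before distributing it."""
    return plistlib.loads(plist_bytes)["PanSetup"]


def conflicts(local, portal_config):
    """Keys where the portal agent configuration will override the predeployed local value.
    The guide says the portal always wins, so each hit is a local entry to remove."""
    return {k: (str(local[k]), str(portal_config[k]))
            for k in local if k in portal_config and str(local[k]) != str(portal_config[k])}


# Constructed sample: a placeholder portal hostname and the example GUID the guide shows.
SAMPLE = {
    "Portal": "portal.example.com",
    "wrap-cp-guid": "{A1DA9BCC-9720-4921-8373-A8EC5D48450F}",
}

if __name__ == "__main__":
    print(to_reg(SAMPLE))
    print(to_plist(SAMPLE).decode())
```

Import the .reg output with regedit (or distribute it through Group Policy) on Windows clients, and write the plist bytes to the path in PLIST_PATH on Mac clients; run conflicts() against an export of the portal agent configuration before either step.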
• Agent Display Options
• User Behavior Options
• Agent Behavior Options
• Script Deployment Options
Agent Display Options
The following table lists the options that you can configure in the Windows registry and Mac plist to customize the display of the GlobalProtect agent.
Table: Customizable Agent Settings
Portal Agent Configuration | Windows Registry/Mac Plist | Msiexec Parameter | Default
User Behavior Options
The following table lists the options that you can configure in the Windows registry and Mac plist to customize how the user can interact with the GlobalProtect agent.
Table: Customizable User Behavior Options
Portal Agent Configuration | Windows Registry/Mac Plist | Msiexec Parameter | Default
Specify a 0 to prevent GlobalProtect from saving credentials, a 1 to save both username and password, or a 2 to save the username only.
Agent Behavior Options
The following table lists the options that you can configure in the Windows registry and Mac plist to customize the behavior of the GlobalProtect agent.
Table: Customizable Agent Behavior Options
Portal Agent Configuration | Windows Registry/Mac Plist | Msiexec Parameter | Default
(Windows Only) This setting enables GlobalProtect to initiate a VPN tunnel before a user logs in to the device and connects to the GlobalProtect portal.
* For detailed steps to enable these settings using the Windows registry or Windows Installer (Msiexec), see SSO Wrapping for Third-Party Credential Providers on Windows Clients.
Script Deployment Options
The following table displays options that enable GlobalProtect to initiate scripts before and after establishing a VPN tunnel and before disconnecting a VPN tunnel. Because these options are not available in the portal, you must define the values for the relevant key (pre-vpn-connect, post-vpn-connect, or pre-vpn-disconnect) from the Windows registry or Mac plist. For detailed steps to deploy scripts, see Deploy Scripts Using the Windows Registry, Deploy Scripts Using Msiexec, or Deploy Scripts Using the Mac Plist.
Table: Customizable Script Deployment Options
Portal Agent Configuration | Windows Registry/Mac Plist | Msiexec Parameter | Default
Deploy Agent Settings to Windows Clients
Use the Windows registry or the Windows Installer (Msiexec) to deploy the GlobalProtect agent and settings to Windows clients transparently.
• Deploy Agent Settings in the Windows Registry
• Deploy Agent Settings from Msiexec
• Deploy Scripts Using the Windows Registry
• Windows OS Batch Script Examples
  - Example: Exclude Traffic from the VPN Tunnel on Windows Endpoints
  - Example: Mount a Network Share on Windows Endpoints
• Deploy Scripts Using Msiexec
  - Example: Use Msiexec to Deploy Scripts that Run Before a Connect Event
  - Example: Use Msiexec to Deploy Scripts that Run at Pre-Connect, Post-Connect, and Pre-Disconnect Events
• SSO Wrapping for Third-Party Credential Providers on Windows Clients
  - Enable SSO Wrapping for Third-Party Credentials with the Windows Registry
  - Enable SSO Wrapping for Third-Party Credentials with the Windows Installer
Deploy Agent Settings in the Windows Registry
You can enable deployment of GlobalProtect agent settings to Windows clients prior to their first connection to the GlobalProtect portal by using the Windows registry. Use the options described in the following table to begin using the Windows registry to customize agent settings for Windows clients.
In addition to using the Windows registry to deploy GlobalProtect agent settings, you can enable the GlobalProtect agent to collect specific Windows registry information from Windows clients. You can then monitor the data and add it to a security rule as matching criteria. Device traffic that matches registry settings you have defined can be enforced according to the security rule. Additionally, you can set up custom checks to Collect Application and Process Data From Clients.
Use the Windows Registry to Deploy GlobalProtect Agent Settings
• Locate the GlobalProtect agent customization settings in the Windows registry: Open the Windows registry (enter regedit at the command prompt) and go to:
  HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\
• Set the portal name: If you do not want the user to manually enter the portal address even for the first connection, you can predeploy the portal address through the Windows registry:
  HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup with key Portal.
• Deploy various settings to the Windows client from the Windows registry, including configuring the connect method for the GlobalProtect agent and enabling single sign-on (SSO): View Table: Customizable Agent Behavior Options for a full list of the commands and values you can set up using the Windows registry.
• Enable the GlobalProtect agent to wrap third-party credentials on the Windows client, allowing for SSO when using a third-party credential provider: See Enable SSO Wrapping for Third-Party Credentials with the Windows Registry.
Deploy Agent Settings from Msiexec
On Windows endpoints, you have the option to deploy the agent and the settings automatically from the Windows Installer (Msiexec) by using the following syntax:
msiexec.exe /i GlobalProtect.msi <SETTING>="<value>"
Msiexec is an executable program that installs or configures a product from the command line. On systems running Microsoft Windows XP or a later OS, the maximum length of the string that you can use at the command prompt is 8,191 characters.
Msiexec Example | Description
For a complete list of settings and the corresponding default values, see Table: Customizable Agent Behavior Options.
To set up the GlobalProtect agent to wrap third-party credentials on a Windows client from Msiexec, see Enable SSO Wrapping for Third-Party Credentials with the Windows Installer.
Deploy Scripts Using the Windows Registry
You can enable deployment of custom scripts to Windows endpoints using the Windows registry.
You can configure the GlobalProtect agent to initiate and run a script for any or all of the following events: before and after establishing the tunnel, and before disconnecting the tunnel. To run the script at a particular event, reference the batch script from a command registry entry for that event.
Depending on the configuration settings, the GlobalProtect agent can run a script before and after the agent establishes a VPN tunnel with the gateway, and before the agent disconnects from the VPN tunnel. Use the following workflow to get started using the Windows registry to customize agent settings for Windows clients.
The registry settings that enable you to deploy scripts are supported in GlobalProtect clients running GlobalProtect agent 2.3 and later releases.
Deploy Scripts in the Windows Registry
Windows OS Batch Script Examples
You can configure the GlobalProtect agent to initiate and run a script for any or all of the following events: before and after establishing the tunnel, and before disconnecting the tunnel. To run the script at a particular event, reference the batch script from a command registry entry for that event. The following topics show examples of scripts you can run on Windows systems at pre-connect, post-connect, and pre-disconnect events:
Example: Exclude Traffic from the VPN Tunnel on Windows Endpoints
To exclude traffic from the VPN tunnel after establishing the VPN connection, reference the following script from a command registry entry for a post-vpn-connect event. This enables you to selectively exclude routes and to send all other traffic through the VPN tunnel.
As a best practice, delete any exclude network routes that were previously added before adding the new exclude routes. In most cases, when a user moves between networks (such as when switching between Wi-Fi and a local network) the old network routes are automatically deleted. In the event that the old network routes persist, following this best practice ensures that traffic destined for the exclude routes will go through the gateway of the new network instead of the gateway of the old network.
For a script that you can copy and paste, go here.
@echo off
REM Run this script (route_exclude) post-vpn-connect.
REM Add exclude routes. This allows traffic to these networks and hosts to go directly and not use the tunnel.
REM Syntax: route_exclude <network1> <mask1> <network2> <mask2> ...<networkN> <maskN>
REM Example-1: route_exclude 10.0.0.0 255.0.0.0
REM Example-2: route_exclude 10.0.0.0 255.0.0.0 192.168.17.0 255.255.255.0
REM Example-3: route_exclude 10.0.0.0 255.0.0.0 192.168.17.0 255.255.255.0 192.168.24.25 255.255.255.255
REM Use the route print command and find the DefaultGateway on the endpoint
@For /f "tokens=3" %%* in (
'route.exe print ^|findstr "\<0.0.0.0\>"'
) Do if not defined DefaultGateway Set "DefaultGateway=%%*"
REM Use the route add command to add the exclude routes
:add_route
if "%1" =="" goto end
route delete %1
route add %1 mask %2 %DefaultGateway%
shift
shift
goto add_route
:end
Example: Mount a Network Share on Windows Endpoints
To mount a network share after establishing a VPN connection, reference the following script from a command registry entry for a post-vpn-connect event:
@echo off
REM Mount filer1 to Z: drive
net use Z: \\filer1.mycompany.local\share /user:mycompany\user1
Deploy Scripts Using Msiexec
On Windows clients, you can use the Windows Installer (Msiexec) to deploy the agent, agent settings, and scripts that the agent will run automatically (see Customizable Agent Settings). To do so, use the following syntax:
msiexec.exe /i GlobalProtect.msi <SETTING>="<value>"
Msiexec is an executable program that installs or configures a product from a command line. On systems running Microsoft Windows XP or a later release, the maximum length of the string that you can use at the command prompt is 8,191 characters.
This limitation applies to the command line, individual environment variables (such as the USERPROFILE variable) that are inherited by other processes, and all environment variable expansions. If you run batch files from the command line, this limitation also applies to batch file processing.
For example, to deploy scripts that run at specific connect or disconnect events, you can use syntax similar to the following examples:
• Example: Use Msiexec to Deploy Scripts that Run Before a Connect Event
• Example: Use Msiexec to Deploy Scripts that Run at Pre-Connect, Post-Connect, and Pre-Disconnect Events
Example: Use Msiexec to Deploy Scripts that Run Before a Connect Event
For a script that you can copy and paste, go here.
msiexec.exe /i GlobalProtect.msi
PREVPNCONNECTCOMMAND="%userprofile%\pre_vpn_connect.bat c: test_user"
PREVPNCONNECTCONTEXT="user"
PREVPNCONNECTTIMEOUT="60"
PREVPNCONNECTFILE="C:\Users\test_user\pre_vpn_connect.bat"
PREVPNCONNECTCHECKSUM="a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599"
PREVPNCONNECTERRORMSG="Failed executing pre-vpn-connect action."
For a complete list of settings and the corresponding default values, see Customizable Agent Settings. Or, for examples of batch scripts, see Windows OS Batch Script Examples.
Example: Use Msiexec to Deploy Scripts that Run at Pre-Connect, Post-Connect, and Pre-Disconnect Events
For a script that you can copy and paste, go here.
msiexec.exe /i GlobalProtect.msi
PREVPNCONNECTCOMMAND="%userprofile%\pre_vpn_connect.bat c: test_user"
PREVPNCONNECTCONTEXT="user"
PREVPNCONNECTTIMEOUT="60"
PREVPNCONNECTFILE="C:\Users\test_user\pre_vpn_connect.bat"
PREVPNCONNECTCHECKSUM="a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599"
PREVPNCONNECTERRORMSG="Failed executing pre-vpn-connect action."
POSTVPNCONNECTCOMMAND="c:\users\test_user\post_vpn_connect.bat c: test_user"
POSTVPNCONNECTCONTEXT="admin"
POSTVPNCONNECTFILE="%userprofile%\post_vpn_connect.bat"
POSTVPNCONNECTCHECKSUM="b48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf598"
POSTVPNCONNECTERRORMSG="Failed executing post-vpn-connect action."
PREVPNDISCONNECTCOMMAND="%userprofile%\pre_vpn_disconnect.bat c: test_user"
PREVPNDISCONNECTCONTEXT="admin"
PREVPNDISCONNECTTIMEOUT="0"
PREVPNDISCONNECTFILE="C:\Users\test_user\pre_vpn_disconnect.bat"
PREVPNDISCONNECTCHECKSUM="c48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf597"
PREVPNDISCONNECTERRORMSG="Failed executing pre-vpn-disconnect action."
For a complete list of settings and the corresponding default values, see Customizable Agent Settings. Or, for examples of batch scripts, see Windows OS Batch Script Examples.
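The following is an added example, not code from the guide or from Palo Alto Networks, that assembles an msiexec command line like the two above from the script files themselves. It covers the points a practitioner otherwise does by hand: the CHECKSUM property is derived from the bytes of the script that will be installed, so the agent can refuse a script that was altered after deployment, and the assembled line is checked against the 8,191-character command-prompt limit the section cites. The property names (PREVPNCONNECTCOMMAND, ...CONTEXT, ...TIMEOUT, ...FILE, ...CHECKSUM, ...ERRORMSG and the POSTVPNCONNECT and PREVPNDISCONNECT families) and the user/admin contexts are the guide's; the choice of SHA-256 is an assumption made because the guide's example checksums are 64 hexadecimal digits, the length of a SHA-256 digest, and the script contents and paths are constructed here.

```python
"""Build a GlobalProtect msiexec script-deployment command line.

Added example; property names follow the GlobalProtect 7.1 guide. SHA-256 for the
CHECKSUM value is an assumption (the guide shows 64-hex-digit checksums but does not
name the algorithm). Script bytes and paths below are constructed sample data.
"""
import hashlib

# Guide: the command prompt on Windows XP and later accepts at most 8,191 characters.
MAX_CMD_LEN = 8191

# Msiexec property prefixes for the three script events named in the guide.
EVENT_PREFIX = {
    "pre-vpn-connect": "PREVPNCONNECT",
    "post-vpn-connect": "POSTVPNCONNECT",
    "pre-vpn-disconnect": "PREVPNDISCONNECT",
}


def script_checksum(script_bytes: bytes) -> str:
    """Hex digest of the script exactly as it will exist on the endpoint (SHA-256 assumed)."""
    return hashlib.sha256(script_bytes).hexdigest()


def event_properties(event, command, file_path, script_bytes,
                     context="user", timeout=None, error_msg=None):
    """Msiexec properties for one event, in the order the guide's examples list them.
    `command` is what the agent runs (it may use %userprofile%); `file_path` is the
    on-disk script whose checksum the agent verifies before running it."""
    prefix = EVENT_PREFIX[event]
    props = {
        f"{prefix}COMMAND": command,
        f"{prefix}CONTEXT": context,
    }
    if timeout is not None:
        props[f"{prefix}TIMEOUT"] = str(timeout)
    props[f"{prefix}FILE"] = file_path
    props[f"{prefix}CHECKSUM"] = script_checksum(script_bytes)
    props[f"{prefix}ERRORMSG"] = error_msg or f"Failed executing {event} action."
    return props


def command_length_ok(cmd: str) -> bool:
    """True if the command prompt will accept the line without truncating it."""
    return len(cmd) <= MAX_CMD_LEN


def build_msiexec(msi: str, *property_sets) -> str:
    """Join msiexec.exe /i <msi> with SETTING="value" pairs for every event given,
    refusing values that would break the quoting and lines the prompt would truncate."""
    props = {}
    for ps in property_sets:
        props.update(ps)
    for key, value in props.items():
        if '"' in str(value):
            raise ValueError(f"{key}: a double quote cannot appear inside a quoted msiexec value")
    cmd = " ".join(["msiexec.exe", "/i", msi] + [f'{k}="{v}"' for k, v in props.items()])
    if not command_length_ok(cmd):
        raise ValueError(f"command line is {len(cmd)} characters, above the {MAX_CMD_LEN} limit")
    return cmd


# Constructed sample: the batch script bytes that would be installed on the endpoint.
SAMPLE_SCRIPT = b"@echo off\r\nREM constructed pre-connect script\r\necho pre-connect > NUL\r\n"

# Constructed sample command for a pre-connect and a pre-disconnect script.
SAMPLE_CMD = build_msiexec(
    "GlobalProtect.msi",
    event_properties("pre-vpn-connect",
                     command=r"%userprofile%\pre_vpn_connect.bat c: test_user",
                     file_path=r"C:\Users\test_user\pre_vpn_connect.bat",
                     script_bytes=SAMPLE_SCRIPT, context="user", timeout=60),
    event_properties("pre-vpn-disconnect",
                     command=r"%userprofile%\pre_vpn_disconnect.bat c: test_user",
                     file_path=r"C:\Users\test_user\pre_vpn_disconnect.bat",
                     script_bytes=SAMPLE_SCRIPT, context="admin", timeout=0),
)

if __name__ == "__main__":
    print(SAMPLE_CMD)
```

Read each script with open(path, "rb") and pass the bytes to event_properties so the checksum matches the file byte for byte (line endings included); a script edited after the checksum was computed will fail the agent's verification, which is the behaviour you want.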
SSO Wrapping for Third-Party Credential Providers on Windows Clients
On Windows 7 and Windows Vista clients, the GlobalProtect agent uses the Microsoft credential provider framework to support single sign-on (SSO). With SSO, the GlobalProtect credential provider wraps the Windows native credential provider, which enables GlobalProtect to use the Windows login credentials to automatically authenticate and connect to the GlobalProtect portal and gateway.
In some scenarios where other third-party credential providers also exist on the client, the GlobalProtect credential provider is unable to gather a user's Windows login credentials and, as a result, GlobalProtect fails to connect automatically to the GlobalProtect portal and gateway. If SSO fails, you can identify the third-party credential provider and then configure the GlobalProtect agent to wrap that third-party credential provider, which enables users to authenticate to Windows, GlobalProtect, and the third-party credential provider in a single step using only their Windows login credentials when they log in to their Windows system.
Optionally, you can configure Windows to display separate login tiles: one for each third-party credential provider and another for the native Windows login. This is useful when a third-party credential provider adds functionality to its login tile that does not apply to GlobalProtect.
Use the Windows registry or the Windows Installer (Msiexec) to allow GlobalProtect to wrap third-party credentials:
Enable SSO Wrapping for Third-Party Credentials with the Windows Registry
Enable SSO Wrapping for Third-Party Credentials with the Windows Installer
GlobalProtect SSO wrapping for third-party credential providers (CPs) depends on the third-party CP's settings and, in some cases, might not work correctly if the third-party CP implementation does not allow GlobalProtect to wrap it.
Enable SSO Wrapping for Third-Party Credentials with the Windows Registry
Use the following steps in the Windows registry to enable SSO to wrap third-party credentials on Windows 7 and Windows Vista clients.
Use the Windows Registry to Enable SSO Wrapping for Third-Party Credentials
2. Add a new String Value.
3. Enter values for the String Value:
Name: wrap-cp-guid
Value data: {<third-party credential provider GUID>}
For the Value data field, the GUID value that you enter must be enclosed in curly brackets: { and }.
The following is an example of what a third-party credential provider GUID in the Value data field might look like:
{A1DA9BCC-9720-4921-8373-A8EC5D48450F}
For the new String Value, wrap-cp-guid is displayed as the String Value's Name and the GUID is displayed as the Data.
With this string value added to the GlobalProtect settings, two login options are presented to users when they log in to their Windows system: the native Windows tile and the third-party credential provider's tile.
Enable SSO Wrapping for Third-Party Credentials with the Windows Installer
Use the following options in the Windows Installer (Msiexec) to enable SSO to wrap third-party credential providers on Windows 7 and Windows Vista clients. As in the registry method, the GUID value must be enclosed in curly brackets.
Use the Windows Installer to Enable SSO Wrapping for Third-Party Credentials
Wrap third-party credentials and display only the native tile to users at login. Users click the tile and log in to the system with their native Windows credentials, and that single login authenticates users to Windows, GlobalProtect, and the third-party credential provider.
Use the following syntax from the Windows Installer (Msiexec):
msiexec.exe /i GlobalProtect.msi WRAPCPGUID={guid_value} FILTERNONGPCP=yes
In the syntax above, FILTERNONGPCP=yes simplifies authentication for the user by filtering out the third-party credential provider's logon tile, so that only the native Windows tile is displayed.
If you would like users to have the option to log in with the third-party credentials, use the following syntax from Msiexec:
msiexec.exe /i GlobalProtect.msi WRAPCPGUID={guid_value} FILTERNONGPCP=no
In the syntax above, FILTERNONGPCP=no leaves the third-party credential provider's logon tile in place. In this case, both the native Windows tile and the third-party credential provider tile are displayed to users when they log in to the Windows system.
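The script-hook properties listed at the start of this section and the WRAPCPGUID/FILTERNONGPCP options above are easy to get subtly wrong: a checksum that does not match the deployed script, or a GUID without its curly brackets, silently breaks the feature. The checksum matters for more than correctness, because the example hooks live under %userprofile% (user-writable) but run in the admin context, so the recorded checksum is the agent's means of refusing a script the user has swapped. The following Python is an added example, not Palo Alto Networks code, that generates a consistent msiexec property set for both features. It assumes the *CHECKSUM value is the SHA-256 hex digest of the script file (the page shows only that the value is 64 hex characters); the sample script bytes and portal-side values are constructed here.

```python
import hashlib
import hmac
import re

# Event prefixes exactly as they appear in the msiexec property names on this page.
EVENTS = ("PREVPNCONNECT", "POSTVPNCONNECT", "PREVPNDISCONNECT")

# WRAPCPGUID / wrap-cp-guid must be a GUID enclosed in curly brackets.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Constructed sample script (stands in for pre_vpn_connect.bat); not from the page.
SAMPLE_SCRIPT = b"@echo off\r\necho pre-vpn-connect on %COMPUTERNAME%\r\nexit /b 0\r\n"


def script_checksum(script_bytes: bytes) -> str:
    """Assumption: the *CHECKSUM property is the SHA-256 hex digest of the script file."""
    return hashlib.sha256(script_bytes).hexdigest()


def verify_script(script_bytes: bytes, expected_checksum: str) -> bool:
    """Re-check a deployed script against the recorded checksum (constant-time compare)."""
    return hmac.compare_digest(script_checksum(script_bytes), expected_checksum.lower())


def script_hook_properties(event, script_path, script_bytes, args="", context="admin",
                           timeout=None, error_msg=None):
    """Build the <EVENT>COMMAND/CONTEXT/FILE/CHECKSUM/ERRORMSG[/TIMEOUT] properties for one event.

    FILE is the path whose checksum is recorded; COMMAND is what gets run. Deriving COMMAND
    from the same path avoids hashing one file while executing another.
    """
    if event not in EVENTS:
        raise ValueError(f"unknown event {event!r}; expected one of {EVENTS}")
    props = {
        f"{event}COMMAND": f"{script_path} {args}".strip(),
        f"{event}CONTEXT": context,
        f"{event}FILE": script_path,
        f"{event}CHECKSUM": script_checksum(script_bytes),
        f"{event}ERRORMSG": error_msg or f"Failed executing {event.lower()} action.",
    }
    if timeout is not None:
        props[f"{event}TIMEOUT"] = str(int(timeout))
    return props


def wrap_cp_properties(guid: str, filter_non_gp: bool = True) -> dict:
    """WRAPCPGUID plus FILTERNONGPCP (yes = only the native tile, no = both tiles)."""
    if not GUID_RE.match(guid):
        raise ValueError("credential provider GUID must be 8-4-4-4-12 hex digits in curly brackets")
    return {"WRAPCPGUID": guid, "FILTERNONGPCP": "yes" if filter_non_gp else "no"}


def msiexec_command_line(msi: str, props: dict) -> str:
    """Render PROPERTY=value pairs; msiexec needs quotes only around values containing spaces."""
    def render(key, value):
        return f'{key}="{value}"' if " " in value else f"{key}={value}"
    return " ".join(["msiexec.exe", "/i", msi] + [render(k, v) for k, v in props.items()])


def build_deployment(guid: str, script_path: str, script_bytes: bytes = SAMPLE_SCRIPT) -> str:
    """Complete command line: a pre-vpn-connect hook run as admin plus SSO wrapping of one CP."""
    props = {}
    props.update(script_hook_properties("PREVPNCONNECT", script_path, script_bytes,
                                        args="c: test_user", context="admin", timeout=0))
    props.update(wrap_cp_properties(guid, filter_non_gp=True))
    return msiexec_command_line("GlobalProtect.msi", props)


if __name__ == "__main__":
    print(build_deployment("{A1DA9BCC-9720-4921-8373-A8EC5D48450F}",
                           r"%userprofile%\pre_vpn_connect.bat"))
```

Run verify_script against the file actually present on an endpoint when a hook reports its ERRORMSG: a mismatch means the script on disk is not the one that was approved, which is worth investigating rather than simply re-hashing.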
Deploy Agent Settings to Mac Clients
Use the Mac global plist (property list) file to set GlobalProtect agent customization settings or to deploy scripts to Mac endpoints.
Deploy Agent Settings in the Mac Plist
Deploy Scripts Using the Mac Plist
Mac OS Script Examples
Example: Terminate All Established SSH Sessions on Mac Endpoints
Example: Mount a Network Share on Mac Endpoints
Deploy Agent Settings in the Mac Plist
You can set the GlobalProtect agent customization settings in the Mac global plist (property list) file. This enables deployment of GlobalProtect agent settings to Mac endpoints prior to their first connection to the GlobalProtect portal.
On Mac systems, plist files are located either in /Library/Preferences or in ~/Library/Preferences. The tilde (~) symbol indicates that the location is in the current user's home folder. The GlobalProtect agent on a Mac client first checks for the GlobalProtect plist settings in /Library/Preferences. If the plist does not exist at that location, the GlobalProtect agent searches for plist settings in ~/Library/Preferences.
In addition to using the Mac plist to deploy GlobalProtect agent settings, you can enable the GlobalProtect agent to collect specific Mac plist information from clients. You can then monitor the data and add it to a security rule as matching criteria. Device traffic that matches the plist settings you have defined can be enforced according to the security rule. Additionally, you can set up custom checks to Collect Application and Process Data From Clients.
Use the Mac Plist to Deploy GlobalProtect Agent Settings
Step 1 Open the GlobalProtect plist file and locate the GlobalProtect agent customization settings. Use Xcode or an alternate plist editor to open the plist file:
/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
Then go to:
/Palo Alto Networks/GlobalProtect/Settings
If the Settings dictionary does not exist, create it. Then add each key to the Settings dictionary as a string.
Step 2 Set the portal name. If you don't want the user to manually enter the portal address even for the first connection, you can pre-deploy the portal address through the Mac plist. Under the PanSetup dictionary, configure an entry for Portal.
Step 3 Deploy various settings to the Mac client from the Mac plist, including configuring the connect method for the GlobalProtect agent. View Customizable Agent Settings for a full list of the keys and values that you can configure using the Mac plist.
Deploy Scripts Using the Mac Plist
When a user connects to the GlobalProtect gateway for the first time, the GlobalProtect agent downloads a configuration file and stores agent settings in a GlobalProtect Mac property list file (plist). In addition to making changes to the agent settings, you use the Mac plist to deploy scripts at any or all of the following events: before and after establishing the tunnel, and before disconnecting the tunnel. Use the following workflow to get started using the Mac plist to deploy scripts to Mac endpoints.
The Mac plist settings that enable you to deploy scripts are supported on GlobalProtect clients running GlobalProtect agent 2.3 and later releases.
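The two procedures above describe where the agent looks for its plist and what it holds, but not how to generate one or how to confirm that the copy that wins the lookup is trustworthy. The following Python is an added example, not Palo Alto Networks code. It writes the plist with the layout the text gives (PanSetup/Portal and the Settings dictionary of strings under Palo Alto Networks/GlobalProtect), resolves the lookup order the text describes (/Library/Preferences first, then ~/Library/Preferences), and checks that a system-wide plist is not writable by non-root users, since a writable plist can redirect the agent to a different portal or point an event hook at an attacker's script. The connect-method key, the per-event dictionaries (keyed pre-vpn-connect and so on, each holding a command entry) and all sample values are assumptions of this example.

```python
import os
import plistlib
import stat
import tempfile

PLIST_NAME = "com.paloaltonetworks.GlobalProtect.settings.plist"
# Lookup order from the text: the system-wide file wins, the per-user file is the fallback.
SEARCH_DIRS = ("/Library/Preferences", os.path.expanduser("~/Library/Preferences"))
# Event names mirror the Windows property names on this page; that they are plist keys
# holding a "command" entry is an assumption of this example.
SCRIPT_EVENTS = ("pre-vpn-connect", "post-vpn-connect", "pre-vpn-disconnect")


def build_settings_plist(portal, settings, scripts=None):
    """Serialise the agent settings as XML plist bytes. Settings values are stored as strings."""
    gp = {"PanSetup": {"Portal": portal},
          "Settings": {key: str(value) for key, value in settings.items()}}
    for event, command in (scripts or {}).items():
        if event not in SCRIPT_EVENTS:
            raise ValueError(f"unknown script event {event!r}")
        gp[event] = {"command": command}
    return plistlib.dumps({"Palo Alto Networks": {"GlobalProtect": gp}}, fmt=plistlib.FMT_XML)


def parse_gp_settings(data):
    """Return the GlobalProtect dictionary from plist bytes."""
    return plistlib.loads(data)["Palo Alto Networks"]["GlobalProtect"]


def find_settings_plist(search_dirs=SEARCH_DIRS):
    """Return the path the agent would read, following the documented lookup order."""
    for directory in search_dirs:
        path = os.path.join(directory, PLIST_NAME)
        if os.path.isfile(path):
            return path
    return None


def load_gp_settings(path):
    with open(path, "rb") as fh:
        return parse_gp_settings(fh.read())


def is_locked_down(path):
    """True when the file is not writable by group or others.

    A system-wide plist that any local user can edit lets that user change the portal
    address or the script a hook runs; on a real Mac also confirm the owner is root.
    """
    mode = os.stat(path).st_mode
    return not (mode & (stat.S_IWGRP | stat.S_IWOTH))


def demo():
    """Exercise the lookup order and the permission check in a throw-away directory tree."""
    plist = build_settings_plist(
        "gp.example.com",                                    # assumed portal name
        {"connect-method": "on-demand"},                     # assumed key and value
        {"pre-vpn-connect": "/usr/local/bin/kill_ssh.sh"},  # assumed script path
    )
    with tempfile.TemporaryDirectory() as tmp:
        system_dir = os.path.join(tmp, "Library", "Preferences")
        user_dir = os.path.join(tmp, "home", "Library", "Preferences")
        os.makedirs(system_dir)
        os.makedirs(user_dir)
        dirs = (system_dir, user_dir)

        user_plist = os.path.join(user_dir, PLIST_NAME)
        with open(user_plist, "wb") as fh:
            fh.write(plist)
        only_user = find_settings_plist(dirs)            # falls back to the home folder

        system_plist = os.path.join(system_dir, PLIST_NAME)
        with open(system_plist, "wb") as fh:
            fh.write(plist)
        os.chmod(system_plist, 0o644)
        both = find_settings_plist(dirs)                 # the system-wide copy now wins
        locked = is_locked_down(system_plist)
        os.chmod(system_plist, 0o666)
        loose = is_locked_down(system_plist)

        return {
            "portal": load_gp_settings(both)["PanSetup"]["Portal"],
            "fallback_to_user": only_user == user_plist,
            "system_wins": both == system_plist,
            "locked_0644": locked,
            "locked_0666": loose,
        }


if __name__ == "__main__":
    print(demo())
```

Because the per-user file is only consulted when no system-wide file exists, deploying the plist to /Library/Preferences with root ownership and mode 0644 also prevents a user from overriding the portal address or the hooks from their own home folder.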
Mac OS Script Examples
You can configure the GlobalProtect agent to initiate and run a script at any or all of the following events: before and after establishing the tunnel, and before disconnecting the tunnel. To run the script at a particular event, reference the shell script from a command plist entry for that event. The following topics show examples of scripts that you can run at pre-connect, post-connect and pre-disconnect events:
Example: Terminate All Established SSH Sessions on Mac Endpoints
Example: Mount a Network Share on Mac Endpoints
Example: Terminate All Established SSH Sessions on Mac Endpoints
To force termination of all established SSH sessions before setting up the VPN tunnel, reference the following script from a command plist entry for a pre-vpn-connect event. Similarly, you can re-establish the sessions after the GlobalProtect VPN tunnel is established by using a script that you reference from the command plist entry for a post-vpn-connect event. This can be useful if you want to force all SSH traffic to traverse the GlobalProtect VPN tunnel.
#!/bin/bash
# Identify all running ssh client processes and force-kill them.
# -x matches the process name exactly, so sshd and ssh-agent are left alone
# (a plain "grep ssh" would also match those, and a bare "ps" lists only the
# current terminal's processes). SIGKILL gives the client no chance to clean up.
# Exit 0 even when nothing matched, so a no-op run is not reported as a failed hook.
pkill -9 -x ssh || true
Example: Mount a Network Share on Mac Endpoints
To mount a network share after establishing a VPN connection, reference the following script from a command plist entry for a post-vpn-connect event:
#!/bin/bash
# $1 is the mount point passed as an argument from the plist command entry.
# Caution: the username and password embedded in the share URL are readable by
# anyone who can read this script and are visible in the process list while
# mount runs; restrict the script's permissions accordingly.
mkdir -p "$1"
mount -t smbfs "//username:password@10.101.2.17/shares/Departments/Engineering/SW_eng/username/folder" "$1"
sleep 1
Reference: GlobalProtect Agent Cryptographic Functions
The GlobalProtect agent uses the OpenSSL library 1.0.1h to establish secure communication with the GlobalProtect portal and GlobalProtect gateways. The following table lists each GlobalProtect agent function that requires a cryptographic function and the cryptographic keys the GlobalProtect agent uses:
GlobalProtect MIB Support
Palo Alto Networks devices support standard and enterprise management information bases (MIBs) that enable you to monitor the device's physical state, utilization statistics, traps, and other useful information. Most MIBs use object groups to describe characteristics of the device using the Simple Network Management Protocol (SNMP) framework. You must load these MIBs into your SNMP manager to monitor the objects (device statistics and traps) that are defined in the MIBs (for details, see Use an SNMP Manager to Explore MIBs and Objects in the PAN-OS 7.1 Administrator's Guide).
The PAN-COMMON-MIB, which is included with the enterprise MIBs, uses the panGlobalProtect object group. The following table describes the objects that make up the panGlobalProtect object group.
Object                            Description
panGPGWUtilizationPct             Utilization (as a percentage) of the GlobalProtect gateway
panGPGWUtilizationMaxTunnels      Maximum number of tunnels allowed
panGPGWUtilizationActiveTunnels   Number of active tunnels
Use these SNMP objects to monitor utilization of GlobalProtect gateways and make changes as needed. For example, if the number of active tunnels reaches 80% or more of the maximum number of tunnels allowed, you should consider adding gateways.
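A worked capacity check against the three objects above, as an added example rather than anything shipped with PAN-OS: it parses snmpwalk-style output for the panGlobalProtect objects and applies the 80% rule from the paragraph above. It also flags a gateway whose reported percentage disagrees with active/max, which usually means the counters were not polled together or the MIB was not loaded. The sample walk lines are constructed and use the object names from the table; the exact textual format of a real walk depends on your SNMP manager.

```python
import re

GP_OBJECTS = ("panGPGWUtilizationPct",
              "panGPGWUtilizationMaxTunnels",
              "panGPGWUtilizationActiveTunnels")

# Constructed sample, shaped like "snmpwalk -m PAN-COMMON-MIB" output; not captured from a firewall.
SAMPLE_WALK = """\
PAN-COMMON-MIB::panGPGWUtilizationPct.0 = INTEGER: 82
PAN-COMMON-MIB::panGPGWUtilizationMaxTunnels.0 = INTEGER: 1000
PAN-COMMON-MIB::panGPGWUtilizationActiveTunnels.0 = INTEGER: 820
"""

# "<MIB>::<object>.<instance> = <TYPE>: <value>", with the MIB prefix, instance and type optional.
LINE_RE = re.compile(
    r"^(?:[\w-]+::)?(?P<name>panGPGW\w+)(?:\.\d+)?\s*=\s*(?:\w+:\s*)?(?P<value>-?\d+)\s*$")


def parse_walk(text):
    """Extract the panGlobalProtect gateway counters from walk output. Unrelated lines are ignored."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("name") in GP_OBJECTS:
            values[m.group("name")] = int(m.group("value"))
    missing = [name for name in GP_OBJECTS if name not in values]
    if missing:
        raise ValueError(f"objects not found in walk output (is PAN-COMMON-MIB loaded?): {missing}")
    return values


def assess_gateway(values, threshold=0.8):
    """Apply the 'add gateways at 80% of max tunnels' rule and sanity-check the reported percentage."""
    max_tunnels = values["panGPGWUtilizationMaxTunnels"]
    active = values["panGPGWUtilizationActiveTunnels"]
    reported_pct = values["panGPGWUtilizationPct"]
    if max_tunnels <= 0:
        raise ValueError("panGPGWUtilizationMaxTunnels must be positive")
    ratio = active / max_tunnels
    computed_pct = round(ratio * 100)
    return {
        "utilization": ratio,
        "add_gateways": ratio >= threshold,
        "over_capacity": active > max_tunnels,
        # More than a couple of points of disagreement means the three values are not from one poll.
        "pct_consistent": abs(computed_pct - reported_pct) <= 2,
    }


def check_gateway_capacity(walk_text=SAMPLE_WALK, threshold=0.8):
    """Parse a walk and return the assessment; raises ValueError if the objects are absent."""
    return assess_gateway(parse_walk(walk_text), threshold)


if __name__ == "__main__":
    print(check_gateway_capacity())
```

Feed the output of your manager's walk of the panGlobalProtect group into check_gateway_capacity on a schedule and alert on add_gateways; treat pct_consistent being False as a monitoring problem to fix before trusting the number.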
Mobile Endpoint Management Overview
As mobile endpoints become more powerful, end users increasingly rely on them to perform business tasks. However, these same endpoints that access your corporate network also connect to the internet without protection against threats and vulnerabilities. By using a third-party mobile endpoint management system, such as a mobile device management (MDM) or enterprise mobility management (EMM) system, you can easily manage both company-provisioned and employee-owned devices (such as in a BYOD environment).
A mobile endpoint management system simplifies the administration of mobile endpoints by enabling you to automatically deploy your corporate account configuration and VPN settings to compliant endpoints. You can also use your mobile endpoint management system for remediation of security breaches by interacting with an endpoint that has been compromised. This protects both corporate data and personal end-user data. For example, if an end user loses an endpoint, you can remotely lock the endpoint from the mobile endpoint management system or even wipe the endpoint (either completely or selectively).
In addition to the account provisioning and remote device management functions that a mobile endpoint management system can provide, when it is integrated with your existing GlobalProtect VPN infrastructure you can use the host information that the endpoint reports to enforce security policies for access to apps through the GlobalProtect gateway. You can also use the monitoring tools that are built into the Palo Alto Networks next-generation firewall to monitor mobile endpoint traffic.
Set Up a Mobile Endpoint Management System
To set up a mobile endpoint management system, use the following workflow:
Set Up an Endpoint Management System
Manage the GlobalProtect App Using AirWatch
Deploy the GlobalProtect Mobile App Using AirWatch
Configure the GlobalProtect App for iOS Using AirWatch
Configure the GlobalProtect App for Android Using AirWatch
Configure the GlobalProtect App for Windows 10 UWP Using AirWatch
Deploy the GlobalProtect Mobile App Using AirWatch
The GlobalProtect app provides a simple way to extend the enterprise security policies out to mobile endpoints. As with other remote hosts running the GlobalProtect agent, the mobile app provides secure access to your corporate network over an IPSec or SSL VPN tunnel. The app connects to the gateway that is closest to the end user's current location. In addition, traffic to and from the mobile endpoint is automatically subject to the same security policy enforcement as other hosts on your corporate network. Like the GlobalProtect agent, the app collects information about the host configuration and can use this information for enhanced HIP-based security policy enforcement.
There are two primary methods for installing the GlobalProtect app: you can install the app directly from the app store for your endpoint (see Download and Install the GlobalProtect Mobile App), or you can deploy the app from a third-party mobile endpoint management system (such as AirWatch) and transparently push the app to your managed endpoints.
With AirWatch, you can deploy the GlobalProtect app to managed endpoints that have enrolled with AirWatch. Endpoints running iOS or Android must download the AirWatch agent to enroll with the AirWatch EMM. Windows 10 endpoints do not require the AirWatch agent but require you to configure enrollment on the endpoint. After you deploy the app, configure and deploy a VPN profile to set up the GlobalProtect app for the end user automatically.
Deploy the GlobalProtect App from AirWatch
Step 1 Before you begin, ensure that the endpoints to which you want to deploy the GlobalProtect app are enrolled with AirWatch:
Android and iOS: Download the AirWatch agent and follow the prompts to enroll.
Windows Phone and Windows 10 UWP: Configure the Windows 10 UWP endpoint to enroll with AirWatch (from the endpoint, select Settings > Accounts > Work access > Connect).
Step 3 Select the organization group by which this app will be managed.
Step 5 Search for the app in the app store for the endpoint, or enter the URL of the GlobalProtect app page:
Apple iOS: https://itunes.apple.com/us/app/globalprotect/id592489989?mt=8&uo=4
Android: https://play.google.com/store/apps/details?id=com.paloaltonetworks.globalprotect
Windows Phone: https://www.microsoft.com/store/apps/9NBLGGH6BZL3
Step 6 Click Next. If you chose to search for the app in the app store for the endpoint, you must also Select the app from the list of search results.
If you chose to search for the GlobalProtect app for Android and did not see the app in the list, contact your Android for Work administrator to add GlobalProtect to the list of approved company apps.
Step 10 Next steps:
Configure the GlobalProtect App for iOS Using AirWatch
Configure the GlobalProtect App for Android Using AirWatch
Configure the GlobalProtect App for Windows 10 UWP Using AirWatch
Configure the GlobalProtect App for iOS Using AirWatch
AirWatch is an Enterprise Mobility Management platform that enables you to manage mobile endpoints from a central console. The GlobalProtect app provides a secure connection between AirWatch-managed mobile endpoints and the firewall at either the device or the application level. Using GlobalProtect as the secure connection allows consistent inspection of traffic and enforcement of network security policy for threat prevention on the mobile endpoint.
Configure a Device-Level VPN Configuration for iOS Devices Using AirWatch
Configure a Per-App VPN Configuration for iOS Devices Using AirWatch
Configure a Device-Level VPN Configuration for iOS Devices Using AirWatch
You can easily enable access to internal resources from your managed mobile endpoints by configuring VPN access using AirWatch. In a device-level VPN configuration, you route all of the traffic that matches the access routes configured on the GlobalProtect gateway through the GlobalProtect VPN.
Configure a Device-Level VPN Configuration for iOS Devices Using AirWatch
Step 1 Download the GlobalProtect app for iOS, using either method:
Deploy the GlobalProtect Mobile App Using AirWatch.
Download the GlobalProtect app directly from the App Store.
Step 2 From the AirWatch console, modify or add a new Apple iOS profile.
1. Navigate to Devices > Profiles > List View.
2. Select an existing profile to add the VPN configuration to it, or add a new one (select Add > Apple iOS).
3. Configure General profile settings:
Description: A brief description of the profile that indicates its purpose.
Deployment: Determines if the profile will be automatically removed upon unenrollment, either Managed (the profile is removed) or Manual (the profile remains installed until removed by the end user).
Assignment Type: Determines how the profile is deployed to endpoints. Select Auto to deploy the profile to all endpoints automatically, Optional to enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or Compliance to deploy the profile when an end user violates a compliance policy applicable to the endpoint.
Managed By: The Organization Group with administrative access to the profile.
Assigned Smart Group: The Smart Group to which you want the device profile added. Includes an option to create a new Smart Group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups and more.
Allow Removal: Determines whether or not the profile can be removed by the endpoint's end user. Select Always to enable the end user to manually remove the profile at any time, Never to prevent the end user from removing the profile from the endpoint, or With Authorization to enable the end user to remove the profile with the authorization of the administrator. Choosing With Authorization adds a required Password.
Exclusions: If Yes is selected, a new field Excluded Smart Groups displays, enabling you to select those Smart Groups you wish to exclude from the assignment of this device profile.
Step 3 To configure the VPN settings, select VPN and then click Configure.
Step 4 Configure connection information, including:
Connection Name: Enter the name of the connection to be displayed.
Connection Type: Select Palo Alto Networks GlobalProtect as the network connection method.
Server: Enter the hostname or IP address of the GlobalProtect portal to which to connect.
Account: Enter the username of the VPN account or click add (+) to view supported lookup values you can insert.
Authentication: Choose the method to authenticate end users. Follow the related prompts to enter a Password or upload an Identity Certificate to use to authenticate users; or, if you selected Password + Certificate, follow the related prompts for both.
Configure a Per-App VPN Configuration for iOS Devices Using AirWatch
You can easily enable access to internal resources from your managed mobile endpoints by configuring GlobalProtect VPN access using AirWatch. In a per-app VPN configuration, you can specify which managed apps on the endpoint can send traffic through the GlobalProtect VPN tunnel. Unmanaged apps will continue to connect directly to the Internet instead of through the GlobalProtect VPN tunnel.
Configure a Per-App VPN Configuration for iOS Devices Using AirWatch
Step 1 Download the GlobalProtect app for iOS, using either method:
Deploy the GlobalProtect Mobile App Using AirWatch.
Download the GlobalProtect app directly from the App Store.
Step 2 From the AirWatch console, modify or add a new Apple iOS profile:
1. Navigate to Devices > Profiles > List View.
2. Select an existing profile to add the VPN configuration to it, or add a new one (select Add > Apple iOS).
Step 3 Configure General profile settings:
Description: A brief description of the profile that indicates its purpose.
Deployment: Determines if the profile will be automatically removed upon unenrollment, either Managed (the profile is removed) or Manual (the profile remains installed until removed by the end user).
Assignment Type: Determines how the profile is deployed to endpoints. Select Auto to deploy the profile to all endpoints automatically, Optional to enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or Compliance to deploy the profile when an end user violates a compliance policy applicable to the endpoint.
Managed By: The Organization Group with administrative access to the profile.
Assigned Smart Group: The Smart Group to which you want the device profile added. Includes an option to create a new Smart Group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups and more.
Allow Removal: Determines whether or not the profile can be removed by the endpoint's end user. Select Always to enable the end user to manually remove the profile at any time, Never to prevent the end user from removing the profile from the endpoint, or With Authorization to enable the end user to remove the profile with the authorization of the administrator. Choosing With Authorization adds a required Password.
Exclusions: If Yes is selected, a new field Excluded Smart Groups displays, enabling you to select those Smart Groups you wish to exclude from the assignment of this device profile.
Step 4 To configure the per-app VPN settings in the Apple iOS profile, select VPN and then click Configure.
Step 5 Configure connection information, including:
Connection Name: Enter the name of the connection to be displayed.
Connection Type: Select Palo Alto Networks GlobalProtect as the network connection method.
Server: Enter the hostname or IP address of the GlobalProtect portal to which to connect.
Account: Enter the username of the VPN account or click add (+) to view supported lookup values that you can insert.
Send All Traffic: Select this check box to force all traffic through the specified network.
Disconnect on Idle: Allow the VPN to auto-disconnect after a specific amount of time.
Enable Per-App VPN to route all of the traffic for a managed app through the GlobalProtect VPN.
Connect Automatically: Select this check box to allow the VPN to connect automatically to the chosen Safari Domains.
Step 6 Configure the authentication method to use to authenticate users. For per-app VPN, you must use certificate-based authentication. Select User Authentication: Certificate, and then follow the prompts to upload an Identity Certificate to use for authentication.
Step 9 Configure per-app VPN settings for a new managed app, or modify the settings for an existing managed app. After configuring the settings for the app and enabling per-app VPN, you can publish the app to a group of users and enable the app to send traffic through the GlobalProtect VPN tunnel.
1. On the main page, select Apps & Books > Public.
2. To add a new app, select Add Application. Or, to modify the settings of an existing app, locate the GlobalProtect app in the list of Public apps and then select the edit icon in the actions menu next to the row.
3. Select the organization group by which this app will be managed.
4. Select Apple iOS as the Platform.
5. Select your preferred method for locating the app, either by searching the App Store (by Name) or by specifying a URL for the app in the App Store (for example, to add the Box app, enter https://itunes.apple.com/us/app/boxforiphoneandipad/id290853822?mt=8&uo=4), and then click Next. If you choose to search the App Store, you must Select the app from the list of search results.
6. On the Assignment tab, select the Assigned Smart Groups that will have access to this app.
7. On the Deployment tab, select the Push Mode, either Auto or On Demand.
8. Select Use VPN and then select the Apple iOS profile that you created earlier in this workflow.
Only profiles that have per-app VPN enabled are available from the drop-down.
Configure the GlobalProtect App for Android Using AirWatch
You can use the GlobalProtect app for Android with AirWatch agent 6.0 and later releases. The AirWatch agent interfaces with AirWatch to manage Android endpoints. Using the GlobalProtect app for Android as the secure connection between the endpoint and the firewall allows consistent inspection of traffic and enforcement of network security policy for threat prevention. The GlobalProtect app can provide a secure connection at either the device or the application level.
Configure a Device-Level VPN Configuration for Android Devices Using AirWatch
Configure a Per-App VPN Configuration for Android Devices Using AirWatch
Enable App Scan Integration with WildFire
Configure a Device-Level VPN Configuration for Android Devices Using AirWatch
You can easily enable access to internal resources from your managed Android mobile endpoints by configuring VPN access using AirWatch. In a device-level VPN configuration, you route all of the traffic that matches the access routes configured on the GlobalProtect gateway through the GlobalProtect VPN.
Configure a Device-Level VPN Configuration for Android Devices Using AirWatch
Step 1 Download the GlobalProtect app for Android, using either method:
Deploy the GlobalProtect Mobile App Using AirWatch.
Download the GlobalProtect app directly from Google Play.
Step 2 From the AirWatch console, modify or add a new Android profile.
1. Navigate to Devices > Profiles > List View.
2. Select an existing profile to which to add the VPN configuration, or add a new one (select Add > Add Profile).
3. Select Android as the platform and Device as the configuration type.
Step 3 Configure General profile settings:
Name: Provide a meaningful name for this configuration.
Version: This field is auto-populated with the latest version number of the configuration profile.
Description: A brief description of the profile that indicates its purpose.
Profile Scope: Scope for this profile, either Production, Staging, or Both.
Assignment Type: Determines how the profile is deployed to endpoints. Select Auto to deploy the profile to all endpoints automatically, Optional to enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or Compliance to deploy the profile when an end user violates a compliance policy applicable to the endpoint.
Managed By: The Organization Group with administrative access to the profile.
Assigned Smart Group: The Smart Group to which you want the device profile added. Includes an option to create a new Smart Group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups and more.
Allow Removal: Determines whether or not the profile can be removed by the endpoint's end user. Select Always to enable the end user to manually remove the profile at any time, Never to prevent the end user from removing the profile from the endpoint, or With Authorization to enable the end user to remove the profile with the authorization of the administrator. Choosing With Authorization adds a required Password.
Exclusions: If Yes is selected, a new field Excluded Smart Groups displays, enabling you to select those Smart Groups you wish to exclude from the assignment of this device profile.
Step 5 To configure the VPN settings, select VPN and then click Configure.
Step 7 Configure Authentication information:
1. Choose the method to authenticate end users: Password or Certificate.
2. Enter the Username of the VPN account or click add (+) to view supported lookup values that you can insert.
3. Enter a Password or upload an Identity Certificate that GlobalProtect will use to authenticate users.
Configure a Per-App VPN Configuration for Android Devices Using AirWatch
You can easily enable access to internal resources from your managed mobile endpoints by configuring GlobalProtect VPN access using AirWatch. In a per-app VPN configuration, you can specify which managed apps on the endpoint can send traffic through the GlobalProtect VPN tunnel. Unmanaged apps will continue to connect directly to the Internet instead of through the GlobalProtect VPN tunnel.
Configure a Per-App VPN Configuration for Android Devices Using AirWatch
Step 1 Download the GlobalProtect app for Android, using either method:
Deploy the GlobalProtect Mobile App Using AirWatch.
Download the GlobalProtect app directly from Google Play.
Step 2 From the AirWatch console, modify or add a new Android profile.
1. Navigate to Devices > Profiles > List View.
2. Select an existing profile to which to add the VPN configuration, or add a new one (select Add > Add Profile).
3. Select Android as the platform and Device as the configuration type.
Step 3 Configure General profile settings:
Name: Provide a meaningful name for this configuration.
Version: This field is auto-populated with the latest version number of the configuration profile.
Description: A brief description of the profile that indicates its purpose.
Profile Scope: Scope for this profile, either Production, Staging, or Both.
Assignment Type: Determines how the profile is deployed to endpoints. Select Auto to deploy the profile to all endpoints automatically, Optional to enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or Compliance to deploy the profile when an end user violates a compliance policy applicable to the endpoint.
Managed By: The Organization Group with administrative access to the profile.
Assigned Smart Group: The Smart Group to which you want the device profile added. Includes an option to create a new Smart Group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups and more.
Allow Removal: Determines whether or not the profile can be removed by the endpoint's end user. Select Always to enable the end user to manually remove the profile at any time, Never to prevent the end user from removing the profile from the endpoint, or With Authorization to enable the end user to remove the profile with the authorization of the administrator. Choosing With Authorization adds a required Password.
Exclusions: When you select Yes, the AirWatch console displays an Excluded Smart Groups field, which you can use to select those Smart Groups you wish to exclude from the assignment of this device profile.
Step 5 To configure the VPN settings:
1. Select VPN and then click Configure.
2. Configure Connection Info, including:
Connection Type: Select GlobalProtect as the network connection method.
Connection Name: Enter the name of the connection that the endpoint will display.
Server: Enter the hostname or IP address of the GlobalProtect portal to which to connect.
Enable Per-App VPN to route all of the traffic for a managed app through the GlobalProtect VPN.
3. Select the authentication method to use to authenticate users. For per-app VPN, you must use certificate-based authentication. Select User Authentication: Certificate, and then follow the prompts to upload an Identity Certificate to use for authentication.
4. Save & Publish this profile to the assigned Smart Groups.
Step 6 Configure per-app VPN settings for a new managed app, or modify the settings for an existing managed app:
1. On the main page, select Apps & Books > Applications > List View > Public.
2. To add a new app, select Add Application. Or, to modify the settings of an existing app, locate the app in the list of Public apps and then select the edit icon in the actions menu next to the row.
3. Select the organization group by which this app will be managed.
4. Select Android as the Platform.
5. Select your preferred method for locating the app, either by specifying a URL or by importing the app from the app store (Google Play). To search by URL, you must also enter the Google Play Store URL for the app (for example, to search for the Box app by URL, enter https://play.google.com/store/apps/details?id=com.box.android).
6. Click Next. If you chose to import the app from Google Play in the previous step, you must Select the app from the list of approved company apps. If you do not see the app in the list, contact your Android for Work administrator to approve the app.
7. On the Assignment tab, select the Assigned Smart Groups that will have access to this app.
8. On the Deployment tab, select the Push Mode, either Auto or On Demand.
9. Select Use VPN and then select the Android profile that you created earlier in this workflow.
Only profiles that have per-app VPN enabled are available from the drop-down.
Step 7 Configure Authentication information:
1. Choose the method to authenticate end users: Password or Certificate.
2. Enter the Username of the VPN account or click add (+) to view supported lookup values that you can insert.
3. Enter a Password or upload an Identity Certificate that GlobalProtect will use to authenticate users.
Enable App Scan Integration with WildFire
By enabling App Scan in AirWatch, you can leverage WildFire threat intelligence about apps to detect malware on Android endpoints. When enabled, the AirWatch agent sends the list of apps that are installed on the Android endpoint to AirWatch. This occurs during enrollment and subsequently on any device check-in. AirWatch then periodically queries WildFire for verdicts and can take compliance action on the endpoint based on the verdict.
Enable App Scan Integration with WildFire
Step 1 Before you begin, obtain a WildFire API key. If you do not already have an API key, contact Support. The API key is the credential that authenticates AirWatch to WildFire, so handle it like any other secret and limit who can view it in the AirWatch console.
Step 2 From AirWatch, select Groups & Settings > All Settings > Apps > App Scan > Third Party Integration.
Step 6 Enter your WildFire API key.
Step 8 Save your changes. AirWatch schedules a synchronization task to communicate with WildFire to obtain the latest verdicts for application hashes and runs the task at regular intervals. Click Sync Now to initiate a manual sync with WildFire.
Configure the GlobalProtect App for Windows 10 UWP Using AirWatch
Using the GlobalProtect app for Windows 10 UWP as the secure connection between the endpoint and the firewall allows consistent inspection of traffic and enforcement of network security policy for threat prevention.
The GlobalProtect app for Windows 10 UWP supports the following configurations using AirWatch:
Per-App VPN: Specifies which managed apps on the endpoint can send traffic through the secure tunnel. Unmanaged apps will continue to connect directly to the Internet instead of through the secure connection.
Device-Level VPN: Sends all traffic that matches specific filters (such as port and IP address) through the VPN irrespective of app. Device-level VPN configurations also support the ability to force the secure connection to be Always On. For even tighter security requirements, you can enable the VPN Lockdown option, which both forces the secure connection to always be on and connected and disables network access when the app is not connected. This configuration is similar to the Enforce GlobalProtect for Network Access option that you would typically configure in a GlobalProtect portal configuration.
Because AirWatch does not yet list GlobalProtect as an official connection provider for Windows endpoints, you must select an alternate VPN provider, edit the settings for the GlobalProtect app, and import the configuration back into the VPN profile as described in the following workflow.
Configure the GlobalProtect App for Windows 10 UWP Using AirWatch
Step 1 Download the GlobalProtect app for Windows 10 UWP, using either method:
Deploy the GlobalProtect Mobile App Using AirWatch.
Download the GlobalProtect app directly from the Microsoft Store.
Step 2 From the AirWatch console, add a new Windows 10 UWP profile:
1. Navigate to Devices > Profiles > List View.
2. Select Add > Add Profile.
3. Select Windows as the platform and Windows Phone as the configuration type.
4. Configure General profile settings, such as a meaningful Name for this configuration and a brief Description of the profile that indicates its purpose.
5. Save and Publish this profile to the assigned Smart Groups.
Step 3 To configure the VPN connection settings, select VPN and then click Configure.
Server: Enter the hostname or IP address of the GlobalProtect portal to which to connect.
Step 5 Configure the authentication settings for the VPN connection:
1. Select the Authentication Type to choose the method to authenticate end users.
2. To permit GlobalProtect to save user credentials, enable Remember Credentials in the Policies area.
Step 6 Configure VPN traffic rules to apply device-wide or on a per-app basis:
Add New Per-App VPN Rule: Specify rules for specific legacy apps (typically .exe files) or modern apps (typically downloaded from the Microsoft Store) that determine whether to automatically establish the VPN connection when the app is launched and whether to send app traffic through the VPN. You can also configure specific traffic filters to route app traffic through the VPN only if it matches criteria such as IP address and port.
Add New Device-Wide VPN Rule: Specify routing filters to send traffic matching a specific route through the VPN. These rules are not bound to an application and are evaluated across the endpoint. If the traffic matches the match criteria, it is routed through the VPN.
Step 7 (Device-level VPN only) If desired, configure your preference of Always On connection:
1. To maintain the VPN connection at all times, enable either of the following options:
Always On: Force the secure connection to be always on.
VPN Lockdown: Force the secure connection to be always on and connected, and disable network access when the app is not connected. The VPN Lockdown option in AirWatch is similar to the Enforce GlobalProtect for Network Access option that you would configure in a GlobalProtect portal configuration.
2. Specify Trusted Network addresses if you want GlobalProtect to connect only when the endpoint is not on a trusted network; while a trusted network is detected, the VPN stays disconnected.
3. Save & Publish your changes.
ConfiguretheGlobalProtectAppforWindows10UWPUsingAirWatch(Continued)
Step8 ToadapttheconfigurationforGlobalProtect,edittheVPNprofileinXML.
TominimizeadditionaleditsintherawXML,reviewthesettingsinyourVPNprofilebeforeyouexport
theconfiguration.IfyouneedtochangeasettingafteryouexporttheVPNprofile,youcanmakethe
changesintherawXMLor,youcanupdatethesettingintheVPNprofileandperformthisstepagain.
1. IntheDevices > Profiles > List View,selecttheradiobuttonnexttothenewprofileyouaddedinthe
previoussteps,andthenselect</> XMLatthetopofthetable.AirWatchopenstheXMLviewoftheprofile.
2. Exporttheprofileandthenopenitinatexteditorofyourchoice.
3. EditthefollowingsettingsforGlobalProtect:
IntheLoclURIelementthatspecifiesthePluginPackageFamilyName,changetheelementto:
<LocURI>./Vendor/MSFT/VPNv2/PaloAltoNetworks/PluginProfile/PluginPackageFamilyName</LocU
RI>
IntheDataelementthatfollows,changethevalueto:
<Data>PaloAltoNetworks.GlobalProtect_rn9aeerfb38dg</Data>
4. Saveyourchangestotheexportedprofile.
5. ReturntoAirWatchandtheDevices > Profiles > List View
6. Create(selectAdd > Add Profile > Windows > Windows Phone)andnameanewprofile.
7. SelectCustom Settings > Configure,andthencopyandpastetheeditedconfiguration.
8. Save & Publishyourchanges.
Step10 Testtheconfiguration.
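The two edits in Step 8 can be applied to an exported profile with a short script. This is an added example, not part of the guide or of AirWatch; the SyncML-style structure, profile name and placeholder plugin values in the sample are constructed, and only the two replacement values come from the procedure above.

```python
"""Retarget an exported AirWatch Windows VPN profile to the GlobalProtect plugin.

Added example (not from the guide or AirWatch). SAMPLE_PROFILE is a
constructed SyncML-style fragment; only GP_LOCURI and GP_PFN are the
values the procedure tells you to enter.
"""
import xml.etree.ElementTree as ET

# Values given in Step 8 of the procedure.
GP_LOCURI = "./Vendor/MSFT/VPNv2/PaloAltoNetworks/PluginProfile/PluginPackageFamilyName"
GP_PFN = "PaloAltoNetworks.GlobalProtect_rn9aeerfb38dg"
PFN_SUFFIX = "/PluginProfile/PluginPackageFamilyName"

# Constructed sample: the profile name "CorpVPN" and the placeholder package
# family name stand in for whatever the alternate VPN provider produced.
SAMPLE_PROFILE = """<Atomic>
  <CmdID>1</CmdID>
  <Replace>
    <CmdID>2</CmdID>
    <Item>
      <Target><LocURI>./Vendor/MSFT/VPNv2/CorpVPN/PluginProfile/PluginPackageFamilyName</LocURI></Target>
      <Data>ExampleVendor.OtherVpnClient_placeholder</Data>
    </Item>
  </Replace>
  <Replace>
    <CmdID>3</CmdID>
    <Item>
      <Target><LocURI>./Vendor/MSFT/VPNv2/CorpVPN/PluginProfile/ServerUrlList</LocURI></Target>
      <Data>portal.example.com</Data>
    </Item>
  </Replace>
</Atomic>"""


def retarget_to_globalprotect(profile_xml):
    """Return (edited_xml, number_of_items_changed).

    Finds every Item whose LocURI names the PluginPackageFamilyName node,
    rewrites that LocURI to the GlobalProtect path and sets the sibling
    Data element to the GlobalProtect package family name. Other nodes
    (such as ServerUrlList) are left untouched.
    """
    root = ET.fromstring(profile_xml)
    changed = 0
    for item in root.iter("Item"):
        locuri = item.find("./Target/LocURI")
        data = item.find("Data")
        if locuri is None or data is None or not (locuri.text or "").strip():
            continue
        if locuri.text.strip().endswith(PFN_SUFFIX):
            locuri.text = GP_LOCURI
            data.text = GP_PFN
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def plugin_package_family_name(profile_xml):
    """Read back the PFN Data value (None if absent): a quick check before re-importing."""
    root = ET.fromstring(profile_xml)
    for item in root.iter("Item"):
        locuri = item.find("./Target/LocURI")
        if locuri is not None and (locuri.text or "").strip().endswith(PFN_SUFFIX):
            data = item.find("Data")
            return data.text if data is not None else None
    return None


if __name__ == "__main__":
    edited, n = retarget_to_globalprotect(SAMPLE_PROFILE)
    print(f"{n} item(s) retargeted; PFN now {plugin_package_family_name(edited)}")
```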
Manage the GlobalProtect App Using a Third-Party MDM

You can use any third-party mobile device management (MDM) system that manages an Android or iOS mobile endpoint to deploy and configure the GlobalProtect app.

    Manage the GlobalProtect App for iOS Using a Third-Party MDM System
        Configure the GlobalProtect App for iOS
        Example: GlobalProtect iOS App Device-Level VPN Configuration
        Example: GlobalProtect iOS App App-Level VPN Configuration
    Manage the GlobalProtect App for Android Using a Third-Party MDM System
        Configure the GlobalProtect App for Android
        Example: Set VPN Configuration
        Example: Remove VPN Configuration
Configure the GlobalProtect App for iOS

While a third-party MDM system allows you to push configuration settings that allow access to your corporate resources and provides a mechanism for enforcing device restrictions, it does not secure the connection between the mobile endpoint and the services it connects to. To enable the client to establish secure tunnel connections, you must enable VPN support on the endpoint.

The following table describes typical settings that you can configure using your third-party MDM system.

Example: GlobalProtect iOS App Device-Level VPN Configuration

The following example shows the XML configuration containing a VPN payload that you can use to verify the device-level VPN configuration of the GlobalProtect app for iOS.

Example: GlobalProtect iOS App App-Level VPN Configuration

The following example shows the XML configuration containing a VPN payload that you can use to verify the app-level VPN configuration of the GlobalProtect app for iOS.

        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadUUID</key>
        <string>5436fc94-205f-7c59-0000-011c</string>
        <key>PayloadRemovalDisallowed</key>
        <false/>
    </dict>
</plist>
Configure the GlobalProtect App for Android

You can deploy and configure the GlobalProtect app on Android for Work devices from any third-party mobile device management (MDM) system supporting Android for Work app data restrictions.

On Android devices, traffic is routed through the VPN tunnel according to the access routes configured on the GlobalProtect gateway. From your third-party MDM that manages Android for Work devices, you can further refine the traffic that is routed through the VPN tunnel.

In an environment where the device is corporately owned, the device owner manages the entire device, including all the apps installed on that device. By default, all installed apps can send traffic through the VPN tunnel according to the access routes defined on the gateway.

In a bring your own device (BYOD) environment, the device is not corporately owned and uses a Work Profile to separate business and personal apps. By default, only managed apps in the Work Profile can send traffic through the VPN tunnel according to the access routes defined on the gateway. Apps installed on the personal side of the device cannot send traffic through the VPN tunnel set up by the managed GlobalProtect app installed in the Work Profile.

To route traffic from an even smaller set of apps, you can enable Per-App VPN so that GlobalProtect only routes traffic from specific managed apps. For Per-App VPN, you can whitelist or blacklist specific managed apps from having their traffic routed through the VPN tunnel.

As part of the VPN configuration, you can also specify how the user connects to the VPN. When you configure the VPN connection method as user-logon, the GlobalProtect app will establish a connection automatically. When you configure the VPN connection method as on-demand, users can initiate a connection manually when attempting to connect to the VPN remotely.

The VPN connect method defined in the MDM takes precedence over the connect method defined in the GlobalProtect portal configuration.

Removing the VPN configuration automatically restores the GlobalProtect app to the original configuration settings.

To configure the GlobalProtect app for Android, configure the following Android App Restrictions.

* The app_list key specifies the configuration for Per-App VPN. Begin the string with either whitelist or blacklist, and follow it with an array of app names separated by semicolons. The whitelist specifies the apps that will use the VPN tunnel for network communication. The network traffic for any other app that is not in the whitelist, or that is expressly listed in the blacklist, will not go through the VPN tunnel.

Example: Set VPN Configuration
Example: Remove VPN Configuration

    // Obtain the DevicePolicyManager and push the app restrictions bundle (config)
    // to the GlobalProtect package on behalf of the device admin component.
    DevicePolicyManager dpm = (DevicePolicyManager) getSystemService(Context.DEVICE_POLICY_SERVICE);
    dpm.setApplicationRestrictions(EnforcerDeviceAdminReceiver.getComponentName(this),
            "com.paloaltonetworks.globalprotect", config);
About Host Information

One of the jobs of the GlobalProtect agent is to collect information about the host it is running on. The agent then submits this host information to the GlobalProtect gateway upon successfully connecting. The gateway matches this raw host information submitted by the agent against any HIP objects and HIP profiles you have defined. If it finds a match, it generates an entry in the HIP Match log. Additionally, if it finds a HIP profile match in a policy rule, it enforces the corresponding security policy.

Using host information profiles for policy enforcement enables granular security that ensures that the remote hosts accessing your critical resources are adequately maintained and in adherence with your security standards before they are allowed access to your network resources. For example, before allowing access to your most sensitive data systems, you might want to ensure that the hosts accessing the data have encryption enabled on their hard drives. You can enforce this policy by creating a security rule that only allows access to the application if the client system has encryption enabled. In addition, for clients that are not in compliance with this rule, you could create a notification message that alerts users as to why they have been denied access and links them to the file share where they can access the installation program for the missing encryption software (of course, to allow the user to access that file share you would have to create a corresponding security rule allowing access to the particular share for hosts with that specific HIP profile match).

    What Data Does the GlobalProtect Agent Collect?
    How Does the Gateway Use the Host Information to Enforce Policy?
    How Do Users Know if Their Systems are Compliant?
    How Do I Get Visibility into the State of the End Clients?

What Data Does the GlobalProtect Agent Collect?

By default, the GlobalProtect agent collects vendor-specific data about the end-user security packages that are running on the computer (as compiled by the OPSWAT global partnership program) and reports this data to the GlobalProtect gateway for use in policy enforcement.

Because security software must continually evolve to ensure end-user protection, your GlobalProtect gateway licenses also enable you to get dynamic updates for the GlobalProtect data file with the latest patch and software versions available for each package.

While the agent collects a comprehensive amount of data about the host it is running on, you may have additional software that you require your end users to run in order to connect to your network or to access certain resources. In this case, you can define custom checks that instruct the agent to collect specific registry information (on Windows clients), preference list (plist) information (on Mac OS clients), or to collect information about whether or not specific services are running on the host.

The agent collects data about the following categories of information by default, to help to identify the security state of the host:

Table: Data Collection Categories

Category            Data Collected

General
    Information about the host itself, including the hostname, logon domain, operating system, client version, and, for Windows systems, the domain to which the machine belongs.
    For the Windows client's domain, the GlobalProtect agent collects the domain defined for ComputerNameDnsDomain, which is the DNS domain assigned to the local computer or the cluster associated with the local computer. This data is what is displayed for the Windows client's Domain in the HIP Match log details (Monitor > HIP Match).

Patch Management
    Information about any patch management software that is enabled and/or installed on the host and whether there are any missing patches.

Firewall
    Information about any client firewalls that are installed and/or enabled on the host.

Antivirus
    Information about any antivirus software that is enabled and/or installed on the host, whether or not real-time protection is enabled, the virus definition version, last scan time, the vendor and product name.
    GlobalProtect uses OPSWAT technology to detect and assess third-party security applications on the endpoint. By integrating with the OPSWAT OESIS framework, GlobalProtect enables you to assess the compliance state of the endpoint. For example, you can define HIP objects and HIP profiles that verify the presence of a specific version of antivirus software from a specific vendor on the endpoint and also ensure that it has the latest virus definition files.

Anti-Spyware
    Information about any anti-spyware software that is enabled and/or installed on the host, whether or not real-time protection is enabled, the virus definition version, last scan time, the vendor and product name.

Disk Backup
    Information about whether disk backup software is installed, the last backup time, and the vendor and product name of the software.

Disk Encryption
    Information about whether disk encryption software is installed, which drives and/or paths are configured for encryption, and the vendor and product name of the software.

Data Loss Prevention
    Information about whether data loss prevention (DLP) software is installed and/or enabled to prevent sensitive corporate information from leaving the corporate network or from being stored on a potentially insecure device. This information is only collected from Windows clients.

Mobile Devices
    Identifying information about the mobile device, such as the model number, phone number, serial number and International Mobile Equipment Identity (IMEI) number. In addition, the agent collects information about specific settings on the device, such as whether or not a passcode is set, whether the device is jailbroken, a list of apps installed on the device that are managed by a third-party mobile device manager, whether the device contains apps that are known to have malware (Android devices only), and, optionally, the GPS location of the device and a list of apps that are not managed by the third-party mobile device manager. Note that for iOS devices, some information is collected by the GlobalProtect app and some information is reported directly by the operating system.

You can exclude certain categories of information from being collected on certain hosts (to save CPU cycles and improve client response time). To do this, you create a client configuration on the portal excluding the categories you are not interested in. For example, if you do not plan to create policy based on whether or not client systems run disk backup software, you can exclude that category and the agent will not collect any information about disk backup.

You can also choose to exclude collecting information from personal devices in order to allow for user privacy. This can include excluding device location and a list of apps installed on the device that are not managed by a third-party mobile device manager.
How Does the Gateway Use the Host Information to Enforce Policy?

While the agent gets the information about what information to collect from the client configuration downloaded from the portal, you define which host attributes you are interested in monitoring and/or using for policy enforcement by creating HIP objects and HIP profiles on the gateway(s):

HIP Objects: Provide the matching criteria to filter out the host information you are interested in using to enforce policy from the raw data reported by the agent. For example, while the raw host data may include information about several antivirus packages that are installed on the client, you may only be interested in one particular application that you require within your organization. In this case, you would create a HIP object to match the specific application you are interested in enforcing.
    The best way to determine what HIP objects you need is to determine how you will use the host information you collect to enforce policy. Keep in mind that the HIP objects themselves are merely building blocks that allow you to create the HIP profiles that are used in your security policies. Therefore, you may want to keep your objects simple, matching on one thing, such as the presence of a particular type of required software, membership in a specific domain, or the presence of a specific client OS. By doing this, you will have the flexibility to create a very granular (and very powerful) HIP-augmented policy.

HIP Profiles: A collection of HIP objects that are to be evaluated together, either for monitoring or for security policy enforcement. When you create your HIP profiles, you can combine the HIP objects you previously created (as well as other HIP profiles) using Boolean logic such that when a traffic flow is evaluated against the resulting HIP profile it will either match or not match. If there is a match, the corresponding policy rule will be enforced; if there is not a match, the flow will be evaluated against the next rule, as with any other policy matching criteria.

Unlike a traffic log, which only creates a log entry if there is a policy match, the HIP Match log generates an entry whenever the raw data submitted by an agent matches a HIP object and/or a HIP profile you have defined. This makes the HIP Match log a good resource for monitoring the state of the hosts on your network over time before attaching your HIP profiles to security policies, in order to help you determine exactly what policies you believe need enforcement. See Configure HIP-Based Policy Enforcement for details on how to create HIP objects and HIP profiles and use them as policy match criteria.

How Do Users Know if Their Systems are Compliant?

By default, end users are not given any information about policy decisions that were made as a result of enforcement of a HIP-enabled security rule. However, you can enable this functionality by defining HIP notification messages to display when a particular HIP profile is matched and/or not matched.

The decision as to when to display a message (that is, whether to display it when the user's configuration matches a HIP profile in the policy or when it doesn't match it) depends largely on your policy and what a HIP match (or non-match) means for the user. That is, does a match mean they are granted full access to your network resources? Or does it mean they have limited access due to a non-compliance issue?

For example, consider the following scenarios:
    You create a HIP profile that matches if the required corporate antivirus and anti-spyware software packages are not installed. In this case, you might want to create a HIP notification message for users who match the HIP profile telling them that they need to install the software (and, optionally, providing a link to the file share where they can access the installer for the corresponding software).
    You create a HIP profile that matches if those same applications are installed. In this case, you might want to create the message for users who do not match the profile, and direct them to the location of the install package.

See Configure HIP-Based Policy Enforcement for details on how to create HIP objects and HIP profiles and use them in defining HIP notification messages.

How Do I Get Visibility into the State of the End Clients?

Whenever an end host connects to GlobalProtect, the agent presents its HIP data to the gateway. The gateway then uses this data to determine which HIP objects and/or HIP profiles the host matches. For each match, it generates a HIP Match log entry. Unlike a traffic log, which only creates a log entry if there is a policy match, the HIP Match log generates an entry whenever the raw data submitted by an agent matches a HIP object and/or a HIP profile you have defined. This makes the HIP Match log a good resource for monitoring the state of the hosts on your network over time before attaching your HIP profiles to security policies, in order to help you determine exactly what policies you believe need enforcement.

Because a HIP Match log entry is only generated when the host state matches a HIP object you have created, for full visibility into host state you may need to create multiple HIP objects to log HIP matches for hosts that are in compliance with a particular state (for security policy enforcement purposes) as well as hosts that are non-compliant (for visibility). For example, suppose you want to prevent a host that does not have antivirus software installed from connecting to the network. In this case you would create a HIP object that matches hosts that have a particular antivirus software installed. By including this object in a HIP profile and attaching it to the security policy rule that allows access from your VPN zone, you can ensure that only hosts that are protected with antivirus software can connect.

However, in this case you would not be able to see in the HIP Match log which particular hosts are not in compliance with this requirement. If you wanted to also see a log for hosts that do not have antivirus software installed so that you can follow up with the users, you can also create a HIP object that matches the condition where the antivirus software is not installed. Because this object is only needed for logging purposes, you do not need to add it to a HIP profile or attach it to a security policy rule.
Configure HIP-Based Policy Enforcement

To enable the use of host information in policy enforcement you must complete the following steps. For more information on the HIP feature, see About Host Information.

Enable HIP Checking

    Repeat this step for each category you want to match against in this object. For more information, see Table: Data Collection Categories.
    4. Click OK to save the HIP object.
    5. Repeat these steps to create each additional HIP object you require.
    6. Commit the changes.

    5. Continue adding match criteria as appropriate for the profile you are building, making sure to select the appropriate Boolean operator radio button (AND or OR) between each addition (and, again, using the NOT check box when appropriate).
    6. If you are creating a complex Boolean expression, you must manually add the parentheses in the proper places in the Match text box to ensure that the HIP profile is evaluated using the logic you intend. For example, the following HIP profile will match traffic from a host that has either FileVault disk encryption (for Mac OS systems) or TrueCrypt disk encryption (for Windows systems), and also belongs to the required domain, and has a Symantec antivirus client installed:
    7. When you are done adding match criteria, click OK to save the profile.
    8. Repeat these steps to create each additional HIP profile you require.
    9. Commit the changes.
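To make the parentheses point concrete, and to show the logging-only object from How Do I Get Visibility into the State of the End Clients, here is a small model of how a gateway matches raw host data against HIP objects and then evaluates a profile's Match text. This is an added example, not code from the guide or PAN-OS: the host records, object names and the quoted-name syntax are constructed, and evaluating NOT before AND before OR when no parentheses are present is an assumption.

```python
"""Model of how a GlobalProtect gateway evaluates HIP objects and profiles.

Added example, not code from the guide or PAN-OS. Host records, object names
and the quoted-name match syntax are constructed; evaluating NOT before AND
before OR when parentheses are absent is an assumption.
"""
import re

# Constructed raw host data: logon domain plus product names per category.
HOSTS = {
    "mac-01": {"domain": "corp.example", "disk-encryption": ["FileVault"], "anti-virus": ["Symantec"]},
    "win-02": {"domain": "corp.example", "disk-encryption": [], "anti-virus": []},
    "contractor-03": {"domain": "WORKGROUP", "disk-encryption": ["FileVault"], "anti-virus": []},
}

# HIP objects, each matching on one thing as the guide recommends.
HIP_OBJECTS = {
    "FileVault": lambda h: "FileVault" in h["disk-encryption"],
    "TrueCrypt": lambda h: "TrueCrypt" in h["disk-encryption"],
    "CorpDomain": lambda h: h["domain"] == "corp.example",
    "SymantecAV": lambda h: "Symantec" in h["anti-virus"],
    # Logging-only object from the visibility discussion: non-compliant hosts
    # only appear in the HIP Match log if some object matches their state.
    "NoAV": lambda h: not h["anti-virus"],
}

# The guide's example profile, with and without the parentheses it calls for.
PARENTHESIZED = '("FileVault" or "TrueCrypt") and "CorpDomain" and "SymantecAV"'
UNPARENTHESIZED = '"FileVault" or "TrueCrypt" and "CorpDomain" and "SymantecAV"'

_TOKEN = re.compile(r'\s*(?:"([^"]+)"|(\(|\))|(and|or|not)\b)', re.IGNORECASE)


def hip_match_log(host):
    """Names of every HIP object the raw host data matches: one HIP Match log
    entry each, whether or not the object is used in a profile or rule."""
    return [name for name, pred in HIP_OBJECTS.items() if pred(host)]


def _tokenize(text):
    tokens, pos = [], 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad match text near {text[pos:]!r}")
        name, paren, word = m.groups()
        tokens.append(("NAME", name) if name else ("OP", (paren or word).lower()))
        pos = m.end()
    return tokens + [("END", None)]


def evaluate_profile(match_text, matched_objects):
    """Evaluate a profile's Match text against the set of matched object names."""
    tokens, pos = _tokenize(match_text.strip()), 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]
    def parse_or():                      # lowest precedence
        value = parse_and()
        while tokens[pos] == ("OP", "or"):
            take()
            rhs = parse_and()
            value = value or rhs
        return value
    def parse_and():
        value = parse_not()
        while tokens[pos] == ("OP", "and"):
            take()
            rhs = parse_not()
            value = value and rhs
        return value
    def parse_not():
        if tokens[pos] == ("OP", "not"):
            take()
            return not parse_not()
        return parse_atom()
    def parse_atom():
        kind, val = take()
        if (kind, val) == ("OP", "("):
            value = parse_or()
            if take() != ("OP", ")"):
                raise ValueError("missing closing parenthesis")
            return value
        if kind == "NAME" and val in HIP_OBJECTS:
            return val in matched_objects
        raise ValueError(f"unexpected token {val!r}")

    result = parse_or()
    if tokens[pos] != ("END", None):
        raise ValueError("unbalanced parentheses or trailing text")
    return result


def policy_decision(host_name, match_text):
    """True if the host's traffic matches the HIP profile attached to a rule."""
    return evaluate_profile(match_text, set(hip_match_log(HOSTS[host_name])))
```

For contractor-03 (FileVault, but not in the domain and no antivirus) the parenthesized profile does not match, while the same objects without parentheses read as FileVault or (TrueCrypt and CorpDomain and SymantecAV) and do match.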
    8. Repeat this procedure for each message you want to define.
    9. Commit the changes.
Collect Application and Process Data From Clients

The Windows Registry and Mac plist can be used to configure and store settings and options for the Windows and Mac operating systems, respectively. You can create a custom check that will allow you to determine whether an application is installed (has a corresponding registry or plist key) or is running (has a corresponding running process) on a Windows or Mac client. Enabling custom checks instructs the GlobalProtect agent to collect specific registry information (registry keys and registry key values from Windows clients) and preference list (plist) information (plists and plist keys from Mac OS clients). The data that you define to be collected in a custom check is included in the raw host information data collected by the GlobalProtect agent and then submitted to the GlobalProtect gateway when the agent connects.

To monitor the data collected with custom checks you can create a HIP object. You can then add the HIP object to a HIP profile to use the collected data to match device traffic and enforce security rules. The gateway can use the HIP object (which matches the data defined in the custom check) to filter the raw host information submitted by the agent. When the gateway matches the client data to a HIP object, a HIP Match log entry is generated for the data. A HIP profile allows the gateway to also match the collected data to a security rule. If the HIP profile is used as criteria for a security policy rule, the gateway will enforce that security rule on the matching traffic.

Use the following task to enable custom checks to collect data from Windows and Mac clients. This task includes the optional steps to create a HIP object and HIP profile for a custom check, if you would like to use client data as matching criteria for a security policy to monitor, identify, and act on traffic.

For more information on defining agent settings directly from the Windows registry or the global Mac plist, see Deploy Agent Settings Transparently.

Enable and Verify Custom Checks for Windows or Mac Clients

Collect data from a Mac client:
    1. Select Network > GlobalProtect > Portals and then select the portal configuration you want to modify or Add a new one.
    2. Select the Agent tab and then select the agent configuration you want to modify or Add a new one.
    3. Select Data Collection, and then verify that Collect HIP Data is enabled.
    4. Select Custom Checks > Mac.
    5. Add the Plist that you want to collect information about and the corresponding Plist Key to determine if the application is installed.
       For example, Add the Plist com.apple.screensaver and the Key askForPassword to collect information on whether a password is required to wake the Mac client after the screen saver begins.
       Confirm that the Plist and Key are added to the Mac custom checks.

For Mac clients:
    On the Mac client, click the GlobalProtect icon on the menu bar, click Advanced View, and click Host State to view the information that the GlobalProtect agent is collecting for the Mac client. Under the custom checks drop-down, verify that the data you defined for collection in Step 7 is displayed.

    3. Click OK to save the HIP object. You can Commit to view the data in the HIP Match logs at the next device check-in, or continue to Step 6.

For Mac clients only:
    1. Select the Plist tab, click Add, and enter the name of the Plist for which you want to check Mac clients. (If instead you want to match Mac clients that do not have the specified Plist, continue by selecting Plist does not exist.)
    2. (Optional) You can match traffic to a specific key-value pair within the Plist by entering the Key and the corresponding Value to match. (Alternatively, if you want to identify clients that do not have a specific Key and Value, you can continue by selecting Negate after populating the Key and Value fields.)
    3. Click OK to save the HIP object. You can Commit to view the data in the HIP Match logs at the next device check-in, or continue to Step 6.
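The Plist does not exist and Negate options above have distinct semantics that are easy to confuse. The following added example (not the agent's or gateway's code) models a Plist entry of a HIP object and evaluates it against collected plist data; the com.apple.screensaver contents are constructed, and comparing values as strings is an assumption.

```python
"""Evaluate a Mac custom-check HIP object against collected plist data.

Added example, not the GlobalProtect agent's or gateway's code. The plist
content is constructed; the match options model the 'Plist does not exist'
and 'Negate' choices described above. Values are compared as strings, as
they are typed into the HIP object (assumption).
"""
import plistlib
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the com.apple.screensaver preferences the agent
# would collect from a Mac; askForPassword=1 means a password is required.
COLLECTED_PLISTS = {
    "com.apple.screensaver": plistlib.loads(b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>askForPassword</key><integer>1</integer>
  <key>askForPasswordDelay</key><integer>300</integer>
</dict></plist>"""),
}


@dataclass(frozen=True)
class PlistCheck:
    """One Plist entry of a HIP object (Custom Checks > Plist tab)."""
    plist: str
    plist_does_not_exist: bool = False   # 'Plist does not exist' selected
    key: Optional[str] = None            # optional key/value pair to match
    value: Optional[str] = None
    negate: bool = False                 # 'Negate' selected for the pair


def plist_check_matches(check, collected):
    """True if the collected host data satisfies the check."""
    present = check.plist in collected
    if check.plist_does_not_exist:       # presence alone decides, key/value ignored
        return not present
    if not present:                      # cannot match a key in a missing plist
        return False
    if check.key is None:                # only the plist's presence was required
        return True
    actual = collected[check.plist].get(check.key)
    pair_matches = actual is not None and str(actual) == check.value
    # Negate flips the key/value result, so a missing key also counts as a match.
    return (not pair_matches) if check.negate else pair_matches
```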
Block Device Access

In the event that a user loses a device that provides GlobalProtect access to your network, that device is stolen, or a user leaves your organization, you can block the device from gaining access to the network by placing the device in a block list.

A block list is local to a logical network location (vsys1, for example) and can contain a maximum of 1,000 devices per location. Therefore, you can create separate device block lists for each location hosting a GlobalProtect deployment.
Remote Access VPN (Authentication Profile)

In Figure: GlobalProtect VPN for Remote Access, the GlobalProtect portal and gateway are configured on ethernet1/2, so this is the physical interface where GlobalProtect clients connect. After a client connects and the portal and gateway authenticate it, the client establishes a VPN tunnel from its virtual adapter, which has been assigned an address in the IP address pool associated with the gateway tunnel.2 configuration (10.31.32.3-10.31.32.118 in this example). Because GlobalProtect VPN tunnels terminate in a separate corp-vpn zone, you have visibility into the VPN traffic as well as the ability to customize security policy for remote users.

Figure: GlobalProtect VPN for Remote Access

The following procedure provides the configuration steps for this example. You can also watch the video.

Quick Config: VPN Remote Access
Remote Access VPN (Certificate Profile)

With certificate authentication, the client must present a valid client certificate that identifies the user to the GlobalProtect portal or gateway. In addition to the certificate itself, the portal or gateway can use a certificate profile to determine whether the client that sent the certificate is the client to which the certificate was issued.

When a client certificate is the only means of authentication, the certificate that the client presents must contain the username in one of the certificate fields; typically the username corresponds to the common name (CN) in the Subject field of the certificate.

Upon successful authentication, the GlobalProtect agent establishes a VPN tunnel with the gateway and is assigned an IP address from the IP pool in the gateway's tunnel configuration. To support user-based policy enforcement on sessions from the corp-vpn zone, the username from the certificate is mapped to the IP address that the gateway assigned. Also, if a security policy requires a domain name in addition to the username, the specified domain value in the certificate profile is appended to the username.

Figure: GlobalProtect Client Certificate Authentication Configuration

This quick configuration uses the same topology as Figure: GlobalProtect VPN for Remote Access. The only configuration difference is that instead of authenticating users against an external authentication server, this configuration uses client certificate authentication only.

Quick Config: VPN Remote Access with Client Certificate Authentication

Remote Access VPN with Two-Factor Authentication

If you configure a GlobalProtect portal or gateway with an authentication profile and a certificate profile (which together can provide two-factor authentication), the end user must succeed at authentication through both profiles before gaining access. For portal authentication, this means that certificates must be pre-deployed to the end clients before their initial portal connection. Additionally, the client certificate presented by a client must match what is defined in the certificate profile.

If the certificate profile does not specify a username field (that is, the Username Field is set to None), the client certificate does not need to have a username. In this case, the client must provide the username when authenticating against the authentication profile.

If the certificate profile specifies a username field, the certificate that the client presents must contain a username in the corresponding field. For example, if the certificate profile specifies that the username field is Subject, the certificate presented by the client must contain a value in the common name field, or else the authentication fails. In addition, when the username field is required, the value from the username field of the certificate is automatically populated as the username when the user attempts to enter credentials for authenticating to the authentication profile. If you do not want to force users to authenticate with a username from the certificate, do not specify a username field in the certificate profile.

This quick configuration uses the same topology as Figure: GlobalProtect VPN for Remote Access. However, in this configuration the clients must authenticate against a certificate profile and an authentication profile.

For more details on a specific type of two-factor authentication, see the following topics:
    Enable Two-Factor Authentication Using Certificate and Authentication Profiles
    Enable Two-Factor Authentication Using One-Time Passwords (OTPs)
    Enable Two-Factor Authentication Using Smart Cards

Use the following procedure to configure VPN Remote Access with Two-Factor Authentication.

VPN Remote Access with Two-Factor Authentication
Always On VPN Configuration

In an always-on GlobalProtect configuration, the agent connects to the GlobalProtect portal upon user logon to submit user and host information and receive the client configuration. It then automatically establishes the VPN tunnel to the gateway specified in the client configuration delivered by the portal, without end-user intervention, as shown in the following illustration.

To switch any of the previous remote access VPN configurations to an always-on configuration, you simply change the connect method:
    Remote Access VPN (Authentication Profile)
    Remote Access VPN (Certificate Profile)
    Remote Access VPN with Two-Factor Authentication

Use the following procedure to switch to an Always On configuration.

Switch to an Always On Configuration

Step 3  Select the App tab.

Step 5  Click OK twice to save the agent configuration and the portal configuration, and then Commit your changes.
Remote Access VPN with Pre-Logon

Pre-logon is a connect method that establishes a VPN tunnel before a user logs in. The purpose of pre-logon is to authenticate the endpoint (not the user) and then enable domain scripts and other tasks of your choice to run as soon as the endpoint powers on. A machine certificate enables the endpoint to establish the VPN tunnel to the gateway. A common practice for IT personnel is to install the machine certificate while staging the endpoint for the user.

A pre-logon VPN tunnel has no username association because the user has not logged in. Therefore, to let the endpoint have access to resources in the trust zone, you must create security policies that match the pre-logon user. These policies should allow access to only the basic services for starting up the system, such as DHCP, DNS, Active Directory (for example, to change an expired password), antivirus, or operating system update services.

After the gateway authenticates a Windows user, the VPN tunnel is reassigned to that user (the IP address mapping on the firewall changes from the pre-logon endpoint to the authenticated user).

Mac systems behave differently from Windows systems with pre-logon. With Mac OS, the tunnel created for pre-logon is torn down and a new tunnel created when the user logs in.

When a client requests a new connection, the portal authenticates the client by using an authentication profile. The portal can also use an optional certificate profile that validates the client certificate (if the configuration includes a client certificate). In this case, the client certificate must identify the user.

After authentication, the portal determines if the client's configuration is current. If the portal's configuration for the agent has changed, it pushes an updated configuration to the endpoint.

If the configuration on the portal or a gateway includes cookie-based authentication for the client, the portal or gateway installs an encrypted cookie on the client. Subsequently, the portal or gateway uses the cookie to authenticate users and for refreshing the client's configuration. Also, if an agent configuration profile includes the pre-logon connect method in addition to cookie authentication, the GlobalProtect components can use the cookie for pre-logon.

If users never log in to a device (for example, a headless device) or a pre-logon connection is required on a system that a user has not previously logged in to, you can let the endpoint initiate a pre-logon tunnel without first connecting to the portal to download the pre-logon configuration. To do this, you must override the default behavior by creating entries in the Windows registry or Mac plist.

The GlobalProtect endpoint will then connect to the portal specified in the configuration, authenticate the endpoint by using its machine certificate (as specified in a certificate profile configured on the gateway), and establish the VPN tunnel.

When the end user subsequently logs in to the machine, and if single sign-on (SSO) is enabled in the client configuration, the username and password are captured while the user logs in and used to authenticate to the gateway so that the tunnel can be renamed (Windows). If SSO is not enabled in the client configuration, or if SSO is not supported on the client system (for example, it is a Mac OS system), the user's credentials must be stored in the agent (that is, the Save User Credentials option must be set to Yes). After successful authentication to the gateway, the tunnel will be renamed (Windows) or rebuilt (Mac) and user- and group-based policy can be enforced.

This example uses the GlobalProtect topology shown in Figure: GlobalProtect VPN for Remote Access.

Remote Access VPN with Pre-Logon
GlobalProtectMultipleGatewayConfiguration
In Figure: GlobalProtect Multiple Gateway Topology, a second external gateway has been added to the configuration. Multiple gateways are supported in all of the preceding example configurations. Additional steps include configuring a second firewall as a GlobalProtect gateway. In addition, when configuring the client configurations to be deployed by the portal, you can decide whether to allow access to all gateways or specify different gateways for different configurations.
Figure: GlobalProtect Multiple Gateway Topology
If a client configuration contains more than one gateway, the agent will attempt to connect to all gateways listed in its client configuration. The agent will then use priority and response time to determine the gateway to which to connect. The agent connects to a lower-priority gateway only if the response time for the higher-priority gateway is greater than the average response time across all gateways. For more information, see Gateway Priority in a Multiple Gateway Configuration.
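The selection rule in the preceding paragraph, worked through as an added Python illustration (not code from this guide or from the GlobalProtect agent): every gateway in the client configuration is probed, and the highest-priority gateway wins unless its response time exceeds the average across all reachable gateways, in which case the next priority is considered. Gateway names and timings are constructed; when priorities are equal the fastest gateway wins, which is the case the reference architecture later in this chapter relies on.

```python
"""Gateway selection by priority and response time (added illustration)."""
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional


@dataclass
class GatewayProbe:
    name: str                      # constructed gateway name, not from the guide
    priority: int                  # 1 = highest priority
    response_ms: Optional[float]   # None when the probe got no response


def select_gateway(probes: List[GatewayProbe]) -> Optional[str]:
    """Return the gateway the agent should connect to, or None if none responded."""
    reachable = [p for p in probes if p.response_ms is not None]
    if not reachable:
        return None
    # Average response time across all gateways that answered the probe.
    avg = mean(p.response_ms for p in reachable)
    # Walk gateways from highest to lowest priority; among equal priorities the
    # faster gateway comes first. The first gateway whose response time is not
    # worse than the average is chosen; a slower one is skipped in favour of the
    # next priority, exactly as the guide describes.
    for p in sorted(reachable, key=lambda g: (g.priority, g.response_ms)):
        if p.response_ms <= avg:
            return p.name
    # Defensive fallback (at least one value is always <= the mean).
    return min(reachable, key=lambda g: g.response_ms).name


if __name__ == "__main__":
    # Constructed sample: the preferred gateway is congested, so the agent
    # falls through to the second-priority gateway.
    sample = [
        GatewayProbe("gw-primary", 1, 120.0),
        GatewayProbe("gw-secondary", 2, 40.0),
        GatewayProbe("gw-tertiary", 3, 50.0),
    ]
    print(select_gateway(sample))  # gw-secondary
```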
Quick Config: GlobalProtect Multiple Gateway Configuration
GlobalProtect for Internal HIP Checking and User-Based Access
When used in conjunction with User-ID and/or HIP checks, an internal gateway can be used to provide a secure, accurate method of identifying and controlling traffic by user and/or device state, replacing other network access control (NAC) services. Internal gateways are useful in sensitive environments where authenticated access to critical resources is required.
In a configuration with only internal gateways, all clients must be configured with user-logon; on-demand mode is not supported. In addition, it is recommended that you configure all client configurations to use single sign-on (SSO). Additionally, because internal hosts do not need to establish a tunnel connection with the gateway, the IP address of the physical network adapter on the client system is used.
In this quick config, internal gateways are used to enforce group-based policies that allow users in the Engineering group access to the internal source control and bug databases and users in the Finance group access to the CRM applications. All authenticated users have access to internal web resources. In addition, HIP profiles configured on the gateway check each host to ensure compliance with internal maintenance requirements, such as whether the latest security patches and antivirus definitions are installed, whether disk encryption is enabled, or whether the required software is installed.
Figure: GlobalProtect Internal Gateway Configuration
Use the following procedure to quickly configure a GlobalProtect internal gateway.
Quick Config: GlobalProtect Internal Gateway Configuration
2. Create the HIP profiles that you plan to use in your policies. For example, if you want to ensure that only Windows users with up-to-date patches can access your internal applications, you might attach the following HIP profile that will match hosts that do NOT have a missing patch:
Mixed Internal and External Gateway Configuration
In a GlobalProtect mixed internal and external gateway configuration, you configure separate gateways for VPN access and for access to your sensitive internal resources. With this configuration, agents perform internal host detection to determine whether they are on the internal or external network. If the agent determines it is on the external network, it will attempt to connect to the external gateways listed in its client configuration and will establish a VPN (tunnel) connection with the gateway with the highest priority and the shortest response time.
Because security policies are defined separately on each gateway, you have granular control over which resources your external and internal users have access to. In addition, you also have granular control over which gateways users have access to by configuring the portal to deploy different client configurations based on user/group membership or on HIP profile matching.
In this example, the portal and all three gateways (one external and two internal) are deployed on separate firewalls. The external gateway at gpvpn.acme.com provides remote VPN access to the corporate network, while the internal gateways provide granular access to sensitive datacenter resources based on group membership. In addition, HIP checks are used to ensure that hosts accessing the datacenter are up to date on security patches.
Figure: GlobalProtect Deployment with Internal and External Gateways
Use the following procedure to quickly configure a mix of internal and external GlobalProtect gateways.
Quick Config: GlobalProtect Mixed Internal & External Gateway Configuration
2. Create the HIP profiles that you plan to use in your policies. For example, if you want to ensure that only Windows users with up-to-date patches can access your internal applications, you might attach the following HIP profile that will match hosts that do NOT have a missing patch:
GlobalProtect Reference Architecture Topology
GlobalProtect Portal
In this topology, a PA-3020 in the colocation space functions as a GlobalProtect portal.
Employees and contractors can authenticate to the portal using two-factor authentication (2FA) consisting of Active Directory (AD) credentials and a one-time password (OTP). The portal deploys GlobalProtect client configurations based on user and group membership and operating system.
By configuring a separate portal client configuration that applies to a small group or set of pilot users, you can test features before rolling them out to a wider user base. Any client configuration containing new features, such as the Enforce GlobalProtect or Simple Certificate Enrollment Protocol (SCEP) features which were made available with PAN-OS 7.1 and the content updates that followed, is enabled in the pilot configuration first and validated by those pilot users before it is made available to other users.
The GlobalProtect portal also pushes configurations to GlobalProtect satellites. This configuration includes the GlobalProtect gateways to which satellites can connect and establish a site-to-site tunnel.
GlobalProtect Gateways
The PA-3020 in the colocation space (mentioned previously) also doubles as a GlobalProtect gateway (the Santa Clara Gateway). 10 additional gateways are deployed in Amazon Web Services (AWS) and the Microsoft Azure public cloud. The regions or POP locations where these AWS and Azure gateways are deployed are based on the distribution of employees across the globe.
Santa Clara Gateway: Employees and contractors can authenticate to the Santa Clara Gateway (PA-3020 in the colocation space) using 2FA. This gateway requires users to provide their Active Directory credentials and their OTP. Because this gateway protects sensitive resources, it is configured as a manual-only gateway. As a result, users do not connect to this gateway automatically and must manually choose to connect to it. For example, when users connect to AWS Norcal, which is not a manual-only gateway, some sensitive internal resources are not accessible. The user must then manually switch to and authenticate with the Santa Clara Gateway to access these resources.
In addition, the Santa Clara Gateway is configured as a Large Scale VPN (LSVPN) tunnel termination point for all satellite connections from gateways in AWS and Azure. The Santa Clara Gateway is also configured to set up an Internet Protocol Security (IPSec) tunnel to the IT firewall in corporate headquarters. This is the tunnel that provides access to resources in the corporate headquarters.
Gateways in Amazon Web Services and Microsoft Azure: These gateways require 2FA: a client certificate and Active Directory credentials. The GlobalProtect portal distributes the client certificate that is required to authenticate with these gateways using the GlobalProtect SCEP feature.
These gateways in the public cloud also act as GlobalProtect satellites. They communicate with the GlobalProtect portal, download the satellite configuration, and establish a site-to-site tunnel with the Santa Clara Gateway. GlobalProtect satellites initially authenticate using their serial number, and subsequently authenticate using certificates.
Gateways Inside Corporate Headquarters: Within the corporate headquarters, three firewalls function as GlobalProtect gateways. These are internal gateways and do not require endpoints to set up a tunnel. Users authenticate to these gateways using their Active Directory credentials. These internal gateways use GlobalProtect to identify the User-ID and to collect the Host Information Profile (HIP) from the endpoints.
To make the end-user experience as seamless as possible, you can configure these internal gateways to authenticate users using certificates provisioned by SCEP or using Kerberos service tickets.
GlobalProtect Reference Architecture Features
End-User Experience
End users who are remote (not inside the corporate network) connect to one of the gateways in AWS or Azure. When you configure the GlobalProtect portal client configuration, assign equal priority to the gateways. With this configuration, the gateway to which users connect depends on the SSL response time of each gateway, measured on the endpoint during tunnel setup.
For example, a user in Australia would typically connect to the AWS Sydney Gateway. Once the user is connected to AWS Sydney, the GlobalProtect client tunnels all traffic from the endpoint to the AWS Sydney firewall for inspection. GlobalProtect sends traffic to public internet sites directly via the AWS Sydney Gateway and tunnels traffic to corporate resources through a site-to-site tunnel between the AWS Sydney Gateway and the Santa Clara Gateway, and then through an IPSec site-to-site tunnel to the corporate headquarters. This architecture is designed to reduce any latency the user may experience when accessing the internet. If the AWS Sydney Gateway (or any gateway closer to Sydney) were unreachable, the GlobalProtect client would backhaul the internet traffic to the firewall in the corporate headquarters and cause latency issues.
Active Directory servers reside inside the corporate network. When remote end users authenticate, the GlobalProtect client sends authentication requests through the site-to-site tunnel in AWS/Azure to the Santa Clara Gateway. The gateway then forwards the request through an IPSec site-to-site tunnel to the Active Directory server in corporate headquarters.
To reduce the time it takes for remote user authentication and tunnel setup, consider replicating the Active Directory server and making it available in AWS.
End users inside the corporate network authenticate to the three internal gateways immediately after they log in; the GlobalProtect client sends the HIP report to these internal gateways. When users are inside the office on the corporate network, they must meet the User-ID and HIP requirements to access any resource at work.
Management and Logging
In this deployment, you can manage and configure all firewalls from Panorama, which is deployed in the colocation space.
To provide consistent security, all firewalls in AWS and Azure use the same security policies and configurations. To simplify configuration of the gateways, Panorama also uses one device group and one template. In this deployment, all gateways forward all logs to Panorama. This enables you to monitor network traffic or troubleshoot issues from a central location instead of requiring you to log in to each firewall.
When software updates are required, you can use Panorama to deploy the software updates to all firewalls. Panorama first upgrades one or two firewalls and verifies whether the upgrade was successful before updating the remaining firewalls.
Monitoring and High Availability
To monitor the firewalls in this deployment, you can use Nagios, an open-source server, network, and log monitoring software. Configure Nagios to periodically verify the response from the portal and the gateways' pre-login page and send an alert if the response does not match the expectations. You can also configure GlobalProtect Simple Network Management Protocol (SNMP) Management Information Base (MIB) objects to monitor gateway usage.
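A Nagios-style plugin for the pre-login check described above, added here as an example and not part of this guide or of any Palo Alto Networks tool. It assumes you pass the URL of your own portal's or gateway's pre-login page and a marker string that a healthy page always contains; the exit codes follow the standard Nagios plugin convention (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN).

```python
"""check_gp_prelogin: Nagios-style check of a GlobalProtect pre-login page (added example)."""
import sys
import time
import urllib.error
import urllib.request

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3   # Nagios plugin exit codes


def evaluate_response(status, body, expected_marker, elapsed_s, warn_s=2.0):
    """Map HTTP status, body and timing to a (exit_code, message) pair.

    status is None when no HTTP response was received at all."""
    if status is None:
        return CRITICAL, "CRITICAL - pre-login page unreachable"
    if status != 200:
        return CRITICAL, f"CRITICAL - HTTP {status} from pre-login page"
    if expected_marker not in body:
        # The page answered but not with what a healthy portal/gateway returns.
        return CRITICAL, "CRITICAL - pre-login response does not match expectation"
    if elapsed_s > warn_s:
        return WARNING, f"WARNING - pre-login page slow ({elapsed_s:.2f}s)"
    return OK, f"OK - pre-login page healthy ({elapsed_s:.2f}s)"


def fetch(url, timeout=10):
    """Fetch url; return (status, body, elapsed_seconds). status is None on failure."""
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
            return resp.status, body, time.monotonic() - start
    except urllib.error.HTTPError as err:
        return err.code, "", time.monotonic() - start
    except (urllib.error.URLError, OSError):
        return None, "", time.monotonic() - start


def main(argv):
    if len(argv) != 3:
        # Both values are deployment-specific placeholders, not from the guide.
        print("UNKNOWN - usage: check_gp_prelogin <PRELOGIN-PAGE-URL> <EXPECTED-MARKER>")
        return UNKNOWN
    status, body, elapsed = fetch(argv[1])
    code, message = evaluate_response(status, body, argv[2], elapsed)
    print(message)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Register the script as a Nagios command with the two arguments and schedule it against the portal and each gateway; Nagios raises the alert from the exit code.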
In this deployment there is only one instance of the GlobalProtect portal. If the portal becomes unavailable, new users (who have never connected to the portal before) will not be able to connect to GlobalProtect. However, existing users can use the cached portal client configuration to connect to one of the gateways.
Multiple virtual machine (VM) firewalls in AWS configured as GlobalProtect gateways provide gateway redundancy. Therefore, configuring gateways as a high availability (HA) pair is not required.
GlobalProtect Reference Architecture Configurations
To align your deployment with the reference architecture, review the following configuration checklists.
Gateway Configuration
Portal Configuration
Policy Configurations
Configure all firewalls to use security policies and profiles based on the Best Practice Internet Gateway Security Policy. In this reference deployment, this includes the Santa Clara Gateway in the colocation space and the gateways in the AWS/Azure public cloud.
Enable SSL Decryption on all gateways in AWS and Azure.
Configure Policy-Based Forwarding rules for all gateways in AWS to forward traffic to certain websites through the Santa Clara Gateway. This ensures that sites like www.stubhub.com and www.lowes.com, which block traffic from AWS IP address ranges, are still accessible when users connect to gateways in AWS.