
GlobalProtect Administrator's Guide
Version 7.1

Contact Information

Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About this Guide

This guide describes how to deploy GlobalProtect to extend the same next-generation firewall-based policies that are enforced within the physical perimeter to your roaming users, no matter where they are located:

For information on how to configure other components in the Palo Alto Networks Next-Generation Security Platform, go to the Technical Documentation portal: https://www.paloaltonetworks.com/documentation or search the documentation.

For access to the knowledge base, complete documentation set, discussion forums, and videos, refer to https://live.paloaltonetworks.com.

For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.

For the most current PAN-OS and GlobalProtect 7.1 release notes, go to https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os-release-notes.html.

To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.

Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Revision Date: November 21, 2016

2 GlobalProtect 7.1 Administrator's Guide Palo Alto Networks, Inc.
Table of Contents

GlobalProtect Overview ... 7
    About the GlobalProtect Components ... 8
        GlobalProtect Portal ... 8
        GlobalProtect Gateways ... 8
        GlobalProtect Client ... 9
    What Client OS Versions are Supported with GlobalProtect? ... 10
    What Features Does GlobalProtect Support? ... 11
    About GlobalProtect Licenses ... 13

Set Up the GlobalProtect Infrastructure ... 15
    Create Interfaces and Zones for GlobalProtect ... 16
    Enable SSL Between GlobalProtect Components ... 18
        About GlobalProtect Certificate Deployment ... 18
        GlobalProtect Certificate Best Practices ... 18
        Deploy Server Certificates to the GlobalProtect Components ... 21
    Set Up GlobalProtect User Authentication ... 25
        About GlobalProtect User Authentication ... 25
        Set Up External Authentication ... 28
        Set Up Client Certificate Authentication ... 32
        Set Up Two-Factor Authentication ... 38
        Set Up Authentication for strongSwan Ubuntu and CentOS Clients ... 47
    Enable Group Mapping ... 54
    Configure GlobalProtect Gateways ... 57
        Prerequisite Tasks for Configuring the GlobalProtect Gateway ... 57
        Configure a GlobalProtect Gateway ... 57
    Configure the GlobalProtect Portal ... 65
        Prerequisite Tasks for Configuring the GlobalProtect Portal ... 65
        Set Up Access to the GlobalProtect Portal ... 66
        Define the GlobalProtect Client Authentication Configurations ... 67
        Gateway Priority in a Multiple-Gateway Configuration ... 68
        Define the GlobalProtect Agent Configurations ... 69
        Customize the GlobalProtect Agent ... 74
        Customize the GlobalProtect Portal Login, Welcome, and Help Pages ... 82
    Enable Delivery of GlobalProtect Client VSAs to a RADIUS Server ... 84
    Deploy the GlobalProtect Client Software ... 85
        Deploy the GlobalProtect Agent Software ... 85
        Download and Install the GlobalProtect Mobile App ... 90
        Download and Install the GlobalProtect App for Chrome OS ... 93

    Deploy Agent Settings Transparently ... 97
        Customizable Agent Settings ... 98
        Deploy Agent Settings to Windows Clients ... 104
        Deploy Agent Settings to Mac Clients ... 113
    Reference: GlobalProtect Agent Cryptographic Functions ... 117
    GlobalProtect MIB Support ... 118

Mobile Endpoint Management ... 119
    Mobile Endpoint Management Overview ... 120
    Set Up a Mobile Endpoint Management System ... 121
    Manage the GlobalProtect App Using AirWatch ... 122
        Deploy the GlobalProtect Mobile App Using AirWatch ... 122
        Configure the GlobalProtect App for iOS Using AirWatch ... 123
        Configure the GlobalProtect App for Android Using AirWatch ... 126
        Configure the GlobalProtect App for Windows 10 UWP Using AirWatch ... 130
    Manage the GlobalProtect App Using a Third-Party MDM ... 133
        Configure the GlobalProtect App for iOS ... 133
        Example: GlobalProtect iOS App Device-Level VPN Configuration ... 134
        Example: GlobalProtect iOS App App-Level VPN Configuration ... 135
        Configure the GlobalProtect App for Android ... 136
        Example: Set VPN Configuration ... 137
        Example: Remove VPN Configuration ... 137

Use Host Information in Policy Enforcement ... 139
    About Host Information ... 140
        What Data Does the GlobalProtect Agent Collect? ... 140
        How Does the Gateway Use the Host Information to Enforce Policy? ... 142
        How Do Users Know if Their Systems are Compliant? ... 143
        How Do I Get Visibility into the State of the End Clients? ... 143
    Configure HIP-Based Policy Enforcement ... 144
    Collect Application and Process Data From Clients ... 151
    Block Device Access ... 156

GlobalProtect Quick Configs ... 157
    Remote Access VPN (Authentication Profile) ... 158
    Remote Access VPN (Certificate Profile) ... 161
    Remote Access VPN with Two-Factor Authentication ... 164
    Always-On VPN Configuration ... 168
    Remote Access VPN with Pre-Logon ... 169
    GlobalProtect Multiple Gateway Configuration ... 175
    GlobalProtect for Internal HIP Checking and User-Based Access ... 179
    Mixed Internal and External Gateway Configuration ... 183


GlobalProtect Reference Architecture ... 189
    GlobalProtect Reference Architecture Topology ... 190
        GlobalProtect Portal ... 190
        GlobalProtect Gateways ... 191
    GlobalProtect Reference Architecture Features ... 192
        End User Experience ... 192
        Management and Logging ... 192
        Monitoring and High Availability ... 193
    GlobalProtect Reference Architecture Configurations ... 194
        Gateway Configuration ... 194
        Portal Configuration ... 194
        Policy Configurations ... 194

GlobalProtect Overview

Whether checking email from home or updating corporate documents from the airport, the majority of today's employees work outside the physical corporate boundaries. This increased workforce mobility brings increased productivity and flexibility while simultaneously introducing significant security risks. Every time users leave the building with their laptops or mobile devices they are bypassing the corporate firewall and associated policies that are designed to protect both the user and the network. GlobalProtect solves the security challenges introduced by roaming users by extending the same next-generation firewall-based policies that are enforced within the physical perimeter to all users, no matter where they are located.

The following sections provide conceptual information about the Palo Alto Networks GlobalProtect offering and describe the components of GlobalProtect and the various deployment scenarios:

- About the GlobalProtect Components
- What Client OS Versions are Supported with GlobalProtect?
- What Features Does GlobalProtect Support?
- About GlobalProtect Licenses


About the GlobalProtect Components

GlobalProtect provides a complete infrastructure for managing your mobile workforce to enable secure access for all your users, regardless of what devices they are using or where they are located. This infrastructure includes the following components:

- GlobalProtect Portal
- GlobalProtect Gateways
- GlobalProtect Client

GlobalProtect Portal

The GlobalProtect portal provides the management functions for your GlobalProtect infrastructure. Every client system that participates in the GlobalProtect network receives configuration information from the portal, including information about available gateways as well as any client certificates that may be required to connect to the GlobalProtect gateway(s). In addition, the portal controls the behavior and distribution of the GlobalProtect agent software to both Mac and Windows laptops. (On mobile devices, the GlobalProtect app is distributed through the Apple App Store for iOS devices or through Google Play for Android devices.) If you are using the Host Information Profile (HIP) feature, the portal also defines what information to collect from the host, including any custom information you require. You Configure the GlobalProtect Portal on an interface on any Palo Alto Networks next-generation firewall.

GlobalProtect Gateways

GlobalProtect gateways provide security enforcement for traffic from GlobalProtect agents/apps. Additionally, if the HIP feature is enabled, the gateway generates a HIP report from the raw host data the clients submit and can use this information in policy enforcement.

- External gateways: Provide security enforcement and/or virtual private network (VPN) access for your remote users.
- Internal gateways: An interface on the internal network configured as a GlobalProtect gateway for applying security policy for access to internal resources. When used in conjunction with User-ID and/or HIP checks, an internal gateway can be used to provide a secure, accurate method of identifying and controlling traffic by user and/or device state. Internal gateways are useful in sensitive environments where authenticated access to critical resources is required. You can configure an internal gateway in either tunnel mode or non-tunnel mode.

You Configure GlobalProtect Gateways on an interface on any Palo Alto Networks next-generation firewall. You can run both a gateway and a portal on the same firewall, or you can have multiple, distributed gateways throughout your enterprise.


GlobalProtect Client

The GlobalProtect client software runs on end-user systems and enables access to your network resources via the GlobalProtect portals and gateways you have deployed. There are two types of GlobalProtect clients:

- The GlobalProtect Agent: Runs on Windows and Mac OS systems and is deployed from the GlobalProtect portal. You configure the behavior of the agent (for example, which tabs the users can see, whether or not users can uninstall the agent) in the client configuration(s) you define on the portal. See Define the GlobalProtect Agent Configurations, Customize the GlobalProtect Agent, and Deploy the GlobalProtect Agent Software for details.
- The GlobalProtect App: Runs on iOS, Android, Windows UWP, and Chromebook devices. Users must obtain the GlobalProtect app from the Apple App Store (for iOS), Google Play (for Android), Microsoft Store (for Windows UWP), or Chrome Web Store (for Chromebook).

See What Client OS Versions are Supported with GlobalProtect? for more details.

The following diagram illustrates how the GlobalProtect portals, gateways, and agents/apps work together to enable secure access for all your users, regardless of what devices they are using or where they are located.


What Client OS Versions are Supported with GlobalProtect?

Palo Alto Networks supports the GlobalProtect app (also referred to as the GlobalProtect agent) on common desktop, laptop, and mobile devices. We recommend that you configure GlobalProtect on firewalls running PAN-OS 6.1 or a later release and that you install only supported releases of the GlobalProtect app on endpoints. The minimum GlobalProtect app release varies by operating system; to determine the minimum GlobalProtect app release for a specific operating system, refer to the following topics in the Palo Alto Networks Compatibility Matrix:

- Where Can I Install the GlobalProtect App?
- What XAuth IPSec Clients are Supported?

Older versions of the GlobalProtect app (releases 1.0 through 2.1) are still supported on the operating systems and PAN-OS releases with which they were released. For minimum PAN-OS release support for GlobalProtect app 2.1 and older releases, refer to the GlobalProtect agent (app) release notes for your specific release on the Software Updates site (you must be a registered user to access this site).


What Features Does GlobalProtect Support?

The following table lists the supported features on GlobalProtect by OS. An entry in the table indicates the first supported release of the feature on the OS. A dash (-) indicates the feature is not supported. For recommended minimum GlobalProtect agent and app versions, see What Client OS Versions are Supported with GlobalProtect?

Feature                                                            | Android | iOS   | Chrome                                  | Windows | Windows 10 UWP                                              | Mac
-------------------------------------------------------------------|---------|-------|-----------------------------------------|---------|-------------------------------------------------------------|------
Connect Methods                                                    |         |       |                                         |         |                                                             |
User logon (always on)                                             | -       | -     | -                                       | 1.0.0   | 3.1.3 (Always On configured from third-party MDM)           | 1.0.0
Pre-logon (always on)                                              | -       | -     | -                                       | 1.1.0   | -                                                           | 1.1.0
Pre-logon (then on-demand)                                         | -       | -     | -                                       | 3.1.0   | -                                                           | 3.1.0
On-demand                                                          | 1.0.0   | 1.0.0 | 3.1.1                                   | 1.0.0   | 3.1.3                                                       | 1.0.0
Modes                                                              |         |       |                                         |         |                                                             |
Internal mode                                                      | 1.0.0   | 1.0.0 | 3.1.1                                   | 1.0     | -                                                           | 1.0.0
External mode                                                      | 1.0.0   | 1.0.0 | 3.1.1                                   | 1.0.0   | 3.1.3                                                       | 1.0.0
Single Sign-On (SSO)                                               |         |       |                                         |         |                                                             |
SSO (Credential Provider)                                          | -       | -     | -                                       | 1.2.0   | -                                                           | -
Kerberos SSO                                                       | -       | -     | -                                       | -       | -                                                           | 3.0.0
Customization                                                      |         |       |                                         |         |                                                             |
Enforce GlobalProtect for network access                           | -       | -     | -                                       | 3.1.0   | 3.1.3 (VPN Lockdown configured from third-party MDM)        | 3.1.0
Deployment of SSL Forward Proxy CA certificates in the trust store | -       | -     | -                                       | 3.0.0   | -                                                           | 3.0.0
HIP reports                                                        | 1.0.0   | 1.0.0 | 3.0.0                                   | 1.0.0   | 3.1.3 (Host information only; notifications not supported)  | 1.0.0
Script actions that run before and after sessions                  | -       | -     | -                                       | 2.3.0   | -                                                           | 2.3.0
Certificate selection by OID                                       | -       | -     | -                                       | 3.0.0   | -                                                           | 3.0.0
Allow users to disable GlobalProtect                               | -       | -     | -                                       | 2.2.0   | -                                                           | 2.2.0
Welcome and help pages                                             | 1.0.0   | 1.0.0 | 3.0.0                                   | 1.0.0   | -                                                           | 1.0.0
Endpoint management system (EDM/MDM)                               | 1.0.0   | 1.0.0 | 3.0.0 (Chromebook Management Console)   | -       | 3.1.3                                                       | -


About GlobalProtect Licenses

If you simply want to use GlobalProtect to provide a secure, remote access or virtual private network (VPN) solution via single or multiple internal/external gateways, you do not need any GlobalProtect licenses. However, to use some of the more advanced features, such as HIP checks and associated content updates and support for the GlobalProtect mobile app, you need to purchase an annual gateway subscription. This license must be installed on each firewall running a gateway(s) that performs HIP checks and that supports the GlobalProtect app on mobile devices.

Feature                                                                                    | Gateway Subscription
-------------------------------------------------------------------------------------------|---------------------
Single, external gateway (Windows and Mac)                                                 | Not required
Single or multiple internal gateways                                                       | Not required
Multiple external gateways                                                                 | Not required
HIP Checks                                                                                 | Required
Mobile app for iOS endpoints, Android endpoints, Chromebooks, and Windows 10 UWP endpoints | Required

See Activate Licenses for information on installing licenses on the firewall.

Set Up the GlobalProtect Infrastructure

For GlobalProtect to work, you must set up the infrastructure that allows all of the components to communicate. At a basic level, this means setting up the interfaces and zones to which the GlobalProtect end users connect to access the portal and the gateways to the network. Because the GlobalProtect components communicate over secure channels, you must acquire and deploy the required SSL certificates to the various components. The following sections guide you through the steps to set up the GlobalProtect infrastructure:

- Create Interfaces and Zones for GlobalProtect
- Enable SSL Between GlobalProtect Components
- Set Up GlobalProtect User Authentication
- Enable Group Mapping
- Configure GlobalProtect Gateways
- Configure the GlobalProtect Portal
- Enable Delivery of GlobalProtect Client VSAs to a RADIUS Server
- Deploy the GlobalProtect Client Software
- Deploy Agent Settings Transparently
- Reference: GlobalProtect Agent Cryptographic Functions
- GlobalProtect MIB Support


Create Interfaces and Zones for GlobalProtect

You must configure the following interfaces and zones for your GlobalProtect infrastructure:

- GlobalProtect portal: Requires a Layer 3 or loopback interface for the GlobalProtect clients' connection. If the portal and gateway are on the same firewall, they can use the same interface. The portal must be in a zone that is accessible from outside your network, for example: DMZ.
- GlobalProtect gateways: The interface and zone requirements for the gateway depend on whether the gateway you are configuring is external or internal, as follows:
  - External gateways: Requires a Layer 3 or loopback interface and a logical tunnel interface for the client to establish a VPN tunnel. The Layer 3/loopback interface must be in an external zone, such as DMZ. A tunnel interface can be in the same zone as the interface connecting to your internal resources (for example, trust). For added security and better visibility, you can create a separate zone, such as corp-vpn. If you create a separate zone for your tunnel interface, you must create security policies that enable traffic to flow between the VPN zone and the trust zone.
  - Internal gateways: Requires a Layer 3 or loopback interface in your trust zone. You can also create a tunnel interface for access to your internal gateways, but this is not required.

For tips on how to use a loopback interface to provide access to GlobalProtect on different ports and addresses, refer to Can GlobalProtect Portal Page be Configured to be Accessed on any Port?

For more information about portals and gateways, see About the GlobalProtect Components.

Set Up Interfaces and Zones for GlobalProtect

Step 1: Configure a Layer 3 interface for each portal and/or gateway you plan to deploy.

If the gateway and portal are on the same firewall, you can use a single interface for both. As a best practice, use static IP addresses for the portal and gateway.

1. Select Network > Interfaces > Ethernet or Network > Interfaces > Loopback and then select the interface you want to configure for GlobalProtect. In this example, we are configuring ethernet1/1 as the portal interface.
2. (Ethernet only) Select Layer3 from the Interface Type drop-down.
3. On the Config tab, select the zone to which the portal or gateway interface belongs as follows:
   - Place portals and external gateways in an untrust zone for access by hosts outside your network, such as l3-untrust.
   - Place internal gateways in an internal zone, such as l3-trust.
   - If you have not yet created the zone, select New Zone from the Security Zone drop-down. In the Zone dialog, define a Name for the new zone and then click OK.
4. In the Virtual Router drop-down, select default.
5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 208.80.56.100/24.
6. To save the interface configuration, click OK.


Step 2: On the firewall(s) hosting GlobalProtect gateway(s), configure the logical tunnel interface that will terminate VPN tunnels established by the GlobalProtect agents.

IP addresses are not required on the tunnel interface unless you require dynamic routing. In addition, assigning an IP address to the tunnel interface can be useful for troubleshooting connectivity issues.

Be sure to enable User-ID in the zone where the VPN tunnels terminate.

1. Select Network > Interfaces > Tunnel and click Add.
2. In the Interface Name field, specify a numeric suffix, such as .2.
3. On the Config tab, expand the Security Zone drop-down to define the zone as follows:
   - To use your trust zone as the termination point for the tunnel, select the zone from the drop-down.
   - (Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for the new zone (for example, corp-vpn), select the Enable User Identification check box, and then click OK.
4. In the Virtual Router drop-down, select None.
5. (Optional) If you want to assign an IP address to the tunnel interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 10.31.32.1/32.
6. To save the interface configuration, click OK.

Step 3: If you created a separate zone for tunnel termination of VPN connections, create a security policy to enable traffic flow between the VPN zone and your trust zone.

For example, the following policy rule enables traffic between the corp-vpn zone and the l3-trust zone.

Step 4: Save the configuration.

Click Commit.

If you enabled management access to the interface hosting the portal, you must add a :4443 to the URL. For example, to access the web interface for the portal configured in this example, you would enter the following: https://208.80.56.100:4443. Or, if you configured a DNS record for the FQDN, such as gp.acme.com, you would enter: https://gp.acme.com:4443. To access the portal login page, you would enter the URL without the port number: https://208.80.56.100 or https://gp.acme.com.


Enable SSL Between GlobalProtect Components

All interaction between the GlobalProtect components occurs over an SSL/TLS connection. Therefore, you must generate and/or install the required certificates before configuring each component so that you can reference the appropriate certificate(s) in the configurations. The following sections describe the supported methods of certificate deployment, descriptions and best practice guidelines for the various GlobalProtect certificates, and provide instructions for generating and deploying the required certificates:

- About GlobalProtect Certificate Deployment
- GlobalProtect Certificate Best Practices
- Deploy Server Certificates to the GlobalProtect Components

About GlobalProtect Certificate Deployment

There are three basic approaches to Deploy Server Certificates to the GlobalProtect Components:

- (Recommended) Combination of third-party certificates and self-signed certificates: Because the end clients will be accessing the portal prior to GlobalProtect configuration, the client must trust the certificate to establish an HTTPS connection.
- Enterprise Certificate Authority: If you already have your own enterprise CA, you can use this internal CA to issue certificates for each of the GlobalProtect components and then import them onto the firewalls hosting your portal and gateway(s). In this case, you must also ensure that the end-user systems/mobile devices trust the root CA certificate used to issue the certificates for the GlobalProtect services to which they must connect.
- Self-Signed Certificates: You can generate a self-signed CA certificate on the portal and use it to issue certificates for all of the GlobalProtect components. However, this solution is less secure than the other options and is therefore not recommended. If you do choose this option, end users will see a certificate error the first time they connect to the portal. To prevent this, you can deploy the self-signed root CA certificate to all end-user systems manually or using some sort of centralized deployment, such as an Active Directory Group Policy Object (GPO).

GlobalProtect Certificate Best Practices

The following table summarizes the SSL/TLS certificates you will need, depending on which features you plan to use:

Table: GlobalProtect Certificate Requirements

CA certificate
  Usage: Used to sign certificates issued to the GlobalProtect components.
  Issuing Process/Best Practices: If you plan to use self-signed certificates, a best practice is to generate a CA certificate on the portal and then use that certificate to issue the required GlobalProtect certificates.


Portal server certificate
  Usage: Enables GlobalProtect agents and apps to establish an HTTPS connection with the portal.
  Issuing Process/Best Practices: This certificate is identified in an SSL/TLS service profile. You assign the portal server certificate by selecting its associated service profile in a portal configuration.
  - Use a certificate from a well-known, third-party CA. This is the most secure option and ensures that the user endpoints can establish a trust relationship with the portal without requiring you to deploy the root CA certificate.
  - If you do not use a well-known, public CA, you should export the root CA certificate that was used to generate the portal server certificate to all endpoints that run the GlobalProtect agent or application. Exporting this certificate prevents the end users from seeing certificate warnings during the initial portal login.
  - The Common Name (CN) and, if applicable, the Subject Alternative Name (SAN) fields of the certificate must match the IP address or FQDN of the interface that hosts the portal.
  - In general, a portal must have its own server certificate. However, if you are deploying a single gateway and portal on the same interface for basic VPN access, you must use the same certificate for both the gateway and the portal.

Gateway server certificate
  Usage: Enables GlobalProtect agents and apps to establish an HTTPS connection with the gateway.
  Issuing Process/Best Practices: This certificate is identified in an SSL/TLS service profile. You assign the gateway server certificate by selecting its associated service profile in a gateway configuration.
  - Generate a CA certificate on the portal and use that CA certificate to generate all gateway certificates.
  - The CN and, if applicable, the SAN fields of the certificate must match the FQDN or IP address of the interface where you plan to configure the gateway.
  - The portal distributes the gateway root CA certificates to agents in the client configuration, so the gateway certificates do not need to be issued by a public CA.
  - If you do not deploy the root CA certificates for the GlobalProtect gateways in the client configuration, the agent/app will not perform certificate checks when connecting, thereby making the connection vulnerable to man-in-the-middle attacks.
  - In general, each gateway must have its own server certificate. However, if you are deploying a single gateway and portal on the same interface for basic VPN access, you must use a single server certificate for both components. As a best practice, use a certificate that a public CA signed.


(Optional) Client certificate
  Usage: Used to enable mutual authentication in establishing an HTTPS session between the GlobalProtect agents and the gateways/portal. This ensures that only devices with valid client certificates are able to authenticate and connect to the network.
  Issuing Process/Best Practices: For simplified deployment of client certificates, configure the portal to deploy the client certificate to the agents upon successful login using either of the following methods:
  - Use a single client certificate across all GlobalProtect agents that receive the same configuration. You assign the Local client certificate by uploading the certificate to the portal and selecting it in a portal agent configuration.
  - Use simple certificate enrollment protocol (SCEP) to enable the GlobalProtect portal to deploy unique client certificates to your GlobalProtect agents. You enable this by configuring a SCEP profile and then selecting that profile in a portal agent configuration.
  Use one of the following supported digest algorithms when you generate client certificates for GlobalProtect endpoints: sha1, sha256, or sha384. Sha512 is not supported with client certificates.
  You can use other mechanisms to deploy unique client certificates to each client system for use in authenticating the end user.
  Consider testing your configuration without the client certificate first, and then add the client certificate after you are sure that all other configuration settings are correct.

(Optional) Machine certificates
  Usage: A machine certificate is a client certificate that is issued to a device. Each machine certificate identifies the device in the subject field (for example, CN=laptop1.example.com) instead of a user. The certificate ensures that only trusted endpoints can connect to gateways or the portal. Machine certificates are required for users whose connect method is pre-logon, which enables GlobalProtect to establish a VPN tunnel before the user logs in.
  Issuing Process/Best Practices: Use one of the following supported digest algorithms when you generate client certificates for GlobalProtect endpoints: sha1, sha256, or sha384. Sha512 is not supported with client certificates.
  If you plan to use the pre-logon feature, use your own PKI infrastructure to deploy machine certificates to each client system prior to enabling GlobalProtect access. This approach is important for ensuring security.
  For more information, see Remote Access VPN with Pre-Logon.

For details about the types of keys for secure communication between the GlobalProtect endpoint and the portals and gateways, see Reference: GlobalProtect Agent Cryptographic Functions.


Deploy Server Certificates to the GlobalProtect Components

The following table shows the best practice steps for deploying SSL/TLS certificates to the GlobalProtect components:

Deploy SSL Server Certificates to the GlobalProtect Components

Import a server certificate from a well-known, third-party CA.

Use a server certificate from a well-known, third-party CA for the GlobalProtect portal. This practice ensures that the end users are able to establish an HTTPS connection without seeing warnings about untrusted certificates.

The CN and, if applicable, the SAN fields of the certificate must match the FQDN or IP address of the interface where you plan to configure the portal or the device check-in interface on a third-party mobile endpoint management system. Wildcard matches are supported.

Before you import a certificate, make sure the certificate and key files are accessible from your management system and that you have the passphrase to decrypt the private key.

1. Select Device > Certificate Management > Certificates > Device Certificates.
2. Click Import.
3. Use the Local certificate type (the default).
4. Enter a Certificate Name.
5. Enter the path and name to the Certificate File received from the CA, or Browse to find the file.
6. Select Encrypted Private Key and Certificate (PKCS12) as the File Format.
7. Enter the path and name to the PKCS#12 file in the Key File field or Browse to find it.
8. Enter and re-enter the Passphrase that was used to encrypt the private key and then click OK to import the certificate and key.

Create the root CA certificate for issuing self-signed certificates for the GlobalProtect components.

Create the Root CA certificate on the portal and use it to issue server certificates for the gateways and, optionally, for clients.

Before deploying self-signed certificates, you must create the root CA certificate that signs the certificates for the GlobalProtect components:

1. Select Device > Certificate Management > Certificates > Device Certificates and then click Generate.
2. Use the Local certificate type (the default).
3. Enter a Certificate Name, such as GlobalProtect_CA. The certificate name cannot contain spaces.
4. Do not select a value in the Signed By field. (Without a selection for Signed By, the certificate is self-signed.)
5. Select the Certificate Authority check box.
6. Click OK to generate the certificate.


Use the root CA on the portal to generate a self-signed server certificate.
• Generate server certificates for each gateway you plan to deploy and optionally for the management interface of the third-party mobile endpoint management system (if this interface is where the gateways retrieve HIP reports).
• In the gateway server certificates, the values in the CN and SAN fields must be identical. If the values differ, the GlobalProtect agent detects the mismatch and does not trust the certificate. Self-signed certificates contain a SAN field only if you add a Host Name attribute.
• As an alternative method, you can Use Simple Certificate Enrollment Protocol (SCEP) to request a server certificate from your enterprise CA.

1. Select Device > Certificate Management > Certificates > Device Certificates and then click Generate.
2. Use the Local certificate type (the default).
3. Enter a Certificate Name. This name cannot contain spaces.
4. In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you plan to configure the gateway.
5. In the Signed By field, select the GlobalProtect_CA you created.
6. In the Certificate Attributes section, Add and define the attributes that uniquely identify the gateway. Keep in mind that if you add a Host Name attribute (which populates the SAN field of the certificate), it must be the same as the value you defined for the Common Name.
7. Configure cryptographic settings for the server certificate, including the encryption Algorithm, key length (Number of Bits), Digest algorithm, and Expiration (days).
8. Click OK to generate the certificate.


Use Simple Certificate Enrollment Protocol (SCEP) to request a server certificate from your enterprise CA.
• Configure separate SCEP profiles for each portal and gateway you plan to deploy. Then use the specific SCEP profile to generate the server certificate for each GlobalProtect component.
• In portal and gateway server certificates, the value of the CN field must include the FQDN (recommended) or IP address of the interface where you plan to configure the portal or gateway and must be identical to the SAN field.
• To comply with the U.S. Federal Information Processing Standard (FIPS), you must also enable mutual SSL authentication between the SCEP server and the GlobalProtect portal. (FIPS-CC operation is indicated on the firewall login page and in its status bar.)
After you commit the configuration, the portal attempts to request a CA certificate using the settings in the SCEP profile. If successful, the firewall hosting the portal saves the CA certificate and displays it in the list of Device Certificates.

1. Configure a SCEP Profile for each GlobalProtect portal or gateway:
   a. Enter a Name that identifies the SCEP profile and the component to which you deploy the server certificate. If this profile is for a firewall with multiple virtual systems capability, select a virtual system or Shared as the Location where the profile is available.
   b. (Optional) Configure a SCEP Challenge response mechanism between the PKI and portal for each certificate request. Use either a Fixed challenge password, which you obtain from the SCEP server, or a Dynamic password, where the portal client submits a username and OTP of your choice to the SCEP server. For a Dynamic SCEP challenge, this can be the credentials of the PKI administrator.
   c. Configure the Server URL that the portal uses to reach the SCEP server in the PKI (for example, http://10.200.101.1/certsrv/mscep/).
   d. Enter a string (up to 255 characters in length) in the CA-IDENT Name field to identify the SCEP server.
   e. Enter the Subject name to use in the certificates generated by the SCEP server. The subject must include a common name (CN) key in the format CN=<value>, where <value> is the FQDN or IP address of the portal or gateway.
   f. Select the Subject Alternative Name Type. To enter the email name in a certificate's subject or Subject Alternative Name extension, select RFC 822 Name. You can also enter the DNS Name to use to evaluate certificates, or the Uniform Resource Identifier to identify the resource from which the client will obtain the certificate.
   g. Configure additional cryptographic settings, including the key length (Number of Bits) and Digest algorithm for the certificate signing request.
   h. Configure the permitted uses of the certificate, either for signing (Use as digital signature) or encryption (Use for key encipherment).
   i. To ensure that the portal is connecting to the correct SCEP server, enter the CA Certificate Fingerprint. Obtain this fingerprint from the SCEP server interface in the Thumbprint field. When the Server URL uses plain HTTP, as in the example above, this fingerprint is the check that protects the enrollment against a spoofed SCEP server.
   j. Enable mutual SSL authentication between the SCEP server and the GlobalProtect portal.
   k. Click OK and then Commit the configuration.
2. Select Device > Certificate Management > Certificates > Device Certificates and then click Generate.
3. Enter a Certificate Name. This name cannot contain spaces.
4. Select the SCEP Profile to use to automate the process of issuing a server certificate that is signed by the enterprise CA to a portal or gateway, and then click OK to generate the certificate. The GlobalProtect portal uses the settings in the SCEP profile to submit a CSR to your enterprise PKI.


Assign the server certificate you imported or generated to an SSL/TLS service profile.
1. Select Device > Certificate Management > SSL/TLS Service Profile and click Add.
2. Enter a Name to identify the profile and select the server Certificate you imported or generated.
3. Define the range of SSL/TLS versions (Min Version to Max Version) for communication between GlobalProtect components. The lower versions exist only for compatibility with old clients; set the Min Version to the highest version that all of your GlobalProtect clients support.
4. Click OK to save the SSL/TLS service profile.
5. Commit the changes.

Deploy the self-signed server certificates.
• Export the self-signed server certificates issued by the root CA on the portal and import them onto the gateways.
• Be sure to issue a unique server certificate for each gateway.
• If specifying self-signed certificates, you must distribute the Root CA certificate to the end clients in the portal client configurations.

Export the certificate from the portal:
1. Select Device > Certificate Management > Certificates > Device Certificates.
2. Select the gateway certificate you want to deploy and click Export.
3. In the File Format drop-down, select Encrypted Private Key and Certificate (PKCS12).
4. Enter (and re-enter) a Passphrase to encrypt the private key.
5. Click OK to download the PKCS12 file to a location of your choice.

Import the certificate on the gateway:
1. Select Device > Certificate Management > Certificates > Device Certificates.
2. Click Import.
3. Enter a Certificate Name.
4. Browse to find and select the Certificate File you downloaded in step 5, above.
5. In the File Format drop-down, select Encrypted Private Key and Certificate (PKCS12).
6. Enter (and re-enter) the Passphrase you used to encrypt the private key when you exported it from the portal.
7. Click OK to import the certificate and key.
8. Commit the changes to the gateway.
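Before assigning a certificate to an SSL/TLS service profile, it is worth checking the CN/SAN rules from this table outside the GUI. The following Python script is an added example, not PAN-OS code: it parses the text printed by `openssl x509 -in <cert> -noout -subject -ext subjectAltName` (the `-ext` option needs OpenSSL 1.1.1 or later) and applies the rules above: the CN, and the SAN if present, must match the FQDN or IP address of the portal or gateway interface; a wildcard name is accepted for a third-party portal certificate; and in a self-signed or SCEP-issued gateway certificate the SAN must be identical to the CN. The openssl outputs embedded in the script are constructed samples, not output from a real firewall.

```python
import re
from typing import List, Optional, Tuple


def parse_openssl_text(text: str) -> Tuple[Optional[str], List[str]]:
    """Return (CN, [DNS/IP SAN entries]) from the text that
    'openssl x509 -noout -subject -ext subjectAltName' prints.
    Handles both the 'CN = host' and the older '/CN=host' subject layouts."""
    cn: Optional[str] = None
    m = re.search(r"^subject=.*?\bCN\s*=\s*([^,/\n]+)", text, re.M)
    if m:
        cn = m.group(1).strip()
    san: List[str] = []
    m = re.search(r"Subject Alternative Name:[ \t]*\n[ \t]*(.+)", text)
    if m:
        for entry in m.group(1).split(","):
            kind, _, value = entry.strip().partition(":")
            if kind in ("DNS", "IP Address"):
                san.append(value.strip())
    return cn, san


def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive comparison. A leading '*.' covers exactly one label,
    so *.example.com matches gp.example.com but not a.gp.example.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".example.com"
        return hostname.endswith(suffix) and "." not in hostname[:-len(suffix)]
    return pattern == hostname


def check_server_cert(openssl_text: str, address: str, cn_san_identical: bool) -> List[str]:
    """Return the problems found; an empty list means the certificate meets the
    rules in the table. 'address' is the FQDN or IP of the interface the portal
    or gateway will listen on. Set cn_san_identical=True for self-signed or
    SCEP-issued gateway certificates, where the SAN (present only if the
    Host Name attribute was added) must equal the CN exactly."""
    cn, san = parse_openssl_text(openssl_text)
    if cn is None:
        return ["certificate has no CN"]
    problems: List[str] = []
    if not name_matches(cn, address):
        problems.append(f"CN {cn!r} does not match interface address {address!r}")
    if san and not any(name_matches(n, address) for n in san):
        problems.append(f"no SAN entry in {san} matches interface address {address!r}")
    if cn_san_identical and san and san != [cn]:
        problems.append(f"SAN {san} must be identical to CN {cn!r}")
    return problems


# Constructed sample outputs, not captured from a real firewall.
GOOD_GATEWAY = """subject=C = US, O = Example Corp, CN = gp-gw1.example.com
X509v3 Subject Alternative Name:
    DNS:gp-gw1.example.com
"""
EXTRA_SAN_GATEWAY = """subject=CN = gp-gw1.example.com
X509v3 Subject Alternative Name:
    DNS:gp-gw1.example.com, DNS:gp-gw1
"""
WILDCARD_PORTAL = """subject= /C=US/CN=*.example.com
X509v3 Subject Alternative Name:
    DNS:*.example.com, DNS:example.com
"""

if __name__ == "__main__":
    for label, text, addr, strict in [
        ("gateway, self-signed", GOOD_GATEWAY, "gp-gw1.example.com", True),
        ("gateway, extra SAN entry", EXTRA_SAN_GATEWAY, "gp-gw1.example.com", True),
        ("portal, third-party wildcard", WILDCARD_PORTAL, "portal.example.com", False),
    ]:
        print(label, "->", check_server_cert(text, addr, strict) or "OK")
```

The second sample passes the hostname check but fails the identical-CN/SAN rule because a short-name SAN entry was added alongside the FQDN; that is exactly the mismatch the agent rejects on a gateway.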


Set Up GlobalProtect User Authentication

The GlobalProtect portal and gateways must authenticate the end user before allowing access to GlobalProtect resources. You must configure authentication mechanisms before continuing with the portal and gateway setup. The following sections detail the supported authentication mechanisms and how to configure them:
• About GlobalProtect User Authentication
• Set Up External Authentication
• Set Up Client Certificate Authentication
• Set Up Two-Factor Authentication
• Set Up Authentication for strongSwan Ubuntu and CentOS Clients

About GlobalProtect User Authentication

The first time a GlobalProtect client connects to the portal, the user is prompted to authenticate to the portal. If authentication succeeds, the GlobalProtect portal sends the GlobalProtect configuration, which includes the list of gateways to which the agent can connect, and optionally a client certificate for connecting to the gateways. After successfully downloading and caching the configuration, the client attempts to connect to one of the gateways specified in the configuration. Because these components provide access to your network resources and settings, they also require the end user to authenticate.
The appropriate level of security required on the portal and gateways varies with the sensitivity of the resources that the gateway protects. GlobalProtect provides a flexible authentication framework that allows you to choose the authentication profile and certificate profile that are appropriate to each component.
• Supported GlobalProtect Authentication Methods
• How Does the Agent or App Know What Credentials to Supply to the Portal and Gateway?

Supported GlobalProtect Authentication Methods

The following table describes the authentication methods that GlobalProtect supports and provides usage guidelines.

Authentication Method    Description

Local Authentication
  Both the user account credentials and the authentication mechanisms are local to the firewall. This authentication mechanism is not scalable because it requires an account for every GlobalProtect user and is, therefore, advisable for only very small deployments.


External authentication
  The user authentication functions are performed by an external LDAP, Kerberos, TACACS+, or RADIUS service (including support for two-factor, token-based authentication mechanisms, such as one-time password (OTP) authentication). To enable external authentication:
  • Create a server profile with settings for access to the external authentication service.
  • Create an authentication profile that refers to the server profile.
  • Specify client authentication in the portal and gateway configurations and optionally specify the OS of the endpoint that will use these settings.
  You can use different authentication profiles for each GlobalProtect component. See Set Up External Authentication for instructions. See Remote Access VPN (Authentication Profile) for an example configuration.

Client certificate authentication
  For enhanced security, you can configure the portal or gateway to use a client certificate to obtain the username and authenticate the user before granting access to the system. To authenticate the user, one of the certificate fields, such as the Subject Name field, must identify the username.
  To authenticate the endpoint, the Subject field of the certificate must identify the device type instead of the username. (With the pre-logon connect methods, the portal or gateway authenticates the endpoint before the user logs in.)
  For an agent configuration profile that specifies client certificates, each user receives a client certificate. The mechanism for providing the certificates determines whether a certificate is unique to each client or the same for all clients under that agent configuration:
  • To deploy client certificates that are unique to each user and device, use SCEP. When a user first logs in, the portal requests a certificate from the enterprise's PKI. The portal obtains a unique certificate and deploys it to the client.
  • To deploy the same client certificate to all users that receive an agent configuration, deploy a certificate that is Local to the firewall.
  Use an optional certificate profile to verify the client certificate that a client presents with a connection request. The certificate profile specifies the contents of the username and user domain fields; lists CA certificates; sets criteria for blocking a session; and offers ways to determine the revocation status of CA certificates. You must pre-deploy certificates used in certificate profiles to the endpoints before the user's initial portal login because the certificate is part of the authentication of the endpoint or user for a new session.
  The certificate profile specifies which certificate field contains the username. If the certificate profile specifies Subject in the Username Field, the certificate presented by the client must contain a common name for the client to connect. If the certificate profile specifies a Subject Alt with an Email or Principal Name as the Username Field, the certificate from the client must contain the corresponding fields, which will be used as the username when the GlobalProtect agent authenticates to the portal or gateway.
  GlobalProtect also supports authentication by common access cards (CACs) and smart cards, which rely on a certificate profile. With these cards, the certificate profile must contain the root CA certificate that issued the certificate to the smart card or CAC.
  If you specify client certificate authentication, you should not configure a client certificate in the portal configuration because the client system provides it when the user connects.
  For an example of how to configure client certificate authentication, see Remote Access VPN (Certificate Profile).


Two-factor authentication
  With two-factor authentication, the portal or gateway uses two mechanisms to authenticate a user, such as a one-time password in addition to AD login credentials. You can enable two-factor authentication on the portal and gateways by configuring a certificate profile and an authentication profile and adding them both to the portal and/or gateway configuration.
  You can configure the portal and gateways to use the same authentication methods or use different methods. Regardless, with two-factor authentication, the client must successfully authenticate by the two mechanisms that the component demands before it grants access.
  If the certificate profile specifies a Username Field from which GlobalProtect can obtain a username, the external authentication service automatically uses that username to authenticate the user to the external authentication service specified in the authentication profile. For example, if the Username Field in the certificate profile is set to Subject, the value in the common name field of the certificate is used as the username when the authentication server tries to authenticate the user. If you do not want to force users to authenticate with a username from the certificate, make sure the certificate profile is set to None for the Username Field. See Remote Access VPN with Two-Factor Authentication for an example configuration.

How Does the Agent or App Know What Credentials to Supply to the Portal and Gateway?

By default, the GlobalProtect agent attempts to use the same login credentials for the gateway that it used for portal login. In the simplest case, where the gateway and the portal use the same authentication profile and/or certificate profile, the agent will connect to the gateway transparently.
On a per-agent-configuration basis, you can also customize which GlobalProtect portal and gateways (internal, external, or manual only) require different credentials (such as unique OTPs). This enables the GlobalProtect portal or gateway to prompt for the unique OTP without first prompting for the credentials specified in the authentication profile.
There are two options for modifying the default agent authentication behavior so that authentication is both stronger and faster:
• Cookie Authentication on the Portal or Gateway
• Credential Forwarding to Some or All Gateways

Cookie Authentication on the Portal or Gateway

Cookie authentication simplifies the authentication process for end users because they will no longer be required to log in to both the portal and the gateway in succession or enter multiple OTPs for authenticating to each. This improves the user experience by minimizing the number of times that users must enter credentials. In addition, cookies enable use of a temporary password to re-enable VPN access after the user's password expires.
You can configure cookie authentication settings independently for the portal and for individual gateways (for example, you can impose a shorter cookie lifetime on gateways that protect sensitive resources). Because the cookie stands in for the user's credentials for as long as it is valid, its lifetime is also the window in which a stolen or compromised endpoint can reconnect without a prompt, so keep it short on gateways that protect sensitive resources. After the portal or gateways deploy an authentication cookie to the endpoint, the portal and gateways both rely on the same cookie to authenticate the user. When the agent presents the cookie, the portal or gateway evaluates whether the cookie is valid based on the configured cookie lifetime. If the cookie expires, GlobalProtect automatically prompts the user to authenticate with the portal or gateway. When authentication is successful, the portal or gateway issues the replacement authentication cookie to the endpoint and the validity period starts over.
Consider the following example where you configure the cookie lifetime for the portal (which does not protect sensitive information) as 15 days, but configure the cookie lifetime for gateways (which do protect sensitive information) as 24 hours. When the user first authenticates with the portal, the portal issues the authentication cookie. If after five days the user attempted to connect to the portal, the authentication cookie would still be valid. However, if after five days the user attempted to connect to the gateway, the gateway would evaluate the cookie lifetime and determine it expired (5 days > 24 hours). The agent would then automatically prompt the user to authenticate with the gateway and, on successful authentication, receive a replacement authentication cookie. The new authentication cookie would then be valid for another 15 days on the portal and another 24 hours on the gateways.
For an example of how to use this option, see Set Up Two-Factor Authentication.
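The lifetime evaluation in the example above can be modelled in a few lines. The following Python is an added illustration, not GlobalProtect code: it assumes, as the text describes, that every component accepts the same cookie but compares its age against its own configured lifetime, and that a successful re-authentication issues a replacement whose validity period starts over. It replays the 15-day portal / 24-hour gateway scenario with a constructed first-login timestamp.

```python
from datetime import datetime, timedelta
from typing import Dict, Optional


class AuthCookie:
    """The authentication cookie the portal or a gateway deploys to the endpoint."""

    def __init__(self, issued_at: datetime):
        self.issued_at = issued_at


class Component:
    """A GlobalProtect portal or gateway. All components accept the same cookie,
    but each judges it against its own configured cookie lifetime."""

    def __init__(self, name: str, cookie_lifetime: timedelta):
        self.name = name
        self.cookie_lifetime = cookie_lifetime

    def cookie_is_valid(self, cookie: Optional[AuthCookie], now: datetime) -> bool:
        return cookie is not None and now - cookie.issued_at < self.cookie_lifetime

    def connect(self, cookie: Optional[AuthCookie], now: datetime,
                credentials_ok: bool) -> Optional[AuthCookie]:
        """Return the cookie the agent holds after this connection: the one it
        presented if still valid here, a replacement if it had to re-authenticate
        and succeeded, or None if access was refused."""
        if self.cookie_is_valid(cookie, now):
            return cookie
        # Expired or absent: the agent prompts the user; on success this component
        # issues a replacement whose validity period starts over everywhere.
        return AuthCookie(issued_at=now) if credentials_ok else None


def walk_through_guide_example() -> Dict[str, bool]:
    """Replay the 15-day portal / 24-hour gateway scenario from the text."""
    portal = Component("portal", timedelta(days=15))
    gateway = Component("gateway", timedelta(hours=24))
    t0 = datetime(2016, 11, 21, 9, 0)          # constructed first-login time
    cookie = portal.connect(None, t0, credentials_ok=True)   # portal issues the cookie
    assert cookie is not None
    day5 = t0 + timedelta(days=5)
    results = {
        "portal_accepts_on_day5": portal.cookie_is_valid(cookie, day5),
        "gateway_accepts_on_day5": gateway.cookie_is_valid(cookie, day5),  # 5 days > 24 h
    }
    cookie = gateway.connect(cookie, day5, credentials_ok=True)  # prompt, then replacement
    assert cookie is not None
    results["replacement_issued_on_day5"] = cookie.issued_at == day5
    results["gateway_accepts_23h_later"] = gateway.cookie_is_valid(cookie, day5 + timedelta(hours=23))
    results["gateway_rejects_25h_later"] = not gateway.cookie_is_valid(cookie, day5 + timedelta(hours=25))
    results["portal_accepts_14d_later"] = portal.cookie_is_valid(cookie, day5 + timedelta(days=14))
    results["refused_without_credentials"] = (
        gateway.connect(cookie, day5 + timedelta(days=2), credentials_ok=False) is None
    )
    return results


if __name__ == "__main__":
    for check, outcome in walk_through_guide_example().items():
        print(f"{check:32} {outcome}")
```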

Credential Forwarding to Some or All Gateways

With two-factor authentication, you can specify the portal and/or types of gateways (internal, external, or manual only) that prompt for their own set of credentials. This option speeds up the authentication process when the portal and the gateway require different credentials (either different OTPs or different login credentials entirely). For each portal or gateway that you select, the agent will not forward credentials, allowing you to customize the security for different GlobalProtect components. For example, you can have the same security on your portals and internal gateways, while requiring a second-factor OTP or a different password for access to those gateways that provide access to your most sensitive resources.
For an example of how to use this option, see Set Up Two-Factor Authentication.

Set Up External Authentication

The following workflow describes how to set up the GlobalProtect portal and gateways to use an external authentication service. The supported authentication services are LDAP, Kerberos, RADIUS, and TACACS+.
This workflow also describes how to create an optional authentication profile that a portal or gateway can use to identify the external authentication service. This step is optional for external authentication because the authentication profile can also specify the local authentication database or None.

GlobalProtect also supports local authentication. To use local authentication, create a local user database (Device > Local User Database) that contains the users and groups to which you want to allow VPN access and then refer to that database in the authentication profile.

For more information, see Supported GlobalProtect Authentication Methods.


Set Up External User Authentication

Step 1  Create a server profile.
The server profile identifies the external authentication service and instructs the firewall how to connect to that authentication service and access the authentication credentials for your users.
• If you want to Enable Delivery of GlobalProtect Client VSAs to a RADIUS Server, you must create a RADIUS server profile.
• If you are using LDAP to connect to Active Directory (AD), you must create a separate LDAP server profile for every AD domain.

1. Select Device > Server Profiles and select the type of profile (LDAP, Kerberos, RADIUS, or TACACS+).
2. Click Add and enter a Name for the profile, such as GPUserAuth.
3. (LDAP only) Select the Type of LDAP server.
4. Click Add in the Servers section and then enter the necessary information for connecting to the authentication server, including the server Name, IP address or FQDN of the Server, and Port.
5. (RADIUS, TACACS+, and LDAP only) Specify settings to enable the authentication service to authenticate the firewall, as follows:
   • RADIUS and TACACS+: Enter the shared Secret when adding the server entry.
   • LDAP: Enter the Bind DN and Password.
6. (LDAP only) If you want the device to use SSL or TLS for a more secure connection with the directory server, select the Require SSL/TLS secured connection check box (selected by default). The protocol that the device uses depends on the server Port:
   • 389 (default): TLS (Specifically, the device uses the StartTLS operation, which upgrades the initial plaintext connection to TLS.)
   • 636: SSL
   • Any other port: The device first attempts to use TLS. If the directory server doesn't support TLS, the device falls back to SSL.
7. (LDAP only) For additional security, select the Verify Server Certificate for SSL sessions check box so that the device verifies the certificate that the directory server presents for SSL/TLS connections. Without this check, the firewall sends the Bind DN password to whatever host answers at the configured address. To enable verification, you also have to select the Require SSL/TLS secured connection check box. For verification to succeed, the certificate must meet one of the following conditions:
   • It is in the list of device certificates: Device > Certificate Management > Certificates > Device Certificates. Import the certificate into the device, if necessary.
   • The certificate signer is in the list of trusted certificate authorities: Device > Certificate Management > Certificates > Default Trusted Certificate Authorities.
8. Click OK to save the server profile.


Step 2  (Optional) Create an authentication profile.
The authentication profile specifies the server profile for the portal or gateways to use when they authenticate users. On a portal or gateway, you can assign one or more authentication profiles in one or more client authentication profiles. For descriptions of how an authentication profile within a client authentication profile supports granular user authentication, see Configure a GlobalProtect Gateway and Set Up Access to the GlobalProtect Portal.
• To enable users to connect and change their own expired passwords without administrative intervention, consider using a pre-logon connect method. See Remote Access VPN with Pre-Logon for details.
• If users allow their passwords to expire, you may assign a temporary LDAP password to enable them to log in to the VPN. In this case, the temporary password may be used to authenticate to the portal, but the gateway login may fail because the same temporary password cannot be reused. To prevent this, enable an authentication override in the portal configuration (Network > GlobalProtect > Portal) to enable the agent to use a cookie to authenticate to the portal and use the temporary password to authenticate to the gateway.

1. Select Device > Authentication Profile and Add a new profile.
2. Enter a Name for the profile and then select the authentication Type: None, Local Database (the authentication database on the firewall), RADIUS, TACACS+, LDAP, or Kerberos.
3. If the authentication Type is RADIUS, TACACS+, LDAP, or Kerberos, select the authentication Server Profile that you created in Step 1 from the drop-down.
4. Specify the domain name and username format. The device combines the User Domain and Username Modifier values to modify the domain/username string that a user enters during login. The device uses the modified string for authentication and uses the User Domain value for User-ID group mapping. Modifying user input is useful when the authentication service requires domain/username strings in a particular format and you don't want to rely on users to correctly enter the domain. You can select from the following options:
   • To send only the unmodified user input, leave the User Domain blank (the default) and set the Username Modifier to the variable %USERINPUT% (the default).
   • To prepend a domain to the user input, enter a User Domain and set the Username Modifier to %USERDOMAIN%\%USERINPUT%.
   • To append a domain to the user input, enter a User Domain and set the Username Modifier to %USERINPUT%@%USERDOMAIN%.
   If the Username Modifier includes the %USERDOMAIN% variable, the User Domain value replaces any domain string that the user enters. If the User Domain is blank, the device removes any user-entered domain string.
5. (Kerberos only) Configure Kerberos single sign-on (SSO) if your network supports it:
   • Enter the Kerberos Realm (up to 127 characters). This is the hostname portion of the user login name. For example, the user account name user@EXAMPLE.LOCAL has the realm EXAMPLE.LOCAL.
   • Specify a Kerberos Keytab file: click the Import link, Browse to the keytab file, and click OK. During authentication, the endpoint first tries to use the keytab to establish SSO. If it succeeds, and the user attempting access is in the Allow List, authentication succeeds immediately. Otherwise, the authentication process falls back to manual (username/password) authentication of the specified Type. The Type doesn't have to be Kerberos. To change this behavior so that users can authenticate only using Kerberos, set Use Default Authentication on Kerberos Authentication Failure to No in a GlobalProtect portal agent configuration.
6. (LDAP only) Enter sAMAccountName as the Login Attribute.
7. (LDAP only) Set the Password Expiry Warning to specify the number of days before password expiration that users will be notified. By default, users will be notified seven days prior to password expiration (range is 1-255). Because users must change their passwords before the end of the expiration period, make sure you provide a notification period that is adequate for your user base to ensure continued access to the VPN. To use this feature, you must specify one of the following types of LDAP servers in your LDAP server profile: active-directory, e-directory, or sun.
   Users cannot access the VPN if their passwords expire unless you enable pre-logon.
8. (LDAP only) Configure an optional custom expiry message to include additional instructions, such as help desk contact information or a link to a password portal where users can change their passwords (see Step 5 in Customize the GlobalProtect Agent).
9. Select the Advanced tab.
10. In the Allow List, Add and then select the users and groups that are allowed to authenticate with this profile. Selecting the predefined all option allows every user to authenticate. By default, the list has no entries, which means no users can authenticate. Because this list decides who may use the VPN at all, prefer a specific group over all.
11. Click OK.

Step 3  Commit the configuration.
Click Commit.
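The User Domain / Username Modifier rules in Step 2 are easy to get wrong when users type the domain themselves. The following Python is an added example, not PAN-OS code: it reproduces the three documented modifier settings for input typed as `user`, `DOMAIN\user` or `user@domain`. One detail is an assumption of this example rather than something the guide states: when the User Domain is blank and the modifier still contains %USERDOMAIN%, the separator the modifier placed next to the domain is dropped together with the domain, so `OLDDOM\alice` becomes `alice`.

```python
from typing import Tuple


def split_user_input(user_input: str) -> Tuple[str, str]:
    """Return (domain, user) for 'DOMAIN\\user', 'user@domain' or plain 'user';
    domain is '' when the user typed none."""
    if "\\" in user_input:
        domain, _, user = user_input.partition("\\")
        return domain, user
    if "@" in user_input:
        user, _, domain = user_input.rpartition("@")
        return domain, user
    return "", user_input


def apply_username_modifier(user_input: str, user_domain: str, modifier: str) -> str:
    """Produce the string the firewall submits to the authentication server.
    The three documented settings are:
      User Domain blank, modifier '%USERINPUT%'               -> input unchanged
      User Domain set,   modifier '%USERDOMAIN%\\%USERINPUT%' -> domain prepended
      User Domain set,   modifier '%USERINPUT%@%USERDOMAIN%'  -> domain appended
    When the modifier contains %USERDOMAIN%, the configured User Domain replaces
    any domain the user typed; with a blank User Domain the typed domain is removed."""
    if "%USERDOMAIN%" not in modifier:
        return modifier.replace("%USERINPUT%", user_input)
    _, bare_user = split_user_input(user_input)
    result = modifier.replace("%USERINPUT%", bare_user).replace("%USERDOMAIN%", user_domain)
    if not user_domain:
        # Assumption in this example: with no User Domain configured, the
        # separator the modifier placed around %USERDOMAIN% goes with the domain.
        result = result.strip("\\@")
    return result


if __name__ == "__main__":
    # Constructed inputs covering the documented settings plus a user-typed domain.
    cases = [
        ("alice",           "",           "%USERINPUT%"),
        ("CORP\\alice",     "",           "%USERINPUT%"),
        ("alice",           "CORP",       "%USERDOMAIN%\\%USERINPUT%"),
        ("OLDDOM\\alice",   "CORP",       "%USERDOMAIN%\\%USERINPUT%"),
        ("alice@old.local", "corp.local", "%USERINPUT%@%USERDOMAIN%"),
        ("OLDDOM\\alice",   "",           "%USERDOMAIN%\\%USERINPUT%"),
    ]
    for typed, domain, mod in cases:
        sent = apply_username_modifier(typed, domain, mod)
        print(f"{typed:18} User Domain={domain or '(blank)':12} {mod:26} -> {sent}")
```

Run the table before committing a profile whose backend is picky about the `DOMAIN\user` versus `user@realm` form; the fourth and fifth cases show that a domain typed by the user is overridden, not concatenated, once %USERDOMAIN% is in the modifier.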


Set Up Client Certificate Authentication

With the optional client certificate authentication, the agent/app presents a client certificate along with its connection request to the GlobalProtect portal or gateway. The portal or gateway can use either a shared or unique client certificate to validate that the user or device belongs to your organization.
The methods for deploying client certificates depend on the security requirements for your organization:
• Deploy Shared Client Certificates for Authentication
• Deploy Machine Certificates for Authentication
• Deploy User-Specific Client Certificates for Authentication

Deploy Shared Client Certificates for Authentication

To confirm that an endpoint user belongs to your organization, you can use the same client certificate for all endpoints or generate separate certificates to deploy with a particular agent configuration. Use this workflow to issue self-signed client certificates for this purpose and deploy them from the portal. Because every endpoint that receives the configuration holds the same certificate and private key, a shared certificate proves only that the endpoint received that configuration; it does not identify an individual user, so pair it with user authentication as described in Step 2.

Deploy Shared Client Certificates for Authentication

Step 1  Generate a certificate to deploy to multiple GlobalProtect clients.
1. Create the root CA certificate for issuing self-signed certificates for the GlobalProtect components.
2. Select Device > Certificate Management > Certificates > Device Certificates and then click Generate.
3. Use the Local certificate type (the default).
4. Enter a Certificate Name. This name cannot contain spaces.
5. In the Common Name field, enter a name to identify this certificate as an agent certificate, for example GP_Windows_clients. Because this same certificate will be deployed to all agents using the same configuration, it does not need to uniquely identify a specific user or endpoint.
6. In the Signed By field, select your root CA.
7. Select an OCSP Responder to verify the revocation status of certificates.
8. Click OK to generate the certificate.

Step 2  Set Up Two-Factor Authentication.
Configure authentication settings in a GlobalProtect portal agent configuration to enable the portal to transparently deploy the client certificate that is Local to the firewall to clients that receive the configuration.


Deploy Machine Certificates for Authentication

To confirm that the endpoint belongs to your organization, use your own public key infrastructure (PKI) to issue and distribute machine certificates to each endpoint (recommended) or generate a self-signed machine certificate for export. With the pre-logon connect methods, a machine certificate is required and must be installed on the endpoint before GlobalProtect components will grant access.
A machine certificate confirms only the endpoint. To confirm the user as well, you must also configure an authentication profile to authenticate the user. See Two-factor authentication.
Use the following workflow to create the client certificate and manually deploy it to an endpoint. For more information, see About GlobalProtect User Authentication. For an example configuration, see Remote Access VPN (Certificate Profile).

Deploy Machine Certificates for Authentication

Step 1  Issue client certificates to GlobalProtect clients and endpoints. This enables the GlobalProtect portal and gateways to validate that the device belongs to your organization.
1. Create the root CA certificate for issuing self-signed certificates for the GlobalProtect components.
2. Select Device > Certificate Management > Certificates > Device Certificates and then click Generate.
3. Enter a Certificate Name. The certificate name cannot contain any spaces.
4. Configure cryptographic settings for the certificate, including the encryption Algorithm, key length (Number of Bits), Digest algorithm (use sha1, sha256, or sha384; sha512 is not supported with client certificates; prefer sha256 or sha384 over sha1), and Expiration (in days) for the certificate.
   If the firewall is in FIPS-CC mode and the key generation algorithm is RSA, the RSA keys must be 2,048 bits or larger.
5. In the Certificate Attributes section, Add and define the attributes that identify the GlobalProtect clients as belonging to your organization, as required by your security requirements. Keep in mind that if you add a Host Name attribute (which populates the SAN field of the certificate), it must be the same as the value you defined for the Common Name.
6. In the Signed By field, select your root CA.
7. Select an OCSP Responder to verify the revocation status of certificates.
8. Click OK to generate the certificate.


Step 2  Install certificates in the personal certificate store on the endpoints.
If you are using unique user certificates or machine certificates, you must install each certificate in the personal certificate store on the endpoint prior to the first portal or gateway connection.
• Install machine certificates to the Local Computer certificate store on Windows and in the System Keychain on Mac OS.
• Install user certificates to the Current User certificate store on Windows and in the Personal Keychain on Mac OS.

For example, to install a certificate on a Windows system using the Microsoft Management Console:
1. From the command prompt, enter mmc to launch the console.
2. Select File > Add/Remove Snap-in.
3. Select Certificates, click Add and then select one of the following, depending on what type of certificate you are importing:
   • Computer account: Select this option if you are importing a machine certificate.
   • My user account: Select this option if you are importing a user certificate.
4. Expand Certificates and select Personal, and then in the Actions column select Personal > More Actions > All Tasks > Import and follow the steps in the Certificate Import Wizard to import the PKCS file you got from the CA.
5. Browse to the .p12 certificate file to import (select Personal Information Exchange as the file type to browse for) and enter the Password that you used to encrypt the private key. Select Personal as the Certificate store.


Step3 Verifythatthecertificatehasbeen Navigatetothepersonalcertificatestore:


addedtothepersonalcertificatestore.

Step 4   Import the root CA certificate used to issue the client certificates onto the firewall.
   This step is required only if an external CA issued the client certificates, such as a public CA or an enterprise PKI CA. If you are using self-signed certificates, the root CA is already trusted by the portal and gateways.
   1. Download the root CA certificate used to issue the client certificates (Base64 format).
   2. Import the root CA certificate from the CA that generated the client certificates onto the firewall:
      a. Select Device > Certificate Management > Certificates > Device Certificates and click Import.
      b. Use the Local certificate type (the default).
      c. Enter a Certificate Name that identifies the certificate as your client CA certificate.
      d. Browse to the Certificate File you downloaded from the CA.
      e. Select Base64 Encoded Certificate (PEM) as the File Format and then click OK.
      f. Select the certificate you just imported on the Device Certificates tab to open it.
      g. Select Trusted Root CA and then click OK.

Step 5   Create a client certificate profile.
   1. Select Device > Certificates > Certificate Management > Certificate Profile, click Add, and enter a profile Name.
   2. Select a value for the Username Field to specify which field in the certificate will contain the user's identity information.
      If you plan to configure the portal or gateways to authenticate users with certificates only, you must specify the Username Field. This enables GlobalProtect to associate a username with the certificate.
      If you plan to set up the portal or gateway for two-factor authentication, you can leave the default value of None, or, to add an additional layer of security, specify a username. If you specify a username, your external authentication service verifies that the username in the client certificate matches the username requesting authentication. This ensures that the user is the one to which the certificate was issued.
      Users cannot change the username that is included in the certificate.
   3. In the CA Certificates field, click Add, select the Trusted Root CA certificate you imported in Step 4 and then click OK.


Step 6   Save the configuration.
   Click Commit.

Deploy User-Specific Client Certificates for Authentication

To authenticate individual users, you must issue a unique client certificate to each GlobalProtect user and deploy the client certificate to the endpoints prior to enabling GlobalProtect. To automate the generation and deployment of user-specific client certificates, you can configure your GlobalProtect portal to act as a Simple Certificate Enrollment Protocol (SCEP) client to a SCEP server in your enterprise PKI.
SCEP operation is dynamic in that the enterprise PKI generates a user-specific certificate when the portal requests it and sends the certificate to the portal. The portal then transparently deploys the certificate to the client. When a user requests access, the agent or app can then present the client certificate to authenticate with the portal or gateway.
The GlobalProtect portal or gateway uses identifying information about the device and user to evaluate whether to permit access to the user. GlobalProtect blocks access if the host ID is on a device block list or if the session matches any blocking options specified in a certificate profile. If client authentication fails due to an invalid SCEP-based client certificate, the GlobalProtect client tries to authenticate with the portal per the settings in the authentication profile and retrieve the certificate. If the client cannot retrieve the certificate from the portal, the device is not able to connect.

Deploy User-Specific Client Certificates for Authentication

Step 1   Create a SCEP profile.
   1. Select Device > Certificate Management > SCEP and then Add a new profile.
   2. Enter a Name to identify the SCEP profile.
   3. If this profile is for a firewall with multiple virtual systems capability, select a virtual system or Shared as the Location where the profile is available.

Step 2   (Optional) To make the SCEP-based certificate generation more secure, configure a SCEP challenge-response mechanism between the PKI and portal for each certificate request.
   After you configure this mechanism, its operation is invisible, and no further input from you is necessary.
   To comply with the U.S. Federal Information Processing Standard (FIPS), use a Dynamic SCEP challenge and specify a Server URL that uses HTTPS (see Step 7).
   Select one of the following options:
   - None (Default): The SCEP server does not challenge the portal before it issues a certificate.
   - Fixed: Obtain the enrollment challenge password from the SCEP server in the PKI infrastructure and then enter the password into the Password field.
   - Dynamic: Enter a username and password of your choice (possibly the credentials of the PKI administrator) and the SCEP Server URL where the portal-client submits these credentials. The portal uses the credentials to authenticate with the SCEP server, which transparently generates an OTP password for the portal upon each certificate request. (You can see this OTP change after a screen refresh in the "The enrollment challenge password is" field after each certificate request.) The PKI transparently passes each new password to the portal, which then uses the password for its certificate request.


Step 3   Specify the settings for the connection between the SCEP server and the portal to enable the portal to request and receive client certificates.
   When a user attempts to log in to the portal, the endpoint sends identifying information about it that includes its host ID value. The host ID value varies by device type, either GUID (Windows), MAC address of the interface (Mac), Android ID (Android devices), UDID (iOS devices), or a unique name that GlobalProtect assigns (Chrome).
   You can include additional information about the client device or user by specifying tokens in the Subject name of the certificate. The portal includes the token value and host ID in the CSR request to the SCEP server.
   1. Configure the Server URL that the portal uses to reach the SCEP server in the PKI (for example, http://10.200.101.1/certsrv/mscep/).
   2. Enter a string (up to 255 characters in length) in the CA-IDENT Name field to identify the SCEP server.
   3. Enter the Subject name to use in the certificates generated by the SCEP server. The subject must be a distinguished name in the <attribute>=<value> format and must include a common name (CN) key. The CN supports the following dynamic variables: $USERNAME, $EMAILADDRESS, and $HOSTID. Use the username or email address variable to ensure that the portal requests certificates for a specific user. To request certificates for the device only, specify the host ID variable.
      When the GlobalProtect portal pushes the SCEP settings to the agent, the CN portion of the subject name is replaced with the actual value (username, host ID, or email address) of the certificate owner (for example, O=acme,CN=$HOSTID).
   4. Select the Subject Alternative Name Type:
      - RFC 822 Name: Enter the email name in a certificate's subject or Subject Alternative Name extension.
      - DNS Name: Enter the DNS name used to evaluate certificates.
      - Uniform Resource Identifier: Enter the name of the resource from which the client will obtain the certificate.
      - None: Do not specify attributes for the certificate.

Step 4   (Optional) Configure cryptographic settings for the certificate.
   Select the key length (Number of Bits) for the certificate. If the firewall is in FIPS-CC mode and the key generation algorithm is RSA, the RSA keys must be 2,048 bits or larger.
   Select the Digest for CSR, which indicates the digest algorithm for the certificate signing request (CSR): sha1, sha256, or sha384. Sha512 is not supported as a digest algorithm for client certificates on GlobalProtect endpoints.

Step 5   (Optional) Configure the permitted uses of the certificate, either for signing or encryption.
   To use this certificate for signing, select the Use as digital signature checkbox. This enables the endpoint to use the private key in the certificate to validate a digital signature.
   To use this certificate for encryption, select the Use for key encipherment checkbox. This enables the client to use the private key in the certificate to encrypt data exchanged over the HTTPS connection established with the certificates issued by the SCEP server.

Step 6   (Optional) To ensure that the portal is connecting to the correct SCEP server, enter the CA Certificate Fingerprint. Obtain this fingerprint from the SCEP server interface in the Thumbprint field.
   1. Enter the URL for the SCEP server's administrative UI (for example, http://<hostname or IP>/CertSrv/mscep_admin/).
   2. Copy the thumbprint and enter it in the CA Certificate Fingerprint field.


Step 7   Enable mutual SSL authentication between the SCEP server and the GlobalProtect portal. This is required to comply with the U.S. Federal Information Processing Standard (FIPS).
   FIPS-CC operation is indicated on the firewall login page and in its status bar.
   Select the SCEP server's root CA Certificate. Optionally, you can enable mutual SSL authentication between the SCEP server and the GlobalProtect portal by selecting a Client Certificate.

Step 8   Save and commit the configuration.
   1. Click OK to save the settings and close the SCEP configuration.
   2. Commit the configuration.
      The portal attempts to request a CA certificate using the settings in the SCEP profile and saves it to the firewall hosting the portal. If successful, the CA certificate is shown in Device > Certificate Management > Certificates.

Step 9   (Optional) If, after saving the SCEP profile, the portal fails to obtain the certificate, you can manually generate a certificate signing request (CSR) from the portal.
   1. Select Device > Certificate Management > Certificates > Device Certificates and then click Generate.
   2. Enter a Certificate Name. This name cannot contain spaces.
   3. Select the SCEP Profile to use to submit a CSR to your enterprise PKI.
   4. Click OK to submit the request and generate the certificate.

Step 10   Set Up Two-Factor Authentication.
   Assign the SCEP profile to a GlobalProtect portal agent configuration to enable the portal to transparently request and deploy client certificates to clients that receive the configuration.
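As an added example (not PAN-OS or Palo Alto Networks code), the following Python script lints a SCEP profile against the constraints stated in Steps 2 through 7 before you commit it: a CN key carrying a dynamic variable, a supported CSR digest, the RSA key length in FIPS-CC mode, a Dynamic challenge over HTTPS for FIPS, and a configured CA fingerprint. The ScepProfile class, the lint rules, the hex-thumbprint format and the sample values are assumptions of this example, not a PAN-OS API.

```python
"""Added example (not PAN-OS code): a pre-commit lint for the SCEP profile
settings described in Steps 2 through 7.  Field names mirror the GUI labels;
the ScepProfile class and the lint rules are this example's own construction."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

SUBJECT_VARIABLES = ("$USERNAME", "$EMAILADDRESS", "$HOSTID")
ALLOWED_DIGESTS = ("sha1", "sha256", "sha384")   # sha512 is not supported for client certs
FIPS_MIN_RSA_BITS = 2048                         # FIPS-CC mode: RSA keys must be >= 2,048 bits
CHALLENGE_TYPES = ("none", "fixed", "dynamic")


@dataclass
class ScepProfile:
    name: str
    server_url: str            # SCEP Server URL (Step 3)
    ca_ident: str              # CA-IDENT Name, at most 255 characters
    subject: str               # for example "O=acme,CN=$HOSTID"
    challenge: str = "none"    # Step 2: none | fixed | dynamic
    challenge_url: str = ""    # Server URL the portal submits the challenge credentials to
    key_bits: int = 2048       # Number of Bits (Step 4)
    digest: str = "sha256"     # Digest for CSR (Step 4)
    ca_fingerprint: str = ""   # CA Certificate Fingerprint (Step 6)


def parse_subject(subject: str) -> dict:
    """Split an <attribute>=<value> DN such as 'O=acme,CN=$HOSTID' into a dict."""
    rdns = {}
    for rdn in subject.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn.strip()!r}")
        rdns[attr.strip().upper()] = value.strip()
    return rdns


def render_subject(subject: str, username: str, email: str, host_id: str) -> str:
    """Substitute the dynamic CN variables, as the portal does when it pushes the
    SCEP settings to an agent (host_id is the per-device value: GUID, MAC, ...)."""
    return (subject.replace("$USERNAME", username)
                   .replace("$EMAILADDRESS", email)
                   .replace("$HOSTID", host_id))


def lint_profile(p: ScepProfile, fips_cc: bool) -> list:
    """Return a list of findings; an empty list means the profile passes every check."""
    findings = []
    if len(p.ca_ident) > 255:
        findings.append("CA-IDENT Name exceeds 255 characters")
    try:
        cn = parse_subject(p.subject).get("CN")
        if cn is None:
            findings.append("Subject must include a common name (CN) attribute")
        elif not any(v in cn for v in SUBJECT_VARIABLES):
            findings.append("warning: CN has no $USERNAME/$EMAILADDRESS/$HOSTID variable, "
                            "so every endpoint would enrol with the same identity")
    except ValueError as exc:
        findings.append(f"Subject is not a valid distinguished name: {exc}")
    if p.digest not in ALLOWED_DIGESTS:
        findings.append(f"Digest for CSR {p.digest!r} is not supported for client certificates")
    if fips_cc and p.key_bits < FIPS_MIN_RSA_BITS:
        findings.append(f"FIPS-CC mode requires RSA keys of at least {FIPS_MIN_RSA_BITS} bits")
    if p.challenge not in CHALLENGE_TYPES:
        findings.append(f"unknown challenge type {p.challenge!r}")
    elif fips_cc:
        if p.challenge != "dynamic":
            findings.append("FIPS compliance calls for a Dynamic SCEP challenge")
        elif urlparse(p.challenge_url).scheme != "https":
            findings.append("Dynamic challenge Server URL must use HTTPS in FIPS mode")
    # Assumption: the fingerprint is the hex SHA-1 or SHA-256 thumbprint shown by the SCEP admin UI.
    digits = re.sub(r"[\s:]", "", p.ca_fingerprint)
    if not digits:
        findings.append("no CA Certificate Fingerprint: the portal cannot confirm it reached "
                        "the intended SCEP server")
    elif not re.fullmatch(r"[0-9a-fA-F]{40}|[0-9a-fA-F]{64}", digits):
        findings.append("CA Certificate Fingerprint is not a 40- or 64-digit hex thumbprint")
    return findings


if __name__ == "__main__":
    # Constructed sample values; the URLs and the fingerprint are placeholders.
    profile = ScepProfile(name="gp-users", server_url="https://pki.example.test/certsrv/mscep/",
                          ca_ident="corp-ndes", subject="O=acme,CN=$USERNAME",
                          challenge="dynamic",
                          challenge_url="https://pki.example.test/certsrv/mscep_admin/",
                          ca_fingerprint="ab" * 20)
    for finding in lint_profile(profile, fips_cc=True) or ["profile passes all checks"]:
        print(finding)
    print(render_subject(profile.subject, "jdoe", "jdoe@example.test", "DEVICE-GUID"))
```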

Set Up Two-Factor Authentication

If you require strong authentication to protect sensitive assets or to comply with regulatory requirements, such as PCI, SOX, or HIPAA, configure GlobalProtect to use an authentication service that uses a two-factor authentication scheme. A two-factor authentication scheme requires two things: something the end user knows (such as a PIN or password) and something the end user has (a hardware or software token/OTP, smart card, or certificate). You can also enable two-factor authentication using a combination of external authentication services, and client and certificate profiles.
The following topics provide examples for how to set up two-factor authentication on GlobalProtect:
- Enable Two-Factor Authentication Using Certificate and Authentication Profiles
- Enable Two-Factor Authentication Using One-Time Passwords (OTPs)
- Enable Two-Factor Authentication Using Smart Cards


Enable Two-Factor Authentication Using Certificate and Authentication Profiles

The following workflow describes how to configure GlobalProtect client authentication requiring the user to authenticate both to a certificate profile and an authentication profile. The user must successfully authenticate using both methods in order to connect to the portal/gateway. For more details on this configuration, see Remote Access VPN with Two-Factor Authentication.

Enable Two-Factor Authentication Using Certificate and Authentication Profiles

Step 1   Create an authentication server profile.
   The authentication server profile determines how the firewall connects to an external authentication service and retrieves the authentication credentials for your users.
   If you are using LDAP to connect to Active Directory (AD), you must create a separate LDAP server profile for every AD domain.
   1. Select Device > Server Profiles and a profile type (LDAP, Kerberos, RADIUS, or TACACS+).
   2. Add a new server profile.
   3. Enter a Profile Name for the profile, such as GPUserAuth.
   4. (LDAP only) Select the Type of LDAP server (active-directory, e-directory, sun, or other).
   5. Click Add in the Servers list section and then enter the required information for connections to the authentication service, including the server Name, IP address or FQDN of the Server, and Port.
   6. (RADIUS, TACACS+, and LDAP only) Specify settings to enable the firewall to authenticate to the authentication service as follows:
      - RADIUS and TACACS+: Enter the shared Secret when adding the server entry.
      - LDAP: Enter the Bind DN and Password.
   7. (LDAP only) If you want the endpoint to use SSL or TLS for a more secure connection with the directory server, select the Require SSL/TLS secured connection checkbox (selected by default). The protocol that the device uses depends on the server Port in the Server list:
      - 389 (default): TLS (specifically, the device uses the StartTLS operation to upgrade the initial plaintext connection to TLS).
      - 636: SSL.
      - Any other port: The device first attempts to use TLS. If the directory server does not support TLS, the device uses SSL.
   8. (LDAP only) For additional security, select the Verify Server Certificate for SSL sessions checkbox so that the endpoint verifies the certificate that the directory server presents for SSL/TLS connections. To enable verification, you also must select the Require SSL/TLS secured connection checkbox.
      For verification to succeed, one of the following conditions must be true:
      - The certificate is in the list of device certificates: Device > Certificate Management > Certificates > Device Certificates. Import the certificate into the endpoint if necessary.
      - The certificate signer is in the list of trusted certificate authorities: Device > Certificate Management > Certificates > Default Trusted Certificate Authorities.
   9. Click OK to save the server profile.


Step 2   Create an authentication profile that identifies the service for authenticating users. (You later have the option of assigning the profile on the portal and on gateways.)
   1. Select Device > Authentication Profile and Add a new profile.
   2. Enter a Name for the profile.
   3. Select the Location.
   4. Select the Type of Authentication (LDAP, Kerberos, RADIUS, or TACACS+).
   5. Select the Server Profile you created in Step 1.
   6. (LDAP only) Enter sAMAccountName as the Login Attribute.
   7. Click OK to save the authentication profile.

Step 3   Create a client certificate profile that the portal uses to authenticate the client certificates that come from user devices.
   When you configure two-factor authentication to use client certificates, the external authentication service uses the username value, if specified, in the client certificate to authenticate the user. This ensures that the user who is logging in is actually the user to whom the certificate was issued.
   1. Select Device > Certificates > Certificate Management > Certificate Profile and click Add and enter a profile Name.
   2. Select a value for the Username Field:
      - If you intend for the client certificate to authenticate individual users, select the certificate field that identifies the user.
      - If you are deploying the client certificate from the portal, leave this field set to None.
      - If you are setting up a certificate profile for use with a pre-logon connect method, leave the field set to None.
   3. In the CA Certificates area, click Add and then:
      a. Select the CA certificate, either a trusted root CA certificate or the CA certificate from a SCEP server. (If necessary, import the certificate.)
      b. (Optional) Enter the Default OCSP URL.
      c. (Optional) Select a certificate for OCSP Verify CA.
   4. (Optional) Select options that specify when to block the user's requested session:
      a. Status of certificate is unknown.
      b. GlobalProtect component does not retrieve certificate status within the number of seconds in Certificate Status Timeout.
      c. The authenticating device that is considering the login request did not issue the certificate that the user is offering.
   5. Click OK.

Step 4   (Optional) Issue client certificates to GlobalProtect users/machines.
   To transparently deploy client certificates, configure your portal to distribute a shared client certificate to your endpoints or configure the portal to use SCEP to request and deploy unique client certificates for each user.
   1. Use your enterprise PKI or a public CA to issue a client certificate to each GlobalProtect user.
   2. For the pre-logon connect methods, install certificates in the personal certificate store on the client systems.

Step 5   Save the GlobalProtect configuration.
   Click Commit.


Enable Two-Factor Authentication Using One-Time Passwords (OTPs)

Use this workflow to configure two-factor authentication using one-time passwords (OTPs) on the portal and gateways. When a user requests access, the portal or gateway prompts the user to enter an OTP. The authentication service sends the OTP as a token to the user's RSA device.
Setting up a two-factor authentication scheme is similar to setting up other types of authentication and requires you to configure:
- A server profile (usually for a RADIUS service for two-factor authentication) assigned to an authentication profile.
- A client authentication profile that includes the authentication profile for the service that these components use.
By default, the agent supplies the same credentials it used to log in to the portal and to the gateway. In the case of OTP authentication, this behavior will cause the authentication to initially fail on the gateway and, because of the delay this causes in prompting the user for a login, the user's OTP may expire. To prevent this, you must configure the portals and gateways that prompt for the OTP instead of using the same credentials on a per-agent-configuration basis.
You can also reduce the frequency with which users are prompted for OTPs by configuring an authentication override. This enables the portals and gateways to generate and accept a secure, encrypted cookie to authenticate the user for a specified amount of time. The portals and/or gateways will not require a new OTP until the cookie expires, thus reducing the number of times users must provide an OTP.

Enable Two-Factor Authentication Using OTPs

Step 1   After you have configured the back-end RADIUS service to generate tokens for the OTPs and ensured users have any necessary devices (such as a hardware token), set up a RADIUS server to interact with the firewall.
   For specific instructions, refer to the documentation for your RADIUS server. In most cases, you need to set up an authentication agent and a client configuration on the RADIUS server to enable communication between the firewall and the RADIUS server. You also define the shared secret to use for encrypting sessions between the firewall and the RADIUS server.

Step 2   On each firewall that hosts the gateways and/or portal, create a RADIUS server profile. (For a small deployment, one firewall can host the portal and gateways.)
   When creating the RADIUS server profile, always enter a Domain name. This value serves as the default domain for User-ID mapping if users don't supply a User-ID upon login.
   1. Select Device > Server Profiles > RADIUS.
   2. Add a new profile.
   3. Enter a Name for this RADIUS profile.
   4. Enter a RADIUS Domain name.
   5. In the Servers area, Add a RADIUS instance and enter:
      - A descriptive Name to identify this RADIUS server
      - The RADIUS Server IP address
      - The shared Secret for encrypting sessions between the firewall and the RADIUS server
      - The Port number on which the RADIUS server listens for authentication requests (default 1812)
   6. Click OK to save the profile.


Step 3   Create an authentication profile.
   1. Select Device > Authentication Profile.
   2. Add a new profile.
   3. Enter a Name for the profile. The name cannot contain spaces.
   4. Select RADIUS as the Type of authentication service.
   5. Select the Server Profile you created for accessing your RADIUS server.
   6. Click OK to save the authentication profile.

Step 4   Assign the authentication profile to the GlobalProtect gateway(s) and/or portal.
   You can configure multiple Client Authentication configurations for the portal and gateways. For each Client Authentication configuration you can specify the authentication profile to apply to endpoints of a specific OS.
   This step describes only how to add the authentication profile to the gateway or portal configuration. For additional details on setting up these components, see Configure GlobalProtect Gateways and Configure the GlobalProtect Portal.
   1. Select Network > GlobalProtect > Gateways and an existing gateway configuration by name (or Add one). If you are adding a new gateway, specify its name, location, and network parameters.
   2. On the Authentication tab, select an SSL/TLS service profile or Add a new profile.
   3. Add a Client Authentication configuration and enter its Name.
   4. Select the endpoint OS to which this configuration applies.
   5. Select the Authentication Profile you created in Create an authentication profile.
   6. (Optional) Enter a custom authentication message.
   7. To add additional Client Authentication configurations, repeat steps 3 through 6.
   8. Click OK to save the configuration.
   9. To add other gateways, repeat steps 2 through 8.
   10. To assign the authentication profile to the portal, select Network > GlobalProtect > Portals and repeat steps 2 through 8.

Step 5   (Optional) Configure the portal or gateways to prompt for a username and password or only a password each time the user logs in. Saving the password is not supported with two-factor authentication using OTPs because the user must enter a dynamic password each time they log in.
   This step describes only how to configure the password setting in a portal agent configuration. For additional details, see Customize the GlobalProtect Agent.
   1. Select Network > GlobalProtect > Portals and select an existing portal configuration.
   2. Select Agent.
   3. Select an existing agent configuration or Add one.
   4. Set Save User Credentials to Save Username Only or No. This setting enables GlobalProtect to prompt for dynamic passwords for each component you select in the following step.
   5. Click OK twice to save the configuration.


Step 6   Select the GlobalProtect components (portal and types of gateways) that prompt for dynamic passwords, such as OTPs, instead of using saved credentials.
   1. Select Network > GlobalProtect > Portals and select an existing portal configuration.
   2. Select Agent.
   3. Select an existing agent configuration or Add one.
   4. Select the Authentication tab, and then select the Components that Require Dynamic Passwords (Two-Factor Authentication). When selected, the portal and/or types of gateways prompt for OTPs.
   5. Click OK twice to save the configuration.

Step 7   If single sign-on (SSO) is enabled, disable it. The agent configuration specifies RADIUS as the authentication service, so Kerberos SSO is not supported.
   This step describes only how to disable SSO. For more details, see Define the GlobalProtect Agent Configurations.
   1. Select Network > GlobalProtect > Portals and select the portal configuration.
   2. Select Agent and then select the agent configuration (or Add one).
   3. Select the App tab.
   4. Set Use Single Sign-on to No.
   5. Click OK twice to save the configuration.


Step 8   (Optional) To minimize the number of times a user must provide credentials, configure an authentication override.
   By default, the portal or gateways authenticate the user with an authentication profile and optional certificate profile. With authentication override, the portal or gateway authenticates the user with an encrypted cookie that it has deployed to the endpoint. While the cookie is valid, the user can log in without entering regular credentials or an OTP. For more information, see Cookie Authentication on the Portal or Gateway.
   If you need to immediately block access to a device whose cookie has not yet expired (for example, if the device is lost or stolen), you can Block Device Access by adding the device to a block list. For more details, see Configure GlobalProtect Gateways and Configure the GlobalProtect Portal.
   1. Select Network > GlobalProtect > Gateways or Portals and select the configuration (or Add one).
   2. Select Agent > Client Settings (on the gateway) or Agent (on the portal) and then select the configuration (or Add one).
   3. In the Authentication Override area, configure the following:
      - Generate cookie for authentication override: Enable the portal or gateway to generate encrypted, endpoint-specific cookies. After users successfully authenticate, the portal or gateway issues the authentication cookie to the endpoint.
      - Cookie Lifetime: Specify the hours, days, or weeks that the cookie is valid. Typical lifetime is 24 hours for gateways which protect sensitive information or 15 days for the portal. The range for hours is 1-72; for weeks, 1-52; and for days, 1-365. After the cookie expires on either the portal or gateway (whichever occurs first), the portal or gateway prompts the user to authenticate and subsequently encrypts a new cookie to send to the endpoint.
      - Accept cookie for authentication override: Select the checkbox to instruct the portal or gateway to authenticate the user through a valid, encrypted cookie. When the endpoint presents a valid cookie, the portal or gateway verifies that the cookie was encrypted by the portal or gateway, decrypts the cookie, and then authenticates the user.
      - Certificate to Encrypt/Decrypt Cookie: Select the RSA certificate to use to encrypt and decrypt the cookie. You must use the same certificate on the portal and gateways.
        As a best practice, configure the RSA certificate to use the strongest digest algorithm that your network supports.
        The portal and gateways use the RSA encrypt padding scheme PKCS#1 V1.5 to generate the cookie (using the public key of the certificate) and decrypt the cookie (using the private key of the certificate).
   4. Click OK twice to save the configuration.

Step 9   Commit the configuration.
   Click Commit.


Step 10   Verify the configuration.
   The gateway and portal must be configured before you take this step. For details on setting up these components, see Configure GlobalProtect Gateways and Configure the GlobalProtect Portal.
   From an endpoint running the GlobalProtect agent, try to connect to a gateway or portal on which you enabled OTP authentication. You should see two prompts similar to the following:
   The first prompt requests a PIN (either a user- or system-generated PIN):
   The second prompt requests your token or OTP:

Enable Two-Factor Authentication Using Smart Cards

If you want to enable your end users to authenticate using a smart card or common access card (CAC), you must import the Root CA certificate that issued the certificates contained on the end user CAC or smart cards onto the portal and gateway. You can then create a certificate profile that includes that Root CA and apply it to your portal and/or gateway configurations to enable use of the smart card in the authentication process.

Enable Smart Card Authentication

Step 1   Set up your smart card infrastructure.
   This procedure assumes that you have deployed smart cards and smart card readers to your end users.
   For specific instructions, refer to the documentation for the user authentication provider software.
   In most cases, setting up the smart card infrastructure involves generating certificates for end users and for the participating servers, which are the GlobalProtect portal and gateway(s) in this use case.


Step 2   Import the Root CA certificate that issued the client certificates contained on the end user smart cards.
   Make sure the certificate is accessible from your management system and then complete the following steps:
   1. Select Device > Certificate Management > Certificates > Device Certificates.
   2. Click Import and enter a Certificate Name.
   3. Enter the path and name to the Certificate File received from the CA, or Browse to find the file.
   4. Select Base64 Encoded Certificate (PEM) as the File Format and then click OK to import the certificate.

Step 3   Create the certificate profile.
   For details on other certificate profile fields, such as whether to use CRL or OCSP, refer to the online help.
   Create the certificate profile on each portal/gateway on which you plan to use CAC or smart card authentication:
   1. Select Device > Certificate Management > Certificate Profile and click Add and enter a profile Name.
   2. In the Username field, select the certificate field that PAN-OS uses to match the IP address for User-ID, either Subject to use a common name, Subject Alt: Email to use an email address, or Subject Alt: Principal Name to use the Principal Name.
   3. In the CA Certificates field, click Add, select the trusted root CA Certificate you imported in Step 2 and then click OK.
   4. Click OK to save the certificate profile.

Step 4   Assign the certificate profile to the gateway(s) or portal.
   This section describes only how to add the certificate profile to the gateway or portal configuration. For details on setting up these components, see Configure GlobalProtect Gateways and Configure the GlobalProtect Portal.
   1. Select Network > GlobalProtect > Gateways or Portals and select the configuration (or Add a new one).
   2. On the Authentication tab, select the Certificate Profile you just created.
   3. Click OK to save the configuration.

Step 5   Save the configuration.
   Click Commit.


Step 6   Verify the configuration.
   The gateway and portal must be configured before you take this step. For details on setting up these components, see Configure GlobalProtect Gateways and Configure the GlobalProtect Portal.
   From a client system running the GlobalProtect agent, try to connect to a gateway or portal on which you enabled OTP authentication. You should see two prompts similar to the following:
   The first prompt requests a PIN (either a user- or system-generated PIN):
   The second prompt requests your token or OTP:

Set Up Authentication for strongSwan Ubuntu and CentOS Clients

To extend GlobalProtect VPN remote access support to strongSwan Ubuntu and CentOS clients, set up authentication for the strongSwan clients.

To view the minimum GlobalProtect release version that supports strongSwan on Ubuntu Linux and CentOS, see What Client OS Versions are Supported with GlobalProtect?.

To connect to the GlobalProtect gateway, the user must successfully authenticate. The following workflows show examples of how to enable authentication for strongSwan clients. For complete information about strongSwan, see the strongSwan wiki.
- Enable Authentication Using a Certificate Profile
- Enable Authentication Using an Authentication Profile
- Enable Authentication Using Two-Factor Authentication


Enable Authentication Using a Certificate Profile

The following workflow shows how to enable authentication for strongSwan clients using a certificate profile.

Enable Authentication Using a Certificate Profile

Step 1   Configure an IPSec tunnel for the GlobalProtect gateway for communicating with a strongSwan client.
   1. Select Network > GlobalProtect > Gateways and then select the gateway name.
   2. Select the Certificate Profile you want to use for authentication in the Authentication tab.
   3. Select Agent > Tunnel Settings and specify the following settings to set up a tunnel:
      - Select the checkbox to Enable X-Auth Support.
      - If a Group Name and Group Password are already configured, remove them.
      - Click OK to save the settings.

Step 2   Verify that the default connection settings in the conn %default section of the IPSec tunnel configuration file (ipsec.conf) are correctly defined for the strongSwan client.
   The ipsec.conf file is usually found in the /etc folder.
   The configurations in this procedure are tested and verified for the following releases:
   - Ubuntu 14.0.4 with strongSwan 5.1.2 and CentOS 6.5 with strongSwan 5.1.3 for PAN-OS 6.1.
   - Ubuntu 14.0.4 with strongSwan 5.2.1 for PAN-OS 7.0.
   The configurations in this procedure can be used for reference if you are using a different version of strongSwan. Refer to the strongSwan wiki for more information.
   Modify the following settings in the conn %default section of the ipsec.conf file to these recommended settings.
       ikelifetime=20m
       reauth=yes
       rekey=yes
       keylife=10m
       rekeymargin=3m
       rekeyfuzz=0%
       keyingtries=1
       type=tunnel

Step 3   Modify the strongSwan client's IPSec configuration file (ipsec.conf) and the IPSec password file (ipsec.secrets) to use recommended settings.
   The ipsec.secrets file is usually found in the /etc folder.
   Use the strongSwan client username as the certificate's common name.
   Modify the following items in the ipsec.conf file to these recommended settings.
       conn <connection name>
           keyexchange=ikev1
           authby=rsasig
           ike=aes-sha1-modp1024,aes256
           left=<strongSwan/Linux-client-IP-address>
           leftcert=<client certificate with the strongSwan client username used as the certificate's common name>
           leftsourceip=%config
           leftauth2=xauth
           right=<GlobalProtect-Gateway-IP-address>
           rightid=CN=<Subject-name-of-gateway-certificate>
           rightsubnet=0.0.0.0/0
           auto=add
   Modify the following item in the ipsec.secrets file to this recommended setting.
       : RSA <private key file> <passphrase if used>


Step 4   Start strongSwan IPSec services and connect to the IPSec tunnel that you want the strongSwan client to use when authenticating to the GlobalProtect gateway.
   Use the config <name> variable to name the tunnel configuration.
   Ubuntu clients:
       ipsec start
       ipsec up <name>
   CentOS clients:
       strongswan start
       strongswan up <name>
Step 5   Verify that the tunnel is set up correctly and the VPN connection is established to both the strongSwan client and the GlobalProtect gateway.
   1. Verify the detailed status information on a specific connection (by naming the connection) or verify the status information for all connections from the strongSwan client:
      Ubuntu clients:
          ipsec statusall [<connection name>]
      CentOS clients:
          strongswan statusall [<connection name>]
   2. Select Network > GlobalProtect > Gateways. Then, in the Info column, select Remote Users for the gateway configured for the connection to the strongSwan client. The strongSwan client should be listed under Current Users.
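As an added example (not strongSwan or Palo Alto Networks code), the following Python script parses a strongSwan ipsec.conf and ipsec.secrets pair and reports where they diverge from the conn %default and client conn settings recommended in Steps 2 and 3 of this workflow. The parser, the expected-value tables and the embedded sample files are this example's own construction, and the sample addresses are documentation ranges rather than real hosts.

```python
"""Added example (not strongSwan or Palo Alto Networks code): check a strongSwan
ipsec.conf / ipsec.secrets pair against the settings recommended in Steps 2 and 3
of the certificate-profile workflow.  Parser, tables and samples are constructed here."""
import re

RECOMMENDED_DEFAULT = {            # conn %default values from Step 2
    "ikelifetime": "20m", "reauth": "yes", "rekey": "yes", "keylife": "10m",
    "rekeymargin": "3m", "rekeyfuzz": "0%", "keyingtries": "1", "type": "tunnel",
}
REQUIRED_CONN = {                  # fixed client conn values from Step 3
    "keyexchange": "ikev1", "authby": "rsasig", "leftsourceip": "%config",
    "leftauth2": "xauth", "rightsubnet": "0.0.0.0/0", "auto": "add",
}
SITE_SPECIFIC = ("left", "leftcert", "right", "rightid", "ike")   # must be filled in per site


def parse_ipsec_conf(text: str) -> dict:
    """Return {section header: {key: value}}.  An unindented line such as 'conn %default'
    opens a section, indented key=value lines belong to it, and '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] not in " \t":
            current = " ".join(line.split())
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"setting outside any section: {line.strip()!r}")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line.strip()!r}")
        sections[current][key.strip()] = value.strip()
    return sections


def effective_conn(sections: dict, name: str) -> dict:
    """Settings the conn actually runs with: conn %default, overridden by its own lines."""
    merged = dict(sections.get("conn %default", {}))
    merged.update(sections[f"conn {name}"])
    return merged


def check_conn(sections: dict, name: str) -> list:
    """Findings for conn %default and the named client conn; an empty list means OK."""
    findings = []
    default = sections.get("conn %default", {})
    for key, want in RECOMMENDED_DEFAULT.items():
        if default.get(key) != want:
            findings.append(f"conn %default: {key}={default.get(key)!r}, recommended {want}")
    if f"conn {name}" not in sections:
        return findings + [f"conn {name}: section missing"]
    conn = effective_conn(sections, name)
    for key, want in REQUIRED_CONN.items():
        if conn.get(key) != want:
            findings.append(f"conn {name}: {key}={conn.get(key)!r}, expected {want}")
    for key in SITE_SPECIFIC:
        if not conn.get(key) or conn[key].startswith("<"):   # template placeholder left in
            findings.append(f"conn {name}: {key} is not filled in")
    if conn.get("rightid") and not conn["rightid"].startswith("CN="):
        findings.append(f"conn {name}: rightid should be the gateway certificate subject, CN=...")
    return findings


def check_secrets(text: str) -> list:
    """ipsec.secrets needs a ': RSA <key file> [<passphrase>]' entry for the client key."""
    findings, rsa_entries = [], 0
    for raw in text.splitlines():
        m = re.match(r"^:\s*RSA\s+(\S+)(?:\s+(\S.*))?$", raw.split("#", 1)[0].strip())
        if m:
            rsa_entries += 1
            if m.group(2):   # a passphrase on this line sits in clear text on disk
                findings.append("ipsec.secrets: key passphrase stored in clear text; keep the file root-only")
    if rsa_entries == 0:
        findings.append("ipsec.secrets: no ': RSA <private key file>' entry for the client key")
    return findings


# Constructed sample files mirroring the recommended settings (addresses are documentation ranges).
SAMPLE_CONF = """\
conn %default
    ikelifetime=20m
    reauth=yes
    rekey=yes
    keylife=10m
    rekeymargin=3m
    rekeyfuzz=0%
    keyingtries=1
    type=tunnel

conn gp-gateway
    keyexchange=ikev1
    authby=rsasig
    ike=aes-sha1-modp1024,aes256
    left=192.0.2.10
    leftcert=jdoe.pem    # its CN is the strongSwan client username
    leftsourceip=%config
    leftauth2=xauth
    right=198.51.100.1
    rightid=CN=gp-gateway.example.test
    rightsubnet=0.0.0.0/0
    auto=add
"""
SAMPLE_SECRETS = ': RSA jdoe.key "passphrase-placeholder"\n'
```

To check a live client, read /etc/ipsec.conf and /etc/ipsec.secrets into the two functions in place of the sample strings; the second workflow's conn values (aggressive mode, longer lifetimes) need their own expected-value table.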

Enable Authentication Using an Authentication Profile

The following workflow shows how to enable authentication for strongSwan clients using an authentication profile. The authentication profile specifies which server profile to use when authenticating strongSwan clients.

Enable Authentication Using an Authentication Profile

Step1 SetuptheIPSectunnelthattheGlobalProtect 1. SelectNetwork > GlobalProtect > Gatewaysand


gatewaywilluseforcommunicatingwitha selectthegatewayname.
strongSwanclient. 2. SelecttheAuthentication Profileyouwanttousein
theAuthentication tab.
3. SelectAgent > Tunnel Settingsandspecifythe
followingsettingstosetupatunnel:
SelectthecheckboxtoEnable X-Auth Support.
EnteraGroup NameandGroup Passwordifthey
arenotalreadyconfigured.
ClickOKtosavethesetunnelsettings.


Step 2  Verify that the default connection settings in the conn %default section of the IPSec tunnel configuration file (ipsec.conf) are correctly defined for the strongSwan client.

    The ipsec.conf file is usually found in the /etc folder.

    The configurations in this procedure are tested and verified for the following releases:
    • Ubuntu 14.0.4 with strongSwan 5.1.2 and CentOS 6.5 with strongSwan 5.1.3 for PAN-OS 6.1.
    • Ubuntu 14.0.4 with strongSwan 5.2.1 for PAN-OS 7.0.
    The configurations in this procedure can be used for reference if you are using a different version of strongSwan. Refer to the strongSwan wiki for more information.

    In the conn %default section of the ipsec.conf file, configure the following recommended settings:
        ikelifetime=20m
        reauth=yes
        rekey=yes
        keylife=10m
        rekeymargin=3m
        rekeyfuzz=0%
        keyingtries=1
        type=tunnel

Step 3  Modify the strongSwan client's IPSec configuration file (ipsec.conf) and the IPSec password file (ipsec.secrets) to use recommended settings.

    The ipsec.secrets file is usually found in the /etc folder.
    Use the strongSwan client username as the certificate's common name.

    Configure the following recommended settings in the ipsec.conf file:
        conn <connection name>
            keyexchange=ikev1
            ikelifetime=1440m
            keylife=60m
            aggressive=yes
            ike=aes-sha1-modp1024,aes256
            esp=aes-sha1
            xauth=client
            left=<strongSwan/Linux-client-IP-address>
            leftid=@#<hex of Group Name configured in the GlobalProtect gateway>
            leftsourceip=%modeconfig
            leftauth=psk
            rightauth=psk
            leftauth2=xauth
            right=<gateway-IP-address>
            rightsubnet=0.0.0.0/0
            xauth_identity=<LDAP username>
            auto=add

    Configure the following recommended settings in the ipsec.secrets file:
        :PSK <Group Name configured in the gateway>
        <username> :XAUTH <user password>

Step 4  Start strongSwan IPSec services and connect to the IPSec tunnel that you want the strongSwan client to use when authenticating to the GlobalProtect gateway.

    Ubuntu clients:
        ipsec start
        ipsec up <name>

    CentOS clients:
        strongswan start
        strongswan up <name>


Step 5  Verify that the tunnel is set up correctly and the VPN connection is established to both the strongSwan client and the GlobalProtect gateway.

    1. Verify the detailed status information on a specific connection (by naming the connection) or verify the status information for all connections from the strongSwan client:
       Ubuntu clients:
           ipsec statusall [<connection name>]
       CentOS clients:
           strongswan statusall [<connection name>]
    2. Select Network > GlobalProtect > Gateways. Then, in the Info column, select Remote Users for the gateway configured for the connection to the strongSwan client. The strongSwan client should be listed under Current Users.

Enable Authentication Using Two-Factor Authentication

With two-factor authentication, the strongSwan client needs to successfully authenticate using both a certificate profile and an authentication profile to connect to the GlobalProtect gateway. The following workflow shows how to enable authentication for strongSwan clients using two-factor authentication.

Step 1  Set up the IPSec tunnel that the GlobalProtect gateway will use for communicating with a strongSwan client.

    1. Select Network > GlobalProtect > Gateways and select the gateway name.
    2. Select the Certificate Profile and Authentication Profile you want to use in the Authentication tab.
    3. Select Agent > Tunnel Settings and specify the following settings to set up a tunnel:
       • Select the check box to Enable X-Auth Support.
       • If a Group Name and Group Password are already configured, remove them.
       • Click OK to save these tunnel settings.


Step 2  Verify that the default connection settings in the conn %default section of the IPSec tunnel configuration file (ipsec.conf) are correctly defined for the strongSwan client.

    The ipsec.conf file usually resides in the /etc folder.

    The configurations in this procedure are tested and verified for the following releases:
    • Ubuntu 14.0.4 with strongSwan 5.1.2 and CentOS 6.5 with strongSwan 5.1.3 for PAN-OS 6.1.
    • Ubuntu 14.0.4 with strongSwan 5.2.1 for PAN-OS 7.0.
    Use the configurations in this procedure as a reference if you are using a different version of strongSwan. Refer to the strongSwan wiki for more information.

    Configure the following recommended settings in the ipsec.conf file:
        ikelifetime=20m
        reauth=yes
        rekey=yes
        keylife=10m
        rekeymargin=3m
        rekeyfuzz=0%
        keyingtries=1
        type=tunnel

Step 3  Modify the strongSwan client's IPSec configuration file (ipsec.conf) and the IPSec password file (ipsec.secrets) to use recommended settings.

    The ipsec.secrets file is usually found in the /etc folder.
    Use the strongSwan client username as the certificate's common name.

    Configure the following recommended settings in the ipsec.conf file:
        conn <connection name>
            keyexchange=ikev1
            authby=xauthrsasig
            ike=aes-sha1-modp1024
            esp=aes-sha1
            xauth=client
            left=<strongSwan/Linux-client-IP-address>
            leftcert=<client-certificate-without-password>
            leftsourceip=%config
            right=<GlobalProtect-gateway-IP-address>
            rightid=%anyCN=<Subject-name-of-gateway-cert>
            rightsubnet=0.0.0.0/0
            leftauth2=xauth
            xauth_identity=<LDAP username>
            auto=add

    Configure the following recommended settings in the ipsec.secrets file:
        <username> :XAUTH <user password>
        :RSA <private key file> <passphrase if used>
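The three Step 3 tables above (certificate profile, authentication profile, two-factor) each list a set of recommended ipsec.conf values, and the authentication-profile variant also needs the gateway Group Name converted to the hex form that leftid=@#<hex> expects. The following checker is an added example, not code from this guide or from the strongSwan project: it parses the ipsec.conf layout (section headers at column 0, indented key=value lines, # comments), merges conn %default into every connection the way strongSwan does, and reports where a connection deviates from the recommended values for the chosen workflow. The sample file, the connection name gp-cert, the addresses, the certificate file name and the group name gpgroup are all constructed for the example.

```python
"""Check a strongSwan ipsec.conf against the recommended GlobalProtect settings.

Added example, not from the guide or the strongSwan project. Sample values
(connection name, addresses, certificate file, group name) are constructed.
"""
import re

# Recommended conn %default settings, identical in all three workflows.
RECOMMENDED_DEFAULT = {
    "ikelifetime": "20m", "reauth": "yes", "rekey": "yes", "keylife": "10m",
    "rekeymargin": "3m", "rekeyfuzz": "0%", "keyingtries": "1", "type": "tunnel",
}

# Per-connection settings with a fixed recommended value, per workflow.
RECOMMENDED = {
    "certificate": {
        "keyexchange": "ikev1", "authby": "rsasig", "ike": "aes-sha1-modp1024,aes256",
        "leftsourceip": "%config", "leftauth2": "xauth",
        "rightsubnet": "0.0.0.0/0", "auto": "add",
    },
    "authprofile": {
        "keyexchange": "ikev1", "ikelifetime": "1440m", "keylife": "60m",
        "aggressive": "yes", "ike": "aes-sha1-modp1024,aes256", "esp": "aes-sha1",
        "xauth": "client", "leftsourceip": "%modeconfig", "leftauth": "psk",
        "rightauth": "psk", "leftauth2": "xauth", "rightsubnet": "0.0.0.0/0", "auto": "add",
    },
    "twofactor": {
        "keyexchange": "ikev1", "authby": "xauthrsasig", "ike": "aes-sha1-modp1024",
        "esp": "aes-sha1", "xauth": "client", "leftsourceip": "%config",
        "leftauth2": "xauth", "rightsubnet": "0.0.0.0/0", "auto": "add",
    },
}
# Placeholder settings (addresses, identities, certificates) are checked for presence only.
REQUIRED_PRESENT = {
    "certificate": ("left", "leftcert", "right", "rightid"),
    "authprofile": ("left", "leftid", "right", "xauth_identity"),
    "twofactor": ("left", "leftcert", "right", "rightid", "xauth_identity"),
}

SECTION_RE = re.compile(r"^(conn|config|ca)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return (connections, defaults): settings per conn, with %default merged in."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:                                       # section header at column 0
            current = sections.setdefault(m.groups(), {})
            continue
        if current is None or "=" not in line:
            raise ValueError("setting outside a section: %r" % raw)
        key, value = line.strip().split("=", 1)
        current[key.strip()] = value.strip()
    conns = {name: dict(v) for (kind, name), v in sections.items() if kind == "conn"}
    defaults = conns.pop("%default", {})
    for name, settings in conns.items():
        merged = dict(defaults)                     # %default values are inherited ...
        merged.update(settings)                     # ... unless the conn overrides them
        conns[name] = merged
    return conns, defaults


def check_connection(conns, defaults, name, mode):
    """List deviations from the recommended settings for one workflow (empty = OK)."""
    problems = []
    for key, want in RECOMMENDED_DEFAULT.items():
        if defaults.get(key) != want:
            problems.append("%%default %s: expected %s, found %s" % (key, want, defaults.get(key)))
    settings = conns[name]
    for key, want in RECOMMENDED[mode].items():
        if settings.get(key) != want:
            problems.append("%s %s: expected %s, found %s" % (name, key, want, settings.get(key)))
    for key in REQUIRED_PRESENT[mode]:
        if key not in settings:
            problems.append("%s %s: missing" % (name, key))
    return problems


def group_name_leftid(group_name):
    """Encode the gateway Group Name as the hex identity used in leftid=@#<hex>."""
    return "@#" + group_name.encode("utf-8").hex()


# Constructed sample: certificate-profile workflow with one deliberate deviation.
SAMPLE_CONF = """\
config setup
    uniqueids=yes

conn %default
    ikelifetime=20m
    reauth=yes
    rekey=yes
    keylife=10m
    rekeymargin=3m
    rekeyfuzz=0%
    keyingtries=1
    type=tunnel

conn gp-cert                 # constructed connection name
    keyexchange=ikev2        # deviation: the guide recommends ikev1
    authby=rsasig
    ike=aes-sha1-modp1024,aes256
    left=198.51.100.20
    leftcert=alice.pem
    leftsourceip=%config
    leftauth2=xauth
    right=203.0.113.10
    rightid="CN=gw.example.com"
    rightsubnet=0.0.0.0/0
    auto=add
"""

if __name__ == "__main__":
    conns, defaults = parse_ipsec_conf(SAMPLE_CONF)
    for problem in check_connection(conns, defaults, "gp-cert", "certificate"):
        print(problem)
    print(group_name_leftid("gpgroup"))
```

Run it against a real file with `parse_ipsec_conf(open("/etc/ipsec.conf").read())` and the mode that matches the workflow you followed; a non-empty result lists exactly which key to correct before running `ipsec up`.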

Step 4  Start strongSwan IPSec services and connect to the IPSec tunnel that you want the strongSwan client to use when authenticating to the GlobalProtect gateway.

    Ubuntu clients:
        ipsec start
        ipsec up <name>

    CentOS clients:
        strongswan start
        strongswan up <name>


Step 5  Verify that the tunnel is set up correctly and the VPN connection is established to both the strongSwan client and the GlobalProtect gateway.

    1. Verify the detailed status information on a specific connection (by naming the connection) or verify the status information for all connections from the strongSwan client:
       Ubuntu clients:
           ipsec statusall [<connection name>]
       CentOS clients:
           strongswan statusall [<connection name>]
    2. Select Network > GlobalProtect > Gateways. Then, in the Info column, select Remote Users for the gateway configured for the connection to the strongSwan client. The strongSwan client should be listed under Current Users.
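Reading `ipsec statusall` by eye is easy to get wrong: a connection can show an ESTABLISHED IKE_SA while its CHILD_SA is still being negotiated, or come up with a narrower traffic selector than the 0.0.0.0/0 that rightsubnet should produce. The parser below is an added example, not code from this guide or from strongSwan, that applies to the Step 5 verification in all three workflows. The sample report is constructed to resemble strongSwan 5.x statusall output; the connection names gp-gw and gp-lab, the addresses, identities and SPIs are placeholders.

```python
"""Confirm from 'ipsec statusall' output that a tunnel is really up.

Added example, not from the guide or strongSwan. The sample report is
constructed; connection names, addresses, identities and SPIs are placeholders.
"""
import re

IKE_RE = re.compile(r"^\s*(\S+)\[(\d+)\]:\s+([A-Z_]+)")            # name[id]: STATE ...
CHILD_RE = re.compile(r"^\s*(\S+)\{(\d+)\}:\s+([A-Z_]+)\b")        # name{id}: STATE, ...
TS_RE = re.compile(r"^\s*(\S+)\{(\d+)\}:\s+(\S+)\s+===\s+(\S+)")   # name{id}: local === remote

SAMPLE_STATUS = """\
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.13.0-24-generic, x86_64):
  uptime: 2 minutes, since Nov 21 10:00:00 2016
Connections:
       gp-gw:  198.51.100.20...203.0.113.10  IKEv1
       gp-gw:   local:  [alice] uses public key authentication
       gp-gw:   remote: [CN=gw.example.com] uses public key authentication
       gp-gw:   child:  dynamic === 0.0.0.0/0 TUNNEL
Security Associations (1 up, 1 connecting):
       gp-gw[1]: ESTABLISHED 14 seconds ago, 198.51.100.20[alice]...203.0.113.10[CN=gw.example.com]
       gp-gw{1}:  INSTALLED, TUNNEL, ESP SPIs: c1a2b3d4_i 9e8f7a6b_o
       gp-gw{1}:   10.10.10.5/32 === 0.0.0.0/0
      gp-lab[2]: CONNECTING, 198.51.100.20[%any]...203.0.113.11[%any]
"""


def parse_statusall(text):
    """Map each connection name to its IKE_SA state, CHILD_SA state and traffic selectors."""
    sas = {}

    def entry(name):
        return sas.setdefault(name, {"ike": None, "child": None, "selectors": []})

    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            entry(m.group(1))["ike"] = m.group(3)
            continue
        m = CHILD_RE.match(line)
        if m:
            entry(m.group(1))["child"] = m.group(3)
            continue
        m = TS_RE.match(line)
        if m:
            entry(m.group(1))["selectors"].append((m.group(3), m.group(4)))
    return sas


def not_up_reason(sas, name):
    """Why the connection is not considered up; None when all three conditions hold."""
    sa = sas.get(name)
    if sa is None:
        return "no security association for %s" % name
    if sa["ike"] != "ESTABLISHED":
        return "IKE_SA state is %s" % sa["ike"]
    if sa["child"] != "INSTALLED":
        return "CHILD_SA state is %s" % sa["child"]
    if not any(remote == "0.0.0.0/0" for _, remote in sa["selectors"]):
        return "no 0.0.0.0/0 traffic selector"
    return None


def tunnel_is_up(sas, name):
    """True only when IKE_SA, CHILD_SA and the full-tunnel selector are all present."""
    return not_up_reason(sas, name) is None


if __name__ == "__main__":
    report = parse_statusall(SAMPLE_STATUS)
    for conn in sorted(report):
        print(conn, "up" if tunnel_is_up(report, conn) else not_up_reason(report, conn))
```

On a client, feed it the live output with `parse_statusall(subprocess.check_output(["ipsec", "statusall"], text=True))` (or `strongswan statusall` on CentOS) and alert on any connection where `not_up_reason` is not None.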


Enable Group Mapping

Because the agent or app running on your end user systems requires the user to successfully authenticate before being granted access to GlobalProtect, the identity of each GlobalProtect user is known. However, if you want to be able to define GlobalProtect configurations and/or security policies based on group membership, the firewall must retrieve the list of groups and the corresponding list of members from your directory server. This is known as group mapping.

To enable this functionality, you must create an LDAP server profile that instructs the firewall how to connect and authenticate to the directory server and how to search the directory for the user and group information. After the firewall connects to the LDAP server and retrieves the group mappings, you can select groups when you define the agent configurations and security policies. The firewall supports a variety of LDAP directory servers, including Microsoft Active Directory (AD), Novell eDirectory, and Sun ONE Directory Server.

Use the following procedure to connect to your LDAP directory to enable the firewall to retrieve user-to-group mapping information:


Map Users to Groups

Step 1  Create an LDAP Server Profile that specifies how to connect to the directory servers to which the firewall should connect to obtain group mapping information.

    1. Select Device > Server Profiles > LDAP and click Add.
    2. Enter a Profile Name to identify the server profile.
    3. If this profile is for a firewall with multiple virtual systems capability, select a virtual system or Shared as the Location where the profile is available.
    4. For each LDAP server (up to four), Add and enter a Name (to identify the server), server IP address (LDAP Server field), and server Port (default 389).
    5. Select the server Type from the drop-down: active-directory, e-directory, sun, or other.
    6. If you want the device to use SSL or TLS for a more secure connection with the directory server, select the Require SSL/TLS secured connection check box (it is selected by default). The protocol that the device uses depends on the server Port:
       • 389 (default): TLS (Specifically, the device uses the StartTLS operation, which upgrades the initial plaintext connection to TLS.)
       • 636: SSL
       • Any other port: The device first attempts to use TLS. If the directory server doesn't support TLS, the device falls back to SSL.
    7. For additional security, you can select the Verify Server Certificate for SSL sessions check box (it is cleared by default) so that the device verifies the certificate that the directory server presents for SSL/TLS connections. To enable verification, you also have to select the Require SSL/TLS secured connection check box. For verification to succeed, the certificate must meet one of the following conditions:
       • It is in the list of device certificates: Device > Certificate Management > Certificates > Device Certificates. Import the certificate into the device, if necessary.
       • The certificate signer is in the list of trusted certificate authorities: Device > Certificate Management > Certificates > Default Trusted Certificate Authorities.
    8. Click OK.

Step 2  Add the LDAP server profile to the User-ID Group Mapping configuration.

    1. Select Device > User Identification > Group Mapping Settings and click Add.
    2. Enter a Name for the configuration.
    3. Select the Server Profile you just created.
    4. Make sure the Enabled check box is selected.


Step 3  (Optional) Limit which groups can be selected in policy rules.

    By default, if you don't specify groups, all groups are available in policy rules.

    1. Add existing groups from the directory service:
       a. Select the Group Include List tab.
       b. In the Available Groups list, select the groups you want to appear in policy rules and click the Add icon.
    2. If you want to base policy rules on user attributes that don't match existing user groups, create custom groups based on LDAP filters:
       a. Select the Custom Group tab and click Add.
       b. Enter a group Name that is unique in the group mapping configuration for the current firewall or virtual system. If the Name has the same value as the Distinguished Name (DN) of an existing AD group domain, the firewall uses the custom group in all references to that name (for example, in policies and logs).
       c. Specify an LDAP Filter of up to 2,048 UTF-8 characters, then click OK. The firewall doesn't validate LDAP filters.
          To optimize LDAP searches and minimize the performance impact on the LDAP directory server, use only indexed attributes in the filter.

Step 4  Commit your changes.

    Click OK and Commit.
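Because the firewall does not validate custom-group LDAP filters, a typo only shows up later as a group that never gets members. The checker below is an added example, not code from this guide or from PAN-OS: it parses RFC 4515 filter syntax with a small recursive-descent parser (balanced parentheses, one comparison operator per item, backslash escapes of the form \xx), enforces the 2,048-character limit from Step 3, and flags attributes that are not in a supplied indexed-attribute list, as the performance note recommends. The INDEXED list and the sample filters are constructed for the example; take the real list from your directory's index configuration. Extensible-match items (attr:rule:=value) are not handled.

```python
"""Validate a custom-group LDAP filter before entering it on the firewall.

Added example, not from the guide or PAN-OS. INDEXED and the sample filters
are constructed; use your directory's own indexed-attribute list.
"""
import re

MAX_FILTER_CHARS = 2048

# attribute description, comparison operator, assertion value (no unescaped parentheses)
ITEM_RE = re.compile(r"^(?P<attr>[A-Za-z][A-Za-z0-9.;-]*)(?P<op>~=|>=|<=|=)(?P<value>[^()]*)$")
BAD_ESCAPE_RE = re.compile(r"\\(?![0-9A-Fa-f]{2})")     # RFC 4515 escapes are backslash + 2 hex digits


def _parse(s, i):
    """Parse one parenthesised filter starting at s[i]; return (next index, node)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("unexpected end of filter")
    c = s[i]
    if c in "&|":                                    # and / or: one or more sub-filters
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
        if not children:
            raise ValueError("'%s' without sub-filters at %d" % (c, i))
        node = (c, children)
    elif c == "!":                                   # not: exactly one sub-filter
        i, child = _parse(s, i + 1)
        node = ("!", [child])
    else:                                            # simple item: attr OP value
        j = s.find(")", i)
        if j < 0:
            raise ValueError("unterminated item at %d" % i)
        m = ITEM_RE.match(s[i:j])
        if not m:
            raise ValueError("malformed item %r" % s[i:j])
        if BAD_ESCAPE_RE.search(m.group("value")):
            raise ValueError("bad escape in %r (use \\xx hex escapes)" % s[i:j])
        node = ("item", m.group("attr"), m.group("op"), m.group("value"))
        i = j
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at %d" % i)
    return i + 1, node


def parse_filter(s):
    """Return the filter tree; raise ValueError on a syntax error."""
    i, tree = _parse(s, 0)
    if i != len(s):
        raise ValueError("trailing characters at %d" % i)
    return tree


def attributes(tree):
    """Set of lower-cased attribute names referenced anywhere in the tree."""
    if tree[0] == "item":
        return {tree[1].lower()}
    found = set()
    for child in tree[1]:
        found |= attributes(child)
    return found


def check_ldap_filter(filter_text, indexed_attrs):
    """Return findings for the filter; an empty list means it passed every check."""
    findings = []
    if len(filter_text) > MAX_FILTER_CHARS:
        findings.append("filter is longer than %d characters" % MAX_FILTER_CHARS)
    try:
        tree = parse_filter(filter_text)
    except ValueError as err:
        return findings + ["syntax: %s" % err]
    indexed = {a.lower() for a in indexed_attrs}
    for attr in sorted(attributes(tree) - indexed):
        findings.append("attribute '%s' is not indexed" % attr)
    return findings


# Constructed example of an indexed-attribute list; replace with your directory's list.
INDEXED = ["objectCategory", "sAMAccountName", "memberOf", "cn"]

if __name__ == "__main__":
    for f in ["(&(objectCategory=person)(memberOf=CN=VPN Users,OU=Groups,DC=example,DC=com))",
              "(&(objectCategory=person)(department=Finance))",
              "(&(objectCategory=person)"]:
        print(f, "->", check_ldap_filter(f, INDEXED) or "ok")
```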


Configure GlobalProtect Gateways

Because the GlobalProtect configuration that the portal delivers to the agents includes the list of gateways the client can connect to, it is a good idea to configure the gateways before configuring the portal.

The GlobalProtect Gateways can be configured to provide two main functions:
• Enforce security policy for the GlobalProtect agents and apps that connect to it. You can also enable HIP collection on the gateway for enhanced security policy granularity. For more information on enabling HIP checks, see Use Host Information in Policy Enforcement.
• Provide virtual private network (VPN) access to your internal network. VPN access is provided through an IPSec or SSL tunnel between the client and a tunnel interface on the gateway firewall.

You can also configure GlobalProtect gateways on VM-Series firewalls deployed in the AWS cloud. By deploying the VM-Series firewall in the AWS cloud you can quickly and easily deploy GlobalProtect gateways in any region without the expense or IT logistics that are typically required to set up this infrastructure using your own resources. For details, see Use Case: VM-Series Firewalls as GlobalProtect Gateways in AWS.

Prerequisite Tasks for Configuring the GlobalProtect Gateway

Before you can configure the GlobalProtect gateway, you must have completed the following tasks:
• Created the interfaces (and zones) for the interface where you plan to configure each gateway. For gateways that require tunnel connections you must configure both the physical interface and the virtual tunnel interface. See Create Interfaces and Zones for GlobalProtect.
• Set up the gateway server certificates and SSL/TLS service profile required for the GlobalProtect agent to establish an SSL connection with the gateway. See Enable SSL Between GlobalProtect Components.
• Defined the authentication profiles and/or certificate profiles that will be used to authenticate GlobalProtect users. See Set Up GlobalProtect User Authentication.

Configure a GlobalProtect Gateway

After you have completed the prerequisite tasks, configure the GlobalProtect Gateways:

Configure the Gateway

Step 1  Add a gateway.

    1. Select Network > GlobalProtect > Gateways and click Add.
    2. In the General screen, enter a Name for the gateway. The gateway name should have no spaces and, as a best practice, should include the location or other descriptive information to help users and administrators identify the gateway.
    3. (Optional) Select the virtual system to which this gateway belongs from the Location field.


Step 2  Specify the network information that enables clients to connect to the gateway.

    If you haven't created the network interface for the gateway, see Create Interfaces and Zones for GlobalProtect for instructions.

    1. Select the Interface that clients will use for communication with the gateway.
    2. Select the IP Address for the gateway web service.
    3. Click OK to save changes.

Step 3  Specify how the gateway authenticates users.

    If you haven't created an SSL/TLS service profile for the gateway, see Deploy Server Certificates to the GlobalProtect Components.
    If you haven't set up the authentication profiles or certificate profiles, see Set Up GlobalProtect User Authentication for instructions.

    Select Authentication and then configure any of the following:
    • To secure communication between the gateway and the agents, select the SSL/TLS Service Profile for the gateway.
    • To authenticate users with a local user database or an external authentication service, such as LDAP, Kerberos, TACACS+, or RADIUS (including OTP), Add a Client Authentication configuration with the following settings:
      - Enter a Name to identify the client authentication configuration.
      - Identify the type of client to which this configuration applies. By default, the configuration applies to Any client, but you can customize the type of endpoint by OS (Android, Chrome, iOS, Mac, Windows, or Windows UWP) or by third-party IPSec VPN clients (X-Auth).
      - Select or add an Authentication Profile to authenticate an endpoint seeking access to the gateway.
      - Enter an Authentication Message to help end users understand which credentials to use when logging in. The message can be up to 100 characters in length (default is Enter login credentials).
    • To authenticate users based on a client certificate or a smart card/CAC, select the corresponding Certificate Profile.
    • To use two-factor authentication, select both an authentication profile and a certificate profile. Keep in mind that the user must successfully authenticate using both methods to be granted access.


Step 4  Enable tunneling and configure the tunnel parameters.

    The tunnel parameters are required if you are setting up an external gateway. If you are configuring an internal gateway, they are optional.

    If you want to force use of SSL-VPN tunnel mode, clear the Enable IPSec check box. By default, SSL-VPN will only be used if the endpoint fails to establish an IPSec tunnel. Extended authentication (X-Auth) is only supported on IPSec tunnels. If you Enable X-Auth Support, GlobalProtect IPSec Crypto profiles are not applicable. For information on supported cryptographic algorithms, see Reference: GlobalProtect Agent Cryptographic Functions.

    1. On the GlobalProtect Gateway Configuration dialog, select Agent > Tunnel Settings.
    2. Select the Tunnel Mode check box to enable tunneling.
    3. Select the Tunnel Interface you defined in Step 2 in Create Interfaces and Zones for GlobalProtect.
    4. (Optional) Specify Max User for the maximum number of users that can access the gateway at the same time for authentication, HIP updates, and GlobalProtect agent updates (range varies based on the platform and is displayed when the field is empty).
    5. Select a GlobalProtect IPSec Crypto profile to secure the VPN tunnels between GlobalProtect agents and gateways. The default profile uses AES-128-CBC encryption and sha1 authentication.
       You can also create a new IPSec crypto profile. To create a new profile, select New GlobalProtect IPSec Crypto in the same drop-down and configure the following:
       a. Enter a Name to identify the profile.
       b. Add the Authentication and Encryption algorithms that the VPN peers can use to negotiate the keys for securing the data in the tunnel:
          • Encryption: If you are not certain of what the VPN peers support, you can add multiple encryption algorithms in top-to-bottom order of most to least secure, as follows: aes-256-gcm, aes-128-gcm, aes-128-cbc. The peers negotiate the strongest algorithm to establish the tunnel.
          • Authentication: Select the authentication algorithm (sha1) to provide data integrity and authenticity protection. Although the authentication algorithm is required for the profile, this setting only applies to the AES-CBC cipher (aes-128-cbc). If you use an AES-GCM encryption algorithm (aes-256-gcm or aes-128-gcm), the setting is ignored because these ciphers natively provide ESP integrity protection.
       c. Click OK to save the profile.
    6. (Optional) Select Enable X-Auth Support if any endpoint needs to connect to the gateway by using a third-party VPN (for example, a VPNC client running on Linux). If you enable X-Auth, you must provide the Group name and Group Password if the endpoint requires it. By default, the user is not required to re-authenticate if the key used to establish the IPSec tunnel expires. To require users to re-authenticate, clear the option to Skip Auth on IKE Rekey.
       Although X-Auth access is supported on iOS and Android endpoints, it provides limited GlobalProtect functionality on these endpoints. Instead, use the GlobalProtect app for simplified access to all the security features that GlobalProtect provides on iOS and Android endpoints. The GlobalProtect app for iOS is available at the Apple App Store. The GlobalProtect app for Android is available at Google Play.


Step 5  (Optional) Modify the default timeout settings for endpoints.

    On the GlobalProtect Gateway Configuration dialog, select Agent > Timeout Settings and then configure the following settings:
    • Modify the maximum Login Lifetime for a single gateway login session. The default login lifetime is 30 days; during the lifetime, the user stays logged in as long as the gateway receives a HIP check from the endpoint within the Inactivity Logout period. After this time, the login session automatically logs out.
    • Modify the amount of time after which an inactive session is automatically logged out. The default Inactivity Logout period is 3 hours. A user is logged out of GlobalProtect if the gateway does not receive a HIP check from the endpoint during the configured amount of time.
    • Modify the number of minutes after which idle users are logged out of GlobalProtect. The default period for Disconnect on Idle is 180 minutes. Users are logged out of GlobalProtect if the GlobalProtect agent has not routed traffic through the VPN tunnel in the configured amount of time. This setting applies to GlobalProtect agents that use the on-demand connect method only.


Step 6  (Optional) Configure authentication override settings to enable the gateway to generate and accept secure, encrypted cookies to authenticate the user. This capability allows the user to provide login credentials only once during a specified period of time (for example, every 24 hours).

    By default, a gateway authenticates the user with an authentication profile and optional certificate profile. When authentication override is enabled, GlobalProtect caches the result of a successful login and uses the cookie to authenticate the user instead of prompting the user for credentials. For more information, see Cookie Authentication on the Portal or Gateway. If client certificates are required, the endpoint must also provide a valid certificate to be granted access.

    In the event that you need to immediately block access to a device whose cookie has not yet expired (for example, if the device is lost or stolen), you can immediately Block Device Access by adding the device to a block list.

    1. On the GlobalProtect Gateway Configuration dialog, select Agent > Client Settings.
    2. Add a new agent configuration or select an existing configuration.
    3. Enter a Name to identify the agent configuration.
    4. Configure the following settings in the Authentication Override section:
       • Generate cookie for authentication override: Enable the gateway to generate encrypted, endpoint-specific cookies and issue the authentication cookies to the endpoint.
       • Cookie Lifetime: Specify the hours, days, or weeks that the cookie is valid. Default is 24 hours. The range for hours is 1 to 72; for weeks, 1 to 52; and for days, 1 to 365. After the cookie expires, the user must enter login credentials, and the gateway subsequently encrypts a new cookie to send to the agent. This value can be the same as or different from the Cookie Lifetime you configure for the portal.
       • Accept cookie for authentication override: Enable the gateway to authenticate users with a valid, encrypted cookie. When the agent presents a valid cookie, the gateway verifies that the cookie was encrypted by the portal or gateway, decrypts the cookie, and then authenticates the user.
       • Certificate to Encrypt/Decrypt Cookie: Select the RSA certificate to use to encrypt and decrypt the cookie. You must use the same certificate on the portal and gateways.
         As a best practice, configure the RSA certificate to use the strongest digest algorithm that your network supports.
         The portal and gateways use the RSA encrypt padding scheme PKCS#1 V1.5 to generate the cookie (using the public key of the certificate) and decrypt the cookie (using the private key of the certificate).


Step 7  Configure the user or user group and the endpoint OS to which the agent configuration applies.

    The gateway uses the user/user group settings you specify to determine which configuration to deliver to the GlobalProtect agents that connect. Therefore, if you have multiple configurations, you must make sure to order them properly. As soon as the gateway finds a match, it will deliver the configuration. Therefore, more specific configurations must precede more general ones. See Step 9 for instructions on ordering the list of agent configurations.

    Network settings are not required in internal gateway configurations in non-tunnel mode, because agents use the network settings assigned to the physical network adapter.

    In a gateway agent configuration, select the User/User Group tab and configure the following settings:
    • To deliver this configuration to agents or apps running on a specific operating system, Add the OS (Android, Chrome, iOS, Mac, Windows, or Windows UWP) to which this configuration applies. Or leave the value in this section set to Any to deploy the configuration based on user/group only.
    • To restrict this configuration to a specific user and/or group, click Add in the User/User Group section of the window and then select the user or group you want to receive this configuration from the drop-down. Repeat this step for each user/group you want to add.
      Before you can restrict the configuration to specific groups, you must map users to groups as described in Enable Group Mapping.
    • To restrict the configuration to users who have not yet logged into their systems, select pre-logon from the User/User Group drop-down.
    • To apply the configuration to any user regardless of login status (both pre-logon and logged-in users), select any from the User/User Group drop-down.


Step 8  (Tunnel Mode only) Configure the network settings to assign to the virtual network adapter on the endpoint when an agent establishes a tunnel with the gateway.

    Network settings are not required in internal gateway configurations in non-tunnel mode because agents use the network settings assigned to the physical network adapter.

    You can optionally use address objects, which allow you to group specific source or destination addresses when configuring gateway IP address pools or access routes.

    In a gateway agent configuration, select the Agent > Network Settings tab and configure any of the following settings and then click OK:
    • To specify the authentication server IP address pool to assign addresses to endpoints that require static IP addresses, select the Retrieve Framed-IP-Address attribute from authentication server check box and then Add the subnet or IP address range to use to assign to remote users in the Authentication Server IP Pool area. When the tunnel is established, an interface is created on the remote user's computer with an address in the subnet or IP range that matches the Framed-IP attribute of the authentication server.
      The authentication server IP address pool must be large enough to support all concurrent connections. IP address assignment is static and is retained after the user disconnects.
    • To specify the IP Pool to use to assign IP addresses, click Add and then specify the IP address range or address object to use. As a best practice, use a different range of IP addresses from those assigned to endpoints that are physically connected to your LAN to ensure proper routing back to the gateway.
    • To disable split tunneling, including direct access to local networks, on Windows and Mac OS systems, enable No direct access to local network. In this case, users cannot send traffic to proxies or local resources while connected to GlobalProtect.
    • To define what destination subnets to route through the tunnel, click Add in the Access Route area and then enter the routes as follows:
      - Full tunneling: To route all endpoint traffic to GlobalProtect, enter 0.0.0.0/0 as the access route. You will then need to use security policy to define what zones the endpoint can access (including untrust zones). The benefit of this configuration is that you have visibility into all VPN traffic and you can ensure that endpoints are secured according to your policy even when they are not physically connected to the LAN. Note that in this configuration traffic destined for the local subnet goes through the physical adapter, rather than being tunneled to the gateway.
      - Split tunneling: To route only some traffic, like traffic destined for your LAN, to GlobalProtect, specify the destination subnets or address object (of type IP Netmask) that must be tunneled. In this case, traffic that is not destined for a specified access route will be routed through the endpoint's physical adapter rather than through the virtual adapter (the tunnel).
      The firewall supports up to 100 access routes.
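The access-route rules in Step 8 decide, per packet, whether an endpoint sends traffic through the tunnel or its physical adapter, and getting the full-tunnel local-subnet exception wrong is a common source of "my printer stopped working" and "my traffic bypassed the gateway" tickets. The following model is an added example, not code from this guide or from the GlobalProtect agent: it implements the decision exactly as the step describes it (0.0.0.0/0 means full tunnel with the endpoint's local subnet excepted, any other routes mean split tunnel, No direct access to local network removes the local-subnet exception, and at most 100 routes are accepted). The addresses below are constructed examples.

```python
"""Decide whether an endpoint sends a packet through the tunnel or the physical adapter.

Added example, not from the guide or the GlobalProtect agent. Addresses are
constructed for the example.
"""
import ipaddress

MAX_ACCESS_ROUTES = 100   # limit stated in the guide


def compile_access_routes(routes):
    """Parse access routes, enforcing the firewall's 100-route limit."""
    if len(routes) > MAX_ACCESS_ROUTES:
        raise ValueError("at most %d access routes are supported" % MAX_ACCESS_ROUTES)
    return [ipaddress.ip_network(r, strict=False) for r in routes]


def routes_accepted(routes):
    """True if the route list parses and is within the supported limit."""
    try:
        compile_access_routes(routes)
        return True
    except ValueError:
        return False


def tunnel_mode(access_routes):
    """'full' if a default route (0.0.0.0/0 or ::/0) is present, otherwise 'split'."""
    return "full" if any(net.prefixlen == 0 for net in access_routes) else "split"


def route_decision(dst, access_routes, local_subnet, no_direct_access=False):
    """Return 'tunnel' or 'physical' for destination address dst."""
    ip = ipaddress.ip_address(dst)
    local = ipaddress.ip_network(local_subnet, strict=False)
    # Full tunnel: local-subnet traffic stays on the physical adapter unless
    # 'No direct access to local network' is enabled.
    if tunnel_mode(access_routes) == "full" and ip in local and not no_direct_access:
        return "physical"
    # Otherwise only destinations covered by an access route are tunneled.
    return "tunnel" if any(ip in net for net in access_routes) else "physical"


if __name__ == "__main__":
    full = compile_access_routes(["0.0.0.0/0"])
    split = compile_access_routes(["10.0.0.0/8", "172.16.0.0/12"])
    for dst in ["8.8.8.8", "10.20.30.40", "192.168.1.50"]:
        print(dst, "full:", route_decision(dst, full, "192.168.1.0/24"),
              "split:", route_decision(dst, split, "192.168.1.0/24"))
```

A useful way to use this during design is to run the destinations that matter (internal services, the local printer subnet, a public site) against the planned route list and confirm each lands where security policy expects it.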


Step 9  Arrange the gateway agent configurations so that the proper configuration is deployed to each agent.

    When an agent connects, the gateway will compare the source information in the packet against the agent configurations you have defined. As with security rule evaluation, the gateway looks for a match starting from the top of the list. When it finds a match, it delivers the corresponding configuration to the agent or app.

    • To move a gateway configuration up on the list of configurations, select the configuration and click Move Up.
    • To move a gateway configuration down on the list of configurations, select the configuration and click Move Down.
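Steps 7 and 9 together describe a first-match evaluation: the gateway walks the agent configurations top to bottom and delivers the first one whose OS and User/User Group entries match the connecting endpoint, so a general configuration placed above a specific one silently hides it. The model below is an added example, not code from this guide or from PAN-OS, that reproduces that evaluation and also finds configurations that can never be delivered because an earlier entry already covers every endpoint they could match. The configuration names, users and groups are constructed; each configuration lists its OSs as 'Any' or a set, and its User/User Group entries as 'any', 'pre-logon', 'user:<name>' or 'group:<name>'.

```python
"""First-match selection of a gateway agent configuration (Steps 7 and 9).

Added example, not from the guide or PAN-OS. Configuration names, users and
groups below are constructed.
"""


def _os_matches(config, endpoint_os):
    return config["os"] == "Any" or endpoint_os in config["os"]


def _principal_matches(config, endpoint):
    entries = config["principals"]
    if "any" in entries:                       # 'any' covers pre-logon and logged-in users
        return True
    if endpoint.get("pre_logon"):              # not logged in yet: only 'pre-logon' applies
        return "pre-logon" in entries
    if "user:" + endpoint["user"] in entries:
        return True
    return any("group:" + g in entries for g in endpoint.get("groups", ()))


def select_agent_config(configs, endpoint):
    """Name of the first configuration matching the endpoint, or None."""
    for config in configs:
        if _os_matches(config, endpoint["os"]) and _principal_matches(config, endpoint):
            return config["name"]
    return None


def _covers(earlier, later):
    """True if every endpoint matching 'later' would already match 'ear
lier'."""
    if "any" not in earlier["principals"]:
        return False
    if earlier["os"] == "Any":
        return True
    return later["os"] != "Any" and later["os"] <= earlier["os"]


def unreachable_configs(configs):
    """Names of configurations that can never be delivered because of ordering."""
    hidden = []
    for idx, later in enumerate(configs):
        if any(_covers(earlier, later) for earlier in configs[:idx]):
            hidden.append(later["name"])
    return hidden


# Constructed ordering: specific configurations first, catch-all later.
CONFIGS = [
    {"name": "prelogon-windows", "os": {"Windows"}, "principals": {"pre-logon"}},
    {"name": "finance-windows", "os": {"Windows"}, "principals": {"group:finance"}},
    {"name": "all-windows", "os": {"Windows"}, "principals": {"any"}},
    {"name": "everyone", "os": "Any", "principals": {"any"}},
    # Placed after the catch-all, so the gateway can never reach it.
    {"name": "mac-engineering", "os": {"Mac"}, "principals": {"group:engineering"}},
]

if __name__ == "__main__":
    print(select_agent_config(CONFIGS, {"os": "Windows", "user": "alice", "groups": {"finance"}}))
    print(select_agent_config(CONFIGS, {"os": "Mac", "user": "carol", "groups": {"engineering"}}))
    print("unreachable:", unreachable_configs(CONFIGS))
```

Running the unreachable check against an exported configuration list before committing catches exactly the ordering mistake Step 9 warns about: carol's Mac receives the "everyone" configuration, and "mac-engineering" is reported as hidden until it is moved above the catch-all.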

Step 10  (Tunnel Mode only) Specify the network configuration settings for the endpoints.

    Network settings are not required in internal gateway configurations in non-tunnel mode because in this case agents use the network settings assigned to the physical network adapter.

    In a GlobalProtect Gateway Configuration, select the Agent > Network Services tab and configure the settings for endpoints in one of the following ways:
    • If the firewall has an interface that is configured as a DHCP client, set the Inheritance Source to that interface and the GlobalProtect agent will be assigned the same settings received by the DHCP client. You can also Inherit DNS Suffixes from the inheritance source.
    • Manually assign the DNS server(s) and suffix, and WINS servers by completing the corresponding fields.

Step 11  (Optional) Define the notification messages end users will see when a security rule with a host information profile (HIP) is enforced.

    This step only applies if you have created host information profiles and added them to your security policies. For details on configuring the HIP feature and for more detailed information about creating HIP notification messages, see Use Host Information in Policy Enforcement.

    In a GlobalProtect Gateway Configuration, select the Agent > HIP Notification tab and Add a new HIP Notification configuration:
    1. From the Host Information drop-down, select the HIP object or profile to which this message applies.
    2. Select Match Message or Not Match Message and then Enable notifications, depending on whether you want to display the message when the corresponding HIP profile is matched in policy or when it is not matched. In some cases, you might want to create messages for both a match and a non-match, depending on the objects on which you are matching and what your objectives are for the policy. For the Match Message, you can also enable the option to Include Mobile App List to indicate what applications can trigger the HIP match.
    3. Select whether you want to display the message as a System Tray Balloon or as a Pop Up Message.
    4. Enter and format the text of your message in the Template text box and then click OK.
    5. Repeat these steps for each message you want to define.

Step 12  Save the gateway configuration.

    1. Click OK to save the settings and close the GlobalProtect Gateway Configuration dialog.
    2. Commit the changes.


Configure the GlobalProtect Portal

The GlobalProtect Portal provides the management functions for your GlobalProtect infrastructure. Every endpoint that participates in the GlobalProtect network receives configuration information from the portal, including information about available gateways as well as any client certificates that may be required to connect to the gateways. In addition, the portal controls the behavior and distribution of the GlobalProtect agent software to both Mac and Windows laptops.

    The portal does not distribute the GlobalProtect app for use on mobile devices. To get the GlobalProtect app for mobile devices, end users must download it from the store for their device: App Store for iOS, Google Play for Android, Chrome Web Store for Chromebooks, or Microsoft Store for Windows 10 UWP. However, the agent configurations that get deployed to mobile app users do control the gateway(s) to which the mobile devices have access. For more details on supported versions, see What Client OS Versions are Supported with GlobalProtect?

The following sections provide procedures for setting up the portal:
• Prerequisite Tasks for Configuring the GlobalProtect Portal
• Set Up Access to the GlobalProtect Portal
• Define the GlobalProtect Client Authentication Configurations
• Define the GlobalProtect Agent Configurations
• Customize the GlobalProtect Agent
• Customize the GlobalProtect Portal Login, Welcome, and Help Pages

Prerequisite Tasks for Configuring the GlobalProtect Portal

Before you can configure the GlobalProtect Portal, you must complete the following tasks:
• Create the interfaces (and zones) for the firewall interface where you plan to configure the portal. See Create Interfaces and Zones for GlobalProtect.
• Set up the portal server certificate, gateway server certificate, SSL/TLS service profiles, and, optionally, any client certificates to deploy to end users to enable SSL/TLS connections for the GlobalProtect services. See Enable SSL Between GlobalProtect Components.
• Define the optional authentication profiles and certificate profiles that the portal can use to authenticate GlobalProtect users. See Set Up GlobalProtect User Authentication.
• Configure GlobalProtect Gateways and understand Gateway Priority in a Multiple Gateway Configuration.


Set Up Access to the GlobalProtect Portal

After you have completed the prerequisite tasks, configure the GlobalProtect Portal as follows:

Set Up Access to the Portal

Step 1  Add the portal.
  1. Select Network > GlobalProtect > Portals and click Add.
  2. On the General page, enter a Name for the portal. The name cannot contain spaces.
  3. (Optional) Select the virtual system to which this portal belongs from the Location field.

Step 2  Specify network settings to enable agents to communicate with the portal.
  If you have not yet created the network interface for the portal, see Create Interfaces and Zones for
  GlobalProtect for instructions. If you have not yet created an SSL/TLS service profile for the portal, see
  Deploy Server Certificates to the GlobalProtect Components.
  1. Select the Interface.
  2. Select the IP Address for the portal web service.
  3. Select an SSL/TLS Service Profile.

Step 3  Disable the login page entirely or choose your own login page or help page.
  Although optional, a custom login or help page lets you decide on the look and content of the pages. See
  Customize the GlobalProtect Portal Login, Welcome, and Help Pages.
  • Select the option to Disable login page to disable access to the GlobalProtect portal login page from a
    web browser.
  • Choose a Custom Login Page for user access to the portal or import a new one.
  • Choose a Custom Help Page to assist the user with GlobalProtect or import a new one.

Step 4  Specify how the portal authenticates the users.
  If you have not yet created a server certificate for the portal and issued gateway certificates, see Deploy
  Server Certificates to the GlobalProtect Components.
  On the GlobalProtect Portal Configuration dialog, select Authentication, and then configure any of the
  following:
  • To secure communication between the portal and the agents, select the SSL/TLS Service Profile you
    configured for the portal.
  • To authenticate users using a local user database or an external authentication service, such as LDAP,
    Kerberos, TACACS+, or RADIUS (including OTP), Define the GlobalProtect Client Authentication
    Configurations.

Step 5  Save the portal configuration.
  1. Click OK to save the settings and close the GlobalProtect Portal Configuration dialog.
  2. Commit the changes.


Define the GlobalProtect Client Authentication Configurations

Each GlobalProtect client authentication configuration specifies the settings that enable the user to
authenticate with the GlobalProtect portal. You can customize the settings for each OS or you can configure
the settings to apply to all devices. For example, you can configure Android users to use RADIUS
authentication and Windows users to use LDAP authentication. You can also customize the client
authentication for users who access the portal from a web browser (to download the GlobalProtect agent)
or for third-party IPSec VPN (X-Auth) access to GlobalProtect gateways.

Define the GlobalProtect Client Authentication Configurations

Step 1  Set Up Access to the GlobalProtect Portal.
  1. Select Network > GlobalProtect > Portals.
  2. Select the portal configuration to which you are adding the client configuration and then select the
     Authentication tab.

Step 2  Specify how the portal authenticates the users.
  You can configure the GlobalProtect portal to authenticate users using a local user database or an external
  authentication service, such as LDAP, Kerberos, TACACS+, or RADIUS (including OTP). If you have not yet
  set up the authentication profiles and/or certificate profiles, see Set Up GlobalProtect User Authentication
  for instructions.
  In the Client Authentication area, Add a new configuration with the following settings:
  • Enter a Name to identify the client authentication configuration.
  • Specify the endpoints to which to deploy this configuration. By default, the configuration applies to all
    endpoints. Otherwise, you can apply the configuration to endpoints running a specific OS (Android,
    Chrome, iOS, Mac, Windows, or Windows UWP) or to endpoints that access the portal from a web
    Browser with the intent of downloading the GlobalProtect agent.
  • Select or add an Authentication Profile for authenticating an endpoint that tries to access the gateway.
  • Enter an Authentication Message to help end users understand which credentials to use when logging
    in. The message can be up to 100 characters in length (default is Enter login credentials).

Step 3  Arrange the client authentication configurations with OS-specific configurations at the top of the
  list, and configurations that apply to Any OS at the bottom of the list.
  As with security rule evaluation, the portal looks for a match starting from the top of the list. When it
  finds a match, it delivers the corresponding configuration to the agent or app.
  • To move a client authentication configuration up on the list of configurations, select the configuration
    and click Move Up.
  • To move a client authentication configuration down on the list of configurations, select the
    configuration and click Move Down.

Step 4  (Optional) To enable two-factor authentication using an authentication profile and a certificate
  profile, configure both in this portal configuration.
  Keep in mind the portal must authenticate the client by using both methods before the user can gain
  access.
  Select the corresponding Certificate Profile to authenticate users based on a client certificate or smart
  card.
  The Common Name (CN) and, if applicable, the Subject Alternative Name (SAN) fields of the certificate
  must exactly match the IP address or FQDN of the interface where you configure the portal or HTTPS
  connections to the portal will fail.

Step 5  Save the portal configuration.
  1. Click OK to save the settings and close the GlobalProtect Portal Configuration dialog.
  2. Commit the changes.


Gateway Priority in a Multiple Gateway Configuration

To enable secure access for your mobile workforce no matter where they are located, you can strategically
deploy additional Palo Alto Networks next-generation firewalls and configure them as GlobalProtect
gateways. To determine the preferred gateway to which your agents connect, add the gateways to a portal
agent configuration and assign each gateway a connection priority. See Define the GlobalProtect Agent
Configurations.
If a GlobalProtect portal agent configuration contains more than one gateway, the agent will attempt to
connect to all gateways listed in its agent configuration. The agent will then use priority and response time
to determine the gateway to which to connect. The agent connects to a lower-priority gateway only if the
response time for the higher-priority gateway is greater than the average response time across all gateways.
For example, consider the following response times for gw1 and gw2:

Name    Priority    Response Time
gw1     Highest     80 ms
gw2     High        25 ms

The agent determines that the response time for the gateway with the highest priority (higher number) is
greater than the average response time for both gateways (52.5 ms) and, as a result, connects to gw2. In this
example, the agent did not connect to gw1 even though it had a higher priority because a response time of
80 ms was higher than the average for both.
Now consider the following response times for gw1, gw2, and a third gateway, gw3:

Name    Priority    Response Time
gw1     Highest     30 ms
gw2     High        25 ms
gw3     Medium      50 ms

In this example, the average response time for all gateways is 35 ms. The agent would then evaluate which
gateways responded faster than the average response time and see that gw1 and gw2 both had faster
response times. The agent would then connect to whichever gateway had the highest priority. In this
example, the agent connects to gw1 because gw1 has the highest priority of all the gateways with response
times below the average.
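The selection rule above, as an added example that is not part of the guide or of the GlobalProtect agent's own code: the model computes the average response time across the gateways that answered, drops every gateway that was slower than the average, and picks the highest priority among the rest. The numeric ranks assigned to the Highest..Lowest labels, the treatment of a Manual only gateway as never auto-selected, and the two constructed gateway lists are assumptions made for the example; the two lists reproduce the tables above.

```python
"""Model of the GlobalProtect gateway selection rule (added example)."""
from dataclasses import dataclass
from statistics import mean
from typing import Iterable, List, Optional

# Assumed ordering of the portal's priority labels; a larger rank wins.
PRIORITY_RANK = {"Highest": 5, "High": 4, "Medium": 3, "Low": 2, "Lowest": 1}


@dataclass(frozen=True)
class Gateway:
    name: str
    priority: str                  # a PRIORITY_RANK label, or "Manual only"
    response_ms: Optional[float]   # None when the gateway did not answer


def select_gateway(gateways: Iterable[Gateway]) -> Optional[Gateway]:
    """Return the gateway the agent connects to, or None if none is usable."""
    # A "Manual only" gateway is never chosen automatically, and a gateway
    # that did not answer the probe cannot be a candidate.
    candidates: List[Gateway] = [
        g for g in gateways
        if g.priority in PRIORITY_RANK and g.response_ms is not None
    ]
    if not candidates:
        return None
    average = mean(float(g.response_ms) for g in candidates)
    # Rule from the guide: a gateway whose response time is above the average
    # is skipped even if it has the highest priority. The minimum is never
    # above the mean, so at least one gateway always survives this filter.
    fast_enough = [g for g in candidates if float(g.response_ms) <= average]
    # Highest priority wins; on equal priority prefer the faster gateway.
    return max(fast_enough,
               key=lambda g: (PRIORITY_RANK[g.priority], -float(g.response_ms)))


# Constructed inputs reproducing the two tables in the text.
EXAMPLE_1 = [Gateway("gw1", "Highest", 80), Gateway("gw2", "High", 25)]
EXAMPLE_2 = [Gateway("gw1", "Highest", 30), Gateway("gw2", "High", 25),
             Gateway("gw3", "Medium", 50)]

if __name__ == "__main__":
    # gw2: gw1's 80 ms is above the 52.5 ms average, so gw1 is skipped.
    print(select_gateway(EXAMPLE_1).name)
    # gw1: gw1 and gw2 are at or below the 35 ms average; gw1 has higher priority.
    print(select_gateway(EXAMPLE_2).name)
```

The practical consequence for operators: raising a gateway's priority does not guarantee it is chosen, because a single slow probe against that gateway hands the session to the next one. When users report landing on an unexpected gateway, the agent's measured response times, not just the configured priorities, are what to check.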


Define the GlobalProtect Agent Configurations

After a GlobalProtect user connects to the portal and is authenticated by the GlobalProtect portal, the portal
sends the agent configuration to the agent or app, based on the settings you defined. If you have different
roles for users or groups that need specific configurations, you can create a separate agent configuration for
each user type or user group. The portal uses the OS of the endpoint and the username or group name to
determine the agent configuration to deploy. As with other security rule evaluations, the portal starts to
search for a match at the top of the list. When it finds a match, the portal sends the right configuration to
the agent or app.
The configuration can include the following:
• A list of gateways to which the client can connect.
• Among the external gateways, any gateway that the user can manually select for the session.
• The root CA certificate required to enable the agent or app to establish an SSL connection with the
  GlobalProtect gateway(s).
• The root CA certificate for SSL forward proxy decryption.
• The client certificate that the endpoint should present to the gateway when it connects. This
  configuration is required only if mutual authentication between the client and the portal or gateway is
  required.
• A secure encrypted cookie that the endpoint should present to the portal or gateway when it connects.
  The cookie is included only if you enable the portal to generate one.
• The settings the endpoint uses to determine whether it is connected to the local network or to an
  external network.
• Settings for the behavior of the agent or app, such as what the end users can see in their display, whether
  they can save their GlobalProtect password, and whether they are prompted to upgrade their software.

If the portal is down or unreachable, the agent will use the cached version of its agent configuration from its last
successful portal connection to obtain settings, including the gateway(s) to which the agent can connect, what
root CA certificate(s) to use to establish secure communication with the gateway(s), and what connect method
to use.


Use the following procedure to create an agent configuration.

Create a GlobalProtect Agent Configuration

Step 1  Add the trusted Root CA certificates that the client will use to perform certificate checks when it
  connects to the GlobalProtect gateway(s).
  If you do not add a trusted root CA certificate to the agent configuration, the associated client does not
  perform certificate checks when it connects.
  As a best practice, always deploy the trusted root CA certificates in the agent configuration. This
  certificate deployment ensures that the agents or apps perform a certificate check to validate the identity
  of the gateway before it connects. This certificate installation protects the agent or app from
  man-in-the-middle attacks.
  1. Select Network > GlobalProtect > Portals.
  2. Select the portal configuration to which you are adding the agent configuration and then select the
     Agent tab.
  3. In the Trusted Root CA field, Add and then select the CA certificate that was used to issue the gateway
     server certificates. As a best practice, all of your gateways should use the same issuer.

Step 2  (Optional) Add the trusted Root CA certificate that the firewall will use for SSL forward proxy
  decryption.
  The firewall uses this certificate (on Windows and Mac endpoints only) to terminate the HTTPS connection,
  inspect the traffic for policy compliance, and re-establish the HTTPS connection to forward the encrypted
  traffic.
  1. Add the certificate as described in Step 1.
  2. To the right of the certificate, select the Install in Local Root Certificate Store option.
  The portal automatically sends the certificate when the user logs in to the portal and installs it in the
  client's local store, thus eliminating the need for you to install the certificate manually.

Step 3  Add an agent configuration.
  The agent configuration specifies the GlobalProtect configuration settings to deploy to the connecting
  agents/apps. You must define at least one agent configuration.
  1. In the Agent area, Add a new configuration.
  2. Enter a Name to identify the configuration. If you plan to create multiple configurations, make sure the
     name you define for each is descriptive enough to allow you to distinguish them.


Step 4  (Optional) Configure settings to specify how users with this configuration will authenticate with
  the portal.
  If the gateway is to authenticate the clients by using a client certificate, you must select the source that
  distributes the certificate.
  On the Authentication tab, configure any of the following authentication settings:
  • To enable users to authenticate with the portal using client certificates, select the Client Certificate
    source (SCEP, Local, or None) that distributes the certificate and its private key to an endpoint. If you
    use an internal CA to distribute certificates to clients, select None (default). To enable the portal to
    generate and send a machine certificate to the agent for storage in the local certificate store and use
    the certificate for portal and gateway authentication, select SCEP and the associated SCEP profile.
    These certificates are device-specific and can only be used on the endpoint to which they were issued.
    To use the same certificate for all endpoints, select a certificate that is Local to the portal. With None,
    the portal does not push a certificate to the client, but you can use other ways to get a certificate to
    the client's endpoint.
  • Specify whether to Save User Credentials. Select Yes to save the username and password (default),
    Save Username Only to save only the username, or No to never save credentials.
    If you configure the portal or gateways to prompt for a dynamic password such as a one-time password
    (OTP), the user must enter a new password at each login. In this case, the GlobalProtect agent/app
    ignores the selection to save both the username and password, if specified, and saves only the
    username. For more information, see Enable Two-Factor Authentication Using One-Time Passwords
    (OTPs).

Step 5  If the GlobalProtect endpoint does not require tunnel connections when it is on the internal
  network, configure internal host detection.
  1. Select the Internal Host Detection check box.
  2. Enter the IP Address of a host that can be reached from the internal network only.
  3. Enter the DNS Hostname for the IP address you entered.
     Clients that try to connect to GlobalProtect attempt to do a reverse DNS lookup on the specified
     address. If the lookup fails, the client determines that it is on the external network and then initiates
     a tunnel connection to a gateway on its list of external gateways.

Step 6  Set up access to a third-party mobile endpoint management system.
  This step is required if the mobile devices using this configuration will be managed by a third-party
  mobile endpoint management system. All devices will initially connect to the portal and, if a third-party
  mobile endpoint management system is configured on the corresponding portal agent configuration, the
  device will be redirected to it for enrollment.
  1. Enter the IP address or FQDN of the device check-in interface associated with your mobile endpoint
     management system. The value you enter here must exactly match the value of the server certificate
     associated with the device check-in interface.
  2. Specify the Enrollment Port on which the mobile endpoint management system will be listening for
     enrollment requests. This value must match the value set on the mobile endpoint management system
     (default=443).
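The internal host detection check from Step 5, as an added example that is not the agent's own code: the client performs a reverse (PTR) lookup of the configured IP address and treats any failure as "external". Comparing the returned name against the configured DNS Hostname, rather than only checking that the lookup succeeded, is an assumption made here because the portal asks for that hostname; the resolver is injectable so the logic runs offline against a constructed lookup table (the IP addresses and names below are invented).

```python
"""Internal host detection as a reverse-DNS check (added example)."""
import socket
from typing import Callable


def _system_ptr_lookup(ip_address: str) -> str:
    """Real PTR lookup through the OS resolver; returns the primary hostname."""
    return socket.gethostbyaddr(ip_address)[0]


def _normalize(host: str) -> str:
    # DNS names are case-insensitive and may carry a trailing dot.
    return host.rstrip(".").lower()


def is_on_internal_network(ip_address: str, dns_hostname: str,
                           resolver: Callable[[str], str] = _system_ptr_lookup) -> bool:
    """Return True only when the reverse lookup of the configured address
    succeeds and yields the configured hostname.

    Every failure mode (NXDOMAIN, timeout, wrong answer) maps to False, which
    is the safe default: the client then assumes it is outside the perimeter
    and tunnels through an external gateway instead of staying untunneled."""
    try:
        answer = resolver(ip_address)
    except (socket.herror, socket.gaierror, OSError, KeyError):
        return False
    return _normalize(answer) == _normalize(dns_hostname)


# Constructed reverse-lookup table standing in for an internal DNS server;
# a missing key models an NXDOMAIN / no-answer result.
FAKE_PTR = {"10.0.0.10": "Intranet.Example.Internal."}


def fake_resolver(ip_address: str) -> str:
    return FAKE_PTR[ip_address]


def demo() -> dict:
    """Run the check against the constructed table for three situations."""
    return {
        "inside":   is_on_internal_network("10.0.0.10", "intranet.example.internal", fake_resolver),
        "spoofed":  is_on_internal_network("10.0.0.10", "other.example.internal", fake_resolver),
        "no_ptr":   is_on_internal_network("10.0.0.99", "intranet.example.internal", fake_resolver),
    }


if __name__ == "__main__":
    print(demo())
```

The "spoofed" case is the reason the hostname field matters: an address that resolves, but to a different name than the one you configured, is not evidence of being on the corporate network. Choose a PTR record that only the internal DNS servers answer, so that an external resolver cannot produce a matching reply.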


Step 7  Configure the user or user group and the endpoint OS to which the agent configuration applies.
  The portal uses the user/user group settings you specify to determine which configuration to deliver to
  the GlobalProtect agents that connect. Therefore, if you have multiple configurations, you must make sure
  to order them properly. As soon as the portal finds a match, it will deliver the configuration. Therefore,
  more specific configurations must precede more general ones. See Step 12 for instructions on ordering the
  list of agent configurations.
  Select the User/User Group tab and then specify any users, user groups, and/or operating systems to which
  this configuration should apply:
  • To deliver this configuration to agents or apps running on a specific operating system, Add the OS
    (Android, Chrome, iOS, Mac, Windows, or Windows UWP) to which this configuration applies. Or leave
    the value in this section set to Any to deploy the configuration based on user/group only.
  • To restrict this configuration to a specific user and/or group, click Add in the User/User Group section
    of the window and then select the user or group you want to receive this configuration from the
    drop-down. Repeat this step for each user/group you want to add.
    Before you can restrict the configuration to specific groups, you must map users to groups as described
    in Enable Group Mapping.
  • To restrict the configuration to users who have not yet logged in to their systems, select pre-logon from
    the User/User Group drop-down.
  • To apply the configuration to any user regardless of login status (both pre-logon and logged-in users),
    select any from the User/User Group drop-down.

Step 8  Specify the gateways to which users with this configuration can connect.
  Consider the following best practices when you configure the gateways:
  • If you are adding both internal and external gateways to the same configuration, make sure to enable
    Internal Host Detection. See Step 5 in Define the GlobalProtect Agent Configurations for instructions.
  • Make sure you do not use on-demand as the connect method if your configuration includes internal
    gateways.
  To learn more about how a GlobalProtect client determines the gateway to which it should connect, see
  Gateway Priority in a Multiple Gateway Configuration.
  1. On the Gateways tab, click Add in the section for Internal Gateways or External Gateways, depending
     on which type of gateway you are adding.
  2. Enter a descriptive Name for the gateway. The name you enter here should match the name you
     defined when you configured the gateway and should be descriptive enough for users to know the
     location of the gateway they are connected to.
  3. Enter the FQDN or IP address of the interface where the gateway is configured in the Address field.
     The address you specify must exactly match the Common Name (CN) in the gateway server certificate.
  4. (External gateways only) Set the Priority of the gateway by clicking in the field and selecting a value:
     • If you have only one external gateway, you can leave the value set to Highest (the default).
     • If you have multiple external gateways, you can modify the priority values (ranging from Highest to
       Lowest) to indicate a preference for the specific user group to which this configuration applies. For
       example, if you prefer that the user group connects to a local gateway you would set the priority
       higher than that of more geographically distant gateways. The priority value is then used to weight
       the agent's gateway selection algorithm.
     • If you do not want agents to automatically establish tunnel connections with the gateway, select
       Manual only. This setting is useful in testing environments.
  5. (External gateways only) Select the Manual check box if you want to allow users to be able to manually
     switch to the gateway.


Step 9  Customize the behavior of the GlobalProtect agent for users with this configuration.
  Select the App tab and then modify the agent settings as desired. For more details about each option, see
  Customize the GlobalProtect Agent.

Step 10  (Optional) Define any custom host information profile (HIP) data that you want the agent to
  collect and/or exclude HIP categories from collection.
  This step only applies if you plan to use the HIP feature and there is information you want to collect that
  cannot be collected using the standard HIP objects or if there is HIP information that you are not
  interested in collecting. See Use Host Information in Policy Enforcement for details on setting up and
  using the HIP feature.
  1. Select Data Collection and enable the GlobalProtect agent to Collect HIP Data.
  2. Select Exclude Categories to exclude specific categories and/or vendors, applications, or versions
     within a category. For more details, see Step 3 in Configure HIP-Based Policy Enforcement.
  3. Select Custom Checks to define any custom data you want to collect from hosts running this agent
     configuration, and add the category and vendor. For more details, see Step 2 in Use Host Information
     in Policy Enforcement.

Step 11  Save the agent configuration.
  1. Click OK to save the settings and close the Configs dialog.
  2. If you want to add another agent configuration, repeat Step 3 through Step 11.

Step 12  Arrange the agent configurations so that the proper configuration is deployed to each agent.
  When an agent connects, the portal will compare the source information in the packet against the agent
  configurations you have defined. As with security rule evaluation, the portal looks for a match starting
  from the top of the list. When it finds a match, it delivers the corresponding configuration to the agent
  or app.
  • To move an agent configuration up on the list of configurations, select the configuration and click
    Move Up.
  • To move an agent configuration down on the list of configurations, select the configuration and click
    Move Down.

Step 13  Save the portal configuration.
  1. Click OK to save the settings and close the GlobalProtect Portal Configuration dialog.
  2. Commit the changes.
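The top-down, first-match evaluation that both Step 3 of the client authentication procedure (matching on OS or Browser) and Steps 7 and 12 above (matching on OS plus user/group, with pre-logon and any as special values) describe, as an added example that is not the portal's own code. It also includes a small ordering check that flags a configuration placed after a broader one that always matches first, which is the mistake Step 12 warns about. The configuration names, users and groups are constructed, and the check is deliberately conservative: it ignores group membership, so it reports only shadowing it can prove from the configurations themselves.

```python
"""First-match selection of portal configurations (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ANY = "any"
PRE_LOGON = "pre-logon"


@dataclass(frozen=True)
class Endpoint:
    os: str                          # e.g. "Windows", "Android", "Browser"
    user: str = PRE_LOGON            # no user yet until someone logs in
    groups: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class AgentConfig:
    name: str
    os: FrozenSet[str] = frozenset()      # empty == Any OS
    users: FrozenSet[str] = frozenset()   # users/groups; empty == any

    def matches(self, ep: Endpoint) -> bool:
        os_ok = not self.os or ep.os in self.os
        if not self.users or ANY in self.users:
            user_ok = True                    # any: logged-in and pre-logon alike
        elif ep.user == PRE_LOGON:
            user_ok = PRE_LOGON in self.users # only an explicit pre-logon entry
        else:
            user_ok = ep.user in self.users or bool(ep.groups & self.users)
        return os_ok and user_ok


def select_config(configs: List[AgentConfig], ep: Endpoint) -> Optional[AgentConfig]:
    """Top of the list first; the first match is delivered, the rest ignored."""
    return next((c for c in configs if c.matches(ep)), None)


def _broader_or_equal(a: AgentConfig, b: AgentConfig) -> bool:
    """True when every endpoint that matches b provably matches a as well."""
    os_ok = not a.os or (b.os and b.os <= a.os)
    a_any_user = not a.users or ANY in a.users
    b_any_user = not b.users or ANY in b.users
    user_ok = a_any_user or (not b_any_user and b.users <= a.users)
    return bool(os_ok and user_ok)


def shadowed(configs: List[AgentConfig]) -> List[str]:
    """Names of configurations that an earlier, broader entry always pre-empts."""
    return [later.name for j, later in enumerate(configs)
            if any(_broader_or_equal(earlier, later) for earlier in configs[:j])]


# Constructed list in the recommended order: specific first, catch-all last.
ORDERED = [
    AgentConfig("finance-windows", os=frozenset({"Windows"}), users=frozenset({"finance"})),
    AgentConfig("mobile", os=frozenset({"Android", "iOS"})),
    AgentConfig("prelogon-machines", users=frozenset({PRE_LOGON})),
    AgentConfig("default"),
]

if __name__ == "__main__":
    alice = Endpoint("Windows", "alice", frozenset({"finance"}))
    print(select_config(ORDERED, alice).name)            # finance-windows
    print(select_config(ORDERED, Endpoint("Windows")).name)  # prelogon-machines
    print(shadowed(ORDERED))                             # []
    print(shadowed(list(reversed(ORDERED))))             # everything after default
```

Running the ordering check after every change to the list is a cheap way to catch the case where a catch-all entry has drifted above the OS- or group-specific entries; on the firewall itself the only signal is that users silently receive the wrong gateway list or authentication profile.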


Customize the GlobalProtect Agent

The portal agent configuration allows you to customize how your end users interact with the GlobalProtect
agents installed on their systems or the GlobalProtect app installed on their mobile devices. You can define
different agent settings for the different GlobalProtect agent configurations you create. For more
information on GlobalProtect client requirements, see What Client OS Versions are Supported with
GlobalProtect?
You can customize the display and behavior of the agent. For example, you can specify the following:
• What menus and views users can access.
• Whether users can disable the agent (applies to the user-logon connect method only).
• Whether to display a welcome page upon successful login. You can also configure whether or not the
  user can dismiss the welcome page and you can create custom welcome and help pages that explain how
  to use GlobalProtect within your environment. See Customize the GlobalProtect Portal Login, Welcome,
  and Help Pages.
• Whether agent upgrades occur automatically or whether users are prompted to upgrade.

You can also define agent settings directly from the Windows registry or the global Mac plist. For
Windows clients you can also define agent settings directly from the Windows installer (Msiexec).
Settings defined in the portal agent configurations in the web interface take precedence over
settings defined in the Windows registry/Msiexec or the Mac plist. For more details, see Deploy
Agent Settings Transparently.

Additional options that are available through the Windows command line (Msiexec) or Windows registry
only enable you to (for more information, see Customizable Agent Settings):
• Specify whether the agent should prompt the end user for credentials if Windows SSO fails.
• Specify the default portal IP address (or hostname).
• Enable GlobalProtect to initiate a VPN connection before the user logs in to the endpoint.
• Deploy scripts that run before or after GlobalProtect establishes a VPN connection or after GlobalProtect
  disconnects the VPN connection.
• Enable the GlobalProtect agent to wrap third-party credentials on the Windows client, allowing for SSO
  when using a third-party credential provider.


Use the following procedure to customize the GlobalProtect agent.

Customize the Agent

Step 1  Select the Agent tab in the agent configuration you want to customize.
  You can also configure most settings that are on the App tab from a group policy by adding settings to
  the Windows registry/Mac plist. On Windows systems, you can also set them using the Msiexec utility on
  the command line during the agent installation. However, settings defined in the web interface or the CLI
  take precedence over registry/plist settings. See Deploy Agent Settings Transparently for details.
  1. Select Network > GlobalProtect > Portals and select the portal configuration for which you want to add
     an agent configuration (or Add a new configuration).
  2. Select the Agent tab and select the configuration you want to modify (or Add a new configuration).
  3. Select the App tab.
     The App Configurations area displays the options with default values that you can customize for each
     agent configuration. When you change the default behavior, the web interface changes the color from
     gray to the default text color.

Step 2  Specify the Connect Method that an agent or app uses for its GlobalProtect connection.
  Consider the following best practices when you configure the Connect Method:
  • Use only the On-demand option (default) if you are using GlobalProtect for VPN access to external
    gateways.
  • Do not use the On-demand option if you plan to run the GlobalProtect agent in hidden mode.
  • For faster connection times, use internal host detection in configurations where you have enabled SSO.
  In the App Configurations area, configure any of the following options:
  Select a Connect Method:
  • User-logon (Always On): The GlobalProtect agent automatically connects to the portal as soon as the
    user logs in to the endpoint (or domain). When used in conjunction with SSO (Windows users only),
    GlobalProtect login is transparent to the end user.
  • Pre-logon (Always On): Authenticates the user and establishes a VPN tunnel to the GlobalProtect
    gateway before the user logs in to the client. This option requires that you use an external PKI solution
    to pre-deploy a machine certificate to each endpoint that receives this configuration. See Remote
    Access VPN with Pre-Logon for details about pre-logon.
  • On-demand (Manual user initiated connection): Users will have to manually launch the agent to
    connect to GlobalProtect. Use this connect method for external gateways only.
  • Pre-logon then On-demand: Similar to the Pre-logon (Always On) connect method, this connect
    method (which requires Content Release version 590-3397 or later) enables the GlobalProtect agent to
    authenticate the user and establish a VPN tunnel to the GlobalProtect gateway before the user logs in
    to the client. Unlike the pre-logon connection method, after the user logs in to the client, users must
    manually launch the agent to connect to GlobalProtect if the connection is terminated for any reason.
    The benefit of this option is that you can allow a user to specify a new password after password
    expiration or a user forgets their password but still require the user to manually initiate the
    connection after the user logs in.


Step 3  Specify whether to enforce GlobalProtect connections for network access.
  To enforce GlobalProtect for network access, we recommend that you enable this feature only for users
  that connect in User-logon or Pre-logon modes. Users that connect in On-demand mode may not be able
  to establish a connection within the permitted grace periods.
  In the App Configurations area, configure any of the following options:
  • To force all network traffic to traverse a GlobalProtect tunnel, set Enforce GlobalProtect Connection for
    Network Access to Yes. By default, GlobalProtect is not required for network access, meaning users can
    still access the internet if GlobalProtect is disabled or disconnected. To provide instructions to users
    before traffic is blocked, configure a Traffic Blocking Notification Message and optionally specify when
    to display the message (Traffic Blocking Notification Delay).
  • To permit traffic required to establish a connection with a captive portal, specify a Captive Portal
    Exception Timeout. The user must authenticate with the portal before the timeout expires. To provide
    additional instructions, configure a Captive Portal Detection Message.
  These features require Content Release version 607-3486 or later.

Step 4  Specify additional GlobalProtect connection settings.
  With single sign-on (SSO) enabled (the default), the GlobalProtect agent uses the user's Windows login
  credentials to automatically authenticate to and connect to the GlobalProtect portal and gateway.
  GlobalProtect with SSO enabled also allows for the GlobalProtect agent to wrap third-party credentials to
  ensure that Windows users can authenticate and connect, even when a third-party credential provider is
  being used to wrap the Windows login credentials.
  In the App Configurations area, configure any of the following options:
  • (Windows only) Set Use Single Sign-On to No to disallow GlobalProtect to use the Windows login
    credentials to automatically authenticate the user upon login to Active Directory.
  • Enter the Maximum Internal Gateway Connection Attempts to specify the number of times the
    GlobalProtect agent should retry the connection to an internal gateway after the first attempt fails
    (range is 0-100; 4 or 5 is recommended; default is 0, which means the GlobalProtect agent does not
    retry the connection). By increasing the value, you enable the agent to connect to an internal gateway
    that is temporarily down or unreachable during the first connection attempt but comes back up before
    the specified number of retries are exhausted. Increasing the value also ensures that the internal
    gateway receives the most up-to-date user and host information.
  • Enter the GlobalProtect App Config Refresh Interval (hours) to specify the number of hours the
    GlobalProtect portal waits before it initiates the next refresh of a client's configuration (range is
    1-168; default is 24).
  • Specify whether to Retain Connection on Smart Card Removal. By default, the option is set to Yes,
    meaning GlobalProtect retains the tunnel when a user removes a smart card containing a client
    certificate. To terminate the tunnel, set this option to No. The decision on whether to retain the
    connection depends on your security requirements.
    This feature requires Content Release version 590-3397 or a later version.


Step 5  Configure the menus and UI views that are available to users who have this agent configuration.
  Configure any or all of the following options:
  • If you want users to be able to see only basic status information within the application, set Enable
    Advanced View to No. By default, the advanced view is enabled. It allows users to see detailed
    statistical, host, and troubleshooting information and to perform certain tasks, such as changing their
    password.
  • If you want to hide the GlobalProtect agent on end user systems, set Display GlobalProtect Icon to No.
    When the icon is hidden, users cannot perform other tasks such as changing passwords, rediscovering
    the network, resubmitting host information, viewing troubleshooting information, or performing an
    on-demand connection. However, HIP notification messages, login prompts, and certificate dialogs will
    still display as necessary for interacting with the end user.
  • To prevent users from performing a network rediscovery, set the Enable Rediscover Network Option to
    No. When you disable the option, it is grayed out in the GlobalProtect menu.
  • To prevent users from manually resubmitting HIP data to the gateway, set Enable Resubmit Host Profile
    Option to No. This option is enabled by default, and is useful in cases where HIP-based security policy
    prevents users from accessing resources because it allows the user to fix the compliance issue on the
    computer and then resubmit the HIP.
  • (Windows only) To allow GlobalProtect to display notifications in the notification area (system tray),
    set Show System Tray Notifications to Yes.
  • To create a custom message to display to users when their password is about to expire, configure the
    Custom Password Expiration Message (LDAP Authentication Only). The maximum message length is
    200 characters.

Step 6  Define what the end users with this configuration can do in their client.
  • Set Allow User to Change Portal Address to No to disable the Portal field on the Home tab in the
    GlobalProtect agent. Because the user will then be unable to specify a portal to which to connect, you
    must supply the default portal address in the Windows registry
    (HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup with key Portal) or
    the Mac plist (/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist with key Portal
    under dictionary PanSetup). For more information, see Deploy Agent Settings Transparently.
  • To prevent users from dismissing the welcome page, set Allow User to Dismiss Welcome Page to No.
    Otherwise, when set to Yes, the user can dismiss the welcome page and prevent GlobalProtect from
    displaying the page after subsequent logins.


Step 7  Specify whether users can disable the GlobalProtect agent.
  The Allow User to Disable GlobalProtect option applies to agent configurations that have the Connect
  Method set to User-Logon (Always On). In user-logon mode, the agent or app automatically connects to
  GlobalProtect as soon as the user logs in to the endpoint. This mode is sometimes referred to as
  always-on, which is why the user must override this behavior to disable the GlobalProtect client. By
  default, this option is set to Allow, which permits users to disable GlobalProtect without providing a
  comment, passcode, or ticket number.
  If the agent icon is not visible, users are not able to disable the GlobalProtect client. See Step 5 for
  details.
  • To prevent users with the user-logon connect method from disabling GlobalProtect, set Allow User to
    Disable GlobalProtect to Disallow.
  • To allow users to disable GlobalProtect if they provide a passcode, set Allow User to Disable
    GlobalProtect to Allow with Passcode. Then, in the Disable GlobalProtect App area, enter (and confirm)
    the Passcode that the end users must supply.
  • To allow users to disconnect if they provide a ticket, set Allow User to Disable GlobalProtect to Allow
    with Ticket. With this option, the disconnect action triggers the agent to generate a Request Number.
    The end user must then communicate the Request Number to the administrator. The administrator then
    clicks Generate Ticket on the Network > GlobalProtect > Portals page and enters the request number
    from the user to generate the ticket. The administrator then provides the ticket to the end user, who
    enters it into the Disable GlobalProtect dialog to enable the agent to disconnect.
  • To limit the number of times users can disable the GlobalProtect client, enter a value in the Max Times
    User Can Disable field in the Disable GlobalProtect App area. A value of 0 (the default) indicates that
    users are not limited in the number of times they can disable the client.
  • To restrict how long the user may be disconnected, enter a value (in minutes) in the User Can Disable
    Timeout (min) field in the Disable GlobalProtect App area. A value of 0 (the default) means that there
    is no restriction on how long the user can keep the client disabled.


Step 8  Configure the certificate settings and behavior for the users that receive this configuration.

- Client Certificate Store Lookup: Select which store the agent should use to look up client certificates. User certificates are stored in the Current User certificate store on Windows and in the Personal Keychain on Mac OS. Machine certificates are stored in the Local Computer certificate store on Windows and in the System Keychain on Mac OS. By default, the agent looks for User and machine certificates in both places.
- SCEP Certificate Renewal Period (days): With SCEP, the portal can request a new client certificate before the certificate expires. This time before the certificate expires is the optional SCEP certificate renewal period. During a configurable number of days before a client certificate expires, the portal can request a new certificate from the SCEP server in your enterprise PKI (range is 0-30; default is 7). A value of 0 means the portal does not automatically renew the client certificate when it refreshes the agent configuration.
  For an agent or app to obtain the new certificate during the renewal period, the user must log in to the GlobalProtect client. For example, if a client certificate has a lifespan of 90 days, the certificate renewal period is 7 days, and the user logs in during the final 7 days of the certificate lifespan, the portal acquires a new certificate and deploys it along with a fresh agent configuration. For more information, see Deploy User-Specific Client Certificates for Authentication.
- Extended Key Usage OID for Client Certificate: Enter the extended key usage of a client certificate by specifying its object identifier (OID). This setting ensures that the GlobalProtect agent selects only a certificate that is intended for client authentication when multiple certificate types are present and enables GlobalProtect to save the selection for future use. This option is supported on Windows and Mac endpoints only.
- If you do not want the agent to establish a connection with the portal when the portal certificate is not valid, set Allow User to Continue with Invalid Portal Server Certificate to No. Keep in mind that the portal provides the agent configuration only; it does not provide network access, and therefore security to the portal is less critical than security to the gateway. However, if you have deployed a trusted server certificate for the portal, deselecting this option can help prevent man-in-the-middle (MITM) attacks.


Step 9  (Windows only) Configure settings for Windows-based endpoints that receive this configuration.

- Update DNS Settings at Connect: Select Yes to flush the DNS cache and force all adapters to use the DNS settings in the configuration. Select No (the default) to use the DNS settings from the physical adapter on the endpoint.
- Send HIP Report Immediately if Windows Security Center (WSC) State Changes: Select No to prevent the GlobalProtect agent from sending HIP data when the status of the Windows Security Center (WSC) changes. Select Yes (default) to immediately send HIP data when the status of the WSC changes.
- Detect Proxy for Each Connection: Select No to auto-detect the proxy for the portal connection and use that proxy for subsequent connections. Select Yes (default) to auto-detect the proxy at every connection.
- Clear Single Sign-On Credentials on Logout: Select No to keep single sign-on credentials when the user logs out. Select Yes (default) to clear them and force the user to enter credentials upon the next login.
- Use Default Authentication on Kerberos Authentication Failure: Select No to use only Kerberos authentication. Select Yes (default) to retry using the default authentication method after authentication using Kerberos fails.

Step 10  If your endpoints frequently experience latency or slowness when connecting to the GlobalProtect portal or gateways, consider adjusting the portal and TCP timeout values.

To allow more time for your endpoints to connect to or receive data from the portal or gateway, increase the timeout values, as needed. Keep in mind that increasing the values can result in longer wait times if the GlobalProtect agent is unable to establish the connection. In contrast, decreasing the values can prevent the GlobalProtect agent from establishing a connection when the portal or gateway does not respond before the timeout expires.

Configure values for any of the following options:

- Portal Connection Timeout (sec): The number of seconds before a connection request to the portal times out due to no response from the portal (range is 1-600; default is 30).
- TCP Connection Timeout (sec): The number of seconds before a TCP connection request times out due to unresponsiveness from either end of the connection (range is 1-600; default is 60).
- TCP Receive Timeout (sec): The number of seconds before a TCP connection times out due to the absence of some partial response of a TCP request (range is 1-600; default is 30).


Step 11  Specify whether remote desktop connections are permitted over existing VPN tunnels by specifying the User Switch Tunnel Rename Timeout.

When a new user connects to a Windows machine using Remote Desktop Protocol (RDP), the gateway reassigns the VPN tunnel to the new user. The gateway can then enforce security policies on the new user. Allowing remote desktop connections over VPN tunnels can be useful in situations where an IT administrator needs to access a remote end user system using RDP.

By default, the User Switch Tunnel Rename Timeout field is set to 0, meaning the GlobalProtect gateway terminates the connection if a new user authenticates over the VPN tunnel. To modify this behavior, configure a timeout value from 1 to 600 seconds. If the new user does not log in to the gateway before the timeout value expires, the GlobalProtect gateway terminates the VPN tunnel assigned to the first user.

Note: Changing the User Switch Tunnel Rename Timeout value only affects the RDP tunnel and does not rename a pre-logon tunnel when configured.

Step 12  Specify how GlobalProtect agent upgrades occur.

If you want to control when users can upgrade, for example if you want to test a release on a small group of users before deploying it to your entire user base, you can customize the agent upgrade behavior on a per-configuration basis. In this case, you could create a configuration that applies to users in your IT group only to allow them to upgrade and test, and disable upgrade in all other user/group configurations. Then, after you have thoroughly tested the new version, you could modify the agent configurations for the rest of your users to allow the upgrade.

By default, the Allow User to Upgrade GlobalProtect App field is set to prompt the end user to upgrade. To modify this behavior, select one of the following options:

- If you want upgrades to occur automatically without interaction with the user, select Allow Transparently.
- To prevent agent upgrades, select Disallow.
- To allow end users to initiate agent upgrades, select Allow Manually. In this case, the user would select the Check Version option in the agent to determine if there is a new agent version and then upgrade if desired. Note that this option will not work if the GlobalProtect agent is hidden from the user. See Step 6 for details.

Step 13  Specify whether to display a welcome page upon successful login.

A welcome page can be a useful way to direct users to internal resources that they can only access when connected to GlobalProtect, such as your Intranet or other internal servers. By default, the only indication that the agent has successfully connected to GlobalProtect is a balloon message that displays in the system tray/menu bar.

To display a welcome page after a successful login, select factory-default from the Welcome Page drop-down on the right. GlobalProtect displays the welcome page in the default browser on Windows, Mac, and Chromebook endpoints, or within the GlobalProtect app on mobile devices. You can also select a custom welcome page that provides information specific to your users, or to a specific group of users (based on which portal configuration gets deployed). For details on creating custom pages, see Customize the GlobalProtect Portal Login, Welcome, and Help Pages.

Step 14  Save the agent configuration settings.

1. If you are done creating agent configurations, click OK to close the Configs dialog. Otherwise, for instructions on completing the agent configurations, return to Define the GlobalProtect Agent Configurations.
2. If you are done configuring the portal, click OK to close the GlobalProtect Portal Configuration dialog.
3. When you finish the portal configuration, Commit the changes.


Customize the GlobalProtect Portal Login, Welcome, and Help Pages

GlobalProtect provides default login, welcome, and/or help pages. However, you can create your own custom pages with your corporate branding, acceptable use policies, and links to your internal resources.

You can alternatively disable browser access to the portal login page in order to prevent unauthorized attempts to authenticate to the GlobalProtect portal (configure the Disable login page option from Network > GlobalProtect > Portals > portal_config > General). With the portal login page disabled, you can instead use a software distribution tool, such as Microsoft's System Center Configuration Manager (SCCM), to allow your users to download and install the GlobalProtect agent.

Customize the Portal Login, Welcome, and Help Pages

Step 1  Export the default portal login, welcome, or help page.
1. Select Device > Response Pages.
2. Select the link for the type of GlobalProtect portal page.
3. Select the Default predefined page and click Export.

Step 2  Edit the exported page.
1. Use the HTML text editor of your choice to edit the page.
2. If you want to edit the logo image that is displayed, host the new logo image on a web server that is accessible from the remote GlobalProtect clients. For example, edit the following line in the HTML to point to the new logo image:
   <img src="http://cdn.slidesharecdn.com/Acme-logo-96x96.jpg?1382722588"/>
3. Save the edited page with a new filename. Make sure that the page retains its UTF-8 encoding.

Step 3  Import the new page(s).
1. Select Device > Response Pages.
2. Select the link for the type of GlobalProtect portal page.
3. Click Import and then enter the path and filename in the Import File field or Browse to locate the file.
4. (Optional) Select the virtual system on which this page will be used from the Destination drop-down or select shared (default) to make it available to all virtual systems.
5. Click OK to import the file.

Step 4  Configure the portal to use the new page(s).
Custom Login Page and Custom Help Page:
1. Select Network > GlobalProtect > Portals and select the portal to which you want to add the login page.
2. On the General tab, select the new page from the relevant drop-down in the Appearance area.
Custom Welcome Page:
1. Select Network > GlobalProtect > Portals and select the portal to which you want to add the login page.
2. On the Agent tab, select the agent configuration to which you want to add the welcome page.
3. Select the App tab, and select the new page from the Welcome Page drop-down.
4. Click OK to save the agent configuration.


Step 5  Save the portal configuration.
Click OK and then Commit your changes.

Step 6  Verify that the new page displays.
Test the login page: Open a browser, go to the URL for your portal (be sure you do not add the :4443 port number to the end of the URL or you will be directed to the web interface for the firewall). For example, enter https://myportal rather than https://myportal:4443. The new portal login page will display.
Test the help page: Right-click the GlobalProtect icon in the notification area (system tray), and select Help. The new help page will display.
Test the welcome page: Right-click the GlobalProtect icon in the notification area (system tray), and select Welcome Page. The new welcome page will display.
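As an added check that is not part of this guide, the following Python script applies the two conditions from Step 2 to an edited response page before you import it in Step 3: the file must still decode as UTF-8, and each logo image must be an absolute URL on a server the remote clients can reach, with the further caveat that the image URL should be https so that the portal page, which is served over TLS, does not pull the logo over plain HTTP. The sample pages and the file-name argument are constructed for the example.

```python
"""Pre-import check for a customized GlobalProtect response page.

Added example, not code from the GlobalProtect guide. It reproduces the
guide's two requirements for an edited login/welcome/help page (the file
stays UTF-8 and the logo is hosted on a server reachable by remote clients)
and adds a defender's check that the logo URL uses https.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ImgCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in the page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def check_response_page(raw: bytes) -> list:
    """Return the problems found in the page bytes; an empty list means it passes."""
    problems = []
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        # The guide requires the page to keep its UTF-8 encoding; stop here.
        return [f"page is not valid UTF-8: {exc}"]
    parser = _ImgCollector()
    parser.feed(text)
    for src in parser.srcs:
        url = urlparse(src)
        if not url.scheme or not url.netloc:
            # A relative path would be resolved against the portal, which does
            # not host the logo; the guide says to host it on a reachable web server.
            problems.append(f"image src is not an absolute URL: {src}")
        elif url.scheme != "https":
            problems.append(f"image src is not served over https: {src}")
    return problems


# Constructed sample pages that exercise each branch of the check.
GOOD_PAGE = (
    '<html><body>'
    '<img src="https://cdn.example.com/Acme-logo-96x96.jpg"/>'
    '</body></html>'
).encode("utf-8")

HTTP_LOGO_PAGE = (
    '<html><body><img src="http://cdn.example.com/logo.jpg"/></body></html>'
).encode("utf-8")

RELATIVE_LOGO_PAGE = b'<html><body><img src="logo.jpg"/></body></html>'

# A page re-saved by an editor in a legacy single-byte code page: the byte
# 0xE0 for "a grave" is not valid UTF-8 on its own.
LATIN1_PAGE = "<p>Bienvenue \u00e0 Acme</p>".encode("latin-1")


if __name__ == "__main__":
    import sys

    # Usage: python check_page.py edited_login_page.html  (file name is constructed)
    with open(sys.argv[1], "rb") as fh:
        issues = check_response_page(fh.read())
    print("\n".join(issues) or "page passes")
```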


Enable Delivery of GlobalProtect Client VSAs to a RADIUS Server

When communicating with GlobalProtect portals or gateways, GlobalProtect clients send information that includes the client IP address, operating system (OS), hostname, user domain, and GlobalProtect agent/app version. You can enable the firewall to send this information as Vendor-Specific Attributes (VSAs) to a RADIUS server during authentication (by default, the firewall does not send the VSAs). RADIUS administrators can then perform administrative tasks based on those VSAs. For example, RADIUS administrators might use the client OS attribute to define a policy that mandates regular password authentication for Microsoft Windows users and one-time password (OTP) authentication for Google Android users.

The following are prerequisites for this procedure:
- Import the Palo Alto Networks RADIUS dictionary into your RADIUS server.
- Configure a RADIUS server profile and assign it to an authentication profile: see Set Up External Authentication.
- Assign the authentication profile to a GlobalProtect portal or gateway: see Set Up Access to the GlobalProtect Portal or Configure a GlobalProtect Gateway.

Enable Delivery of GlobalProtect Client VSAs to a RADIUS Server

Step 1  Log in to the firewall CLI.

Step 2  Enter the command for each VSA you want to send.
username@hostname> set authentication radius-vsa-on client-source-ip
username@hostname> set authentication radius-vsa-on client-os
username@hostname> set authentication radius-vsa-on client-hostname
username@hostname> set authentication radius-vsa-on user-domain
username@hostname> set authentication radius-vsa-on client-gp-version
If you later want to stop the firewall from sending particular VSAs, run the same commands but use the radius-vsa-off option instead of radius-vsa-on.


Deploy the GlobalProtect Client Software

In order to connect to GlobalProtect, an end host must be running GlobalProtect client software. The software deployment method depends on the type of client as follows:

- Mac OS and Microsoft Windows endpoints: Require the GlobalProtect agent software, which is distributed by the GlobalProtect portal. To enable the software for distribution, you must download the version you want the hosts in your network to use to the firewall hosting your GlobalProtect portal and then activate the software for download. For instructions on how to download and activate the agent software on the firewall, see Deploy the GlobalProtect Agent Software.
- Windows 10 phone and Windows 10 UWP endpoints: Require the GlobalProtect app. As with other mobile device apps, the end user must download the GlobalProtect app from the Microsoft Store. For instructions on how to download and test the GlobalProtect app installation, see Download and Install the GlobalProtect Mobile App.
- iOS and Android endpoints: Require the GlobalProtect app. As with other mobile device apps, the end user must download the GlobalProtect app either from the Apple App Store (iOS devices) or from Google Play (Android devices). For instructions on how to download and test the GlobalProtect app installation, see Download and Install the GlobalProtect Mobile App.
- Chromebooks: Require the GlobalProtect app for Chrome OS. Similar to the download process for mobile device apps, the end user can download the GlobalProtect app from the Chrome Web Store. You can also deploy the app to a managed Chromebook using the Chromebook Management Console. For instructions on how to download and test the GlobalProtect app installation, see Download and Install the GlobalProtect App for Chrome OS.

For more details, see What Client OS Versions are Supported with GlobalProtect?

Deploy the GlobalProtect Agent Software

There are several ways to deploy the GlobalProtect agent software:

- Directly from the portal: Download the agent software to the firewall hosting the portal and activate it so that end users can install the updates when they connect to the portal. This option provides flexibility in that it allows you to control how and when end users receive updates based on the agent configuration settings you define for each user, group, and/or operating system. However, if you have a large number of agents that require updates, it could put extra load on your portal. See Host Agent Updates on the Portal for instructions.
- From a web server: If you have a large number of hosts that will need to upgrade the agent simultaneously, consider hosting the agent updates on a web server to reduce the load on the firewall. See Host Agent Updates on a Web Server for instructions.
- Transparently from the command line: For Windows clients, you can automatically deploy agent settings in the Windows Installer (Msiexec). However, to upgrade to a later agent version using Msiexec, you must first uninstall the existing agent. In addition, Msiexec allows for deployment of agent settings directly on the endpoints by setting values in the Windows registry or Mac plist. See Deploy Agent Settings Transparently.


- Using group policy rules: In Active Directory environments, the GlobalProtect Agent can also be distributed to end users using Active Directory group policy. AD Group policies allow modification of Windows host computer settings and software automatically. Refer to the article at http://support.microsoft.com/kb/816102 for more information on how to use Group Policy to automatically distribute programs to host computers or users.
- From a mobile endpoint management system: If you use a mobile management system such as an MDM or EMM to manage your mobile devices, you can use the system to deploy and configure the GlobalProtect app. See Mobile Endpoint Management.

Host Agent Updates on the Portal

The simplest way to deploy the GlobalProtect agent software is to download the new agent installation package to the firewall that is hosting your portal and then activate the software for download to the agents connecting to the portal. To do this automatically, the firewall must have a service route that enables it to access the Palo Alto Networks Update Server. If the firewall does not have access to the Internet, you can manually download the agent software package from the Palo Alto Networks Software Updates support site using an Internet-connected computer and then manually upload it to the firewall.

Note: You must have a valid Palo Alto Networks account to log in to and download software from the Software Updates page. If you cannot log in and need assistance, go to https://www.paloaltonetworks.com/support/tabs/overview.html.

You define how the agent software updates are deployed in the agent configurations you define on the portal: whether they happen automatically when the agent connects to the portal, whether the user is prompted to upgrade the agent, or whether the end user can manually check for and download a new agent version. For details on creating an agent configuration, see Define the GlobalProtect Agent Configurations.

Host the GlobalProtect Agent on the Portal

Step 1  Launch the web interface on the firewall hosting the GlobalProtect portal and go to the GlobalProtect Client page.
Select Device > GlobalProtect Client.

Step 2  Check for new agent software images.
If the firewall has access to the Update Server, click Check Now to check for the latest updates. If the value in the Action column is Download, it indicates that an update is available.
If the firewall does not have access to the Update Server, go to the Palo Alto Networks Software Updates support site and Download the file to your computer. Then go back to the firewall to manually Upload the file.
Note: You must have a valid Palo Alto Networks account to log in to and download software from the Software Updates page. If you cannot log in and need assistance, go to https://www.paloaltonetworks.com/support/tabs/overview.html.


Step 3  Download the agent software image.
Note: If your firewall does not have Internet access from the management port, you can download the agent update from the Palo Alto Networks Support Site (https://www.paloaltonetworks.com/support/tabs/overview.html). You can then manually Upload the update to your firewall and then activate it with Activate From File.
Locate the agent version you want and then click Download. When the download completes, the value in the Action column changes to Activate.
Note: If you manually uploaded the agent software as detailed in Step 2, the Action column will not update. Continue to the next step for instructions on activating an image that was manually uploaded.

Step 4  Activate the agent software image so that end users can download it from the portal.
Note: Only one version of the agent software image can be activated at a time. If you activate a new version, but have some agents that require a previously activated version, you will have to activate the required version again to enable it for download.
If you downloaded the image automatically from the Update Server, click Activate.
If you manually uploaded the image to the firewall, click Activate From File and then select the GlobalProtect Client File you uploaded from the drop-down. Click OK to activate the selected image. You may need to refresh the screen before the version displays as Currently Activated.

Host Agent Updates on a Web Server

If you have a large number of endpoints that will need to install and/or update the GlobalProtect agent software, consider hosting the GlobalProtect agent software images on an external web server. This helps reduce the load on the firewall when users connect to download the agent. To use this feature, the firewall hosting the portal must be running PAN-OS 4.1.7 or a later release.

Host GlobalProtect Agent Images on a Web Server

Step 1  Download the version of the GlobalProtect agent that you plan to host on the web server to the firewall and activate it.
Follow the steps for downloading and activating the agent software on the firewall as described in Host the GlobalProtect Agent on the Portal.

Step 2  Download the GlobalProtect agent image you want to host on your web server.
You should download the same image that you activated on the portal.
From a browser, go to the Palo Alto Networks Software Updates site and Download the file to your computer.

Step 3  Publish the files to your web server.
Upload the image file(s) to your web server.


Step 4  Redirect the end users to the web server.
On the firewall hosting the portal, log in to the CLI and enter the following operational mode commands:
> set global-protect redirect on
> set global-protect redirect location <path>
where <path> is the URL to the folder hosting the image, for example https://acme/GP.

Step 5  Test the redirect.
1. Launch your web browser and go to the following URL: https://<portal address or name>
   For example, https://gp.acme.com.
2. On the portal login page, enter your user Name and Password and then click Login. After successful login, the portal should redirect you to the download.

Test the Agent Installation

Use the following procedure to test the agent installation.

Test the Agent Installation

Step 1  Create an agent configuration for testing the agent installation.
Note: When initially installing the GlobalProtect agent software on the endpoint, the end user must be logged in to the system using an account that has administrative privileges. Subsequent agent software updates do not require administrative privileges.
As a best practice, create an agent configuration that is limited to a small group of users, such as administrators in the IT department responsible for administering the firewall:
1. Select Network > GlobalProtect > Portals and select the portal configuration to edit.
2. Select the Agent tab and either select an existing configuration or Add a new configuration to deploy to the test users/group.
3. On the User/User Group tab, click Add in the User/User Group section, select the user or group who will be testing the agent, and then click OK.
4. On the Agent tab, make sure Agent Upgrade is set to prompt and then click OK to save the configuration.
5. (Optional) Select the agent configuration you just created/modified and click Move Up so that it is before any more generic configurations you have created.
6. Commit the changes.


Step 2  Log in to the GlobalProtect portal.
1. Launch your web browser and go to the following URL: https://<portal address or name>
   For example, https://gp.acme.com.
2. On the portal login page, enter your user Name and Password and then click Login.

Step 3  Download the agent.
1. Click the link that corresponds to the operating system you are running on your computer to begin the download.
2. When prompted to run or save the software, click Run.
3. When prompted, click Run to launch the GlobalProtect Setup Wizard.
Note: When initially installing the GlobalProtect agent software on the endpoint, the end user must be logged in to the system using an account that has administrative privileges. Subsequent agent software updates do not require administrative privileges.

Step 4  Complete the GlobalProtect agent setup.
1. From the GlobalProtect Setup Wizard, click Next.
2. Click Next to accept the default installation folder (C:\Program Files\Palo Alto Networks\GlobalProtect) or Browse to choose a new location and then click Next twice.
3. After the installation successfully completes, click Close. The GlobalProtect agent will automatically start.


Step 5  Log in to GlobalProtect.
Enter the FQDN or IP address of the Portal, your Username, and your Password and then click Connect. If authentication is successful, the agent will connect to GlobalProtect. Use the agent to access resources on the corporate network as well as external resources, as defined in the corresponding security policies.

To deploy the agent to end users, create agent configurations for the user groups for which you want to enable access and set the Agent Upgrade settings appropriately, and then communicate the portal address. See Define the GlobalProtect Agent Configurations for details on setting up agent configurations.

Download and Install the GlobalProtect Mobile App

The GlobalProtect app provides a simple way to extend the enterprise security policies out to mobile devices. As with other remote hosts running the GlobalProtect agent, the mobile app provides secure access to your corporate network over an IPSec or SSL VPN tunnel. The app will automatically connect to the gateway that is closest to the end user's current location. In addition, traffic to and from the mobile device is automatically subject to the same security policy enforcement as other hosts on your corporate network. Like the GlobalProtect agent, the app collects information about the host configuration and can use this information for enhanced HIP-based security policy enforcement.

There are two primary methods for installing the GlobalProtect app: You can deploy the app from your third-party MDM and transparently push the app to your managed devices; or, you can install the app directly from the official store for your device:

- iOS endpoints: App Store
- Android endpoints: Google Play
- Windows 10 phones and Windows 10 UWP endpoints: Microsoft Store
- Chromebooks: For details on installing the GlobalProtect app for Chrome OS, see Download and Install the GlobalProtect App for Chrome OS.

This workflow describes how to install the GlobalProtect app directly on the mobile device. For instructions on how to deploy the GlobalProtect app from AirWatch, see Deploy the GlobalProtect Mobile App Using AirWatch.


Install the GlobalProtect Mobile App

Step 1  Create an agent configuration for testing the app installation.
As a best practice, create an agent configuration that is limited to a small group of users, such as administrators in the IT department responsible for administering the firewall:
1. Select Network > GlobalProtect > Portals and select the portal configuration to edit.
2. Select the Agent tab and either select an existing configuration or Add a new configuration to deploy to the test users/group.
3. On the User/User Group tab, click Add in the User/User Group section and then select the user or group who will be testing the agent.
4. In the OS section, select the app you are testing (iOS, Android, or Windows UWP).
5. (Optional) Select the agent configuration you just created/modified and click Move Up so that it is before any more generic configurations you have created.
6. Commit the changes.

Step 2  From the mobile device, follow the prompts to download and install the app.
On Android devices, search for the app on Google Play.
On iOS devices, search for the app at the App Store.
On Windows 10 UWP devices, search for the app at the Microsoft Store.

Step 3  Launch the app.
When successfully installed, the GlobalProtect app icon displays on the device's Home screen. To launch the app, tap the icon. When prompted to enable GlobalProtect VPN functionality, tap OK.


Step 4  Connect to the portal.
1. When prompted, enter the Portal name or address, Username, and Password. The portal name must be an FQDN and it should not include the https:// at the beginning.
2. Tap Connect and verify that the app successfully establishes a VPN connection to GlobalProtect.
Note: If a third-party mobile endpoint management system is configured, the app will prompt you to enroll.


Download and Install the GlobalProtect App for Chrome OS

The GlobalProtect app for Chrome OS provides a simple way to extend the enterprise security policies out to Chromebooks. As with other remote hosts running the GlobalProtect agent, the app provides secure access to your corporate network over an IPSec or SSL VPN tunnel. After the user initiates a connection, the app will connect to the gateway that is closest to the end user's current location. In addition, traffic to and from the Chromebook is automatically subject to the same security policy enforcement as other hosts on your corporate network. Like the GlobalProtect agent, the app collects information about the host configuration and can use this information for enhanced HIP-based security policy enforcement.

Use the following procedures to install and test the GlobalProtect app for Chrome OS.
- Install the GlobalProtect App from the Chrome Web Store
- Deploy the GlobalProtect App Using the Chromebook Management Console
- Test the GlobalProtect app for Chrome OS

Install the GlobalProtect App from the Chrome Web Store

You can install the GlobalProtect app on a Chromebook by downloading the app from the Chrome Web Store. As an alternative you can Deploy the GlobalProtect App Using the Chromebook Management Console.

Install the GlobalProtect App from the Chrome Web Store

Step 1  Create an agent configuration for testing the app installation.
Note: As a best practice, create an agent configuration that is limited to a small group of users, such as administrators in the IT department who are responsible for administering the firewall.
1. Select Network > GlobalProtect > Portals and select the portal configuration to edit.
2. Select the Agent tab and either select an existing configuration or Add a new configuration to deploy to the test users/group.
3. On the User/User Group tab, click Add in the User/User Group section and then select the user or group that will test the agent.
4. In the OS area, select the app you are testing (Chrome) and click OK.
5. (Optional) Select the agent configuration you just created or modified and click Move Up so that it is before any more generic configurations you have created.
6. Commit the changes.

Step 2  Install the GlobalProtect app for Chrome OS.
You can also force-install the app on managed Chromebooks using the Chromebook Management Console. See Deploy the GlobalProtect App Using the Chromebook Management Console.
1. From the Chromebook, search for the app in the Chrome Web Store or go directly to the GlobalProtect app page.
2. Click Add to Chrome and then follow the prompts to download and install the app.

Step 3  Launch the app.
When successfully installed, the Chrome App Launcher displays the GlobalProtect app icon in the list of apps. To launch the app, click the icon.

Step 4  Configure the portal.
1. When prompted, enter the IP address or FQDN of the Portal. The portal should not include the https:// at the beginning.
2. Click Add Connection to add the GlobalProtect VPN configuration.
The app displays the home screen after it adds the VPN configuration to the Internet connection settings of your Chromebook but does not initiate a connection.

Step 5  Test the connection.
Test the GlobalProtect app for Chrome OS

Deploy the GlobalProtect App Using the Chromebook Management Console

The Chromebook Management Console enables you to manage Chromebook settings and apps from a central, web-based location. From the console, you can deploy the GlobalProtect app to Chromebooks and customize VPN settings.

Use the following workflow to manage policies and settings for the GlobalProtect app for Chrome OS:

Configure the GlobalProtect App Using the Chromebook Management Console

Step 1  View the user settings for the GlobalProtect app.
1. From the Chromebook Management Console, select Device management > Chrome management > App management.
   The console displays the list of apps configured in all organization (org) units in your domain and displays the status of each app. Click an app Status to display the org units to which that status is applied.
2. Select the GlobalProtect app and then select User settings.
   Note: If the app is not present, SEARCH for GlobalProtect in the Chrome Web Store.


Step2 Configurepoliciesandsettingsfor 1. Selecttheorgunitwhereyouwanttoconfiguresettingsand


everyoneinanorgunit. configureanyofthefollowingoptions:
Selectingthetoplevelorgunitappliessettingsto
everyoneinthatunit;selectingachildorgunitapplies
settingsonlytouserswithinthatchildorgunit.
Allow installationAllowusersinstallthisappfromthe
ChromeWebStore.Bydefault,anorgunitinheritsthe
settingsofitsparentorganization.Tooverridethedefault
settings,selectInherit,whichtogglestheOverridesetting.
Force installationInstallthisappautomaticallyand
preventsusersfromremovingit.
Pin to taskbarIftheappisinstalled,pintheapptothe
taskbar(inChromeOSonly).
Add to Chrome Web Store collectionRecommendthis
apptoyourusersintheChromeWebStore.
2. Ifyouhavenotalreadydoneso,createatextfileinJSON
formatthatusesthefollowingsyntaxandincludestheFQDN
orIPaddressofyourGlobalProtectportal:
{
"PortalAddress": {
"Value": "192.0.2.191"
}
}
3. OntheUser settingspage,selectUPLOAD CONFIGURATION
FILEandthenBrowsetotheGlobalProtectsettingsfile.
4. SAVEyourchanges.Settingstypicallytakeeffectwithin
minutes,butitmighttakeuptoanhourtopropagatethrough
yourorganization.

Step3 Testtheconnection. AfterChromeManagementConsolesuccessfullydeploystheapp,


TesttheGlobalProtectappforChromeOS

Test the GlobalProtect app for Chrome OS

Use the GlobalProtect app to view status and other information about the app, to collect logs, or to reset the VPN connection settings. After you install and configure the app, it is not necessary to open the app to establish a VPN connection. Instead, you can connect by selecting the portal from the VPN settings on the Chromebook.

Test the GlobalProtect App for Chrome OS

Step 1 Log in to GlobalProtect.
  1. Click the status area at the bottom right corner of the Chromebook.
  2. Select VPN disconnected and then select the portal that you entered when configuring the GlobalProtect VPN settings. To view VPN settings before connecting, select the portal from Settings > Private network, and then click Connect.
  3. Enter the Username and Password for the portal and click Connect. Repeat this step to enter the Username and Password for the gateway. If authentication is successful, GlobalProtect connects you to your corporate network. If enabled, the GlobalProtect welcome page is displayed.

Step 2 View the connection status. When the app is connected, the status area displays the VPN icon along the bottom of the Wi-Fi icon.
  To view the portal to which you are connected, click the status area.
  To view additional information about the connection, including the gateway to which you are connected, launch the GlobalProtect app. The main page displays connection information and (if applicable) any errors or warnings.

Deploy Agent Settings Transparently

As an alternative to deploying agent settings from the portal configuration, you can define them directly from the Windows registry or global Mac plist or, on Windows clients only, using the Windows Installer (Msiexec). The benefit is that it enables deployment of GlobalProtect agent settings to endpoints prior to their first connection to the GlobalProtect portal.
Settings defined in the portal configuration always override settings defined in the Windows registry or Mac plist. So if you define settings in the registry or plist, but the portal configuration specifies different settings, the settings the agent receives from the portal will override the settings defined on the client. This override also applies to login-related settings, such as whether to connect on demand, whether to use single sign-on (SSO), and whether the agent can connect if the portal certificate is invalid. Therefore, you should avoid conflicting settings. In addition, the portal configuration is cached on the endpoint, and that cached configuration is used any time the GlobalProtect agent is restarted or the client machine is rebooted.
The following sections describe the customizable agent settings available and how to deploy these settings transparently to Windows and Mac clients:
Customizable Agent Settings
Deploy Agent Settings to Windows Clients
Deploy Agent Settings to Mac Clients

In addition to using the Windows registry and Mac plist to deploy GlobalProtect agent settings, you can enable the GlobalProtect agent to collect specific Windows registry or Mac plist information from clients, including data on applications installed on the clients, processes running on the clients, and attributes or properties of those applications and processes. You can then monitor the data and add it to a security rule as matching criteria. Device traffic that matches registry settings you have defined can be enforced according to the security rule. Additionally, you can set up custom checks to Collect Application and Process Data From Clients.

Customizable Agent Settings

In addition to pre-deploying the portal address, you can also define the agent configuration settings. To Deploy Agent Settings to Windows Clients you define keys in the Windows registry (HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect), or, to Deploy Agent Settings to Mac Clients you define entries in the PanSetup dictionary of the Mac plist (/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist). On Windows clients only, you can also use the Windows Installer to Deploy Agent Settings from Msiexec.
Table: Customizable Agent Behavior Options describes each customizable agent setting. Settings defined in the GlobalProtect portal agent configuration take precedence over settings defined in the Windows registry or the Mac plist.

Some settings do not have a corresponding portal configuration setting on the web interface, and must be configured using the Windows registry or Msiexec. These additional settings include: can-prompt-user-credential, wrap-cp-guid, and filter-non-gpcp.

Agent Display Options
User Behavior Options
Agent Behavior Options
Script Deployment Options

Agent Display Options

The following table lists the options that you can configure in the Windows registry and Mac plist to customize the display of the GlobalProtect agent.

Table: Customizable Agent Settings
(Each entry lists the portal agent configuration name, the Windows registry / Mac plist key and its values, the Msiexec parameter, and the default.)

Enable Advanced View
  Registry/Plist: enable-advanced-view yes | no
  Msiexec: ENABLEADVANCEDVIEW=yes | no
  Default: yes

Display GlobalProtect Icon
  Registry/Plist: show-agent-icon yes | no
  Msiexec: SHOWAGENTICON=yes | no
  Default: yes

Enable Rediscover Network Option
  Registry/Plist: rediscover-network yes | no
  Msiexec: REDISCOVERNETWORK=yes | no
  Default: yes

Enable Resubmit Host Profile Option
  Registry/Plist: resubmit-host-info yes | no
  Msiexec: RESUBMITHOSTINFO=yes | no
  Default: yes

Show System Tray Notifications
  Registry/Plist: show-system-tray-notifications yes | no
  Msiexec: SHOWSYSTEMTRAYNOTIFICATIONS=yes | no
  Default: yes

User Behavior Options

The following table lists the options that you can configure in the Windows registry and Mac plist to customize how the user can interact with the GlobalProtect agent.

Table: Customizable User Behavior Options
(Each entry lists the portal agent configuration name, the Windows registry / Mac plist key and its values, the Msiexec parameter, and the default.)

Allow User to Change Portal Address
  Registry/Plist: can-change-portal yes | no
  Msiexec: CANCHANGEPORTAL=yes | no
  Default: yes

Allow User to Dismiss Welcome Page
  Registry/Plist: enable-hide-welcome-page yes | no
  Msiexec: ENABLEHIDEWELCOMEPAGE=yes | no
  Default: yes

Allow User to Continue with Invalid Portal Server Certificate
  Registry/Plist: can-continue-if-portal-cert-invalid yes | no
  Msiexec: CANCONTINUEIFPORTALCERTINVALID=yes | no
  Default: yes

Allow User to Disable GlobalProtect App
  Registry/Plist: disable-allowed yes | no
  Msiexec: DISABLEALLOWED="yes | no"
  Default: no

Save User Credentials
  Specify a 0 to prevent GlobalProtect from saving credentials, a 1 to save both username and password, or a 2 to save the username only.
  Registry/Plist: save-user-credentials 0 | 1 | 2
  Msiexec: SAVEUSERCREDENTIALS=0 | 1 | 2

Not in portal
  The Allow user to save password setting is deprecated in the web interface in PAN-OS 7.1 and later releases but is configurable from the Windows registry and Mac plist. Any value specified in the Save User Credentials field overwrites a value specified here.
  Registry/Plist: can-save-password yes | no
  Msiexec: CANSAVEPASSWORD=yes | no
  Default: yes

Agent Behavior Options

The following table lists the options that you can configure in the Windows registry and Mac plist to customize the behavior of the GlobalProtect agent.

Table: Customizable Agent Behavior Options
(Each entry lists the portal agent configuration name, the Windows registry / Mac plist key and its values, the Msiexec parameter, and the default.)

Connect Method
  Registry/Plist: connect-method on-demand | pre-logon | user-logon
  Msiexec: CONNECTMETHOD=on-demand | pre-logon | user-logon
  Default: user-logon

GlobalProtect App Config Refresh Interval (hours)
  Registry/Plist: refresh-config-interval <hours>
  Msiexec: REFRESHCONFIGINTERVAL=<hours>
  Default: 24

Update DNS Settings at Connect (Windows Only)
  Registry/Plist: flushdns yes | no
  Msiexec: FLUSHDNS=yes | no
  Default: no

Send HIP Report Immediately if Windows Security Center (WSC) State Changes (Windows Only)
  Registry/Plist: wscautodetect yes | no
  Msiexec: WSCAUTODETECT=yes | no
  Default: no

Detect Proxy for Each Connection (Windows Only)
  Registry/Plist: ProxyMultipleAutoDetection yes | no
  Msiexec: PROXYMULTIPLEAUTODETECTION=yes | no
  Default: no

Clear Single Sign-On Credentials on Logout (Windows Only)
  Registry/Plist: LogoutRemoveSSO yes | no
  Msiexec: LOGOUTREMOVESSO=yes | no
  Default: yes

Use Default Authentication on Kerberos Authentication Failure (Windows Only)
  Registry/Plist: krb-auth-fail-fallback yes | no
  Msiexec: KRBAUTHFAILFALLBACK=yes | no
  Default: no

Custom Password Expiration Message (LDAP Authentication Only)
  Registry/Plist: PasswordExpiryMessage <message>
  Msiexec: PASSWORDEXPIRYMESSAGE=<message>

Portal Connection Timeout (sec)
  Registry/Plist: PortalTimeout <portaltimeout>
  Msiexec: PORTALTIMEOUT=<portaltimeout>
  Default: 30

TCP Connection Timeout (sec)
  Registry/Plist: ConnectTimeout <portaltimeout>
  Msiexec: CONNECTTIMEOUT=<portaltimeout>
  Default: 60

TCP Receive Timeout (sec)
  Registry/Plist: ReceiveTimeout <portaltimeout>
  Msiexec: RECEIVETIMEOUT=<portaltimeout>
  Default: 30

Client Certificate Store Lookup
  Registry/Plist: certificate-store-lookup user | machine | user and machine | invalid
  Msiexec: CERTIFICATESTORELOOKUP="user | machine | user and machine | invalid"
  Default: user and machine

SCEP Certificate Renewal Period (days)
  Registry/Plist: scep-certificate-renewal-period <renewalPeriod>
  Msiexec: n/a
  Default: 7

Maximum Internal Gateway Connection Attempts
  Registry/Plist: max-internal-gateway-connection-attempts <maxValue>
  Msiexec: MIGCA="<maxValue>"
  Default: 0

Extended Key Usage OID for Client Certificate
  Registry/Plist: ext-key-usage-oid-for-client-cert <oidValue>
  Msiexec: EXTCERTOID=<oidValue>
  Default: n/a

User Switch Tunnel Rename Timeout (sec)
  Registry/Plist: user-switch-tunnel-rename-timeout <renameTimeout>
  Msiexec: n/a
  Default: 0

Use Single Sign-On (Windows Only)
  Registry/Plist: use-sso yes | no
  Msiexec: USESSO="yes | no"
  Default: yes

Not in portal
  This setting specifies the default portal IP address (or hostname).
  Registry/Plist: portal <IPaddress>
  Msiexec: PORTAL="<IPaddress>"
  Default: n/a

Not in portal
  This setting enables GlobalProtect to initiate a VPN tunnel before a user logs in to the device and connects to the GlobalProtect portal.
  Registry/Plist: prelogon 1
  Msiexec: PRELOGON="1"
  Default: 1

Windows only / Not in portal
  This setting is used in conjunction with single sign-on (SSO) and indicates whether or not to prompt the user for credentials if SSO fails.
  Registry/Plist: can-prompt-user-credential yes | no
  Msiexec: CANPROMPTUSERCREDENTIAL=yes | no
  Default: yes

Windows only / Not in portal
  This setting filters the third-party credential provider's tile from the Windows login page so that only the native Windows tile is displayed.*
  Registry/Plist: wrap-cp-guid {third party credential provider guid}
  Msiexec: WRAPCPGUID={guid_value} FILTERNONGPCP=yes | no
  Default: no

Windows only / Not in portal
  This setting is an additional option for the setting wrap-cp-guid, and allows the third-party credential provider tile to be displayed on the Windows login page, in addition to the native Windows logon tile.*
  Registry/Plist: filter-non-gpcp no
  Msiexec: n/a
  Default: n/a

* For detailed steps to enable these settings using the Windows registry or Windows Installer (Msiexec), see SSO Wrapping for Third-Party Credential Providers on Windows Clients.

Script Deployment Options

The following table displays options that enable GlobalProtect to initiate scripts before and after establishing a VPN tunnel and before disconnecting a VPN tunnel. Because these options are not available in the portal, you must define the values for the relevant key (pre-vpn-connect, post-vpn-connect, or pre-vpn-disconnect) from the Windows registry or Mac plist. For detailed steps to deploy scripts, see Deploy Scripts Using the Windows Registry, Deploy Scripts Using Msiexec, or Deploy Scripts Using the Mac Plist.

Table: Customizable Script Deployment Options
(Each entry lists the purpose of the setting, the Windows registry / Mac plist key and its values, the Msiexec parameters for the pre-connect, post-connect, and pre-disconnect events, and the default.)

Execute the script specified in the command setting (including any parameters passed to the script). Environment variables are supported. Specify the full path in commands.
  Registry/Plist: command <parameter1> <parameter2> [...]
    Windows example: command %userprofile%\vpn_script.bat c: test_user
    Mac example: command $HOME/vpn_script.sh /Users/test_user test_user
  Msiexec: PREVPNCONNECTCOMMAND=<parameter1> <parameter2> [...]
           POSTVPNCONNECTCOMMAND=<parameter1> <parameter2> [...]
           PREVPNDISCONNECTCOMMAND=<parameter1> <parameter2> [...]
  Default: n/a

(Optional) Specify the privileges under which the command(s) can run (default is user: if you do not specify the context, the command runs as the current active user).
  Registry/Plist: context admin | user
  Msiexec: PREVPNCONNECTCONTEXT=admin | user
           POSTVPNCONNECTCONTEXT=admin | user
           PREVPNDISCONNECTCONTEXT=admin | user
  Default: user

(Optional) Specify the number of seconds the GlobalProtect client waits for the command to execute (the range is 0 to 120). If the command does not complete before the timeout, the client proceeds to establish or disconnect from the VPN tunnel. A value of 0 (the default) means the client will not wait to execute the command. Not supported for post-vpn-connect.
  Registry/Plist: timeout <value>
    Example: timeout 60
  Msiexec: PREVPNCONNECTTIMEOUT=<value>
           POSTVPNCONNECTTIMEOUT=<value>
           PREVPNDISCONNECTTIMEOUT=<value>
  Default: 0

(Optional) Specify the full path of a file used in a command. The GlobalProtect client will verify the integrity of the file by checking it against the value specified in the checksum key. Environment variables are supported.
  Registry/Plist: file <path_file>
  Msiexec: PREVPNCONNECTFILE=<path_file>
           POSTVPNCONNECTFILE=<path_file>
           PREVPNDISCONNECTFILE=<path_file>
  Default: n/a

(Optional) Specify the SHA-256 checksum of the file referred to in the file key. If the checksum is specified, the GlobalProtect client executes the command(s) only if the checksum generated by the GlobalProtect client matches the checksum value specified here.
  Registry/Plist: checksum <value>
  Msiexec: PREVPNCONNECTCHECKSUM=<value>
           POSTVPNCONNECTCHECKSUM=<value>
           PREVPNDISCONNECTCHECKSUM=<value>
  Default: n/a

(Optional) Specify an error message to inform the user that the command(s) cannot execute or if the command(s) exited with a non-zero return code. The message must be 1,024 or fewer ANSI characters.
  Registry/Plist: error-msg <message>
    Example: error-msg Failed executing pre-vpn-connect action!
  Msiexec: PREVPNCONNECTERRORMSG=<message>
           POSTVPNCONNECTERRORMSG=<message>
           PREVPNDISCONNECTERRORMSG=<message>
  Default: n/a

Deploy Agent Settings to Windows Clients

Use the Windows registry or the Windows Installer (Msiexec) to deploy the GlobalProtect agent and settings to Windows clients transparently.
Deploy Agent Settings in the Windows Registry
Deploy Agent Settings from Msiexec
Deploy Scripts Using the Windows Registry
Windows OS Batch Script Examples
Example: Exclude Traffic from the VPN Tunnel on Windows Endpoints
Example: Mount a Network Share on Windows Endpoints
Deploy Scripts Using Msiexec
Example: Use Msiexec to Deploy Scripts that Run Before a Connect Event
Example: Use Msiexec to Deploy Scripts that Run at Pre-Connect, Post-Connect, and Pre-Disconnect Events
SSO Wrapping for Third-Party Credential Providers on Windows Clients
Enable SSO Wrapping for Third-Party Credentials with the Windows Registry
Enable SSO Wrapping for Third-Party Credentials with the Windows Installer

Deploy Agent Settings in the Windows Registry

You can enable deployment of GlobalProtect agent settings to Windows clients prior to their first connection to the GlobalProtect portal by using the Windows registry. Use the options described in the following table to begin using the Windows registry to customize agent settings for Windows clients.

In addition to using the Windows registry to deploy GlobalProtect agent settings, you can enable the GlobalProtect agent to collect specific Windows registry information from Windows clients. You can then monitor the data and add it to a security rule as matching criteria. Device traffic that matches registry settings you have defined can be enforced according to the security rule. Additionally, you can set up custom checks to Collect Application and Process Data From Clients.

Use the Windows Registry to Deploy GlobalProtect Agent Settings

Locate the GlobalProtect agent customization settings in the Windows registry.
  Open the Windows registry (enter regedit at the command prompt) and go to:
  HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\

Set the portal name.
  If you do not want the user to manually enter the portal address even for the first connection, you can pre-deploy the portal address through the Windows registry (HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup with key Portal).

Deploy various settings to the Windows client from the Windows registry, including configuring the connect method for the GlobalProtect agent and enabling single sign-on (SSO).
  View Table: Customizable Agent Behavior Options for a full list of the commands and values you can set up using the Windows registry.

Enable the GlobalProtect agent to wrap third-party credentials on the Windows client, allowing for SSO when using a third-party credential provider.
  Enable SSO Wrapping for Third-Party Credentials with the Windows Registry.

Deploy Agent Settings from Msiexec

On Windows endpoints, you have the option to deploy the agent and the settings automatically from the Windows Installer (Msiexec) by using the following syntax:
msiexec.exe /i GlobalProtect.msi <SETTING>="<value>"

Msiexec is an executable program that installs or configures a product from the command line. On systems running Microsoft Windows XP or a later OS, the maximum length of the string that you can use at the command prompt is 8,191 characters.

Msiexec Examples

msiexec.exe /i GlobalProtect.msi /quiet PORTAL=portal.acme.com
  Install GlobalProtect in quiet mode (no user interaction) and configure the portal address.

msiexec.exe /i GlobalProtect.msi CANCONTINUEIFPORTALCERTINVALID=no
  Install GlobalProtect with the option to prevent users from connecting to the portal if the certificate is not valid.

For a complete list of settings and the corresponding default values, see Table: Customizable Agent Behavior Options.

To set up the GlobalProtect agent to wrap third-party credentials on a Windows client from Msiexec, see Enable SSO Wrapping for Third-Party Credentials with the Windows Installer.

Deploy Scripts Using the Windows Registry

You can enable deployment of custom scripts to Windows endpoints using the Windows registry.
You can configure the GlobalProtect agent to initiate and run a script for any or all of the following events: before and after establishing the tunnel, and before disconnecting the tunnel. To run the script at a particular event, reference the batch script from a command registry entry for that event.
Depending on the configuration settings, the GlobalProtect agent can run a script before and after the agent establishes a VPN tunnel with the gateway, and before the agent disconnects from the VPN tunnel. Use the following workflow to get started using the Windows registry to customize agent settings for Windows clients.

The registry settings that enable you to deploy scripts are supported in GlobalProtect clients running GlobalProtect agent 2.3 and later releases.

Deploy Scripts in the Windows Registry

Step 1 Open the Windows registry, and locate the GlobalProtect agent customization settings.
  Open the Windows registry (enter regedit in the command prompt) and go to the location of the key depending on when you want to execute scripts (pre/post connect or pre-disconnect):
  HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\pre-vpn-connect
  HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\post-vpn-connect
  HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\pre-vpn-disconnect
  If the key does not exist within the Settings key, create it (right-click Settings and select New > Key).

Step 2 Enable the GlobalProtect agent to run scripts by creating a new String Value named command.
  The batch file specified here should contain the specific script (including any parameters passed to the script) that you want run on the device. For examples, see Windows OS Batch Script Examples.
  1. If the command string does not already exist, create it (right-click the pre-vpn-connect, post-vpn-connect, or pre-vpn-disconnect key, select New > String Value, and name it command).
  2. Right-click command and select Modify.
  3. Enter the commands or script that the GlobalProtect agent should run. For example:
     %userprofile%\pre_vpn_connect.bat c: test_user

Step 3 (Optional) Add additional registry entries as needed for each command.
  Create or modify registry strings and their corresponding values, including context, timeout, file, checksum, or error-msg. For additional information, see Customizable Agent Settings.

Windows OS Batch Script Examples

You can configure the GlobalProtect agent to initiate and run a script for any or all of the following events: before and after establishing the tunnel, and before disconnecting the tunnel. To run the script at a particular event, reference the batch script from a command registry entry for that event. The following topics show examples of scripts you can run on Windows systems at pre-connect, post-connect, and pre-disconnect events:

Example: Exclude Traffic from the VPN Tunnel on Windows Endpoints

To exclude traffic from the VPN tunnel after establishing the VPN connection, reference the following script from a command registry entry for a post-vpn-connect event. This enables you to selectively exclude routes and to send all other traffic through the VPN tunnel.

As a best practice, delete any exclude network routes that were previously added before adding the new exclude routes. In most cases, when a user moves between networks (such as when switching between Wi-Fi and a local network) the old network routes are automatically deleted. In the event that the old network routes persist, following this best practice ensures that traffic destined for the exclude routes will go through the gateway of the new network instead of the gateway of the old network.

For a script that you can copy and paste, go here.

@echo off
REM Run this script (route_exclude) post-vpn-connect.
REM Add exclude routes. This allows traffic to these networks and hosts to go directly and not use the tunnel.
REM Syntax: route_exclude <network1> <mask1> <network2> <mask2> ... <networkN> <maskN>
REM Example-1: route_exclude 10.0.0.0 255.0.0.0
REM Example-2: route_exclude 10.0.0.0 255.0.0.0 192.168.17.0 255.255.255.0
REM Example-3: route_exclude 10.0.0.0 255.0.0.0 192.168.17.0 255.255.255.0 192.168.24.25 255.255.255.255

REM Initialize 'DefaultGateway'
set "DefaultGateway="

REM Use the route print command and find the default gateway on the endpoint:
REM the third token of the 0.0.0.0 route line; only the first match is kept.
@For /f "tokens=3" %%G in (
    'route.exe print ^|findstr "\<0.0.0.0\>"'
) Do if not defined DefaultGateway Set "DefaultGateway=%%G"

REM Use the route add command to add the exclude routes. Each network is first
REM deleted so that a stale route from a previous network does not persist.
:add_route
if "%1"=="" goto end
route delete %1
route add %1 mask %2 %DefaultGateway%
shift
shift
goto add_route
:end

Example: Mount a Network Share on Windows Endpoints

To mount a network share after establishing a VPN connection, reference the following script from a command registry entry for a post-vpn-connect event:
@echo off
REM Mount filer1 to Z: drive
net use Z: \\filer1.mycompany.local\share /user:mycompany\user1

Deploy Scripts Using Msiexec

On Windows clients, you can use the Windows Installer (Msiexec) to deploy the agent, agent settings, and scripts that the agent will run automatically (see Customizable Agent Settings). To do so, use the following syntax:
msiexec.exe /i GlobalProtect.msi <SETTING>="<value>"

Msiexec is an executable program that installs or configures a product from a command line. On systems running Microsoft Windows XP or a later release, the maximum length of the string that you can use at the command prompt is 8,191 characters.
This limitation applies to the command line, individual environment variables (such as the USERPROFILE variable) that are inherited by other processes, and all environment variable expansions. If you run batch files from the command line, this limitation also applies to batch file processing.

For example, to deploy scripts that run at specific connect or disconnect events, you can use syntax similar to the following examples:
Example: Use Msiexec to Deploy Scripts that Run Before a Connect Event
Example: Use Msiexec to Deploy Scripts that Run at Pre-Connect, Post-Connect, and Pre-Disconnect Events

Example: Use Msiexec to Deploy Scripts that Run Before a Connect Event

For a script that you can copy and paste, go here. The parameters are entered on a single command line; they are shown on separate lines here for readability.

msiexec.exe /i GlobalProtect.msi
PREVPNCONNECTCOMMAND="%userprofile%\pre_vpn_connect.bat c: test_user"
PREVPNCONNECTCONTEXT="user"
PREVPNCONNECTTIMEOUT="60"
PREVPNCONNECTFILE="C:\Users\test_user\pre_vpn_connect.bat"
PREVPNCONNECTCHECKSUM="a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599"
PREVPNCONNECTERRORMSG="Failed executing pre-vpn-connect action."

For a complete list of settings and the corresponding default values, see Customizable Agent Settings. Or, for examples of batch scripts, see Windows OS Batch Script Examples.

Example: Use Msiexec to Deploy Scripts that Run at Pre-Connect, Post-Connect, and Pre-Disconnect Events

For a script that you can copy and paste, go here. The parameters are entered on a single command line; they are shown on separate lines here for readability.

msiexec.exe /i GlobalProtect.msi
PREVPNCONNECTCOMMAND="%userprofile%\pre_vpn_connect.bat c: test_user"
PREVPNCONNECTCONTEXT="user"
PREVPNCONNECTTIMEOUT="60"
PREVPNCONNECTFILE="C:\Users\test_user\pre_vpn_connect.bat"
PREVPNCONNECTCHECKSUM="a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599"
PREVPNCONNECTERRORMSG="Failed executing pre-vpn-connect action."
POSTVPNCONNECTCOMMAND="c:\users\test_user\post_vpn_connect.bat c: test_user"
POSTVPNCONNECTCONTEXT="admin"
POSTVPNCONNECTFILE="%userprofile%\post_vpn_connect.bat"
POSTVPNCONNECTCHECKSUM="b48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf598"
POSTVPNCONNECTERRORMSG="Failed executing post-vpn-connect action."
PREVPNDISCONNECTCOMMAND="%userprofile%\pre_vpn_disconnect.bat c: test_user"
PREVPNDISCONNECTCONTEXT="admin"
PREVPNDISCONNECTTIMEOUT="0"
PREVPNDISCONNECTFILE="C:\Users\test_user\pre_vpn_disconnect.bat"
PREVPNDISCONNECTCHECKSUM="c48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf597"
PREVPNDISCONNECTERRORMSG="Failed executing pre-vpn-disconnect action."

For a complete list of settings and the corresponding default values, see Customizable Agent Settings. Or, for examples of batch scripts, see Windows OS Batch Script Examples.
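The registry procedure in Deploy Scripts Using the Windows Registry and the Msiexec examples above carry the same six script settings (command, context, timeout, file, checksum, error-msg) in two different encodings, and the checksum value has to be computed from the script file that is actually shipped. The following Python script is an added example, not Palo Alto Networks code: it validates one event's settings against the constraints stated in Table: Customizable Script Deployment Options, computes the SHA-256 checksum of a script body, and renders the settings both as a .reg fragment (for import into the per-event subkey under Settings) and as one msiexec command line checked against the 8,191-character limit. The registry path, key names and Msiexec parameter names come from this guide; the sample script body, paths, arguments and message are constructed for the example.

```python
"""Render GlobalProtect script-deployment settings as a .reg fragment and as
an msiexec command line, with the checksum computed from the script body.

Added example; not Palo Alto Networks code. The registry key, value names and
Msiexec parameter names follow the guide's script deployment table; the sample
script body, paths, arguments and messages are constructed.
"""
import hashlib
from typing import Dict, Tuple

# Per-event subkeys under Settings and the prefix of their Msiexec parameters.
EVENTS = {
    "pre-vpn-connect": "PREVPNCONNECT",
    "post-vpn-connect": "POSTVPNCONNECT",
    "pre-vpn-disconnect": "PREVPNDISCONNECT",
}
SETTINGS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings"
# Registry value name -> Msiexec parameter suffix, in the order the table lists them.
FIELDS = [("command", "COMMAND"), ("context", "CONTEXT"), ("timeout", "TIMEOUT"),
          ("file", "FILE"), ("checksum", "CHECKSUM"), ("error-msg", "ERRORMSG")]
MSIEXEC_MAX_LEN = 8191  # command-prompt limit stated in the guide


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a script body: the value to place in the checksum key."""
    return hashlib.sha256(data).hexdigest()


def validate(event: str, settings: Dict[str, str]) -> None:
    """Raise ValueError for settings that violate the constraints in the table."""
    if event not in EVENTS:
        raise ValueError(f"unknown event {event!r}")
    if "command" not in settings:
        raise ValueError("command is required")
    unknown = set(settings) - {name for name, _ in FIELDS}
    if unknown:
        raise ValueError(f"unsupported keys: {sorted(unknown)}")
    if settings.get("context", "user") not in ("admin", "user"):
        raise ValueError("context must be admin or user")
    if "timeout" in settings:
        if event == "post-vpn-connect":
            raise ValueError("timeout is not supported for post-vpn-connect")
        if not settings["timeout"].isdigit() or not 0 <= int(settings["timeout"]) <= 120:
            raise ValueError("timeout must be an integer from 0 to 120")
    if "checksum" in settings:
        if "file" not in settings:
            raise ValueError("checksum requires the file key")
        digest = settings["checksum"]
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError("checksum must be a 64-hex-digit SHA-256 value")
    if len(settings.get("error-msg", "")) > 1024:
        raise ValueError("error-msg must be 1,024 characters or fewer")
    for value in settings.values():
        if '"' in value:  # example restriction: keeps the msiexec quoting unambiguous
            raise ValueError("double quotes are not allowed in values")


def is_valid(event: str, settings: Dict[str, str]) -> bool:
    """True when validate() accepts the settings."""
    try:
        validate(event, settings)
        return True
    except ValueError:
        return False


def reg_escape(value: str) -> str:
    """Escape string data for a .reg file (backslash and double quote)."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def render_reg(event: str, settings: Dict[str, str]) -> str:
    """Return a .reg fragment that creates the event subkey and its String Values."""
    validate(event, settings)
    lines = ["Windows Registry Editor Version 5.00", "", f"[{SETTINGS_KEY}\\{event}]"]
    for name, _ in FIELDS:
        if name in settings:
            lines.append(f'"{name}"="{reg_escape(settings[name])}"')
    return "\n".join(lines) + "\n"


def render_msiexec(msi: str, per_event: Dict[str, Dict[str, str]]) -> str:
    """Return one msiexec command line carrying the settings for each event."""
    parts = [f"msiexec.exe /i {msi}"]
    for event, settings in per_event.items():
        validate(event, settings)
        for name, suffix in FIELDS:
            if name in settings:
                parts.append(f'{EVENTS[event]}{suffix}="{settings[name]}"')
    command_line = " ".join(parts)
    if len(command_line) > MSIEXEC_MAX_LEN:
        raise ValueError(f"command line exceeds {MSIEXEC_MAX_LEN} characters")
    return command_line


# Constructed sample script body standing in for the file shipped to the endpoint.
SAMPLE_SCRIPT = b"@echo off\r\nREM constructed pre-connect script\r\nexit /b 0\r\n"


def build_example() -> Tuple[str, str]:
    """Settings for a pre-vpn-connect script, rendered as .reg text and as msiexec."""
    settings = {
        "command": r"%userprofile%\pre_vpn_connect.bat c: test_user",
        "context": "user",
        "timeout": "60",
        "file": r"C:\Users\test_user\pre_vpn_connect.bat",
        "checksum": sha256_hex(SAMPLE_SCRIPT),
        "error-msg": "Failed executing pre-vpn-connect action.",
    }
    reg_text = render_reg("pre-vpn-connect", settings)
    msiexec_line = render_msiexec("GlobalProtect.msi", {"pre-vpn-connect": settings})
    return reg_text, msiexec_line


if __name__ == "__main__":
    reg, cmd = build_example()
    print(reg)
    print(cmd)
```

The checksum should always be computed from the exact bytes placed at the path in the file key; because the agent only runs the command when its own digest of that file matches, regenerating the .reg fragment or msiexec line whenever the script changes keeps the deployment from silently failing at the next connect event.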

SSO Wrapping for Third-Party Credential Providers on Windows Clients

On Windows 7 and Windows Vista clients, the GlobalProtect agent utilizes the Microsoft credential provider framework to support single sign-on (SSO). With SSO, the GlobalProtect credential provider wraps the Windows native credential provider, which enables GlobalProtect to use Windows login credentials to automatically authenticate and connect to the GlobalProtect portal and gateway.
In some scenarios when other third-party credential providers also exist on the client, the GlobalProtect credential provider is unable to gather a user's Windows login credentials and, as a result, GlobalProtect fails to automatically connect to the GlobalProtect portal and gateway. If SSO fails, you can identify the third-party credential provider and then configure the GlobalProtect agent to wrap those third-party credentials, which enables users to successfully authenticate to Windows, GlobalProtect, and the third-party credential provider all in a single step using only their Windows login credentials when they log in to their Windows system.
Optionally, you can configure Windows to display separate login tiles: one for each third-party credential provider and another for the native Windows login. This is useful when a third-party credential provider adds additional functionality in the login tile that does not apply to GlobalProtect.
Use the Windows registry or the Windows Installer (Msiexec) to allow GlobalProtect to wrap third-party credentials:
Enable SSO Wrapping for Third-Party Credentials with the Windows Registry
Enable SSO Wrapping for Third-Party Credentials with the Windows Installer

GlobalProtect SSO wrapping for third-party credential providers (CPs) is dependent on the third-party CP settings and, in some cases, GlobalProtect SSO wrapping might not work correctly if the third-party CP implementation does not allow GlobalProtect to successfully wrap their CP.

Enable SSO Wrapping for Third-Party Credentials with the Windows Registry

Use the following steps in the Windows registry to enable SSO to wrap third-party credentials on Windows 7 and Windows Vista clients.

Use the Windows Registry to Enable SSO Wrapping for Third-Party Credentials

Step 1 Open the Windows registry and locate the globally unique identifier (GUID) for the third-party credential provider that you want to wrap.
  1. From the command prompt, enter the command regedit to open the Windows registry.
  2. Locate currently installed credential providers at the following location:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
  3. Copy the GUID key for the credential provider that you want to wrap (including the curly brackets { and } on either end of the GUID).

Step 2 Enable SSO wrapping for third-party credential providers by adding the setting wrap-cp-guid to the GlobalProtect registry.
  1. Go to the following Windows registry location:
     HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect
  2. Add a new String Value.
  3. Enter values for the String Value:
     Name: wrap-cp-guid
     Value data: {<third-party credential provider GUID>}
     For the Value data field, the GUID value that you enter must be enclosed with curly brackets: { and }. The following is an example of what a third-party credential provider GUID in the Value data field might look like:
     {A1DA9BCC-9720-4921-8373-A8EC5D48450F}
     For the new String Value, wrap-cp-guid is displayed as the String Value's Name and the GUID is displayed as the Data.

Step 3 Next Steps:
  You can configure SSO wrapping for third-party credential providers successfully by completing steps 1 and 2. With this setup, the native Windows logon tile is displayed to users. Users click the tile and log in to the system with their Windows credentials, and that single login authenticates the users to Windows, GlobalProtect, and the third-party credential provider.
  (Optional) If you want to display two tiles to users at login, the native Windows tile and the tile for the third-party credential provider, continue to Step 4.

Step 4 (Optional) Allow the third-party credential provider tile to be displayed to users at login.
  Add a second String Value with the Name filter-non-gpcp and enter no for the string's Value data.
  With this string value added to the GlobalProtect settings, two login options are presented to users when logging in to their Windows system: the native Windows tile and the third-party credential provider's tile.

Enable SSO Wrapping for Third-Party Credentials with the Windows Installer

Use the following options in the Windows Installer (Msiexec) to enable SSO to wrap third-party credential providers on Windows 7 and Windows Vista clients.

Use the Windows Installer to Enable SSO Wrapping for Third-Party Credentials

Wrap third-party credentials and display the native tile to users at login. Users click the tile and log in to the system with their native Windows credentials, and that single login authenticates users to Windows, GlobalProtect, and the third-party credential provider.
Use the following syntax from the Windows Installer (Msiexec):
msiexec.exe /i GlobalProtect.msi WRAPCPGUID={guid_value} FILTERNONGPCP=yes
In the syntax above, the FILTERNONGPCP parameter simplifies authentication for the user by filtering out the option to log in to the system using the third-party credentials.

If you would like users to have the option to log in with the third-party credentials, use the following syntax from Msiexec:
msiexec.exe /i GlobalProtect.msi WRAPCPGUID={guid_value} FILTERNONGPCP=no
In the syntax above, the FILTERNONGPCP parameter is set to no, so the third-party credential provider's logon tile is not filtered out. In this case, both the native Windows tile and the third-party credential provider tile are displayed to users when logging in to the Windows system.

Deploy Agent Settings to Mac Clients

Use the Mac global plist (property list) file to set GlobalProtect agent customization settings for, or to deploy scripts to, Mac endpoints.
- Deploy Agent Settings in the Mac Plist
- Deploy Scripts Using the Mac Plist
- Mac OS Script Examples
  - Example: Terminate All Established SSH Sessions on Mac Endpoints
  - Example: Mount a Network Share on Mac Endpoints


Deploy Agent Settings in the Mac Plist

You can set the GlobalProtect agent customization settings in the Mac global plist (property list) file. This enables deployment of GlobalProtect agent settings to Mac endpoints prior to their first connection to the GlobalProtect portal.
On Mac systems, plist files are located either in /Library/Preferences or in ~/Library/Preferences. The tilde (~) symbol indicates that the location is in the current user's home folder. The GlobalProtect agent on a Mac client first checks /Library/Preferences for the GlobalProtect plist settings. If the plist does not exist at that location, the GlobalProtect agent searches for plist settings in ~/Library/Preferences.

In addition to using the Mac plist to deploy GlobalProtect agent settings, you can enable the GlobalProtect agent to collect specific Mac plist information from clients. You can then monitor the data and add it to a security rule as matching criteria. Device traffic that matches the settings you have defined can be enforced according to the security rule. Additionally, you can set up custom checks to Collect Application and Process Data From Clients.

Use the Mac Plist to Deploy GlobalProtect Agent Settings

Open the GlobalProtect plist file and locate the GlobalProtect agent customization settings.
        Use Xcode or an alternate plist editor to open the plist file:
        /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
        Then go to:
        /Palo Alto Networks/GlobalProtect/Settings
        If the Settings dictionary does not exist, create it. Then add each key to the Settings dictionary as a string.

Set the portal name.
        If you don't want the user to manually enter the portal address even for the first connection, you can pre-deploy the portal address through the Mac plist. Under the PanSetup dictionary, configure an entry for Portal.

Deploy various settings to the Mac client from the Mac plist, including configuring the connect method for the GlobalProtect agent.
        View Customizable Agent Settings for a full list of the keys and values that you can configure using the Mac plist.


Deploy Scripts Using the Mac Plist

When a user connects to the GlobalProtect gateway for the first time, the GlobalProtect agent downloads a configuration file and stores agent settings in a GlobalProtect Mac property list (plist) file. In addition to making changes to the agent settings, you use the Mac plist to deploy scripts at any or all of the following events: before and after establishing the tunnel, and before disconnecting the tunnel. Use the following workflow to get started using the Mac plist to deploy scripts to Mac endpoints.

The Mac plist settings that enable you to deploy scripts are supported in GlobalProtect clients running GlobalProtect agent 2.3 and later releases.

Deploy Scripts Using the Mac Plist

Step 1  (Clients running Mac OS X 10.9 or a later OS) Flush the settings cache. This prevents the OS from using the cached preferences after making changes to the plist.
        To clear the default preferences cache, run the killall cfprefsd command from a Mac terminal.

Step 2  Open the GlobalProtect plist file, and locate or create the GlobalProtect dictionary associated with the connect or disconnect event. The dictionary under which you add the settings determines when the GlobalProtect agent runs the script(s).
        Use Xcode or an alternate plist editor to open the plist file (/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist) and go to the location of the dictionary:
        /Palo Alto Networks/GlobalProtect/Settings/pre-vpn-connect
        /Palo Alto Networks/GlobalProtect/Settings/post-vpn-connect
        /Palo Alto Networks/GlobalProtect/Settings/pre-vpn-disconnect
        If the Settings dictionary does not exist, create it. Then, in Settings, create a new dictionary for the event or events at which you want to run scripts.

Step 3  Enable the GlobalProtect agent to run scripts by creating a new String named command. The value specified here should reference the shell script (and the parameters to pass to the script) that you want run on your devices. See Mac OS Script Examples.
        If the command string does not already exist, add it to the dictionary and specify the script and parameters in the Value field, for example:
        $HOME\pre_vpn_connect.sh /Users/username username
        Environment variables are supported.
        As a best practice, specify the full path in commands.

Step 4  (Optional) Add additional settings related to the command, including administrator privileges, a timeout value for the script, a checksum value for the script file, and an error message to display if the command fails to execute successfully.
        Create or modify additional strings in the plist (context, timeout, file, checksum, and/or error-msg) and enter their corresponding values. For additional information, see Customizable Agent Settings.

Step 5  Save the changes to the plist file.
        Save the plist.
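The plist layout that the two procedures above describe (the PanSetup Portal entry and the per-event script dictionaries under Settings), as an added example that is not from the guide. It builds and parses the subtree with Python's plistlib; the portal hostname, the script path and SHA-256 as the checksum algorithm are assumptions, so confirm the key semantics against Customizable Agent Settings before deploying.

```python
"""Build the GlobalProtect Mac plist entries described in the procedures above.

Added example, not code from the guide. Assumptions are marked below: the portal
hostname, the script path, and SHA-256 as the algorithm behind the checksum string.
"""
import hashlib
import plistlib

# Event dictionaries the guide names under /Palo Alto Networks/GlobalProtect/Settings.
EVENTS = ("pre-vpn-connect", "post-vpn-connect", "pre-vpn-disconnect")

# Constructed sample values (not from the guide).
PORTAL = "portal.example.com"                       # assumption: placeholder portal address
SCRIPT_PATH = "/usr/local/bin/pre_vpn_connect.sh"   # assumption: full path, per the best practice above
SAMPLE_SCRIPT = b"#!/bin/bash\n# constructed sample pre-vpn-connect script\nexit 0\n"


def script_checksum(script_bytes: bytes) -> str:
    """Digest for the 'checksum' string.

    Assumption: SHA-256 hex. Pinning the script content means the agent does not run
    a script that was modified on the endpoint after the plist was deployed.
    """
    return hashlib.sha256(script_bytes).hexdigest()


def build_event_entry(script_path: str, args=(), script_bytes: bytes = None,
                      timeout: int = 30, error_msg: str = "VPN script failed") -> dict:
    """Return the strings for one event dictionary (for example pre-vpn-connect).

    Every value is a string, as the procedure requires. 'command' holds the script
    path followed by its parameters; 'timeout' and 'error-msg' are the optional
    strings from Step 4 (context and file are left out here; see the guide's table).
    """
    if not script_path.startswith(("/", "$")):
        raise ValueError("specify the full path to the script: " + script_path)
    entry = {
        "command": " ".join([script_path, *args]),
        "timeout": str(timeout),
        "error-msg": error_msg,
    }
    if script_bytes is not None:
        entry["checksum"] = script_checksum(script_bytes)
    return entry


def build_settings_plist(portal: str, event_entries: dict) -> bytes:
    """Serialize the /Palo Alto Networks/GlobalProtect subtree as XML plist bytes.

    PanSetup/Portal pre-deploys the portal address; Settings/<event> holds each
    script's strings. Unknown event names and non-string values are rejected.
    """
    for event, entry in event_entries.items():
        if event not in EVENTS:
            raise ValueError("unknown event dictionary: " + event)
        for key, value in entry.items():
            if not isinstance(value, str):
                raise TypeError(f"{event}/{key} must be a string, got {type(value).__name__}")
    root = {
        "Palo Alto Networks": {
            "GlobalProtect": {
                "PanSetup": {"Portal": portal},
                "Settings": dict(event_entries),
            }
        }
    }
    return plistlib.dumps(root)


def load_settings(plist_bytes: bytes) -> dict:
    """Parse the plist back, as a plist editor or the agent would read it."""
    return plistlib.loads(plist_bytes)


def main() -> None:
    entry = build_event_entry(SCRIPT_PATH, ("/Users/username", "username"),
                              SAMPLE_SCRIPT, timeout=45)
    data = build_settings_plist(PORTAL, {"pre-vpn-connect": entry})
    # Writing to /Library/Preferences needs administrator rights, and Step 1
    # (killall cfprefsd) applies afterwards; here the XML is only printed.
    print(data.decode())


if __name__ == "__main__":
    main()
```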


Mac OS Script Examples

You can configure the GlobalProtect agent to initiate and run a script for any or all of the following events: before and after establishing the tunnel, and before disconnecting the tunnel. To run the script at a particular event, reference the shell script from a command plist entry for that event. The following topics show examples of scripts that you can run at pre-connect, post-connect and pre-disconnect events:
- Example: Terminate All Established SSH Sessions on Mac Endpoints
- Example: Mount a Network Share on Mac Endpoints

Example: Terminate All Established SSH Sessions on Mac Endpoints

To force termination of all established SSH sessions before setting up the VPN tunnel, reference the following script from a command plist entry for a pre-vpn-connect event. Similarly, you can re-establish the sessions after establishing the GlobalProtect VPN tunnel by using a script that you reference from the command plist entry for a post-vpn-connect event. This can be useful if you want to force all SSH traffic to traverse the GlobalProtect VPN tunnel.
#!/bin/bash
# Identify all established SSH client sessions and force kill them.
# ps -ax lists every session, not only those on the script's own terminal;
# matching "[s]sh " keeps the grep process itself out of the results.
ps -ax | grep '[s]sh ' | awk '{ print $1 }' | xargs kill -9

Example: Mount a Network Share on Mac Endpoints

To mount a network share after establishing a VPN connection, reference the following script from a command plist entry for a post-vpn-connect event:


#!/bin/bash
# Create the mount point passed as the first parameter, then mount the share on it.
# Replace username and password with the account that is allowed to access the share.
mkdir -p "$1"
mount -t smbfs //username:password@10.101.2.17/shares/Departments/Engineering/SW_eng/username/folder "$1"
sleep 1


Reference: GlobalProtect Agent Cryptographic Functions

The GlobalProtect agent uses the OpenSSL library 1.0.1h to establish secure communication with the GlobalProtect portal and GlobalProtect gateways. The following table lists each GlobalProtect agent function that requires a cryptographic function and the cryptographic keys the GlobalProtect agent uses:

Crypto Function: Winhttp (Windows) and NSURLConnection (MAC); aes256-sha
Key: Dynamic key negotiated between the GlobalProtect agent and the GlobalProtect portal and/or gateway for establishing the HTTPS connection.
Usage: Used to establish the HTTPS connection between the GlobalProtect agent and the GlobalProtect portal and GlobalProtect gateway for authentication.

Crypto Function: OpenSSL; aes256-sha
Key: Dynamic key negotiated between the GlobalProtect agent and the GlobalProtect gateway during the SSL handshake.
Usage: Used to establish the SSL connection between the GlobalProtect agent and the GlobalProtect gateway for HIP report submission, SSL tunnel negotiation, and network discovery.

Crypto Function: IPSec encryption and authentication; aes128-sha1, aes128-cbc, aes128-gcm, and aes256-gcm
Key: The session key sent from the GlobalProtect gateway.
Usage: Used to establish the IPSec tunnel between the GlobalProtect agent and the GlobalProtect gateway. Use the strongest algorithm supported by your network (AES-GCM is recommended).
To provide data integrity and authenticity protection, the aes128-cbc cipher requires the sha1 authentication algorithm. Because AES-GCM encryption algorithms (aes128-gcm and aes256-gcm) natively provide ESP integrity protection, the sha1 authentication algorithm is ignored for these ciphers even though it is required during configuration.


GlobalProtect MIB Support

Palo Alto Networks devices support standard and enterprise management information bases (MIBs) that enable you to monitor the device's physical state, utilization statistics, traps, and other useful information. Most MIBs use object groups to describe characteristics of the device using the Simple Network Management Protocol (SNMP) framework. You must load these MIBs into your SNMP manager to monitor the objects (device statistics and traps) that are defined in the MIBs (for details, see Use an SNMP Manager to Explore MIBs and Objects in the PAN-OS 7.1 Administrator's Guide).
The PAN-COMMON-MIB, which is included with the enterprise MIBs, uses the panGlobalProtect object group. The following table describes the objects that make up the panGlobalProtect object group.

Object                           Description
panGPGWUtilizationPct            Utilization (as a percentage) of the GlobalProtect gateway
panGPGWUtilizationMaxTunnels     Maximum number of tunnels allowed
panGPGWUtilizationActiveTunnels  Number of active tunnels

Use these SNMP objects to monitor utilization of GlobalProtect gateways and make changes as needed. For example, if the number of active tunnels reaches 80% or more of the maximum number of tunnels allowed, you should consider adding additional gateways.

Mobile Endpoint Management

- Mobile Endpoint Management Overview
- Set Up a Mobile Endpoint Management System
- Deploy the GlobalProtect Mobile App Using AirWatch
- Manage the GlobalProtect App Using AirWatch
- Manage the GlobalProtect App Using a Third-Party MDM


Mobile Endpoint Management Overview

As mobile endpoints become more powerful, end users increasingly rely on them to perform business tasks. However, these same endpoints that access your corporate network also connect to the internet without protection against threats and vulnerabilities. By using a third-party mobile endpoint management system, such as a mobile device management (MDM) or enterprise mobility management (EMM) system, you can easily manage both company-provisioned and employee-owned devices (such as in a BYOD environment).

A mobile endpoint management system simplifies the administration of mobile endpoints by enabling you to automatically deploy your corporate account configuration and VPN settings to compliant endpoints. You can also use your mobile endpoint management system for remediation of security breaches by interacting with an endpoint that has been compromised. This protects both corporate data and personal end-user data. For example, if an end user loses an endpoint, you can remotely lock the endpoint from the mobile endpoint management system or even wipe the endpoint (either completely or selectively).
In addition to the account provisioning and remote device management functions that a mobile endpoint management system can provide, when it is integrated with your existing GlobalProtect VPN infrastructure you can use the host information that the endpoint reports to enforce security policies for access to apps through the GlobalProtect gateway. You can also use the monitoring tools that are built into the Palo Alto Networks next-generation firewall to monitor mobile endpoint traffic.


Set Up a Mobile Endpoint Management System

To set up a mobile endpoint management system, use the following workflow:

Set Up an Endpoint Management System

Step 1  Set Up the GlobalProtect Infrastructure.
        1. Create Interfaces and Zones for GlobalProtect.
        2. Enable SSL Between GlobalProtect Components.
        3. Set Up GlobalProtect User Authentication.
        4. Enable Group Mapping.
        5. Configure GlobalProtect Gateways.
        6. Activate Licenses for each firewall running a gateway (or gateways) that supports the GlobalProtect app on mobile endpoints.
        7. Configure the GlobalProtect Portal.

Step 2  Set up the mobile endpoint management system and decide whether to support only corporate-issued endpoints or both corporate-issued and personal endpoints.
        See the instructions for your mobile endpoint management system, mobile device management (MDM) system, or enterprise mobility management (EMM) system.

Step 3  Obtain the GlobalProtect app for mobile endpoints.
        - App store: Download and Install the GlobalProtect Mobile App
        - AirWatch: Deploy the GlobalProtect Mobile App Using AirWatch
        - Other third-party mobile endpoint management system: See the instructions from your vendor on how to deploy apps to managed endpoints.

Step 4  Configure VPN settings for the GlobalProtect app.
        - Manage the GlobalProtect App Using AirWatch
        - Manage the GlobalProtect App Using a Third-Party MDM

Step 5  Configure policies that target mobile endpoints using host information.
        Configure HIP-Based Policy Enforcement for managed endpoints.


Manage the GlobalProtect App Using AirWatch

- Deploy the GlobalProtect Mobile App Using AirWatch
- Configure the GlobalProtect App for iOS Using AirWatch
- Configure the GlobalProtect App for Android Using AirWatch
- Configure the GlobalProtect App for Windows 10 UWP Using AirWatch

Deploy the GlobalProtect Mobile App Using AirWatch

The GlobalProtect app provides a simple way to extend the enterprise security policies out to mobile endpoints. As with other remote hosts running the GlobalProtect agent, the mobile app provides secure access to your corporate network over an IPSec or SSL VPN tunnel. The app connects to the gateway that is closest to the end user's current location. In addition, traffic to and from the mobile endpoint is automatically subject to the same security policy enforcement as other hosts on your corporate network. Like the GlobalProtect agent, the app collects information about the host configuration and can use this information for enhanced HIP-based security policy enforcement.
There are two primary methods for installing the GlobalProtect app: you can install the app directly from the app store for your endpoint (see Download and Install the GlobalProtect Mobile App), or you can deploy the app from a third-party mobile endpoint management system (such as AirWatch) and transparently push the app to your managed endpoints.
With AirWatch, you can deploy the GlobalProtect app to managed endpoints that have enrolled with AirWatch. Endpoints running iOS or Android must download the AirWatch agent to enroll with the AirWatch EMM. Windows 10 endpoints do not require the AirWatch agent but require you to configure enrollment on the endpoint. After you deploy the app, configure and deploy a VPN profile to set up the GlobalProtect app for the end user automatically.

Deploy the GlobalProtect App from AirWatch

Step 1  Before you begin, ensure that the endpoints to which you want to deploy the GlobalProtect app are enrolled with AirWatch:
        - Android and iOS: Download the AirWatch agent and follow the prompts to enroll.
        - Windows Phone and Windows 10 UWP: Configure the Windows 10 UWP endpoint to enroll with AirWatch (from the endpoint, select Settings > Accounts > Work access > Connect).

Step 2  From AirWatch, select Apps & Books > Public > Add Application.

Step 3  Select the organization group by which this app will be managed.

Step 4  Select the Platform, either Apple iOS, Android, or Windows Phone.

Step 5  Search for the app in the app store for the endpoint or enter the URL of the GlobalProtect app page:
        - Apple iOS: https://itunes.apple.com/us/app/globalprotect/id592489989?mt=8&uo=4
        - Android: https://play.google.com/store/apps/details?id=com.paloaltonetworks.globalprotect
        - Windows Phone: https://www.microsoft.com/store/apps/9NBLGGH6BZL3


Step 6  Click Next. If you chose to search for the app in the app store for the endpoint, you must also Select the app from a list of search results.
        If you chose to search for the GlobalProtect app for Android and did not see the app in the list, contact your Android for Work administrator to add GlobalProtect to the list of approved company apps.

Step 7  On the Assignment tab, select the Assigned Smart Groups that will have access to this app.

Step 8  On the Deployment tab, select the Push Mode, either Auto or On Demand.

Step 9  Select Save & Publish to push the App Catalog to the endpoints in the Smart Groups you assigned in the Assignment section.

Step 10  Next steps:
        - Configure the GlobalProtect App for iOS Using AirWatch
        - Configure the GlobalProtect App for Android Using AirWatch
        - Configure the GlobalProtect App for Windows 10 UWP Using AirWatch

Configure the GlobalProtect App for iOS Using AirWatch

AirWatch is an Enterprise Mobility Management platform that enables you to manage mobile endpoints from a central console. The GlobalProtect app provides a secure connection between AirWatch-managed mobile endpoints and the firewall at either the device or application level. Using GlobalProtect as the secure connection allows consistent inspection of traffic and enforcement of network security policy for threat prevention on the mobile endpoint.
- Configure a Device-Level VPN Configuration for iOS Devices Using AirWatch
- Configure a Per-App VPN Configuration for iOS Devices Using AirWatch

Configure a Device-Level VPN Configuration for iOS Devices Using AirWatch

You can easily enable access to internal resources from your managed mobile endpoints by configuring VPN access using AirWatch. In a device-level VPN configuration, you route all of the traffic that matches the access routes configured on the GlobalProtect gateway through the GlobalProtect VPN.

Configure a Device-Level VPN Configuration for iOS Devices Using AirWatch

Step 1  Download the GlobalProtect app for iOS:
        - Deploy the GlobalProtect Mobile App Using AirWatch.
        - Download the GlobalProtect app directly from the App Store.


Step 2  From the AirWatch console, modify or add a new Apple iOS profile.
        1. Navigate to Devices > Profiles > List View.
        2. Select an existing profile to add the VPN configuration to it, or add a new one (select Add > Apple iOS).
        3. Configure General profile settings:
           - Description: A brief description of the profile that indicates its purpose.
           - Deployment: Determines whether the profile will be automatically removed upon unenrollment, either Managed (the profile is removed) or Manual (the profile remains installed until removed by the end user).
           - Assignment Type: Determines how the profile is deployed to endpoints. Select Auto to deploy the profile to all endpoints automatically, Optional to enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or Compliance to deploy the profile when an end user violates a compliance policy applicable to the endpoint.
           - Managed By: The Organization Group with administrative access to the profile.
           - Assigned Smart Group: The Smart Group to which you want the device profile added. Includes an option to create a new Smart Group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups and more.
           - Allow Removal: Determines whether or not the profile can be removed by the endpoint's end user. Select Always to enable the end user to manually remove the profile at any time, Never to prevent the end user from removing the profile from the endpoint, or With Authorization to enable the end user to remove the profile with the authorization of the administrator. Choosing With Authorization adds a required Password.
           - Exclusions: If Yes is selected, a new field Excluded Smart Groups displays, enabling you to select those Smart Groups you wish to exclude from the assignment of this device profile.

Step 3  To configure the VPN settings, select VPN and then click Configure.

Step 4  Configure connection information, including:
        - Connection Name: Enter the name of the connection to be displayed.
        - Connection Type: Select Palo Alto Networks GlobalProtect as the network connection method.
        - Server: Enter the hostname or IP address of the GlobalProtect portal to which to connect.
        - Account: Enter the username of the VPN account or click add (+) to view supported lookup values you can insert.
        - Authentication: Choose the method to authenticate end users. Follow the related prompts to enter a Password or upload an Identity Certificate to use to authenticate users; or, if you selected Password + Certificate, follow the related prompts for both.

Step 5  Save & Publish your changes.

Configure a Per-App VPN Configuration for iOS Devices Using AirWatch

You can easily enable access to internal resources from your managed mobile endpoints by configuring GlobalProtect VPN access using AirWatch. In a per-app VPN configuration, you can specify which managed apps on the endpoint can send traffic through the GlobalProtect VPN tunnel. Unmanaged apps will continue to connect directly to the Internet instead of through the GlobalProtect VPN tunnel.

Configure a Per-App VPN Configuration for iOS Devices Using AirWatch

Step 1  Download the GlobalProtect app for iOS:
        - Deploy the GlobalProtect Mobile App Using AirWatch.
        - Download the GlobalProtect app directly from the App Store.


Step 2  From the AirWatch console, modify or add a new Apple iOS profile:
        1. Navigate to Devices > Profiles > List View.
        2. Select an existing profile to add the VPN configuration to it, or add a new one (select Add > Apple iOS).

Step 3  Configure General profile settings:
        - Description: A brief description of the profile that indicates its purpose.
        - Deployment: Determines whether the profile will be automatically removed upon unenrollment, either Managed (the profile is removed) or Manual (the profile remains installed until removed by the end user).
        - Assignment Type: Determines how the profile is deployed to endpoints. Select Auto to deploy the profile to all endpoints automatically, Optional to enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or Compliance to deploy the profile when an end user violates a compliance policy applicable to the endpoint.
        - Managed By: The Organization Group with administrative access to the profile.
        - Assigned Smart Group: The Smart Group to which you want the device profile added. Includes an option to create a new Smart Group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups and more.
        - Allow Removal: Determines whether or not the profile can be removed by the endpoint's end user. Select Always to enable the end user to manually remove the profile at any time, Never to prevent the end user from removing the profile from the endpoint, or With Authorization to enable the end user to remove the profile with the authorization of the administrator. Choosing With Authorization adds a required Password.
        - Exclusions: If Yes is selected, a new field Excluded Smart Groups displays, enabling you to select those Smart Groups you wish to exclude from the assignment of this device profile.

Step 4  To configure the per-app VPN settings in the Apple iOS profile, select VPN and then click Configure.

Step 5  Configure connection information, including:
        - Connection Name: Enter the name of the connection to be displayed.
        - Connection Type: Select Palo Alto Networks GlobalProtect as the network connection method.
        - Server: Enter the hostname or IP address of the GlobalProtect portal to which to connect.
        - Account: Enter the username of the VPN account or click add (+) to view supported lookup values that you can insert.
        - Send All Traffic: Select this check box to force all traffic through the specified network.
        - Disconnect on Idle: Allow the VPN to auto-disconnect after a specific amount of time.
        - Enable Per-App VPN to route all of the traffic for a managed app through the GlobalProtect VPN.
        - Connect Automatically: Select this check box to allow the VPN to connect automatically to chosen Safari Domains.

Step 6  Configure the authentication method to use to authenticate users. For per-app VPN, you must use certificate-based authentication. Select User Authentication: Certificate, and then follow the prompts to upload an Identity Certificate to use for authentication.

Step 7  Select either Manual or Auto Proxy type and enter the specific information needed.

Step 8  Click Save & Publish.


Step 9  Configure per-app VPN settings for a new managed app, or modify the settings for an existing managed app. After configuring the settings for the app and enabling per-app VPN, you can publish the app to a group of users and enable the app to send traffic through the GlobalProtect VPN tunnel.
        1. On the main page, select Apps & Books > Public.
        2. To add a new app, select Add Application. Or, to modify the settings of an existing app, locate the GlobalProtect app in the list of Public apps and then select the edit icon in the actions menu next to the row.
        3. Select the organization group by which this app will be managed.
        4. Select Apple iOS as the Platform.
        5. Select your preferred method for locating the app, either by searching the App Store (by Name) or by specifying a URL for the app in the App Store (for example, to add the Box app, enter https://itunes.apple.com/us/app/boxforiphoneandipad/id290853822?mt=8&uo=4), and then click Next. If you choose to search the App Store, you must Select the app from the list of search results.
        6. On the Assignment tab, select the Assigned Smart Groups that will have access to this app.
        7. On the Deployment tab, select the Push Mode, either Auto or On Demand.
        8. Select Use VPN and then select the Apple iOS profile that you created earlier in this workflow.
           Only profiles that have per-app VPN enabled are available from the drop-down.
        9. Select Save & Publish to push the App Catalog to the endpoints in the Smart Groups you assigned in the Assignment section.

Configure the GlobalProtect App for Android Using AirWatch

You can use the GlobalProtect app for Android with AirWatch agent 6.0 and later releases. The AirWatch agent interfaces with AirWatch to manage Android endpoints. Using the GlobalProtect app for Android as the secure connection between the endpoint and the firewall allows consistent inspection of traffic and enforcement of network security policy for threat prevention. The GlobalProtect app can provide a secure connection at either the device or application level.
- Configure a Device-Level VPN Configuration for Android Devices Using AirWatch
- Configure a Per-App VPN Configuration for Android Devices Using AirWatch
- Enable App Scan Integration with WildFire

Configure a Device-Level VPN Configuration for Android Devices Using AirWatch

You can easily enable access to internal resources from your managed Android mobile endpoints by configuring VPN access using AirWatch. In a device-level VPN configuration, you route all of the traffic that matches the access routes configured on the GlobalProtect gateway through the GlobalProtect VPN.

Configure a Device-Level VPN Configuration for Android Devices Using AirWatch

Step 1  Download the GlobalProtect app for Android:
        - Deploy the GlobalProtect Mobile App Using AirWatch.
        - Download the GlobalProtect app directly from Google Play.


Step 2  From the AirWatch console, modify or add a new Android profile.
        1. Navigate to Devices > Profiles > List View.
        2. Select an existing profile to which to add the VPN configuration, or add a new one (select Add > Add Profile).
        3. Select Android as the platform and Device as the configuration type.

Step 3  Configure General profile settings:
        - Name: Provide a meaningful name for this configuration.
        - Version: This field is auto-populated with the latest version number of the configuration profile.
        - Description: A brief description of the profile that indicates its purpose.
        - Profile Scope: Scope for this profile, either Production, Staging, or Both.
        - Assignment Type: Determines how the profile is deployed to endpoints. Select Auto to deploy the profile to all endpoints automatically, Optional to enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or Compliance to deploy the profile when an end user violates a compliance policy applicable to the endpoint.
        - Managed By: The Organization Group with administrative access to the profile.
        - Assigned Smart Group: The Smart Group to which you want the device profile added. Includes an option to create a new Smart Group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups and more.
        - Allow Removal: Determines whether or not the profile can be removed by the endpoint's end user. Select Always to enable the end user to manually remove the profile at any time, Never to prevent the end user from removing the profile from the endpoint, or With Authorization to enable the end user to remove the profile with the authorization of the administrator. Choosing With Authorization adds a required Password.
        - Exclusions: If Yes is selected, a new field Excluded Smart Groups displays, enabling you to select those Smart Groups you wish to exclude from the assignment of this device profile.

Step 4  Save and Publish this profile to the assigned Smart Groups.

Step 5  To configure the VPN settings, select VPN and then click Configure.

Step 6  Configure Connection Info, including:
        - Connection Type: Select GlobalProtect as the network connection method.
        - Connection Name: Enter the name of the connection that the endpoint will display.
        - Server: Enter the hostname or IP address of the GlobalProtect portal to which to connect.

Step 7  Configure Authentication information:
        1. Choose the method to authenticate end users: Password or Certificate.
        2. Enter the Username of the VPN account or click add (+) to view supported lookup values that you can insert.
        3. Enter a Password or upload an Identity Certificate that GlobalProtect will use to authenticate users.

Step 8  Save & Publish this profile to the assigned Smart Groups.


Configure a Per-App VPN Configuration for Android Devices Using AirWatch

You can easily enable access to internal resources from your managed mobile endpoints by configuring GlobalProtect VPN access using AirWatch. In a per-app VPN configuration, you can specify which managed apps on the endpoint can send traffic through the GlobalProtect VPN tunnel. Unmanaged apps will continue to connect directly to the Internet instead of through the GlobalProtect VPN tunnel.

Configure a Per-App VPN Configuration for Android Devices Using AirWatch

Step 1  Download the GlobalProtect app for Android:
        - Deploy the GlobalProtect Mobile App Using AirWatch.
        - Download the GlobalProtect app directly from Google Play.

Step 2  From the AirWatch console, modify or add a new Android profile.
        1. Navigate to Devices > Profiles > List View.
        2. Select an existing profile to which to add the VPN configuration, or add a new one (select Add > Add Profile).
        3. Select Android as the platform and Device as the configuration type.

Step 3  Configure General profile settings:
        - Name: Provide a meaningful name for this configuration.
        - Version: This field is auto-populated with the latest version number of the configuration profile.
        - Description: A brief description of the profile that indicates its purpose.
        - Profile Scope: Scope for this profile, either Production, Staging, or Both.
        - Assignment Type: Determines how the profile is deployed to endpoints. Select Auto to deploy the profile to all endpoints automatically, Optional to enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or Compliance to deploy the profile when an end user violates a compliance policy applicable to the endpoint.
        - Managed By: The Organization Group with administrative access to the profile.
        - Assigned Smart Group: The Smart Group to which you want the device profile added. Includes an option to create a new Smart Group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups and more.
        - Allow Removal: Determines whether or not the profile can be removed by the endpoint's end user. Select Always to enable the end user to manually remove the profile at any time, Never to prevent the end user from removing the profile from the endpoint, or With Authorization to enable the end user to remove the profile with the authorization of the administrator. Choosing With Authorization adds a required Password.
        - Exclusions: When you select Yes, the AirWatch console displays an Excluded Smart Groups field, which you can use to select those Smart Groups you wish to exclude from the assignment of this device profile.

Step 4  Save and Publish this profile to the assigned Smart Groups.

Step 5  To configure the VPN settings:
        1. Select VPN and then click Configure.
        2. Configure Connection Info, including:
           - Connection Type: Select GlobalProtect as the network connection method.
           - Connection Name: Enter the name of the connection that the endpoint will display.
           - Server: Enter the hostname or IP address of the GlobalProtect portal to which to connect.
           - Enable Per-App VPN to route all of the traffic for a managed app through the GlobalProtect VPN.
        3. Select the authentication method to use to authenticate users. For per-app VPN, you must use certificate-based authentication. Select User Authentication: Certificate, and then follow the prompts to upload an Identity Certificate to use for authentication.
        4. Save & Publish this profile to the assigned Smart Groups.


Step 6 Configure per-app VPN settings for a new managed app, or modify the settings for an existing managed app:
1. On the main page, select Apps & Books > Applications > List View > Public.
2. To add a new app, select Add Application. Or, to modify the settings of an existing app, locate the app in the list of Public apps and then select the edit icon in the actions menu next to the row.
3. Select the organization group by which this app will be managed.
4. Select Android as the Platform.
5. Select your preferred method for locating the app, either by specifying a URL or importing the app from the app store (Google Play). To search by URL, you must also enter the Google Play Store URL for the app (for example, to search for the Box app by URL, enter https://play.google.com/store/apps/details?id=com.box.android).
6. Click Next. If you chose to import the app from Google Play in the previous step, you must Select the app from the list of approved company apps. If you do not see the app in the list, contact your Android for Work administrator to approve the app.
7. On the Assignment tab, select the Assigned Smart Groups that will have access to this app.
8. On the Deployment tab, select the Push Mode, either Auto or On Demand.
9. Select Use VPN and then select the Android profile that you created earlier in this workflow. Only profiles that have per-app VPN enabled are available from the drop-down.
10. Save & Publish the configuration to the assigned Smart Groups.

Step 7 Configure Authentication information:
1. Choose the method to authenticate end users: Password or Certificate.
2. Enter the Username of the VPN account or click add (+) to view supported lookup values that you can insert.
3. Enter a Password or upload an Identity Certificate that GlobalProtect will use to authenticate users.

Step 8 Save & Publish this profile to the assigned Smart Groups.

Enable App Scan Integration with WildFire

By enabling App Scan in AirWatch, you can leverage WildFire threat intelligence about apps to detect malware on Android endpoints. When enabled, the AirWatch agent sends the list of apps that are installed on the Android endpoint to AirWatch. This occurs during enrollment and subsequently on any device check-in. AirWatch then periodically queries WildFire for verdicts and can take compliance action on the endpoint based on the verdict.


Step 1 Before you begin, obtain a WildFire API key. If you do not already have an API key, contact Support.

Step 2 From AirWatch, select Groups & Settings > All Settings > Apps > App Scan > Third Party Integration.

Step 3 Select Current Setting: Override.

Step 4 Select Enable Third Party App Scan Analysis to enable communication between AirWatch and WildFire.

Step 5 Choose Palo Alto Networks WildFire from the Choose App Scan Vendor drop-down.

Step 6 Enter your WildFire API key.


Step 7 Click Test Connection to ensure that AirWatch can communicate with WildFire. If the test is not successful, verify connectivity to the Internet, re-enter the API key, and then try again.

Step 8 Save your changes. AirWatch schedules a synchronization task to communicate with WildFire to obtain the latest verdicts for application hashes and runs the task at regular intervals. Click Sync Now to initiate a manual sync with WildFire.

Configure the GlobalProtect App for Windows 10 UWP Using AirWatch

Using the GlobalProtect app for Windows 10 UWP as the secure connection between the endpoint and the firewall allows consistent inspection of traffic and enforcement of network security policy for threat prevention.
The GlobalProtect app for Windows 10 UWP supports the following configurations using AirWatch:
Per-App VPN: Specifies which managed apps on the endpoint can send traffic through the secure tunnel. Unmanaged apps will continue to connect directly to the Internet instead of through the secure connection.
Device-Level VPN: Sends all traffic that matches specific filters (such as port and IP address) through the VPN irrespective of app. Device-level VPN configurations also support the ability to force the secure connection to be Always On. For even tighter security requirements, you can enable the VPN Lockdown option, which both forces the secure connection to always be on and connected and disables network access when the app is not connected. This configuration is similar to the Enforce GlobalProtect for Network Access option that you would typically configure in a GlobalProtect portal configuration.

Because AirWatch does not yet list GlobalProtect as an official connection provider for Windows endpoints, you must select an alternate VPN provider, edit the settings for the GlobalProtect app, and import the configuration back into the VPN profile as described in the following workflow.


Step 1 Download the GlobalProtect app for Windows 10 UWP:
Deploy the GlobalProtect Mobile App Using AirWatch.
Download the GlobalProtect app directly from the Microsoft Store.

Step 2 From the AirWatch console, add a new Windows 10 UWP profile:
1. Navigate to Devices > Profiles > List View.
2. Select Add > Add Profile.
3. Select Windows as the platform and Windows Phone as the configuration type.
4. Configure General profile settings such as a meaningful Name for this configuration and a brief Description of the profile that indicates its purpose.
5. Save and Publish this profile to the assigned Smart Groups.

Step 3 To configure the VPN connection settings, select VPN and then click Configure.

Step 4 Configure Connection Info, including:
Connection Name: Enter the name of the connection that the endpoint will display.
Connection Type: Select an alternate provider (do not select IKEv2, L2TP, PPTP, or Automatic, as these do not have the associated vendor settings required for the GlobalProtect VPN profile). You must select the alternate vendor because AirWatch does not yet list GlobalProtect as an official connection provider for Windows endpoints.
Server: Enter the hostname or IP address of the GlobalProtect portal to which to connect.

Step 5 Configure the authentication settings for the VPN connection:
1. Select the Authentication Type to choose the method to authenticate end users.
2. To permit GlobalProtect to save user credentials, enable Remember Credentials in the Policies area.

Step 6 Configure VPN traffic rules to apply device-wide or on a per-app basis:
Add New Per-App VPN Rule: Specify rules for specific legacy apps (typically .exe files) or modern apps (typically downloaded from the Microsoft Store) that determine whether to automatically establish the VPN connection when the app is launched and whether to send app traffic through the VPN. You can also configure specific traffic filters to route only app traffic through the VPN if it matches match criteria such as IP address and port.
Add New Device-Wide VPN Rule: Specify routing filters to send traffic matching a specific route through the VPN. These rules are not bound by application and are evaluated across the endpoint. If the traffic matches the match criteria, it is routed through the VPN.

Step 7 (Device-level VPN only) If desired, configure your preference of Always On connection:
1. To maintain the VPN connection always, enable either of the following options:
Always On: Force the secure connection to be always on.
VPN Lockdown: Force the secure connection to be always on and connected, and disable network access when the app is not connected. The VPN Lockdown option in AirWatch is similar to the Enforce GlobalProtect for Network Access option that you would configure in a GlobalProtect portal configuration.
2. Specify Trusted Network addresses if you want GlobalProtect to connect only when it detects a trusted network connection.
3. Save & Publish your changes.


Step 8 To adapt the configuration for GlobalProtect, edit the VPN profile in XML.
To minimize additional edits in the raw XML, review the settings in your VPN profile before you export the configuration. If you need to change a setting after you export the VPN profile, you can make the changes in the raw XML, or you can update the setting in the VPN profile and perform this step again.
1. In the Devices > Profiles > List View, select the radio button next to the new profile you added in the previous steps, and then select </> XML at the top of the table. AirWatch opens the XML view of the profile.
2. Export the profile and then open it in a text editor of your choice.
3. Edit the following settings for GlobalProtect:
In the LocURI element that specifies the PluginPackageFamilyName, change the element to:
<LocURI>./Vendor/MSFT/VPNv2/PaloAltoNetworks/PluginProfile/PluginPackageFamilyName</LocURI>
In the Data element that follows, change the value to:
<Data>PaloAltoNetworks.GlobalProtect_rn9aeerfb38dg</Data>
4. Save your changes to the exported profile.
5. Return to AirWatch and the Devices > Profiles > List View.
6. Create (select Add > Add Profile > Windows > Windows Phone) and name a new profile.
7. Select Custom Settings > Configure, and then copy and paste the edited configuration.
8. Save & Publish your changes.

Step 9 Clean up the original profile: Select the original profile from the Devices > Profiles > List View, then select More Actions > Deactivate. AirWatch moves the profile to the Inactive list.

Step 10 Test the configuration.


Manage the GlobalProtect App Using a Third-Party MDM

You can use any third-party mobile device management (MDM) system that manages an Android or iOS mobile endpoint to deploy and configure the GlobalProtect app.
Manage the GlobalProtect App for iOS Using a Third-Party MDM System
Configure the GlobalProtect App for iOS
Example: GlobalProtect iOS App Device-Level VPN Configuration
Example: GlobalProtect iOS App App-Level VPN Configuration
Manage the GlobalProtect App for Android Using a Third-Party MDM System
Configure the GlobalProtect App for Android
Example: Set VPN Configuration
Example: Remove VPN Configuration

Configure the GlobalProtect App for iOS

While a third-party MDM system allows you to push configuration settings that allow access to your corporate resources and provides a mechanism for enforcing device restrictions, it does not secure the connection between the mobile endpoint and the services it connects to. To enable the client to establish secure tunnel connections, you must enable VPN support on the endpoint.
The following table describes typical settings that you can configure using your third-party MDM system.

Setting / Description / Value

Connection Type
  Description: Type of connection enabled by the policy.
  Value: Custom SSL

Identifier
  Description: Identifier for the custom SSL VPN in reverse DNS format.
  Value: com.paloaltonetworks.GlobalProtect.vpnplugin

Server
  Description: Hostname or IP address of the GlobalProtect portal.
  Value: <hostname or IP address>. For example: gp.paloaltonetworks.com

Account
  Description: User account for authenticating the connection.
  Value: <username>

User Authentication
  Description: Authentication type for the connection.
  Value: Certificate | Password

Credential
  Description: (Certificate User Authentication only) Credential for authenticating the connection.
  Value: <credential>. For example: clientcredential.p12

Enable VPN On Demand
  Description: (Optional) Domain and hostname that will establish the connection and the on-demand action: Always establish a connection; Never establish a connection; Establish a connection if needed.
  Value: <domain and hostname and the on-demand action>. For example: gp.acme.com; Never establish


Example: GlobalProtect iOS App Device-Level VPN Configuration

The following example shows the XML configuration containing a VPN payload that you can use to verify the device-level VPN configuration of the GlobalProtect app for iOS.


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Configures VPN settings, including authentication.</string>
<key>PayloadDisplayName</key>
<string>VPN (Sample Device Level VPN)</string>
<key>PayloadIdentifier</key>
<string>Sample Device Level VPN.vpn</string>
<key>PayloadOrganization</key>
<string>Palo Alto Networks</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>5436fc94-205f-7c59-0000-011d</string>
<key>UserDefinedName</key>
<string>Sample Device Level VPN</string>
<key>Proxies</key>
<dict/>
<key>VPNType</key>
<string>VPN</string>
<key>VPNSubType</key>
<string>com.paloaltonetworks.GlobalProtect.vpnplugin</string>
<key>IPv4</key>
<dict>
<key>OverridePrimary</key>
<integer>0</integer>
</dict>
<key>VPN</key>
<dict>
<key>RemoteAddress</key>
<string>cademogp.paloaltonetworks.com</string>
<key>AuthName</key>
<string></string>
<key>DisconnectOnIdle</key>
<integer>0</integer>
<key>OnDemandEnabled</key>
<integer>1</integer>
<key>OnDemandRules</key>
<array>
<dict>
<key>Action</key>
<string>Connect</string>
</dict>
</array>
<key>AuthenticationMethod</key>
<string>Password</string>
</dict>
<key>VendorConfig</key>
<dict>
<key>AllowPortalProfile</key>
<integer>0</integer>
<key>FromAspen</key>
<integer>1</integer>
</dict>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Sample Device Level VPN</string>
<key>PayloadOrganization</key>
<string>Palo Alto Networks</string>
<key>PayloadDescription</key>
<string>Profile Description</string>
<key>PayloadIdentifier</key>
<string>Sample Device Level VPN</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>5436fc94-205f-7c59-0000-011c</string>
<key>PayloadRemovalDisallowed</key>
<false/>
</dict>
</plist>


Example: GlobalProtect iOS App App-Level VPN Configuration

The following example shows the XML configuration containing a VPN payload that you can use to verify the app-level VPN configuration of the GlobalProtect app for iOS.


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Configures VPN settings, including authentication.</string>
<key>PayloadDisplayName</key>
<string>VPN (Sample App Level VPN)</string>
<key>PayloadIdentifier</key>
<string>Sample App Level VPN.vpn</string>
<key>PayloadOrganization</key>
<string>Palo Alto Networks</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed.applayer</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>VPNUUID</key>
<string>cGFuU2FtcGxlIEFwcCBMZXZlbCBWUE52cG5TYW1wbGUgQXBwIExldmVsIFZQTg==</string>
<key>SafariDomains</key>
<array>
<string>*.paloaltonetworks.com</string>
</array>
<key>PayloadUUID</key>
<string>54370008-205f-7c59-0000-01a1</string>
<key>UserDefinedName</key>
<string>Sample App Level VPN</string>
<key>Proxies</key>
<dict/>
<key>VPNType</key>
<string>VPN</string>
<key>VPNSubType</key>
<string>com.paloaltonetworks.GlobalProtect.vpnplugin</string>
<key>IPv4</key>
<dict>
<key>OverridePrimary</key>
<integer>0</integer>
</dict>
<key>VPN</key>
<dict>
<key>RemoteAddress</key>
<string>cademogp.paloaltonetworks.com</string>
<key>AuthName</key>
<string></string>
<key>OnDemandMatchAppEnabled</key>
<integer>1</integer>
<key>OnDemandEnabled</key>
<integer>1</integer>
<key>DisconnectOnIdle</key>
<integer>0</integer>
<key>AuthenticationMethod</key>
<string>Password</string>
</dict>
<key>VendorConfig</key>
<dict>
<key>OnlyAppLevel</key>
<integer>1</integer>
<key>AllowPortalProfile</key>
<integer>0</integer>
<key>FromAspen</key>
<integer>1</integer>
</dict>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Sample App Level VPN</string>
<key>PayloadOrganization</key>
<string>Palo Alto Networks</string>
<key>PayloadDescription</key>
<string>Profile Description</string>
<key>PayloadIdentifier</key>
<string>Sample App Level VPN</string>
<key>PayloadType</key>
<string>Configuration</string>


<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>5436fc94-205f-7c59-0000-011c</string>
<key>PayloadRemovalDisallowed</key>
<false/>
</dict>
</plist>
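As an added example (not code from this guide, from Apple, or from Palo Alto Networks), the following Python checks an exported .mobileconfig for the markers that distinguish the device-level sample from the app-level sample above. The checks are derived only from those two samples; the portal hostname, UUIDs and SafariDomains value in the constructed samples are placeholders.

```python
"""Check an iOS .mobileconfig for the GlobalProtect VPN payload markers seen in
the two sample profiles in this section (device-level vs app-level)."""
import copy
import plistlib

GP_SUBTYPE = "com.paloaltonetworks.GlobalProtect.vpnplugin"
DEVICE_LEVEL = "com.apple.vpn.managed"           # PayloadType of the device-level sample
APP_LEVEL = "com.apple.vpn.managed.applayer"     # PayloadType of the app-level sample

# Constructed samples modelled on the two payloads above. The portal hostname,
# UUID and SafariDomains entry are placeholders, not values from the guide.
DEVICE_LEVEL_SAMPLE = {
    "PayloadType": "Configuration",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadRemovalDisallowed": False,
    "PayloadContent": [{
        "PayloadType": DEVICE_LEVEL,
        "PayloadIdentifier": "Sample Device Level VPN.vpn",
        "VPNType": "VPN",
        "VPNSubType": GP_SUBTYPE,
        "VPN": {
            "RemoteAddress": "gp.example.com",
            "OnDemandEnabled": 1,
            "OnDemandRules": [{"Action": "Connect"}],
            "AuthenticationMethod": "Password",
        },
        "VendorConfig": {"AllowPortalProfile": 0, "FromAspen": 1},
    }],
}

# The app-level sample differs in PayloadType, OnDemandMatchAppEnabled,
# OnlyAppLevel and SafariDomains, exactly as in the two profiles above.
APP_LEVEL_SAMPLE = copy.deepcopy(DEVICE_LEVEL_SAMPLE)
_app = APP_LEVEL_SAMPLE["PayloadContent"][0]
_app["PayloadType"] = APP_LEVEL
_app["PayloadIdentifier"] = "Sample App Level VPN.vpn"
_app["SafariDomains"] = ["*.example.com"]
_app["VPN"].pop("OnDemandRules")
_app["VPN"]["OnDemandMatchAppEnabled"] = 1
_app["VendorConfig"]["OnlyAppLevel"] = 1

# A broken variant: app-level PayloadType, but VendorConfig left as device-level.
BROKEN_APP_LEVEL_SAMPLE = copy.deepcopy(APP_LEVEL_SAMPLE)
BROKEN_APP_LEVEL_SAMPLE["PayloadContent"][0]["VendorConfig"].pop("OnlyAppLevel")


def render(profile):
    """Serialise a profile dict to the XML plist form an MDM exports."""
    return plistlib.dumps(profile)


def check_vpn_payload(profile_xml, expected_level):
    """Parse a .mobileconfig and report whether its VPN payload carries the
    markers of the device-level or the app-level sample. Returns a dict with the
    detected level ("device", "app" or None), a list of errors and a list of
    warnings."""
    root = plistlib.loads(profile_xml)
    errors, warnings = [], []
    vpn_payloads = [p for p in root.get("PayloadContent", [])
                    if p.get("PayloadType") in (DEVICE_LEVEL, APP_LEVEL)]
    if len(vpn_payloads) != 1:
        errors.append("expected one VPN payload, found %d" % len(vpn_payloads))
        return {"level": None, "errors": errors, "warnings": warnings}
    payload = vpn_payloads[0]
    level = "device" if payload["PayloadType"] == DEVICE_LEVEL else "app"
    if level != expected_level:
        errors.append("expected %s-level payload, found %s-level" % (expected_level, level))
    if payload.get("VPNType") != "VPN" or payload.get("VPNSubType") != GP_SUBTYPE:
        errors.append("VPNType/VPNSubType do not select the GlobalProtect plugin")
    vpn = payload.get("VPN", {})
    vendor = payload.get("VendorConfig", {})
    if not vpn.get("RemoteAddress"):
        errors.append("VPN.RemoteAddress (the portal) is empty")
    if vpn.get("AuthenticationMethod") not in ("Password", "Certificate"):
        errors.append("VPN.AuthenticationMethod must be Password or Certificate")
    if level == "app":
        if vpn.get("OnDemandMatchAppEnabled") != 1:
            errors.append("app-level payload lacks VPN.OnDemandMatchAppEnabled = 1")
        if vendor.get("OnlyAppLevel") != 1:
            errors.append("app-level payload lacks VendorConfig.OnlyAppLevel = 1")
    else:
        if vendor.get("OnlyAppLevel") == 1:
            errors.append("device-level payload sets VendorConfig.OnlyAppLevel")
        if vpn.get("OnDemandEnabled") == 1 and not vpn.get("OnDemandRules"):
            errors.append("OnDemandEnabled is set but no OnDemandRules are present")
    # Both samples leave the profile removable; flag it so the choice is deliberate.
    if not root.get("PayloadRemovalDisallowed"):
        warnings.append("PayloadRemovalDisallowed is false: the user can remove the profile")
    return {"level": level, "errors": errors, "warnings": warnings}
```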

Configure the GlobalProtect App for Android

You can deploy and configure the GlobalProtect app on Android for Work devices from any third-party mobile device management (MDM) system supporting Android for Work app data restrictions.
On Android devices, traffic is routed through the VPN tunnel according to the access routes configured on the GlobalProtect gateway. From your third-party MDM that manages Android for Work devices, you can further refine the traffic that is routed through the VPN tunnel.
In an environment where the device is corporately owned, the device owner manages the entire device, including all the apps installed on that device. By default, all installed apps can send traffic through the VPN tunnel according to the access routes defined on the gateway.
In a bring-your-own-device (BYOD) environment, the device is not corporately owned and uses a Work Profile to separate business and personal apps. By default, only managed apps in the Work Profile can send traffic through the VPN tunnel according to the access routes defined on the gateway. Apps installed on the personal side of the device cannot send traffic through the VPN tunnel set by the managed GlobalProtect app installed in the Work Profile.
To route traffic from an even smaller set of apps, you can enable Per-App VPN so that GlobalProtect only routes traffic from specific managed apps. For Per-App VPN, you can whitelist or blacklist specific managed apps from having their traffic routed through the VPN tunnel.
As part of the VPN configuration, you can also specify how the user connects to the VPN. When you configure the VPN connection method as user-logon, the GlobalProtect app will establish a connection automatically. When you configure the VPN connection method as on-demand, users can initiate a connection manually when attempting to connect to the VPN remotely.

The VPN connect method defined in the MDM takes precedence over the connect method defined in the GlobalProtect portal configuration.

Removing the VPN configuration automatically restores the GlobalProtect app to the original configuration settings.
To configure the GlobalProtect app for Android, configure the following Android App Restrictions.

Key / Value Type / Example

portal
  Value Type: String
  Example: 10.1.8.190

username
  Value Type: String
  Example: john

password
  Value Type: String
  Example: Passwd!234

certificate
  Value Type: String (in Base64)
  Example: DAFDSaweEWQ23wDSAFD.

client_certificate_passphrase
  Value Type: String
  Example: PA$$W0RD$123

app_list*
  Value Type: String
  Example: whitelist | blacklist: com.google.calendar; com.android.email; com.android.chrome

connect_method
  Value Type: String
  Example: user-logon | on-demand

remove_vpn_config_via_restriction
  Value Type: Boolean
  Example: true | false

* The app_list key specifies the configuration for Per-App VPN. Begin the string with either whitelist or blacklist, and follow it with an array of app names separated by semicolons. The whitelist specifies the apps that will use the VPN tunnel for network communication. The network traffic for any other app that is not in the whitelist, or that is expressly listed in the blacklist, will not go through the VPN tunnel.
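An added example, not from the guide: a Python parser for the app_list value that rejects a misspelled mode or a malformed package name before the restriction reaches the device, and works out which managed apps will be tunneled. It reads the footnote above as "whitelist: only the listed apps use the tunnel; blacklist: every managed app except the listed ones uses it"; the package names are constructed.

```python
"""Parse the app_list app-restriction value ("whitelist:pkg;pkg" or
"blacklist:pkg;pkg") and compute which managed apps use the VPN tunnel."""
import re

# Android package names: dot-separated identifiers with at least two segments.
_PACKAGE_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)+$")
MODES = ("whitelist", "blacklist")


def parse_app_list(value):
    """Return (mode, [packages]) for an app_list value.

    Raises ValueError on a malformed string (unknown mode, bad package name,
    no packages) so that a typo in the MDM console is caught in the MDM rather
    than silently producing a rule that tunnels nothing or everything."""
    if not isinstance(value, str) or ":" not in value:
        raise ValueError("app_list must look like 'whitelist:pkg;pkg' or 'blacklist:pkg;pkg'")
    mode, _, rest = value.partition(":")
    mode = mode.strip().lower()
    if mode not in MODES:
        raise ValueError("unknown mode %r (expected whitelist or blacklist)" % mode)
    packages = []
    for item in rest.split(";"):
        pkg = item.strip()
        if not pkg:
            continue                      # tolerate a trailing ';' or doubled separators
        if not _PACKAGE_RE.match(pkg):
            raise ValueError("%r is not a valid Android package name" % pkg)
        if pkg not in packages:           # keep order, drop duplicates
            packages.append(pkg)
    if not packages:
        raise ValueError("app_list names no packages")
    return mode, packages


def is_valid_app_list(value):
    """True if parse_app_list() accepts the value."""
    try:
        parse_app_list(value)
        return True
    except ValueError:
        return False


def tunneled_apps(app_list_value, installed_managed_apps):
    """Given the restriction and the managed apps present in the Work Profile,
    return the set whose traffic goes through the VPN tunnel: the listed apps
    for a whitelist, every other managed app for a blacklist. Personal-side
    apps never appear here because they are not managed apps."""
    mode, packages = parse_app_list(app_list_value)
    listed = set(packages)
    installed = set(installed_managed_apps)
    if mode == "whitelist":
        return installed & listed
    return installed - listed
```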

Example: Set VPN Configuration

import android.app.admin.DevicePolicyManager;
import android.content.Context;
import android.os.Bundle;

// Restriction keys read by the GlobalProtect app (see the App Restrictions table above).
private static final String RESTRICTION_PORTAL = "portal";
private static final String RESTRICTION_USERNAME = "username";
private static final String RESTRICTION_PASSWORD = "password";
private static final String RESTRICTION_CONNECT_METHOD = "connect_method";
private static final String RESTRICTION_CLIENT_CERTIFICATE = "client_certificate";
private static final String RESTRICTION_CLIENT_CERTIFICATE_PASSPHRASE =
        "client_certificate_passphrase";
private static final String RESTRICTION_APP_LIST = "app_list";
private static final String RESTRICTION_REMOVE_CONFIG = "remove_vpn_config_via_restriction";

// Build the restriction bundle; the values are the sample values from the guide.
Bundle config = new Bundle();
config.putString(RESTRICTION_PORTAL, "192.168.1.1");
config.putString(RESTRICTION_USERNAME, "john");
config.putString(RESTRICTION_PASSWORD, "Passwd!234");
config.putString(RESTRICTION_CONNECT_METHOD, "user-logon");
config.putString(RESTRICTION_CLIENT_CERTIFICATE, "DAFDSaweEWQ23wDSAFD.");
config.putString(RESTRICTION_CLIENT_CERTIFICATE_PASSPHRASE, "PA$$W0RD$123");
config.putString(RESTRICTION_APP_LIST,
        "whitelist:com.android.chrome;com.android.calendar");

// Push the restrictions to the GlobalProtect package. This code runs inside the
// MDM's device-owner (or profile-owner) app, so getSystemService() and "this" refer
// to that app's Context, and EnforcerDeviceAdminReceiver is its DeviceAdminReceiver.
DevicePolicyManager dpm = (DevicePolicyManager)
        getSystemService(Context.DEVICE_POLICY_SERVICE);
dpm.setApplicationRestrictions(EnforcerDeviceAdminReceiver.getComponentName(this),
        "com.paloaltonetworks.globalprotect", config);

Example: Remove VPN Configuration

// Setting remove_vpn_config_via_restriction to true makes the GlobalProtect app
// discard the pushed configuration and return to its original settings.
Bundle config = new Bundle();
config.putBoolean(RESTRICTION_REMOVE_CONFIG, true);
DevicePolicyManager dpm = (DevicePolicyManager)
        getSystemService(Context.DEVICE_POLICY_SERVICE);
dpm.setApplicationRestrictions(EnforcerDeviceAdminReceiver.getComponentName(this),
        "com.paloaltonetworks.globalprotect", config);

Use Host Information in Policy Enforcement

Although you may have stringent security at your corporate network border, your network is really only as secure as the end devices that are accessing it. With today's workforce becoming more and more mobile, often requiring access to corporate resources from a variety of locations (airports, coffee shops, hotels) and from a variety of devices, both company-provisioned and personal, you must logically extend your network's security out to your endpoints to ensure comprehensive and consistent security enforcement. The GlobalProtect Host Information Profile (HIP) feature enables you to collect information about the security status of your end hosts, such as whether they have the latest security patches and antivirus definitions installed, whether they have disk encryption enabled, whether the device is jailbroken or rooted (mobile devices only), or whether it is running specific software you require within your organization, including custom applications, and base the decision as to whether to allow or deny access to a specific host on adherence to the host policies you define.
The following topics provide information about the use of host information in policy enforcement. It includes the following sections:
About Host Information
Configure HIP-Based Policy Enforcement
Collect Application and Process Data From Clients
Block Device Access


About Host Information

One of the jobs of the GlobalProtect agent is to collect information about the host it is running on. The agent then submits this host information to the GlobalProtect gateway upon successfully connecting. The gateway matches this raw host information submitted by the agent against any HIP objects and HIP profiles you have defined. If it finds a match, it generates an entry in the HIP Match log. Additionally, if it finds a HIP profile match in a policy rule, it enforces the corresponding security policy.
Using host information profiles for policy enforcement enables granular security that ensures that the remote hosts accessing your critical resources are adequately maintained and in adherence with your security standards before they are allowed access to your network resources. For example, before allowing access to your most sensitive data systems, you might want to ensure that the hosts accessing the data have encryption enabled on their hard drives. You can enforce this policy by creating a security rule that only allows access to the application if the client system has encryption enabled. In addition, for clients that are not in compliance with this rule, you could create a notification message that alerts users as to why they have been denied access and links them to the file share where they can access the installation program for the missing encryption software (of course, to allow the user to access that file share you would have to create a corresponding security rule allowing access to the particular share for hosts with that specific HIP profile match).
What Data Does the GlobalProtect Agent Collect?
How Does the Gateway Use the Host Information to Enforce Policy?
How Do Users Know if Their Systems are Compliant?
How Do I Get Visibility into the State of the End Clients?

What Data Does the GlobalProtect Agent Collect?

By default, the GlobalProtect agent collects vendor-specific data about the end user security packages that are running on the computer (as compiled by the OPSWAT global partnership program) and reports this data to the GlobalProtect gateway for use in policy enforcement.
Because security software must continually evolve to ensure end user protection, your GlobalProtect gateway licenses also enable you to get dynamic updates for the GlobalProtect data file with the latest patch and software versions available for each package.
While the agent collects a comprehensive amount of data about the host it is running on, you may have additional software that you require your end users to run in order to connect to your network or to access certain resources. In this case, you can define custom checks that instruct the agent to collect specific registry information (on Windows clients), preference list (plist) information (on Mac OS clients), or to collect information about whether or not specific services are running on the host.
The agent collects data about the following categories of information by default, to help to identify the security state of the host:


Table: Data Collection Categories
Category / Data Collected

General: Information about the host itself, including the hostname, logon domain, operating system, client version, and, for Windows systems, the domain to which the machine belongs. For the Windows client's domain, the GlobalProtect agent collects the domain defined for ComputerNameDnsDomain, which is the DNS domain assigned to the local computer or the cluster associated with the local computer. This data is what is displayed for the Windows client's Domain in the HIP Match log details (Monitor > HIP Match).

Patch Management: Information about any patch management software that is enabled and/or installed on the host and whether there are any missing patches.

Firewall: Information about any client firewalls that are installed and/or enabled on the host.

Antivirus: Information about any antivirus software that is enabled and/or installed on the host, whether or not real-time protection is enabled, the virus definition version, last scan time, the vendor and product name. GlobalProtect uses OPSWAT technology to detect and assess third-party security applications on the endpoint. By integrating with the OPSWAT OESIS framework, GlobalProtect enables you to assess the compliance state of the endpoint. For example, you can define HIP objects and HIP profiles that verify the presence of a specific version of antivirus software from a specific vendor on the endpoint and also ensure that it has the latest virus definition files.

Anti-Spyware: Information about any anti-spyware software that is enabled and/or installed on the host, whether or not real-time protection is enabled, the virus definition version, last scan time, the vendor and product name.

Disk Backup: Information about whether disk backup software is installed, the last backup time, and the vendor and product name of the software.

Disk Encryption: Information about whether disk encryption software is installed, which drives and/or paths are configured for encryption, and the vendor and product name of the software.

Data Loss Prevention: Information about whether data loss prevention (DLP) software is installed and/or enabled for the prevention of sensitive corporate information from leaving the corporate network or from being stored on a potentially insecure device. This information is only collected from Windows clients.

Mobile Devices: Identifying information about the mobile device, such as the model number, phone number, serial number and International Mobile Equipment Identity (IMEI) number. In addition, the agent collects information about specific settings on the device, such as whether or not a passcode is set, whether the device is jailbroken, a list of apps installed on the device that are managed by a third-party mobile device manager, if the device contains apps that are known to have malware (Android devices only), and, optionally, the GPS location of the device and a list of apps that are not managed by the third-party mobile device manager. Note that for iOS devices, some information is collected by the GlobalProtect app and some information is reported directly by the operating system.


You can exclude certain categories of information from being collected on certain hosts (to save CPU cycles and improve client response time). To do this, you create a client configuration on the portal excluding the categories you are not interested in. For example, if you do not plan to create policy based on whether or not client systems run disk backup software, you can exclude that category and the agent will not collect any information about disk backup.
You can also choose to exclude collecting information from personal devices in order to allow for user privacy. This can include excluding device location and a list of apps installed on the device that are not managed by a third-party mobile device manager.

How Does the Gateway Use the Host Information to Enforce Policy?

While the agent gets the information about what information to collect from the client configuration downloaded from the portal, you define which host attributes you are interested in monitoring and/or using for policy enforcement by creating HIP objects and HIP profiles on the gateway(s):
HIP Objects: Provide the matching criteria to filter out the host information you are interested in using to enforce policy from the raw data reported by the agent. For example, while the raw host data may include information about several antivirus packages that are installed on the client, you may only be interested in one particular application that you require within your organization. In this case, you would create a HIP object to match the specific application you are interested in enforcing.
The best way to determine what HIP objects you need is to determine how you will use the host information you collect to enforce policy. Keep in mind that the HIP objects themselves are merely building blocks that allow you to create the HIP profiles that are used in your security policies. Therefore, you may want to keep your objects simple, matching on one thing, such as the presence of a particular type of required software, membership in a specific domain, or the presence of a specific client OS. By doing this, you will have the flexibility to create a very granular (and very powerful) HIP-augmented policy.
HIP Profiles: A collection of HIP objects that are to be evaluated together, either for monitoring or for security policy enforcement. When you create your HIP profiles, you can combine the HIP objects you previously created (as well as other HIP profiles) using Boolean logic such that when a traffic flow is evaluated against the resulting HIP profile it will either match or not match. If there is a match, the corresponding policy rule will be enforced; if there is not a match, the flow will be evaluated against the next rule, as with any other policy matching criteria.
Unlike a traffic log, which only creates a log entry if there is a policy match, the HIP Match log generates an entry whenever the raw data submitted by an agent matches a HIP object and/or a HIP profile you have defined. This makes the HIP Match log a good resource for monitoring the state of the hosts on your network over time, before attaching your HIP profiles to security policies, in order to help you determine exactly what policies you believe need enforcement. See Configure HIP-Based Policy Enforcement for details on how to create HIP objects and HIP profiles and use them as policy match criteria.


How Do Users Know if Their Systems are Compliant?

By default, end users are not given any information about policy decisions that were made as a result of enforcement of a HIP-enabled security rule. However, you can enable this functionality by defining HIP notification messages to display when a particular HIP profile is matched and/or not matched.
The decision as to when to display a message (that is, whether to display it when the user's configuration matches a HIP profile in the policy or when it doesn't match it) depends largely on your policy and what a HIP match (or non-match) means for the user. That is, does a match mean they are granted full access to your network resources? Or does it mean they have limited access due to a non-compliance issue?
For example, consider the following scenarios:
You create a HIP profile that matches if the required corporate antivirus and anti-spyware software packages are not installed. In this case, you might want to create a HIP notification message for users who match the HIP profile telling them that they need to install the software (and, optionally, providing a link to the file share where they can access the installer for the corresponding software).
You create a HIP profile that matches if those same applications are installed. In this case, you might want to create the message for users who do not match the profile, and direct them to the location of the install package.
See Configure HIP-Based Policy Enforcement for details on how to create HIP objects and HIP profiles and use them in defining HIP notification messages.

How Do I Get Visibility into the State of the End Clients?

Whenever an end host connects to GlobalProtect, the agent presents its HIP data to the gateway. The gateway then uses this data to determine which HIP objects and/or HIP profiles the host matches. For each match, it generates a HIP Match log entry. Unlike a Traffic log, which only creates a log entry if there is a policy match, the HIP Match log generates an entry whenever the raw data submitted by an agent matches a HIP object and/or a HIP profile you have defined. This makes the HIP Match log a good resource for monitoring the state of the hosts on your network over time before attaching your HIP profiles to security policies, in order to help you determine exactly what policies you believe need enforcement.

Because a HIP Match log entry is only generated when the host state matches a HIP object you have created, for full visibility into host state you may need to create multiple HIP objects: objects that match hosts that are in compliance with a particular state (for security policy enforcement purposes) as well as objects that match hosts that are non-compliant (for visibility). For example, suppose you want to prevent a host that does not have antivirus software installed from connecting to the network. In this case you would create a HIP object that matches hosts that have a particular antivirus software installed. By including this object in a HIP profile and attaching it to the security policy rule that allows access from your VPN zone, you can ensure that only hosts that are protected with antivirus software can connect.

However, in this case you would not be able to see in the HIP Match log which particular hosts are not in compliance with this requirement. If you also want to see a log entry for hosts that do not have antivirus software installed, so that you can follow up with the users, create a second HIP object that matches the condition where the antivirus software is not installed. Because this object is only needed for logging purposes, you do not need to add it to a HIP profile or attach it to a security policy rule.
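The follow-up workflow described above, pulling HIP Match entries for a logging-only object and turning them into a list of non-compliant endpoints, as an added example that is not part of the guide and is not Palo Alto Networks code. It assumes the PAN-OS XML API log query form (type=log, log-type=hipmatch, query=...; the real API answers that request with a job ID and the entries are then fetched with action=get and the job ID, which is the response parse_hip_matches expects) and that the entry fields are named receive_time, machinename, src, srcuser, matchname and matchtype as in the API's log output. The object name AV-Not-Installed, the firewall address and the XML response are constructed for the example.

```python
"""List the hosts that produced HIP Match log entries for a given HIP object.

Added example; not from the GlobalProtect guide. Assumptions: the XML API log
query parameters and the entry field names are modelled on the PAN-OS XML API
log output; the sample XML below is constructed, not captured from a firewall.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode


def log_query_url(firewall, api_key, log_type, query, nlogs=100):
    """Build the XML API URL that requests log entries matching a filter.

    The filter grammar is the one used in the web UI log viewer, so the Traffic
    log filter from Step 10 of the next section, ( rule eq 'iOS Apps' ), works
    here unchanged with log_type="traffic".
    """
    params = {"type": "log", "log-type": log_type, "query": query,
              "nlogs": str(nlogs), "key": api_key}
    return f"https://{firewall}/api/?{urlencode(params)}"


def parse_hip_matches(xml_text):
    """Return one dict per <entry> in a fetched HIP Match log response."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API call failed: " + ET.tostring(root, encoding="unicode"))
    fields = ("receive_time", "machinename", "src", "srcuser", "matchname", "matchtype")
    return [{f: (entry.findtext(f) or "") for f in fields} for entry in root.iter("entry")]


def hosts_matching(entries, matchname):
    """Distinct (machine, tunnel IP, user) tuples that matched one HIP object or profile.

    For a logging-only object such as AV-Not-Installed (in no HIP profile and on
    no rule) this is the follow-up list the guide describes; the Traffic log can
    never show these hosts because nothing in policy references the object.
    """
    seen = {(e["machinename"], e["src"], e["srcuser"])
            for e in entries if e["matchname"] == matchname}
    return sorted(seen)


# Constructed sample response: two hosts, one of them checked in twice.
SAMPLE_RESPONSE = """<response status="success"><result><log><logs count="3" progress="100">
<entry logid="1"><receive_time>2016/11/21 09:00:01</receive_time><machinename>LAPTOP-ALICE</machinename>
 <src>10.31.32.5</src><srcuser>acme\\alice</srcuser><matchname>AV-Installed</matchname><matchtype>object</matchtype></entry>
<entry logid="2"><receive_time>2016/11/21 09:00:02</receive_time><machinename>LAPTOP-BOB</machinename>
 <src>10.31.32.9</src><srcuser>acme\\bob</srcuser><matchname>AV-Not-Installed</matchname><matchtype>object</matchtype></entry>
<entry logid="3"><receive_time>2016/11/21 10:00:02</receive_time><machinename>LAPTOP-BOB</machinename>
 <src>10.31.32.9</src><srcuser>acme\\bob</srcuser><matchname>AV-Not-Installed</matchname><matchtype>object</matchtype></entry>
</logs></log></result></response>"""

if __name__ == "__main__":
    print(log_query_url("gp.acme.com", "APIKEY", "hipmatch", "( matchname eq 'AV-Not-Installed' )"))
    for host in hosts_matching(parse_hip_matches(SAMPLE_RESPONSE), "AV-Not-Installed"):
        print("follow up:", host)
```

Because the HIP Match log records every check-in, the same host appears repeatedly; deduplicating on machine name, tunnel address and user gives one line per endpoint to chase, and the tunnel address is the one the gateway assigned from its IP pool, so it can be joined against the Traffic log for the same session.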


Configure HIP-Based Policy Enforcement

To enable the use of host information in policy enforcement, you must complete the following steps. For more information on the HIP feature, see About Host Information.

Enable HIP Checking

Step 1: Verify proper licensing for HIP checks.

To use the HIP feature, you must have purchased and installed a GlobalProtect Gateway subscription license on each gateway that will perform HIP checks. To verify the status of your licenses on each portal and gateway, select Device > Licenses. Contact your Palo Alto Networks Sales Engineer or Reseller if you do not have the required licenses. For more information on licensing, see About GlobalProtect Licenses.

Step 2: (Optional) Define any custom host information that you want the agent to collect.

For example, if you have any required applications that are not included in the Vendor and/or Product lists for creating HIP objects, you could create a custom check that will allow you to determine whether that application is installed (has a corresponding registry or plist key) or is running (has a corresponding running process).

Step 2 and Step 3 assume that you have already created a Portal Configuration. If you have not yet configured your portal, see Configure the GlobalProtect Portal for instructions.

1. On the firewall that is hosting your GlobalProtect portal, select Network > GlobalProtect > Portals.
2. Select your portal configuration to open the GlobalProtect Portal dialog.
3. Select the Agent tab and then select the agent configuration to which you want to add a custom HIP check, or click Add to create a new agent configuration.
4. Select the Data Collection tab.
5. Enable the option to Collect HIP Data.
6. Select Custom Checks and define the data you want to collect from hosts running this agent configuration as follows:
   - To collect information about specific registry keys: On the Windows tab, Add the name of a Registry Key for which to collect data in the Registry Key area. Optionally, to restrict data collection to a specific Registry Value, Add and then define the specific Registry Value or values. Click OK to save the settings.
   - To collect information about running processes: Select the appropriate tab (Windows or Mac) and then Add a process to the Process List. Enter the name of the process that you want the agent to collect information about.
   - To collect information about specific property lists: On the Mac tab, click Add in the Plist section. Enter the Plist for which to collect data. Optionally, click Add to restrict the data collection to specific Key values. Click OK to save the settings.
7. If this is a new client configuration, complete the rest of the configuration as desired. For instructions, see Define the GlobalProtect Agent Configurations.
8. Click OK to save the client configuration.
9. Commit the changes.


Step 3: (Optional) Exclude categories from collection.

1. On the firewall that is hosting your GlobalProtect portal, select Network > GlobalProtect > Portals.
2. Select your portal configuration to open the GlobalProtect Portal dialog.
3. On the Agent tab, select the agent configuration from which to exclude categories, or Add a new one.
4. Select Data Collection, and then verify that Collect HIP Data is enabled.
5. On the Exclude Categories tab, click Add. The Edit Exclude Category dialog displays.
6. Select the Category you want to exclude from the drop-down list.
7. (Optional) If you want to exclude specific vendors and/or products from collection within the selected category rather than excluding the entire category, click Add. You can then select the Vendor to exclude from the drop-down on the Edit Vendor dialog and, optionally, click Add to exclude specific products from that vendor. When you are done defining that vendor, click OK. You can add multiple vendors and products to the exclude list.
8. Repeat Step 6 and Step 7 for each category you want to exclude.
9. If this is a new client configuration, complete the rest of the configuration as desired. For more information on defining client configurations, see Define the GlobalProtect Agent Configurations.
10. Click OK to save the client configuration.
11. Commit the changes.


Step 4: Create the HIP objects to filter the raw host data collected by the agents.

The best way to determine what HIP objects you need is to determine how you will use the host information you collect to enforce policy. Keep in mind that the HIP objects themselves are merely building blocks that allow you to create the HIP profiles that are used in your security policies. Therefore, you may want to keep your objects simple, matching on one thing, such as the presence of a particular type of required software, membership in a specific domain, or the presence of a specific client OS. By doing this, you will have the flexibility to create a very granular (and very powerful) HIP-augmented policy.

For details on a specific HIP category or field, refer to the online help.

1. On the gateway (or on Panorama if you plan to share the HIP objects among multiple gateways), select Objects > GlobalProtect > HIP Objects and click Add.
2. On the General tab, enter a Name for the object.
3. Select the tab that corresponds to the category of host information you are interested in matching against and select the check box to enable the object to match against the category. For example, to create an object that looks for information about antivirus software, select the Antivirus tab and then select the Antivirus check box to enable the corresponding fields. Complete the fields to define the desired matching criteria. For example, an object can be defined so that it matches only if the Symantec Norton AntiVirus 2004 Professional application is installed, has Real Time Protection enabled, and has virus definitions that have been updated within the last 5 days (the guide illustrates this with a screenshot that is not reproduced here).
   Repeat this step for each category you want to match against in this object. For more information, see Table: Data Collection Categories.
4. Click OK to save the HIP object.
5. Repeat these steps to create each additional HIP object you require.
6. Commit the changes.


Step 5: Create the HIP profiles that you plan to use in your policies.

When you create your HIP profiles, you can combine the HIP objects you previously created (as well as other HIP profiles) using Boolean logic, so that when a traffic flow is evaluated against the resulting HIP profile it will either match or not match. If there is a match, the corresponding policy rule is enforced; if there is not a match, the flow is evaluated against the next rule, as with any other policy matching criteria.

1. On the gateway (or on Panorama if you plan to share the HIP profiles among multiple gateways), select Objects > GlobalProtect > HIP Profiles and click Add.
2. Enter a descriptive Name for the profile and optionally a Description.
3. Click Add Match Criteria to open the HIP Objects/Profiles Builder.
4. Select the first HIP object or profile you want to use as match criteria and then click add to move it over to the Match text box on the HIP Profile dialog. Keep in mind that if you want the HIP profile to evaluate the object as a match only when the criteria in the object is not true for a flow, select the NOT check box before adding the object.
5. Continue adding match criteria as appropriate for the profile you are building, making sure to select the appropriate Boolean operator radio button (AND or OR) between each addition (and, again, using the NOT check box when appropriate).
6. If you are creating a complex Boolean expression, you must manually add the parentheses in the proper places in the Match text box to ensure that the HIP profile is evaluated using the logic you intend. For example, a HIP profile that should match traffic from a host that has either FileVault disk encryption (for Mac OS systems) or TrueCrypt disk encryption (for Windows systems), and also belongs to the required domain, and has a Symantec antivirus client installed, needs the two disk encryption alternatives grouped in parentheses so that the AND conditions apply to both of them (the guide illustrates the resulting Match text with a screenshot that is not reproduced here).
7. When you are done adding match criteria, click OK to save the profile.
8. Repeat these steps to create each additional HIP profile you require.
9. Commit the changes.
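The parenthesization point in sub-step 6 is easy to get wrong, so here is the grouping problem worked through in code, as an added example that is not part of the guide and is not the firewall's own evaluator. It assumes a Match text syntax modelled on what the HIP Objects/Profiles Builder writes (object or profile names in double quotes; and, or, not; parentheses), and it evaluates an ungrouped expression with conventional precedence (not, then and, then or) purely to show the effect; whether the firewall applies that or any other default is exactly the question the guide tells you to avoid by placing the parentheses yourself. The object names FileVault, TrueCrypt, Corp-Domain, Symantec-AV and AV-Not-Installed are hypothetical.

```python
"""Parse and evaluate HIP profile Match expressions.

Added example, not from the GlobalProtect guide and not the firewall's own
evaluator. Assumptions: Match text syntax as written by the builder (quoted
names, and / or / not, parentheses); the precedence used when parentheses are
absent (not, then and, then or) is an assumption about this evaluator only.
"""
import re

# Quoted name | parenthesis | operator | anything else (rejected).
_TOKEN_RE = re.compile(r'\s*(?:("[^"]*")|([()])|\b(and|or|not)\b|(\S))', re.IGNORECASE)


def tokenize(expr):
    """Split a Match expression into quoted names, parentheses and operators."""
    tokens = []
    for m in _TOKEN_RE.finditer(expr):
        name, paren, op, junk = m.groups()
        if junk:
            raise ValueError(f"unexpected character {junk!r} in {expr!r}")
        tokens.append(name if name else (paren or op.lower()))
    return tokens


class _Parser:
    """Recursive-descent parser producing a small tuple-based syntax tree."""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.expr_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def expr_or(self):            # or binds loosest
        node = self.expr_and()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.expr_and())
        return node

    def expr_and(self):           # and binds tighter than or
        node = self.expr_not()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.expr_not())
        return node

    def expr_not(self):           # not binds tightest (the NOT check box)
        if self.peek() == "not":
            self.take()
            return ("not", self.expr_not())
        return self.atom()

    def atom(self):
        tok = self.take()
        if tok == "(":
            node = self.expr_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok and tok.startswith('"'):
            return ("obj", tok[1:-1])
        raise ValueError(f"expected object name or '(', got {tok!r}")


def evaluate(node, matched):
    """matched: the set of HIP object/profile names that are true for this host."""
    kind = node[0]
    if kind == "obj":
        return node[1] in matched
    if kind == "not":
        return not evaluate(node[1], matched)
    left, right = evaluate(node[1], matched), evaluate(node[2], matched)
    return (left and right) if kind == "and" else (left or right)


def profile_matches(match_text, matched_objects):
    """True if a host whose matched HIP objects are matched_objects matches the profile."""
    return evaluate(_Parser(tokenize(match_text)).parse(), set(matched_objects))


# The guide's example: (FileVault OR TrueCrypt) AND domain member AND Symantec AV.
INTENDED = '("FileVault" or "TrueCrypt") and "Corp-Domain" and "Symantec-AV"'
UNGROUPED = '"FileVault" or "TrueCrypt" and "Corp-Domain" and "Symantec-AV"'

MAC_NOT_IN_DOMAIN = {"FileVault"}                           # encrypted, no domain, no AV
WINDOWS_COMPLIANT = {"TrueCrypt", "Corp-Domain", "Symantec-AV"}

if __name__ == "__main__":
    for label, expr in (("intended", INTENDED), ("ungrouped", UNGROUPED)):
        print(f"{label:9} mac-not-in-domain={profile_matches(expr, MAC_NOT_IN_DOMAIN)} "
              f"windows-compliant={profile_matches(expr, WINDOWS_COMPLIANT)}")
```

The compliant Windows host matches either way, which is why a quick test against a good endpoint does not reveal the mistake. The Mac that is encrypted but neither domain-joined nor running antivirus is the case that separates them: the grouped expression rejects it, the ungrouped one reads as FileVault OR (everything else) and lets it through. Test HIP-enabled rules against a deliberately non-compliant endpoint, not only a compliant one.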


Step 6: Verify that the HIP objects and HIP profiles you created are matching your GlobalProtect client traffic as expected.

On the gateway(s) that your GlobalProtect users are connecting to, select Monitor > Logs > HIP Match. This log shows all of the matches the gateway identified when evaluating the raw HIP data reported by the agents against the defined HIP objects and HIP profiles. Unlike other logs, a HIP match does not require a security policy match in order to be logged.

Consider monitoring HIP objects and profiles as a means to monitor the security state and activity of your host endpoints. By monitoring the host information over time you will be better able to understand where your security and compliance issues are, and you can use this information to guide you in creating useful policy. For more details, see How Do I Get Visibility into the State of the End Clients?

Step 7: Enable User-ID on the source zones that contain the GlobalProtect users that will be sending requests that require HIP-based access controls.

You must enable User-ID even if you don't plan on using the user identification feature, or the firewall will not generate any HIP Match log entries.

1. Select Network > Zones.
2. Click on the Name of the zone in which you want to enable User-ID to open the Zone dialog.
3. Enable User-ID by selecting the Enabled check box and then click OK.

Step 8: Create the HIP-enabled security rules on your gateway(s).

As a best practice, you should create your security rules and test that they match the expected flows based on the source and destination criteria before adding your HIP profiles. By doing this you will also be better able to determine the proper placement of the HIP-enabled rules within the policy.

1. Select Policies > Security and select the rule to which you want to add a HIP profile.
2. On the Source tab, make sure the Source Zone is a zone for which you enabled User-ID in Step 7.
3. On the User tab, click Add in the HIP Profiles section and select the HIP profile(s) you want to add to the rule (you can add up to 63 HIP profiles to a rule).
4. Click OK to save the rule.
5. Commit the changes.


Step 9: Define the notification messages end users will see when a security rule with a HIP profile is enforced.

The decision as to when to display a message (that is, whether to display it when the user's configuration matches a HIP profile in the policy or when it doesn't match it) depends largely on your policy and what a HIP match (or non-match) means for the user. That is, does a match mean they are granted full access to your network resources? Or does it mean they have limited access due to a non-compliance issue?

For example, suppose you create a HIP profile that matches if the required corporate antivirus and anti-spyware software packages are not installed. In this case, you might want to create a HIP notification message for users who match the HIP profile, telling them that they need to install the software. Alternatively, if your HIP profile matches if those same applications are installed, you might want to create the message for users who do not match the profile.

1. On the firewall that is hosting your GlobalProtect gateway(s), select Network > GlobalProtect > Gateways.
2. Select a previously defined gateway configuration to open the GlobalProtect Gateway dialog.
3. Select Client Configuration > HIP Notification and then click Add.
4. Select the HIP Profile this message applies to from the drop-down.
5. Select Match Message or Not Match Message, depending on whether you want to display the message when the corresponding HIP profile is matched in policy or when it is not matched. In some cases you might want to create messages for both a match and a non-match, depending on what objects you are matching on and what your objectives are for the policy. For the Match Message, you can also enable the option to Include matched application list in message to indicate what applications triggered the HIP match.
6. Select the Enable check box and select whether you want to display the message as a Pop Up Message or as a System Tray Balloon.
7. Enter the text of your message in the Template text box and then click OK. The text box provides both a WYSIWYG view of the text and an HTML source view, which you can toggle between using the Source Edit icon. The toolbar also provides many options for formatting your text and for creating hyperlinks to external documents, for example to link users directly to the download URL for a required software program.
8. Repeat this procedure for each message you want to define.
9. Commit the changes.


Step 10: Verify that your HIP profiles are working as expected.

You can monitor what traffic is hitting your HIP-enabled policies using the Traffic log as follows:

1. From the gateway, select Monitor > Logs > Traffic.
2. Filter the log to display only traffic that matches the rule that has the HIP profile you are interested in monitoring attached. For example, to search for traffic that matches a security rule named iOS Apps, you would enter ( rule eq 'iOS Apps' ) in the filter text box.


Collect Application and Process Data From Clients

The Windows Registry and Mac plist can be used to configure and store settings and options for Windows and Mac operating systems, respectively. You can create a custom check that will allow you to determine whether an application is installed (has a corresponding registry or plist key) or is running (has a corresponding running process) on a Windows or Mac client. Enabling custom checks instructs the GlobalProtect agent to collect specific registry information (Registry Keys and Registry Key Values from Windows clients) or preference list (plist) information (plists and plist keys from Mac OS clients). The data that you define to be collected in a custom check is included in the raw host information data collected by the GlobalProtect agent and then submitted to the GlobalProtect gateway when the agent connects.

To monitor the data collected with custom checks you can create a HIP object. You can then add the HIP object to a HIP profile to use the collected data to match device traffic and enforce security rules. The gateway uses the HIP object (which matches the data defined in the custom check) to filter the raw host information submitted by the agent. When the gateway matches the client data to a HIP object, a HIP Match log entry is generated for the data. A HIP profile allows the gateway to also match the collected data to a security rule. If the HIP profile is used as criteria for a security policy rule, the gateway enforces that security rule on the matching traffic.

Use the following task to enable custom checks to collect data from Windows and Mac clients. This task includes the optional steps to create a HIP object and HIP profile for a custom check, if you would like to use client data as matching criteria for a security policy to monitor, identify, and act on traffic.

For more information on defining agent settings directly from the Windows registry or the global Mac plist, see Deploy Agent Settings Transparently.

Enable and Verify Custom Checks for Windows or Mac Clients

Step 1: Enable the GlobalProtect agent to collect Windows Registry information from Windows clients or plist information from Mac clients.

The type of information collected can include whether or not an application is installed on the client, or specific attributes or properties of that application. This step enables the agent to report data on the applications and client settings. (Step 5 and Step 6 will show you how to monitor and use the reported data to identify or take action on certain device traffic.)

Collect data from a Windows client:
1. Select Network > GlobalProtect > Portals and then select the portal configuration you want to modify or Add a new one.
2. Select the Agent tab and then select the agent configuration you want to modify or Add a new one.
3. Select Data Collection, and then verify that Collect HIP Data is enabled.
4. Select Custom Checks > Windows.
5. Add the Registry Key that you want to collect information about. If you want to restrict data collection to a value contained within that Registry Key, add the corresponding Registry Value.

Collect data from a Mac client:
1. Select Network > GlobalProtect > Portals and then select the portal configuration you want to modify or Add a new one.
2. Select the Agent tab and then select the agent configuration you want to modify or Add a new one.
3. Select Data Collection, and then verify that Collect HIP Data is enabled.
4. Select Custom Checks > Mac.
5. Add the Plist that you want to collect information about and the corresponding Plist Key to determine if the application is installed. For example, Add the Plist com.apple.screensaver and the Key askForPassword to collect information on whether a password is required to wake the Mac client after the screen saver begins. Confirm that the Plist and Key are added to the Mac custom checks. (The guide illustrates these dialogs with screenshots that are not reproduced here.)

Step 2: (Optional) Check if a specific process is running on the client.

1. Continue from Step 1 on the Custom Checks tab (Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > Data Collection) and select the Windows tab or Mac tab.
2. Add the name of the process that you want to collect information about to the Process List.

Step 3: Save the custom check.

Click OK and Commit the changes.


Step 4: Verify that the GlobalProtect agent is collecting the data defined in the custom check from the client.

For Windows clients: On the Windows client, double-click the GlobalProtect icon on the taskbar and click the Host State tab to view the information that the GlobalProtect agent is collecting from the Windows client. Under the custom checks drop-down, verify that the data that you defined for collection in Step 1 and Step 2 is displayed.

For Mac clients: On the Mac client, click the GlobalProtect icon on the Menu bar, click Advanced View, and click Host State to view the information that the GlobalProtect agent is collecting for the Mac client. Under the custom checks drop-down, verify that the data you defined for collection in Step 1 and Step 2 is displayed.


Step 5: (Optional) Create a HIP object to match a Registry Key (Windows) or Plist (Mac).

This allows you to filter the raw host information collected from the GlobalProtect agent in order to monitor the data for the custom check. With a HIP object defined for the custom check data, the gateway matches the raw data submitted by the agent to the HIP object and a HIP Match log entry is generated for the data (Monitor > HIP Match).

For Windows and Mac clients:
1. Select Objects > GlobalProtect > HIP Objects and Add a HIP Object.
2. Select and enable Custom Checks.

For Windows clients only:
1. To check Windows clients for a specific registry key, select Registry Key and Add the registry key to match on. To only identify clients that do not have the specified registry key, select Key does not exist or match the specified value data.
2. To match on specific values within the registry key, click Add and then enter the registry value and value data. To identify clients that explicitly do not have the specified value or value data, select the Negate check box.
3. Click OK to save the HIP object. You can Commit to view the data in the HIP Match logs at the next device check-in, or continue to Step 6.

For Mac clients only:
1. Select the Plist tab, click Add, and enter the name of the Plist for which you want to check Mac clients. (If instead you want to match Mac clients that do not have the specified Plist, select Plist does not exist.)
2. (Optional) You can match traffic to a specific key-value pair within the Plist by entering the Key and the corresponding Value to match. (Alternatively, if you want to identify clients that do not have a specific Key and Value, select Negate after populating the Key and Value fields.)
3. Click OK to save the HIP object. You can Commit to view the data in the HIP Match logs at the next device check-in, or continue to Step 6.
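The plist options in this step (a key/value match, Negate, and Plist does not exist) interact in a way that matters for visibility, so here they are worked through against the com.apple.screensaver / askForPassword check from Step 1, as an added example that is not part of the guide and is not the agent's or gateway's code. It uses Python's standard plistlib; the preference files are constructed in memory to stand in for what the agent reads from the client, the field names on PlistCheck mirror the dialog's options, and the matching semantics given to Negate and to a missing plist are an assumption drawn from the dialog's wording rather than documented gateway behaviour.

```python
"""Evaluate a plist custom-check HIP object against the data an agent would collect.

Added example; not from the GlobalProtect guide and not the agent's or the
gateway's own code. The plist content is constructed with plistlib; the object
fields mirror the HIP object dialog, and the semantics of Negate and of an
absent plist are an assumption about this evaluator.
"""
import plistlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class PlistCheck:
    plist: str                          # e.g. "com.apple.screensaver"
    key: Optional[str] = None           # e.g. "askForPassword"
    value: Optional[str] = None         # compared as text, as the dialog takes text
    plist_must_not_exist: bool = False  # the "Plist does not exist" option
    negate: bool = False                # the "Negate" check box on the key/value pair


def collect_plist(files_by_domain, domain):
    """What the custom check reports for one plist domain: the parsed
    dictionary, or None when the preference file is absent on the host."""
    raw = files_by_domain.get(domain)
    return plistlib.loads(raw) if raw is not None else None


def plist_object_matches(check, collected):
    """Apply the HIP object to the collected plist data of one host."""
    present = collected is not None
    if check.plist_must_not_exist:
        return not present
    if not present:
        return False            # no plist, so no key/value pair to match or negate
    if check.key is None:
        return True             # object only asks whether the plist exists
    pair_matches = check.key in collected and str(collected[check.key]) == str(check.value)
    return (not pair_matches) if check.negate else pair_matches


# Constructed sample hosts: on a real Mac the agent reads these from disk.
HOSTS = {
    "mac-locked": {
        "com.apple.screensaver": plistlib.dumps({"askForPassword": 1, "askForPasswordDelay": 0}),
    },
    "mac-unlocked": {
        "com.apple.screensaver": plistlib.dumps({"askForPassword": 0}),
    },
    "mac-never-set": {},        # the preference file has never been written
}

REQUIRES_LOCK = PlistCheck("com.apple.screensaver", "askForPassword", "1")
# Logging-only object for follow-up: hosts that do NOT require a password on wake.
LOCK_MISSING = PlistCheck("com.apple.screensaver", "askForPassword", "1", negate=True)
# Hosts where the preference was never set at all.
NO_PREF_FILE = PlistCheck("com.apple.screensaver", plist_must_not_exist=True)


def evaluate_hosts(check):
    """Host names for which the HIP object would produce a HIP Match log entry."""
    return sorted(host for host, files in HOSTS.items()
                  if plist_object_matches(check, collect_plist(files, check.plist)))


if __name__ == "__main__":
    for name, check in (("REQUIRES_LOCK", REQUIRES_LOCK), ("LOCK_MISSING", LOCK_MISSING),
                        ("NO_PREF_FILE", NO_PREF_FILE)):
        print(name, evaluate_hosts(check))
```

The host that never wrote the preference file is the edge case: it matches neither the compliant object nor the negated one, because there is no key/value pair to negate. If you rely on the negated object alone for your follow-up list, that host is invisible, so for full visibility you also want the Plist does not exist object, exactly as the earlier section recommends creating separate objects for the compliant and the non-compliant states.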


Step 6: (Optional) Create a HIP profile to allow the HIP object you created in Step 5 to be evaluated against traffic.

The HIP profile can be added to a security policy rule as an additional check for traffic matching that rule. When the traffic is matched to the HIP profile, the security policy rule is enforced on the traffic. For more details on creating HIP profiles, see Configure HIP-Based Policy Enforcement.

1. Select Objects > GlobalProtect > HIP Profiles.
2. Click Add Match Criteria to open the HIP Objects/Profiles Builder.
3. Select the HIP object you want to use as match criteria and then move it over to the Match box on the HIP Profile dialog.
4. When you have finished adding the objects to the new HIP profile, click OK and Commit.

Step 7: Add the HIP profile to a security policy rule so that the data collected with the custom check can be used to match and act on traffic.

Select Policies > Security, and Add or modify a security policy rule. Go to the User tab to add a HIP profile to the rule. For more details on security policy components and on using security policies to match and act on traffic, see Security Policy.


Block Device Access

In the event that a user loses a device that provides GlobalProtect access to your network, that device is stolen, or a user leaves your organization, you can block the device from gaining access to the network by placing the device in a block list.

A block list is local to a logical network location (vsys1, for example) and can contain a maximum of 1,000 devices per location. Therefore, you can create separate device block lists for each location hosting a GlobalProtect deployment.

Block Device Access

Step 1: Create a device block list.

You cannot use Panorama templates to push a device block list to firewalls.

1. Select Network > GlobalProtect > Device Block List and Add a device block list.
2. Enter a descriptive Name for the list.
3. For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the list is available.

Step 2: Add a device to a block list.

1. Add devices. Enter the host ID (required) and host name (optional) for a device you need to block. The host ID is the value the list is matched on; the host name is a label for your own reference.
2. Add additional devices, if needed.
3. Click OK to save and activate the block list. The device list does not require a commit and is immediately active.

GlobalProtect Quick Configs

The following sections provide step-by-step instructions for configuring some common GlobalProtect deployments:

- Remote Access VPN (Authentication Profile)
- Remote Access VPN (Certificate Profile)
- Remote Access VPN with Two-Factor Authentication
- Always On VPN Configuration
- Remote Access VPN with Pre-Logon
- GlobalProtect Multiple Gateway Configuration
- GlobalProtect for Internal HIP Checking and User-Based Access
- Mixed Internal and External Gateway Configuration


Remote Access VPN (Authentication Profile)

In Figure: GlobalProtect VPN for Remote Access, the GlobalProtect portal and gateway are configured on ethernet1/2, so this is the physical interface where GlobalProtect clients connect. After a client connects and the portal and gateway authenticate it, the client establishes a VPN tunnel from its virtual adapter, which has been assigned an address in the IP address pool associated with the gateway's tunnel.2 configuration (10.31.32.3 to 10.31.32.118 in this example). Because GlobalProtect VPN tunnels terminate in a separate corp-vpn zone, you have visibility into the VPN traffic as well as the ability to customize security policy for remote users.

Figure: GlobalProtect VPN for Remote Access (diagram not reproduced here)

The following procedure provides the configuration steps for this example. You can also watch the video.

Quick Config: VPN Remote Access

Step 1: Create interfaces and zones for GlobalProtect.

Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.

- Select Network > Interfaces > Ethernet and configure ethernet1/2 as a Layer 3 Ethernet interface with IP address 203.0.113.1, and assign it to the l3-untrust zone and the default virtual router.
- Create a DNS A record that maps IP address 203.0.113.1 to gp.acme.com.
- Select Network > Interfaces > Tunnel and add the tunnel.2 interface, adding it to a new zone called corp-vpn. Assign it to the default virtual router.
- Enable User Identification on the corp-vpn zone.


Step 2: Create a security policy rule to enable traffic flow between the corp-vpn zone and the l3-trust zone, to enable access to your internal resources.

1. Select Policies > Security and then Add a new rule.
2. For this example, you would define the rule with the following settings:
   - Name: VPN Access
   - Source Zone: corp-vpn
   - Destination Zone: l3-trust

Step 3: Obtain a server certificate for the interface hosting the GlobalProtect portal and gateway using one of the following methods:

- (Recommended) Import a server certificate from a well-known, third-party CA.
- Use the root CA on the portal to generate a self-signed server certificate. Clients will only trust such a certificate if that root CA has been distributed to them.

Select Device > Certificate Management > Certificates to manage certificates as follows:

- Obtain a server certificate. Because the portal and gateway are on the same interface, the same server certificate can be used for both components.
- The CN of the certificate must match the FQDN, gp.acme.com.
- To enable clients to connect to the portal without receiving certificate errors, use a server certificate from a public CA.

Step 4: Create a server profile.

The server profile instructs the firewall how to connect to the authentication service. Supported methods are Local, RADIUS, Kerberos, and LDAP authentication. This example shows an LDAP authentication profile for authenticating users against Active Directory.

Create the server profile for connecting to the LDAP server (Device > Server Profiles > LDAP).

Step 5: Create an authentication profile.

Attach the server profile to an authentication profile (Device > Authentication Profile). This example names the profile Corp-LDAP and references it from the gateway and portal configurations in Step 6 and Step 7.


Step 6: Configure a GlobalProtect gateway.

Select Network > GlobalProtect > Gateways and add the following configuration:

- Interface: ethernet1/2
- IP Address: 203.0.113.1
- Server Certificate: GP-server-cert.pem issued by GoDaddy
- Authentication Profile: Corp-LDAP
- Tunnel Interface: tunnel.2
- IP Pool: 10.31.32.3 - 10.31.32.118

Step 7: Configure the GlobalProtect portal.

Select Network > GlobalProtect > Portals and add the following configuration:

1. Set Up Access to the GlobalProtect Portal. This example uses the following settings:
   - Interface: ethernet1/2
   - IP Address: 203.0.113.1
   - Server Certificate: GP-server-cert.pem issued by GoDaddy
   - Authentication Profile: Corp-LDAP
2. Define the GlobalProtect Agent Configurations using the following settings:
   - Connect Method: On-demand (Manual user initiated connection)
   - External Gateway Address: gp.acme.com

Step 8: Deploy the GlobalProtect agent software.

Select Device > GlobalProtect Client. In this example, use the procedure to Host Agent Updates on the Portal.

Step 9: (Optional) Enable use of the GlobalProtect mobile app.

Purchase and install a GlobalProtect Gateway subscription (Device > Licenses) to enable use of the app.

Step 10: Save the GlobalProtect configuration.

Click Commit.


Remote Access VPN (Certificate Profile)

With certificate authentication, the client must present a valid client certificate that identifies the user to the GlobalProtect portal or gateway. In addition to the certificate itself, the portal or gateway can use a certificate profile to determine whether the client that sent the certificate is the client to which the certificate was issued.

When a client certificate is the only means of authentication, the certificate that the client presents must contain the username in one of the certificate fields; typically the username corresponds to the common name (CN) in the Subject field of the certificate.

Upon successful authentication, the GlobalProtect agent establishes a VPN tunnel with the gateway and is assigned an IP address from the IP pool in the gateway's tunnel configuration. To support user-based policy enforcement on sessions from the corp-vpn zone, the username from the certificate is mapped to the IP address that the gateway assigned. Also, if a security policy requires a domain name in addition to the username, the domain value specified in the certificate profile is appended to the username.

Figure: GlobalProtect Client Certificate Authentication Configuration (diagram not reproduced here)

This quick configuration uses the same topology as Figure: GlobalProtect VPN for Remote Access. The only configuration difference is that instead of authenticating users against an external authentication server, this configuration uses client certificate authentication only.

Quick Config: VPN Remote Access with Client Certificate Authentication

Step 1: Create interfaces and zones for GlobalProtect.

Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.

- Select Network > Interfaces > Ethernet and configure ethernet1/2 as a Layer 3 Ethernet interface with IP address 203.0.113.1, and assign it to the l3-untrust security zone and the default virtual router.
- Create a DNS A record that maps IP address 203.0.113.1 to gp.acme.com.
- Select Network > Interfaces > Tunnel. Add the tunnel.2 interface to a new zone called corp-vpn. Assign the interface to the default virtual router.
- Enable User Identification on the corp-vpn zone.


Step2 Createsecuritypolicytoenabletraffic 1. SelectPolicies> SecurityandthenAddanewrule.


flowbetweenthecorpvpnzoneandthe 2. Forthisexample,youwoulddefinetherulewiththefollowing
l3trustzonetoenableaccesstoyour settings:
internalresources.
NameVPN Access
SourceZonecorp-vpn
DestinationZonel3-trust

Step3 Obtainaservercertificateforthe SelectDevice> Certificate Management> Certificates tomanage


interfacehostingtheGlobalProtect certificatesasfollows:
portalandgatewayusingoneofthe Obtainaservercertificate.Becausetheportalandgatewayare
followingmethods: onthesameinterface,thesameservercertificatecanbeusedfor
(Recommended)Importaserver bothcomponents.
certificatefromawellknown, TheCNofthecertificatemustmatchtheFQDN,gp.acme.com.
thirdpartyCA. Toenableclientstoconnecttotheportalwithoutreceiving
UsetherootCAontheportalto certificateerrors,useaservercertificatefromapublicCA.
generateaselfsignedserver
certificate.

Step 4  Issue client certificates to GlobalProtect clients and endpoints. This enables the GlobalProtect portal and gateways to validate that the device belongs to your organization.
    1. Use your enterprise PKI or a public CA to issue a unique client certificate to each GlobalProtect user.
    2. Install certificates in the personal certificate store on the endpoints.

Step 5  Create a client certificate profile.
    1. Select Device > Certificate Management > Certificate Profile, click Add and enter a profile Name such as GP-client-cert.
    2. Select Subject from the Username Field drop-down.
    3. Click Add in the CA Certificates section, select the CA Certificate that issued the client certificates, and click OK twice.

Step 6  Configure a GlobalProtect Gateway. See the topology diagram shown in Figure: GlobalProtect VPN for Remote Access.
    Select Network > GlobalProtect > Gateways and add the following configuration:
       Interface: ethernet1/2
       IP Address: 203.0.113.1
       Server Certificate: GP-server-cert.pem issued by GoDaddy
       Certificate Profile: GP-client-cert
       Tunnel Interface: tunnel.2
       IP Pool: 10.31.32.3 - 10.31.32.118


Step 7  Configure the GlobalProtect Portal.
    Select Network > GlobalProtect > Portals and add the following configuration:
    1. Set Up Access to the GlobalProtect Portal:
       Interface: ethernet1/2
       IP Address: 203.0.113.1
       Server Certificate: GP-server-cert.pem issued by GoDaddy
       Certificate Profile: GP-client-cert
    2. Define the GlobalProtect Agent Configurations:
       Connect Method: On-demand (Manual user initiated connection)
       External Gateway Address: gp.acme.com

Step 8  Deploy the GlobalProtect Agent Software.
    Select Device > GlobalProtect Client. In this example, use the procedure to Host Agent Updates on the Portal.

Step 9  (Optional) Enable use of the GlobalProtect mobile app.
    Purchase and install a GlobalProtect Gateway subscription (Device > Licenses) to enable use of the app.

Step 10  Save the GlobalProtect configuration.
    Click Commit.


Remote Access VPN with Two-Factor Authentication

If you configure a GlobalProtect portal or gateway with an authentication profile and a certificate profile (which together can provide two-factor authentication), the end user must succeed at authentication through both profiles before gaining access. For portal authentication, this means that certificates must be pre-deployed to the end clients before their initial portal connection. Additionally, the client certificate presented by a client must match what is defined in the certificate profile.
If the certificate profile does not specify a username field (that is, the Username Field is set to None), the client certificate does not need to have a username. In this case, the client must provide the username when authenticating against the authentication profile.
If the certificate profile specifies a username field, the certificate that the client presents must contain a username in the corresponding field. For example, if the certificate profile specifies that the username field is Subject, the certificate presented by the client must contain a value in the common name field, or else the authentication fails. In addition, when the username field is required, the value from the username field of the certificate is automatically populated as the username when the user attempts to enter credentials for authenticating to the authentication profile. If you do not want to force users to authenticate with a username from the certificate, do not specify a username field in the certificate profile.

This quick configuration uses the same topology as Figure: GlobalProtect VPN for Remote Access. However, in this configuration the clients must authenticate against a certificate profile and an authentication profile. For more details on a specific type of two-factor authentication, see the following topics:
- Enable Two-Factor Authentication Using Certificate and Authentication Profiles
- Enable Two-Factor Authentication Using One-Time Passwords (OTPs)
- Enable Two-Factor Authentication Using Smart Cards


Use the following procedure to configure VPN Remote Access with Two-Factor Authentication.

VPN Remote Access with Two-Factor Authentication

Step 1  Create Interfaces and Zones for GlobalProtect.
    Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.
    - Select Network > Interfaces > Ethernet and configure ethernet1/2 as a Layer 3 Ethernet interface with IP address 203.0.113.1 and assign it to the l3-untrust security zone and the default virtual router.
    - Create a DNS A record that maps IP address 203.0.113.1 to gp.acme.com.
    - Select Network > Interfaces > Tunnel and add the tunnel.2 interface and add it to a new zone called corp-vpn. Assign it to the default virtual router.
    - Enable User Identification on the corp-vpn zone.

Step 2  Create security policy to enable traffic flow between the corp-vpn zone and the l3-trust zone to enable access to your internal resources.
    1. Select Policies > Security and then click Add to add a new rule.
    2. For this example, you would define the rule with the following settings:
       Name: VPN Access
       Source Zone: corp-vpn
       Destination Zone: l3-trust

Step 3  Obtain a server certificate for the interface hosting the GlobalProtect portal and gateway using one of the following methods:
    - (Recommended) Import a server certificate from a well-known, third-party CA.
    - Use the root CA on the portal to generate a self-signed server certificate.
    Select Device > Certificate Management > Certificates to manage certificates as follows:
    - Obtain a server certificate. Because the portal and gateway are on the same interface, the same server certificate can be used for both components.
    - The CN of the certificate must match the FQDN, gp.acme.com.
    - To enable clients to connect to the portal without receiving certificate errors, use a server certificate from a public CA.

Step 4  Issue client certificates to GlobalProtect clients and endpoints. This enables the GlobalProtect portal and gateways to validate that the device belongs to your organization.
    1. Use your enterprise PKI or a public CA to issue a unique client certificate to each GlobalProtect user.
    2. Install certificates in the personal certificate store on the endpoints.


Step 5  Create a client certificate profile.
    1. Select Device > Certificate Management > Certificate Profile, Add and enter a profile Name such as GP-client-cert.
    2. Specify where to get the username that will be used to authenticate the end user:
       - From user: If you want the end user to supply a username when authenticating to the service specified in the authentication profile, select None as the Username Field.
       - From certificate: If you want to extract the username from the certificate, select Subject as the Username Field. If you use this option, the CN contained in the certificate will automatically populate the username field when the user is prompted to log in to the portal/gateway, and the user will be required to log in using that username.
    3. In the CA Certificates section, Add and then select the CA Certificate that issued the client certificates, and click OK twice.

Step 6  Create a server profile.
    The server profile instructs the firewall how to connect to the authentication service. Local, RADIUS, Kerberos, and LDAP authentication methods are supported. This example shows an LDAP authentication profile for authenticating users against the Active Directory.
    Create the server profile for connecting to the LDAP server (Device > Server Profiles > LDAP).

Step 7  (Optional) Create an authentication profile.
    Attach the server profile to an authentication profile (Device > Authentication Profile).


Step 8  Configure a GlobalProtect Gateway. See the topology diagram shown in Figure: GlobalProtect VPN for Remote Access.
    Select Network > GlobalProtect > Gateways and add the following configuration:
       Interface: ethernet1/2
       IP Address: 203.0.113.1
       Server Certificate: GP-server-cert.pem issued by GoDaddy
       Certificate Profile: GP-client-cert
       Authentication Profile: Corp-LDAP
       Tunnel Interface: tunnel.2
       IP Pool: 10.31.32.3 - 10.31.32.118

Step 9  Configure the GlobalProtect Portal.
    Select Network > GlobalProtect > Portals and add the following configuration:
    1. Set Up Access to the GlobalProtect Portal:
       Interface: ethernet1/2
       IP Address: 203.0.113.1
       Server Certificate: GP-server-cert.pem issued by GoDaddy
       Certificate Profile: GP-client-cert
       Authentication Profile: Corp-LDAP
    2. Define the GlobalProtect Agent Configurations:
       Connect Method: On-demand (Manual user initiated connection)
       External Gateway Address: gp.acme.com

Step 10  Deploy the GlobalProtect Agent Software.
    Select Device > GlobalProtect Client. In this example, use the procedure to Host Agent Updates on the Portal.

Step 11  (Optional) Deploy Agent Settings Transparently.
    As an alternative to deploying agent settings from the portal configuration, you can define settings directly from the Windows registry or global Mac plist. Examples of settings that you can deploy include specifying the portal IP address or enabling GlobalProtect to initiate a VPN tunnel before a user logs in to the device and connects to the GlobalProtect portal. On Windows clients only, you can also configure settings using the MSIEXEC installer. For additional information, see Customizable Agent Settings.

Step 12  (Optional) Enable use of the GlobalProtect mobile app.
    Purchase and install a GlobalProtect Gateway subscription (Device > Licenses) to enable use of the app.

Step 13  Save the GlobalProtect configuration.
    Click Commit.


Always On VPN Configuration

In an always-on GlobalProtect configuration, the agent connects to the GlobalProtect portal upon user logon to submit user and host information and receive the client configuration. It then automatically establishes the VPN tunnel to the gateway specified in the client configuration delivered by the portal without end-user intervention, as shown in the following illustration.

To switch any of the previous remote access VPN configurations to an always-on configuration, you simply change the connect method:
- Remote Access VPN (Authentication Profile)
- Remote Access VPN (Certificate Profile)
- Remote Access VPN with Two-Factor Authentication
Use the following procedure to switch to an Always On configuration.

Switch to an Always On Configuration

Step 1  Select Network > GlobalProtect > Portals and select the portal configuration to open it.

Step 2  Select the Agent tab and then select the agent configuration you want to modify.

Step 3  Select the App tab.

Step 4  Select User-logon (Always On) as the Connect Method. Repeat this step for each agent configuration.

Step 5  Click OK twice to save the agent configuration and the portal configuration and then Commit your changes.


Remote Access VPN with Pre-Logon

Pre-logon is a connect method that establishes a VPN tunnel before a user logs in. The purpose of pre-logon is to authenticate the endpoint (not the user) and then enable domain scripts and other tasks of your choice to run as soon as the endpoint powers on. A machine certificate enables the endpoint to have the VPN tunnel to the gateway. A common practice for IT personnel is to install the machine certificate while staging the endpoint for the user.
A pre-logon VPN tunnel has no username association because the user has not logged in. Therefore, to let the endpoint have access to resources in the trust zone, you must create security policies that match the pre-logon user. These policies should allow access to only the basic services for starting up the system, such as DHCP, DNS, Active Directory (for example, to change an expired password), antivirus, or operating system update services.
After the gateway authenticates a Windows user, the VPN tunnel is reassigned to that user (the IP address mapping on the firewall changes from the pre-logon endpoint to the authenticated user).

Mac systems behave differently from Windows systems with pre-logon. With Mac OS, the tunnel created for pre-logon is torn down and a new tunnel created when the user logs in.

When a client requests a new connection, the portal authenticates the client by using an authentication profile. The portal can also use an optional certificate profile that validates the client certificate (if the configuration includes a client certificate). In this case, the client certificate must identify the user.
After authentication, the portal determines if the client's configuration is current. If the portal's configuration for the agent has changed, it pushes an updated configuration to the endpoint.
If the configuration on the portal or a gateway includes cookie-based authentication for the client, the portal or gateway installs an encrypted cookie on the client. Subsequently, the portal or gateway uses the cookie to authenticate users and for refreshing the client's configuration. Also, if an agent configuration profile includes the pre-logon connect method in addition to cookie authentication, the GlobalProtect components can use the cookie for pre-logon.
If users never log in to a device (for example, a headless device) or a pre-logon connection is required on a system that a user has not previously logged in to, you can let the endpoint initiate a pre-logon tunnel without first connecting to the portal to download the pre-logon configuration. To do this, you must override the default behavior by creating entries in the Windows registry or Mac plist.
The GlobalProtect endpoint will then connect to the portal specified in the configuration, authenticate the endpoint by using its machine certificate (as specified in a certificate profile configured on the gateway), and establish the VPN tunnel.
When the end user subsequently logs in to the machine and single sign-on (SSO) is enabled in the client configuration, the username and password are captured while the user logs in and used to authenticate to the gateway so that the tunnel can be renamed (Windows). If SSO is not enabled in the client configuration, or if SSO is not supported on the client system (for example, it is a Mac OS system), the user's credentials must be stored in the agent (that is, the Save User Credentials option must be set to Yes). After successful authentication to the gateway, the tunnel will be renamed (Windows) or rebuilt (Mac) and user- and group-based policy can be enforced.


This example uses the GlobalProtect topology shown in Figure: GlobalProtect VPN for Remote Access.

Remote Access VPN with Pre-Logon

Step 1  Create Interfaces and Zones for GlobalProtect.
    Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.
    For this example, select Network > Interfaces > Ethernet and then:
    - Select ethernet1/2.
    - For its interface type, select Layer 3.
    - Assign interface to: default virtual router, default virtual system, and l3-untrust security zone.
    - Select IPv4 and Add.
    - Select the address 203.0.113.1 (or the object that maps 203.0.113.1) or add a New Address to create a new object and address mapping. (Leave the address type as Static.)
    - Create a DNS A record that maps IP address 203.0.113.1 to gp.acme.com.
    - Select Network > Interfaces > Tunnel.
    - Add a tunnel.2 interface to a new zone called corp-vpn. Assign it to the default virtual router.
    - Enable User Identification on the corp-vpn zone.


Step 2  Create the security policy rules.
    This configuration requires the following policies (Policies > Security):
    1. Create a rule that enables the pre-logon user access to basic services that are required for the computer to come up, such as authentication services, DNS, DHCP, and Microsoft Updates.
    2. Create a rule to enable access between the corp-vpn zone and the l3-trust zone for any known user after the user successfully logs in.

Step 3  Use one of the following methods to obtain a server certificate for the interface that hosts the GlobalProtect portal and gateway:
    - (Recommended) Import a server certificate from a well-known, third-party CA.
    - Use the root CA on the portal to generate a self-signed server certificate.
    Select Device > Certificate Management > Certificates to manage certificates with the following criteria:
    - Obtain a server certificate. Because the portal and gateway are on the same interface, the same server certificate can be used for both components.
    - The CN of the certificate must match the FQDN, gp.acme.com.
    - To enable clients to connect to the portal without receiving certificate errors, use a server certificate from a public CA.

Step 4  Generate a machine certificate for each client system that will connect to GlobalProtect and import them into the personal certificate store on each machine.
    Although you could generate self-signed certificates for each client system, as a best practice, use your own public key infrastructure (PKI) to issue and distribute certificates to your clients.
    1. Issue client certificates to GlobalProtect clients and endpoints. This enables the GlobalProtect portal and gateways to validate that the device belongs to your organization.
    2. Install certificates in the personal certificate store on the endpoints (Local Computer store on Windows or System Keychain on Mac OS).

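Before the first portal connection, an administrator can check from the endpoint whether the installed certificates would pass the certificate profile the firewall will apply. The following PowerShell script is an added example and not code from the Palo Alto Networks guide; it audits the stores named in this guide (Cert:\LocalMachine\My for the pre-logon machine certificates of Step 4 above, Cert:\CurrentUser\My for the per-user client certificates of the two-factor configuration), and the issuing-CA thumbprint it takes is a constructed placeholder that you replace with the thumbprint of the CA certificate referenced in your certificate profile.

```powershell
# Added example (not from the Palo Alto Networks guide): audit endpoint certificates against
# what a GlobalProtect certificate profile will verify. Run on the Windows endpoint being staged.
# -IssuerCaThumbprint: SHA-1 thumbprint of the CA referenced in the certificate profile (placeholder below).
# -RequireSubjectCn:   set when the profile's Username Field is Subject, because the firewall then
#                      takes the username from the CN and rejects a certificate that has none.
function Test-GpClientCertificates {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [Parameter(Mandatory)][string]$IssuerCaThumbprint,
        [switch]$RequireSubjectCn
    )
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Format($true) emits one RDN per line, so a CN that itself contains commas is not split.
        $cn = $cert.SubjectName.Format($true) -split "`r?`n" |
              Where-Object { $_ -like 'CN=*' } |
              ForEach-Object { $_.Substring(3) } |
              Select-Object -First 1

        # Build the chain as a verifier would. Revocation is skipped so the audit runs offline;
        # use Online where the CRL/OCSP responder is reachable from the endpoint.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainBuilt = $chain.Build($cert)
        $chainThumbprints = $chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint }
        $fromExpectedCa = $chainThumbprints -contains $IssuerCaThumbprint.ToUpperInvariant()

        $reasons = @()
        if (-not $cert.HasPrivateKey) { $reasons += 'no private key, so the client cannot prove possession' }
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $reasons += 'outside validity period' }
        if (-not $chainBuilt) {
            $reasons += 'chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        }
        if (-not $fromExpectedCa) { $reasons += 'not issued under the CA named in the certificate profile' }
        if ($RequireSubjectCn -and -not $cn) { $reasons += 'Subject has no CN; Username Field = Subject would fail' }

        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            SubjectCN  = $cn
            NotAfter   = $cert.NotAfter
            Usable     = ($reasons.Count -eq 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

# Machine certificates for pre-logon (certificate profile with Username Field = None):
Test-GpClientCertificates -StorePath 'Cert:\LocalMachine\My' -IssuerCaThumbprint 'REPLACE_WITH_CA_THUMBPRINT' |
    Format-Table -AutoSize
# Per-user client certificates for the two-factor configuration (Username Field = Subject):
Test-GpClientCertificates -StorePath 'Cert:\CurrentUser\My' -IssuerCaThumbprint 'REPLACE_WITH_CA_THUMBPRINT' -RequireSubjectCn |
    Format-Table -AutoSize
```

A certificate reported as not usable here will also be rejected by the portal or gateway, so the audit catches missing CNs, wrong issuers and missing private keys before users see an authentication failure.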

Step 5  Import the trusted root CA certificate from the CA that issued the machine certificates onto the portal and gateway(s).
    You do not have to import the private key.
    1. Download the CA certificate in Base64 format.
    2. Import the certificate onto each firewall that hosts a portal or gateway, as follows:
       a. Select Device > Certificate Management > Certificates > Device Certificates and click Import.
       b. Enter a Certificate Name that identifies the certificate as your client CA certificate.
       c. Browse to the Certificate File you downloaded from the CA.
       d. Select Base64 Encoded Certificate (PEM) as the File Format and then click OK.
       e. Select the certificate you just imported on the Device Certificates tab to open it.
       f. Select Trusted Root CA and then click OK.

Step 6  On each firewall that hosts a GlobalProtect gateway, create a certificate profile to identify the CA certificate for validating the machine certificates.
    Optionally, if you plan to use client certificate authentication to authenticate users when they log in to the system, make sure that the CA certificate that issues the client certificates is referenced in the certificate profile in addition to the CA certificate that issued the machine certificates, if they are different.
    1. Select Device > Certificate Management > Certificate Profile.
    2. Click Add and enter a Name to uniquely identify the profile, such as PreLogonCert.
    3. Set Username Field to None.
    4. (Optional) If you will also use client certificate authentication to authenticate users upon login, add the CA certificate that issued the client certificates if it is different from the one that issued the machine certificates.
    5. In the CA Certificates field, click Add, select the Trusted Root CA certificate you imported in Step 5 and then click OK.
    6. Click OK to save the profile.

Step 7  Configure a GlobalProtect Gateway. See the topology diagram shown in Figure: GlobalProtect VPN for Remote Access.
    Although you must create a certificate profile for pre-logon access to the gateway, you can use either client certificate authentication or authentication profile-based authentication for logged-in users. In this example, the same LDAP profile is used that is used to authenticate users to the portal.
    1. Select Network > GlobalProtect > Gateways and add the following configuration:
       Interface: ethernet1/2
       IP Address: 203.0.113.1
       Server Certificate: GP-server-cert.pem issued by GoDaddy
       Certificate Profile: PreLogonCert
       Authentication Profile: Corp-LDAP
       Tunnel Interface: tunnel.2
       IP Pool: 10.31.32.3 - 10.31.32.118
    2. Commit the gateway configuration.


Step 8  Configure the GlobalProtect Portal.
    Configure Device details (networking parameters, the authentication service profile, and the certificate for the authentication server).
    Select Network > GlobalProtect > Portals and specify the following configuration:
    Set Up Access to the GlobalProtect Portal:
       Interface: ethernet1/2
       IP Address: 203.0.113.1
       Server Certificate: GP-server-cert.pem issued by GoDaddy
       Certificate Profile: None
       Authentication Profile: Corp-LDAP

Step 9  Define the GlobalProtect Agent Configurations for pre-logon users and for logged-in users.
    Use a single agent configuration if you want pre-logon users to access the same gateways before and after they log in. Otherwise, to direct pre-logon users to different gateways before and after they log in, create two agent configuration profiles. In this first agent configuration's User/User Group, select the pre-logon filter. With pre-logon, the portal first authenticates the endpoint, not the user, to set up a VPN (even though the pre-logon parameter is associated with users). Subsequently, the portal authenticates the user when he or she logs in. After the portal authenticates the user, it deploys the second agent configuration. In this case, User/User Group is any.
    As a best practice, enable SSO in the second agent configuration so that the correct username is immediately reported to the gateway when the user logs in to the endpoint. If SSO is not enabled, the saved username in the Agent settings panel is used.
    Select Agent and specify one of the following configurations:
    - Use the same gateway before and after pre-logon users log in:
       Use single sign-on: enabled
       Connect Method: pre-logon
       External Gateway Address: gp1.acme.com
       User/User Group: any
       Authentication Override: Cookie authentication for transparently authenticating users and for configuration refresh
    - Use separate gateways for pre-logon users before and after they log in:
       First Agent Configuration:
          Connect Method: pre-logon
          External Gateway Address: gp1.acme.com
          User/User Group: pre-logon
          Authentication Override: Cookie authentication for transparently authenticating users and for configuration refresh
       Second Agent Configuration:
          Use single sign-on: enabled
          Connect Method: pre-logon
          External Gateway Address: gp2.acme.com
          User/User Group: any
          Authentication Override: Cookie authentication for transparently authenticating users and for configuration refresh
    Make sure the pre-logon client configuration is first in the list of configurations. If it is not, select it and click Move Up.

Step 10  Save the GlobalProtect configuration.
    Click Commit.


Step 11  (Optional) If users will never log in to a device (for example, a headless device) or a pre-logon connection is required on a system that a user has not previously logged in to, create the Prelogon registry entry on the client system.
    You must also pre-deploy additional agent settings such as the default portal IP address and connect method. For more information about registry settings, see Deploy Agent Settings Transparently.
    1. Locate the GlobalProtect settings in the registry:
       HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup
    2. Create a DWORD named Prelogon with a value of 1 in the Value data field and Hexadecimal as the Base. This setting enables GlobalProtect to initiate a VPN connection before the user logs in to the laptop.
    3. Create a String Value named Portal that specifies the IP address or hostname of the default portal for the GlobalProtect client.
    4. Create a String Value named connect-method with a value of pre-logon in the Value data field. This setting enables GlobalProtect to initiate a VPN tunnel before a user logs in to the device and connects to the GlobalProtect portal.

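Staging these three values by hand on every headless endpoint is error-prone, so the registry step above is commonly scripted. The following PowerShell is an added example, not code from the Palo Alto Networks guide: it writes the PanSetup values named in Step 11, reads them back and fails if any value differs. It assumes an elevated session on the endpoint and uses the portal FQDN gp.acme.com from this guide's topology as the Portal value.

```powershell
# Added example (not from the Palo Alto Networks guide): stage the GlobalProtect pre-logon
# settings of Step 11 under PanSetup and verify them. Run in an elevated PowerShell session
# on the endpoint being staged. The Portal value assumes the gp.acme.com FQDN of this guide.
function Set-GpPreLogonRegistry {
    param(
        [string]$Portal = 'gp.acme.com'
    )
    $panSetup = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup'

    # The key may not exist yet if the settings are staged before the agent is installed.
    if (-not (Test-Path -Path $panSetup)) {
        New-Item -Path $panSetup -Force | Out-Null
    }

    # Step 11.2: DWORD Prelogon = 1 (0x1) lets the agent bring up a tunnel before user logon.
    New-ItemProperty -Path $panSetup -Name 'Prelogon' -PropertyType DWord -Value 1 -Force | Out-Null
    # Step 11.3: String Portal = the default portal the agent connects to.
    New-ItemProperty -Path $panSetup -Name 'Portal' -PropertyType String -Value $Portal -Force | Out-Null
    # Step 11.4: String connect-method = pre-logon.
    New-ItemProperty -Path $panSetup -Name 'connect-method' -PropertyType String -Value 'pre-logon' -Force | Out-Null

    # Read every value back; a typo in a name or a wrong type would otherwise surface only as
    # an endpoint that silently never connects before logon.
    $expected = @{ 'Prelogon' = 1; 'Portal' = $Portal; 'connect-method' = 'pre-logon' }
    $actual   = Get-ItemProperty -Path $panSetup
    $problems = foreach ($name in $expected.Keys) {
        if ($actual.$name -ne $expected[$name]) {
            "{0}: expected '{1}', found '{2}'" -f $name, $expected[$name], $actual.$name
        }
    }
    if ($problems) {
        $problems | ForEach-Object { Write-Error $_ }
        return $false
    }
    $actual | Select-Object Prelogon, Portal, 'connect-method' | Format-List | Out-Host
    return $true
}

if (-not (Set-GpPreLogonRegistry -Portal 'gp.acme.com')) { exit 1 }
```

Because these values live under HKEY_LOCAL_MACHINE, the same script can be pushed through your existing endpoint management tooling to the devices that will never see an interactive logon.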

GlobalProtect Multiple Gateway Configuration

In Figure: GlobalProtect Multiple Gateway Topology, a second external gateway has been added to the configuration. Multiple gateways are supported in all of the preceding example configurations. Additional steps include configuring a second firewall as a GlobalProtect gateway. In addition, when configuring the client configurations to be deployed by the portal, you can decide whether to allow access to all gateways, or specify different gateways for different configurations.

Figure: GlobalProtect Multiple Gateway Topology

If a client configuration contains more than one gateway, the agent will attempt to connect to all gateways listed in its client configuration. The agent will then use priority and response time to determine the gateway to which to connect. The agent connects to a lower-priority gateway only if the response time for the higher-priority gateway is greater than the average response time across all gateways. For more information, see Gateway Priority in a Multiple Gateway Configuration.


Quick Config: GlobalProtect Multiple Gateway Configuration

Step 1  Create Interfaces and Zones for GlobalProtect.
    In this configuration, you must set up interfaces on each firewall hosting a gateway. Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.
    On the firewall hosting the portal/gateway (gw1):
    - Select Network > Interfaces > Ethernet and configure ethernet1/2 as a Layer 3 Ethernet interface with IP address 198.51.100.42 and assign it to the l3-untrust security zone and the default virtual router.
    - Create a DNS A record that maps IP address 198.51.100.42 to gp1.acme.com.
    - Select Network > Interfaces > Tunnel and add the tunnel.2 interface and add it to a new zone called corp-vpn. Assign it to the default virtual router.
    - Enable User Identification on the corp-vpn zone.
    On the firewall hosting the second gateway (gw2):
    - Select Network > Interfaces > Ethernet and configure ethernet1/5 as a Layer 3 Ethernet interface with IP address 192.0.2.4 and assign it to the l3-untrust security zone and the default virtual router.
    - Create a DNS A record that maps IP address 192.0.2.4 to gp2.acme.com.
    - Select Network > Interfaces > Tunnel and add the tunnel.1 interface and add it to a new zone called corp-vpn. Assign it to the default virtual router.
    - Enable User Identification on the corp-vpn zone.

Step 2  Purchase and install a GlobalProtect gateway subscription on each gateway if you have users who will be using the GlobalProtect app on their mobile devices or if you plan to use HIP-enabled security policy.
    After you purchase the gateway subscription and receive your activation code, install the license on the firewall hosting the portal as follows:
    1. Select Device > Licenses.
    2. Select Activate feature using authorization code.
    3. When prompted, enter the Authorization Code and then click OK.
    4. Verify that the license was successfully activated.

Step 3  On each firewall hosting a GlobalProtect gateway, create security policy.
    This configuration requires policy rules to enable traffic flow between the corp-vpn zone and the l3-trust zone to enable access to your internal resources (Policies > Security).


Step 4  Obtain server certificates for the interfaces hosting your GlobalProtect portal and each of your GlobalProtect gateways using the following recommendations:
    - (On the firewall hosting the portal or portal/gateway) Import a server certificate from a well-known, third-party CA.
    - (On a firewall hosting only a gateway) Use the root CA on the portal to generate a self-signed server certificate.
    On each firewall hosting a portal/gateway or gateway, select Device > Certificate Management > Certificates to manage certificates as follows:
    - Obtain a server certificate for the portal/gw1. Because the portal and the gateway are on the same interface you must use the same server certificate. The CN of the certificate must match the FQDN, gp1.acme.com. To enable clients to connect to the portal without receiving certificate errors, use a server certificate from a public CA.
    - Obtain a server certificate for the interface hosting gw2. Because this interface hosts a gateway only, you can use a self-signed certificate. The CN of the certificate must match the FQDN, gp2.acme.com.

Step 5  Define how you will authenticate users to the portal and the gateways.
    You can use any combination of certificate profiles and/or authentication profiles as necessary to ensure the security for your portal and gateways. Portals and individual gateways can also use different authentication schemes. See the following sections for step-by-step instructions:
    - Set Up External Authentication (authentication profile)
    - Set Up Client Certificate Authentication (certificate profile)
    - Set Up Two-Factor Authentication (token or OTP based)
    You will then need to reference the certificate profile and/or authentication profiles you defined in the portal and gateway configurations you define.

Step 6  Configure the gateways.
    This example shows the configuration for gp1 and gp2 shown in Figure: GlobalProtect Multiple Gateway Topology. (See Configure a GlobalProtect Gateway for step-by-step instructions on creating the gateway configurations.)
    On the firewall hosting gp1, select Network > GlobalProtect > Gateways and configure the gateway settings as follows:
       Interface: ethernet1/2
       IP Address: 198.51.100.42
       Server Certificate: GP1-server-cert.pem issued by GoDaddy
       Tunnel Interface: tunnel.2
       IP Pool: 10.31.32.3 - 10.31.32.118
    On the firewall hosting gp2, select Network > GlobalProtect > Gateways and configure the gateway settings as follows:
       Interface: ethernet1/2
       IP Address: 192.0.2.4
       Server Certificate: self-signed certificate, GP2-server-cert.pem
       Tunnel Interface: tunnel.1
       IP Pool: 10.31.33.3 - 10.31.33.118


Step 7  Configure the GlobalProtect Portal.
    Select Network > GlobalProtect > Portals and add the following configuration:
    1. Set Up Access to the GlobalProtect Portal:
       Interface: ethernet1/2
       IP Address: 198.51.100.42
       Server Certificate: GP1-server-cert.pem issued by GoDaddy
    2. Define the GlobalProtect Agent Configurations:
       The number of client configurations you create depends on your specific access requirements, including whether you require user/group-based policy and/or HIP-enabled policy enforcement.

Step 8  Deploy the GlobalProtect Agent Software.
    Select Device > GlobalProtect Client. In this example, use the procedure to Host Agent Updates on the Portal.

Step 9  Save the GlobalProtect configuration.
    Click Commit on the firewall hosting the portal and the gateway(s).


GlobalProtect for Internal HIP Checking and User-Based Access

When used in conjunction with User-ID and/or HIP checks, an internal gateway can be used to provide a secure, accurate method of identifying and controlling traffic by user and/or device state, replacing other network access control (NAC) services. Internal gateways are useful in sensitive environments where authenticated access to critical resources is required.
In a configuration with only internal gateways, all clients must be configured with user-logon; on-demand mode is not supported. In addition, it is recommended that you configure all client configurations to use single sign-on (SSO). Additionally, because internal hosts do not need to establish a tunnel connection with the gateway, the IP address of the physical network adapter on the client system is used.
In this quick config, internal gateways are used to enforce group-based policies that allow users in the Engineering group access to the internal source control and bug databases and users in the Finance group to the CRM applications. All authenticated users have access to internal web resources. In addition, HIP profiles configured on the gateway check each host to ensure compliance with internal maintenance requirements, such as whether the latest security patches and antivirus definitions are installed, whether disk encryption is enabled, or whether the required software is installed.

Figure: GlobalProtect Internal Gateway Configuration


Use the following procedure to quickly configure a GlobalProtect internal gateway.

Quick Config: GlobalProtect Internal Gateway Configuration

Step 1  Create Interfaces and Zones for GlobalProtect.
    In this configuration, you must set up interfaces on each firewall hosting a portal and/or a gateway. Because this configuration uses internal gateways only, you must configure the portal and gateways on interfaces on the internal network. Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.
    On each firewall hosting a portal/gateway:
    1. Select an Ethernet port to host the portal/gateway and then configure a Layer 3 interface with an IP address in the l3-trust security zone (Network > Interfaces > Ethernet).
    2. Enable User Identification on the l3-trust zone.

Step 2  Purchase and install a gateway subscription for each firewall hosting an internal gateway if you have users who will be using the GlobalProtect app on their mobile devices or if you plan to use HIP-enabled security policy.
    After you purchase the gateway subscriptions and receive your activation code, install the gateway subscriptions on the firewalls hosting your gateways as follows:
    1. Select Device > Licenses.
    2. Select Activate feature using authorization code.
    3. When prompted, enter the Authorization Code and then click OK.
    4. Verify that the license was successfully activated.
    Contact your Palo Alto Networks Sales Engineer or Reseller if you do not have the required licenses. For more information on licensing, see About GlobalProtect Licenses.

Step 3  Obtain server certificates for the GlobalProtect portal and each GlobalProtect gateway.
    In order to connect to the portal for the first time, the end clients must trust the root CA certificate used to issue the portal server certificate. You can either use a self-signed certificate on the portal and deploy the root CA certificate to the end clients before the first portal connection, or obtain a server certificate for the portal from a trusted CA. You can use self-signed certificates on the gateways.
    The recommended workflow is as follows:
    1. On the firewall hosting the portal:
       a. Import a server certificate from a well-known, third-party CA.
       b. Create the root CA certificate for issuing self-signed certificates for the GlobalProtect components.
       c. Use the root CA on the portal to generate a self-signed server certificate. Repeat this step for each gateway.
    2. On each firewall hosting an internal gateway:
       a. Deploy the self-signed server certificates.


Step 4: Define how you will authenticate users to the portal and the gateways.
You can use any combination of certificate profiles and/or authentication profiles as necessary to ensure the security for your portal and gateways. Portals and individual gateways can also use different authentication schemes. See the following sections for step-by-step instructions:
- Set Up External Authentication (authentication profile)
- Set Up Client Certificate Authentication (certificate profile)
- Set Up Two-Factor Authentication (token- or OTP-based)
You will then need to reference the certificate profile and/or authentication profiles you defined in the portal and gateway configurations you define.

Step 5: Create the HIP profiles you will need to enforce security policy on gateway access.
See Use Host Information in Policy Enforcement for more information on HIP matching.
1. Create the HIP objects to filter the raw host data collected by the agents. For example, if you are interested in preventing users that are not up to date with required patches, you might create a HIP object to match on whether the patch management software is installed and that all patches with a given severity are up to date.
2. Create the HIP profiles that you plan to use in your policies. For example, if you want to ensure that only Windows users with up-to-date patches can access your internal applications, you might attach the following HIP profile that will match hosts that do NOT have a missing patch:


Step 6: Configure the internal gateways.
Select Network > GlobalProtect > Gateways and add the following settings:
- Interface
- IP Address
- Server Certificate
- Authentication Profile and/or Configuration Profile
Notice that it is not necessary to configure the client configuration settings in the gateway configurations (unless you want to set up HIP notifications) because tunnel connections are not required. See Configure a GlobalProtect Gateway for step-by-step instructions on creating the gateway configurations.

Step 7: Configure the GlobalProtect Portal.
Although all of the previous configurations could use a Connect Method of User-logon (Always On) or On-demand (Manual user initiated connection), an internal gateway configuration must always be on and therefore requires a Connect Method of User-logon (Always On).
Select Network > GlobalProtect > Portals and add the following configuration:
1. Set Up Access to the GlobalProtect Portal:
   - Interface: ethernet1/2
   - IP Address: 10.31.34.13
   - Server Certificate: GP-server-cert.pem issued by GoDaddy with CN=gp.acme.com
2. Define the GlobalProtect Client Authentication Configurations:
   - Use single sign-on: enabled
   - Connect Method: User-logon (Always On)
   - Internal Gateway Address: california.acme.com, newyork.acme.com
   - User/User Group: any
3. Commit the portal configuration.

Step 8: Deploy the GlobalProtect Agent Software.
Select Device > GlobalProtect Client. In this example, use the procedure to Host Agent Updates on the Portal.

Step 9: Create the HIP-enabled and/or user/group-based security rules on your gateway(s).
Add the following security rules for this example:
1. Select Policies > Security and click Add.
2. On the Source tab, set the Source Zone to l3-trust.
3. On the User tab, add the HIP profile and user/group to match:
   - Click Add in the HIP Profiles section and select the HIP profile MissingPatch.
   - Click Add in the Source User section and select the group (Finance or Engineering depending on which rule you are creating).
4. Click OK to save the rule.
5. Commit the gateway configuration.

Mixed Internal and External Gateway Configuration

In a GlobalProtect mixed internal and external gateway configuration, you configure separate gateways for VPN access and for access to your sensitive internal resources. With this configuration, agents perform internal host detection to determine if they are on the internal or external network. If the agent determines it is on the external network, it will attempt to connect to the external gateways listed in its client configuration and it will establish a VPN (tunnel) connection with the gateway with the highest priority and the shortest response time.
Because security policies are defined separately on each gateway, you have granular control over which resources your external and internal users have access to. In addition, you also have granular control over which gateways users have access to by configuring the portal to deploy different client configurations based on user/group membership or based on HIP profile matching.
In this example, the portals and all three gateways (one external and two internal) are deployed on separate firewalls. The external gateway at gpvpn.acme.com provides remote VPN access to the corporate network while the internal gateways provide granular access to sensitive data center resources based on group membership. In addition, HIP checks are used to ensure that hosts accessing the data center are up to date on security patches.

Figure: GlobalProtect Deployment with Internal and External Gateways

Use the following procedure to quickly configure a mix of internal and external GlobalProtect gateways.

Quick Config: GlobalProtect Mixed Internal & External Gateway Configuration

Step 1: Create Interfaces and Zones for GlobalProtect.
In this configuration, you must set up interfaces on the firewall hosting a portal and each firewall hosting a gateway. Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.
On the firewall hosting the portal (gp.acme.com):
- Select Network > Interfaces > Ethernet and configure ethernet1/2 as a Layer 3 Ethernet interface with IP address 198.51.100.42 and assign it to the l3-untrust security zone and the default virtual router.
- Create a DNS A record that maps IP address 198.51.100.42 to gp.acme.com.
- Select Network > Interfaces > Tunnel and add the tunnel.2 interface and add it to a new zone called corp-vpn. Assign it to the default virtual router.
- Enable User Identification on the corp-vpn zone.
On the firewall hosting the external gateway (gpvpn.acme.com):
- Select Network > Interfaces > Ethernet and configure ethernet1/5 as a Layer 3 Ethernet interface with IP address 192.0.2.4 and assign it to the l3-untrust security zone and the default virtual router.
- Create a DNS A record that maps IP address 192.0.2.4 to gpvpn.acme.com.
- Select Network > Interfaces > Tunnel and add the tunnel.3 interface and add it to a new zone called corp-vpn. Assign it to the default virtual router.
- Enable User Identification on the corp-vpn zone.
On the firewalls hosting the internal gateways (california.acme.com and newyork.acme.com):
- Select Network > Interfaces > Ethernet and configure Layer 3 Ethernet interfaces with IP addresses on the internal network and assign them to the l3-trust security zone and the default virtual router.
- Create DNS A records that map the internal IP addresses to california.acme.com and newyork.acme.com.
- Enable User Identification on the l3-trust zone.

Step 2: Purchase and install a gateway subscription for each firewall hosting a gateway (internal and external) if you have users who will be using the GlobalProtect app on their mobile devices or if you plan to use HIP-enabled security policy.
After you purchase the gateway subscriptions and receive your activation code, install the gateway subscriptions on the firewalls hosting your gateways as follows:
1. Select Device > Licenses.
2. Select Activate feature using authorization code.
3. When prompted, enter the Authorization Code and then click OK.
4. Verify that the license and subscriptions were successfully activated.
Contact your Palo Alto Networks Sales Engineer or Reseller if you do not have the required licenses. For more information on licensing, see About GlobalProtect Licenses.


Step 3: Obtain server certificates for the GlobalProtect portal and each GlobalProtect gateway.
In order to connect to the portal for the first time, the end clients must trust the root CA certificate used to issue the portal server certificate. You can use self-signed certificates on the gateways and deploy the root CA certificate to the agents in the client configuration. The best practice is to generate all of the certificates on the firewall hosting the portal and deploy them to the gateways.
The recommended workflow is as follows:
1. On the firewall hosting the portal:
   a. Import a server certificate from a well-known, third-party CA.
   b. Create the root CA certificate for issuing self-signed certificates for the GlobalProtect components.
   c. Use the root CA on the portal to generate a self-signed server certificate. Repeat this step for each gateway.
2. On each firewall hosting an internal gateway:
   a. Deploy the self-signed server certificates.

Step 4: Define how you will authenticate users to the portal and the gateways.
You can use any combination of certificate profiles and/or authentication profiles as necessary to ensure the security for your portal and gateways. Portals and individual gateways can also use different authentication schemes. See the following sections for step-by-step instructions:
- Set Up External Authentication (authentication profile)
- Set Up Client Certificate Authentication (certificate profile)
- Set Up Two-Factor Authentication (token- or OTP-based)
You will then need to reference the certificate profile and/or authentication profiles you defined in the portal and gateway configurations you define.


Step 5: Create the HIP profiles you will need to enforce security policy on gateway access.
See Use Host Information in Policy Enforcement for more information on HIP matching.
1. Create the HIP objects to filter the raw host data collected by the agents. For example, if you are interested in preventing users that are not up to date with required patches, you might create a HIP object to match on whether the patch management software is installed and that all patches with a given severity are up to date.
2. Create the HIP profiles that you plan to use in your policies. For example, if you want to ensure that only Windows users with up-to-date patches can access your internal applications, you might attach the following HIP profile that will match hosts that do NOT have a missing patch:

Step 6: Configure the internal gateways.
Select Network > GlobalProtect > Gateways and add the following settings:
- Interface
- IP Address
- Server Certificate
- Authentication Profile and/or Configuration Profile
Notice that it is not necessary to configure the client configuration settings in the gateway configurations (unless you want to set up HIP notifications) because tunnel connections are not required. See Configure a GlobalProtect Gateway for step-by-step instructions on creating the gateway configurations.


Step 7: Configure the GlobalProtect Portal.
Although this example shows how to create a single client configuration to be deployed to all agents, you could choose to create separate configurations for different uses and then deploy them based on user/group name and/or the operating system the agent/app is running on (Android, iOS, Mac, or Windows).
Select Network > GlobalProtect > Portals and add the following configuration:
1. Set Up Access to the GlobalProtect Portal:
   - Interface: ethernet1/2
   - IP Address: 10.31.34.13
   - Server Certificate: GP-server-cert.pem issued by GoDaddy with CN=gp.acme.com
2. Define the GlobalProtect Client Authentication Configurations:
   - Internal Host Detection: enabled
   - Use single sign-on: enabled
   - Connect Method: User-logon (Always On)
   - External Gateway Address: gpvpn.acme.com
   - Internal Gateway Address: california.acme.com, newyork.acme.com
   - User/User Group: any
3. Commit the portal configuration.

Step 8: Deploy the GlobalProtect Agent Software.
Select Device > GlobalProtect Client. In this example, use the procedure to Host Agent Updates on the Portal.

Step 9: Create security policy rules on each gateway to safely enable access to applications for your VPN users.
- Create security policy (Policies > Security) to enable traffic flow between the corp-vpn zone and the l3-trust zone.
- Create HIP-enabled and user/group-based policy rules to enable granular access to your internal data center resources.
- For visibility, create rules that allow all of your users web-browsing access to the l3-untrust zone, using the default security profiles to protect you from known threats.

Step 10: Save the GlobalProtect configuration.
Click Commit on the portal and all gateways.



GlobalProtect Reference Architecture

This section outlines an example reference architecture for deploying GlobalProtect which secures internet traffic and provides secure access to corporate resources.
The reference architecture and guidelines described in this section provide a common deployment scenario. Before adopting this architecture, identify your corporate security, infrastructure manageability, and end user experience requirements and deploy GlobalProtect based on those requirements.
Although the requirements may be different for each enterprise, you can leverage the common principles and design considerations outlined in this document along with best practice configuration guidelines to meet your enterprise security needs.
- GlobalProtect Reference Architecture Topology
- GlobalProtect Reference Architecture Features
- GlobalProtect Reference Architecture Configurations


GlobalProtect Reference Architecture Topology

- GlobalProtect Portal
- GlobalProtect Gateways

GlobalProtect Portal

In this topology, a PA-3020 in the colocation space functions as a GlobalProtect portal.
Employees and contractors can authenticate to the portal using two-factor authentication (2FA) consisting of Active Directory (AD) credentials and a one-time password (OTP). The portal deploys GlobalProtect client configurations based on user and group membership and operating system.
By configuring a separate portal client configuration that applies to a small group or set of pilot users, you can test features before rolling them out to a wider user base. Any client configuration containing new features, such as the Enforce GlobalProtect or Simple Certificate Enrollment Protocol (SCEP) features which were made available with PAN-OS 7.1 and the content updates that followed, is enabled in the pilot configuration first and validated by those pilot users before it is made available to other users.
The GlobalProtect portal also pushes configurations to GlobalProtect satellites. This configuration includes the GlobalProtect gateways to which satellites can connect and establish a site-to-site tunnel.


GlobalProtect Gateways

The PA-3020 in the colocation space (mentioned previously) also doubles as a GlobalProtect gateway (the Santa Clara Gateway). 10 additional gateways are deployed in Amazon Web Services (AWS) and the Microsoft Azure public cloud. The regions or POP locations where these AWS and Azure gateways are deployed are based on the distribution of employees across the globe.
- Santa Clara Gateway: Employees and contractors can authenticate to the Santa Clara Gateway (PA-3020 in the colocation space) using 2FA. This gateway requires users to provide their Active Directory credentials and their OTP. Because this gateway protects sensitive resources, it is configured as a manual-only gateway. As a result, users do not connect to this gateway automatically and must manually choose to connect to this gateway. For example, when users connect to AWS Norcal, which is not a manual-only gateway, some sensitive internal resources are not accessible. The user must then manually switch to and authenticate with the Santa Clara Gateway to access these resources.
  In addition, the Santa Clara Gateway is configured as a Large Scale VPN (LSVPN) tunnel termination point for all satellite connections from gateways in AWS and Azure. The Santa Clara Gateway is also configured to set up an Internet Protocol Security (IPSec) tunnel to the IT firewall in corporate headquarters. This is the tunnel that provides access to resources in the corporate headquarters.
- Gateways in Amazon Web Services and Microsoft Azure: These gateways require 2FA: a client certificate and Active Directory credentials. The GlobalProtect portal distributes the client certificate that is required to authenticate with these gateways using the GlobalProtect SCEP feature.
  These gateways in the public cloud also act as GlobalProtect satellites. They communicate with the GlobalProtect portal, download the satellite configuration, and establish a site-to-site tunnel with the Santa Clara Gateway. GlobalProtect satellites initially authenticate using serial number, and subsequently authenticate using certificates.
- Gateways Inside Corporate Headquarters: Within the corporate headquarters, three firewalls function as GlobalProtect gateways. These are internal gateways and do not require endpoints to set up a tunnel. Users authenticate to these gateways using their Active Directory credentials. These internal gateways use GlobalProtect to identify the User-ID and to collect the Host Information Profile (HIP) from the endpoints.
  To make the end user experience as seamless as possible, you can configure these internal gateways to authenticate users using certificates provisioned by SCEP or using Kerberos service tickets.


GlobalProtect Reference Architecture Features

- End User Experience
- Management and Logging
- Monitoring and High Availability

End User Experience

End users who are remote (not inside the corporate network) connect to one of the gateways in AWS or Azure. When you configure the GlobalProtect portal client configuration, assign equal priority to the gateways. With this configuration, the gateway to which users connect depends on the SSL response time of each gateway measured on the endpoint during the tunnel setup time.
For example, a user in Australia would typically connect to the AWS Sydney Gateway. Once the user is connected to AWS Sydney, the GlobalProtect client tunnels all traffic from the endpoint to the AWS Sydney firewall for inspection. GlobalProtect sends traffic to public internet sites directly via the AWS Sydney Gateway and tunnels traffic to corporate resources through a site-to-site tunnel between the AWS Sydney Gateway and the Santa Clara Gateway, and then through an IPSec site-to-site tunnel to the corporate headquarters. This architecture is designed to reduce any latency the user may experience when accessing the internet. If the AWS Sydney Gateway (or any gateway closer to Sydney) was unreachable, the GlobalProtect client would backhaul the internet traffic to the firewall in the corporate headquarters and cause latency issues.
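The agent-side decisions described here and in the Mixed Internal and External Gateway Configuration section (internal host detection, then external gateway selection by priority and measured response time) are modelled in this added example, which is not GlobalProtect agent code. Internal host detection is modelled as the reverse DNS check the feature performs (the configured IP must resolve back to the configured hostname); the resolver answers, detection IP/hostname, cloud gateway names, priorities and timings are constructed.

```python
"""Agent-side decisions for a mixed internal/external GlobalProtect deployment:
internal host detection first, then external gateway selection by priority and
measured response time.

Added example, not GlobalProtect agent code. Internal host detection is
modelled as the reverse DNS check the feature performs (the configured IP must
resolve back to the configured hostname). Resolver answers, gateway names,
priorities and timings are constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Gateway:
    name: str
    priority: int                 # 1 is the highest priority
    response_ms: Optional[float]  # measured SSL response time; None = unreachable


def is_internal(resolve_ptr: Callable[[str], Optional[str]],
                detect_ip: str, detect_host: str) -> bool:
    """Internal host detection: on the internal network only if the reverse
    lookup of detect_ip yields detect_host (case-insensitive, trailing dot
    ignored). No answer or a different name means external."""
    answer = resolve_ptr(detect_ip)
    return answer is not None and answer.rstrip(".").lower() == detect_host.lower()


def choose_external_gateway(gateways: List[Gateway]) -> Optional[Gateway]:
    """Highest priority wins, ties go to the shortest response time. Unreachable
    gateways are skipped, so a lower-priority gateway is used only when every
    higher-priority one is down."""
    reachable = [g for g in gateways if g.response_ms is not None]
    if not reachable:
        return None
    return min(reachable, key=lambda g: (g.priority, g.response_ms))


def select_gateways(resolve_ptr, detect_ip, detect_host, internal, external):
    """On the corporate network the agent reports to every internal gateway;
    elsewhere it tunnels to the single chosen external gateway."""
    if is_internal(resolve_ptr, detect_ip, detect_host):
        return "internal", list(internal)
    chosen = choose_external_gateway(external)
    return "external", [chosen.name] if chosen else []


# Constructed data: the quick config's internal gateways, and equal-priority
# cloud gateways as in the reference architecture, one of them unreachable.
INTERNAL_GATEWAYS = ["california.acme.com", "newyork.acme.com"]
EXTERNAL_GATEWAYS = [
    Gateway("AWS Sydney", 1, None),        # down: skipped, not fatal
    Gateway("AWS Norcal", 1, 140.0),
    Gateway("Azure West Europe", 1, 210.0),
    Gateway("gpvpn.acme.com", 2, 30.0),    # fastest, but only a fallback
]
DETECT_IP, DETECT_HOST = "10.0.0.10", "gp-ihd.acme.com"   # constructed values


def corp_resolver(ip: str) -> Optional[str]:
    """Constructed internal DNS: answers the PTR query with a trailing dot."""
    return {"10.0.0.10": "gp-ihd.acme.com."}.get(ip)


def public_resolver(ip: str) -> Optional[str]:
    """Constructed external DNS: the private address has no PTR record."""
    return None
```

With equal priorities, as the reference architecture recommends, only the measured response time decides; the priority-2 fallback is chosen only when no priority-1 gateway answers.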
Active Directory servers reside inside the corporate network. When remote end users authenticate, the GlobalProtect client sends authentication requests through the site-to-site tunnel in AWS/Azure to the Santa Clara Gateway. The gateway then forwards the request through an IPSec site-to-site tunnel to the Active Directory Server in corporate headquarters.

To reduce the time it takes for remote user authentication and tunnel setup, consider replicating the Active Directory Server and making it available in AWS.

End users inside the corporate network authenticate to the three internal gateways immediately after they log in; the GlobalProtect client sends the HIP report to these internal gateways. When users are inside the office on the corporate network, they must meet the User-ID and HIP requirements to access any resource at work.

Management and Logging

In this deployment, you can manage and configure all firewalls from Panorama, which is deployed in the colocation space.
To provide consistent security, all firewalls in AWS and Azure use the same security policies and configurations. To simplify configuration of the gateways, Panorama also uses one device group and one template. In this deployment, all gateways forward all logs to Panorama. This enables you to monitor network traffic or troubleshoot issues from a central location instead of requiring you to log in to each firewall.


When software updates are required, you can use Panorama to deploy the software updates to all firewalls. Panorama first upgrades one or two firewalls and verifies whether the upgrade was successful before updating the remaining firewalls.

Monitoring and High Availability

To monitor the firewalls in this deployment, you can use Nagios, an open source server, network, and log monitoring software. Configure Nagios to periodically verify the response from the portal and the gateways' prelogin page and send an alert if the response does not match the expectations. You can also configure GlobalProtect Simple Network Management Protocol (SNMP) Management Information Base (MIB) objects to monitor gateway usage.
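A Nagios-style prelogin check of the kind described above, as an added example that is not part of this guide, PAN-OS or Nagios. It assumes the portal serves the prelogin page at /global-protect/prelogin.esp (a gateway at /ssl-vpn/prelogin.esp) and answers with an XML document whose <status> element reads Success; the sample responses are constructed, and the exit codes follow the Nagios plugin convention.

```python
"""Nagios-style check of the GlobalProtect prelogin page.

Added example, not part of this guide, PAN-OS or Nagios. Assumptions: the
portal serves the page at /global-protect/prelogin.esp (a gateway at
/ssl-vpn/prelogin.esp) and answers with an XML document whose <status>
element reads Success. The sample responses at the bottom are constructed.
"""
import ssl
import sys
import urllib.request
import xml.etree.ElementTree as ET

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3   # Nagios plugin exit codes


def evaluate_prelogin(body: bytes, expected_status: str = "Success"):
    """Return (exit code, message) for a prelogin response body. Anything that
    is not well-formed XML with the expected root and status is CRITICAL, so a
    load-balancer error page or a captive portal never counts as healthy."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return CRITICAL, f"prelogin response is not XML: {exc}"
    if root.tag != "prelogin-response":
        return CRITICAL, f"unexpected root element <{root.tag}>"
    status = (root.findtext("status") or "").strip()
    if status != expected_status:
        return CRITICAL, f"prelogin status is {status!r}, expected {expected_status!r}"
    return OK, "prelogin status Success"


def fetch_prelogin(host: str, path: str = "/global-protect/prelogin.esp",
                   timeout: float = 10.0, cafile=None) -> bytes:
    """Fetch the page over TLS with certificate verification left on; pass the
    root CA file for a self-signed gateway certificate instead of disabling it."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(f"https://{host}{path}", timeout=timeout,
                                context=ctx) as resp:
        return resp.read()


def check(host: str, fetch=fetch_prelogin):
    """Run one check; a network, TLS or HTTP failure is CRITICAL as well."""
    try:
        body = fetch(host)
    except Exception as exc:
        return CRITICAL, f"{host}: fetch failed: {exc}"
    code, msg = evaluate_prelogin(body)
    return code, f"{host}: {msg}"


# Constructed sample responses for offline use.
SAMPLE_OK = b"""<?xml version="1.0" encoding="UTF-8"?>
<prelogin-response><status>Success</status><ccusername></ccusername>
<authentication-message>Enter login credentials</authentication-message>
</prelogin-response>"""
SAMPLE_ERROR = b"""<prelogin-response><status>Error</status>
<msg>Valid client certificate is required</msg></prelogin-response>"""
SAMPLE_HTML = b"<html><body>502 Bad Gateway</body></html>"

if __name__ == "__main__":
    # With a hostname argument, check it live; otherwise evaluate the sample.
    if len(sys.argv) > 1:
        code, msg = check(sys.argv[1])
    else:
        code, msg = check("sample", lambda host: SAMPLE_OK)
    print(("OK", "WARNING", "CRITICAL", "UNKNOWN")[code] + " - " + msg)
    sys.exit(code)
```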
In this deployment there is only one instance of the GlobalProtect portal. If the portal becomes unavailable, new users (who have never connected to the portal before) will not be able to connect to GlobalProtect. However, existing users can use the cached portal client configuration to connect to one of the gateways.
Multiple virtual machine (VM) firewalls in AWS configured as GlobalProtect gateways provide gateway redundancy. Therefore, configuring gateways as a high availability (HA) pair is not required.


GlobalProtect Reference Architecture Configurations

To align your deployment with the reference architecture, review the following configuration checklists.
- Gateway Configuration
- Portal Configuration
- Policy Configurations

Gateway Configuration

- Disable split tunneling. To do this, ensure there are no Access Routes specified in Agent > Client Settings > Network Settings. See Configure a GlobalProtect Gateway.
- Enable No direct access to local network in Agent > Client Settings > Split Tunnel. See Configure a GlobalProtect Gateway.
- Enable the gateway to Accept cookie for authentication override. See Configure a GlobalProtect Gateway.

Portal Configuration

- Configure the Connect Method as Always-on (User logon). See Customize the GlobalProtect Agent.
- Set Use Single Sign-On (Windows only) to Yes. See Customize the GlobalProtect Agent.
- Configure the portal to Save User Credentials (set the value to Yes). See Define the GlobalProtect Agent Configurations.
- Enable the portal to Accept cookie for authentication override. See Define the GlobalProtect Agent Configurations.
- Configure the Cookie Lifetime as 20 hours. See Define the GlobalProtect Agent Configurations.
- Enforce GlobalProtect for network access. See Customize the GlobalProtect Agent.
- Configure Internal Host Detection. See Define the GlobalProtect Agent Configurations.
- Enable the Collect HIP Data option in Data Collection. See Define the GlobalProtect Agent Configurations.
- Distribute and install the SSL Forward Proxy CA certificate used for SSL Decryption. See Define the GlobalProtect Agent Configurations.

Policy Configurations

- Configure all firewalls to use security policies and profiles based on the Best Practice Internet Gateway Security Policy. In this reference deployment, this includes the Santa Clara Gateway in the colocation space and the gateways in the AWS/Azure public cloud.
- Enable SSL Decryption on all gateways in AWS and Azure.
- Configure Policy-Based Forwarding rules for all gateways in AWS to forward traffic to certain websites through the Santa Clara Gateway. This ensures that sites like www.stubhub.com and www.lowes.com that block traffic from AWS IP address ranges are still accessible when users connect to gateways in AWS.
