PAN-OS: Configuring GlobalProtect Portal and Gateway

Introduction to GlobalProtect

GlobalProtect™ is Palo Alto Networks' solution for providing secure remote access for mobile users (laptops, smartphones, tablets) to organizational resources. It extends the firewall's security policies and visibility to users regardless of their location. A typical GlobalProtect deployment involves two main components configured on the firewall:

Proper configuration of both Portal and Gateway is essential for a functioning GlobalProtect deployment.

Prerequisites

Before configuring the Portal and Gateway, ensure the following are in place:

Configuring the GlobalProtect Portal

Purpose and Location

The Portal acts as the initial point of contact and configuration delivery mechanism.

Key Configuration Tabs:

  1. General Tab:

    • Name: A unique name for the Portal configuration.
    • Interface: Select the firewall interface where the Portal will listen for connections (e.g., your primary external interface).
    • IP Address(es): Select the specific IPv4 and/or IPv6 address on the chosen interface.
  2. Authentication Tab:

    • SSL/TLS Service Profile: Crucial. Select the profile containing the server certificate the Portal will use to secure communication. Clients must trust this certificate.
    • Client Authentication: Click 'Add' to define how users authenticate *to the Portal*.
      • Authentication Profile: Select the pre-configured Authentication Profile (LDAP, SAML, etc.).
      • Specify OS, authentication message, etc.
  3. Agent Tab:

    This tab defines the configuration pushed down to the GlobalProtect agent software.

    • Click 'Add' under 'Agent Configurations'.
    • Config Name: Name for this specific agent config (e.g., `Default-Agent-Config`).
    • Client App Settings: Control agent behavior (Connect Method, User Credential Forwarding, etc.).
    • Authentication Override: Settings related to cookie authentication for seamless connection to gateways.
    • External Tab (Gateways): Crucial. Define the list of Gateways the agent can connect to.
      • Click 'Add' under External Gateways.
      • Name: Descriptive name (e.g., `Primary-GW`).
      • Address: Enter the FQDN or IP address of the GlobalProtect Gateway. Using an FQDN is highly recommended as it allows for DNS-based load balancing or changes without needing to push new client configs.
      • Set Source Region and Priority for gateway selection logic.
    • Internal Tab (Gateways): Define gateways for internal use (when the client detects it's inside the corporate network). Often uses Internal Host Detection.
    • HIP Data Collection: Configure Host Information Profile (HIP) settings if used.
  4. Satellite Tab:

    Used for LSVPN (Large Scale VPN) configurations, where the Portal provides configuration to satellite firewalls, not end-user clients. Not typically configured for standard remote access VPN.

Configuring the GlobalProtect Gateway

Purpose and Location

The Gateway terminates the VPN tunnels and enforces policy on user traffic.

Key Configuration Tabs:

  1. General Tab:

    • Name: A unique name for the Gateway configuration.
    • Interface: Select the firewall interface where the Gateway will listen for tunnel connections (often the same external interface as the Portal, but can be different).
    • IP Address(es): Select the specific IPv4 and/or IPv6 address on the chosen interface.
  2. Authentication Tab:

    • SSL/TLS Service Profile: Crucial. Select the profile containing the server certificate the Gateway will use to secure tunnel negotiation/establishment. Clients must trust this certificate. Often the same profile as the Portal.
    • Client Authentication: Click 'Add' to define how users authenticate *to establish the VPN tunnel*.
      • Authentication Profile: Select the pre-configured Authentication Profile. This *can* be the same as the Portal auth profile, but might be different (e.g., Portal uses SAML, Gateway uses LDAP or certificate + cookie).
      • Specify OS, authentication message, etc.
      • Authentication Modifier (Cookie): Enable if using cookie authentication for seamless connection after Portal login. Requires matching settings on the Portal Agent config.
  3. Agent Tab:

    Defines tunnel parameters and client settings provided by this *specific* gateway.

    • Tunnel Settings Tab:
      • Tunnel Interface: Crucial. Select the pre-configured logical Tunnel Interface (e.g., `tunnel.10`) that will terminate the GP tunnels for this gateway.
      • Enable IPSec: Recommended for better performance. The client will attempt IPSec first, falling back to SSL if IPSec fails (e.g., blocked by intermediate firewall). If unchecked, only SSL tunnels are used.
      • Tunnel Mode: Select the tunnel mode (usually just 'Tunnel Mode').
      • Set IPSec Crypto profiles, timers, etc. if IPSec is enabled.
    • Client Settings Tab:
      • Click 'Add' under 'Client Configuration'.
      • Config Name: Name for this client config (e.g., `Default-Client-Settings`).
      • Network Settings:
        • IP Pool: Crucial. Select the IP address pool(s) to assign to connecting clients.
        • DNS Servers: Provide Primary/Secondary DNS server IPs for clients to use for name resolution.
        • (Optional) WINS, DNS Suffixes.
      • Split Tunnel Tab:
        • Access Route Configuration: Define which destination subnets should be sent *through* the VPN tunnel. Leaving this empty typically means *all* traffic goes through the tunnel (Full Tunnel). Adding specific internal subnets enables Split Tunneling.
        • Configure include/exclude lists for domains, applications, or video streaming services for more granular split tunneling.
    • Network Services Tab: Configure how DNS proxy functionality behaves if enabled.
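The Portal and Gateway settings above reduce to a handful of checks an engineer can run over an exported configuration before committing it. The script below is an added example, not Palo Alto Networks code: it lints a constructed XML fragment whose element names and nesting only approximate a PAN-OS running-config export, so every path in it is an assumption to be adjusted against a real export. It flags a missing SSL/TLS service profile or tunnel interface, external gateways addressed by IP rather than FQDN, a gateway that accepts authentication cookies no portal generates, a missing IP pool, a client configuration with no access routes (full tunnel), and an IP pool that overlaps an access route, which collides with the firewall's routing for that internal subnet.

```python
"""Lint GlobalProtect Portal/Gateway settings in a simplified PAN-OS-style XML export."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, modelled loosely on a PAN-OS config export. The element
# names and nesting are assumptions for this example, not a verified vendor schema.
SAMPLE_CONFIG = """<config><global-protect>
  <global-protect-portal><entry name="GP-Portal">
    <portal-config>
      <ssl-tls-service-profile>GP-TLS-Profile</ssl-tls-service-profile>
      <client-auth><entry name="all-users"><authentication-profile>Corp-SAML</authentication-profile></entry></client-auth>
    </portal-config>
    <client-config><configs><entry name="Default-Agent-Config">
      <authentication-override><generate-cookie>yes</generate-cookie></authentication-override>
      <gateways><external><list>
        <entry name="Primary-GW"><fqdn>gw1.example.com</fqdn><priority>1</priority></entry>
        <entry name="Backup-GW"><ip>203.0.113.10</ip><priority>2</priority></entry>
      </list></external></gateways>
    </entry></configs></client-config>
  </entry></global-protect-portal>
  <global-protect-gateway><entry name="GP-Gateway">
    <tunnel-interface>tunnel.10</tunnel-interface>
    <ssl-tls-service-profile>GP-TLS-Profile</ssl-tls-service-profile>
    <remote-user-tunnel-configs><entry name="Default-Client-Settings">
      <authentication-override><accept-cookie>yes</accept-cookie></authentication-override>
      <ip-pool><member>10.99.0.0/24</member></ip-pool>
      <dns-server><member>10.1.1.53</member></dns-server>
      <split-tunneling><access-route>
        <member>10.1.0.0/16</member>
        <member>10.99.0.0/16</member>
      </access-route></split-tunneling>
    </entry></remote-user-tunnel-configs>
  </entry></global-protect-gateway>
</global-protect></config>"""


def _text(elem, path):
    """Stripped text of the first child at `path`, or '' if absent."""
    node = elem.find(path)
    return (node.text or "").strip() if node is not None else ""


def lint_globalprotect(xml_text):
    """Return findings as 'LEVEL scope: message' strings; an empty list means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    portal_generates_cookies = False

    for entry in root.findall(".//global-protect-portal/entry"):
        name = entry.get("name")
        if not _text(entry, "portal-config/ssl-tls-service-profile"):
            findings.append(f"ERROR {name}: no SSL/TLS service profile on the portal")
        if entry.find("portal-config/client-auth/entry") is None:
            findings.append(f"ERROR {name}: no client authentication entry on the portal")
        for cfg in entry.findall("client-config/configs/entry"):
            scope = f"{name}/{cfg.get('name')}"
            if _text(cfg, "authentication-override/generate-cookie") == "yes":
                portal_generates_cookies = True
            gateways = cfg.findall("gateways/external/list/entry")
            if not gateways:
                findings.append(f"ERROR {scope}: no external gateways listed")
            for gw in gateways:
                if not _text(gw, "fqdn"):  # IP-addressed gateway: every address change needs a new client config
                    findings.append(f"WARN {scope}: gateway {gw.get('name')} is addressed by IP; "
                                    "an FQDN lets DNS absorb address changes without a new client config")

    for entry in root.findall(".//global-protect-gateway/entry"):
        name = entry.get("name")
        if not _text(entry, "tunnel-interface"):
            findings.append(f"ERROR {name}: no tunnel interface selected")
        if not _text(entry, "ssl-tls-service-profile"):
            findings.append(f"ERROR {name}: no SSL/TLS service profile on the gateway")
        for cfg in entry.findall("remote-user-tunnel-configs/entry"):
            scope = f"{name}/{cfg.get('name')}"
            if _text(cfg, "authentication-override/accept-cookie") == "yes" and not portal_generates_cookies:
                findings.append(f"WARN {scope}: gateway accepts auth cookies but no portal agent config generates them")
            pools = [ipaddress.ip_network(m.text.strip()) for m in cfg.findall("ip-pool/member")]
            if not pools:
                findings.append(f"ERROR {scope}: no IP pool assigned")
            if cfg.find("dns-server/member") is None:
                findings.append(f"WARN {scope}: no DNS servers pushed to clients")
            routes = [ipaddress.ip_network(m.text.strip())
                      for m in cfg.findall("split-tunneling/access-route/member")]
            if not routes:  # empty access-route list means the agent tunnels everything
                findings.append(f"INFO {scope}: no access routes, so all client traffic is tunneled (full tunnel)")
            for pool in pools:
                for route in routes:
                    if pool.overlaps(route):
                        findings.append(f"ERROR {scope}: IP pool {pool} overlaps access route {route}; "
                                        "carve the pool from address space not used internally")
    return findings


if __name__ == "__main__":
    for finding in lint_globalprotect(SAMPLE_CONFIG):
        print(finding)
```

On the constructed sample this reports the IP-addressed backup gateway and the pool carved out of the 10.99.0.0/16 access route; deleting the access routes instead turns the overlap error into the full-tunnel notice.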

Supporting Configuration (Essential Steps)

Required Objects and Policies

Simply configuring the Portal and Gateway objects isn't enough. The following must also be configured:

Visualization

```mermaid
graph TD
    subgraph "Remote User"
        GPClient["GlobalProtect Agent"]
    end

    subgraph "Internet"
        I{{"Public Network"}}
    end

    subgraph "Firewall"
        ExtIntf("External Interface<br/>e.g., eth1/1") --- P("GP Portal<br/>Delivers Config,<br/>GW List")
        ExtIntf --- G("GP Gateway<br/>Terminates Tunnel")
        P -- Provides GW Info --> GPClient
        G -- Establishes Tunnel --> GPClient
        TunIntf("Tunnel Interface<br/>e.g., tunnel.10<br/>Zone: VPN") -- Terminates --> G
        TunIntf -- Member of --> VR("Virtual Router")
        VR -- Routes Traffic --> IntZone("Internal Zone<br/>e.g., Trust")
        SecPol("Security Policy<br/>VPN Zone to Trust Zone") -- Allows --> TrafficFlow
        NoNAT("NAT Policy<br/>No-NAT for VPN Pool") -- Applies to --> TrafficFlow
    end

    subgraph "Internal Network"
        IntRes("Internal Resources<br/>Servers, Apps")
    end

    GPClient -- 1. Connects to Portal --> P
    GPClient -- 2. Connects to Gateway --> G
    GPClient -- Tunneled Traffic --> TunIntf
    TrafficFlow("User Traffic") -- Goes via VR --> IntZone --> IntRes

    linkStyle 0 stroke-width:1px,color:gray
    linkStyle 1 stroke-width:1px,color:gray
    linkStyle 2 stroke:#007bff,stroke-width:2px,color:blue
    linkStyle 3 stroke:#007bff,stroke-width:2px,color:blue
    linkStyle 4 stroke-width:1px,color:gray
    linkStyle 5 stroke-width:1px,color:gray
    linkStyle 6 stroke-width:1px,color:gray
    linkStyle 7 stroke-width:1px,color:gray
    linkStyle 8 stroke:#28a745,stroke-width:2px,color:green
    linkStyle 9 stroke:#28a745,stroke-width:2px,color:green
    linkStyle 10 stroke:#6f42c1,stroke-width:2px,color:purple
    linkStyle 11 stroke:#6f42c1,stroke-width:2px,color:purple
```

Simplified GlobalProtect Connection Flow.

Best Practices

PCNSE Exam Focus

For the PCNSE exam, regarding GlobalProtect Portal and Gateway configuration:

GlobalProtect Portal/Gateway Quiz

1. What is the primary function of the GlobalProtect Portal?

The Portal acts as the initial contact, authenticating the user (for portal access), verifying HIP checks (optional), and providing the necessary configuration (available gateways, agent settings) to the client agent.

2. Which component of the GlobalProtect configuration is responsible for terminating the actual VPN tunnel and enforcing security policies on the tunneled traffic?

The Gateway is the endpoint for the tunnel itself. It handles user authentication for tunnel establishment, decrypts traffic, enforces security policies, and routes traffic to internal networks.

3. Where does an administrator configure the list of available GlobalProtect Gateways that the client agent should try to connect to?

The Portal is responsible for delivering the configuration to the agent, including the list of gateways (their addresses, priorities, etc.). This is configured within the Agent section of the Portal settings.

4. Which configuration object is selected in the GlobalProtect Gateway settings (Agent > Tunnel Settings) to logically terminate the VPN tunnels?

A pre-configured logical Tunnel Interface must be selected within the Gateway's Tunnel Settings. This interface is then assigned to a Security Zone and Virtual Router to integrate the VPN traffic into the firewall's policy and routing structure.

5. What setting within the GlobalProtect Gateway's Client Settings configuration determines which networks the client sends through the VPN tunnel versus accessing directly?

The Access Routes configuration within the Split Tunnel settings defines which destination networks are included (sent via the tunnel) or excluded (sent via the client's local internet connection).

6. What type of certificate is typically required and configured in an SSL/TLS Service Profile for both the GlobalProtect Portal and Gateway?

Both the Portal and Gateway present themselves as servers to the client. They require a Server Certificate, specified within an SSL/TLS Service Profile, to secure the HTTPS and tunnel setup communications. This certificate needs to be trusted by the client devices.

7. After configuring the Portal and Gateway, what crucial policy must be created to allow GlobalProtect users to access internal resources?

Traffic arriving through the VPN tunnel enters the firewall via the Tunnel Interface, which resides in a designated VPN Security Zone. A Security Policy rule is mandatory to permit this traffic to flow from the VPN zone to internal zones like Trust or DMZ.

8. What is the purpose of configuring a "No NAT" rule for GlobalProtect traffic?

Typically, when VPN clients access internal resources, you want the internal servers to see the client's assigned VPN IP address (from the IP Pool) as the source. A No-NAT rule ensures that this traffic isn't source NATted by a broader outbound NAT rule as it goes to internal networks.
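Questions 7 and 8 describe two rulebases a VPN flow must pass through, and both are evaluated top-down with first match winning, so a correct no-NAT rule placed below a broader source-NAT rule is silently shadowed and never applies. The script below is an added example, not from the page or from PAN-OS: it evaluates constructed security and NAT rulebases against a sample VPN-pool-to-internal flow the way the firewall would, reports a missing allow rule or a shadowed no-NAT rule, and re-checks after moving the no-NAT rule above the rule that shadowed it. Zone names, addresses and rule names are all constructed.

```python
"""First-match simulation of security and NAT rulebases for a GlobalProtect flow."""
import ipaddress

# Constructed, ordered rulebases: first match wins, as on the firewall.
SECURITY_RULES = [
    {"name": "Block-Quarantine", "from": "VPN", "to": "Trust",
     "src": "10.99.0.0/24", "dst": "10.1.50.0/24", "action": "deny"},
    {"name": "GP-to-Trust", "from": "VPN", "to": "Trust",
     "src": "10.99.0.0/24", "dst": "any", "action": "allow"},
    {"name": "Trust-Outbound", "from": "Trust", "to": "Untrust",
     "src": "any", "dst": "any", "action": "allow"},
]
NAT_RULES = [
    # Meant for full-tunnel users reaching the internet, but "to any" also
    # catches VPN-pool traffic headed for the Trust zone.
    {"name": "GP-Internet-SNAT", "from": "VPN", "to": "any",
     "src": "any", "dst": "any", "translate": "dynamic-ip-and-port"},
    # The no-NAT rule is correct, but shadowed by the rule above it.
    {"name": "GP-No-NAT", "from": "VPN", "to": "Trust",
     "src": "10.99.0.0/24", "dst": "10.1.0.0/16", "translate": None},
]


def _zone_matches(spec, zone):
    return spec == "any" or spec == zone


def _addr_matches(spec, ip):
    return spec == "any" or ip in ipaddress.ip_network(spec)


def first_match(rules, flow):
    """Return the first rule matching `flow` (from/to zone, src/dst address), or None."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    for rule in rules:
        if (_zone_matches(rule["from"], flow["from"]) and _zone_matches(rule["to"], flow["to"])
                and _addr_matches(rule["src"], src) and _addr_matches(rule["dst"], dst)):
            return rule
    return None


def audit_internal_flow(security_rules, nat_rules, flow):
    """Findings for a VPN-pool -> internal-zone flow: it must be allowed and must not be source-NATted."""
    findings = []
    sec = first_match(security_rules, flow)
    if sec is None or sec["action"] != "allow":
        hit = "no rule" if sec is None else sec["name"]
        findings.append(f"SECURITY: {flow['src']}->{flow['dst']} hits {hit}; "
                        f"needs an allow rule from zone {flow['from']} to {flow['to']}")
    nat = first_match(nat_rules, flow)
    if nat is not None and nat["translate"] is not None:
        # A no-NAT rule that would match this flow exists but sits below the translating rule.
        shadowed = [r["name"] for r in nat_rules
                    if r["translate"] is None and first_match([r], flow) is not None]
        hint = f"; move {shadowed[0]} above it" if shadowed else "; add a no-NAT rule above it"
        findings.append(f"NAT: {nat['name']} source-NATs the VPN pool ({nat['translate']}){hint}")
    return findings


def move_rule_above(rules, name, target):
    """Return a copy of `rules` with rule `name` placed directly above rule `target`."""
    moving = next(r for r in rules if r["name"] == name)
    rest = [r for r in rules if r["name"] != name]
    idx = next(i for i, r in enumerate(rest) if r["name"] == target)
    return rest[:idx] + [moving] + rest[idx:]


if __name__ == "__main__":
    flow = {"from": "VPN", "to": "Trust", "src": "10.99.0.25", "dst": "10.1.10.5"}
    print("before:", audit_internal_flow(SECURITY_RULES, NAT_RULES, flow))
    fixed = move_rule_above(NAT_RULES, "GP-No-NAT", "GP-Internet-SNAT")
    print("after: ", audit_internal_flow(SECURITY_RULES, fixed, flow))
```

The audit is deliberately scoped to internal-bound flows: for a full-tunnel user browsing the internet through the Untrust interface, source NAT is exactly what you want, so that flow should be checked against a different expectation.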

9. Which GlobalProtect component requires a valid GlobalProtect subscription/license on the firewall?

A valid GlobalProtect subscription (license) is required on any firewall acting as either a Portal or a Gateway to enable the respective functionality.

10. Using an FQDN instead of an IP address for the Gateway address in the Portal configuration is recommended primarily because it:

Using an FQDN allows DNS to handle IP address changes or direct clients to different gateways (e.g., via Geo-DNS or round-robin) without requiring the Portal administrator to push a new configuration to all clients every time a gateway IP changes.
