GlobalProtect
Set Up GlobalProtect Connectivity to Cortex Data Lake
Table of Contents
Set Up GlobalProtect Connectivity to Strata Logging Service
Strata Logging Service
Set up GlobalProtect connectivity so that the GlobalProtect app can authenticate with
Strata Logging Service
for log collection. You must set up GlobalProtect connectivity so that the GlobalProtect app can authenticate with
Strata Logging Service
for log collection. Only one client certificate is
used per tenant. For example, all the end users endpoints that are hosted by a
Prisma Access tenant will obtain the same certificate pushed from the portal
configuration. The client certificate is valid for 1 year. The GlobalProtect app
uses the client certificate and the Strata Logging Service
instance to send
the GlobalProtect App Troubleshooting logs to Strata Logging Service
. Based on the Cloud Services plugin version, you must set up GlobalProtect connectivity to
Strata Logging Service
by using the command line interface (CLI) or the
Panorama web interface that manages Prisma Access:With
Cloud Managed Prisma Access, you can enable Log Collection for Troubleshooting for
the GlobalProtect app by using the Prisma Access app on the hub
to generate the certificate and to automatically import it so that
the app can authenticate with
Strata Logging Service
for log collection.
The certificate is automatically displayed in the Certificate
Management
page, and is pushed as the client certificate
to the Prisma Access portal.Set Up GlobalProtect Connectivity to Strata Logging Service (Cloud
Services Plugin 2.0 Innovation)
Strata Logging Service
(Cloud
Services Plugin 2.0 Innovation)With the Cloud Services plugin 2.0 Innovation,
if you have a deployment that uses Prisma Access or the next-generation
firewall, you must use the Panorama web interface to set up GlobalProtect
connectivity so that the GlobalProtect app can authenticate with
Strata Logging Service
for log collection.- Use the Strata Logging Service Estimator to calculate the amount of storage you need inStrata Logging Service.
- Generate a client certificate that is used to establish a connection from the GlobalProtect app toStrata Logging Service.
- Use the Panorama web interface that manages Prisma Access to generate a client certificate.
- Log in to the Panorama that manages Prisma Access.
- Select .
- SelectGenerate Certificate for GlobalProtect App Log Collection and Autonomous DEM.
- For Prisma Access deployments, clickYesto generate a client certificate.If you configure Prisma Access to manage a single tenant, theglobalprotect_app_log_certcertificate is automatically imported to theMobile_User_Templateand theSharedlocation.If you configure Prisma Access to manage multiple tenants, theglobalprotect_app_log_certcertificate is automatically imported to the second mobile user template after the first and namedmu-tpl-tenant. Theglobalprotect_app_log_certcertificate is imported to the additional tenants.After theglobalprotect_app_log_certcertificate has been generated and downloaded to , you receive a success message. TheMobile_User_Templateis selected automatically as theTemplateandSharedis selected automatically as theLocation.
- In next-generation firewall deployments, select anyTemplatefrom the drop-down andLocationfrom the drop-down.ClickYesto generate a client certificate.
After theglobalprotect_app_log_certcertificate has been generated and downloaded to , you receive a success message. The assigned template is selected automatically as theTemplateand the assigned location is selected automatically as theLocation.
- (Optional) In next-generation firewall deployments, copy theglobalprotect_app_log_certcertificate to another template and location.SelectCopy Certificate for GlobalProtect App Log Collection and Autonomous DEM.
Select anotherTemplatefrom the drop-down andLocationfrom the drop-down.ClickYesto generate a client certificate.
After theglobalprotect_app_log_certcertificate has been generated and downloaded to , you receive a success message. The assigned template is selected automatically as theTemplateand the assigned location is selected automatically as theLocation.
- (Optional) Request a new client certificate before the certificate expires.The client certificate has a lifespan of 1 year.
- In Panorama, select
- Select the tenant you created from theTenantdrop-down.
- Select .
- SelectRenew Certificate for GlobalProtect App Log Collection and Autonomous DEM.
- ClickYesto renew and download another client certificate. The assigned template is associated automatically as theTemplateand the assigned location is associated automatically as theLocation.
- Create or modify the existing GlobalProtect agent configuration for a specific group of users.To enable the GlobalProtect app log collection for troubleshooting, you must define the agent configuration for a specific group of users to send the logs toStrata Logging Service.
- In Panorama, select .
- Select theMobile_User_Templatefrom theTemplatedrop-down.If you set up a deployment that includes multiple instances of Prisma Access on a single Panorama (multi-tenancy), you can select another template associated with the configuration.
- SelectGlobalProtect_Portalto edit the Prisma Access portal configuration.
- Select theAgenttab.
- Select theAgenttab and select the agent configuration.
- Select theLocal(default) andDEFAULTglobalprotect_app_log_certfrom theClient Certificatedrop-down.After you "Enable Autonomous DEM and GlobalProtect Log Collection for Troubleshooting" and pushglobalprotect_app_log_certto the client machine, one root CA, two intermediate CAs, and one client certificate, issued by Palo Alto Networks, are installed in the user's Personal store.Palo Alto Networks automatically generates theStrata Logging Serviceclient certificate, so the root CA certificate and intermediate CA certificate must be owned by Palo Alto Networks. Palo Alto Networks can add the root certificate to portal configuration so that the GlobalProtect client can install it as a trusted root CA to the machine if they want to do so.Because theClient Certificateis used to push theStrata Logging Servicecertificate, you cannot push the client certificate to authenticate to the portal or gateway either using aLocalcertificate type (default) or Simple Certificate Enrollment Protocol (SCEP).
Set Up GlobalProtect Connectivity to Strata Logging Service (Cloud
Services Plugin 1.8 and 2.0 Preferred)
Strata Logging Service
(Cloud
Services Plugin 1.8 and 2.0 Preferred)With the Cloud Services plugin 1.8 and 2.0 Preferred, you must use the commands to set up
GlobalProtect connectivity so that the GlobalProtect app can authenticate with
Strata Logging Service
for log collection.- Use the Strata Logging Service Estimator to calculate the amount of storage you need inStrata Logging Service.
- Generate a client certificate that is used to establish a connection from the GlobalProtect app toStrata Logging Service.
- Open a CLI session with administrator privileges, using the same IP address that you use to log in to the Panorama that manages Prisma Access.
- Enter therequest plugins cloud_services gpclient_cert fetchcommand, as shown in the following example:admin-Panorama>request plugins cloud_services gpclient_cert fetchSuccess Successfully imported globalprotect_gp_log_cert into candidate configurationIf a client certificate is already generated, the command output is as follows:admin-Panorama>request plugins cloud_services gpclient_cert fetchcertificate exists and not expired
- Commit your changes on Panorama.
- Verify the status of the client certificate by entering the following command:admin-Panorama>request plugins cloud_services gpclient_cert statuscertificate globalprotect_app_log_cert is valid till Oct 22 21:55:39 2021 GMT
- Export thegp_app_log_certcertificate from the Panorama certificate store.
- In Panorama, select , select thegp_app_log_certcertificate, andExport Certificate.
- SelectEncrypted Private Key and Certificate (PKCS12)from theFile Formatdrop-down to export the certificate and private key in a single file.
- Enter aPassphraseandConfirm Passphraseto import the certificate key.
- ClickOKand save the certificate/key file to your computer.
- Import thegp_app_log_certcertificate to the Panorama template where the GlobalProtect portal configuration resides.If you configure Prisma Access to manage a single tenant, you must import thegp_app_log_certcertificate to theMobile_User_Template.If you configure Prisma Access to manage multiple tenants, you must import thegp_app_log_certcertificate to the second mobile user template automatically created after the first and namedmu-tpl-tenant. You must import thegp_app_log_certcertificate to the additional tenants.
- In Panorama, select , and then clickImport.
- For theCertificate Type, selectLocal.
- Entergp_app_log_certas theCertificate Name.
- Browsefor the certificate file that you exported.
- Enter thePassphraseandConfirm Passphraseused to encrypt the private key.
- ClickOKto import the certificate.
- Create or modify the existing GlobalProtect agent configuration for a specific group of users.To enable the GlobalProtect app log collection for troubleshooting, you must define the agent configuration for a specific group of users to send the logs toStrata Logging Service.
- In Panorama, select .
- Select theMobile_User_Templatefrom theTemplatedrop-down.If you set up a deployment that includes multiple instances of Prisma Access on a single Panorama (multi-tenancy), you can select another template associated with the configuration.
- SelectGlobalProtect_Portalto edit the Prisma Access portal configuration.
- Select theAgenttab.
- Select theAgenttab and select theDEFAULTagent configuration.
- Select theLocal(default) andgp_app_log_certfrom theClient Certificatedrop-down.Because theClient Certificateis used to push theStrata Logging Servicecertificate, you cannot push the client certificate to authenticate to the portal or gateway either using aLocalcertificate type (default) or Simple Certificate Enrollment Protocol (SCEP).
