GlobalProtect for Internal HIP Checking and User-Based Access
When used in conjunction with User-ID and/or
HIP checks, an internal gateway provides a secure, accurate method
of identifying and controlling traffic by user and/or device state,
replacing other network access control (NAC) services. Internal
gateways are useful in sensitive environments that require authenticated
access to critical resources.
In a configuration with only
internal gateways, all endpoints must be configured with User-Logon
(Always On); On-Demand mode is not supported. It is also recommended
that you configure all client configurations to use single sign-on
(SSO). In addition, since internal hosts do not need to establish
a tunnel connection with the gateway, the IP address of the physical
network adapter on the endpoint is used.
In this quick config,
the internal gateways enforce group-based policies that allow users
in the Engineering group access to the internal source control and
bug databases and users in the Finance group access to the CRM applications.
All authenticated users have access to internal web resources. In
addition, HIP profiles configured on the gateway check each host
to ensure compliance with internal maintenance requirements, such
as whether the latest security patches are installed, whether disk
encryption is enabled, or whether the required software is installed.
Use
the following steps to configure a GlobalProtect internal gateway.
In this configuration, you must set up interfaces on each
firewall hosting a portal and/or a gateway. Because this configuration
uses internal gateways only, you must configure the portal and gateways
on interfaces in the internal network.
Use the
default
virtual
router for all interface configurations to avoid creating inter-zone
routing.
On each firewall hosting a portal/gateway:
Select an Ethernet port to host the portal/gateway, and
then configure a Layer3 interface with an IP address in the
l3-trust
Security
Zone
(
Network
Interfaces
Ethernet
).
Enable User Identification
on
the
l3-trust
zone.
If any of your end users will be accessing the GlobalProtect
app on their mobile devices, or if you plan on using HIP-enabled
security policy, purchase and install a GlobalProtect subscription
for each firewall hosting an internal gateway.
After you
purchase the GlobalProtect subscriptions and receive your activation code,
install the GlobalProtect subscriptions on the firewalls hosting
your gateways, as follows:
Select
Device
Licenses
.
Select
Activate feature using authorization code
.
When prompted, enter the
Authorization Code
,
and then click
OK
.
Verify that the license was activated successfully.
Contact your Palo Alto Networks Sales Engineer or Reseller
if you do not have the required licenses. For more information on
licensing, see About
GlobalProtect Licenses.
Obtain server certificates for the GlobalProtect portal
and each GlobalProtect gateway.
In order to connect to the portal for the first time, the
endpoints must trust the root CA certificate used to issue the portal
server certificate. You can either use a self-signed certificate
on the portal and deploy the root CA certificate to the endpoints
before the first portal connection, or obtain a server certificate
for the portal from a trusted CA.
You can use self-signed
certificates on the gateways.
Define how you will authenticate users to the portal
and gateways.
You can use any combination of certificate profiles and/or
authentication profiles as necessary to ensure the security of your
portal and gateways. Portals and individual gateways can also use
different authentication schemes. See the following sections for
step-by-step instructions:
Create
the HIP objects to filter the raw host data collected by the app. For
example, if you want to prevent users that are not up-to-date with
required patches from connecting, you might create a HIP object
to match on whether the patch management software is installed and
that all patches with a given severity are up-to-date.
For example, if you want to ensure that only Windows users
with up-to-date patches can access your internal applications, you
might attach the following HIP profile that will match hosts that
do NOT have a missing patch:
Configure the internal gateways.
Select
Network
GlobalProtect
Gateways
, and then select an
existing internal gateway or
Add
a new gateway. Configure
the following gateway settings:
Interface
IP Address
Server Certificate
Authentication Profile
and/or
Configuration
Profile
Note that it is not necessary to
configure the client settings in the gateway configurations (unless
you want to set up HIP notifications) because tunnel connections
are not required. See Configure
a GlobalProtect Gateway for step-by-step instructions on
creating the gateway configurations.