Cheat Sheet: GlobalProtect for Cloud Management of NGFWs
Focus
Focus
Next-Generation Firewall

Cheat Sheet: GlobalProtect for Cloud Management of NGFWs

Table of Contents

Cheat Sheet: GlobalProtect for Cloud Management of NGFWs

Enable your cloud-managed NGFWs to work as GlobalProtect portals and gateways, to provide flexible, secure remote access to users everywhere.
Where Can I Use This?What Do I Need?
  • Strata Cloud Manager
  • NGFW (Managed by Strata Cloud Manager)
GlobalProtect with cloud-managed NGFWs offers a comprehensive infrastructure for securing your mobile workforce. You can use Strata Cloud Manager to centrally manage GlobalProtect and your cloud-managed NGFWs. Enable your cloud-managed NGFWs as GlobalProtect gateways and portals, to provide flexible, secure remote access to users everywhere. This infrastructure includes the following components:
  • GlobalProtect portal—The GlobalProtect portal provides the management functions for your GlobalProtect infrastructure. Every endpoint that participates in the GlobalProtect network receives configuration information from the portal, including information about available gateways as well as any client certificates that are required to connect to one or more GlobalProtect gateways. You can set up access to the GlobalProtect portal on an interface on the cloud-managed NGFWs.
  • GlobalProtect gateways—The GlobalProtect gateways provide security enforcement for traffic originating from GlobalProtect applications. You can configure the NGFWs as external gateways by referencing the NGFWs' GlobalProtect gateway IP addresses, eliminating manual configuration and reducing the risk of configuration errors.

Get Started

To configure cloud-managed NGFWs to function as GlobalProtect portals and gateways, follow these steps:
  1. Ensure you have completed the following prerequisites:
    • Created interfaces and zones for each firewall hosting a portal and/or a gateway. For gateways that require tunnel connections, configure both the physical and virtual tunnel interfaces.
    • Set up the portal server certificate, gateway server certificate, SSL/TLS service profile, and optionally deploy any client certificates to enable SSL/TLS connections for GlobalProtect services.
    • Created the authentication profiles and certificate profiles that the portals and gateways can utilize to authenticate GlobalProtect users.
    • Established a fully qualified domain name (FQDN) alias for the interface where you plan to configure the gateway. For example, paloaltonetworks.com. Utilizing FQDN simplifies management as DNS resolves to the IP addresses automatically, eliminating the need for manual updates when IP addresses change.
  2. Select ManageConfigurationNGFW and Prisma AccessDevice SettingsGlobalProtect.
  3. Choose the Configuration Scope where you want to configure cloud-managed NGFWs to work as GlobalProtect.
    Select Global to apply configuration settings across all your NGFWs. Alternatively, you can choose a specific folder or firewall from your Folders or a Snippet to apply configuration to a group of objects associated with a folder.
    For example, you might create a folder named California and put 60 firewalls in it and then create another folder named Hawaii and put 15 firewalls in that. You then create a snippet called CA-HI and apply it to the California and Hawaii folders. When you want to import configuration settings only to firewalls in California, you set the scope as Folder and select the California folder. If you want to import the configuration settings to both California and Hawaii, set the scope as Snippet and select the CA-HI snippet.
  4. Define the GlobalProtect Agent Settings.
    Customize the Agent App Settings.
    Explore all GlobalProtect agent app settings available to you.
    1. Select Agent SettingsAdd Agent App Settings.
    2. Enter a Name for the agent app setting.
    3. Define the Match Criteria to specify the users, devices, or systems that should receive the settings.
    4. Specify the external gateways to which users with this configuration can connect. You can configure the firewall gateways as external gateways only; not as internal gateways.
      • Add the External Gateway to which users can connect.
      • Enter a descriptive Name for the gateway. Ensure that the name matches the one defined during the gateway configuration to provide clarity for users regarding the gateway's location.
      • Select either the FQDN or IP address of the interface where the gateway is configured.
        • For IP address, choose the Device and Gateway configured on that device, along with the IPv4 address of the interface, instead of manually entering them.
      • Add one or more source regions for the gateway, or select Any to make the gateway available to all regions. GlobalProtect recognizes the region when users connect and restricts access to gateways configured for that region. The source region is considered first for gateway selection, followed by gateway priority.
      • Set the Priority of the gateway by clicking the field and selecting one of the following values:
        • If you have only one external gateway, leave the value set to Highest (the default).
        • If you have multiple external gateways, adjust the priority values (ranging from Highest to Lowest) to indicate a preference for the specific user group. For example, if you prefer that the user group connects to a local gateway, set the priority higher than that of more geographically distant gateways.
        • If you prefer applications not to automatically establish connections with the gateway, select Manual only. This setting is useful in testing environments.
      • Select Manual to allow users to manually switch to the gateway.
      • Save your changes.
    Customize the Agent Tunnel Settings.
    Customize the settings for the VPN tunnel the GlobalProtect establishes to connect to the firewall. Explore all GlobalProtect agent tunnel settings available to you.
    1. Select Agent SettingsAdd Agent Tunnel Settings.
    2. Enter a Name and define the Match Criteria to specify the users, devices, or systems that should receive the settings. For example, you could indicate that a tunnel settings rule applies to all instances of the GlobalProtect app in a specific region.
    3. Exclude Traffic to not send video streaming traffic from the listed applications to the firewall. Specify traffic to exclude from firewall policy inspection and enforcement based on application, domain, and route.
  5. Define how the GlobalProtect portals and gateways authenticate users using Profiles.
    Configure GP Authentication Profiles.
    Explore all GlobalProtect agent tunnel settings available to you.
    1. Select ProfilesGP Authentication ProfilesAdd Profile. You can configure the GlobalProtect portal to authenticate users through a local user database or an external authentication service, such as LDAP, Kerberos, TACACS+, SAML, RADIUS (including OTP), or Cloud Identity Engine (CIE).
    2. Enter a Name to identify the client authentication configuration.
    3. Specify the endpoints to which you want to deploy this configuration. To apply this configuration to all endpoints, accept the default OS of Any.
    4. To enable users to authenticate to the portal or gateway using their user credentials, select or add an Authentication Profile.
    Configure Portal Agent Profiles.
    1. Select ProfilesPortal Agent ProfilesAdd Profile
    2. Enter a portal agent profile Name.
    3. Select the agent app setting you created in step 3 and Save the portal agent profile.
    Configure Gateway Agent Profiles.
    1. Select ProfilesGateway Agent ProfilesAdd Profile.
    2. Enter a gateway agent profile Name.
    3. Select the agent tunnel setting you created in step 3step 3 and Save the gateway agent profile.
  6. Attach the profiles created to the GlobalProtect Portals and Gateways.
    Attach the authentication profile to a portal.
    1. Select Portals and GatewaysPortalsAdd Portal.
    2. Name the portal.
    3. Specify the network settings such as interface and IP address type to enable the GlobalProtect app to communicate with the portal.
    4. Specify how the portal authenticates users by adding the SSL/TLS Service Profile and certificate profile that you configured for the portal.
    5. Save the portal configuration.
    Attach the authentication profile to a gateway.
    1. Select Portals and GatewaysGatewaysAdd Gateway.
    2. Name the gateway.
    3. Specify the network settings such as interface and IP address type that enables endpoints to connect to the gateway.
    4. Specify how the gateway authenticates users by adding the SSL/TLS Service Profile and certificate profile that you configured for the gateway.
    5. Save the gateway configuration.
  7. Push ConfigPush to push configuration changes to your NGFWs.