Prisma Access Internal Gateway

Learn how to set up the Prisma Access internal gateway and its requirements.

Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)

What Do I Need?
  • Prisma Access and mobile user license
  • Minimum Required Prisma Access Version: 5.1
  • Minimum Required Dataplane Version for Prisma Access (Managed by Panorama): 10.2.4
  • Minimum Required GlobalProtect Client Version: 6.0
Previously, to generate IP user mappings and HIP reports for hosts running GlobalProtect client software in Prisma Access remote networks, you had to deploy an on-premises NGFW as an internal gateway. That solution isn't cloud-native. With the Prisma Access cloud-native internal gateway, you can avoid using on-premises internal gateways: the Prisma Access internal gateway generates the IP user mappings and HIPs locally in the remote networks. Remote networks consume the IP user mappings and HIPs from the local database for posture checks instead of learning them from other firewalls.
Note that you cannot deploy an internal gateway when a remote site has multiple IPsec tunnels to different remote network sites (for example, an active/active tunnel), or when it is a high-bandwidth site. The following diagram shows an example of a supported environment for an internal gateway deployment.
The following diagram provides examples of deployments where internal gateways are not supported.
Before you set up the Prisma Access internal gateway, onboard your mobile users.

Prisma Access Internal Gateway (Strata Cloud Manager)

Learn how to set up the Prisma Access internal gateway and its requirements.
Complete the following steps to set up the Prisma Access internal gateway.
  1. Notice that there are no internal host detection and internal gateway configurations at present.
  2. Make a note of the Remote Networks DNS IP Address from Workflows > Prisma Access Setup > Prisma Access.
  3. Make a note of the Gateway FQDNs from Workflows > Prisma Access Setup > GlobalProtect > Infrastructure > Infrastructure Settings > Gateway FQDNs.
  4. Select Workflows > Prisma Access Setup > Remote Networks > Advanced Settings.
  5. Edit the settings of Prisma Access Internal Gateway to enable the internal gateway and Save the changes.
    (Optional) Enable Internal Host Detection for IPv4 if you don't want to use your own DNS server. You can enable internal host detection only after you select Enable Internal Gateway.
    Prisma Access supports internal host detection only for the Always On connect method.
    When you enable the internal gateway, the remote network instances act as internal gateways. When you enable internal host detection, Prisma Access creates PTR records on the remote network DNS proxy servers for the internal host detection process.
  6. Select Workflows > Prisma Access Setup > GlobalProtect > GlobalProtect App.
  7. Select an app setting and view the internal host detection details and internal gateway details.
    When you enable the internal gateway and internal host detection in step 5, Prisma Access enables IPv4 internal host detection and the internal gateway here as well. Prisma Access populates the Remote Networks DNS IP Address value, from step 2, as the IP address.
    Note that IPv6 internal host detection on Prisma Access DNS proxies isn't supported.
    You can't remove this Prisma Access Internal Gateway entry. However, you can add your self-deployed internal gateways. You can deploy your own DNS servers in the internal network for internal host detection, but make sure that you add PTR records so that internal host detection is possible.
    Prisma Access appends the Gateway FQDNs value, from step 3, to the address.
    You can view the DNS proxy server IP address details by selecting Workflows > Prisma Access Setup > Prisma Access.
    If you enable Internal Host Detection, verify that DNS resolution is working: perform a reverse DNS lookup from your internal network to the DNS proxy server IP, and ensure that it returns an FQDN starting with any-igw.
  8. Push the changes to mobile users and remote networks at the same time.
  9. Log in to the endpoint.
    When you connect to GlobalProtect, you first authenticate with the GlobalProtect portal. Internal host detection triggers GlobalProtect to connect to the internal gateway. Then, as the GlobalProtect agent continues to operate in non-tunnel mode, the second authentication prompt appears and submits the host information to the internal gateway on the remote network.
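The reverse-lookup check in step 7 is the one thing in this procedure that can be verified from a host rather than from the console, so the following added example (not part of the Palo Alto Networks documentation or product) wraps it in a small script. It builds the in-addr.arpa name that GlobalProtect's internal host detection queries, resolves it, and checks that the PTR answer starts with any-igw and, optionally, ends with the Gateway FQDNs value from step 3. The DNS proxy IP 192.0.2.53 and the suffix example.gpcloudservice.com are constructed placeholders; substitute the values you noted in steps 2 and 3.

```python
import ipaddress
import socket
import sys

# Constructed placeholders (not values from the documentation). Replace them with the
# Remote Networks DNS IP Address (step 2) and the Gateway FQDNs value (step 3).
DNS_PROXY_IP = "192.0.2.53"
GATEWAY_FQDN_SUFFIX = "example.gpcloudservice.com"
EXPECTED_PREFIX = "any-igw"


def reverse_name(ip: str) -> str:
    """Return the in-addr.arpa name that a PTR query for `ip` is sent to.

    Internal host detection on Prisma Access DNS proxies is IPv4 only, so an
    IPv6 address is rejected rather than silently producing an ip6.arpa name.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("internal host detection on Prisma Access DNS proxies is IPv4 only")
    return addr.reverse_pointer  # e.g. "53.2.0.192.in-addr.arpa"


def ptr_looks_like_internal_gateway(hostname: str,
                                    prefix: str = EXPECTED_PREFIX,
                                    suffix: str = GATEWAY_FQDN_SUFFIX) -> bool:
    """True if the PTR answer is a name of the form any-igw...<gateway FQDN suffix>.

    Only the any-igw prefix is required by the documented check; the suffix check is an
    extra sanity check and is skipped when `suffix` is empty.
    """
    name = hostname.rstrip(".").lower()
    first_label = name.split(".")[0]
    if not first_label.startswith(prefix.lower()):
        return False
    if suffix and not name.endswith("." + suffix.lower()):
        return False
    return True


def check_internal_host_detection(ip: str = DNS_PROXY_IP, resolver=socket.gethostbyaddr):
    """Perform the reverse lookup from step 7 and report whether it would pass.

    `resolver` defaults to the system resolver (socket.gethostbyaddr) and is injectable so
    the logic can be exercised offline with a fake. Returns (ok, message).
    """
    try:
        qname = reverse_name(ip)
    except ValueError as exc:
        return False, str(exc)
    try:
        hostname, _aliases, _addrs = resolver(ip)
    except OSError as exc:  # socket.herror/gaierror are OSError subclasses
        return False, f"reverse lookup of {ip} ({qname}) failed: {exc}"
    if not ptr_looks_like_internal_gateway(hostname):
        return False, (f"PTR for {ip} is {hostname!r}; expected a name starting with "
                       f"{EXPECTED_PREFIX!r} (is the PTR record missing on the DNS proxy?)")
    return True, f"PTR for {ip} is {hostname!r}; internal host detection should succeed"


def _fake_resolver(ip: str):
    """Constructed answer standing in for the DNS proxy, used for the offline demo."""
    return (f"{EXPECTED_PREFIX}.{GATEWAY_FQDN_SUFFIX}", [], [ip])


if __name__ == "__main__":
    # Run with an IP argument to query the real resolver from inside the remote network;
    # with no argument, demonstrate the check against the constructed fake answer.
    if len(sys.argv) > 1:
        ok, msg = check_internal_host_detection(sys.argv[1])
    else:
        ok, msg = check_internal_host_detection(DNS_PROXY_IP, resolver=_fake_resolver)
    print(("PASS: " if ok else "FAIL: ") + msg)
    sys.exit(0 if ok else 1)
```

Run it from a host on the remote network, since the PTR records live on the remote network DNS proxy and a lookup from outside will not reach them. A failure with a NXDOMAIN-style error usually means the changes from step 8 have not been pushed to the remote network yet, or that a self-deployed DNS server is in use and lacks the PTR record.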

Prisma Access Internal Gateway (Panorama)

  1. Notice that there are no internal host detection and internal gateway configurations at present.
  2. Go to Panorama > Cloud Services > Configuration > Remote Networks > Settings.
  3. Enable Internal Gateway and save the changes.
    (Optional) Enable Prisma Access Internal Host Detection for IPv4 if you don't want to use your own DNS server. You can enable internal host detection only after you select Enable Internal Gateway.
    Prisma Access supports internal host detection only for the Always On connect method.
    When you enable the internal gateway, the remote network instances act as internal gateways. When you enable internal host detection, Prisma Access creates PTR records on the remote network DNS proxy servers for the internal host detection process.
    When you enable the internal gateway, Prisma Access creates an internal gateway configuration in a remote network template.
  4. Go to Templates > Network > GlobalProtect > Gateways and select Remote_Network_Template.
    You will find the GlobalProtect_Internal_Gateway template created for the internal gateway.
  5. Create an authentication profile for this remote network template similar to the authentication profile in the mobile user template.
    1. Select the remote network template, then the GlobalProtect_Internal_Gateway template hyperlink.
    2. Go to Authentication > Client Authentication.
    3. Edit the authentication profile details of the DEFAULT client authentication.
      Create an authentication profile that is the same as the one in the mobile user template. You can find the authentication profile used in the mobile user template under Template > Device > Authentication Profile; make sure that you select Mobile_User_Template.
      You can also view the authentication profile for the remote network template by selecting Templates > Device > Authentication Profile and then selecting Remote_Network_Template.
  6. Create a device certificate for the remote network template similar to the device certificate in the mobile user template.
    1. Select the remote network template, then the GlobalProtect_Internal_Gateway hyperlink.
    2. Go to Agent > Client Settings.
    3. Select the DEFAULT configuration, and go to the Authentication Override settings.
    4. Edit the Certificate to Encrypt/Decrypt Cookie settings, and create a new device certificate.
      Create a device certificate that is the same as the one in the mobile user template. You can find the device certificate used in the mobile user template under Template > Device > Certificate Management > Certificates > Device Certificates; make sure that you select Mobile_User_Template. The DEFAULT configuration references the Authentication Cookie CA certificate. Follow the same hierarchy as the one in Mobile_User_Template for successful authentication.
      You can also view the device certificate for the remote network template by selecting Template > Device > Certificate Management > Certificates > Device Certificates and then selecting Remote_Network_Template.
  7. Push the changes to mobile users and remote networks at the same time.
