Prisma Access
Set Up GlobalProtect Mobile Users (Strata Cloud Manager)
Table of Contents
Expand All
|
Collapse All
Prisma Access Docs
-
-
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
-
-
-
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Set Up GlobalProtect Mobile Users (Strata Cloud Manager)
Set up a mobile users location in just a few steps in Prisma Access (Managed by Strata Cloud Manager).
In just a few steps, here’s how to start onboarding
GlobalProtect mobile users to Prisma Access.
- Enable GlobalProtect as a mobile user connection type
Go to WorkflowsPrisma Access SetupMobile Users.You can divide your mobile user license between GlobalProtect and Explicit Proxy connections; some users can connect through GlobalProtect and others through Explicit Proxy. With a GlobalProtect Connection, the GlobalProtect app installed on mobile user devices sends traffic to Prisma Access.
- Set up basic infrastructure settings
Configure the infrastructure settings that are specific to GlobalProtect. There are a few required settings you’ll need to fill out initially, so that Prisma Access can provision your mobile user environment.
- When you set up GlobalProtect for the first time, you’ll decide whether to enable Prisma Access IP Optimization. Choosing to enable IP Optimization requires GlobalProtect client version 6.1.4 and later, 6.2.3 and later, or 6.3.0 and later, and does not support IPv6. Choose carefully, as you can’t change this setting later.
- IP Optimization functionality is for new Prisma Access GlobalProtect deployments only. Existing GlobalProtect deployments, including new tenants you create from an existing multitenant deployment, are not eligible.
- If you are migrating your GlobalProtect deployment to Prisma Access (away from using on-premises gateways and portals), ensure all users are running GlobalProtect app version 6.1.4 and later, 6.2.3 and later, or 6.3 and later before enabling this functionality.
Go to WorkflowsPrisma Access SetupGlobalProtectInfrastructureInfrastructure Settings.- Specify the Portal Name.
- Default Domain—If you select this option, your portal hostname uses the default domain name: .gpcloudservice.com. In this case, simply enter a Portal Hostname to append to the default domain name. Prisma Access for Users will automatically create the necessary certificates and publish the hostname to public DNS servers.
- Custom Domain—You can also customize the portal address if you want the domain in the portal hostname to match your company domain name (for example, myportal.mydomain.com).
- Enter Client DNS resolution settings for your
GlobalProtect deployment.
- Select a region for the DNS Servers
(Add Region).Select Worldwide or a theater. If you specify multiple proxy settings with a mix of Worldwide and theater settings, Prisma Access uses the settings for the location group, then theater, then Worldwide. Prisma Access evaluates the rules from top to bottom in the list.
- Choose whether or not you want Prisma Access to Resolve internal domains; if you do, Add one or more Internal Domain Resolve Rules.
- Enter a unique Name for the rule.
- Select Prisma Access Default to use the default Prisma Access DNS server to resolve internal domains. you want your internal DNS server to only resolve the domains you specify, enter the domains to resolve in the Domain List. Specify an asterisk in front of the domain; for example, *.acme.com. You can specify a maximum of 1,024 domain entries.
- If you have a Custom DNS server that can access your internal domains, specify the Primary DNS and Secondary DNS server IP addresses.
- If you want your internal DNS server to only resolve the domains you specify, enter the domains to resolve in the Domain Lists. Specify an asterisk in front of the domain; for example, *.acme.com. You can specify a maximum of 1,024 domain entries.
- Save your changes when finished.
- Select a region for the DNS Servers
(Add Region).
- (Optional) Specify a Client IP
Pool.By default, Prisma Access provides you with a default mobile user IP Address pool of 100.127.0.0/16 that can be used any location worldwide. Prisma Access assigns an IP address from this pool to each GlobalProtect-connected device. You can optionally add an IP address pool on a per-region basis here.
- Enter a minimum required subnet of /23 (512 IP addresses) per location. Additional locations require a minimum /23 subnet. If you specify a Worldwide subnet, the minimum required subnet is /23 but we recommend IP Address Pools for a GlobalProtect Mobile Users Deployment to allocate a of IP addresses that is equal to or greater than the number of licensed mobile users so that they can log in at the same time.Don't specify addresses that overlap with other networks you use internally or with the pools you assigned when you Configure the Prisma Access Service Infrastructure (Panorama). In addition, don't use the following IP addresses and subnets, because Prisma Access reserves those IP addresses and subnets for its internal use.:
- 169.254.0.0/16
- 100.64.0.0/10
We recommend using an RFC 1918-compliant IP address pool. While we support the use of non-RFC 1918-compliant (public) IP addresses for mobile users, we don't recommend using them due to possible conflicts with internet public IP address space.
- Specify the DNS settings for Primary DNS for public domains and Secondary DNS for public domains.
- Prisma Access Default—Use the default Prisma Access DNS server.
- Internal DNS—Use the same server that you use to resolve internal domains.
- Custom—If you have a DNS server that can access your public (external) domains, enter the Primary DNS server address in that field.
- You can add a Client DNS Suffix List to specify the suffix that the client should use locally when an unqualified hostname is entered that it can't resolve, for example, acme.local. Don't enter a wildcard (*) character in front of the domain suffix (for example, acme.com). You can add multiple suffixes.
- Set up Advanced Settings.
- (Optional) Use
Static Entries to resolve FQDNs to specific
IP addresses.This functionality can be useful if you have guest internet services at your organization and you want your guests to safely use search engines, preventing them from searching for potentially inappropriate or offensive material that could be against company policy. To do so, enter a unique Name for the static entry rule, an FQDN, and the IP Address where the FQDN request should be directed.
- If you want Prisma Access to proxy DNS requests, configure values for UDP Queries Retries (the Interval (Sec) to retry the query in seconds and the number of retry Attempts to perform.
- (Optional) Use
Static Entries to resolve FQDNs to specific
IP addresses.
- Choose the Prisma Access location to which your GlobalProtect users will connect
Add the Prisma Access locations where you want to support GlobalProtect users. Go to WorkflowsPrisma Access SetupGlobalProtectInfrastructurePrisma Access Locations.The map displays the global regions where you can deploy Prisma Access for Users . In addition, Prisma Access provides multiple locations within each region to ensure that your users can connect to a location that provides a user experience tailored to the users’ locale. For the best performance, Select All. Alternatively, select the specific locations within each selected region where your users will need access. By limiting your deployment to a single region, you can have more granular control over your deployed regions and exclude regions required by your policy or industry regulations.For the best user experience, if you're limiting the number of locations, choose locations that are closest to your users or in the same country as your users. If a location isn't available in the country where your mobile users reside, choose a location that is closest to your users for the best performance.
- Authenticate GlobalProtect users
Set up User Authentication so that only legitimate users have access to your services and applications. Go to WorkflowsPrisma Access SetupGlobalProtectInfrastructureUser Authentication.To test your setup, you can add users who Prisma Access authenticates locally, or you can go straight to setting up enterprise-level authentication. Learn more on how to Enable Mobile Users to Authenticate to Prisma Access.
- Prisma Access enforces best practice security policy rules by default. These rules allow your users to securely browse to general internet sites. Users are:
- Blocked from visiting known bad websites based on URL
- Blocked from uploading or downloading files that are known to be malicious
- Protected from unknown, never-before-seen threats
- Protected from malware, spyware (command and control attacks), and vulnerabilities
After going through the initial setup, you can review and update these default rules to meet your enterprise needs. - Verify that the mobile user's location is active
After you push your initial configuration to Prisma Access, Prisma Access begins provisioning your GlobalProtect mobile user environment. This can take up to 15 minutes.You can also validate your setup by selecting WorkflowsPrisma Access SetupPrisma AccessInfrastructure Settings and edit infrastructure settings to confirm a gateway is set up in each of the locations you provisioned.
GlobalProtect — Customize the Portal Address
Prisma Access requires only the minimal settings to provision your mobile user's environment so
that you can test it. If you would prefer to use your company domain in the
portal address, you can change the address after the initial environment
setup.
By default, Prisma Access uses the gpcloudservice.com domain to set up the
Prisma Access portal address that your mobile users will need to
connect to for secure access to the internet and your HQ and data centers. You
must use this default domain when you initially set up and test your
environment. If you want to customize the domain name after the initial setup to
use your company domain, you can go back and edit the environment settings so
that the portal address your users connect to contains your own company domain
(for example, prisma-access.acme.com).
The *.gpcloudservice.com domain is
associated with the Palo Alto Networks application.
To configure Prisma Access to use
your own domain, you must:
- Obtain certificates for the service.
- Create a DNS CNAME entry on your DNS servers that maps the default portal address using the default domain to the custom portal address that uses your company domain. You need to do this because Prisma Access publishes the portal address you set up to public domain servers during initial provisioning.
- Select WorkflowsPrisma Access SetupGlobalProtectInfrastructure and edit Infrastructure Settings.In Strata Cloud Manager, Network Redundancy is enabled by default between portals or gateways and service connections, ensuring redundant connectivity for mobile users to accessible services and applications.Set the Portal Name Type to Custom Domain.Enter the Portal Hostname you want to use.Add the Portal DNS CNAME to which to map your DNS server entries.Import the Certificate you provisioned for your custom domain portal address.
- Select the certificate Format for the certificate you're importing:
- Encrypted Private Key and Certificate (PKCS12)—The key and certificate are in a single container (Certificate File). Click Choose File and browse to the PKCS12 file to import.
- Base64 Encoded Certificate (PEM)—If you select this option, you must import the Key File separately from the certificate. To import the PEM certificate and Key File, click Choose File.
Enter the Passphrase to encrypt the key and Confirm Passphrase and then click Save.If you have not already done so, configure your DNS servers to point to the Prisma Access DNS CNAME you defined.Save the environment setup and Push Config to Prisma Access.Make sure to select both Explicit Proxy and GlobalProtect configuration scopes.