>
    Set Up GlobalProtect Connectivity to Cortex Data Lake
    Focus
    Download PDF
    Focus
    1. Home
    2. GlobalProtect
    3. GlobalProtect App Log Collection for Troubleshooting
    4. Set Up GlobalProtect Connectivity to Cortex Data Lake
    Download PDF

    GlobalProtect

    Set Up GlobalProtect Connectivity to Cortex Data Lake

    Table of Contents

    Set Up GlobalProtect Connectivity to Cortex Data Lake

    You must set up GlobalProtect connectivity so that the GlobalProtect app can authenticate with Cortex Data Lake for log collection. Only one client certificate is used per tenant. For example, all the end users endpoints that are hosted by a Prisma Access tenant will obtain the same certificate pushed from the portal configuration. The client certificate is valid for 1 year. The GlobalProtect app uses the client certificate and the Cortex Data Lake instance to send the GlobalProtect App Troubleshooting logs to Cortex Data Lake.
    Based on the Cloud Services plugin version, you must set up GlobalProtect connectivity to Cortex Data Lake by using the command line interface (CLI) or the Panorama web interface that manages Prisma Access:
    With Cloud Managed Prisma Access, you can enable Log Collection for Troubleshooting for the GlobalProtect app by using the Prisma Access app on the hub to generate the certificate and to automatically import it so that the app can authenticate with Cortex Data Lake for log collection. The certificate is automatically displayed in the
    Certificate Management
     page, and is pushed as the client certificate to the Prisma Access portal.

    Set Up GlobalProtect Connectivity to Cortex Data Lake (Cloud Services Plugin 2.0 Innovation)

    With the Cloud Services plugin 2.0 Innovation, if you have a deployment that uses Prisma Access or the next-generation firewall, you must use the Panorama web interface to set up GlobalProtect connectivity so that the GlobalProtect app can authenticate with Cortex Data Lake for log collection.
    1. Use the Cortex Sizing Calculator to calculate the amount of storage you need in Cortex Data Lake.
    2. Generate a client certificate that is used to establish a connection from the GlobalProtect app to Cortex Data Lake.
      1. Use the Panorama web interface that manages Prisma Access to generate a client certificate.
        1. Log in to the Panorama that manages Prisma Access.
        2. Select
          Panorama
          Cloud Services
          Configuration
          Service Setup
          .
        3. Select
          Generate Certificate for GlobalProtect App Log Collection and Autonomous DEM
          .
        4. For Prisma Access deployments, click
          Yes
           to generate a client certificate.
          If you configure Prisma Access to manage a single tenant, the
          globalprotect_app_log_cert
           certificate is automatically imported to the
          Mobile_User_Template
           and the
          Shared
           location.
          If you configure Prisma Access to manage multiple tenants, the
          globalprotect_app_log_cert
           certificate is automatically imported to the second mobile user template after the first and named
          mu-tpl-
          tenant
          . The
          globalprotect_app_log_cert
           certificate is imported to the additional tenants.
          After the
          globalprotect_app_log_cert
           certificate has been generated and downloaded to
          Device
          Certificate Management
          Certificates
          , you receive a success message. The
          Mobile_User_Template
           is selected automatically as the
          Template
           and
          Shared
           is selected automatically as the
          Location
          .
        5. In next-generation firewall deployments, select any
          Template
           from the drop-down and
          Location
           from the drop-down.
          Click
          Yes
           to generate a client certificate.
          After the
          globalprotect_app_log_cert
           certificate has been generated and downloaded to
          Device
          Certificate Management
          Certificates
          Device Certificates
          , you receive a success message. The assigned template is selected automatically as the
          Template
           and the assigned location is selected automatically as the
          Location
          .
        6. (
          Optional
          ) In next-generation firewall deployments, copy the
          globalprotect_app_log_cert
           certificate to another template and location.
          Select
          Copy Certificate for GlobalProtect App Log Collection and Autonomous DEM
          .
          Select another
          Template
           from the drop-down and
          Location
           from the drop-down.
          Click
          Yes
           to generate a client certificate.
          After the
          globalprotect_app_log_cert
           certificate has been generated and downloaded to
          Device
          Certificate Management
          Certificates
          Device Certificates
          , you receive a success message. The assigned template is selected automatically as the
          Template
           and the assigned location is selected automatically as the
          Location
          .
    3. (
      Optional
      ) Request a new client certificate before the certificate expires.
      The client certificate has a lifespan of 90 days.
      1. In Panorama, select
        Panorama
        Cloud Services
        Configuration
        Tenants
      2. Select the tenant you created from the
        Tenant
         drop-down.
      3. Select
        Panorama
        Cloud Services
        Configuration
        Service Setup
        .
      4. Select
        Renew Certificate for GlobalProtect App Log Collection and Autonomous DEM
        .
      5. Click
        Yes
         to renew and download another client certificate. The assigned template is associated automatically as the
        Template
         and the assigned location is associated automatically as the
        Location
        .
    4. Create or modify the existing GlobalProtect agent configuration for a specific group of users.
      To enable the GlobalProtect app log collection for troubleshooting, you must define the agent configuration for a specific group of users to send the logs to Cortex Data Lake.
      1. In Panorama, select
        Network
        GlobalProtect
        Portals
        .
      2. Select the
        Mobile_User_Template
         from the
        Template
         drop-down.
        If you set up a deployment that includes multiple instances of Prisma Access on a single Panorama (multi-tenancy), you can select another template associated with the configuration.
      3. Select
        GlobalProtect_Portal
         to edit the Prisma Access portal configuration.
      4. Select the
        Agent
         tab.
      5. Select the
        Agent
         tab and select the agent configuration.
      6. Select the
        Local
         (default) and
        DEFAULT
        globalprotect_app_log_cert
         from the
        Client Certificate
         drop-down.
        Because the
        Client Certificate
         is used to push the Cortex Data Lake certificate, you cannot push the client certificate to authenticate to the portal or gateway either using a
        Local
         certificate type (default) or Simple Certificate Enrollment Protocol (SCEP).

    Set Up GlobalProtect Connectivity to Cortex Data Lake (Cloud Services Plugin 1.8 and 2.0 Preferred)

    With the Cloud Services plugin 1.8 and 2.0 Preferred, you must use the commands to set up GlobalProtect connectivity so that the GlobalProtect app can authenticate with Cortex Data Lake for log collection.
    1. Use the Cortex Sizing Calculator to calculate the amount of storage you need in Cortex Data Lake.
    2. Generate a client certificate that is used to establish a connection from the GlobalProtect app to Cortex Data Lake.
      1. Open a CLI session with administrator privileges, using the same IP address that you use to log in to the Panorama that manages Prisma Access.
      2. Enter the
        request plugins cloud_services gpclient_cert fetch
        command, as shown in the following example:
        admin-Panorama>
        request plugins cloud_services gpclient_cert fetch
        
Success
Successfully imported globalprotect_gp_log_cert into candidate configuration
        If a client certificate is already generated, the command output is as follows:
        admin-Panorama> 
        request plugins cloud_services gpclient_cert fetch
        
certificate exists and not expired
      3. Commit your changes on Panorama.
      4. Verify the status of the client certificate by entering the following command:
        admin-Panorama> 
        request plugins cloud_services gpclient_cert status 
        
certificate globalprotect_app_log_cert is valid till Oct 22 21:55:39 2021 GMT
    3. Export the
      gp_app_log_cert
       certificate from the Panorama certificate store.
      1. In Panorama, select
        Panorama
        Certificate Management
        Certificates
        , select the
        gp_app_log_cert
         certificate, and
        Export Certificate
        .
      2. Select
        Encrypted Private Key and Certificate (PKCS12)
         from the
        File Format
         drop-down to export the certificate and private key in a single file.
      3. Enter a
        Passphrase
         and
        Confirm Passphrase
         to import the certificate key.
      4. Click
        OK
         and save the certificate/key file to your computer.
    4. Import the
      gp_app_log_cert
       certificate to the Panorama template where the GlobalProtect portal configuration resides.
      If you configure Prisma Access to manage a single tenant, you must import the
      gp_app_log_cert
       certificate to the
      Mobile_User_Template
      .
      If you configure Prisma Access to manage multiple tenants, you must import the
      gp_app_log_cert
       certificate to the second mobile user template automatically created after the first and named
      mu-tpl-
      tenant
      . You must import the
      gp_app_log_cert
       certificate to the additional tenants.
      1. In Panorama, select
        Device
        Certificate Management
        Certificates
        , and then click
        Import
        .
      2. For the
        Certificate Type
        , select
        Local
        .
      3. Enter
        gp_app_log_cert
         as the
        Certificate Name
        .
      4. Browse
         for the certificate file that you exported.
      5. Enter the
        Passphrase
         and
        Confirm Passphrase
         used to encrypt the private key.
      6. Click
        OK
         to import the certificate.
    5. Create or modify the existing GlobalProtect agent configuration for a specific group of users.
      To enable the GlobalProtect app log collection for troubleshooting, you must define the agent configuration for a specific group of users to send the logs to Cortex Data Lake.
      1. In Panorama, select
        Network
        GlobalProtect
        Portals
        .
      2. Select the
        Mobile_User_Template
         from the
        Template
         drop-down.
        If you set up a deployment that includes multiple instances of Prisma Access on a single Panorama (multi-tenancy), you can select another template associated with the configuration.
      3. Select
        GlobalProtect_Portal
         to edit the Prisma Access portal configuration.
      4. Select the
        Agent
         tab.
      5. Select the
        Agent
         tab and select the
        DEFAULT
         agent configuration.
      6. Select the
        Local
         (default) and
        gp_app_log_cert
         from the
        Client Certificate
         drop-down.
        Because the
        Client Certificate
         is used to push the Cortex Data Lake certificate, you cannot push the client certificate to authenticate to the portal or gateway either using a
        Local
         certificate type (default) or Simple Certificate Enrollment Protocol (SCEP).

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.