Remote Access VPN (Authentication Profile)

Where Can I Use This?	What Do I Need?
NGFW (managed by Panorama or Strata Cloud Manager) Prisma Access (managed by Panorama or Strata Cloud Manager)	GlobalProtect Gateway license or Prisma Access license with the Mobile User subscription

In the GlobalProtect VPN for Remote Access, the GlobalProtect portal and gateway are configured on ethernet1/2, so this is the physical interface where GlobalProtect users connect. After a user connects and authenticates to the portal and gateway, the endpoint establishes a tunnel from its virtual adapter, which has been assigned an IP address from the IP pool associated with the gateway tunnel.2 configuration—10.31.32.3-10.31.32.118 in this example. Because GlobalProtect VPN tunnels terminate in a separate corp-vpn zone, you have visibility into the connection traffic as well as the ability to customize security policies for remote users.

1. (Required only on NGFW managed by Panorama or Strata Cloud Manager)Create Interfaces and Zones for GlobalProtect.

   Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.

   • Select NetworkInterfacesEthernet. Configure ethernet1/2 as a Layer 3 Ethernet interface with IP address 203.0.113.1, and then assign it to the l3-untrust Security Zone and the default Virtual Router.
   • Create a DNS “A” record that maps IP address 203.0.113.1 to gp.acme.com.
   • Select NetworkInterfacesTunnel and Add the tunnel.2 interface. Add the tunnel interface to a new Security Zone called corp-vpn, and then assign it to the default Virtual Router.
   • Enable User Identification on the corp-vpn zone.
2. Create security policies to enable traffic flow between the corp-vpn zone and the l3-trust zone, which enables access to your internal resources.

   1. Do one of the following:

      • On Panorama, select PoliciesSecurity, and then Add a new rule.
      • On Strata Cloud Manager, select ManageConfigurationNGFW and Prisma AccessSecurity Services and then Add a new rule.
   2. For this example, you would define the rule with the following settings:

      • Name (General tab)—VPN Access
      • Source Zone (Source tab)—corp-vpn
      • Destination Zone (Destination tab)—l3-trust

3. Use one of the following methods to obtain a server certificate for the interface hosting the GlobalProtect portal and gateway:

   • (Recommended)Import a Server Certificate from a Well-known, Third-party CA
   • Use Root CA on the Portal to Generate a Self-signed Server Certificate

   Manage certificates as follows:

   • Obtain a server certificate. Because the portal and gateway are on the same interface, the same server certificate can be used for both components.
   • The CN of the certificate must match the FQDN, gp.acme.com.
   • To enable users to connect to the portal without receiving certificate errors, use a server certificate from a public CA.
4. Create a server profile for connecting to the LDAP server.

   The server profile instructs the firewall on how to connect to the authentication service. Local, RADIUS, Kerberos, SAML, and LDAP authentication methods are supported. This example shows an LDAP authentication profile for authenticating users against the Active Directory.

5. (Optional) Create an authentication profile.

   Attach the server profile to an authentication profile:

   • On Panorama, select DeviceAuthentication Profile.
   • On Strata Cloud Manager, select ManageConfigurationNGFW and Prisma AccessIdentity ServicesAuthentication Profiles.

6. Configure a GlobalProtect Gateway with the following configuration.

   Interface—ethernet1/2

   IP Address—203.0.113.1

   Server Certificate—GP-server-cert.pem issued by GoDaddy

   Authentication Profile—Corp-LDAP

   Tunnel Interface—tunnel.2

   IP Pool—10.31.32.3 - 10.31.32.118
7. Configure a GlobalProtect Portals with the following configuration:

   1. Set Up Access to the GlobalProtect Portal:

      Interface—ethernet1/2

      IP Address—203.0.113.1

      Server Certificate—GP-server-cert.pem issued by GoDaddy

      Authentication Profile—Corp-LDAP
   2. Define the GlobalProtect Client Authentication Configurations:

      Connect Method—On-demand (Manual user initiated connection)

      External Gateway Address—gp.acme.com
8. Deploy the GlobalProtect App Software. Follow the procedure to Host App Updates on the Portal.
9. (Optional) Enable use of the GlobalProtect mobile app.

   Purchase and install a GlobalProtect subscription (DeviceLicenses) to enable use of the app.
10. Save the GlobalProtect configuration.

    Click Commit.