GlobalProtect for Internal HIP Checking and User-Based Access

When used in conjunction with User-ID and/or HIP checks, an internal gateway can be used to provide a secure, accurate method of identifying and controlling traffic by user and/or device state, replacing other network access control (NAC) services. Internal gateways are useful in sensitive environments where authenticated access to critical resources is required.
In a configuration with only internal gateways, all clients must be configured with user-logon; on-demand mode is not supported. In addition, it is recommended that you configure all client configurations to use single sign-on (SSO). Additionally, because internal hosts do not need to establish a tunnel connection with the gateway, the IP address of the physical network adapter on the client system is used.
In this quick config, internal gateways are used to enforce group based policies that allow users in the Engineering group access to the internal source control and bug databases and users in the Finance group to the CRM applications. All authenticated users have access to internal web resources. In addition, HIP profiles configured on the gateway check each host to ensure compliance with internal maintenance requirements, such as whether the latest security patches and antivirus definitions are installed, whether disk encryption is enabled, or whether the required software is installed.
GlobalProtect Internal Gateway Configuration
Use the following procedure to quickly configure a GlobalProtect internal gateway.
  1. Create Interfaces and Zones for GlobalProtect.
    In this configuration, you must set up interfaces on each firewall hosting a portal and/or a gateway. Because this configuration uses internal gateways only, you must configure the portal and gateways on interfaces on the internal network.
    Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.
    On each firewall hosting a portal/gateway:
    1. Select an Ethernet port to host the portal/gateway and then configure a Layer3 interface with an IP address in the l3-trust security zone. (NetworkInterfacesEthernet).
    2. Enable User Identification on the l3-trust zone.
  2. Purchase and install a GlobalProtect license for each firewall hosting an internal gateway if you have users who will be using the GlobalProtect app on their mobile devices or if you plan to use HIP-enabled security policy.
    After you purchase the gateway subscriptions and receive your activation code, install the gateway subscriptions on the firewalls hosting your gateways as follows:
    1. Select DeviceLicenses.
    2. Select Activate feature using authorization code.
    3. When prompted, enter the Authorization Code and then click OK.
    4. Verify that the license was successfully activated.
    Contact your Palo Alto Networks Sales Engineer or Reseller if you do not have the required licenses. For more information on licensing, see About GlobalProtect Licenses.
  3. Obtain server certificates for the GlobalProtect portal and each GlobalProtect gateway.
    In order to connect to the portal for the first time, the end clients must trust the root CA certificate used to issue the portal server certificate. You can either use a self-signed certificate on the portal and deploy the root CA certificate to the end clients before the first portal connection, or obtain a server certificate for the portal from a trusted CA.
    You can use self-signed certificates on the gateways.
    The recommended workflow is as follows:
    1. On the firewall hosting the portal:
    2. On each firewall hosting an internal gateway:
  4. Define how you will authenticate users to the portal and the gateways.
    You can use any combination of certificate profiles and/or authentication profiles as necessary to ensure the security for your portal and gateways. Portals and individual gateways can also use different authentication schemes. See the following sections for step-by-step instructions:
    You will then need to reference the certificate profile and/or authentication profiles you defined in the portal and gateway configurations you define.
  5. Create the HIP profiles you will need to enforce security policy on gateway access.
    See Use Host Information in Policy Enforcement for more information on HIP matching.
    1. Create the HIP objects to filter the raw host data collected by the agents. For example, if you are interested in preventing users that are not up to date with required patches, you might create a HIP object to match on whether the patch management software is installed and that all patches with a given severity are up to date.
    2. Create the HIP profiles that you plan to use in your policies.
      For example, if you want to ensure that only Windows users with up-to-date patches can access your internal applications, you might attach the following HIP profile that will match hosts that do NOT have a missing patch:
  6. Configure the internal gateways.
    Select NetworkGlobalProtectGateways and add the following settings:
    • Interface
    • IP Address
    • Server Certificate
    • Authentication Profile and/or Configuration Profile
    Notice that it is not necessary to configure the client configuration settings in the gateway configurations (unless you want to set up HIP notifications) because tunnel connections are not required. See Configure a GlobalProtect Gateway for step-by-step instructions on creating the gateway configurations.
  7. Configure the GlobalProtect Portal.
    Although all of the previous configurations could use a Connect Method of User-logon (Always On) or On-demand (Manual user initiated connection), an internal gateway configuration must always be on and therefore requires a Connect Method of User-logon (Always On).
    Select NetworkGlobalProtectPortals and add the following configuration:
    1. Set Up Access to the GlobalProtect Portal:
      IP Address10.31.34.13
      Server CertificateGP-server-cert.pem issued by GoDaddy with
    2. Define the GlobalProtect Agent Configurations:
      Use single sign-onenabled
      Connect MethodUser-logon (Always On)
      Internal Gateway,
      User/User Groupany
    3. Commit the portal configuration.
  8. Deploy the GlobalProtect Agent Software.
    Select DeviceGlobalProtect Client.
    In this example, use the procedure to Host Agent Updates on the Portal.
  9. Create the HIP-enabled and/or user/group-based security rules on your gateway(s).
    Add the following security rules for this example:
    1. Select PoliciesSecurity and click Add.
    2. On the Source tab, set the Source Zone to l3-trust.
    3. On the User tab, add the HIP profile and user/group to match.
      • Click Add in the HIP Profiles section and select the HIP profile Missing Patch.
      • Click Add in the Source User section and select the group (Finance or Engineering depending on which rule you are creating).
    4. Click OK to save the rule.
    5. Commit the gateway configuration.

Related Documentation