Mixed Internal and External Gateway Configuration

In a GlobalProtect mixed internal and external gateway configuration, you configure separate gateways for VPN access and for access to your sensitive internal resources. With this configuration, agents perform internal host detection to determine if they are on the internal or external network. If the agent determines it is on the external network, it will attempt to connect to the external gateways listed in its client configuration and it will establish a VPN (tunnel) connection with the gateway with the highest priority and the shortest response time.
Because security policies are defined separately on each gateway, you have granular control over which resources your external and internal users have access to. In addition, you also have granular control over which gateways users have access to by configuring the portal to deploy different client configurations based on user/group membership or based on HIP profile matching.
In this example, the portals and all three gateways (one external and two internal) are deployed on separate firewalls. The external gateway at gpvpn.acme.com provides remote VPN access to the corporate network while the internal gateways provide granular access to sensitive datacenter resources based on group membership. In addition, HIP checks are used to ensure that hosts accessing the datacenter are up-to-date on security patches.
GlobalProtect Deployment with Internal and External Gateways
gp-internal-external-gw.png
Use the following procedure to quickly configure a mix of internal and external GlobalProtect gateways.
  1. Create Interfaces and Zones for GlobalProtect.
    In this configuration, you must set up interfaces on the firewall hosting a portal and each firewall hosting a gateway.
    Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.
    On the firewall hosting the portal gateway (gp.acme.com):
    • Select NetworkInterfacesEthernet and configure ethernet1/2 as a Layer 3 Ethernet interface with IP address 198.51.100.42 and assign it to the l3-untrust security zone and the default virtual router.
    • Create a DNS “A” record that maps IP address 198.51.100.42 to gp.acme.com.
    • Select NetworkInterfacesTunnel and add the tunnel.2 interface and add it to a new zone called corp-vpn. Assign it to the default virtual router.
    • Enable User Identification on the corp-vpn zone.
    On the firewall hosting the external gateway (gpvpn.acme.com):
    • Select NetworkInterfacesEthernet and configure ethernet1/5 as a Layer 3 Ethernet interface with IP address 192.0.2.4 and assign it to the l3-untrust security zone and the default virtual router.
    • Create a DNS “A” record that maps IP address 192.0.2.4 to gpvpn.acme.com.
    • Select NetworkInterfacesTunnel and add the tunnel.3 interface and add it to a new zone called corp-vpn. Assign it to the default virtual router.
    • Enable User Identification on the corp-vpn zone.
    On the firewall hosting the internal gateways (california.acme.com and newyork.acme.com):
    • Select NetworkInterfacesEthernet and configure Layer 3 Ethernet interface with IP addresses on the internal network and assign them to the l3-trust security zone and the default virtual router.
    • Create a DNS “A” record that maps the internal IP addresses california.acme.com and newyork.acme.com.
    • Enable User Identification on the l3-trust zone.
  2. Purchase and install a GlobalProtect license on each firewall hosting a gateway (internal and external) if you have users who will be using the GlobalProtect app on their mobile devices or if you plan to use HIP-enabled security policy.
    Gateway_license.png
    After you purchase the GlobalProtect licenses and receive your activation code, install the licenses on the firewalls hosting your gateways as follows:
    1. Select DeviceLicenses.
    2. Select Activate feature using authorization code.
    3. When prompted, enter the Authorization Code and then click OK.
    4. Verify that the license and subscriptions were successfully activated.
    Contact your Palo Alto Networks Sales Engineer or Reseller if you do not have the required licenses. For more information on licensing, see About GlobalProtect Licenses.
  3. Obtain server certificates for the GlobalProtect portal and each GlobalProtect gateway.
    In order to connect to the portal for the first time, the end clients must trust the root CA certificate used to issue the portal server certificate.
    You can use self-signed certificates on the gateways and deploy the root CA certificate to the agents in the client configuration. The best practice is to generate all of the certificates on firewall hosting the portal and deploy them to the gateways.
    The recommended workflow is as follows:
    1. On the firewall hosting the portal:
    2. On each firewall hosting an internal gateway:
  4. Define how you will authenticate users to the portal and the gateways.
    You can use any combination of certificate profiles and/or authentication profiles as necessary to ensure the security for your portal and gateways. Portals and individual gateways can also use different authentication schemes. See the following sections for step-by-step instructions:
    You will then need to reference the certificate profile and/or authentication profiles you defined in the portal and gateway configurations you define.
  5. Create the HIP profiles you will need to enforce security policy on gateway access.
    See Use Host Information in Policy Enforcement for more information on HIP matching.
    1. Create the HIP objects to filter the raw host data collected by the agents. For example, if you are interested in preventing users that are not up to date with required patches, you might create a HIP object to match on whether the patch management software is installed and that all patches with a given severity are up to date.
      not-missing-patch-hip-object.png
    2. Create the HIP profiles that you plan to use in your policies.
      For example, if you want to ensure that only Windows users with up-to-date patches can access your internal applications, you might attach the following HIP profile that will match hosts that do NOT have a missing patch:
      not-missing-patch-hip-profile.png
  6. Configure the internal gateways.
    Select NetworkGlobalProtectGateways and add the following settings:
    • Interface
    • IP Address
    • Server Certificate
    • Authentication Profile and/or Configuration Profile
    Notice that it is not necessary to configure the client configuration settings in the gateway configurations (unless you want to set up HIP notifications) because tunnel connections are not required. See Configure a GlobalProtect Gateway for step-by-step instructions on creating the gateway configurations.
  7. Configure the GlobalProtect Portal.
    Although this example shows how to create a single client configuration to be deployed to all agents, you could choose to create separate configurations for different uses and then deploy them based on user/group name and/or the operating system the agent/app is running on (Android, iOS, Mac, or Windows).
    Select NetworkGlobalProtectPortals and add the following configuration:
    1. Set Up Access to the GlobalProtect Portal:
      Interfaceethernet1/2
      IP Address10.31.34.13
      Server CertificateGP-server-cert.pem issued by GoDaddy with CN=gp.acme.com
    2. Define the GlobalProtect Client Authentication Configurations:
      Internal Host Detectionenabled
      Use single sign-onenabled
      Connect MethodUser-logon (Always On)
      External Gateway Addressgpvpn.acme.com
      Internal Gateway Addresscalifornia.acme.com, newyork.acme.com
      User/User Groupany
    3. Commit the portal configuration.
  8. Deploy the GlobalProtect Agent Software.
    Select DeviceGlobalProtect Client.
    In this example, use the procedure to Host Agent Updates on the Portal.
  9. Create security policy rules on each gateway to safely enable access to applications for your VPN users.
    • Create security policy (PoliciesSecurity) to enable traffic flow between the corp-vpn zone and the l3-trust zone.
    • Create HIP-enabled and user/group-based policy rules to enable granular access to your internal datacenter resources.
    • For visibility, create rules that allow all of your users web-browsing access to the l3-untrust zone, using the default security profiles to protect you from known threats.
    gp-policy-int-ext.png
  10. Save the GlobalProtect configuration.
    Click Commit on the portal and all gateways.

Related Documentation