End-of-Life (EoL)

Remote Access VPN (Authentication Profile)

In the Figure: GlobalProtect VPN for Remote Access, the GlobalProtect portal and gateway are configured on ethernet1/2, so this is the physical interface where GlobalProtect clients connect. After a client connects and the portal and gateway authenticate it, the client establishes a VPN tunnel from its virtual adapter, which has been assigned an address from the IP address pool associated with the gateway's tunnel.2 configuration (10.31.32.3-10.31.32.118 in this example). Because GlobalProtect VPN tunnels terminate in a separate corp-vpn zone, you have visibility into the VPN traffic and can write security policy specifically for remote users rather than treating them like hosts already inside l3-trust.
Figure: GlobalProtect VPN for Remote Access
The following procedure provides the configuration steps for this example.
  1. Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.
    • Select Network > Interfaces > Ethernet and configure ethernet1/2 as a Layer 3 Ethernet interface with IP address 203.0.113.1. Assign it to the l3-untrust zone and the default virtual router.
    • Create a DNS "A" record that resolves gp.acme.com to 203.0.113.1. Clients connect by this name, so it must match the server certificate obtained in step 3.
    • Select Network > Interfaces > Tunnel and add the tunnel.2 interface. Add it to a new zone called corp-vpn and assign it to the default virtual router.
    • Enable User Identification on the corp-vpn zone so that traffic from the tunnel is attributed to the authenticated GlobalProtect user.
  2. Create a security policy rule that allows traffic from the corp-vpn zone to the l3-trust zone, so remote users can reach your internal resources.
    1. Select Policies > Security and then Add a new rule.
    2. For this example, define the rule with the following settings:
      • Name: VPN Access
      • Source Zone: corp-vpn
      • Destination Zone: l3-trust
    Scope the rule's destination addresses and applications to the internal resources remote users actually need rather than leaving them at any; because User Identification is enabled on corp-vpn, the rule can also be limited to specific users or groups.
  3. Obtain a server certificate for the interface hosting the GlobalProtect portal and gateway. Select Device > Certificate Management > Certificates to import or generate certificates, and apply the following requirements:
    • Because the portal and gateway are on the same interface, the same server certificate can be used for both components.
    • The CN of the certificate must match the FQDN, gp.acme.com. Current TLS clients validate the hostname against the Subject Alternative Name rather than the CN, so the SAN should also contain gp.acme.com.
    • To enable clients to connect to the portal without receiving certificate errors, use a server certificate from a public CA that the client operating systems already trust.
  4. Create a server profile. The server profile tells the firewall how to connect to the external authentication service. Supported authentication methods are Local, RADIUS, Kerberos, and LDAP; this example uses an LDAP server profile to authenticate users against Active Directory. Select Device > Server Profiles > LDAP and create the profile for connecting to the LDAP server.
  5. Attach the server profile to an authentication profile (Device > Authentication Profile). The gateway and portal reference this authentication profile (Corp-LDAP in this example), not the server profile directly.
  6. Select Network > GlobalProtect > Gateways and add a gateway with the following configuration:
    • Interface: ethernet1/2
    • IP Address: 203.0.113.1
    • Server Certificate: GP-server-cert.pem issued by GoDaddy
    • Authentication Profile: Corp-LDAP
    • Tunnel Interface: tunnel.2
    • IP Pool: 10.31.32.3 - 10.31.32.118
  7. Select Network > GlobalProtect > Portals and add a portal with the following configuration:
    1. Set Up Access to the GlobalProtect Portal. This example uses the following settings:
      • Interface: ethernet1/2
      • IP Address: 203.0.113.1
      • Server Certificate: GP-server-cert.pem issued by GoDaddy
      • Authentication Profile: Corp-LDAP
    2. Define the GlobalProtect Agent Configurations using the following settings:
      • Connect Method: On-demand (manual, user-initiated connection)
      • External Gateway Address: gp.acme.com
  8. Select Device > GlobalProtect Client. In this example, use the procedure to Host Agent Updates on the Portal.
  9. (Optional) Enable use of the GlobalProtect mobile app. Purchase and install a GlobalProtect Gateway subscription (Device > Licenses) to enable use of the app.
  10. Save the GlobalProtect configuration by clicking Commit.
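Before uploading the server certificate in step 3, it is worth checking the file on a workstation rather than discovering a name mismatch when the first GlobalProtect client connects. The script below is an added example and is not part of the PAN-OS guide. It assumes OpenSSL 1.1.1 or later on the PATH, and it generates three self-signed certificates as constructed test input (in practice you would point the functions at the CA-issued GP-server-cert.pem and the CA's chain file). It checks the CN as the guide requires, additionally checks that gp.acme.com appears in the Subject Alternative Name, which is what current TLS clients actually match on, and confirms the certificate chains to a given trust anchor and is within its validity period.

```shell
#!/bin/sh
# Added example, not part of the PAN-OS guide: sanity checks on the server
# certificate for the portal/gateway FQDN before it is uploaded under
# Device > Certificate Management > Certificates.
# Assumes: openssl 1.1.1 or later on PATH. The three certificates generated
# below are constructed test input; in practice point the functions at the
# CA-issued file (GP-server-cert.pem in the guide) and the CA's chain file.

# 0 if the certificate's subject CN equals the FQDN (the guide's requirement).
gp_cert_cn_is() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | grep -qE '(^subject=|,)CN='"$2"'(,|$)'
}

# 0 if the FQDN appears as a DNS entry in the Subject Alternative Name, which
# is what current TLS clients match on; a CN-only certificate fails here.
gp_cert_has_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -qxF "DNS:$2"
}

# 0 if the certificate chains to the trust anchor(s) in $2 and is within its
# validity period (openssl verify checks both).
gp_cert_chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Combined pre-upload check: CN, SAN, and chain must all pass.
# $1 certificate file, $2 FQDN the clients connect to, $3 trust anchor file.
gp_cert_check() {
  gp_cert_cn_is "$1" "$2" && gp_cert_has_san "$1" "$2" && gp_cert_chain_ok "$1" "$3"
}

# Constructed test input: self-signed certificates, so each is its own anchor.
# $1 output path prefix, $2 CN, $3 SAN value or empty for a CN-only cert.
make_test_cert() {
  if [ -n "$3" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
      -addext "subjectAltName=$3" -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
  else
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
      -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
  fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_test_cert "$WORK/good"    gp.acme.com  "DNS:gp.acme.com"   # CN and SAN match
make_test_cert "$WORK/cn-only" gp.acme.com  ""                  # CN matches, no SAN
make_test_cert "$WORK/wrong"   vpn.acme.com "DNS:vpn.acme.com"  # issued for another host

for name in good cn-only wrong; do
  if gp_cert_check "$WORK/$name.pem" gp.acme.com "$WORK/$name.pem"; then
    echo "$name.pem: acceptable for gp.acme.com"
  else
    echo "$name.pem: rejected for gp.acme.com"
  fi
done
```

Only good.pem passes: cn-only.pem satisfies the CN rule stated in the guide but has no SAN, and wrong.pem was issued for a different host. Against a real CA-issued certificate, pass the CA's chain file as the third argument so that the chain check exercises the same path clients will build.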
