Remote Access VPN (Authentication Profile)
In the Figure: GlobalProtect VPN for Remote Access, the GlobalProtect portal and gateway are configured on ethernet1/2, so this is the physical interface where GlobalProtect clients connect. After a client connects and the portal and gateway authenticates it, the client establishes a VPN tunnel from its virtual adapter, which has been assigned an address in the IP address pool associated with the gateway tunnel.2 configuration—10.31.32.3-10.31.32.118 in this example. Because GlobalProtect VPN tunnels terminate in a separate corp-vpn zone, you have visibility into the VPN traffic as well as the ability to customize security policy for remote users.
The following procedure provides the configuration steps for this example. You can also watch the video.
Interfaces and Zones for GlobalProtect.Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.
- Select NetworkInterfacesEthernet and configure ethernet1/2 as a Layer 3 Ethernet interface with IP address 203.0.113.1 and assign it to the l3-untrust zone and the default virtual router.
- Create a DNS “A” record that maps IP address 203.0.113.1 to gp.acme.com.
- Select NetworkInterfacesTunnel and add the tunnel.2 interface and add it to a new zone called corp-vpn. Assign it to the default virtual router.
- Enable User Identification on the corp-vpn zone.
- Create security policy to enable traffic flow between
the corp-vpn zone and the l3-trust zone to enable access to your
- Select PoliciesSecurity and then Add a new rule.
- For this example, you would define the rule with the
- Name—VPN Access
- Source Zone—corp-vpn
- Destination Zone—l3-trust
- Obtain a server certificate for the interface hosting
the GlobalProtect portal and gateway using one of the following
methods:Select DeviceCertificate ManagementCertificates to manage certificates as follows:
- Obtain a server certificate. Because the portal and gateway are on the same interface, the same server certificate can be used for both components.
- The CN of the certificate must match the FQDN, gp.acme.com.
- To enable clients to connect to the portal without receiving certificate errors, use a server certificate from a public CA.
a server profile.The server profile instructs the firewall how to connect to the authentication service. Supported methods are Local, RADIUS, Kerberos, and LDAP authentication. This example shows an LDAP authentication profile for authenticating users against the Active Directory.Create the server profile for connecting to the LDAP server (DeviceServer ProfilesLDAP).
Create an authentication profile.Attach the server profile to an authentication profile (DeviceAuthentication Profile).
a GlobalProtect Gateway.Select NetworkGlobalProtectGateways and add the following configuration:Interface—ethernet1/2IP Address—203.0.113.1Server Certificate—GP-server-cert.pem issued by GoDaddyAuthentication Profile—Corp-LDAPTunnel Interface—tunnel.2IP Pool—10.31.32.3 - 10.31.32.118
the GlobalProtect Portal.Select NetworkGlobalProtectPortals and add the following configuration:
Up Access to the GlobalProtect Portal. This example uses
the following settings:Interface—ethernet1/2IP Address—203.0.113.1Server Certificate—GP-server-cert.pem issued by GoDaddyAuthentication Profile—Corp-LDAP
the GlobalProtect Agent Configurations using the following
settings:Connect Method—On-demand (Manual user initiated connection)External Gateway Address—gp.acme.com
- Set Up Access to the GlobalProtect Portal. This example uses the following settings:
the GlobalProtect Agent Software.Select DeviceGlobalProtect Client.In this example, use the procedure to Host Agent Updates on the Portal.
- (Optional) Enable use of the GlobalProtect mobile app.Purchase and install a GlobalProtect Gateway subscription (DeviceLicenses) to enable use of the app.
- Save the GlobalProtect configuration.Click Commit.
Remote Access VPN (Certificate Profile)
Remote Access VPN (Certificate Profile) With certificate authentication, the client must present a valid client certificate that identifies the user to the GlobalProtect portal or ...
Remote Access VPN with Two-Factor Authentication
Remote Access VPN with Two-Factor Authentication If you configure a GlobalProtect portal or gateway with an authentication profile and a certificate profile (which together can ...
Remote Access VPN with Pre-Logon
Remote Access VPN with Pre-Logon Pre-logon is a connect method that establishes a VPN tunnel before a user logs in. The purpose of pre-logon is ...
GlobalProtect Multiple Gateway Configuration
GlobalProtect Multiple Gateway Configuration In GlobalProtect Multiple Gateway Topology , a second external gateway has been added to the configuration. Multiple gateways are supported in ...
Mixed Internal and External Gateway Configuration
Mixed Internal and External Gateway Configuration In a GlobalProtect mixed internal and external gateway configuration, you configure separate gateways for VPN access and for access ...
Pre-logon then On-Demand Connect Method
Pre-logon then On-Demand Connect Method This feature requires Content Release version 590-3397 or later. You can now configure a new hybrid connect method called pre-logon ...
Basic LSVPN Configuration with Static Routing
Basic LSVPN Configuration with Static Routing This quick config shows the fastest way to get up and running with LSVPN. In this example, a single ...
GlobalProtect Certificate Best Practices
GlobalProtect Certificate Best Practices The following table summarizes the SSL/TLS certificates you will need, depending on which features you plan to use: GlobalProtect Certificate Requirements ...
Supported GlobalProtect Authentication Methods
Supported GlobalProtect Authentication Methods The following table describes the authentication methods that GlobalProtect supports and provides usage guidelines. Authentication Method Description Local Authentication Both the ...