Remote Access VPN (Certificate Profile)
With certificate authentication, the client must present a valid client certificate that identifies the user to the GlobalProtect portal or gateway. In addition to the certificate itself, the portal or gateway can use a certificate profile to determine whether the client that sent the certificate is the client to which the certificate was issued.
When a client certificate is the only means of authentication, the certificate that the client presents must contain the username in one of the certificate fields; typically the username corresponds to the common name (CN) in the Subject field of the certificate.
Upon successful authentication, the GlobalProtect agent establishes a VPN tunnel with the gateway and is assigned an IP address from the IP pool in the gateway’s tunnel configuration. To support user-based policy enforcement on sessions from the corp-vpn zone, the username from the certificate is mapped to the IP address that the gateway assigned. Also, if a security policy requires a domain name in addition to user name, the specified domain value in the certificate profile is appended to the username.
This quick configuration uses the same topology as Figure: GlobalProtect VPN for Remote Access. The only configuration difference is that instead of authenticating users against an external authentication server, this configuration uses client certificate authentication only.
Interfaces and Zones for GlobalProtect.Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.
- Select NetworkInterfacesEthernet and configure ethernet1/2 as a Layer 3 Ethernet interface with IP address 203.0.113.1 and assign it to the l3-untrust security zone and the default virtual router.
- Create a DNS “A” record that maps IP address 203.0.113.1 to gp.acme.com.
- Select NetworkInterfacesTunnel.
- Add tunnel.2 interface to a new zone called corp-vpn. Assign the interface to the default virtual router.
- Enable User Identification on the corp-vpn zone.
- Create security policy to enable traffic flow between
the corp-vpn zone and the l3-trust zone to enable access to your
- Select PoliciesSecurity and then Add a new rule.
- For this example, you would define the rule with the
- Name—VPN Access
- Source Zone—corp-vpn
- Destination Zone—l3-trust
- Obtain a server certificate for the interface hosting
the GlobalProtect portal and gateway using one of the following
methods:Select DeviceCertificate ManagementCertificates to manage certificates as follows:
- Obtain a server certificate. Because the portal and gateway are on the same interface, the same server certificate can be used for both components.
- The CN of the certificate must match the FQDN, gp.acme.com.
- To enable clients to connect to the portal without receiving certificate errors, use a server certificate from a public CA.
client certificates to GlobalProtect clients and endpoints. This
enables the GlobalProtect portal and gateways to validate that the
device belongs to your organization.
- Use your enterprise PKI or a public CA to issue a unique client certificate to each GlobalProtect user.
- Install certificates in the personal certificate store on the endpoints.
a client certificate profile.
- Select DeviceCertificate ManagementCertificate Profile, click Add and enter a profile Name such as GP-client-cert.
- Select Subject from the Username Field drop-down.
- Click Add in the CA Certificates section, select the CA Certificate that issued the client certificates, and click OK twice.
a GlobalProtect Gateway.See the topology diagram shown in Figure: GlobalProtect VPN for Remote Access.Select NetworkGlobalProtectGateways and add the following configuration:Interface—ethernet1/2IP Address—203.0.113.1Server Certificate—GP-server-cert.pem issued by GoDaddyCertificate Profile—GP-client-certTunnel Interface—tunnel.2IP Pool—10.31.32.3 - 10.31.32.118
the GlobalProtect Portal.Select NetworkGlobalProtectPortals and add the following configuration:
Up Access to the GlobalProtect Portal:Interface—ethernet1/2IP Address—203.0.113.1Server Certificate—GP-server-cert.pem issued by GoDaddyCertificate Profile—GP-client-cert
the GlobalProtect Agent Configurations:Connect Method—On-demand (Manual user initiated connection)External Gateway Address—gp.acme.com
- Set Up Access to the GlobalProtect Portal:
the GlobalProtect Agent Software.Select DeviceGlobalProtect Client.In this example, use the procedure to Host Agent Updates on the Portal.
- (Optional) Enable use of the GlobalProtect mobile app.Purchase and install a GlobalProtect Gateway subscription (DeviceLicenses) to enable use of the app.
- Save the GlobalProtect configuration.Click Commit.
Remote Access VPN (Authentication Profile)
Remote Access VPN (Authentication Profile) In the Figure: GlobalProtect VPN for Remote Access , the GlobalProtect portal and gateway are configured on ethernet1/2, so this ...
Remote Access VPN with Two-Factor Authentication
Remote Access VPN with Two-Factor Authentication If you configure a GlobalProtect portal or gateway with an authentication profile and a certificate profile (which together can ...
Remote Access VPN with Pre-Logon
Remote Access VPN with Pre-Logon Pre-logon is a connect method that establishes a VPN tunnel before a user logs in. The purpose of pre-logon is ...
GlobalProtect Multiple Gateway Configuration
GlobalProtect Multiple Gateway Configuration In GlobalProtect Multiple Gateway Topology , a second external gateway has been added to the configuration. Multiple gateways are supported in ...
Pre-logon then On-Demand Connect Method
Pre-logon then On-Demand Connect Method This feature requires Content Release version 590-3397 or later. You can now configure a new hybrid connect method called pre-logon ...
GlobalProtect Certificate Best Practices
GlobalProtect Certificate Best Practices The following table summarizes the SSL/TLS certificates you will need, depending on which features you plan to use: GlobalProtect Certificate Requirements ...
Mixed Internal and External Gateway Configuration
Mixed Internal and External Gateway Configuration In a GlobalProtect mixed internal and external gateway configuration, you configure separate gateways for VPN access and for access ...
Deploy Server Certificates to the GlobalProtect Components
Deploy Server Certificates to the GlobalProtect Components The following workflow shows the best practice steps for deploying SSL/TLS certificates to the GlobalProtect components: Import a ...
Enable SSL Between GlobalProtect LSVPN Components
Enable SSL Between GlobalProtect LSVPN Components All interaction between the GlobalProtect components occurs over an SSL/TLS connection. Therefore, you must generate and/or install the required ...