In this topology, a PA-3020 in the co-location space
functions as a GlobalProtect portal.
Employees and contractors can authenticate to the portal using
two-factor authentication (2FA) consisting of Active Directory (AD)
credentials and a one-time password (OTP). The portal deploys GlobalProtect
client configurations based on user and group membership and operating
By configuring a separate portal client configuration that applies
to a small group or set of pilot users, you can test features before
rolling them out to a wider user base. Any client configuration
containing new features—such as the Enforce GlobalProtect or Simple
Certificate Enrollment Protocol (SCEP) features which were made
available with PAN-OS 7.1 and content updates that followed—is enabled
in the pilot configuration first and validated by those pilot users,
before it is made available to other users.
The GlobalProtect portal also pushes configurations to GlobalProtect
satellites. This configuration includes the GlobalProtect gateways
to which satellites can connect and establish a site-to-site tunnel.