Configure a GlobalProtect Gateway

Configure a GlobalProtect gateway to enforce security policies and provide VPN access for your users.
After you have completed the prerequisite tasks, configure the GlobalProtect Gateways:
  1. Add a gateway.
    1. Select Network > GlobalProtect > Gateways and click Add.
    2. In the General screen, enter a Name for the gateway. The gateway name should have no spaces and, as a best practice, should include the location or other descriptive information to help users and administrators identify the gateway.
    3. (Optional) Select the virtual system to which this gateway belongs from the Location field.
  2. Specify the network information that enables clients to connect to the gateway.
    If you haven’t created the network interface for the gateway, see Create Interfaces and Zones for GlobalProtect for instructions.
    Do not attach an interface management profile that allows HTTP, HTTPS, Telnet, or SSH on the interface where you have configured a GlobalProtect portal or gateway, because this enables access to your management interface from the Internet. Follow the Best Practices for Securing Administrative Access to ensure that you are securing administrative access to your firewalls in a way that will prevent successful attacks.
    1. Select the Interface that clients will use for communication with the gateway.
    2. Specify the IP Address Type and IP address for the gateway web service:
      • The IP address type can be IPv4 (for IPv4 traffic only), IPv6 (for IPv6 traffic only), or IPv4 and IPv6. Use IPv4 and IPv6 if your network supports dual stack configurations, where IPv4 and IPv6 run at the same time.
      • The IP address must be compatible with the IP address type. For example, 172.16.1/0 for IPv4 addresses or 21DA:D3:0:2F3B for IPv6 addresses. For dual stack configurations, enter both an IPv4 and an IPv6 address.
    3. Click OK to save changes.
  3. Specify how the gateway authenticates users.
    If you haven’t created an SSL/TLS service profile for the gateway, see Deploy Server Certificates to the GlobalProtect Components.
    If you haven’t set up the authentication profiles or certificate profiles, see Authentication for instructions.
    Select Authentication and then configure any of the following:
    • To secure communication between the gateway and the agents, select the SSL/TLS Service Profile for the gateway. To provide the strongest security, set the Min Version of the SSL/TLS service profile to TLSv1.2.
    • To authenticate users with a local user database or an external authentication service, such as LDAP, Kerberos, TACACS+, SAML, or RADIUS (including OTP), Add a Client Authentication configuration with the following settings:
      • Enter a Name to identify the client authentication configuration.
      • Identify the type of client to which this configuration applies. By default, the configuration applies to Any client, but you can customize the type of endpoint by OS (Android, Chrome, iOS, Mac, Windows, or WindowsUWP) or by third-party IPSec VPN clients (X-Auth).
      • Select or add an Authentication Profile to authenticate an endpoint seeking access to the gateway.
      • Enter an Authentication Message to help end users understand which credentials to use when logging in. The message can be up to 100 characters in length (the default is Enter login credentials).
      • To authenticate users based on a client certificate or a smart card/CAC, select the corresponding Certificate Profile.
    • To use two-factor authentication, select both an authentication profile and a certificate profile. Keep in mind that the user must successfully authenticate using both methods to be granted access.
      (Chrome only) If you configure the gateway to use client certificates and LDAP for two-factor authentication, Chromebooks that run Chrome OS 47 or later versions encounter excessive prompts to select the client certificate. To prevent excessive prompts, configure a policy to specify the client certificate in the Google Admin console and then deploy that policy to your managed Chromebooks:
      1. Log in to the Google Admin console and select Device management > Chrome management > User settings.
      2. In the Client Certificates section, enter the following URL pattern to Automatically Select Client Certificate for These Sites:
        {"pattern": "https://[*.]","filter":{}}
      3. Click Save. The Google Admin console deploys the policy to all devices within a few minutes.
  4. Enable tunneling and configure the tunnel parameters.
    The tunnel parameters are required if you are setting up an external gateway. If you are configuring an internal gateway, they are optional.
    If you want to force use of SSL-VPN tunnel mode, clear the Enable IPSec check box. By default, SSL-VPN will only be used if the endpoint fails to establish an IPSec tunnel.
    Extended authentication (X-Auth) is only supported on IPSec tunnels. If you Enable X-Auth Support, GlobalProtect IPSec Crypto profiles are not applicable.
    For more information on supported cryptographic algorithms, see Reference: GlobalProtect Agent Cryptographic Functions.
    1. On the GlobalProtect Gateway Configuration dialog, select Agent > Tunnel Settings.
    2. Select the Tunnel Mode check box to enable tunneling.
    3. Select the Tunnel Interface you defined when you created the network interface for the gateway.
    4. (Optional) Specify Max User for the maximum number of users that can access the gateway at the same time for authentication, HIP updates, and GlobalProtect agent updates (the range varies by platform and is displayed when the field is empty).
    5. Select a GlobalProtect IPSec Crypto profile to secure the VPN tunnels between GlobalProtect agents and gateways. The default profile uses AES-128-CBC encryption and sha1 authentication.
      You can also create a new IPSec crypto profile. To create a new profile, select New GlobalProtect IPSec Crypto in the same drop-down and configure the following:
      1. Enter a Name to identify the profile.
      2. Add the Authentication and Encryption algorithms that the VPN peers can use to negotiate the keys for securing the data in the tunnel:
        • Encryption—If you are not certain of what the VPN peers support, you can add multiple encryption algorithms in top-to-bottom order of most-to-least secure, as follows: aes-256-gcm, aes-128-gcm, aes-128-cbc. The peers negotiate the strongest algorithm to establish the tunnel.
        • Authentication—Select the authentication algorithm (sha1) to provide data integrity and authenticity protection. Although the authentication algorithm is required for the profile, this setting only applies to the AES-CBC cipher (aes-128-cbc). If you use an AES-GCM encryption algorithm (aes-256-gcm or aes-128-gcm), the setting is ignored because these ciphers natively provide ESP integrity protection.
      3. Click OK to save the profile.
    6. (Optional) Select Enable X-Auth Support if any endpoint needs to connect to the gateway by using a third-party VPN client (for example, a VPNC client running on Linux). If you enable X-Auth, you must provide the Group name and Group Password if the endpoint requires them. By default, the user is not required to re-authenticate if the key used to establish the IPSec tunnel expires. To require users to re-authenticate, clear the Skip Auth on IKE Rekey option.
      To Enable X-Auth Support for strongSwan endpoints, you must also disable the Skip Auth on IKE Rekey option, because these endpoints require re-authentication during IKE SA negotiation. In addition, you must add the closeaction=restart setting to the conn %default section of the strongSwan IPSec configuration file. See Set Up Authentication for strongSwan Ubuntu and CentOS Clients for more information on the strongSwan IPSec configuration.
      Although X-Auth access is supported on iOS and Android endpoints, it provides limited GlobalProtect functionality on these endpoints. Instead, use the GlobalProtect app for simplified access to all the security features that GlobalProtect provides on iOS and Android endpoints. The GlobalProtect app for iOS is available at the Apple App Store. The GlobalProtect app for Android is available at Google Play.
  5. (Optional) Modify the default timeout settings for endpoints.
    On the GlobalProtect Gateway Configuration dialog, select Agent > Timeout Settings and then configure the following settings:
    • Modify the maximum Login Lifetime for a single gateway login session. The default login lifetime is 30 days—during the lifetime, the user stays logged in as long as the gateway receives a HIP check from the endpoint within the Inactivity Logout period. After this time, the login session automatically logs out.
    • Modify the amount of time after which an inactive session is automatically logged out. The default Inactivity Logout period is 3 hours. A user is logged out of GlobalProtect if the gateway does not receive a HIP check from the endpoint during the configured amount of time.
    • Modify the number of minutes after which idle users are logged out of GlobalProtect. The default period for Disconnect on Idle is 180 minutes. Users are logged out of GlobalProtect if the GlobalProtect agent has not routed traffic through the VPN tunnel in the configured amount of time. This setting applies only to GlobalProtect agents that use the on-demand connect method.
  6. (Optional) Configure authentication override settings to enable the gateway to generate and accept secure, encrypted cookies to authenticate the user. This capability allows the user to provide login credentials only once during a specified period of time (for example, every 24 hours).
    By default, a gateway authenticates the user with an authentication profile and an optional certificate profile. When authentication override is enabled, GlobalProtect caches the result of a successful login and uses the cookie to authenticate the user instead of prompting the user for credentials. For more information, see Cookie Authentication on the Portal or Gateway. If client certificates are required, the endpoint must also provide a valid certificate to be granted access.
    If you need to immediately block access to a device whose cookie has not yet expired (for example, if the device is lost or stolen), you can Block Device Access by adding the device to a block list.
    1. On the GlobalProtect Gateway Configuration dialog, select Agent > Client Settings.
    2. Add a new agent configuration or select an existing configuration.
    3. Enter a Name to identify the agent configuration.
    4. Configure the following settings in the Authentication Override section:
      • Generate cookie for authentication override—Enable the gateway to generate encrypted, endpoint-specific cookies and issue the authentication cookies to the endpoint.
      • Accept cookie for authentication override—Enable the gateway to authenticate users with a valid, encrypted cookie. When the agent presents a valid cookie, the gateway verifies that the cookie was encrypted by the portal or gateway, decrypts the cookie, and then authenticates the user.
        The GlobalProtect app must know the username of the connecting user in order to match and retrieve the associated authentication cookies from the user’s endpoint. After the app retrieves the cookies, it sends them to the portal or gateway for user authentication.
        (Windows only) If you set the Use Single Sign-On option to Yes (SSO is enabled) in the portal agent configuration (Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App), the GlobalProtect app uses the Windows username to retrieve the local authentication cookie for the user. If you set the Use Single Sign-On option to No (SSO is disabled), you must enable the GlobalProtect app to Save User Credentials in order for the app to retrieve the authentication cookie for the user. Set the Save User Credentials option to Yes to save both the username and password, or to Save Username Only to save only the username.
        (Mac only) Because Mac endpoints do not support single sign-on, you must enable the GlobalProtect app to Save User Credentials in order for the app to retrieve the authentication cookie for the user. Set the Save User Credentials option to Yes to save both the username and password, or to Save Username Only to save only the username.
      • Cookie Lifetime—Specify the hours, days, or weeks that the cookie is valid. The default is 24 hours. The range for hours is 1–72; for weeks, 1–52; and for days, 1–365. After the cookie expires, the user must enter login credentials, and the gateway subsequently encrypts a new cookie to send to the agent. This value can be the same as or different from the Cookie Lifetime you configure for the portal.
      • Certificate to Encrypt/Decrypt Cookie—Select the RSA certificate to use to encrypt and decrypt the cookie. You must use the same certificate on the portal and gateways.
        As a best practice, configure the RSA certificate to use the strongest digest algorithm that your network supports.
        The portal and gateways use the RSA encryption padding scheme PKCS#1 v1.5 to generate the cookie (using the public key of the certificate) and decrypt the cookie (using the private key of the certificate).
  7. Configure the user or user group and the endpoint OS to which the agent configuration applies.
    The gateway uses the user/user group settings you specify to determine which configuration to deliver to the GlobalProtect agents that connect. Therefore, if you have multiple configurations, you must make sure to order them properly. As soon as the gateway finds a match, it delivers that configuration, so more specific configurations must precede more general ones. See step 10 for instructions on ordering the list of agent configurations.
    Network settings are not required in internal gateway configurations in non-tunnel mode, because agents use the network settings assigned to the physical network adapter.
    In a gateway agent configuration, select the User/User Group tab and configure the following settings:
    • To deliver this configuration to agents or apps running on a specific operating system, Add the OS (Android, Chrome, iOS, Mac, Windows, or WindowsUWP) to which this configuration applies. Or leave the value in this section set to Any to deploy the configuration based on user/group only.
    • To restrict this configuration to a specific user and/or group, click Add in the User/User Group section of the window and then select the user or group you want to receive this configuration from the drop-down. Repeat this step for each user/group you want to add.
      Before you can restrict the configuration to specific groups, you must map users to groups as described in Enable Group Mapping.
    • To restrict the configuration to users who have not yet logged in to their systems, select pre-logon from the User/User Group drop-down.
    • To apply the configuration to any user regardless of login status (both pre-logon and logged-in users), select any from the User/User Group drop-down.
  8. (Tunnel Mode only) Configure the IP pools available to assign to the virtual network adapter on the endpoint when an agent establishes a tunnel with the gateway.
    IP pools and split tunnel settings are not required in internal gateway configurations in non-tunnel mode because agents use the network settings assigned to the physical network adapter.
    You can optionally use address objects—which allow you to group specific source or destination addresses—when configuring gateway IP address pools or access routes.
    In a gateway agent configuration, select Agent > IP Pools, configure any of the following settings, and then click OK:
    • To specify the authentication server IP address pool to assign addresses to endpoints that require static IP addresses, select the Retrieve Framed-IP-Address attribute from authentication server check box and then Add the subnet or IP address range to assign to remote users in the Authentication Server IP Pool area. When the tunnel is established, an interface is created on the remote user’s computer with an address in the subnet or IP range that matches the Framed-IP attribute of the authentication server.
      The authentication server IP address pool must be large enough to support all concurrent connections. IP address assignment is static and is retained after the user disconnects.
    • To specify the IP Pool to use to assign IP addresses, click Add and then specify the IP address range or address object to use. You can configure IPv6 or IPv4 addresses. As a best practice, use a different range of IP addresses from those assigned to endpoints that are physically connected to your LAN to ensure proper routing back to the gateway.
  9. (Tunnel Mode only) Configure the split tunnel settings to assign to the virtual network adapter on the endpoint when an agent establishes a tunnel with the gateway.
    When configuring the access routes, keep in mind the following:
    • More specific access routes take precedence over less specific routes.
    • Avoid specifying the same access route as both an include and an exclude access route, as this leads to a misconfiguration.
    To route only some traffic—likely traffic destined for your LAN—to GlobalProtect, specify the destination subnets or address object (of type IP Netmask) that must be included in or excluded from the tunnel. In this case, traffic that is not destined for a specified access route is routed through the endpoint’s physical adapter rather than through the virtual adapter (the tunnel).
    In a gateway agent configuration, select Agent > Split Tunnel, configure any of the following settings, and then click OK:
    • To disable split tunneling, including direct access to local networks on Windows and Mac OS systems, enable No direct access to local network. In this case, users cannot send traffic to proxies or local resources while connected to GlobalProtect.
    • To define which destination subnets to route through the tunnel, click Add in the Access Route area and then enter the routes as follows:
      • (Optional) In the Includes area, Add the destination subnets or address object (of type IP Netmask) to route only some traffic—likely traffic destined for your LAN—to GlobalProtect. These are the routes the gateway pushes to the remote users’ endpoint, and they determine what traffic the users’ endpoint can send through the VPN connection. You can include IPv6 or IPv4 subnets.
        The number of access routes the firewall supports varies by PAN-OS release version:
        • PAN-OS 8.0.0 and PAN-OS 8.0.1—Up to 100 include access routes, and, with GlobalProtect agent 4.0.2 or a later release, up to 200 include access routes
        • PAN-OS 8.0.2—Up to 100 include access routes and, with GlobalProtect agent 4.0.2 or a later release, up to 1000 include access routes
      • (Optional) In the Excludes area, Add the destination subnets or address object (of type IP Netmask) that you want the client to exclude. These routes are sent through the endpoint’s physical adapter rather than through the virtual adapter (the tunnel). Excluded routes should be more specific than the included routes; otherwise, you may exclude more traffic than you intended. You can exclude IPv6 or IPv4 subnets. The firewall supports up to 100 exclude access routes, or, with GlobalProtect agent 4.0.0 or a later release, up to 200 exclude access routes.
    Excluding routes is not supported on Android. Only IPv4 routes are supported on Chrome.
  10. Arrange the gateway agent configurations so that the proper configuration is deployed to each agent.
    When an agent connects, the gateway compares the source information in the packet against the agent configurations you have defined. As with security rule evaluation, the gateway looks for a match starting from the top of the list. When it finds a match, it delivers the corresponding configuration to the agent or app.
    • To move a gateway configuration up on the list of configurations, select the configuration and click Move Up.
    • To move a gateway configuration down on the list of configurations, select the configuration and click Move Down.
  11. (Tunnel Mode only) Specify the network configuration settings for the endpoints.
    Network settings are not required in internal gateway configurations in non-tunnel mode because in this case agents use the network settings assigned to the physical network adapter.
    In a GlobalProtect Gateway Configuration, select the Agent > Network Services tab and configure the settings for endpoints in one of the following ways:
    • If the firewall has an interface that is configured as a DHCP client, set the Inheritance Source to that interface and the GlobalProtect agent will be assigned the same settings received by the DHCP client. You can also Inherit DNS Suffixes from the inheritance source.
    • Manually assign the DNS server(s) and suffix, and WINS servers by completing the corresponding fields.
  12. (Optional) Define the notification messages end users will see when a security rule with a host information profile (HIP) is enforced.
    This step only applies if you have created host information profiles and added them to your security policies. For details on configuring the HIP feature and for more detailed information about creating HIP notification messages, see Host Information.
    In a GlobalProtect Gateway Configuration, select the Agent > HIP Notification tab and Add a new HIP Notification configuration:
    1. From the Host Information drop-down, select the HIP object or profile to which this message applies.
    2. Select Match Message or Not Match Message and then Enable notifications, depending on whether you want to display the message when the corresponding HIP profile is matched in policy or when it is not matched. In some cases, you might want to create messages for both a match and a non-match, depending on the objects on which you are matching and what your objectives are for the policy. For the Match Message, you can also enable the option to Include Mobile App List to indicate what applications can trigger the HIP match.
    3. Select whether you want to display the message as a System Tray Balloon or as a Pop Up Message.
    4. Enter and format the text of your message in the Template text box and then click OK.
    5. Repeat these steps for each message you want to define.
  13. Save the gateway configuration.
    1. Click OK to save the settings and close the GlobalProtect Gateway Configuration dialog.
    2. Commit the changes.

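Split tunnel route evaluation from step 9 as an added example, not PAN-OS code: `SplitTunnel`, `Validate` and `Tunneled` are hypothetical names, the sample routes are constructed, and the exclude-only behaviour (everything not excluded is tunneled) is an assumption this model makes.

```go
package main

import (
	"fmt"
	"net/netip"
)

// SplitTunnel is a constructed model of the Includes and Excludes access
// routes in a gateway agent configuration. It is not PAN-OS code.
type SplitTunnel struct {
	Includes []netip.Prefix
	Excludes []netip.Prefix
}

// Validate applies the page's two rules: never list the same route as both an
// include and an exclude, and keep every exclude more specific than the include
// it carves out of, or more traffic than intended leaves the tunnel.
func (s SplitTunnel) Validate() []string {
	var problems []string
	for _, ex := range s.Excludes {
		for _, in := range s.Includes {
			if ex.Masked() == in.Masked() {
				problems = append(problems, fmt.Sprintf("%s is both an include and an exclude", ex))
				continue
			}
			// Contains is false across address families, so IPv4 and IPv6 never clash.
			if ex.Contains(in.Addr()) && ex.Bits() < in.Bits() {
				problems = append(problems, fmt.Sprintf("exclude %s is broader than include %s", ex, in))
			}
		}
	}
	return problems
}

// Tunneled reports whether traffic to dst uses the virtual adapter: the most
// specific matching access route wins. Assumption of this model: with no
// include routes everything is tunneled and excludes carve traffic out; with
// include routes, traffic matching no include stays on the physical adapter.
func (s SplitTunnel) Tunneled(dst netip.Addr) bool {
	bestBits, tunneled := -1, len(s.Includes) == 0
	for _, p := range s.Includes {
		if p.Contains(dst) && p.Bits() > bestBits {
			bestBits, tunneled = p.Bits(), true
		}
	}
	for _, p := range s.Excludes {
		if p.Contains(dst) && p.Bits() > bestBits {
			bestBits, tunneled = p.Bits(), false
		}
	}
	return tunneled
}

func main() {
	// Constructed sample: tunnel the corporate 10/8 but keep a guest /16 local.
	st := SplitTunnel{
		Includes: []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")},
		Excludes: []netip.Prefix{netip.MustParsePrefix("10.1.0.0/16")},
	}
	fmt.Println("problems:", st.Validate())
	for _, d := range []string{"10.2.3.4", "10.1.3.4", "8.8.8.8"} {
		fmt.Println(d, "tunneled:", st.Tunneled(netip.MustParseAddr(d)))
	}
}
```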