Define the GlobalProtect Agent Configurations

After a GlobalProtect user connects to the portal and is authenticated by the GlobalProtect portal, the portal sends the agent configuration to the agent or app, based on the settings you defined. If you have different roles for users or groups that need specific configurations, you can create a separate agent configuration for each user type or user group. The portal uses the OS of the endpoint and the username or group name to determine the agent configuration to deploy. As with other security rule evaluations, the portal starts to search for a match at the top of the list. When it finds a match, the portal sends the right configuration to the agent or app.
The configuration can include the following:
  • A list of gateways to which the client can connect.
  • Among the external gateways, any gateway that the user can manually select for the session.
  • The root CA certificate required to enable the agent or app to establish an SSL connection with the GlobalProtect gateway(s).
  • The root CA certificate for SSL forward proxy decryption.
  • The client certificate that the endpoint should present to the gateway when it connects. This configuration is required only if mutual authentication between the client and the portal or gateway is required.
  • A secure encrypted cookie that the endpoint should present to the portal or gateway when it connects. The cookie is included only if you enable the portal to generate one.
  • The settings the endpoint uses to determine whether it is connected to the local network or to an external network.
  • Settings for the behavior of the agent or app, such as what the end users can see in their display, whether they can save their GlobalProtect password, and whether they are prompted to upgrade their software.
If the portal is down or unreachable, the agent will use the cached version of its agent configuration from its last successful portal connection to obtain settings, including the gateway(s) to which the agent can connect, what root CA certificate(s) to use to establish secure communication with the gateway(s), and what connect method to use.
Use the following procedure to create an agent configuration.
  1. Add one or more trusted root CA certificates to the portal agent configuration to enable the GlobalProtect client to verify the identity of the portal and gateways.
    The portal deploys the certificate in a certificate file which is read only by GlobalProtect.
    1. Select
      Network
      GlobalProtect
      Portals
      .
    2. Select the portal configuration to which you are adding the agent configuration and then select the
      Agent
      tab.
    3. In the
      Trusted Root CA
      field,
      Add
      and then select the CA certificate that was used to issue the gateway and/or portal server certificates.
      The web interface presents a list of CA certificates that are imported on the firewall serving as the GlobalProtect portal. The web interface also excludes end-entity certificates, sometimes referred to as leaf certificates, from the list of certificates you can select. You can also
      Import
      a new CA certificate.
      Use the following best practices when creating and adding certificates:
      • Use the same certificate issuer to issue certificates for all of your gateways.
      • Add the entire certificate chain (trusted root CA and intermediate CA certificates) to the portal agent configuration.
    4. (Optional) Deploy additional CA certificates for purposes other than GlobalProtect (for example, SSL forward proxy decryption).
      This option enables you to use the portal to deploy certificates to the endpoint and the agent to install them in the local root certificate store. This can be useful if you do not have another method for distributing these server certificates or prefer to use the portal for certificate distribution.
      For SSL forward proxy decryption, you specify the forward trust certificate the firewall uses (on Windows and Mac endpoints only) to terminate the HTTPS connection, inspect the traffic for policy compliance, and re-establish the HTTPS connection to forward the encrypted traffic.
      1. Add the certificate as described in the previous step.
      2. To the right of the certificate, select
        Install in Local Root Certificate Store
        .
        The portal automatically sends the certificate when the user logs in to the portal and installs it in the client's local store thus eliminating the need for you to install the certificate manually.
  2. Add an agent configuration.
    The agent configuration specifies the GlobalProtect configuration settings to deploy to the connecting agents/apps. You must define at least one agent configuration.
    1. In the Agent area,
      Add
      a new configuration.
    2. Enter a
      Name
      to identify the configuration. If you plan to create multiple configurations, make sure the name you define for each is descriptive enough to allow you to distinguish them.
  3. (
    Optional
    ) Configure settings to specify how users with this configuration will authenticate with the portal.
    If the gateway is to authenticate the clients by using a client certificate, you must select the source that distributes the certificate.
    On the
    Authentication
    tab, configure any of the following authentication settings:
    • To enable users to authenticate with the portal using client certificates, select the
      Client Certificate
      source (
      SCEP
      ,
      Local
      , or
      None
      ) that distributes the certificate and its private key to an endpoint. If you use an internal CA to distribute certificates to clients, select
      None
      (
      default
      ). To enable the portal to generate and send a machine certificate to the agent for storage in the local certificate store and use the certificate for portal and gateway authentication, select
      SCEP
      and the associated SCEP profile. These certificates are device-specific and can only be used on the endpoint to which it was issued. To use the same certificate for all endpoints, select a certificate that is
      Local
      to the portal. With
      None
      , the portal does not push a certificate to the client, but you can use can other ways to get a certificate to the client’s endpoint.
    • Specify whether to
      Save User Credentials
      . Select
      Yes
      to save the username and password (default),
      Save Username Only
      to save only the username, or
      No
      to never save credentials.
      If you configure the portal or gateways to prompt for a dynamic password such as a one-time password (OTP), the user must enter a new password at each login. In this case, the GlobalProtect agent/app ignores the selection to save both the username and password, if specified, and saves only the username. For more information, see Enable Two-Factor Authentication Using One-Time Passwords (OTPs).
  4. If the GlobalProtect endpoint does not require tunnel connections when it is on the internal network, configure internal host detection.
    1. On the
      Internal
      tab, select the
      Internal Host Detection
      check box.
    2. Enter the
      IP Address
      of a host that can be reached from the internal network only. You can configure
      IPv4
      or
      IPv6
      addressing for
      Internal Host Detection
      . The IP address you specify must be compatible with the IP address type. For example, 172.16.1.0 for IPv4 or 21DA:D3:0:2F3b for IPv6.
    3. Enter the DNS
      Hostname
      for the IP address you entered. Clients that try to connect to GlobalProtect attempt to do a reverse DNS lookup on the specified address. If the lookup fails, the client determines that it is on the external network and then initiates a tunnel connection to a gateway on its list of external gateways.
  5. Set up access to a third-party mobile endpoint management system.
    This step is required if the mobile devices using this configuration will be managed by a third-party mobile endpoint management system. All devices will initially connect to the portal and, if a third-party mobile endpoint management system is configured on the corresponding portal agent configuration, the device will be redirected to it for enrollment.
    1. Enter the IP address or FQDN of the device check-in interface associated with your mobile endpoint management system. The value you enter here must exactly match the value of the server certificate associated with the device check-in interface. You can specify an IPv6 or IPv4 address.
    2. Specify the
      Enrollment Port
      on which the mobile endpoint management system will be listening for enrollment requests. This value must match the value set on the mobile endpoint management system (default=443).
  6. Configure the user or user group and the endpoint OS to which the agent configuration applies.
    The portal uses the user/user group settings you specify to determine which configuration to deliver to the GlobalProtect agents that connect. Therefore, if you have multiple configurations, you must make sure to order them properly. As soon as the portal finds a match, it will deliver the configuration. Therefore, more specific configurations must precede more general ones. See 12 for instructions on ordering the list of agent configurations.
    Select the
    User/User Group
    tab and then specify any users, user groups, and/or operating systems to which this configuration should apply:
    • To deliver this configuration to agents or apps running on specific operating system,
      Add
      the OS (
      Android
      ,
      Chrome
      ,
      iOS
      ,
      Mac
      ,
      Windows
      , or
      WindowsUWP
      ) to which this configuration applies. Or leave the value in this section set to
      Any
      to deploy the configuration based on user/group only.
    • To restrict this configuration to a specific user and/or group, click
      Add
      in the User/User Group section of the window and then select the user or group you want to receive this configuration from the drop-down. Repeat this step for each user/group you want to add.
    Before you can restrict the configuration to specific groups, you must map users to groups as described in Enable Group Mapping.
    • To restrict the configuration to users who have not yet logged in to their systems, select
      pre-logon
      from the User/User Group drop-down.
    • To apply the configuration to any user regardless of login status (both pre-logon and logged in users), select
      any
      from the User/User Group drop-down.
  7. Specify the external gateways to which users with this configuration can connect.
    Consider the following best practices when you configure the gateways:
    1. Click
      Add
      on the
      External
      tab.
    2. Enter a descriptive
      Name
      for the gateway. The name you enter here should match the name you defined when you configured the gateway and should be descriptive enough for users to know the location of the gateway they are connected to.
    3. Enter the FQDN or IP address of the interface where the gateway is configured in the
      Address
      field. You can configure an IPv4 or IPv6 address. The address you specify must exactly match the Common Name (CN) in the gateway server certificate.
    4. Add
      one or more
      Source Regions
      for the gateway, or select
      Any
      to make the gateway available to all regions. When users connect, GlobalProtect recognizes the device region and only allows uses to connect to gateways that are configured for that region. For gateway choices, source region is considered first, then gateway priority.
    5. Set the
      Priority
      of the gateway by clicking in the field and selecting a value:
      • If you have only one external gateway, you can leave the value set to
        Highest
        (the default).
      • If you have multiple external gateways, you can modify the priority values (ranging from
        Highest
        to
        Lowest
        ) to indicate a preference for the specific user group to which this configuration applies. For example, if you prefer that the user group connects to a local gateway you would set the priority higher than that of more geographically distant gateways. The priority value is then used to weight the agent’s gateway selection algorithm.
      • If you do not want agents to automatically establish tunnel connections with the gateway, select
        Manual only
        . This setting is useful in testing environments.
    6. Select the
      Manual
      check box if you want to allow users to be able to manually switch to the gateway.
  8. Specify the internal gateways to which users with this configuration can connect.
    Make sure you do not use on-demand as the connect method if your configuration includes internal gateways.
    1. On the
      Internal
      tab, click
      Add
      in the
      Internal Gateways
      section.
    2. Enter a descriptive
      Name
      for the gateway. The name you enter here should match the name you defined when you configured the gateway and should be descriptive enough for users to know the location of the gateway they are connected to.
    3. Enter the FQDN or IP address of the interface where the gateway is configured in the
      Address
      field. You can configure an IPv4 or IPv6 address. The address you specify must exactly match the Common Name (CN) in the gateway server certificate.
    4. (
      Optional
      )
      Add
      one or more
      Source Addresses
      to the gateway configuration. The source address can be an IP subnet or range. It can also be a predefined address. GlobalProtect supports both IPv6 and IPv4 addresses. When users connect, GlobalProtect recognizes the source address of the device and only allows users to connect to gateways that are configured for that address.
    5. Click
      OK
      to save your changes.
    6. (
      Optional
      )
      Add
      a
      DHCP Option 43 Code
      to the gateway configuration. You can include one or more sub-option codes associated with the vendor-specific information (Option 43) that the DHCP server has been configured to offer the client. For example, you might have a sub-option code 100 that is associated with an IP address of 192.168.3.1.
      When a user connects, the GlobalProtect portal sends the list of option codes in the portal configuration to the GlobalProtect agent and the agent selects gateways indicated by the options.
      When both the source address and DHCP options are configured, the list of available gateways presented to the client is based on the combination (union) of the two configurations.
      DHCP options are supported on Windows and Mac endpoints only. DHCP options cannot be used to select gateways that use IPv6 addressing.
    7. (
      Optional
      ) Select
      Internal Host Detection
      to allow the GlobalProtect agent to determine if it is inside the enterprise network. When the user attempts to log in, the agent does a reverse DNS lookup of the internal
      Hostname
      to the specified
      IP Address
      .
      The host serves as a reference point that is reachable if the endpoint is inside the enterprise network. If the agent finds the host, the endpoint is inside the network and the agent connects to an internal gateway; if the agent fails to find the internal host, the endpoint is outside the network and the agent establishes a tunnel to one of the external gateways.
      You can configure
      IPv4
      or
      IPv6
      addressing for
      Internal Host Detection
      . The IP address you specify must be compatible with the IP address type. For example, 172.16.1.0 for IPv4 or 21DA:D3:0:2F3b for IPv6.
  9. Customize the behavior of the GlobalProtect agent for users with this configuration.
    Select the
    App
    tab and then modify the agent settings as desired. For more details about each option, see Customize the GlobalProtect Agent.
  10. (
    Optional
    ) Define any custom host information profile (HIP) data that you want the agent to collect and/or exclude HIP categories from collection.
    This step only applies if you plan to use the HIP feature and there is information you want to collect that cannot be collected using the standard HIP objects or if there is HIP information that you are not interested in collecting. See Host Information for details on setting up and using the HIP feature.
    1. Select
      Data Collection
      and enable the GlobalProtect agent to
      Collect HIP Data
      .
    2. Select
      Exclude Categories
      to exclude specific categories and/or vendors, applications, or versions within a category. For more details, see 3 in Configure HIP-Based Policy Enforcement.
    3. Select
      Custom Checks
      to define any custom data you want to collect from hosts running this agent configuration, and add the category and vendor. For more details, see 2 in Host Information.
  11. Save the agent configuration.
    1. Click
      OK
      to save the settings and close the Configs dialog.
    2. If you want to add another agent configuration, repeat 2 through 11.
  12. Arrange the agent configurations so that the proper configuration is deployed to each agent.
    When an agent connects, the portal will compare the source information in the packet against the agent configurations you have defined. As with security rule evaluation, the portal looks for a match starting from the top of the list. When it finds a match, it delivers the corresponding configuration to the agent or app.
    • To move an agent configuration up on the list of configurations, select the configuration and click
      Move Up
      .
    • To move an agent configuration down on the list of configurations, select the configuration and click
      Move Down
      .
  13. Save the portal configuration.
    1. Click
      OK
      to save the settings and close the GlobalProtect Portal Configuration dialog.
    2. Commit
      the changes.

Related Documentation