Remote Access VPN (Authentication Profile)
In the GlobalProtect VPN for Remote Access, the GlobalProtect portal and gateway are configured on
ethernet1/2, so this is the physical interface where GlobalProtect users connect. After a user connects and authenticates to the portal and gateway, the endpoint establishes a tunnel from its virtual adapter, which has been assigned an IP address from the IP pool associated with the gateway tunnel.2 configuration—10.31.32.3-10.31.32.118 in this example. Because GlobalProtect VPN tunnels terminate in a separate
corp-vpnzone, you have visibility into the connection traffic as well as the ability to customize security policies for remote users.
- Use thedefaultvirtual router for all interface configurations to avoid having to create inter-zone routing.
- Select. ConfigureNetworkInterfacesEthernetethernet1/2as a Layer 3 Ethernet interface with IP address 203.0.113.1, and then assign it to thel3-untrustSecurity Zoneand the defaultVirtual Router.
- Create a DNS “A” record that maps IP address203.0.113.1togp.acme.com.
- SelectandNetworkInterfacesTunnelAddthetunnel.2interface.Addthe tunnel interface to a newSecurity Zonecalledcorp-vpn, and then assign it to the defaultVirtual Router.
- Enable User Identification on thecorp-vpnzone.
- Create security policies to enable traffic flow between thecorp-vpnzone and thel3-trustzone, which enables access to your internal resources.
- Select, and thenPoliciesSecurityAdda new rule.
- For this example, you would define the rule with the following settings:
- Name(Generaltab)—VPN Access
- Source Zone(Sourcetab)—corp-vpn
- Destination Zone(Destinationtab)—l3-trust
- Use one of the following methods to obtain a server certificate for the interface hosting the GlobalProtect portal and gateway:Selectto manage certificates as follows:DeviceCertificate ManagementCertificates
- Obtain a server certificate. Because the portal and gateway are on the same interface, the same server certificate can be used for both components.
- The CN of the certificate must match the FQDN,gp.acme.com.
- To enable users to connect to the portal without receiving certificate errors, use a server certificate from a public CA.
- The server profile instructs the firewall on how to connect to the authentication service. Local, RADIUS, Kerberos, SAML, and LDAP authentication methods are supported. This example shows an LDAP authentication profile for authenticating users against the Active Directory.Create the server profile for connecting to the LDAP server ().DeviceServer ProfilesLDAP
- Attach the server profile to an authentication profile ().DeviceAuthentication Profile
- Select, and thenNetworkGlobalProtectGatewaysAddthe following configuration:Interface—ethernet1/2IP Address—203.0.113.1Server Certificate—GP-server-cert.pem issued by GoDaddyAuthentication Profile—Corp-LDAPTunnel Interface—tunnel.2IP Pool—10.31.32.3 - 10.31.32.118
- Configure the GlobalProtect Portals.Select, and thenNetworkGlobalProtectPortalsAddthe following configuration:
- Interface—ethernet1/2IP Address—203.0.113.1Server Certificate—GP-server-cert.pem issued by GoDaddyAuthentication Profile—Corp-LDAP
- Connect Method—On-demand(Manual user initiated connection)External Gateway Address—gp.acme.com
- (Optional) Enable use of the GlobalProtect mobile app.Purchase and install a GlobalProtect subscription () to enable use of the app.DeviceLicenses
- Save the GlobalProtect configuration.ClickCommit.