Remote Access VPN (Authentication Profile)

In the GlobalProtect VPN for Remote Access, the GlobalProtect portal and gateway are configured on ethernet1/2, so this is the physical interface where GlobalProtect users connect. After a user connects and authenticates to the portal and gateway, the endpoint establishes a tunnel from its virtual adapter, which has been assigned an IP address from the IP pool associated with the gateway tunnel.2 configuration (10.31.32.3-10.31.32.118 in this example). Because GlobalProtect VPN tunnels terminate in a separate corp-vpn zone, you have visibility into the connection traffic as well as the ability to customize security policies for remote users.
[Figure: GlobalProtect VPN for Remote Access topology]
  1. Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.
    • Select Network > Interfaces > Ethernet. Configure ethernet1/2 as a Layer 3 Ethernet interface with IP address 203.0.113.1, and then assign it to the l3-untrust Security Zone and the default Virtual Router.
    • Create a DNS “A” record that maps IP address 203.0.113.1 to gp.acme.com.
    • Select Network > Interfaces > Tunnel and Add the tunnel.2 interface. Add the tunnel interface to a new Security Zone called corp-vpn, and then assign it to the default Virtual Router.
    • Enable User Identification on the corp-vpn zone.
  2. Create security policies to enable traffic flow between the corp-vpn zone and the l3-trust zone, which enables access to your internal resources.
    1. Select Policies > Security, and then Add a new rule.
    2. For this example, you would define the rule with the following settings:
      • Name (General tab)—VPN Access
      • Source Zone (Source tab)—corp-vpn
      • Destination Zone (Destination tab)—l3-trust
      [Figure: example VPN Access security policy rule]
  3. Use one of the following methods to obtain a server certificate for the interface hosting the GlobalProtect portal and gateway:
    Select Device > Certificate Management > Certificates to manage certificates as follows:
    • Obtain a server certificate. Because the portal and gateway are on the same interface, the same server certificate can be used for both components.
    • The CN of the certificate must match the FQDN, gp.acme.com.
    • To enable users to connect to the portal without receiving certificate errors, use a server certificate from a public CA.
  4. The server profile instructs the firewall on how to connect to the authentication service. Local, RADIUS, Kerberos, SAML, and LDAP authentication methods are supported. This example shows an LDAP authentication profile for authenticating users against the Active Directory.
    Create the server profile for connecting to the LDAP server (Device > Server Profiles > LDAP).
    [Figure: example LDAP server profile]
  5. Attach the server profile to an authentication profile (Device > Authentication Profile).
    [Figure: example authentication profile]
  6. Select Network > GlobalProtect > Gateways, and then Add the following configuration:
    • Interface: ethernet1/2
    • IP Address: 203.0.113.1
    • Server Certificate: GP-server-cert.pem issued by GoDaddy
    • Authentication Profile: Corp-LDAP
    • Tunnel Interface: tunnel.2
    • IP Pool: 10.31.32.3 - 10.31.32.118
  7. Configure the GlobalProtect Portals.
    Select Network > GlobalProtect > Portals, and then Add the following configuration:
    1. Interface: ethernet1/2
       IP Address: 203.0.113.1
       Server Certificate: GP-server-cert.pem issued by GoDaddy
       Authentication Profile: Corp-LDAP
    2. Connect Method: On-demand (Manual user initiated connection)
       External Gateway Address: gp.acme.com
  8. Select Device > GlobalProtect Client. Follow the procedure to Host App Updates on the Portal.
  9. (Optional) Enable use of the GlobalProtect mobile app.
    Purchase and install a GlobalProtect subscription (Device > Licenses) to enable use of the app.
  10. Save the GlobalProtect configuration.
    Click Commit.
