Remote Access VPN (Certificate Profile)
With certificate authentication, the user must present a valid client certificate that identifies them to the GlobalProtect portal or gateway. In addition to the certificate itself, the portal or gateway can use a certificate profile to determine whether the user that sent the certificate is the user to which the certificate was issued.
When a client certificate is the only means of authentication, the certificate that the user presents must contain the username in one of the certificate fields; typically the username corresponds to the common name (CN) in the Subject field of the certificate.
Upon successful authentication, the GlobalProtect app establishes a tunnel with the gateway and is assigned an IP address from the IP pool in the gateway’s tunnel configuration. To support user-based policy enforcement on sessions from the
corp-vpnzone, the username from the certificate is mapped to the IP address assigned by the gateway. If a security policy requires a domain name in addition to the user name, the domain value specified in the certificate profile is appended to the username.
This quick configuration uses the same topology as GlobalProtect VPN for Remote Access. The only configuration difference is that instead of authenticating users against an external authentication server, this configuration uses client certificate authentication only.
- Use thedefaultvirtual router for all interface configurations to avoid having to create inter-zone routing.
- Select. ConfigureNetworkInterfacesEthernetethernet1/2as a Layer 3 Ethernet interface with IP address203.0.113.1, and then assign it to thel3-untrustSecurity Zoneand the defaultVirtual Router.
- Create a DNS “A” record that maps IP address203.0.113.1togp.acme.com.
- SelectandNetworkInterfacesTunnelAddthetunnel.2interface. Add the tunnel interface to a newSecurity Zonecalledcorp-vpn, and then assign it to the defaultVirtual Router.
- Enable User Identification on thecorp-vpnzone.
- Create security policies to enable traffic flow between thecorp-vpnzone and thel3-trustzone, which enables access to your internal resources.
- Select, and thenPoliciesSecurityAdda new rule.
- For this example, you would define the rule with the following settings:
- Name(Generaltab)—VPN Access
- Source Zone(Sourcetab)—corp-vpn
- Destination Zone(Destinationtab)—l3-trust
- Use one of the following methods to obtain a server certificate for the interface hosting the GlobalProtect portal and gateway:Selectto manage certificates as follows:DeviceCertificate ManagementCertificates
- Obtain a server certificate. Because the portal and gateway are on the same interface, the same server certificate can be used for both components.
- The CN of the certificate must match the FQDN,gp.acme.com.
- To enable users to connect to the portal without receiving certificate errors, use a server certificate from a public CA.
- Use your enterprise PKI or a public CA to issue a unique client certificate to each GlobalProtect user.
- Select.DeviceCertificate ManagementCertificate ProfileAdda new certificate profile, and then enter a profileNamesuch asGP-client-cert.
- SelectSubjectfrom theUsername Fielddrop-down.
- In theCA Certificatesarea,Addthe CA certificate that issued the client certificates. ClickOKtwice.
- See the topology diagram shown in GlobalProtect VPN for Remote Access.Select, and thenNetworkGlobalProtectGatewaysAddthe following configuration:Interface—ethernet1/2IP Address—203.0.113.1Server Certificate—GP-server-cert.pem issued by GoDaddyCertificate Profile—GP-client-certTunnel Interface—tunnel.2IP Pool—10.31.32.3 - 10.31.32.118
- Configure the GlobalProtect Portals.Select, and thenNetworkGlobalProtectPortalsAddthe following configuration:
- Interface—ethernet1/2IP Address—203.0.113.1Server Certificate—GP-server-cert.pem issued by GoDaddyCertificate Profile—GP-client-cert
- Connect Method—On-demand(Manual user initiated connection)External Gateway Address—gp.acme.com
- (Optional) Enable use of the GlobalProtect mobile app.Purchase and install a GlobalProtect subscription () to enable use of the app.DeviceLicenses
- Save the GlobalProtect configuration.ClickCommit.