Remote Access VPN (Certificate Profile)

With certificate authentication, the user must present a valid client certificate that identifies them to the GlobalProtect portal or gateway. In addition to the certificate itself, the portal or gateway can use a certificate profile to determine whether the user that sent the certificate is the user to which the certificate was issued.
When a client certificate is the only means of authentication, the certificate that the user presents must contain the username in one of the certificate fields; typically the username corresponds to the common name (CN) in the Subject field of the certificate.
Upon successful authentication, the GlobalProtect app establishes a tunnel with the gateway and is assigned an IP address from the IP pool in the gateway’s tunnel configuration. To support user-based policy enforcement on sessions from the
corp-vpn
zone, the username from the certificate is mapped to the IP address assigned by the gateway. If a security policy requires a domain name in addition to the user name, the domain value specified in the certificate profile is appended to the username.
GlobalProtect Client Certificate Authentication Configuration
gp-client-cert-auth.png
This quick configuration uses the same topology as GlobalProtect VPN for Remote Access. The only configuration difference is that instead of authenticating users against an external authentication server, this configuration uses client certificate authentication only.
  1. Use the
    default
    virtual router for all interface configurations to avoid having to create inter-zone routing.
    • Select
      Network
      Interfaces
      Ethernet
      . Configure
      ethernet1/2
      as a Layer 3 Ethernet interface with IP address
      203.0.113.1
      , and then assign it to the
      l3-untrust
      Security Zone
      and the default
      Virtual Router
      .
    • Create a DNS “A” record that maps IP address
      203.0.113.1
      to
      gp.acme.com
      .
    • Select
      Network
      Interfaces
      Tunnel
      and
      Add
      the
      tunnel.2
      interface. Add the tunnel interface to a new
      Security Zone
      called
      corp-vpn
      , and then assign it to the default
      Virtual Router
      .
    • Enable User Identification on the
      corp-vpn
      zone.
  2. Create security policies to enable traffic flow between the
    corp-vpn
    zone and the
    l3-trust
    zone, which enables access to your internal resources.
    1. Select
      Policies
      Security
      , and then
      Add
      a new rule.
    2. For this example, you would define the rule with the following settings:
      • Name
        (
        General
        tab)—
        VPN Access
      • Source Zone
        (
        Source
        tab)—
        corp-vpn
      • Destination Zone
        (
        Destination
        tab)—
        l3-trust
      vpn-policy-example.png
  3. Use one of the following methods to obtain a server certificate for the interface hosting the GlobalProtect portal and gateway:
    Select
    Device
    Certificate Management
    Certificates
    to manage certificates as follows:
    • Obtain a server certificate. Because the portal and gateway are on the same interface, the same server certificate can be used for both components.
    • The CN of the certificate must match the FQDN,
      gp.acme.com
      .
    • To enable users to connect to the portal without receiving certificate errors, use a server certificate from a public CA.
    1. Use your enterprise PKI or a public CA to issue a unique client certificate to each GlobalProtect user.
    1. Select
      Device
      Certificate Management
      Certificate Profile
      .
      Add
      a new certificate profile, and then enter a profile
      Name
      such as
      GP-client-cert
      .
    2. Select
      Subject
      from the
      Username Field
      drop-down.
    3. In the
      CA Certificates
      area,
      Add
      the CA certificate that issued the client certificates. Click
      OK
      twice.
  4. See the topology diagram shown in GlobalProtect VPN for Remote Access.
    Select
    Network
    GlobalProtect
    Gateways
    , and then
    Add
    the following configuration:
    Interface
    ethernet1/2
    IP Address
    203.0.113.1
    Server Certificate
    GP-server-cert.pem issued by GoDaddy
    Certificate Profile
    GP-client-cert
    Tunnel Interface
    tunnel.2
    IP Pool
    10.31.32.3 - 10.31.32.118
  5. Configure the GlobalProtect Portals.
    Select
    Network
    GlobalProtect
    Portals
    , and then
    Add
    the following configuration:
    1. Interface
      ethernet1/2
      IP Address
      203.0.113.1
      Server Certificate
      GP-server-cert.pem issued by GoDaddy
      Certificate Profile
      GP-client-cert
    2. Connect Method
      On-demand
      (Manual user initiated connection)
      External Gateway Address
      gp.acme.com
  6. Select
    Device
    GlobalProtect Client
    . Follow the procedure to Host App Updates on the Portal.
  7. (
    Optional
    ) Enable use of the GlobalProtect mobile app.
    Purchase and install a GlobalProtect subscription (
    Device
    Licenses
    ) to enable use of the app.
  8. Save the GlobalProtect configuration.
    Click
    Commit
    .

Related Documentation