GlobalProtect
Define the GlobalProtect Agent Configurations
Table of Contents
Expand All
|
Collapse All
GlobalProtect Docs
-
- 10.1 & Later
- 9.1
-
- 6.2
- 6.1
- 6.0
- 5.3
- 5.2
- 5.1
-
- 6.1
- 6.0
- 5.2
- 5.1
-
- 6.2
- 6.1
- 6.0
- 5.3
- 5.2
- 5.1
Define the GlobalProtect Agent Configurations
After a GlobalProtect user connects to the
portal and is authenticated by the GlobalProtect portal, the portal
sends the agent configuration to the app, based on the settings
you define. If you have different roles for users or groups that
need specific configurations, you can create a separate agent configuration
for each user type or user group. The portal uses the OS of the
endpoint and the username or group name to determine which agent
configuration to deploy. As with other security rule evaluations,
the portal starts to search for a match at the top of the list.
When it finds a match, the portal sends the configuration to the app.
The
configuration can include the following:
- A list of gateways to which the endpoint can connect.
- Among the external gateways, any gateway that the user can manually select for the session.
- The root CA certificate required to enable the app to establish an SSL connection with the GlobalProtect gateway(s).
- The root CA certificate for SSL forward proxy decryption.
- The client certificate that the endpoint should present to the gateway when it connects. This configuration is required only if mutual authentication between the app and the portal or gateway is required.
- A secure encrypted cookie that the endpoint should present to the portal or gateway when it connects. The cookie is included only if you enable the portal to generate one.
- The settings the endpoint uses to determine whether it is connected to the local network or to an external network.
- App behavior settings, such as what the end users can see in their display, whether users can save their GlobalProtect password, and whether users are prompted to upgrade their software.
If
the portal is down or unreachable, the app uses the cached version
of its agent configuration from its last successful portal connection
to obtain settings, including the gateway(s) to which the app can
connect, what root CA certificate(s) to use to establish secure
communication with the gateway(s), and what connect method to use.
Use
the following procedure to create an agent configuration.
- Add one or more trusted root CA certificates to the portal agent configuration to enable the GlobalProtect app to verify the identity of the portal and gateways.The portal deploys the certificate in a certificate file which is read only by GlobalProtect.
- Select.NetworkGlobalProtectPortals
- Select the portal configuration to which you are adding the agent configuration, and then select theAgenttab.
- In theTrusted Root CAfield,Addand select the CA certificate that was used to issue the gateway and/or portal server certificates.The web interface presents a list of CA certificates that are imported on the firewall serving as the GlobalProtect portal. The web interface also excludes end-entity certificates, sometimes referred to as leaf certificates, from the list of certificates you can select. You can alsoImporta new CA certificate.Use the following best practices when creating and adding certificates:
- Use the same certificate issuer to issue certificates for all of your gateways.
- Add the entire certificate chain (trusted root CA and intermediate CA certificates) to the portal agent configuration.
- (Optional) Deploy additional CA certificates for purposes other than GlobalProtect (for example, SSL forward proxy decryption).This option enables you to use the portal to deploy certificates to the endpoint and the agent to install them in the local root certificate store. This can be useful if you do not have another method for distributing these server certificates or prefer to use the portal for certificate distribution.For SSL forward proxy decryption, you specify the forward trust certificate that the firewall uses (on Windows and macOS endpoints only) to terminate the HTTPS connection, inspect the traffic for policy compliance, and re-establish the HTTPS connection to forward the encrypted traffic.
- Add the certificate as described in the previous step.
- Enable the option toInstall in Local Root Certificate Store.The portal automatically sends the certificate when the user logs in to the portal and installs it in the endpoint's local store, thus eliminating the need for you to install the certificate manually.
- Add an agent configuration.The agent configuration specifies the GlobalProtect configuration settings to deploy to the connecting apps. You must define at least one agent configuration. You can add up to 512 agent configuration entries for each portal.
- From your portal configuration (),NetworkGlobalProtectPortals<portal-config>Adda new agent configuration.
- Enter aNameto identify the configuration. If you plan on creating multiple configurations, make sure the name you define for each configuration is descriptive enough to distinguish them.
- (Optional) Configure settings to specify how users with this configuration authenticate with the portal.If the gateway authenticates endpoints using a client certificate, you must select the source that distributes the certificate.Configure any of the followingAuthenticationsettings:
- To enable users to authenticate with the portal using client certificates, select theClient Certificatesource (SCEP,Local, orNone) that distributes the certificate and its private key to an endpoint. If you use an internal CA to distribute certificates to endpoints, selectNone(default). To enable the portal to generate and send a machine certificate to the app for storage in the local certificate store and use the certificate for portal and gateway authentication, selectSCEPand the associated SCEP profile. These certificates are device-specific and can only be used on the endpoint to which it was issued. To use the same certificate for all endpoints, select a certificate that isLocalto the portal. WithNone, the portal does not push a certificate to the endpoint, but you can use can other ways to get a certificate to the endpoint.
- Specify whether toSave User Credentials. SelectYesto save the username and password (default),Save Username Onlyto save only the username,Only with User Fingerprintto save the user’s biometric (fingerprint) or, on iOS X endpoints only, face ID credentials, orNoto never save credentials.If you configure the portal or gateways to prompt for a dynamic password, such as a one-time password (OTP), the user must enter a new password at each login. In this case, the GlobalProtect app ignores the selection to save both the username and password, if specified, and saves only the username. For more information, see Enable Two-Factor Authentication Using One-Time Passwords (OTPs).If you select GlobalProtect toSave User CredentialsOnly with User Fingerprint, GlobalProtect can leverage the app’s operating system capabilities for validating the user before allowing authentication with GlobalProtect. End users must supply a fingerprint that matches a trusted fingerprint template on the endpoint to use a saved password for authentication to GlobalProtect portal and gateways. On iOS X, GlobalProtect also supports facial recognition with Face ID. GlobalProtect does not store the fingerprint or facial template used for authentication, but relies on the operating system scanning capabilities to determine the validity of a scan match.
- If the GlobalProtect endpoint does not require tunnel connections when it is on the internal network, configure internal host detection.
- SelectInternal.
- EnableInternal Host Detection(IPv4orIPv6).
- Enter theIP Addressof a host that can be reached from the internal network only. The IP address you specify must be compatible with the IP address type (IPv4orIPv6). For example, 172.16.1.0 for IPv4 or 21DA:D3:0:2F3b for IPv6.
- Enter the DNSHostnamefor the IP address you enter. Endpoints that try to connect to GlobalProtect attempt to do a reverse DNS lookup on the specified address. If the lookup fails, the endpoint determines that it is on the external network and then initiates a tunnel connection to a gateway on its list of external gateways.
- (Optional) Enter a source address pool for endpoints. When users connect, GlobalProtect recognizes the source address of the device. Only GlobalProtect apps with IP addresses that are included in the source IP address pool can authenticate with the gateway and send HIP reports.IPv4 subnet must be /30 or larger. Otherwise, a specific IP range must be specified. For example, 192.168.1.0/30 or 192.168.2.6-192.168.2.7
- Set up access to a third-party mobile endpoint management system.This step is required if the mobile endpoints using this configuration will be managed by a third-party mobile endpoint management system. All endpoints initially connect to the portal and, if a third-party mobile endpoint management system is configured on the corresponding portal agent configuration, the endpoint is redirected to it for enrollment.
- Enter the IP address or FQDN of the endpoint check-in interface associated with your mobile endpoint management system. The value you enter here must exactly match the value of the server certificate associated with the endpoint check-in interface. You can specify an IPv6 or IPv4 address.
- Specify theEnrollment Porton which the mobile endpoint management system listens for enrollment requests. This value must match the value set on the mobile endpoint management system (default=443).
- Specify the selection criteria for your portal agent configuration.The portal uses the selection criteria that you specify to determine which configuration to deliver to the GlobalProtect apps that connect. Therefore, if you have multiple configurations, you must make sure to order them properly. As soon as the portal finds a match, it delivers the configuration. Therefore, more specific configurations must precede more general ones. See step 12 for instructions on ordering the list of agent configurations.SelectConfig Selection Criteriaand then configure any of the following options:
- To specify the user, user group, and/or operating system to which this configuration applies, selectUser/User Groupand then configure any of the following options:
- To deliver this configuration to apps running on a specific operating system,Addand select theOS(Android,Chrome,iOS,Linux,Mac,Windows, orWindowsUWP) to which this configuration applies. Set theOStoAnyto deploy the configuration to all operating systems.
- To restrict this configuration to a specific user and/or group,Addand then select theUser/User Groupyou want to receive this configuration. Repeat this step for each user/group you want to add. To restrict the configuration to users who have not yet logged in to their endpoints, selectpre-logonfrom theUser/User Groupdrop-down. To deploy the configuration to any user regardless of login status (both pre-logon and logged in users), selectanyfrom theUser/User Groupdrop-down.Before you can restrict the configuration to specific groups, you must map users to groups as described in Enable Group Mapping.
- To deliver this configuration to apps based on specific device attributes, selectDevice Checksand then configure any of the following options:
- To deliver this configuration based on the presence of the endpoint serial number in the Active Directory or Azure AD, select an option from theMachine account exists with device serial numberdrop-down. If you set this option toYes, the agent configuration applies only to endpoints with a serial number that exists (managed endpoints). If you set this option toNo, the agent configuration applies only to endpoints for which a serial number does not exist (unmanaged endpoints). If you set this option toNone, the configuration is not delivered to apps based on the presence of the endpoint serial number.
- To deliver this configuration based on the endpoint’s machine certificate, select aCertificate Profileto match against the machine certificate installed on the endpoint.
Device checks are supported on Windows and Mac operating systems. - To deliver this configuration to apps based on custom host information, selectCustom Checks. EnableCustom Checksand then define any of the following registry and plist data:
- To verify whether Windows endpoints have a specific registry key, use the following steps:
- Adda new registry key ().Custom ChecksRegistry Key
- When prompted, enter theRegistry Keyto match.
- (Optional) To deliver this configuration only if the endpoint does not have the specified registry key or key value, selectKey does not exist or match the specified value data.
- (Optional) To deliver this configuration based on specific registry values,AddtheRegistry Valueand correspondingValue Data. To deliver this configuration only endpoints that do not have the specifiedRegistry ValueorValue Data, selectNegate.
- To verify whether macOS endpoints have a specific entry in the plist, use the following steps:
- Adda new plist ().Custom ChecksPlist
- When prompted, enter thePlistname.
- (Optional) To deliver this configuration only if the endpoint does not have the specified plist, selectPlist does not exist.
- (Optional) To deliver this configuration based on specific key-value pairs within the plist, clickAddand then enter theKeyand correspondingValue. To match only endpoints that do not have the specified key or value, selectNegate.
- Specify the external gateways to which users with this configuration can connect.Consider the following best practices when you configure the gateways:
- If you are adding both internal and external gateways to the same configuration, make sure you enableInternal Host Detection(step 4).
- To learn more about how the GlobalProtect app determines the gateway to which it should connect, see Gateway Priority in a Multiple Gateway Configuration.
- SelectExternal.
- AddtheExternal Gatewaysto which users can connect.
- Enter a descriptiveNamefor the gateway. The name you enter here should match the name you defined when you configured the gateway and should be descriptive enough for users to know the location of the gateway to which they are connected.
- Enter the FQDN or IP address of the interface where the gateway is configured in theAddressfield. You can configure an IPv4 or IPv6 address. The address you specify must exactly match the Common Name (CN) in the gateway server certificate.
- Addone or moreSource Regionsfor the gateway, or selectAnyto make the gateway available to all regions. When users connect, GlobalProtect recognizes the region and only allows users to connect to gateways that are configured for that region. For gateway selection, source region is considered first, then gateway priority.
- Set thePriorityof the gateway by clicking the field and selecting one of the following values:
- If you have only one external gateway, you can leave the value set toHighest(the default).
- If you have multiple external gateways, you can modify the priority values (ranging fromHighesttoLowest) to indicate a preference for the specific user group to which this configuration applies. For example, if you prefer that the user group connects to a local gateway you would set the priority higher than that of more geographically distant gateways. The priority value is then used to weight the agent’s gateway selection algorithm.
- If you do not want apps to automatically establish connections with the gateway, selectManual only. This setting is useful in testing environments.
- Select theManualcheck box to allow users to manually switch to the gateway.
- Specify the internal gateways to which users with this configuration can connect.Make sure you do not use on-demand as the connect method if your configuration includes internal gateways.
- SelectInternal.
- AddtheInternal Gatewaysto which users can connect.
- Enter a descriptiveNamefor the gateway. The name you enter here should match the name you defined when you configured the gateway and should be descriptive enough for users to know the location of the gateway they are connected to.
- Enter the FQDN or IP address of the interface where the gateway is configured in theAddressfield. You can configure an IPv4 or IPv6 address. The address you specify must exactly match the Common Name (CN) in the gateway server certificate.
- (Optional)Addone or moreSource Addressesto the gateway configuration. The source address can be an IP subnet, range, or predefined address. GlobalProtect supports both IPv6 and IPv4 addresses. When users connect, GlobalProtect recognizes the source address of the endpoint and only allows users to connect to gateways that are configured for that address.
- ClickOKto save your changes.
- (Optional)AddaDHCP Option 43 Codeto the gateway configuration. You can include one or more sub-option codes associated with the vendor-specific information (Option 43) that the DHCP server has been configured to offer the client. For example, you might have a sub-option code 100 that is associated with an IP address of 192.168.3.1.When a user connects, the GlobalProtect portal sends the list of option codes in the portal configuration to the GlobalProtect app, and the app selects gateways indicated by these options.When both the source address and DHCP options are configured, the list of available gateways presented to the endpoint is based on the combination (union) of the two configurations.DHCP options are supported on Windows and macOS endpoints only. DHCP options cannot be used to select gateways that use IPv6 addressing.
- (Optional) SelectInternal Host Detectionto allow the GlobalProtect app to determine if it is inside the enterprise network. When a user attempts to log in, the app performs a reverse DNS lookup of the internalHostnameto the specifiedIP Address.The host serves as a reference point that is reachable if the endpoint is inside the enterprise network. If the app finds the host, the endpoint is inside the network and the app connects to an internal gateway; if the app fails to find the internal host, the endpoint is outside the network and the app connects to one of the external gateways.You can configureIPv4orIPv6addressing forInternal Host Detection. The IP address you specify must be compatible with the IP address type. For example, 172.16.1.0 for IPv4 or 21DA:D3:0:2F3b for IPv6.
- Customize the GlobalProtect app behavior for users with this configuration.Modify theAppsettings as desired. For more details about each option, see Customize the GlobalProtect App.
- (Optional) Define any custom host information profile (HIP) data that you want the app to collect and/or exclude from collection.This step applies only if you plan on using the HIP feature, there is information you want to collect that cannot be collected using the standard HIP objects, or if there is HIP information that you are not interested in collecting. See Host Information for details on setting up and using the HIP feature.See Collect Application and Process Data From Endpoints for additional information on collecting custom HIP data.
- SelectHIP Data Collection.
- Enable the GlobalProtect app toCollect HIP Data.
- Specify theMax Wait Time (sec)that the app should search for HIP data before submitting the available data (range is 10-60 seconds; default is 20 seconds).
- Select theCertificate Profilethat the GlobalProtect portal uses to match the machine certificate send by the GlobalProtect app.
- SelectExclude Categoriesto exclude specific categories and/or vendors, applications, or versions within a category. For more details, see Configure HIP-Based Policy Enforcement.
- SelectCustom Checksto define any custom data you want to collect from hosts running this agent configuration.
- Save the agent configuration.ClickOKto save the agent configuration.
- Arrange the agent configurations so that the proper configuration is deployed to each app.When an app connects, the portal compares the source information in the packet against the agent configurations you have defined. As with security rule evaluation, the portal looks for a match starting from the top of the list. When it finds a match, it delivers the corresponding configuration to the app.
- To move an agent configuration up on the list of configurations, select the configuration and clickMove Up.
- To move an agent configuration down on the list of configurations, select the configuration and clickMove Down.
- Save the portal configuration.
- ClickOKto save the portal configuration.
- Committhe changes.