GlobalProtect Cloud Service with On-Premise Gateways
GlobalProtect cloud service enables you to extend the Palo Alto Networks security platform out to your remote network locations and your mobile users without having to build out your own global security infrastructure and expand your operational capacity. If you have already deployed GlobalProtect gateways in regions where you have the infrastructure to manage them, you can leverage this investment by configuring the GlobalProtect cloud service to direct mobile users to your existing external gateways when appropriate.
You can Manage Priorities for GlobalProtect Cloud Service and On-Premise Gateways, which allows you to specify priorities for on-premise and GlobalProtect cloud service gateways. Administrators cannot direct mobile users to connect to a specific GlobalProtect cloud service gateway; however, administrators can Allow Mobile Users to Manually Select Specific GlobalProtect Cloud Gateways using the GlobalProtect app.
You cannot use your own portal with the GlobalProtect cloud service. You can only use the portal that is deployed when your GlobalProtect cloud service for mobile users is provisioned.
To configure one of these hybrid GlobalProtect cloud service deployments, you must edit the GlobalProtect_Portal configuration within the Mobile_User_Template to add your on-premise gateways to the appropriate regions:
- Edit the GlobalProtect cloud service portal configuration.
  - To add an existing gateway to the list of available gateways, select Network > GlobalProtect > Portals.
  - Select Mobile_User_Template from the Template drop-down.
  - Select GlobalProtect_Portal to edit the GlobalProtect cloud service portal configuration.
- Add your on-premise gateway to the list of gateways in the agent configuration.
  - Select the Agent tab and select the DEFAULT agent configuration or Add a new one.
  - Select the External tab and Add your on-premise gateway.
    If you add a new agent configuration and you want to add the GlobalProtect cloud service gateways to the list of external gateways in that configuration, you must set the Name to GP cloud service and the Address to gpcloudservice.com. You must enter these values exactly as shown, and you cannot use either of these values for non-cloud gateways.
  - Enter the Name of the gateway and specify either the FQDN or IP address of the gateway in the Address field; this value must exactly match the common name (CN) in the gateway certificate.
  - (Optional) If you want mobile users to connect to the gateway only when they are in the corresponding region, Add the Source Region to restrict the gateway to. For example, if you have a gateway in France, you would select FR (France). If you have a gateway in Sweden, you would select SE (Sweden).
    One benefit of this is that users will then be able to access a gateway that enables access to internet resources in their own language.
  - Configure other agent settings as necessary to complete the agent configuration.
  - Click OK to save the portal configuration.
- Commit all your changes to Panorama and push the configuration changes to the GlobalProtect cloud service.
  - Click Commit > Commit to Panorama.
  - Click Commit > Push to Devices and click Edit Selections.
  - On the GlobalProtect cloud service tab, make sure GlobalProtect cloud service for mobile users is selected and then click OK.
  - Click Push.
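The naming rules in the procedure above (the reserved cloud Name and Address pair, and the Address-to-certificate-CN match for on-premise gateways) can be checked before you commit. The following is an added example, not Palo Alto Networks code: the dict layout, gateway names, and addresses are assumptions constructed for illustration and do not represent a Panorama export format.

```python
# Added example: lint an agent configuration's external gateway list against
# the naming rules stated in the procedure above. The dict layout is an
# assumption for illustration; it is not a PAN-OS or Panorama export format.

CLOUD_NAME = "GP cloud service"        # reserved values, as given on this page
CLOUD_ADDRESS = "gpcloudservice.com"


def _near(value, reserved):
    """True when value equals reserved only after ignoring case and padding."""
    return value != reserved and value.strip().lower() == reserved.lower()


def lint_external_gateways(gateways, cert_cn_by_name):
    """Return (gateway name, problem) tuples; an empty list means no findings.

    gateways: list of {"name": str, "address": str}
    cert_cn_by_name: gateway name -> common name (CN) read from its certificate
    """
    findings = []
    for gw in gateways:
        name, addr = gw["name"], gw["address"]
        if name == CLOUD_NAME and addr == CLOUD_ADDRESS:
            continue  # well-formed cloud service entry
        if name == CLOUD_NAME or addr == CLOUD_ADDRESS:
            findings.append((name, "reserved cloud value used on a non-cloud entry"))
            continue
        if _near(name, CLOUD_NAME) or _near(addr, CLOUD_ADDRESS):
            findings.append((name, "cloud value not entered exactly as shown"))
            continue
        cn = cert_cn_by_name.get(name)
        if cn is None:
            findings.append((name, "no certificate CN supplied to compare"))
        elif addr != cn:  # exact string comparison, per "must exactly match"
            findings.append((name, f"address {addr!r} does not match CN {cn!r}"))
    return findings


# Constructed sample data (hypothetical gateway names and addresses).
SAMPLE_GATEWAYS = [
    {"name": "GP cloud service", "address": "gpcloudservice.com"},
    {"name": "paris-gw", "address": "gw-fr.example.com"},
    {"name": "stockholm-gw", "address": "198.51.100.20"},
    {"name": "GP Cloud Service", "address": "gpcloudservice.com"},
]
SAMPLE_CERT_CNS = {"paris-gw": "gw-fr.example.com", "stockholm-gw": "gw-se.example.com"}

if __name__ == "__main__":
    for name, problem in lint_external_gateways(SAMPLE_GATEWAYS, SAMPLE_CERT_CNS):
        print(f"{name}: {problem}")
```

In the sample, the Stockholm entry is flagged because its Address is an IP while the certificate CN is an FQDN, and the last entry is flagged because the reserved address is paired with a Name that differs in case from the required value.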