Configure the GlobalProtect Cloud Service for Remote Networks
For each remote network that you want to secure using the GlobalProtect cloud service for remote networks, you must use the following workflow to push the required policy configuration to the cloud service and onboard each remote network so that you can start sending traffic from the remote site through the IPSec tunnel to the firewalls in the cloud.
Before you begin onboarding your remote networks, be sure you go through the steps to plan the GlobalProtect cloud service for remote networks.
If you need to onboard many remote network locations, onboard a remote network using this workflow and then import the remote network configuration.
To configure a DNS proxy for remote networks, enable the service infrastructure, select the Internal Domain List tab, and Add the Domain Names, Primary DNS, and Secondary DNS servers that the cloud service can use to resolve your internal domain names.
- Select Panorama > Cloud Services > Configuration > Remote Networks and edit the settings by clicking the gear icon in the Settings area.
- In the Templates section, Add any templates that contain configuration you want to push to the GlobalProtect cloud service for remote networks. For example, if you have existing templates that contain your zone configurations, or IPSec tunnel, IKE Gateway, or crypto profile settings, you can add them to the predefined Remote_Network_Template_Stack to simplify the onboarding process. You can Add more than one template to the stack and then order them using Move Up and Move Down. Order matters because Panorama evaluates the templates in the stack from top to bottom: a setting in a template higher in the stack takes priority over the same setting in a template lower in the stack. You cannot move the default template from the top of the stack.
- Select the Parent Device Group for the GlobalProtect cloud service for remote networks. You can select an existing device group or use Shared. All of the configuration that the GlobalProtect cloud service for remote networks needs to enforce consistent policy for your remote network users (the security policy, security profiles, other policy objects such as application groups and objects and address groups, HIP objects and profiles, and authentication policy) is pushed using the device group hierarchy you specify here. You do not need to define all of that policy yet. Configure the settings needed to onboard the remote site first; you can then return to add the templates and device groups with the complete configuration and push consistent policy out to your remote networks.
- If you will be configuring remote networks that have overlapping subnets, select the Overlapped Subnets check box to enable outbound internet access for those locations. Configuring remote network locations with overlapping subnets is not recommended because of its limitations, but it is acceptable in some cases (for example, when you add a guest network at a retail store location).
- Create new zones in one of the templates in the stack (Network > Zones > Add) or map the zones referenced in the existing templates you added to the stack as trusted or untrusted. On Panorama, policy rules are defined in device groups and zones are defined in templates, so make sure that the templates that define the zones referenced by your policy rules are in the template stack. On a Palo Alto Networks® next-generation firewall, security policy is enforced between zones, which map to physical or virtual interfaces on the firewall. The GlobalProtect cloud service for remote networks has only two zones, trust and untrust, so you must map any zone carrying traffic bound for the Internet (including your sanctioned SaaS applications) as untrust and all internal zones as trust.
- (Optional) Edit the zone mapping settings. By default, all of the zones in the GlobalProtect cloud service for remote networks template stack are classified as Untrusted Zones. If you have not yet defined zones, or if the templates in the Remote_Network_Template_Stack do not contain zone configurations, you can come back and add them when you push policy to the GlobalProtect cloud service for remote networks.
- For each zone you want to designate as trusted, select it and click Add to move it to the list of Trusted Zones.
- Click OK to save the mappings.
- Click Add in the Onboarding settings, and specify a Name to identify the infrastructure that will secure the remote network location you are onboarding. You cannot change the name of a remote network location after you enter it, so settle on a naming scheme for your remote networks before you begin onboarding.
- Select the Bandwidth you want to allocate to this remote network location. Each location draws from the total bandwidth you have licensed, and the allocations cannot exceed that total. To determine how much bandwidth a specific site needs, consider the bandwidth available from your ISP at that location. See How To Calculate Remote Network Bandwidth for details and suggestions.
- Select the Region in which the GlobalProtect cloud service will deploy the infrastructure required to secure your remote network location. Choose a region geographically close to the remote network location. GlobalProtect cloud service supports the following regions:
- Asia Pacific (Mumbai)
- Asia Pacific (Seoul)
- Asia Pacific (Singapore)
- Asia Pacific (Sydney)
- Asia Pacific (Tokyo)
- Canada (Montreal)
- EU (Frankfurt)
- EU (Ireland)
- EU (London)
- EU (Paris)
- South America (Sao Paulo)
- US East (N. Virginia)
- US East (Ohio)
- US West (N. California)
- US West (Oregon)
- Select or add a new IPSec Tunnel configuration to access the firewall, router, or SD-WAN device at the corporate location:
- If you have added a template to the Remote_Network_Template_Stack (or modified the predefined Remote_Network_Template) that includes an IPSec Tunnel configuration, select that IPSec Tunnel from the drop-down. The tunnel you create for each remote network connection connects the GlobalProtect cloud service to the IPSec-capable device at that branch location, so the peer addresses in the IKE Gateway configuration must be unique for each tunnel. You can, however, reuse other common configuration elements, such as crypto profiles. The IPSec Tunnel you select from a template must use Auto Key exchange and IPv4 only.
- To create a new IPSec Tunnel configuration,
click New IPSec Tunnel, give it a Name and
configure the IKE Gateway, IPSec Crypto Profile, and Tunnel Monitoring settings.
- If the IPSec-capable device at your branch location uses policy-based VPN, on the Proxy IDs tab, Add a proxy ID that matches the settings configured on your local IPSec device to ensure that the GlobalProtect cloud service can successfully establish an IPSec tunnel with your local device.
- Leave Enable Replay Protection selected so that replayed IPSec packets are detected and discarded.
- Select Copy TOS Header to copy the Type of Service (TOS) header from the inner IP header to the outer IP header of the encapsulated packets in order to preserve the original TOS information.
- To enable tunnel monitoring for this remote network connection, select Tunnel Monitor. To find the destination IP address to use for tunnel monitoring from your branch location to the GlobalProtect cloud service, select Panorama > Cloud Services > Status > Network Details, click the Service Infrastructure radio button, and find the Tunnel Monitor IP Address.
- Enter a Destination IP address. Specify an IP address at your branch location to which the GlobalProtect cloud service can send ICMP ping requests for IPSec tunnel monitoring. Make sure that this address is reachable by ICMP from the entire GlobalProtect cloud service infrastructure subnet; if the branch device filters ICMP from that subnet, the monitor will report the tunnel as down even though it is passing traffic.
- If you use tunnel monitoring with a peer device that uses multiple proxy IDs, specify a Proxy ID or add a New Proxy ID that allows access from the infrastructure subnet to your branch location. The following figure shows a proxy ID with the service infrastructure subnet (172.16.55.0/24 in this example) as the Local IP subnet and the branch location's subnet (10.1.1.0/24 in this example) as the Remote subnet. The next figure shows this proxy ID applied to the tunnel monitor configuration by specifying it in the Proxy ID field.
- If required, enable Quality of Service for the remote network connection and specify a QoS profile or add a New QoS Profile. You can create QoS profiles to shape traffic for remote network and service connections and apply them to traffic marked by PAN-OS security policy, traffic marked by an on-premise device, or both. See Configure Quality of Service in GlobalProtect Cloud Service for details.
- If you have a secondary WAN link at this location, select Enable Secondary WAN and then select or configure an IPSec Tunnel the same way you did earlier.
If you use static routes, tunnel failover takes less than 15 seconds from the time of detection, depending on your WAN provider.
If you configure BGP routing and have enabled tunnel monitoring, the tunnel monitor provides the shortest detection time for a failing security parameter index (SPI): it removes all routes to a peer when it detects a tunnel failure for 15 consecutive seconds, so the tunnel monitor determines the behavior of the BGP routes. If you do not configure tunnel monitoring, the BGP hold timer determines how long the tunnel is down before the route is removed. The GlobalProtect cloud service uses the default BGP HoldTime of 90 seconds defined in RFC 4271, which is the maximum time the service waits before removing a route for an inactive SPI. If the peer BGP device is configured with a shorter hold time, the negotiated hold timer uses the lower value.
When the secondary tunnel is successfully installed, the secondary route takes precedence until the primary tunnel comes back up. If the primary and secondary tunnels are both up, the primary route takes priority.
- Commit the configuration changes to Panorama and push the configuration out to the GlobalProtect cloud service for remote networks:
- Click Commit > Commit to Panorama.
- Click Commit > Commit and Push. Click Edit Selections > GlobalProtect Cloud Service, and select both GlobalProtect cloud service for remote networks and GlobalProtect cloud service for service setup to push the configuration out to the service.
- Click OK and Push.
- Configure the IPSec-capable device at the remote network location to set up an IPSec connection with the GlobalProtect cloud service for remote networks.
- Find the Service IP Address for this remote network connection by selecting Panorama > Cloud Services > Status > Network Details, clicking the Remote Networks radio button, and viewing the Service IP Address field. The GlobalProtect cloud service for remote networks infrastructure assigns this IP address to your cloud firewall; configure it as the peer IP address on the branch device to set up the IPSec tunnel between the remote network location and the GlobalProtect cloud service for remote networks.
- Check the Local IP address for the device at the remote network location on the Panorama > Cloud Services > Status > Network Details > Remote Networks page. If you are performing NAT at the remote network location, the Local IP address shows the post-NAT IP address of the device.
- To secure traffic at the remote network location, you must create security policy rules.
- Select Policies.
- Select the Device Group in which to add policy rules. You can select the Remote_Network_Device_Group or the parent device group that you selected for defining policies to secure the remote network location.
- Create security policy rules. Do not define security policy rules that allow traffic from any zone to any zone; in the rules, use the zones that you defined in your template. If a user on your network is denied access to a website, report website access issues before you open a ticket with Palo Alto Networks.
- Enable logging to the Cortex Data Lake. You must create
and attach a log forwarding profile to each policy rule for which
you want to forward logs.
- Select Objects > Log Forwarding.
- Select the Device Group in which you added the policy rules, for example, Remote_Network_Device_Group.
- Add a Log Forwarding profile. In the log forwarding profile match list, Add each Log Type that you want to forward.
- Select Panorama/Logging Service as the Forward Method to enable the GlobalProtect cloud service to forward the logs to Cortex Data Lake. You can then monitor the logs and generate reports from Panorama. Cortex Data Lake stores the logs without backhauling them to your Panorama at the corporate headquarters, and Panorama queries Cortex Data Lake as needed. The following example enables forwarding of Traffic, Threat Prevention, WildFire Submission, URL Filtering, Data Filtering, and Authentication logs to Cortex Data Lake.
- Select Policies > Security and edit the policy rule. In Actions, select the Log Forwarding profile you created.
- Commit all your changes to Panorama and push the configuration changes to the GlobalProtect cloud service.
- Click Commit > Commit to Panorama.
- Click Commit > Push to Devices and click Edit Selections.
- On the GlobalProtect Cloud Service tab, make sure GlobalProtect cloud service for remote networks is selected and then click OK.
- Click Push.
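The onboarding steps above impose several constraints that are easy to violate once you have more than a handful of sites: the per-location Bandwidth allocations draw from one licensed pool, the Region must be one of the supported regions, IKE peer addresses must be unique per tunnel and IPv4 only, a remote network Name cannot be changed after onboarding, overlapping branch subnets are only acceptable with Overlapped Subnets enabled, and a policy-based branch device's proxy ID must mirror the cloud-side proxy ID (infrastructure subnet local, branch subnet remote). The following Python script is an added example and is not Palo Alto Networks code or part of this page; it checks a planned set of remote networks against those constraints before you onboard them. The site records, peer addresses and the 172.16.55.0/24 infrastructure subnet are constructed for illustration (the page uses that subnet only as an example).

```python
"""Pre-onboarding checks for GlobalProtect cloud service remote networks.

Added example, not Palo Alto Networks code. Every site record below is
constructed for illustration; the infrastructure subnet mirrors the page's
172.16.55.0/24 example and is an assumption, not a value the service assigns.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import combinations
from typing import List, Optional, Tuple

SUPPORTED_REGIONS = {
    "Asia Pacific (Mumbai)", "Asia Pacific (Seoul)", "Asia Pacific (Singapore)",
    "Asia Pacific (Sydney)", "Asia Pacific (Tokyo)", "Canada (Montreal)",
    "EU (Frankfurt)", "EU (Ireland)", "EU (London)", "EU (Paris)",
    "South America (Sao Paulo)", "US East (N. Virginia)", "US East (Ohio)",
    "US West (N. California)", "US West (Oregon)",
}

# Local side of the cloud proxy ID used for tunnel monitoring (assumed value).
SERVICE_INFRA_SUBNET = ip_network("172.16.55.0/24")


@dataclass
class RemoteNetwork:
    name: str                     # fixed after onboarding, so it must be right first time
    bandwidth_mbps: int           # share of the licensed pool allocated to this site
    region: str
    ike_peer: str                 # branch device's (post-NAT) public address
    subnets: List[str]            # branch subnets carried over the tunnel
    # (local, remote) proxy ID as configured on a policy-based branch device
    branch_proxy_id: Optional[Tuple[str, str]] = None
    secondary_ike_peer: Optional[str] = None   # set when Enable Secondary WAN is used


def check_plan(networks: List[RemoteNetwork], licensed_mbps: int,
               overlapped_subnets_enabled: bool = False) -> List[str]:
    """Return human-readable findings; an empty list means the plan is consistent."""
    findings: List[str] = []

    # Allocations across all locations must fit inside the licensed total.
    total = sum(n.bandwidth_mbps for n in networks)
    if total > licensed_mbps:
        findings.append(f"allocated {total} Mbps exceeds the licensed {licensed_mbps} Mbps")

    # Names cannot be changed after onboarding, so collisions must be caught now.
    names = [n.name for n in networks]
    for name in sorted(set(names)):
        if names.count(name) > 1:
            findings.append(f"duplicate remote network name {name!r}; names cannot be changed later")

    seen_peers = set()
    for n in networks:
        if n.region not in SUPPORTED_REGIONS:
            findings.append(f"{n.name}: {n.region!r} is not a supported region")
        for peer in (n.ike_peer, n.secondary_ike_peer):
            if peer is None:
                continue
            ip = ip_address(peer)
            if ip.version != 4:
                findings.append(f"{n.name}: IKE peer {peer} is not IPv4; tunnels are IPv4 only")
            elif ip in seen_peers:
                findings.append(f"{n.name}: IKE peer {peer} is reused; peer addresses must be unique per tunnel")
            seen_peers.add(ip)
        if n.branch_proxy_id is not None:
            # The branch proxy ID must mirror the cloud side: branch subnet as
            # local, infrastructure subnet as remote.
            local, remote = (ip_network(p) for p in n.branch_proxy_id)
            if remote != SERVICE_INFRA_SUBNET or local not in {ip_network(s) for s in n.subnets}:
                findings.append(f"{n.name}: branch proxy ID {n.branch_proxy_id} does not mirror "
                                f"local {SERVICE_INFRA_SUBNET} / remote <branch subnet> on the cloud side")

    # Overlapping subnets across locations are rejected unless Overlapped Subnets is enabled.
    if not overlapped_subnets_enabled:
        for a, b in combinations(networks, 2):
            for sa in a.subnets:
                for sb in b.subnets:
                    if ip_network(sa).overlaps(ip_network(sb)):
                        findings.append(f"{a.name} {sa} overlaps {b.name} {sb}; "
                                        "enable Overlapped Subnets or renumber")
    return findings


def sample_plan() -> List[RemoteNetwork]:
    """Constructed plan with three deliberate mistakes: 120 Mbps against a 100 Mbps
    license, a reused IKE peer, and a guest subnet that overlaps another site."""
    return [
        RemoteNetwork("branch-sfo", 50, "US West (Oregon)", "203.0.113.10",
                      ["10.1.1.0/24"], branch_proxy_id=("10.1.1.0/24", "172.16.55.0/24")),
        RemoteNetwork("branch-nyc", 50, "US East (N. Virginia)", "203.0.113.20",
                      ["10.1.2.0/24"], secondary_ike_peer="198.51.100.20"),
        RemoteNetwork("store-guest", 20, "EU (London)", "203.0.113.10", ["10.1.1.0/24"]),
    ]


if __name__ == "__main__":
    for finding in check_plan(sample_plan(), licensed_mbps=100):
        print("FINDING:", finding)
```

Run it against your own site list before the first Commit and Push; the overlap check is the one to relax (by passing overlapped_subnets_enabled=True) only when you have deliberately selected the Overlapped Subnets check box, since the service otherwise cannot route between sites that share a prefix.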
Verify Remote Network Connection Status
Select Panorama > Cloud Services > Status > Status to verify that the service infrastructure has been successfully deployed.
To display a map that shows the locations of the remote networks in the regions you have selected, select Panorama > Cloud Services > Status > Monitor and click the Remote Networks tab. Hover over a circled region to see the number of remote network tunnels and their status.
Verify Remote Connection BGP Status
If you configured BGP, you can check its status by selecting Panorama > Cloud Services > Status > Network Details > Remote Networks > Show BGP Status.
The BGP Status dialog displays. This table provides you with the following information:
- Peer—Routing information for the BGP peer, including status, total number of routes, configuration, and runtime statistics and counters. The total number of routes displays in the bgpAfiIpv4-unicast Counters area, in the Incoming Total and Outgoing Total fields.
- RIB In—Routing information that has been received from different peers and is stored in the Routing Information Base (RIB).
- RIB Out—Routing information that the GlobalProtect cloud service advertises to its peers through BGP update messages. See How BGP Advertises Mobile User IP Address Pools for an example of this table and for information about how BGP utilizes the IP address pool you create for mobile users.