Plan the GlobalProtect Cloud Service for Remote Networks
The GlobalProtect cloud service for remote networks allows you to pick the geographic locations where you want to deploy a firewall in the cloud-based security infrastructure to secure your remote network locations.
Before you begin to Configure the GlobalProtect Cloud Service for Remote Networks, make sure you have the following configuration items ready to ensure that you will be able to successfully enable the service and enforce policy for users in your remote network locations:
- Service Connection—If your remote network locations require access to infrastructure in your corporate headquarters to authenticate users or to enable access to critical network assets, you must Set Up Access to Your Corporate Network so that headquarters and the remote network locations are connected. If the remote network location is autonomous and does not need access to infrastructure at other locations, you do not need to set up the service connection (unless your mobile users need access).
- Template—The GlobalProtect cloud service automatically creates a template stack (Remote_Network_Template_Stack) and a top-level template (Remote_Network_Template) for the GlobalProtect cloud service for remote networks. To Configure the GlobalProtect Cloud Service for Remote Networks, you will either need to configure the top-level template from scratch or leverage your existing configuration, if you are already running a Palo Alto Networks firewall on premises. The template requires the settings to establish the IPSec tunnel and Internet Key Exchange (IKE) configuration for protocol negotiation between your remote network location and the GlobalProtect cloud service for remote networks, zones that you can reference in security policy, and a log forwarding profile so that you can forward logs from the GlobalProtect cloud service for remote networks to Cortex Data Lake.
- Parent Device Group—The GlobalProtect cloud service for remote networks requires you to specify a parent device group that will include your security policy, security profiles, and other policy objects (such as application groups and objects, and address groups), as well as authentication policy so that the GlobalProtect cloud service for remote networks can consistently enforce policy for traffic that is routed through the IPSec tunnel to the GlobalProtect cloud service for remote networks. You will need to either define policy rules and objects on Panorama or use an existing device group to secure users in the remote network location. If you use an existing device group that references zones, make sure to add the corresponding template that defines the zones to the Remote_Network_Template_Stack. Doing so will allow you to complete the zone mapping when you Configure the GlobalProtect Cloud Service for Remote Networks.
- IP Subnets—In order for the GlobalProtect cloud service to route traffic to your remote networks, you must provide routing information for the subnetworks that you want to secure using the GlobalProtect cloud service. You can do this in several ways. You can either define a static route to each subnetwork at the remote network location, or configure BGP between your service connection locations and the GlobalProtect cloud service, or use a combination of both methods. If you configure both static routes and enable BGP, the static routes take precedence. While it might be convenient to use static routes if you have just a few subnetworks at your remote network locations, in a large deployment with many remote networks with overlapping subnets, BGP will enable you to scale more easily. While we do not recommend deploying Remote Network Locations with Overlapping Subnets, it is an allowed configuration with some routing restrictions as long as the overlapping subnets are in different regions.
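The IP Subnets item above states two planning rules: static routes win over BGP, and overlapping subnets are acceptable only when the locations sit in different regions. The following pre-onboarding check is an added example written here, not code from the Palo Alto Networks documentation; the site names, regions and prefixes are constructed, and it models "static takes precedence" as a static route suppressing any BGP prefix equal to or more specific than it (an assumption about the behavior, used only for planning).

```python
import ipaddress
from itertools import combinations

# Constructed sample plan (illustrative only): each remote network location,
# the region it will be onboarded to, and the subnets it will announce via
# static routes and/or BGP.
REMOTE_NETWORKS = [
    {"name": "branch-nyc", "region": "us-east",
     "static": ["10.10.0.0/24"], "bgp": ["10.10.0.0/24", "10.11.0.0/24"]},
    {"name": "branch-bos", "region": "us-east",
     "static": [], "bgp": ["10.11.0.0/24"]},
    {"name": "branch-ams", "region": "europe-west",
     "static": ["10.10.0.0/24"], "bgp": []},
]


def effective_routes(site):
    """Merge static and BGP prefixes for one site. A BGP prefix that is equal
    to or contained in a static route is dropped (static takes precedence)."""
    static = [ipaddress.ip_network(p) for p in site["static"]]
    bgp = [ipaddress.ip_network(p) for p in site["bgp"]]
    routes = {str(s): "static" for s in static}
    for p in bgp:
        if not any(p.subnet_of(s) for s in static):
            routes.setdefault(str(p), "bgp")
    return routes


def find_overlaps(sites):
    """Return (site_a, site_b, prefix_a, prefix_b, same_region) for every pair
    of effective prefixes from different sites that overlap."""
    findings = []
    for a, b in combinations(sites, 2):
        for pa in effective_routes(a):
            for pb in effective_routes(b):
                if ipaddress.ip_network(pa).overlaps(ipaddress.ip_network(pb)):
                    findings.append((a["name"], b["name"], pa, pb,
                                     a["region"] == b["region"]))
    return findings


def plan_check(sites):
    """Split overlaps into same-region problems (must be fixed before
    onboarding) and cross-region overlaps (allowed, with routing limits)."""
    overlaps = find_overlaps(sites)
    return [f for f in overlaps if f[4]], [f for f in overlaps if not f[4]]


if __name__ == "__main__":
    problems, allowed = plan_check(REMOTE_NETWORKS)
    for f in problems:
        print("FIX: %s/%s overlap %s vs %s in the same region" % f[:4])
    for f in allowed:
        print("NOTE: %s/%s overlap %s vs %s across regions" % f[:4])
```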