GlobalProtect Cloud Service

As your business expands, with new remote network locations opening around the globe and mobile users roaming the world, it can be challenging to ensure that your business remains connected and always secure. GlobalProtect cloud service, a cloud-based security infrastructure service, simplifies the process of scaling your Palo Alto Networks® next-generation security platform so that you can extend the same best-in-breed security to your remote network locations and your mobile users without having to build out your own global security infrastructure and expand your operational capacity. With the GlobalProtect cloud service, Palo Alto Networks automatically deploys next-generation firewalls and GlobalProtect portals and gateways in the locations where you need them.
With the GlobalProtect cloud service, Palo Alto Networks deploys and manages the security infrastructure globally to secure your remote networks and mobile users. The GlobalProtect cloud service consists of five components:
  • Cloud Services Plugin—Panorama plugin that enables both the GlobalProtect cloud service and Cortex Data Lake.
    This plugin provides a simple and familiar interface for configuring and viewing the status of GlobalProtect cloud service. You can also create Panorama templates and device groups, or leverage the templates and device groups you may have already created, to push configurations and quickly enforce consistent security policy across all locations.
  • Service Infrastructure—GlobalProtect cloud service uses an internal service infrastructure to secure your organization’s network. You supply a subnet for the infrastructure, and GlobalProtect cloud service uses the IP addresses within this subnet to establish a network infrastructure between your remote network locations and mobile users, and service connections to your internal network resources (if applicable). Internal communication within the cloud is established using dynamic routing.
  • Mobile Users—You select locations in the GlobalProtect cloud service that function as cloud-based GlobalProtect gateways to secure your mobile users. To configure this service, you designate one or more IP address pools to allow the service to assign IP addresses for the client VPN tunnels.
  • Service Connections—Your GlobalProtect cloud service license includes the option to establish IPSec tunnels to allow communication between internal resources in your network and mobile users and users in your remote network locations. You could, for example, create a service connection to an authentication server in your organization’s HQ or data center.
    Even if you don’t require a service connection, we recommend that you create one with placeholder values to allow network communication between mobile users and remote network locations and between mobile users in different geographical locations.
  • Remote Networks—Use remote networks to secure remote network locations, such as branches, and users in those branches with cloud-based next-generation firewalls. You can enable access to the subnetworks at each remote network location using either static routes, dynamic routing using BGP, or a combination of static and dynamic routes. All remote network locations that you onboard are fully meshed.
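The components above each take address ranges from you: the infrastructure subnet, the mobile user IP address pools, and the subnetworks behind each remote network location. As an added example (not from this page or from Palo Alto Networks), the following Python check runs over a constructed address plan and assumes the usual planning requirement that none of these ranges may overlap one another; it reports every overlapping pair so the plan can be fixed before onboarding.

```python
import ipaddress

# Constructed sample address plan; the values are illustrative, not from the page.
# "branch-b" deliberately reuses part of a "branch-a" subnet to show a finding.
PLAN = {
    "infrastructure": ["172.16.0.0/24"],
    "mobile_user_pools": ["10.100.0.0/16"],
    "remote_networks": {
        "branch-a": ["192.168.10.0/24", "192.168.11.0/24"],
        "branch-b": ["192.168.10.128/25"],
    },
}


def flatten(plan):
    """Return (label, ip_network) pairs for every range in the plan.

    strict=True makes ipaddress reject prefixes with host bits set
    (e.g. 10.100.0.1/16), which usually indicates a typo in the plan.
    """
    items = []
    for net in plan["infrastructure"]:
        items.append(("infrastructure", ipaddress.ip_network(net, strict=True)))
    for net in plan["mobile_user_pools"]:
        items.append(("mobile-user-pool", ipaddress.ip_network(net, strict=True)))
    for site, nets in plan["remote_networks"].items():
        for net in nets:
            items.append((f"remote:{site}", ipaddress.ip_network(net, strict=True)))
    return items


def find_overlaps(plan):
    """Return a list of (label_a, net_a, label_b, net_b) for every overlapping pair."""
    items = flatten(plan)
    overlaps = []
    for i in range(len(items)):
        for j in range(i + 1, len(items)):
            (label_a, net_a), (label_b, net_b) = items[i], items[j]
            if net_a.overlaps(net_b):
                overlaps.append((label_a, str(net_a), label_b, str(net_b)))
    return overlaps


if __name__ == "__main__":
    for label_a, net_a, label_b, net_b in find_overlaps(PLAN):
        print(f"OVERLAP: {label_a} {net_a} <-> {label_b} {net_b}")
```

An empty result means the plan is free of overlaps; the check says nothing about whether the ranges are also reachable from your internal network through a service connection.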
GlobalProtect cloud service forwards all logs to Cortex Data Lake. You can view the logs, ACC, and reports from Panorama for an aggregated view into your remote network and mobile user traffic. To enable logging for GlobalProtect cloud service, you must purchase a Cortex Data Lake license. Log traffic does not use the licensed bandwidth you purchased for GlobalProtect cloud service.