Plan the Service Infrastructure and Service Connections

Plan the Service Infrastructure

To Enable the Service Infrastructure in the cloud for your remote network locations and mobile users, you must provide a subnet that does not overlap with other IP addresses you use internally. The GlobalProtect cloud service will use the IP addresses within this subnet to establish a network infrastructure between your remote network locations and mobile users, and service connections to your headquarters and/or data center (if applicable). This will enable the GlobalProtect cloud service to determine the service routes for services such as LDAP, DNS, or SCEP, as well as enable other inter-service communication. Because a large number of IP addresses will be required to set up the infrastructure, you must use a /24 subnet (for example, 172.16.55.0/24). This subnetwork will be an extension to your existing network and therefore cannot overlap with any IP subnets you use within your corporate network, or with the IP address pools you assign for the GlobalProtect cloud service for mobile users.
Use the following recommendations and requirements when adding an infrastructure subnet:
  • We recommend using an RFC 1918-compliant subnet. While the use of non-RFC 1918-compliant (public) IP addresses is supported, we do not recommend it because of possible conflicts with internet public IP address space.
  • Do not specify any subnets that overlap with the 100.64.0.0/15 and 169.254.0.0/16 subnet ranges because the GlobalProtect cloud service reserves those subnets for its internal use.
  • The subnet you specify cannot overlap with any subnets you use in your corporate network, or with the IP address pools you plan to assign to mobile users of the GlobalProtect cloud service.
  • Because the service infrastructure can be very large, you must designate a /24 subnetwork.
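The planning rules above reduce to a handful of mechanical checks (prefix length, overlap with the reserved ranges, overlap with corporate subnets and mobile user pools, RFC 1918 membership). The following is an added example, not code from the GlobalProtect cloud service or its documentation, that applies those checks to a candidate subnet and, going slightly beyond the text, scans a block for the first /24 that passes. The function names and all sample subnets are constructed for illustration.

```python
from ipaddress import IPv4Network, ip_network

# Ranges the planning rules say the cloud service reserves for internal use.
RESERVED = [ip_network("100.64.0.0/15"), ip_network("169.254.0.0/16")]

# RFC 1918 private address space (recommended, not required).
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


def check_infrastructure_subnet(candidate, corporate_subnets, mobile_user_pools):
    """Return (errors, warnings) for a proposed infrastructure subnet.

    Errors are hard requirements from the planning rules; warnings are
    recommendations.  All inputs are CIDR strings (IPv4).
    """
    errors, warnings = [], []
    # strict=False lets a host address such as 172.16.55.5/24 be normalised
    # to its network, 172.16.55.0/24.
    net = ip_network(candidate, strict=False)
    if not isinstance(net, IPv4Network):
        return [f"{net} is not an IPv4 subnet"], warnings

    # Rule: the infrastructure subnet must be exactly a /24.
    if net.prefixlen != 24:
        errors.append(f"{net} is a /{net.prefixlen}; a /24 is required")

    # Rule: must not overlap the ranges reserved for internal use.
    for reserved in RESERVED:
        if net.overlaps(reserved):
            errors.append(f"{net} overlaps reserved range {reserved}")

    # Rule: must not overlap corporate subnets or mobile user IP pools.
    for label, pools in (("corporate subnet", corporate_subnets),
                         ("mobile user IP pool", mobile_user_pools)):
        for cidr in pools:
            other = ip_network(cidr, strict=False)
            if net.overlaps(other):
                errors.append(f"{net} overlaps {label} {other}")

    # Recommendation: stay inside RFC 1918 space.
    if not any(net.subnet_of(private) for private in RFC1918):
        warnings.append(f"{net} is not RFC 1918 space and may conflict "
                        "with public internet address space")

    return errors, warnings


def find_free_slash24(search_block, corporate_subnets, mobile_user_pools):
    """Return the first /24 inside search_block with no errors, or None.

    Goes beyond the page's checklist: it enumerates every /24 in the block
    and returns the first one that passes check_infrastructure_subnet.
    """
    block = ip_network(search_block)
    if block.prefixlen > 24:
        return None
    for cand in block.subnets(new_prefix=24):
        errors, _ = check_infrastructure_subnet(str(cand), corporate_subnets,
                                                mobile_user_pools)
        if not errors:
            return str(cand)
    return None


if __name__ == "__main__":
    # Constructed sample address plan (not from any real deployment).
    corporate = ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/20"]
    mobile_pools = ["172.16.200.0/22"]
    for cand in ("172.16.55.0/24", "100.64.3.0/24",
                 "172.16.200.0/23", "203.0.113.0/24"):
        errs, warns = check_infrastructure_subnet(cand, corporate, mobile_pools)
        print(cand, "errors:", errs, "warnings:", warns)
    print("first free /24 in 172.16.0.0/16:",
          find_free_slash24("172.16.0.0/16", corporate, mobile_pools))
```

Errors and warnings are kept separate on purpose: a public (non-RFC 1918) subnet is supported and only warned about, whereas a wrong prefix length or an overlap with the reserved, corporate or mobile-user ranges is a hard failure that should block the change.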

Plan the Service Connections

We recommend always creating a service connection, because it enables the GlobalProtect cloud service to do the following:
  • A service connection allows access to the resources in your HQ or data center.
    For example, if your security policy requires user authentication using an on-premises authentication service, such as your Active Directory, you will need to enable the GlobalProtect cloud service to access the corporate location where the service resides (and set up a service account that the service can use to access it). Similarly, if you have corporate resources that your remote networks and mobile users will need to access, you must enable the GlobalProtect cloud service to access the corresponding corporate network.
  • A service connection allows remote networks and mobile users to communicate with each other.
    Even if you don’t need access to your HQ or data center, you might still need to allow your mobile users to access your remote network locations. In this case, you can create a service connection with placeholder values. This is required because, while all remote network connections are fully meshed, mobile users connect to remote networks through the service connection in a hub-and-spoke topology. For the same reason, you might also create a service connection with placeholder values if your existing service connection is not in an ideal geographical location.
Your GlobalProtect cloud service license includes the option to establish service connections to up to 100 of your headquarters and/or data center sites. The first three service connections are included with no license cost; each connection after the third uses 300 Mbps from your licensed remote networks bandwidth pool. GlobalProtect cloud service does not limit the bandwidth over these connections.
For this use case, before you begin to Set Up Access to Your Corporate Network, gather the following information for each of your HQ/data center sites that you want the cloud service to be able to connect to:
This checklist is only required if you are setting up a service connection to access resources in your HQ or data center. If you are only creating a service connection to allow mobile users access to remote network locations, you do not need this information.
  • IPSec-capable firewall, router, or SD-WAN device connection.
  • IPSec settings for terminating the primary VPN tunnel from the GlobalProtect cloud service to the IPSec-capable device on your corporate network.
  • IPSec settings for terminating the secondary VPN tunnel from the GlobalProtect cloud service to the IPSec-capable device on your corporate network.
    If you have an existing template that contains IPSec tunnel, Tunnel Monitoring, and IPSec Crypto Profile configurations, you can add that template to the template stack to simplify the process of creating the IPSec tunnels. Or, you can edit the Service_Conn_Template that gets created automatically and create the IPSec configurations required to build the IPSec tunnel back to the corporate site. GlobalProtect cloud service also provides a set of predefined IPSec templates for some commonly used network devices, and a generic template for any device that is not covered by the predefined templates.
  • List of IP subnetworks at the site.
  • List of internal domains that the cloud service will need to be able to resolve.
  • IP address of a node at your network’s site to which the GlobalProtect cloud service can send ICMP ping requests for IPSec tunnel monitoring.
    Make sure that this address is reachable by ICMP from the entire GlobalProtect cloud service infrastructure subnet.
  • Service account for your authentication service, if required for access.
  • Network reachability settings for the service infrastructure subnet.
    We recommend that you make the entire service infrastructure subnet reachable from the HQ or data center site. The GlobalProtect cloud service sources all control plane traffic, including tunnel monitoring, LDAP, and User-ID, from IP addresses in this subnet.
Traffic over the service connections does not count towards the remote network bandwidth pool that you purchased and GlobalProtect cloud service does not limit the bandwidth over this connection.