Next-Generation Firewall
Cheat Sheet: GlobalProtect for Cloud Management for NGFWs
Table of Contents
Cheat Sheet: GlobalProtect for Cloud Management of NGFWs
Enable your cloud-managed NGFWs to work as GlobalProtect portals and gateways, to
provide flexible, secure remote access to users everywhere.
Where Can I Use
This? | What Do I Need? |
|---|---|
|
|
GlobalProtect with cloud-managed NGFWs offers a comprehensive infrastructure for
securing your mobile workforce. You can use
Strata Cloud Manager
to centrally
manage GlobalProtect and your cloud-managed NGFWs. Enable your cloud-managed NGFWs
as GlobalProtect gateways and portals, to provide flexible, secure remote access to
users everywhere. This infrastructure includes the following components:- GlobalProtect portal—The GlobalProtect portal provides the management functions for your GlobalProtect infrastructure. Every endpoint that participates in the GlobalProtect network receives configuration information from the portal, including information about available gateways as well as any client certificates that are required to connect to one or more GlobalProtect gateways. You can set up access to the GlobalProtect portal on an interface on the cloud-managed NGFWs.
- GlobalProtect gateways—The GlobalProtect gateways provide security enforcement for traffic originating from GlobalProtect applications. You can configure the NGFWs as external gateways by referencing the NGFWs' GlobalProtect gateway IP addresses, eliminating manual configuration and reducing the risk of configuration errors.
Get Started
To configure cloud-managed NGFWs to function as
GlobalProtect portals and gateways, follow these steps:
- Ensure you have completed the following prerequisites:
- Created interfaces and zones for each firewall hosting a portal and/or a gateway. For gateways that require tunnel connections, configure both the physical and virtual tunnel interfaces.
- Set up the portal server certificate, gateway server certificate, SSL/TLS service profile, and optionally deploy any client certificates to enable SSL/TLS connections for GlobalProtect services.
- Created the authentication profiles and certificate profiles that the portals and gateways can utilize to authenticate GlobalProtect users.
- Established a fully qualified domain name (FQDN) alias for the interface where you plan to configure the gateway. For example, paloaltonetworks.com. Utilizing FQDN simplifies management as DNS resolves to the IP addresses automatically, eliminating the need for manual updates when IP addresses change.
- Select .
- Choose the Configuration Scope where you want to configure cloud-managed NGFWs to work as GlobalProtect.SelectGlobalto apply configuration settings across all your NGFWs. Alternatively, you can choose a specific folder or firewall from yourFoldersor aSnippetto apply configuration to a group of objects associated with a folder.For example, you might create a folder named California and put 60 firewalls in it and then create another folder named Hawaii and put 15 firewalls in that. You then create a snippet called CA-HI and apply it to the California and Hawaii folders. When you want to import configuration settings only to firewalls in California, you set the scope as Folder and select the California folder. If you want to import the configuration settings to both California and Hawaii, set the scope as Snippet and select the CA-HI snippet.
- Define the GlobalProtect Agent Settings.Customize theAgent App Settings.Explore all GlobalProtect agent app settings available to you.
- Select .
![]()
- Enter aNamefor the agent app setting.
- Define theMatch Criteriato specify the users, devices, or systems that should receive the settings.
![]()
- Specify the external gateways to which users with this configuration can connect. You can configure the firewall gateways as external gateways only; not as internal gateways.
- AddtheExternal Gatewayto which users can connect.
- Enter a descriptiveNamefor the gateway. Ensure that the name matches the one defined during the gateway configuration to provide clarity for users regarding the gateway's location.
- Select either theFQDNorIPaddress of the interface where the gateway is configured.
- ForIPaddress, choose theDeviceandGatewayconfigured on that device, along with theIPv4address of the interface, instead of manually entering them.
![]()
- Addone or more source regions for the gateway, or selectAnyto make the gateway available to all regions. GlobalProtect recognizes the region when users connect and restricts access to gateways configured for that region. The source region is considered first for gateway selection, followed by gateway priority.
- Set thePriorityof the gateway by clicking the field and selecting one of the following values:
- If you have only one external gateway, leave the value set toHighest(the default).
- If you have multiple external gateways, adjust the priority values (ranging from Highest to Lowest) to indicate a preference for the specific user group. For example, if you prefer that the user group connects to a local gateway, set the priority higher than that of more geographically distant gateways.
- If you prefer applications not to automatically establish connections with the gateway, selectManual only. This setting is useful in testing environments.
- SelectManualto allow users to manually switch to the gateway.
- Saveyour changes.
![]()
Customize theAgent Tunnel Settings.Customize the settings for the VPN tunnel the GlobalProtect establishes to connect to the firewall. Explore all GlobalProtect agent tunnel settings available to you.- Select .
![]()
- Enter aNameand define theMatch Criteriato specify the users, devices, or systems that should receive the settings. For example, you could indicate that a tunnel settings rule applies to all instances of the GlobalProtect app in a specific region.
- Exclude Trafficto not send video streaming traffic from the listed applications to the firewall. Specify traffic to exclude from firewall policy inspection and enforcement based on application, domain, and route.
![]()
- Define how the GlobalProtect portals and gateways authenticate users usingProfiles.
![]()
ConfigureGP Authentication Profiles.Explore all GlobalProtect agent tunnel settings available to you.- Select . You can configure the GlobalProtect portal to authenticate users through a local user database or an external authentication service, such as LDAP, Kerberos, TACACS+, SAML, RADIUS (including OTP), or Cloud Identity Engine (CIE).
![]()
- Enter aNameto identify the client authentication configuration.
- Specify the endpoints to which you want to deploy this configuration. To apply this configuration to all endpoints, accept the defaultOSofAny.
- To enable users to authenticate to the portal or gateway using their user credentials, select or add anAuthentication Profile.
![]()
ConfigurePortal Agent Profiles.- Select
![]()
- Enter a portal agent profileName.
- Select the agent app setting you created in step 3 andSavethe portal agent profile.
![]()
ConfigureGateway Agent Profiles. - Attach the profiles created to the GlobalProtectPortals and Gateways.Attach the authentication profile to a portal.
- Select .
![]()
- Namethe portal.
- Specify the network settings such as interface and IP address type to enable the GlobalProtect app to communicate with the portal.
- Specify how the portal authenticates users by adding the SSL/TLS Service Profile and certificate profile that you configured for the portal.
- Savethe portal configuration.
![]()
Attach the authentication profile to a gateway.- Select .
- Namethe gateway.
- Specify the network settings such as interface and IP address type that enables endpoints to connect to the gateway.
- Specify how the gateway authenticates users by adding the SSL/TLS Service Profile and certificate profile that you configured for the gateway.
- Savethe gateway configuration.
![]()
- to push configuration changes to your NGFWs.
