Select Network > GlobalProtect > Gateways to configure a GlobalProtect gateway. A gateway can provide VPN connections for GlobalProtect agents or apps or for GlobalProtect satellites.
From the GlobalProtect Gateway dialog, Add a new gateway configuration or select an existing gateway configuration to modify it.
What do you want to know? See:
What general settings can I configure for the GlobalProtect gateway? GlobalProtect Gateways General Tab
How do I configure the gateway client authentication? GlobalProtect Gateways Authentication Tab
How do I configure the tunnel and network settings that enable an agent or app to establish a VPN tunnel with the gateway? GlobalProtect Gateways Agent Tab
How do I configure the tunnel and network settings that enable satellites to establish VPN connections with the gateway? GlobalProtect Gateways Satellite Configuration Tab
Looking for more? For detailed, step-by-step instructions on setting up a gateway, refer to Configure GlobalProtect Gateways in the GlobalProtect Administrator’s Guide.
GlobalProtect Gateways General Tab
Select Network > GlobalProtect > Gateways > General to name the gateway and define the interface and IP address to which agents or apps connect. How the gateway authenticates endpoint clients is configured on the GlobalProtect Gateways Authentication Tab.
GlobalProtect Gateway General Setting Description
Name Enter a name for the gateway (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Location For a firewall that is in multiple virtual system mode, the Location is the virtual system (vsys) where the GlobalProtect gateway is available. For a firewall that is not in multi-vsys mode, the Location field does not appear in the GlobalProtect Gateway dialog. After you save the gateway configuration, you cannot change the Location.
Network Settings Area
Interface Select the name of the firewall interface that will serve as the ingress interface for remote endpoints. (These interfaces must already exist.)
IP Address (Optional) Specify the IP address for gateway access.
GlobalProtect Gateways Authentication Tab
Select Network > GlobalProtect > Gateways > Authentication to identify the SSL/TLS service profile and to configure the details of client authentication. You can add multiple client authentication configurations.
GlobalProtect Gateway Authentication Setting Description
SSL/TLS Service Profile Select an SSL/TLS service profile for securing this GlobalProtect gateway. For details about the contents of a service profile, see Device > Certificate Management > SSL/TLS Service Profile.
Client Authentication Area
Name Enter a unique name to identify this configuration.
OS By default, the configuration applies to all clients. You can refine the list of client endpoints by OS (Android, Chrome, iOS, Mac, Windows, or WindowsUWP), by Satellite devices, or by third-party IPSec VPN clients (X-Auth). The OS is the main differentiator between multiple configurations. If you need multiple configurations for one OS, you can further distinguish the configurations by your choice of authentication profile. A best practice is to order the configurations from most specific at the top of the list to most general at the bottom, because the first matching configuration is the one applied.
Authentication Profile Choose an authentication profile or sequence from the drop-down to authenticate access to the gateway. Refer to Device > Authentication Profile.
Authentication Message To help end users know what credentials they should use for logging into this gateway, you can enter a message or keep the default message. The message can have a maximum of 100 characters.
GlobalProtect Gateways Agent Tab
Select Network > GlobalProtect > Gateways > Agent to configure the tunnel settings that enable an agent or app to establish a VPN tunnel with the gateway. This tab also lets you specify VPN timeouts, the DNS and WINS network services pushed to clients, and the HIP notification messages that end users see when they match or do not match a HIP profile attached to a security policy.
Configure Agent settings on the following tabs:
GlobalProtect Gateways Agent Tunnel Settings Tab
Select Network > GlobalProtect > Gateways > Agent > Tunnel Settings to enable tunneling and configure the tunnel parameters.
Tunnel parameters are required if you are setting up an external gateway. If you are configuring an internal gateway, tunnel parameters are optional.
GlobalProtect Gateway Client Tunnel Mode Configuration Setting Description
Tunnel Mode Select Tunnel Mode to enable tunnel mode and then specify the following settings:
Tunnel Interface —Choose a tunnel interface for access to this gateway.
Max User —Specify the maximum number of users that can simultaneously access the gateway for authentication, HIP updates, and GlobalProtect agent and app updates. If the maximum number of users is reached, subsequent users are denied access with a message that indicates the maximum number of users has been reached (the range varies by platform and is displayed when the field is empty; by default there is no limit).
Enable IPSec —Select this option to enable IPSec mode for client traffic, making IPSec the primary method and SSL-VPN the fallback method. The remaining options are not available until IPSec is enabled.
GlobalProtect IPSec Crypto —Select a GlobalProtect IPSec Crypto profile that specifies the authentication and encryption algorithms for the VPN tunnels. The default profile uses AES-128-CBC encryption and SHA1 authentication. For details, see Network > Network Profiles > GlobalProtect IPSec Crypto. If you Enable X-Auth Support, GlobalProtect IPSec Crypto profiles are not applicable.
Enable X-Auth Support —Select this option to enable Extended Authentication (X-Auth) support on the GlobalProtect gateway when IPSec is enabled. With X-Auth support, third-party IPSec VPN clients that support X-Auth (such as the IPSec VPN client on Apple iOS and Android devices and the VPNC client on Linux) can establish a VPN tunnel with the GlobalProtect gateway. The X-Auth option provides remote access from the VPN client to a specific GlobalProtect gateway. Because X-Auth access provides limited GlobalProtect functionality, consider using the GlobalProtect App for simplified access to the full security feature set GlobalProtect provides on iOS and Android devices.
Selecting X-Auth Support activates the Group Name and Group Password options:
If a group name and group password are specified, the first authentication phase requires both parties to use this credential to authenticate. The second phase requires a valid username and password, which is verified through the authentication profile configured in the Authentication section. The group name and password are a single shared credential used by every X-Auth client, so treat them as a secret and rotate them as you would any other shared key.
If no group name and group password are defined, the first authentication phase is based on a valid certificate presented by the third-party VPN client. The certificate is validated through the certificate profile configured in the Authentication section.
Skip Auth on IKE Rekey —By default, the user is not required to re-authenticate when the key used to establish the IPSec tunnel expires. To require the user to re-authenticate, clear this option.
GlobalProtect Gateways Agent Timeout Settings Tab
Select Network > GlobalProtect > Gateways > Agent > Timeout Settings to define how long a gateway login session can last and how long a user session or tunnel connection can remain idle.
GlobalProtect Gateway Client Tunnel Mode Timeout Settings
Specify the following timeout settings:
Login Lifetime —Specify the number of days, hours, or minutes allowed for a single gateway login session.
Inactivity Logout —Specify the number of days, hours, or minutes after which an inactive session is automatically logged out.
Disconnect on Idle —Specify the number of minutes after which a client is logged out of GlobalProtect if the GlobalProtect app has not routed traffic through the VPN tunnel in that time.
GlobalProtect Gateways Agent Client Settings Tab
Select Network > GlobalProtect > Gateways > Agent > Client Settings to configure settings for the virtual network adapter on the client system when an agent establishes a tunnel with the gateway.
Some Client Settings options are available only after you enable tunnel mode and define a tunnel interface on the GlobalProtect Gateways Agent Tunnel Settings Tab.
GlobalProtect Gateway Client Setting or Network Configuration Description
Authentication
Name Enter a name to identify the client settings configuration (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Authentication Override Enable the gateway to use secure, device-specific, encrypted cookies to authenticate the user after the user first authenticates using the authentication scheme specified by the authentication or certificate profile. For its lifetime the cookie stands in for the user's credentials, so a longer lifetime widens the window in which a lost or stolen device can authenticate without a fresh login.
Generate cookie for authentication override —During the lifetime of the cookie, the agent presents this cookie each time the user authenticates with the gateway.
Cookie Lifetime —Specify the hours, days, or weeks that the cookie is valid. The typical lifetime is 24 hours. The ranges are 1–72 hours, 1–365 days, or 1–52 weeks. After the cookie expires, the user must enter login credentials, and the gateway then encrypts a new cookie to send to the user device.
Accept cookie for authentication override —Select this option to configure the gateway to accept authentication using the encrypted cookie. When the agent presents the cookie, the gateway validates that the cookie was encrypted by the gateway before authenticating the user.
Certificate to Encrypt/Decrypt Cookie —Select the certificate the gateway uses to encrypt and decrypt the cookie. Ensure that the gateway and portal both use the same certificate to encrypt and decrypt cookies.
User/User Group tab Specify the user or user group and client operating system to which this agent configuration applies.
User/User Group Add a specific user or user group to which this configuration applies. You must configure group mapping (Device > User Identification > Group Mapping Settings) before you can select users and groups. You can also create configurations that are deployed to agents or apps in pre-logon mode (before the user logs in to the endpoint) or configurations to deploy to any user.
OS To deploy configurations based on the operating system running on the endpoint, Add an OS (Android, Chrome, iOS, Mac, Windows, or WindowsUWP). Alternatively, you can leave this value set to Any so that configuration deployment is based only on the user or user group and not on the operating system of the endpoint.
Network Settings tab
Retrieve Framed-IP-Address attribute from authentication server Select this option to enable the GlobalProtect gateway to assign fixed IP addresses by using an external authentication server. When this option is enabled, the GlobalProtect gateway allocates IP addresses to connecting devices by using the Framed-IP-Address attribute returned by the authentication server.
Authentication Server IP Pool Add a subnet or range of IP addresses to assign to remote users. When the tunnel is established, the GlobalProtect gateway allocates the IP address in this range to connecting devices using the Framed-IP-Address attribute from the authentication server. You can enable and configure Authentication Server IP Pool only if you enable Retrieve Framed-IP-Address attribute from authentication server. The authentication server IP pool must be large enough to support all concurrent connections. IP address assignment is fixed and is retained after the user disconnects. Configure multiple ranges from different subnets to allow the system to offer clients an IP address that does not conflict with other interfaces on the client. The servers and routers in the networks must route the traffic for this IP pool to the firewall. For example, for the 192.168.0.0/16 network, a remote user can receive the address 192.168.0.10.
IP Pool Add a range of IP addresses to assign to remote users. When the tunnel is established, an interface is created on the remote user’s computer with an address in this range. To avoid conflicts, the IP pool must be large enough to support all concurrent connections. The gateway maintains an index of clients and IP addresses so that the client automatically receives the same IP address the next time it connects. Configuring multiple ranges from different subnets allows the system to offer clients an IP address that does not conflict with other interfaces on the client. The servers and routers in the networks must route the traffic for this IP pool to the firewall. For example, for the 192.168.0.0/16 network, a remote user may be assigned the address 192.168.0.10.
No direct access to local network Select this option to disable split tunneling, including direct access to local networks on Windows and Mac OS endpoints. This function prevents a user from sending traffic to proxies or local resources, such as a home printer. When the tunnel is established, all traffic is routed through the tunnel and is subject to policy enforcement by the firewall.
Access Route Add routes that the gateway pushes to remote users’ endpoints; these routes determine what the endpoint can send through the VPN connection. For example, you can set up split tunneling to allow remote users to access the Internet without going through the VPN tunnel. If you don’t add a route, every request is routed through the tunnel (no split tunneling). In this case, each Internet request passes through the firewall and then out to the network. This method can prevent an external party from reaching the user’s endpoint and using it as a bridge into the internal network.
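The following Python model is an added illustration (not Palo Alto Networks code) of the split-tunneling rules described under Network Settings: with no access routes everything is tunneled, with access routes only matching prefixes are tunneled, and the endpoint's local network is reachable directly unless No direct access to local network is set, in which case that traffic is forced through the tunnel. The endpoint's local subnet is something the gateway never sees, so it is supplied here as a constructed sample value, and the audit function encodes the bridge concern stated above as a review finding.

```python
"""Model of which endpoint destinations a GlobalProtect client sends through the tunnel.

Added illustration, not Palo Alto Networks code. The endpoint's local subnet
and all sample prefixes are constructed values.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ClientNetworkSettings:
    access_routes: list[str] = field(default_factory=list)    # routes the gateway pushes
    no_direct_access_to_local_network: bool = False          # the Client Settings option
    local_subnets: list[str] = field(default_factory=list)   # constructed: endpoint's own LAN(s)


def route_for(dest: str, cfg: ClientNetworkSettings) -> str:
    """Return 'tunnel' or 'local' for one destination address."""
    ip = ipaddress.ip_address(dest)
    if any(ip in ipaddress.ip_network(n) for n in cfg.local_subnets):
        # Local LAN bypasses the tunnel unless the option forces it through.
        return "tunnel" if cfg.no_direct_access_to_local_network else "local"
    if not cfg.access_routes:
        return "tunnel"                     # no access routes: no split tunneling
    if any(ip in ipaddress.ip_network(r) for r in cfg.access_routes):
        return "tunnel"                     # destination matches a pushed route
    return "local"                          # split tunneling: leaves via the local path


def audit(cfg: ClientNetworkSettings) -> list[str]:
    """Findings a reviewer would raise about a client settings configuration."""
    findings = []
    if cfg.access_routes and not cfg.no_direct_access_to_local_network:
        findings.append("split tunneling with direct local network access: "
                        "the endpoint can bridge its local network and the VPN")
    for r in cfg.access_routes:
        route = ipaddress.ip_network(r)
        for n in cfg.local_subnets:
            lan = ipaddress.ip_network(n)
            if route.version == lan.version and route.overlaps(lan):
                findings.append(f"access route {r} overlaps endpoint subnet {n}: "
                                "the pushed route and the local route conflict")
    return findings


# Constructed sample configurations.
FULL_TUNNEL = ClientNetworkSettings(local_subnets=["192.168.1.0/24"])
SPLIT_TUNNEL = ClientNetworkSettings(access_routes=["10.0.0.0/8", "172.16.0.0/12"],
                                     local_subnets=["192.168.1.0/24"])
SPLIT_NO_LOCAL = ClientNetworkSettings(access_routes=["10.0.0.0/8"],
                                       no_direct_access_to_local_network=True,
                                       local_subnets=["192.168.1.0/24"])

if __name__ == "__main__":
    samples = [("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL), ("split-no-local", SPLIT_NO_LOCAL)]
    for name, cfg in samples:
        for dest in ["10.1.2.3", "192.168.1.20", "203.0.113.10"]:
            print(f"{name:15} {dest:15} -> {route_for(dest, cfg)}")
        for finding in audit(cfg):
            print(f"{name:15} FINDING: {finding}")
```

Run it to see that only the full-tunnel and "no direct access" configurations send local LAN and Internet traffic where the firewall can enforce policy; the plain split-tunnel configuration is the one flagged as a potential bridge.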
GlobalProtect Gateways Agent Network Services Tab
Select Network > GlobalProtect > Gateways > Agent > Network Services to configure the DNS settings that are assigned to the virtual network adapter on the client system when an agent establishes a tunnel with the gateway.
Network Services options are available only if you have enabled tunnel mode and defined a tunnel interface on the GlobalProtect Gateways Agent Tunnel Settings Tab.
GlobalProtect Gateway Client Network Services Configuration Setting Description
Inheritance Source Select a source to propagate DNS server and other settings from the selected DHCP client or PPPoE client interface into the GlobalProtect agents' or apps’ configuration. With this setting, all client network configurations, such as DNS servers and WINS servers, are inherited from the configuration of the interface selected in the Inheritance Source.
Check inheritance source status Click this link to see the server settings that are currently assigned to the client interfaces from the selected Inheritance Source.
Primary DNS Secondary DNS Enter the IP addresses of the primary and secondary servers that provide DNS to the clients.
Primary WINS Secondary WINS Enter the IP addresses of the primary and secondary servers that provide Windows Internet Naming Service (WINS) to the clients.
DNS Suffix Add a suffix that the client should use locally when an unqualified hostname is entered that it cannot resolve. You can enter multiple suffixes by separating them with commas.
Inherit DNS Suffixes Select this option to inherit the DNS suffixes from the inheritance source.
GlobalProtect Gateways Agent HIP Notification Tab
Select Network > GlobalProtect > Gateways > Agent > HIP Notification to define the notification messages that end users see when a security rule with a host information profile (HIP) is enforced.
These options are available only if you created HIP Profiles and added them to your security policies.
GlobalProtect Client HIP Notification Configuration Setting Description
HIP Notification Add HIP Notifications and configure the options. You can Enable notifications for the Match Message, the Not Match Message, or both and then specify whether to Show Notification As a System Tray Balloon or a Pop Up Message. Then specify the message to display on match or on no match. Use these settings to notify the end user about the state of the machine, such as a warning that the host system does not have a required application installed. For the Match Message, you can also enable the option to Include Mobile App List to indicate which applications triggered the HIP match. You can format HIP notification messages in rich HTML, which allows you to include links to external web sites and resources. Click the hyperlink icon in the rich text settings toolbar to add links.
GlobalProtect Gateways Satellite Configuration Tab
A satellite is a Palo Alto Networks firewall, typically at a branch office, that acts as a GlobalProtect agent so that it can establish VPN connectivity to a GlobalProtect gateway. Select Network > GlobalProtect > Gateways > Satellite Configuration to define the tunnel and network settings that enable satellites to establish VPN connections with the gateway. You can also control which routes advertised by the satellites the gateway accepts.
The following table describes the GlobalProtect gateway satellite configuration settings.
GlobalProtect Gateway Satellite Configuration Setting Description
GlobalProtect Gateways Satellite Tunnel Settings tab
Tunnel Configuration Select Tunnel Configuration and select an existing Tunnel Interface, or select New Tunnel Interface from the drop-down. See Network > Interfaces > Tunnel for more information.
Replay attack detection —Protect against replay attacks.
Copy TOS —Copy the Type of Service (ToS) header from the inner IP header to the outer IP header of the encapsulated packets to preserve the original ToS information.
Configuration refresh interval (hours) —Specify how often satellites should check the portal for configuration updates (range is 1-48; default is 2).
Tunnel Monitoring Select Tunnel Monitoring to enable the satellites to monitor gateway tunnel connections, allowing them to fail over to a backup gateway if the connection fails.
Destination IP —Specify an IP address that the tunnel monitor uses to determine whether there is connectivity to the gateway (for example, an IP address on the network protected by the gateway). Alternatively, if you configured an IP address for the tunnel interface, you can leave this field blank and the tunnel monitor instead uses the tunnel interface to determine whether the connection is active.
Tunnel Monitor Profile —Failover to another gateway is the only type of tunnel monitoring profile supported with LSVPN.
Crypto Profiles Select an IPSec Crypto Profile or create a new one. A crypto profile determines the protocols and algorithms for identification, authentication, and encryption for the VPN tunnels. Because both tunnel endpoints in an LSVPN are trusted firewalls within your organization, you typically use the default profile, which uses the ESP protocol, DH group 2, AES-128-CBC encryption, and SHA-1 authentication. Note that DH group 2 (1024-bit MODP) and SHA-1 are legacy choices; where your satellites support it, select a profile with stronger key exchange and authentication algorithms. See Network > Network Profiles > GlobalProtect IPSec Crypto for more details.
GlobalProtect Gateways Satellite Network Settings tab
Inheritance Source Select a source to propagate DNS server and other settings from the selected DHCP client or PPPoE client interface into the GlobalProtect satellite configuration. With this setting, all network configuration, such as DNS servers, are inherited from the configuration of the interface selected in the Inheritance Source.
Primary DNS Secondary DNS Enter the IP addresses of the primary and secondary servers that provide DNS to the satellites.
DNS Suffix Click Add to enter a suffix that the satellite should use locally when an unqualified hostname is entered that it cannot resolve. You can enter multiple suffixes by separating them with commas.
Inherit DNS Suffix Select this option to send the DNS suffix to the satellites to use locally when an unqualified hostname is entered that it cannot resolve.
IP Pool Add a range of IP addresses to assign to the tunnel interface on satellites upon establishment of the VPN tunnel. The IP pool must be large enough to support all concurrent connections. IP address assignment is dynamic and not retained after the satellite disconnects. Configuring multiple ranges from different subnets will allow the system to offer satellites an IP address that does not conflict with other interfaces on the satellites. The servers and routers in the networks must route the traffic for this IP pool to the firewall. For example, for the 192.168.0.0/16 network, a satellite can be assigned the address 192.168.0.10. If you are using dynamic routing, make sure that the IP address pool you designate for satellites does not overlap with the IP addresses you manually assigned to the tunnel interfaces on your gateways and satellites.
Access Route Click Add and then enter routes as follows: If you want to route all traffic from the satellites through the tunnel, leave this field blank. To route only some traffic through the gateway (called split tunneling), specify the destination subnets that must be tunneled. In this case, the satellite routes traffic that is not destined for a specified access route by using its own routing table. For example, you can choose to tunnel only the traffic destined for your corporate network and use the local satellite to enable safe Internet access. If you want to enable routing between satellites, enter the summary route for the network protected by each satellite.
GlobalProtect Gateways Satellite Route Filter tab
Enable Accept published routes to accept routes advertised by the satellites into the gateway’s routing table. If you do not select this option, the gateway does not accept any routes advertised by the satellites. If you want to be more restrictive about the routes the gateway accepts, Add Permitted subnets and define the subnets from which the gateway may accept routes; subnets advertised by the satellites that are not within the list are filtered out. For example, if all the satellites are configured with a 192.168.x.0/24 subnet on the LAN side, you can configure a permitted subnet of 192.168.0.0/16 on the gateway. The gateway then accepts routes from a satellite only if they fall within 192.168.0.0/16. Without a permitted subnet list, the gateway installs whatever a satellite advertises, so a misconfigured or compromised branch firewall could inject routes for networks it does not own; define permitted subnets whenever you accept published routes.
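The following Python example is added here and is not Palo Alto Networks code. It mirrors two checks from the Satellite Configuration tab: the Route Filter rule (a published route is installed only when Accept published routes is enabled and, if Permitted subnets are defined, the route lies inside one of them) and the Network Settings caveat that the satellite IP Pool must not overlap addresses assigned by hand to tunnel interfaces. The pool entry syntax (a CIDR or a dash-separated range) and every prefix below are constructed sample values.

```python
"""Satellite route filter and IP pool overlap checks for an LSVPN gateway.

Added illustration, not Palo Alto Networks code. All prefixes, ranges and
addresses are constructed sample values.
"""
import ipaddress


def _pool_networks(entry: str):
    """Expand a pool entry written as a CIDR ('10.1.0.0/24') or a range ('10.1.0.1-10.1.0.50')."""
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(entry, strict=False)]


def accepted_routes(published, accept_published=True, permitted=()):
    """Return the routes advertised by a satellite that the gateway would install.

    accept_published off  -> nothing is installed
    no permitted subnets  -> every advertised route is installed
    permitted subnets     -> only routes fully inside a permitted subnet are installed
    """
    if not accept_published:
        return []
    allowed = [ipaddress.ip_network(p) for p in permitted]
    kept = []
    for r in published:
        route = ipaddress.ip_network(r)
        if not allowed or any(route.version == a.version and route.subnet_of(a) for a in allowed):
            kept.append(str(route))
    return kept


def pool_conflicts(pool_entries, static_tunnel_addresses):
    """Pairs (pool entry, static address) where a hand-assigned tunnel address sits inside the pool."""
    conflicts = []
    for entry in pool_entries:
        nets = _pool_networks(entry)
        for addr in static_tunnel_addresses:
            ip = ipaddress.ip_interface(addr).ip
            if any(ip in n for n in nets):
                conflicts.append((entry, addr))
    return conflicts


# Constructed sample: branch satellites own 192.168.x.0/24; one advertises too much.
PUBLISHED = ["192.168.1.0/24", "192.168.2.0/24", "192.168.0.0/15", "0.0.0.0/0", "10.50.0.0/16"]
PERMITTED = ["192.168.0.0/16"]
POOL = ["10.200.0.1-10.200.0.100", "10.201.0.0/24"]
STATIC_TUNNEL_IPS = ["10.200.0.10/32", "10.202.0.1/32"]

if __name__ == "__main__":
    print("filtered:", accepted_routes(PUBLISHED, True, PERMITTED))
    print("unfiltered:", accepted_routes(PUBLISHED, True))
    print("pool conflicts:", pool_conflicts(POOL, STATIC_TUNNEL_IPS))
```

With the permitted subnet in place the 192.168.0.0/15 supernet, the default route and 10.50.0.0/16 are all dropped; without it, every one of them would land in the gateway's routing table. The pool check reports the tunnel address 10.200.0.10 that collides with the first pool range.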