Onboarding Workflow for Prisma Access GlobalProtect Deployments

1. Go to ConfigurationOnboardingOnboard Users.
2. In the Onboard Users area, Configure GlobalProtect agent-based access.

   You might not see the same choices in your Prisma Access deployment; the choices you see in the UI depend on the licenses you have. For example, if you don't have a site-based remote network license, you don't see a choice to onboard branch sites.

3. In the Agent-Based Access area, Enable GlobalProtect Mobile users.

4. Specify authentication for your mobile users.

   You can use either the Cloud Identity Engine or local authentication.

   • To use the Cloud Identity Engine for authentication:
     1. Select Cloud Identity Engine and, if you have already created an authentication profile, enter it.

     2. If you have not created a profile:
        1. Add New.
           To use the Cloud Identity Engine with an identity provider (IdP) vendor, configure a cloud-based directory in the Cloud Identity Engine before starting this procedure.

        2. Configure IdP for SAML authentication by selecting an Identity Provider Vendor for SAML 2.0.

     3. Download the Metadata file.
     4. Set up an IdP profile.
        You can either upload a metadata file you downloaded (Upload Metadata) or a URL (Enter URL).
        The Identity Provider ID, Identity Provider Certificate, Identity Provider SSO URL, and HTTP Binding for SSO Request to Identity Provider fields populate using the metadata file or URL you provided. If you see any issues with the information in these fields, correct it on the IdP vendor site and upload the metadata again.
        Test SAML setup to verify the SAML IdP configuration with Prisma Access.

     5. Select the Username Attribute for the Cloud Identity Engine to use for authentication and Confirm your changes.
        Select the username attribute that uses the Name (/identity/claims/name) format. If you don’t select the correct username attribute, user authentication for projects isn’t successful. For more information, refer to the Microsoft documentation.

     6. Enter a CIE Authentication Profile Name for the profile you created and Finish the setup.

   • To use local authentication, select Prisma Access Authentication.
     Prisma Access creates a local profile for you and you can add local users and groups to the profile. Confirm your changes when complete.
5. Set up portal information, access mode, and the infrastructure subnet to use.

   For local access mode, you can specify to use agent-based mobile user access only (Tunnel Mode), or using agent-based access with Explicit Proxy in either Proxy Mode or Tunnel and Proxy Mode.

   1. Select a Portal Name Type.

      • Default Domain—Your portal hostname uses the default domain name: <portal-hostname>.gpcloudservice.com. Enter a Portal Hostname to append to the default domain name. Prisma Access for Users will automatically create the necessary certificates and publish the hostname to public DNS servers.
      • Custom Domain—Customize the portal address if you want to change the domain in the portal hostname (for example, mycompanyportal.mycompanydomain.com).
   2. Enter the Portal Hostname.

   3. Select the Agent Mode for Prisma Access.

      • Tunnel Mode—Secure traffic with a tunnel from the users' endpoint devices to Prisma Access. This mode does not require setting up Explicit Proxy.
        The following modes require that you set up Explicit Proxy as well as an agent:
      • Proxy Mode—Use this mode if you want to use tunnel mode as a proxy service. This mode is useful if you have an existing (legacy) proxy architecture or have a requirement to maintain your proxy architecture for regulatory or compliance reasons. To use this mode, you also set up Explicit Proxy.
      • Tunnel and Proxy Mode—Use this mode to send internet-bound traffic to the internet-based rules defined in a PAC file. The remaining traffic uses split tunneling rules and logic defined in the PAC file to determine which traffic to send through the tunnel and which traffic can bypass the tunnel. To use this mode, you also set up an Explicit Proxy.
        If you select Proxy Mode or Tunnel and Proxy Mode, configure these additional options:
        • Select the locations to use with Explicit Proxy (Prisma Access Locations for Proxy), as well as the locations to use with agent-based access (Prisma Access Locations for Tunnel).
          Explicit Proxy locations are a subset of agent-based access locations.
        • If authentication traffic is used in Explicit Proxy, specify the Authentication Domains that are used in the authentication traffic flow. Explicit Proxy requires decryption to authenticate users.

        • Enter the PAC file to use with Explicit Proxy.
          Prisma Access provides you with a default PAC file. Edit the existing PAC file or create a new PAC file to use with Explicit Proxy.
          You can also use Forwarding Profiles with Explicit Proxy.

   4. If your license includes remote networks or service connections, Show Advanced Options and enter an Infrastructure Subnet and BGP AS.

      Prisma Access uses the infrastructure subnet to create the network backbone for communication between your branch sites, mobile users and the Prisma Access security infrastructure, as well as with the HQ and data center networks you plan to connect to Prisma Access over service connections.

      Prisma Access provides you with a default Infrastructure Subnet of 192.168.255.0/24. If you want to create a custom infrastructure subnet:

      Note: In addition to this Infrastructure Subnet, Prisma Access provides you a default Client IP Pool of 100.127.0.0/16. Prisma Access assigns an IP address from this pool to each GlobalProtect-connected device. We recommend that the number of IP addresses in this pool is 2 times the number of mobile user devices that will connect to Prisma Access. If you want to modify this subnet, you can do so after you complete the onboarding workflow.

      • Use an RFC 1918-compliant subnet. While the use of non-RFC 1918-compliant (public) IP addresses is supported, we don't recommend it because of possible conflicts with the internet public IP address space.
      • Don’t specify any subnets that overlap with the 169.254.0.0/16 and 100.64.0.0/10 subnet range because Prisma Access reserves those IP addresses and subnets for its internal use.
      • This subnetwork is an extension to your existing network and therefore, can’t overlap with any IP subnets that you use within your corporate network or with the IP address pools that you assign for Prisma Access for users or Prisma Access for networks.
      • Because the service infrastructure requires a large number of IP addresses, you must designate a /24 subnetwork (for example, 172.16.55.0/24).

      For the BGP AS, enter an RFC 6996-compliant BGP AS number. This number identifies the routes through which BGP can send traffic. If you don’t supply an AS number, Prisma Access uses the default AS number (65534).

      The BGP Private AS number is the autonomous system (AS)

   5. Select the Prisma Access Locations for Tunnel.

      Prisma Access provides multiple locations within each region to ensure that your users connect to a location that provides a user experience tailored to the users’ locale. You can also select the specific locations within each selected region where your users will need access. By limiting your deployment to a single region, you have more granular control over your deployed regions and exclude regions required by your policy or industry regulations.

   6. Go to the Next setup screen.
6. (Optional) Enter DNS settings.

   If you have already added an infrastructure subnet or DNS information as part of another Prisma Access onboarding, skip this step and go to the Next screen.

   • (Optional) If you have a DNS server that can access your internal domains, enter Internal DNS Server information to have your internal resources use an alternative DNS server.
     • Specify the Primary DNS and, optionally, Secondary DNS server IP addresses.
     • If you want your internal DNS server to only resolve the domains you specify, enter the domains to resolve in the Domain Name. You can specify an asterisk in front of the domain; for example, *.acme.local or *.acme.com. Prisma Access uses the DNS servers you have specified to resolve the domains you add here.

   • Go to the Next step when complete.
7. Configure Security Policy rules for your agent-based access Prisma Access deployment.

   To simplify the onboarding process, Prisma Access provides you with predefined internet access and decryption policy rules based on best practices. You can quickly set up IPSec tunnels using defaults suitable for the most common IPSec-capable devices and enable SSL decryption for recommended URL categories.

   There are also predefined, best practice settings for decryption bypass, Advanced Threat Protection, and Vulnerability Protection. You can modify these settings as required.

8. Finalize your configuration.

   1. Push Config to push your configuration changes to Prisma Access.

   2. Select the GlobalProtect version to use.

      Use the recommended version displayed in the web interface, or select the GlobalProtect version to use based on your company's policy.

   3. Deploy the GlobalProtect app to end users.

      You can use a mobile device management (MDM) system, or have your users download and install the agent.