Prisma Access Internal Gateway
Learn how to set up the Prisma Access internal gateway and its requirements.
Previously, to generate IP user mappings and HIP reports for hosts running GlobalProtect client software in Prisma Access remote networks, you had to deploy an on-premises NGFW as an internal gateway. That solution isn't cloud-native. With the Prisma Access cloud-native internal gateway, you can avoid on-premises internal gateways: the Prisma Access internal gateway generates the IP user mappings and HIPs locally in the remote networks, and the remote networks consume those IP user mappings and HIPs from the local database for posture checks instead of learning them from other firewalls.

Note that you cannot deploy an internal gateway when a remote site has multiple IPsec tunnels to different remote network sites (for example, an active/active tunnel) or is a high-bandwidth site. The following diagram shows an example of a supported environment for an internal gateway deployment.

The following diagram provides examples of deployments where internal gateways are not supported.
Before you set up the Prisma Access internal gateway, onboard your mobile users.

Prisma Access Internal Gateway (Strata Cloud Manager)

Complete the following steps to set up the Prisma Access internal gateway.
- Confirm that there are no internal host detection or internal gateway configurations at present.
- Make a note of the Remote Networks DNS IP Address from Workflows > Prisma Access Setup > Prisma Access.
- Make a note of the Gateway FQDNs from Workflows > Prisma Access Setup > GlobalProtect > Infrastructure > Infrastructure Settings > Gateway FQDNs.
- Select Workflows > Prisma Access Setup > Remote Networks > Advanced Settings.
- Edit the settings of Prisma Access Internal Gateway to enable the internal gateway, and Save the changes. (Optional) Enable Internal Host Detection for IPv4 if you don't want to use your own DNS server. You can enable internal host detection only after you select Enable Internal Gateway. When you enable the internal gateway, the remote network instances act as internal gateways. When you enable internal host detection, Prisma Access creates PTR records on the remote network DNS proxy servers for the internal host detection process.
- Select Workflows > Prisma Access Setup > GlobalProtect > GlobalProtect App.
- Select an app setting and view the internal host detection details and the internal gateway details. When you enable the internal gateway and internal host detection in step 5, Prisma Access enables IPv4 internal host detection and the internal gateway here as well.
  - Internal Host Detection: Prisma Access populates the Remote Networks DNS IP Address value, from step 2, as the IP address. You can't remove this entry. However, you can add your self-deployed internal gateways. You can deploy your own DNS servers in the internal network for internal host detection, but ensure that you add PTR records so that internal host detection is possible. Note that IPv6 internal host detection on Prisma Access DNS proxies isn't supported.
  - Prisma Access Internal Gateway: Prisma Access appends the Gateway FQDNs value, from step 3, to the address.
  - You can view the DNS proxy server IP address details by selecting Workflows > Prisma Access Setup > Prisma Access.
  - If you enable Internal Host Detection, verify that DNS resolution is working: perform a reverse DNS lookup from your internal network to the DNS proxy server IP, and ensure that it returns an FQDN starting with any-igw.
- Push the changes to mobile users and remote networks at the same time.
- Log in to the endpoint. When you connect to GlobalProtect, you first authenticate with the GlobalProtect portal. Internal host detection then triggers GlobalProtect to connect to the internal gateway. As the GlobalProtect app continues to operate in non-tunnel mode, a second authentication prompt appears, and GlobalProtect submits the host information to the internal gateway on the remote networks.
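The reverse-lookup verification in step 7 can be scripted so that it is run from inside the remote network before you push the configuration, and so that the failure modes (no PTR record, or a PTR name that does not start with any-igw) are reported explicitly. This is an added example, not Palo Alto Networks code; the IP addresses and FQDNs in SAMPLE_PTR_TABLE are constructed placeholders, and the only expectation taken from the page is that the PTR answer is an FQDN beginning with any-igw:

```python
"""Reverse-DNS check for Prisma Access internal host detection (added example).

GlobalProtect treats an endpoint as internal when a reverse (PTR) lookup of the
configured internal host detection IP address returns the expected hostname.
This script reproduces that check from inside the remote network so the DNS
proxy can be validated before the configuration is pushed to endpoints.
"""
import socket
from typing import Callable, Dict, Optional

# A reverse resolver takes an IPv4 address and returns the PTR hostname,
# or None when no PTR record exists.
ReverseResolver = Callable[[str], Optional[str]]


def system_reverse_lookup(ip: str) -> Optional[str]:
    """Reverse lookup through the OS resolver, as an endpoint would perform it."""
    try:
        hostname, _aliases, _addresses = socket.gethostbyaddr(ip)
        return hostname
    except (socket.herror, socket.gaierror):
        return None


def check_internal_host_detection(
    dns_proxy_ip: str,
    expected_prefix: str = "any-igw",
    resolver: ReverseResolver = system_reverse_lookup,
) -> Dict[str, object]:
    """Return a verdict describing whether internal host detection would succeed.

    The acceptance criterion from the page is that the PTR answer starts with
    "any-igw". A missing PTR record, or one with a different name, means the
    endpoint is treated as external and never contacts the internal gateway.
    """
    hostname = resolver(dns_proxy_ip)
    if hostname is None:
        return {
            "ip": dns_proxy_ip, "hostname": None, "internal": False,
            "reason": "no PTR record: DNS proxy unreachable or Internal Host Detection not enabled",
        }
    # Normalize a trailing root dot and letter case before comparing the prefix.
    name = hostname.rstrip(".").lower()
    if not name.startswith(expected_prefix.lower()):
        return {
            "ip": dns_proxy_ip, "hostname": hostname, "internal": False,
            "reason": f"PTR name does not start with {expected_prefix!r}",
        }
    return {
        "ip": dns_proxy_ip, "hostname": hostname, "internal": True,
        "reason": "PTR record matches; GlobalProtect will connect to the internal gateway",
    }


# Constructed sample PTR table standing in for the remote network DNS proxy.
# These addresses and FQDNs are placeholders, not values from the documentation.
SAMPLE_PTR_TABLE: Dict[str, str] = {
    "10.0.0.10": "any-igw.example-remote-network.invalid.",
    "10.0.0.11": "proxy.example-remote-network.invalid.",
}


def sample_resolver(ip: str) -> Optional[str]:
    """Offline resolver backed by the constructed table above."""
    return SAMPLE_PTR_TABLE.get(ip)


if __name__ == "__main__":
    import sys

    # Usage: python check_igw_ptr.py <remote-networks-dns-ip>
    # Without an argument the constructed table is used instead of live DNS.
    if len(sys.argv) > 1:
        print(check_internal_host_detection(sys.argv[1]))
    else:
        for sample_ip in list(SAMPLE_PTR_TABLE) + ["10.0.0.99"]:
            print(check_internal_host_detection(sample_ip, resolver=sample_resolver))
```

Run it with the Remote Networks DNS IP Address noted in step 2 as the argument; a verdict with "internal": False tells you that endpoints on that network will stay in the external path, and the reason field distinguishes a missing PTR record (detection not enabled or DNS proxy unreachable) from a record that resolves to the wrong name.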
Prisma Access Internal Gateway (Panorama)

- Confirm that there are no internal host detection or internal gateway configurations at present.
- Go to Panorama > Cloud Services > Configuration > Remote Networks > Settings.
- Enable Internal Gateway and save the changes. (Optional) Enable Prisma Access Internal Host Detection for IPv4 if you don't want to use your own DNS server. You can enable internal host detection only after you select Enable Internal Gateway. When you enable the internal gateway, the remote network instances act as internal gateways, and Prisma Access creates an internal gateway configuration in a remote network template. When you enable internal host detection, Prisma Access creates PTR records on the remote network DNS proxy servers for the internal host detection process.
- Go to Templates > Network > GlobalProtect > Gateways and select Remote_Network_Template. You will find the GlobalProtect_Internal_Gateway template created for the internal gateway.
- Create an authentication profile for this remote network template that matches the authentication profile in the mobile user template.
  - Select the GlobalProtect_Internal_Gateway template hyperlink in the remote network template.
  - Go to Authentication > Client Authentication.
  - Edit the authentication profile details of the DEFAULT client authentication. Ensure that you select Template > Device > Authentication Profile > Mobile_User_Template. You can also view the authentication profile for the remote network template by selecting Templates > Device > Authentication Profile and then selecting Remote_Network_Template.
- Create a device certificate for the remote network template that matches the device certificate in the mobile user template.
  - Select the GlobalProtect_Internal_Gateway hyperlink in the remote network template.
  - Go to Agent > Client Settings.
  - Select the DEFAULT configuration, and go to the Authentication Override settings.
  - Edit the Certificate to Encrypt/Decrypt Cookie settings and create a new device certificate. Ensure that you select Template > Device > Certificate Management > Certificates > Device Certificates > Mobile_User_Template. The DEFAULT configuration references the Authentication Cookie CA certificate; follow the same hierarchy as the one in Mobile_User_Template for successful authentication. You can also view the device certificate for the remote network template by selecting Template > Device > Certificate Management > Certificates > Device Certificates and then selecting Remote_Network_Template.
- Push the changes to mobile users and remote networks at the same time.