Secure Mobile Users With GlobalProtect
When you secure mobile users using GlobalProtect, you need to define the settings that configure the portal and gateways in the cloud. For example, you will define a portal hostname, set up the IP address pool for your mobile users, and configure DNS settings for your internal domains. You may be able to reuse existing configurations for some of the required settings, such as the authentication profile used to authenticate mobile users. If you already have a template with your authentication profiles, certificates, certificate profiles, and server profiles, you can add that template to the predefined template stack during onboarding to simplify the setup process.

While it is not necessary to push your Security policy settings and objects to the cloud during the onboarding process, if you already have device groups and templates with the configuration objects you need (for example, Security policy, zones, User-ID configuration, and other policy objects), add them when you onboard. This way you can complete the zone mapping that is required for Prisma Access to map the zones in your policy to the appropriate interfaces and zones within the cloud. If you don't have your policy set yet, you can go back later and push it to Prisma Access for users.
In addition, if you want your mobile users to be able to connect to your remote network locations, or if you have mobile users in different geographical areas who need direct access to each other's endpoints, you must configure at least one service connection with placeholder values, even if you don't plan to use the connection to provide access to your data center or HQ locations. This is required because, while all remote network locations are fully meshed, Prisma Access gateways (also known as locations) connect to the service connection in a hub-and-spoke architecture to provide access to the internal networks in your Prisma Access infrastructure.

- Select Panorama > Cloud Services > Configuration > Mobile Users—GlobalProtect.
- Configure the template stack and device group hierarchy that the cloud service will push to the portal and gateway.
  - Edit the Settings.
  - In the Templates section of the Settings tab, Add the template that contains the configuration you want to push to Prisma Access for users. Although you can add existing templates to the stack from the plugin, you cannot create a new template from the plugin. Instead, use the workflow to add a new template. You can Add more than one existing template to the stack and then order them appropriately using Move Up and Move Down. This is important because Panorama evaluates the templates in the stack from top to bottom, and settings in templates that are higher in the stack take priority over the same settings specified in templates that are lower in the stack. You cannot move the default Mobile_User_Template from the top of the stack; this prevents you from overriding any settings that Prisma Access requires to create the network infrastructure in the cloud. If you want to customize the agent configuration that Prisma Access for users pushes to clients from the portal, you must edit the GlobalProtect Portal configuration in the Mobile_User_Template to add a new agent configuration. After configuring the agent configuration, move it above the DEFAULT agent configuration that is predefined in the template to ensure that your settings take precedence over the default settings. When editing this template, do not remove or change the External Gateway entry.
  - In the Device Group section, select the Parent Device Group that contains the configuration settings you want to push to Prisma Access for users, or leave the parent device group as Shared to use the Prisma Access device group shared hierarchy. You will push all of the configuration that Prisma Access for users needs to enforce consistent policy for your mobile users (including the address groups, Security policy, Security profiles, other policy objects such as application groups and objects, HIP objects and profiles, and authentication policy) using the device group hierarchy you specify here. In addition, you must make sure that you have configured a Log Forwarding profile that forwards the desired log types to Panorama/Cortex Data Lake in a device group that gets pushed to Prisma Access for users; this is the only way that the cloud service knows which logs to forward to Cortex Data Lake.
  - (Optional) If you have configured an on-premises next-generation firewall as a master device, select the Master Device you configured. When you select the Master Device, Prisma Access auto-populates user and group information in the security policy rules in Panorama for the mobile user and remote network device groups.
  - (Optional) Configure Prisma Access to use Directory Sync to retrieve user and group information. You must configure Directory Sync to retrieve user and group information from your cloud directory or Active Directory (AD) before you enable and configure Directory Sync integration in Prisma Access using the settings in the Group Mapping Settings tab. See Get User and Group Information Using the Cloud Identity Engine for details.
  - Click OK to save the mobile user settings.
- Map the zones configured within the selected template stack as trusted or untrusted. On a Palo Alto Networks next-generation firewall, Security policy is enforced between zones, which map to physical or virtual interfaces on the firewall. With Prisma Access for users, however, the networking infrastructure is set up automatically for you, which means you no longer need to configure interfaces and associate them with zones. To enable consistent security policy enforcement, you must map the zones you use within your organization as trust or untrust so that Prisma Access for users can translate the policy rules you push to the cloud service to the internal zones within its networking infrastructure.
  - Edit the Zone Mapping settings. By default, all of the zones in the Mobile_User_Template_Stack are classified as Untrusted Zones.
  - For each zone you want to designate as trusted, select it and click Add to move it to the list of Trusted Zones.
  - Click OK to save your changes.
- Configure the GlobalProtect portal and external gateway settings. You can configure Prisma Access gateways as external gateways only, not as internal gateways.
  - In the Onboarding section, click Configure.
  - On the General tab, specify the Portal Name Type:
    - Use Default Domain: If you select this option, your portal hostname uses the default domain name .gpcloudservice.com. In this case, simply enter a Portal Hostname to append to the default domain name. Prisma Access for users will automatically create the necessary certificates and publish the hostname to public DNS servers. If you already have a GlobalProtect deployment with an existing portal name and you want to continue to use that portal name, add a CNAME entry that maps the Prisma Access portal name to your existing portal name. For example, if you have an existing portal named portal.acme.com and you want to map the new Prisma Access portal to this same name, you would add a CNAME of gpcs2.gpcloudservice.com to the DNS entry for your existing portal.
    - Use Company Domain: Select this option if you want the domain in the portal hostname to match your company domain name (for example, myportal.mydomain.com). If you want to use this option, you must first obtain your own certificate and configure an SSL/TLS service profile that points to it. Then you can configure the portal name by selecting the SSL/TLS Service Profile and entering the Portal Hostname. If you use this option, you must point your internal DNS servers to the Portal DNS CNAME, which is the hostname of the portal with the .gpcloudservice.com domain. For example, if you specified a DNS hostname of acme-portal.acme.com, you would need to create a DNS CNAME entry on your internal DNS servers that maps that hostname to acme-portal.gpcloudservice.com.
  - Select an Authentication Profile that specifies how Prisma Access should authenticate mobile users, or create a new one. If you added a parent device group that contains an authentication profile configuration, you should see it in the list of available profiles. If you did not push the profile in the device group, you can create an authentication profile now. After you commit and push your changes, you cannot make any changes to the authentication profile and authentication override certificate in this area; the choices become read-only. To make changes after initial onboarding, modify or add one or more GlobalProtect client authentication configurations under the Mobile_User_Template.
  - Select an Authentication Override Certificate to encrypt the secure cookies that mobile users use to authenticate to the portal and gateway. If you added a parent device group that contains the certificate you want to use to encrypt authentication cookies, you should see it in the list of available certificates. If you did not push a certificate in the device group, you can import or generate one now.
  - (Optional) If you do not require GlobalProtect endpoints to have tunnel connections when on the internal network, enable Internal Host Detection.
    - Select the Internal Host Detection check box.
    - Enter the IP Address of a host that users can reach only from the internal network.
    - Enter the DNS Hostname for the IP address you entered. Clients that try to connect perform a reverse DNS lookup on the specified address. If the lookup fails, the client determines that it needs a tunnel connection to Prisma Access for users.
    Prisma Access copies the internal host detection settings you specify here to the default agent settings in your GlobalProtect portal configuration (Network > GlobalProtect > Portals > <portal-config> > Agent > DEFAULT > Internal). If you have entered internal host detection settings for the default agent in the GlobalProtect portal, you will not be able to change the options here and must change them in the portal. If you require multiple agent configs, enter settings for the default agent config in the GlobalProtect portal and use those settings for Prisma Access, then select Network > GlobalProtect > Portals > <portal-config> > Agent, Add a non-default config, and specify that config in other parts of your deployment.
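To make the internal host detection decision rule concrete, here is an added example (not part of this guide and not GlobalProtect client code) that simulates the client-side check: a reverse DNS lookup of the configured internal-only address, with a tunnel required when the lookup fails. The probe address, hostname, and resolver tables are constructed for the example. Treating a PTR answer that names a different host as "not internal" is an assumption made here so the check fails closed; the guide itself only describes the failed-lookup case.

```python
import socket
from typing import Callable, Dict, Optional

# Constructed sample configuration (not from the guide): the internal-only host
# and its DNS hostname, as entered under Internal Host Detection.
INTERNAL_HOST_IP = "10.20.30.40"
INTERNAL_HOST_NAME = "ihd-probe.corp.example"

# A resolver takes an IP address string and returns the PTR hostname or None.
Resolver = Callable[[str], Optional[str]]


def system_reverse_lookup(ip: str) -> Optional[str]:
    """Reverse lookup using whatever DNS servers the endpoint currently has."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror and socket.gaierror
        return None


def needs_tunnel(ip: str, expected_hostname: str,
                 resolver: Resolver = system_reverse_lookup) -> bool:
    """Return True when the client should bring up a tunnel to Prisma Access.

    As the procedure describes, the client performs a reverse DNS lookup on the
    internal-only address; if the lookup fails, the endpoint is not on the
    internal network and needs a tunnel. Assumption of this example: an answer
    that does not name the configured host is also treated as "not internal".
    """
    answer = resolver(ip)
    if answer is None:
        return True
    return answer.rstrip(".").lower() != expected_hostname.rstrip(".").lower()


def make_fake_resolver(ptr_table: Dict[str, str]) -> Resolver:
    """Build an offline resolver from a constructed PTR table for testing."""
    def resolve(ip: str) -> Optional[str]:
        return ptr_table.get(ip)
    return resolve


# Constructed scenarios: on the corporate LAN the internal resolver answers the
# PTR; on an outside network there is no answer; a third resolver answers with
# an unrelated name.
ON_CORP_LAN = make_fake_resolver({INTERNAL_HOST_IP: INTERNAL_HOST_NAME})
ON_OUTSIDE_NETWORK = make_fake_resolver({})
WRONG_PTR = make_fake_resolver({INTERNAL_HOST_IP: "other-host.example"})

if __name__ == "__main__":
    for label, resolver in [("corporate LAN", ON_CORP_LAN),
                            ("outside network", ON_OUTSIDE_NETWORK),
                            ("unexpected PTR", WRONG_PTR)]:
        decision = "tunnel" if needs_tunnel(INTERNAL_HOST_IP, INTERNAL_HOST_NAME, resolver) else "internal"
        print(f"{label}: {decision}")
```

The answer the client sees comes from whichever DNS servers the endpoint is currently using, so choose a probe address and hostname that only your internal resolvers can answer.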
  - Select the Locations and the regions associated with those locations where you want to deploy your mobile users. The Locations tab displays a map. Highlighting the map shows the global regions (Americas, Europe, and Asia Pacific) and the locations available inside each region. Select a region, then select the locations you want to deploy in each region. Limiting your deployment to a single region provides more granular control over deployed regions and allows you to exclude regions as required by your policy or industry regulations. See List of Prisma Access Locations for the list of regions and locations. You can select a location in a region that is closest to your mobile users, or select a location as required by your policy or industry regulations. Specify a single region to reduce the minimum IP address pool that you need in Step 8. See Specify IP Address Pools for Mobile Users for more information. Prisma Access uses the Hong Kong, Netherlands Central, and US Northwest locations as fallback mobile user locations if other locations are not available. For this reason, Palo Alto Networks strongly recommends that you enable at least one of these locations during mobile user onboarding.
    - Click the Locations tab and select a region.
    - Select one or more Prisma Access gateways within your selected region using the map. Hovering your cursor over a location highlights it. White circles indicate an available location; green circles indicate that you have selected that location. In addition to the map view, you can view a list of regions and locations. Choose between the map and list view from the lower left corner. In the list view, regions are sorted by column, with all locations sorted by region. You can select All sites within a region (top of the dialog).
  - Set up the IP address pools that Prisma Access for users uses to assign IP addresses to GlobalProtect endpoints by selecting the IP Pools tab and Adding an IP address pool.
    - Region: Select Worldwide to use a single IP address pool for all GlobalProtect clients using the cloud service, or select an available region. You can use a single IP address pool for all GlobalProtect endpoints Worldwide, you can set separate pools for each region where you have mobile users, or you can specify both Worldwide and region-specific IP pools. For example, you can add a pool for a specific region and then add a Worldwide pool to use for all other regions. Prisma Access then uses the Worldwide IP addresses to scale as you onboard additional gateways in other regions to accommodate more mobile users. If you specify a pool for a region and you exhaust the available IP addresses in that pool, Prisma Access takes IP addresses from the Worldwide pool to use in that region.
    - IP Pool: Enter an IP address pool to assign to the endpoints in the selected region. The addresses in this pool must not overlap with other networks you use internally or with the pools you assigned when you Enable the Service Infrastructure. If you deploy locations in a single region, the minimum required subnet is /23 (512 IP addresses) per location. Each additional location requires a minimum /23 subnet. If you specify a Worldwide subnet, the minimum required subnet is /23, but we recommend providing enough subnets to allocate a number of IP addresses that is equal to or greater than the number of licensed mobile users so that they can all log in at the same time. See Specify IP Address Pools for Mobile Users for more information. Do not specify any subnets that overlap with the following IP addresses and subnets, because Prisma Access reserves them for its internal use:
      - 169.254.169.253 and 169.254.169.254
      - 100.64.0.0/10
      - 169.254.201.0/24
      - 169.254.202.0/24
      We recommend using an RFC 1918-compliant IP address pool. While we support the use of non-RFC 1918 (public) IP addresses for mobile users, we do not recommend them because of possible conflicts with public internet IP address space.
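The constraints above (no overlap with the reserved ranges or with networks you already use, at least one /23 per location, a pool large enough for all licensed users, RFC 1918 space preferred) can be checked before you click OK. The following Python script is an added example for this guide, not a Palo Alto Networks tool; the pools, location counts, and existing networks it is called with are constructed, and it handles IPv4 pools only.

```python
import ipaddress
from typing import Iterable, List

# Reserved by Prisma Access for internal use (the list given in the procedure).
RESERVED = [ipaddress.ip_network(n) for n in (
    "169.254.169.253/32", "169.254.169.254/32",
    "100.64.0.0/10", "169.254.201.0/24", "169.254.202.0/24",
)]

RFC1918 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]

MIN_PREFIX_PER_LOCATION = 23  # a /23 (512 addresses) per location


def check_mobile_user_pool(pool: str, location_count: int,
                           existing_networks: Iterable[str] = (),
                           licensed_users: int = 0) -> List[str]:
    """Return the problems found with a proposed pool; an empty list means OK.

    Entries prefixed with "warning:" are recommendations from the guide rather
    than hard requirements.
    """
    problems: List[str] = []
    try:
        net = ipaddress.ip_network(pool, strict=True)
    except ValueError as exc:
        return [f"not a valid network: {exc}"]
    if net.version != 4:
        return ["this example only checks IPv4 pools"]

    # Hard requirement: no overlap with Prisma Access reserved space.
    for reserved in RESERVED:
        if net.overlaps(reserved):
            problems.append(f"overlaps reserved range {reserved}")

    # Hard requirement: no overlap with networks already in use internally
    # or with the service infrastructure pools.
    for other_str in existing_networks:
        other = ipaddress.ip_network(other_str, strict=False)
        if other.version == 4 and net.overlaps(other):
            problems.append(f"overlaps existing network {other}")

    # Size: one /23 per location.
    needed = location_count * (1 << (32 - MIN_PREFIX_PER_LOCATION))
    if net.num_addresses < needed:
        problems.append(
            f"too small: {net.num_addresses} addresses, need at least {needed} "
            f"for {location_count} location(s) at a /23 each")

    # Recommendation: enough addresses for every licensed user at once.
    if licensed_users and net.num_addresses < licensed_users:
        problems.append(
            f"warning: {net.num_addresses} addresses is fewer than "
            f"{licensed_users} licensed mobile users")

    # Recommendation: stay inside RFC 1918 private space.
    if not any(net.subnet_of(private) for private in RFC1918):
        problems.append("warning: not RFC 1918 private space; may conflict with public internet addresses")
    return problems


if __name__ == "__main__":
    # Constructed inputs for demonstration.
    checks = [
        ("10.50.0.0/22", 2, ["10.0.0.0/16"], 1000),
        ("100.64.0.0/22", 1, [], 0),
        ("10.50.0.0/24", 1, [], 0),
    ]
    for pool, locations, existing, users in checks:
        print(pool, check_mobile_user_pool(pool, locations, existing, users) or "OK")
```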
  - To specify the DNS resolution settings for your internal and external (public) domains, select the Network Services tab and then click Add. GlobalProtect endpoints with an active tunnel connection use their virtual network adapters rather than their physical network adapters and therefore require separate DNS resolution settings. Configure network settings in the Network Services window.
    - Select a Region from the drop-down at the top of the window. Select a specific region, or select Worldwide to apply the DNS settings globally. If you specify multiple proxy settings with a mix of regional and Worldwide regions, Prisma Access uses the regional settings for the Locations in the region or regions you specify and uses the Worldwide settings elsewhere. Prisma Access evaluates the rules from top to bottom in the list.
    - Add one or more rules to configure the DNS settings for Internal Domains.
      - Enter a unique Rule Name for the rule.
      - If you want your internal DNS server to resolve only the domains you specify, enter the domains to resolve in the Domain List. Specify an asterisk in front of the domain; for example, *.acme.com. You can specify a maximum of 1,024 domain entries.
      - If you have a Custom DNS server that can access your internal domains, specify the Primary DNS and Secondary DNS server IP addresses, or select Use Cloud Default to use the default Prisma Access DNS server.
    - Specify the DNS settings for Public Domains.
      - Use Cloud Default: Use the default Prisma Access DNS server.
      - Same as Internal Domains: Use the same server that you use to resolve internal domains. When you select this option, the DNS server used to resolve public domains is the same as the server configured for the first rule in the Internal Domains section.
      - Custom DNS server: If you have a DNS server that can access your public (external) domains, enter the Primary DNS server address in that field.
    - (Optional) You can Add a DNS Suffix to specify the suffix that the client should use locally when an unqualified hostname is entered that it cannot resolve, for example, acme.local. Do not enter a wildcard (*) character in front of the domain suffix (for example, acme.com). You can add multiple suffixes.
    - If you want Prisma Access to proxy DNS requests, configure the values to use for UDP queries (the Interval in seconds between retries of the query and the number of retry Attempts to perform). For more information about how Prisma Access proxies DNS requests, see DNS Resolution for Mobile Users—GlobalProtect Deployments.
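The Network Services rules above have a few easy-to-miss constraints (Domain List entries written with a leading asterisk, at most 1,024 of them, no wildcard in a DNS Suffix) and a precedence model (top to bottom, regional rules for locations in that region, Worldwide rules elsewhere, and "Same as Internal Domains" reusing the first internal rule's server). The Python below is an added example written for this guide, not Prisma Access code: it validates a constructed rule set and then walks the rules the way the text describes to show which server a given query would be sent to. Treating "*.acme.com" as matching any name that ends in ".acme.com" is an assumption of this example; the sample rules put the regional rule above the Worldwide one so that top-to-bottom evaluation and regional precedence agree.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

MAX_DOMAIN_ENTRIES = 1024        # limit stated in the procedure
CLOUD_DEFAULT = "cloud-default"  # stands in for "Use Cloud Default"
SAME_AS_INTERNAL = "same-as-internal"


@dataclass
class InternalDnsRule:
    name: str
    region: str                      # "Worldwide" or a specific region, e.g. "Europe"
    domains: List[str]               # Domain List entries, written as "*.acme.com"
    primary: Optional[str] = None    # Custom DNS server; None means Use Cloud Default
    secondary: Optional[str] = None

    def server(self) -> str:
        return self.primary or CLOUD_DEFAULT


def validate_rule(rule: InternalDnsRule) -> List[str]:
    """Check one Internal Domains rule against the constraints in the procedure."""
    problems: List[str] = []
    if not rule.name.strip():
        problems.append("rule has no Rule Name")
    if len(rule.domains) > MAX_DOMAIN_ENTRIES:
        problems.append(f"{rule.name}: {len(rule.domains)} domain entries exceeds "
                        f"the maximum of {MAX_DOMAIN_ENTRIES}")
    for domain in rule.domains:
        if not domain.startswith("*."):
            problems.append(f"{rule.name}: domain {domain!r} should be entered with a "
                            f"leading asterisk, for example '*.acme.com'")
    return problems


def validate_suffixes(suffixes: Sequence[str]) -> List[str]:
    """DNS Suffix entries must not start with a wildcard."""
    return [f"DNS suffix {s!r} must not start with a wildcard (*)"
            for s in suffixes if s.startswith("*")]


def _matches(hostname: str, pattern: str) -> bool:
    # Assumption of this example: "*.acme.com" matches any name ending in ".acme.com".
    host = hostname.lower().rstrip(".")
    pat = pattern.lower()
    return host.endswith(pat[1:]) if pat.startswith("*.") else host == pat


def select_dns_server(rules: Sequence[InternalDnsRule], endpoint_region: str,
                      hostname: str, public_dns: str = CLOUD_DEFAULT
                      ) -> Tuple[Optional[str], str]:
    """Return (matching rule name or None, server) for a query from a location in endpoint_region.

    Rules are evaluated top to bottom; a regional rule applies only to locations in
    its region, a Worldwide rule applies everywhere. A name no internal rule covers is
    resolved according to the Public Domains setting.
    """
    for rule in rules:
        if rule.region not in ("Worldwide", endpoint_region):
            continue
        if any(_matches(hostname, p) for p in rule.domains):
            return rule.name, rule.server()
    if public_dns == SAME_AS_INTERNAL:
        # "Same as Internal Domains" uses the server of the first internal rule.
        return None, (rules[0].server() if rules else CLOUD_DEFAULT)
    return None, public_dns


# Constructed sample configuration (not from the guide).
RULES = [
    InternalDnsRule("emea-internal", "Europe", ["*.acme.com"], "10.1.1.53", "10.1.2.53"),
    InternalDnsRule("global-internal", "Worldwide", ["*.acme.com", "*.acme.local"], "10.9.9.53"),
]
SUFFIXES = ["acme.local"]

if __name__ == "__main__":
    for rule in RULES:
        print(rule.name, validate_rule(rule) or "OK")
    print("suffixes", validate_suffixes(SUFFIXES) or "OK")
    for region, name in [("Europe", "wiki.acme.com"), ("Americas", "wiki.acme.com"),
                         ("Americas", "www.example.org")]:
        print(region, name, "->", select_dns_server(RULES, region, name, SAME_AS_INTERNAL))
```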
  - (Optional) If your deployment uses Windows Internet Name Service (WINS), you can specify WINS servers to resolve NetBIOS name-to-IP address mappings by selecting WINS Configuration, selecting a region for the WINS server or selecting Worldwide to apply the WINS configuration worldwide, and then specifying a Primary WINS and, optionally, Secondary WINS server address. After you enable WINS, Prisma Access can push the WINS configuration to mobile users' endpoints over GlobalProtect.
  - (Optional) If you allow your mobile users to manually select gateways from the GlobalProtect app, select the Manual Gateway Locations that the users can view from their GlobalProtect app. Choosing a subset of onboarded locations reduces the number of gateways that mobile users can view in their GlobalProtect app for manual gateway selection. If you do not select manual gateways in this tab, Prisma Access selects the following list of gateways by default.
    - Australia Southeast
    - Belgium
    - Brazil South
    - Canada East
    - Finland
    - France North
    - Germany Central
    - Hong Kong
    - India West
    - Ireland
    - Israel
    - Japan Central
    - Netherlands Central
    - Saudi Arabia
    - Singapore
    - South Africa Central
    - South Korea
    - Taiwan
    - UK
    - US East
    - US West
    Prisma Access lets you select only gateways that you have onboarded. For example, if you don't choose UK when you select locations, you cannot select UK as a manual gateway (the location is grayed out).
  - Click OK to save the Onboarding settings.
- To secure traffic for your mobile users, you must create security policy rules.
  - Select the Device Group in which to add policy rules. You can select the Mobile_User_Device_Group or the parent device group that you selected when setting up Prisma Access for mobile users.
  - Create security policy rules. Make sure that you do not define security policy rules that allow traffic from any zone to any zone. In the security policy rules, use the zones that you defined in the template stack you are pushing to the cloud service.
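Before you commit, it is worth linting the rules you are about to push against the two requirements in this step (no allow rule from any zone to any zone; only zones defined in the template stack) and against the Log Forwarding requirement from the device group step above (logs are only forwarded to Cortex Data Lake for rules that carry a Log Forwarding profile). The Python below is an added example written for this guide, not part of Panorama or the Cloud Services plugin; the rule set and zone mapping are constructed, and flagging only allow rules that lack a Log Forwarding profile is a choice made in this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Set


@dataclass
class SecurityRule:
    name: str
    from_zones: Set[str]        # "any" or zone names from the template stack
    to_zones: Set[str]
    action: str                 # "allow" or "deny"
    log_forwarding: str = ""    # attached Log Forwarding profile, "" if none


@dataclass
class ZoneMapping:
    stack_zones: Set[str]                              # zones defined in the pushed template stack
    trusted: Set[str] = field(default_factory=set)     # zones moved to Trusted Zones

    def classification(self, zone: str) -> str:
        # By default every zone in the stack is classified as untrusted.
        return "trusted" if zone in self.trusted else "untrusted"


def lint_rules(rules: Sequence[SecurityRule], mapping: ZoneMapping) -> Dict[str, List[str]]:
    """Return {rule name: [findings]} for rules that violate the guidance above."""
    findings: Dict[str, List[str]] = {}
    for rule in rules:
        issues: List[str] = []
        if rule.action == "allow" and "any" in rule.from_zones and "any" in rule.to_zones:
            issues.append("allows traffic from any zone to any zone")
        for zone in sorted(rule.from_zones | rule.to_zones):
            if zone != "any" and zone not in mapping.stack_zones:
                issues.append(f"zone '{zone}' is not defined in the template stack pushed to Prisma Access")
        if rule.action == "allow" and not rule.log_forwarding:
            issues.append("allow rule has no Log Forwarding profile; its logs will not reach Cortex Data Lake")
        if issues:
            findings[rule.name] = issues
    return findings


def zones_still_untrusted(rules: Sequence[SecurityRule], mapping: ZoneMapping) -> Set[str]:
    """Zones referenced by the rules that are still in the default Untrusted Zones list."""
    used: Set[str] = set()
    for rule in rules:
        used |= rule.from_zones | rule.to_zones
    return {z for z in used - {"any"}
            if z in mapping.stack_zones and mapping.classification(z) == "untrusted"}


# Constructed sample configuration (not from the guide).
MAPPING = ZoneMapping(stack_zones={"trust", "untrust", "corp-dc"}, trusted={"trust"})
RULES = [
    SecurityRule("allow-corp-apps", {"trust"}, {"corp-dc"}, "allow", "cdl-forward"),
    SecurityRule("permit-all", {"any"}, {"any"}, "allow"),
    SecurityRule("legacy-dmz", {"trust"}, {"dmz"}, "allow", "cdl-forward"),
    SecurityRule("block-inbound", {"untrust"}, {"trust"}, "deny"),
]

if __name__ == "__main__":
    for name, issues in lint_rules(RULES, MAPPING).items():
        for issue in issues:
            print(f"{name}: {issue}")
    print("zones in use still classified untrusted:", sorted(zones_still_untrusted(RULES, MAPPING)))
```

The second helper is there because of the zone mapping step: a zone such as corp-dc that you intended as trusted but never moved into Trusted Zones is silently treated as untrusted when the policy is translated in the cloud.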
- Configure logs to forward to Cortex Data Lake. The Cloud Services plugin automatically adds the following Log Settings (Device > Log Settings) after a new installation or when you remove non-Prisma Access templates from a Prisma Access template stack:
  - Log Settings for System logs (system-gpcs-default), User-ID logs (userid-gpcs-default), HIP Match logs (hipmatch-gpcs-default), and GlobalProtect logs (gp-prismaaccess-default) are added to the Mobile_User_Template.
  - Log Settings for System logs (system-gpcs-default), User-ID logs (userid-gpcs-default), and GlobalProtect logs (gp-prismaaccess-default) are added to the Remote_Network_Template.
  - Log Settings for System logs (system-gpcs-default) and GlobalProtect logs (gp-prismaaccess-default) are added to the Service_Conn_Template.
  These Log Setting configurations automatically forward System, User-ID, and HIP Match logs to Cortex Data Lake.
- (Optional) Forward logs for other log types to Cortex Data Lake. To do this, you must create and attach a log forwarding profile to each policy rule for which you want to forward logs. See the Cortex Data Lake Getting Started Guide for more information.
  - Select the Device Group in which you added the policy rules.
  - Select Objects > Log Forwarding and Add a profile. In the Log Forwarding Profile Match List, Add each log type that you want to forward. For example, you can enable forwarding of Traffic, Threat Prevention, WildFire Submission, URL Filtering, Data Filtering, and Authentication logs.
  - Select Panorama/Cortex Data Lake as the Forward Method. When you select Panorama, the logs are forwarded to Cortex Data Lake. You will be able to monitor the logs and generate reports from Panorama. Cortex Data Lake provides seamless integration to store logs without backhauling them to your Panorama at the corporate headquarters, and Panorama can query Cortex Data Lake as needed.
  - Select Policies > Security and edit the policy rule. In Actions, select the Log Forwarding profile you created.
- Commit all your changes to Panorama and push the configuration changes to Prisma Access.
  - Click Commit > Commit and Push.
  - Edit Selections and, in the Prisma Access tab, make sure that Mobile Users is selected in the Push Scope, then click OK.
  - Click Commit and Push.
- To verify that Prisma Access for users is deployed and active, select Panorama > Cloud Services > Status > Status. After the provisioning completes, the mobile users Status and Config Status should show OK. The Deployment Status area allows you to view the progress of onboarding and deployment jobs before they complete, as well as more information about the status of completed jobs. See Deployment Progress and Status for details. To view the number of unique users who are currently logged in, or to log out a logged-in user, click the hyperlinked number next to Current Users. See View Logged In User Information and Log Out Current Users for details. To view historical information about previously logged-in users over a 90-day period, click the number next to Users (Last 90 days). To export the list of users to a CSV file, select Export to CSV. Note that a maximum of 45,000 users can be exported to a CSV file. To display a map that shows the locations of the Prisma Access portals and gateways running in the regions you have selected, select Monitor, then select Mobile Users. Select a region to get more detail about that region.
- If you chose to Use Company Domain for your portal hostname, you must add a DNS entry on your internal DNS servers to map the portal hostname you defined to the Portal DNS CNAME displayed on the Cloud Services > Configuration > Mobile Users > Onboarding > General tab (for example, <portal_hostname>.gpcloudservice.com).
- Deploy the GlobalProtect app software to your end users. For Mac OS or Windows users, you can direct users to the Prisma Access portal address, where they can download the GlobalProtect app from the portal. Prisma Access manages the version of the GlobalProtect app on the portal; you can select the active version from the versions that Prisma Access hosts, as well as control the ability of users to download it. Alternatively, you can host the GlobalProtect app software on a web server for your Mac OS and Windows users. Prisma Access is compatible with any GlobalProtect app versions that are not listed as end of life. Mobile app users can download and install the GlobalProtect mobile app from the appropriate app store for their operating systems.