Set Up GlobalProtect on Panorama Managed Prisma Access
Focus
Focus

Set Up GlobalProtect on Panorama Managed Prisma Access

Table of Contents

Set Up GlobalProtect on Panorama Managed Prisma Access

To configure a Mobile Users—GlobalProtect deployment, complete the following steps. Before you begin, be sure that you understand how Prisma Access works and use the checklist to plan for your GlobalProtect deployment.
  1. Select
    Panorama
    Cloud Services
    Configuration
    Mobile Users—GlobalProtect
    .
  2. Configure the template stack and device group hierarchy that the cloud service will push to the portal and gateway.
    1. Edit the
      Settings
      .
    2. In the Templates section of the
      Settings
      tab,
      Add
      the template that contains the configuration you want to push to Prisma Access for users.
      Although you can add existing templates to the stack from the plugin, you cannot create a new template from the plugin. Instead, use the workflow to add a new template.
      You can
      Add
      more than one existing template to the stack and then order them appropriately using
      Move Up
      and
      Move Down
      . This is important because Panorama evaluates the templates in the stack from top to bottom and settings in templates that are higher in the stack take priority over the same settings specified in templates that are lower in the stack. You cannot move the default Mobile_User_Template from the top of the stack; this prevents you from overriding any settings that Prisma Access requires to create the network infrastructure in the cloud.
      If you want to customize the agent configuration that the Prisma Access for users pushes to clients from the portal, you must edit the GlobalProtect Portal configuration in the Mobile_User_Template to add a new agent configuration. After configuring the Agent configuration, move it above the DEFAULT agent configuration that is predefined in the template to ensure that your settings take precedence over the default settings. When editing this template, do not remove or change the External Gateway entry.
    3. In the Device Group section, select the
      Parent Device Group
      that contains the configuration settings you want to push to Prisma Access for users, or leave the parent device group as
      Shared
      to use the Prisma Access device group shared hierarchy.
      You will push all of the configuration—including the address groups, Security policy, Security profiles, and other policy objects (such as application groups and objects), HIP objects and profiles and authentication policy—that Prisma Access for users needs to enforce consistent policy to your mobile users using the device group hierarchy you specify here. In addition, you must make sure that you have configured a Log Forwarding profile that forwards the desired log types to
      Panorama/Cortex Data Lake
      in a device group that gets pushed to Prisma Access for users; this is the only way that the cloud service knows which logs to forward to Cortex Data Lake.
    4. (
      Optional
      ) If you have configured a next-generation firewall as a master device or added a Cloud Identity Engine profile to make user and group information selectable in security policies, select
      User-ID Master Device
      or
      Cloud Identity Engine
      ; then, select either the Master Device or the Cloud Identity Engine profile that you created.
  3. (
    Optional
    ) Configure Prisma Access to use the Directory Sync component of the Cloud Identity Engine to retrieve user and group information.
    You must configure the Directory Sync component of the Cloud Identity Engine to retrieve user and group information from cloud directory or Active Directory (AD) before you enable and configure Directory Sync integration in Prisma Access
    Group Mapping Settings
    .
  4. Click
    OK
    to save the mobile user settings.
  5. Map the zones configured within the selected template stack as trusted or untrusted.
    On a Palo Alto Networks next-generation firewall, Security policy is enforced between zones, which map to physical or virtual interfaces on the firewall. However, with Prisma Access for users, the networking infrastructure is automatically set up for you, which means you no longer need to configure interfaces and associate them with zones. However, to enable consistent security policy enforcement, you must map the zones you use within your organization as trust or untrust so that Prisma Access for users can translate the policy rules you push to the cloud service to the internal zones within the networking infrastructure.
    1. Edit the Zone Mapping settings.
      By default, all of the zones in the Mobile_User_Template_Stack are classified as Untrusted Zones.
    2. For each zone you want to designate as trusted, select it and click
      Add
      to move it to the list of
      Trusted Zones
      .
    3. Click
      OK
      to save your changes.
  6. Configure the GlobalProtect portal and external gateway settings.
    You can configure Prisma Access gateways as external gateways only—not as internal gateways.
    1. In the Onboarding section, click
      Configure
      .
    2. On the
      General
      tab, specify the
      Portal Name Type
      :
      • Use Default Domain
        —If you select this option, your portal hostname uses the default domain name:
        .gpcloudservice.com
        . In this case, simply enter a
        Portal Hostname
        to append to the default domain name. Prisma Access for users will automatically create the necessary certificates and publish the hostname to public DNS servers.
        If you already have a GlobalProtect deployment with an existing portal name and you want to continue to use that portal name, add a CNAME entry that maps Prisma Access portal name to your existing portal name. For example, if you have an existing portal named portal.acme.com and you want to map the new Prisma Access portal to this same name, you would add a CNAME of gpcs2.gpcloudservice.com to the DNS entry for your existing portal.
        The *.gpcloudservice.com domain is associated with the Palo Alto Networks application.
      • Use Company Domain
        —Select this option if you want the domain in the portal hostname to match your company domain name (for example, myportal.mydomain.com). If you want to use this option, you must first obtain your own certificate and configure an SSL/TLS service profile that points to it. Then you can configure the portal name by selecting the
        SSL/TLS Service Profile
        and entering the
        Portal Hostname
        . If you use this option, you must point your internal DNS servers to the
        Portal DNS CNAME
        , which is the hostname of the portal with the
        .gpcloudservice.com
        domain. For example, if you specified a DNS hostname of acme-portal.acme.com, you would need to create a DNS CNAME entry that maps that hostname to acme-portal.gpcloudservice.com on your internal DNS servers.
      If you need to upload a new certificate, import the certificate and private key; then, view the SSL/TLS service being used by Prisma Access under
      Network
      GlobalProtect
      Portals
      GlobalProtect_Portal
      Authentication
      and check the
      SSL/TLS Service Profile
      name. This field only displays if you are using a company domain instead of the default domain. You can then select
      Device
      Certificate Management
      SSL/TLS Certificate Profile
      and replace the certificate in the SSL/TLS profile used by the portal with the certificate you imported.
    3. Select an
      Authentication Profile
      that specifies how Prisma Access should authenticate mobile users or create a new one.
      If you added a parent device group that contains an authentication profile configuration, you should see it on the list of available profiles. If you did not push the profile in the device group, you can create an authentication profile now.
      After you commit and push your changes, you cannot make any changes to the authentication profile and authentication override certificate in this area and the choices become read-only. To make changes after initial onboarding, modify or add one or more GlobalProtect client authentication configurations under the
      Mobile_User_Template
      .
    4. Select an
      Authentication Override Certificate
      to encrypt the secure cookies that mobile users authenticate to the portal and gateway.
      If you added a parent device group that contains the certificate you want to use to encrypt authentication cookies, you should see it on the list of available certificates. If you did not push a certificate in the device group, you can import or generate one now.
    5. (
      Optional
      ) If you do not require GlobalProtect endpoints to have tunnel connections when on the internal network, enable
      Internal Host Detection
      .
      1. Select the
        Internal Host Detection
        check box.
      2. Enter the
        IP Address
        of a host that users can reach only from the internal network.
      3. Enter the DNS
        Hostname
        for the IP address you entered. Clients that try to connect perform a reverse DNS lookup on the specified address. If the lookup fails, the client determines that it needs a tunnel connection to Prisma Access for users.
      Prisma Access copies the internal host detection settings you specify here to the default agent settings in your GlobalProtect portal configuration (
      Network
      GlobalProtect
      Portals
      <
      portal-config
      >
      Agent
      DEFAULT
      Internal
      ). If you have entered internal host detection settings for the default agent in the GlobalProtect portal, you will not be able to change the options here and must change it in the portal. If you require multiple agent configs, enter settings for the default agent config in the GlobalProtect portal and use those settings for Prisma Access, then select
      Network
      GlobalProtect
      Portals
      <
      portal-config
      >
      Agent
      and
      Add
      a non-default config, and specify that config in other parts of your deployment.
    6. (
      Optional
      ) To ensure that your mobile users have redundancy connectivity to the services and applications that are accessible from service connections, Enable Network Redundancy between the portals or gateways and service connections.
      If you have a Mobile Users–GlobalProtect deployment that includes service connections, and are running a Cloud Services plugin version of 3.0 or later, Palo Alto Networks recommends that, as a best practice, you create two service connections in two different Prisma Access compute locations and enable Mobile User Regional Redundancy. This change will improve your resiliency posture and will mitigate any outages that could occur in the event of a tunnel failure between the GlobalProtect mobile user and service connection dataplane.
    7. (
      Optional
      ) If your organization uses allow lists to control access to public or SaaS applications, specify whether or not you are
      Using IP Allow Lists in SaaS Apps
      .
      To enable you to add the public (egress) IP addresses for your GlobalProtect—Mobile User deployment to any SaaS application allow lists you use within your organization, Prisma Access provides you with the IP addresses and lets you verify that you have added them to your allow list before using them in your environment. You can implement allow listing for Prisma Access egress IP addresses for both existing deployments and new deployments.
    8. (
      Optional
      ) Customize the GlobalProtect app settings (for example, specify the connect method GlobalProtect uses) by selecting
      Network
      GlobalProtect
      Portals
      GlobalProtect_Portal
      Agent
      , selecting the config you want to customize or selecting
      DEFAULT
      , selecting
      App
      , then customizing the GlobalProtect app.
  7. Select the
    Locations
    and the regions associated with those locations where you want to deploy your mobile users.
    The
    Locations
    tab displays a map. Highlighting the map shows the global regions (Americas, Europe, and Asia Pacific) and the locations available inside each region. Select a region, then select the locations you want to deploy in each region. Limiting your deployment to a single region provides more granular control over deployed regions and allows you to exclude regions as required by your policy or industry regulations. See Prisma Access Locations for the list of regions and locations. You can select a location in a region that is closest to your mobile users, or select a location as required by your policy or industry regulations.
    Prisma Access uses the Hong Kong, Netherlands Central, and US Northwest locations as fallback mobile user locations if other locations are not available. For this reason, Palo Alto Networks strongly recommends that you enable at least one of these locations during mobile user onboarding.
    1. Click the
      Locations
      tab and select a region.
    2. Select one or more Prisma Access gateways within your selected region using the map.
      Hovering your cursor over a location highlights it. White circles indicate an available location; green circles indicate that you have selected that location.
      In addition to the map view, you can view a list of regions and locations. Choose between the map and list view from the lower left corner. In the list view, the list displays regions sorted by columns, with all locations sorted by region. You can select
      All
      sites within a region (top of the dialog).
  8. Set up the IP address pools used to assign IP addresses to GlobalProtect endpoints by selecting the
    IP Pools
    tab and
    Add
    an IP address pool.
    1. Specify a
      Region
      for the IP address pool.
      You can use a single IP address pool for all GlobalProtect endpoints in the world (
      Worldwide
      ), you can use separate pools for each theater where you have mobile users, or you can specify pools per location group (a group of locations that is smaller than the theater). You can also specify a combination of worldwide, per-theater, or per-location group IP pools. For example, you could add a pool for a specific location group and then add a
      Worldwide
      pool to use for all other locations.
      Use location group-specific IP address pools if you have services that depend on the source IP address of the user to identify the user’s details (such as location-based services or services based on a user group or function) so you can apply access control policies, or to perform routing or policy operations on different countries if the countries are in different compute regions. For example, you could use a separate IP address pool for Canada and one for Brazil, which are in different compute locations, to provide distinct access and security controls.
      To use location group-specific IP address pools, you must also specify a Worldwide or theater-specific pool.
      GlobalProtect mobile users consume the IP addresses in the location group first, then theater-specific IP addresses, then Worldwide IP addresses. For example, if you specify a pool for a location group and Worldwide, and you then exhaust the available IP addresses in the location group pool, Prisma Access then takes IP addresses from the
      Worldwide
      pool to use in that location group.
      • To specify IP pools that can be used by all GlobalProtect mobile users, select
        Worldwide
        .
      • To specify IP pools that can be used by GlobalProtect users in a specific theater, select the theater.
      • To specify IP pools that are specific to the location group, select it from the list.
    2. Enter an
      IP Pool
      to assign to the endpoints in the region you selected.
      • Enter a minimum required subnet of /23 (512 IP addresses) per location. Additional locations require a minimum /23 subnet. If you specify a Worldwide subnet, the minimum required subnet is /23 but we recommend providing enough subnets to allocate a of IP addresses that is equal to or greater than the number of licensed mobile users so that they can log in at the same time.
        Do not specify addresses that overlap with other networks you use internally or with the pools you assigned when you Enable the Service Infrastructure. In addition, do not use the following IP addresses and subnets, because Prisma Access reserves those IP addresses and subnets for its internal use:
        169.254.169.253, 169.254.169.254, 169.254.201.0/24, 169.254.202.0/24, and 100.64.0.0/10.
        We recommend using an RFC 1918-compliant IP address pool. While we support the use of non-RFC 1918-compliant (public) IP addresses for mobile users, we do not recommend using them due to possible conflicts with internet public IP address space.
  9. To specify the DNS resolution settings for your internal and external (public) domains, select
    Network Services
    tab and
    Add
    the settings.
    GlobalProtect endpoints with an active tunnel connection use their virtual network adapters rather than their physical network adapters and therefore require separate DNS resolution settings.
    Configure network settings in the
    Network Services
    window.
    • Select a
      Region
      from the drop-down.
      Select
      Worldwide
      , select a theater, or select a location group to apply the DNS settings globally. If you specify multiple proxy settings with a mix of Worldwide, theater, and location group-specific settings, Prisma Access uses the settings for the location group, then theater, then Worldwide. Prisma Access evaluates the rules from top to bottom in the list.
    • Add
      one or more rules to configure the DNS settings for
      Internal Domains
      .
      • Enter a unique
        Rule Name
        for the rule.
      • you want your internal DNS server to only resolve the domains you specify, enter the domains to resolve in the
        Domain List
        . Specify an asterisk in front of the domain; for example, *.acme.com. You can specify a maximum of 1,024 domain entries.
        Prisma Access has a predefined rule to resolve *.amazonaws.com domains using the Cloud Default server. If you want your internal DNS servers to resolve a more-specific *.amazonaws.com domain (for example, *.s3.amazonaws.com), enter the URL in the
        Domain List
        . Prisma Access evaluates the domain names from longest to shortest, then from top to bottom in the list.
      • If you have a
        Custom DNS server
        that can access your internal domains, specify the
        Primary DNS
        and
        Secondary DNS
        server IP addresses, or select
        Use Cloud Default
        to use the default Prisma Access DNS server.
    • Specify the DNS settings for
      Public Domains
      .
      • Use Cloud Default
        —Use the default Prisma Access DNS server.
      • Same as Internal Domains
        —Use the same server that you use to resolve internal domains. When you select this option, the DNS Server used to resolve public domains is same as the server configured for the first rule in the
        Internal Domains
        section.
      • Custom DNS server
        —If you have a DNS server that can access your public (external) domains, enter the Primary DNS server address in that field.
      (
      Optional
      ) You can
      Add
      a
      DNS Suffix
      to specify the suffix that the client should use locally when an unqualified hostname is entered that it cannot resolve, for example, acme.local. Do not enter a wildcard (*) character in front of the domain suffix (for example, acme.com). You can add multiple suffixes.
    • If you want Prisma Access to proxy DNS requests, configure values for UDP queries (the
      Interval
      to retry the query in seconds and the number of retry
      Attempts
      to perform.
      For more information about how Prisma Access proxies DNS requests, see DNS Resolution for Mobile Users—GlobalProtect Deployments.
  10. (
    Optional
    ) If your deployment uses Windows Internet Name Service (WINS) based, you can specify WINS servers to resolve NetBIOS name-to-IP address mapping by selecting
    WINS Configuration
    ; selecting a region for the WINS server or selecting Worldwide to apply the WINS configuration worldwide, then specifying a
    Primary WINS
    and, optionally,
    Secondary WINS
    server address.
    After you enable WINS, Prisma Access can push WINS configuration to mobile users’ endpoints over GlobalProtect.
  11. (
    Optional
    ) Select Advanced RCODE Support to allow the primary DNS server to fail over to the secondary DNS server if an RCODE 2 (SERVFAIL) and RCODE 5 (REFUSED) DNS return code is received.
    A DNS response code of SERVFAIL refers to a communication error with the primary DNS server, and a DNS response code of REFUSED means that the primary DNS server refused to provide the requested information. In both cases, the service fails over to the secondary DNS server.
  12. (
    Optional
    ) If you allow your mobile users to manually select gateways from the GlobalProtect app, select the
    Manual Gateway Locations
    that the users can view from their GlobalProtect app.
    Choosing a subset of onboarded locations reduces the number of available gateways that mobile users can view in their GlobalProtect app for manual gateway selection.
    If you do not select manual gateways in this tab, Prisma Access selects the following list of gateways by default.
    • Australia Southeast
    • Belgium
    • Brazil South
    • Canada East
    • Finland
    • France North
    • Germany Central
    • Hong Kong
    • India West
    • Ireland
    • Israel
    • Japan Central
    • Netherlands Central
    • Saudi Arabia
    • Singapore
    • South Africa Central
    • South Korea
    • Taiwan
    • UK
    • US East
    • US West
    Prisma Access lets you select only gateways that you have onboarded. For example, if you don’t choose
    UK
    when you select locations, you cannot select
    UK
    as a manual gateway (the location is grayed out).
    If you need to delete a location after you onboard it, and it is selected as one of the
    Manual Gateway Locations
    , be sure to deselect it here as well as in the
    Locations
    tab.
  13. Click
    OK
    to save the Onboarding settings.
  14. Configure
    IPv6 Availability
    options.
    If you use IPv6 networking in your Mobile Users—GlobalProtect deployment, you can configure Prisma Access to use IPv6 addresses in your mobile user networking. You also need to enable IPv6 networking globally in your Prisma Access infrastructure before you can use IPv6 addressing.
  15. (
    Optional, Windows and macOS only
    ) Exclude video traffic from the GlobalProtect tunnel.
    Exclude video traffic from the tunnel
    ; then,
    Add
    or
    Delete
    video streaming applications that you want to exclude from the GlobalProtect tunnel.
  16. Create security policy rules to secure traffic for your mobile users.
    1. Select the
      Device Group
      in which to add policy rules. You can select the Mobile_User_Device_Group or the parent device group that you selected when setting up Prisma Access for mobile users.
    2. Create security policy rules. Make sure that you do not define security policy rules to allow traffic from any zone to any zone. In the security policy rules, use the zones that you defined in the template stack you are pushing to the cloud service.
  17. Configure logs to forward to Cortex Data Lake.
    The Cloud Services plugin automatically adds the following Log Settings (
    Device
    Log Settings
    ) after a new installation or when removing non-Prisma Access templates from a Prisma Access template stack:
    • Log Settings for System logs (
      system-gpcs-default
      ), User-ID logs (
      userid-gpcs-default
      ), HIP Match logs (
      hipmatch-gpcs-default
      ), and GlobalProtect logs (
      gp-prismaaccess-default
      ) are added to the Mobile_User_Template.
    • Log Settings for System logs (
      system-gpcs-default
      ), User-ID logs (
      userid-gpcs-default
      ), and GlobalProtect logs (
      gp-prismaaccess-default
      ) are added to the Remote_Network_Template.
    • Log Settings for System logs (
      system-gpcs-default
      ) and GlobalProtect logs (
      gp-prismaaccess-default
      ) are added to the Service_Conn_Template.
    These Log Setting configurations automatically forward System, User-ID, and HIP Match logs to Cortex Data Lake.
  18. (
    Optional
    ) Forward logs for other log types to Cortex Data Lake.
    To do this, you must create and attach a log forwarding profile to each policy rule for which you want to forward logs.
    1. Select the
      Device Group
      in which you added the policy rules.
    2. Select
      Objects
      Log Forwarding
      and
      Add
      a profile. In the Log Forwarding Profile Match List,
      Add
      each log type that you want to forward.
      The following example enables forwarding of Traffic, Threat Prevention, WildFire Submission, URL Filtering, Data Filtering, and Authentication logs.
    3. Select
      Panorama/Cortex Data Lake
      as the Forward Method. When you select Panorama, the logs are forwarded to Cortex Data Lake. You will be able to monitor the logs and generate reports from Panorama. Cortex Data Lake provides a seamless integration to store logs without backhauling them to your Panorama at the corporate headquarters, and Panorama can query Cortex Data Lake as needed.
    4. Select
      Policies
      Security
      and edit the policy rule. In
      Actions
      , select the Log Forwarding profile you created.
  19. Commit all your changes to Panorama and push the configuration changes to Prisma Access.
    1. Click
      Commit
      Commit and Push
      .
    2. Edit Selections
      and, in the
      Prisma Access
      tab, make sure that
      Mobile Users
      is selected in the
      Push Scope
      , then click
      OK
      .
    3. Click
      Commit and Push
      .
  20. To verify that Prisma Access for users is deployed and active, select
    Panorama
    Cloud Services
    Status
    Status
    .
    After the provisioning completes, the mobile users
    Status
    and
    Config Status
    should show
    OK
    .
    The
    Deployment Status
    area allows you to view the progress of onboarding and deployment jobs before they complete, as well as see more information about the status of completed jobs. See Prisma Access Deployment Progress and Status for details.
    To view the number of unique users who are currently logged in, or to log out a logged in user, click the hyperlinked number next to
    Current Users
    .
    To view historical information of previously-logged in users for a 90-day time period, click the number next to
    Users (Last 90 days)
    .
    When the number of users in the Users (Last 90 days) field reaches 80% of the total licensed number, the number displays in a red color.
    To export the list of users to a csv file, select
    Export to CSV
    . Note that a maximum of 45,000 users can be exported to a CSV file.
    To display a map that shows the locations of Prisma Access portals and gateways running in the regions you have selected, select
    Monitor
    ; then, select
    Mobile Users
    .
    Select a region to get more detail about that region.
    • Location
      —The location where your cloud service infrastructure is deployed to secure mobile users on your network.
    • Current Users
      —The number of users who are connected and being secured by the service.
      When the current mobile user count reaches 80% of its total licensed number, this number displays in red.
    • Peak Users
      —The count for the maximum number of concurrent users.
    • Peak Users Timestamp
      —The timestamp when the Peak Users data was last retrieved.
    • Status
      —The operational status of the connection between Prisma Access and your mobile users.
    • Config Status
      —The status of your last configuration push to the service. If you have made a change locally, and not yet pushed the configuration to the cloud, this may display the status
      Out of sync
      . Hover over the status indicator for more detailed information. After committing and pushing the configuration to Prisma Access, the Config Status changes to
      In sync
      .
  21. If you chose to
    Use Company Domain
    for your portal hostname, you must add a DNS entry on your internal DNS servers to map the portal hostname you defined to the Portal DNS CNAME displayed on the
    Cloud Services
    Configuration
    Mobile Users
    Onboarding
    General
    tab (for example,
    <
    portal_hostname
    >.gpcloudservice.com
    ).
  22. Deploy the GlobalProtect app software to your end users.
    For Mac OS or Windows users, you can direct users to the Prisma Access portal address, where they can download the GlobalProtect app from the portal.
    Prisma Access manages the version of the GlobalProtect app on the portal and you can select the active version from the versions that Prisma Access hosts, as well as control the ability of users to download it.
    Alternatively, you can host GlobalProtect app software on a web server for your Mac OS and Windows users. Prisma Access is compatible with any GlobalProtect app versions that are not listed as end of life.
    Mobile app users can download and install the GlobalProtect mobile app from the appropriate app store for their operating systems.

Recommended For You