Configure the Router Instances
Where Can I Use This?
What Do I Need?
  • Prisma Access (Panorama Managed)
After you create the VPCs and router instances, configure the router instances you created by completing the following steps.
  1. Configure the Router 2 instance.
    1. Open a secure CLI session with the router 2 instance by entering ssh -i key-file root@instance-ip, where key-file is the file location where you saved the key and instance-ip is the IP address of the router 2 instance.
    2. Using an editing program such as vi, edit the /etc/sysctl.conf file and add the following line to the file, then save and close the file:
      net.ipv4.ip_forward = 1
    3. Enter sysctl -p to load the new configuration.
    4. Add iptables rules that allow this instance to accept and forward IPSec tunnel packets by creating a shell script named iptables-rule.sh and adding the following lines to the file, substituting prisma-access-service-connection-ip-address with the Service IP Address of the Prisma Access service connection (Panorama > Cloud Services > Status > Network Details > Service Connection), router-1-private-ip-address with the private IP address of Router 1, and router-2-private-ip-address with the private IP address of Router 2.
      #!/bin/sh
      iptables -t filter -A FORWARD -i eth0 -j ACCEPT
      iptables -t filter -A FORWARD -o eth0 -j ACCEPT
      iptables -t nat -A PREROUTING -s router-1-private-ip-address/32 -i eth0 -p udp -m udp --dport 500 -j DNAT --to-destination prisma-access-service-connection-ip-address
      iptables -t nat -A PREROUTING -s router-1-private-ip-address/32 -i eth0 -p udp -m udp --dport 4500 -j DNAT --to-destination prisma-access-service-connection-ip-address
      iptables -t nat -A POSTROUTING -d prisma-access-service-connection-ip-address/32 -o eth0 -p udp -m udp --dport 500 -j SNAT --to-source router-2-private-ip-address
      iptables -t nat -A POSTROUTING -d prisma-access-service-connection-ip-address/32 -o eth0 -p udp -m udp --dport 4500 -j SNAT --to-source router-2-private-ip-address
      The two PREROUTING rules rewrite the destination of IKE (UDP 500) and NAT-T (UDP 4500) packets arriving from Router 1 so that they are delivered to the service connection; the two POSTROUTING rules rewrite the source of those packets to Router 2's own address so that the replies return through Router 2. The two FORWARD rules accept all forwarded traffic entering or leaving eth0; only the NAT rules are restricted to IKE and NAT-T from Router 1.
    5. Save and close the file.
    6. Enter the chmod +x iptables-rule.sh command to make the file executable.
    7. Enter ./iptables-rule.sh to run the shell script and add the iptables rules.
    8. Enter the iptables-save command to verify that the rules have been added.
      iptables-save only prints the rules currently loaded in the kernel; they are lost at reboot unless you write its output to a file that your distribution reloads at boot, or run the script again at startup.
  2. Configure the VM-series firewall (Router 1).
    If you want to configure an additional GlobalProtect gateway for redundancy, configure two VM-series firewalls; you configure the redundant GlobalProtect gateway in a later task.
    1. Log in to the VM-series firewall.
      Set a secure password for the admin account, if you have not done so already.
    2. Activate the VM-series license.
    3. Select Network > Interfaces, create two interfaces, and assign security zones and IP addresses to them.
      • Create an ethernet1/1 interface and assign this interface to the Internet zone.
      • Create an ethernet1/2 interface and assign this interface to the Trust zone.
      Set an Interface Type of Layer 3 for the interfaces and assign Static private IP addresses on the interfaces for the ENIs.
      The following screenshots show the configuration for the ethernet1/1 interface.
      The following screenshots show the configuration for the ethernet1/2 interface.
    4. Select Policies > NAT and Add a NAT policy rule that enables source NAT (SNAT) on internet-bound traffic from the Trust zone to the Internet zone.
    5. Select Policies > Security and Add policies that allow the following traffic:
      • Allow DNS and LDAP from the Trust zone to the Internet (untrust) zone.
      • Allow HTTP and HTTPS traffic from the Trust zone to the Internet (untrust) zone.
      • Allow all traffic within the Trust zone.
      Leave the default interzone-default rule in place so that everything else between zones is denied.
    6. Select Network > Interfaces > Tunnel and create two new tunnel interfaces (tunnel.1 and tunnel.51).
      You use tunnel.1 as the tunnel interface of the GlobalProtect gateway that terminates the mobile users' GlobalProtect client connections; you use tunnel.51 as the site-to-site IPSec tunnel between the VM-series firewall and the Prisma Access service connection.
    7. Add static routes to the default virtual router.
      • Add a default route whose next hop is the gateway of the ENI-Untrust interface (the interface you associated with the elastic IP address when you created elastic IP addresses in Alibaba Cloud).
      • Add a route to the private subnet of VPC 2 (outside China), specifying the gateway of ENI-Untrust as the next hop.
      • Add routes to the headquarters or data center networks on the other side of the service connection, specifying the site-to-site tunnel interface tunnel.51 as the next hop.
    8. Assign an IP address to the tunnel.1 interface from the mobile user IP address pool (192.168.200.0/24 in the example used in the following screenshot). This IP address becomes the gateway for GlobalProtect clients.
  3. Configure an IPSec tunnel between the VM-series firewall and Prisma Access.
    1. In the Panorama that manages Prisma Access, select Network > Network Profiles > IKE Crypto and Add an IKE crypto profile for the IPSec tunnel.
      Select the template you want to use for the connection. If you are creating a service connection, select Service_Conn_Template; if you are creating a remote network connection, select Remote_Network_Template.
    2. Give the profile a name and specify the IKE settings.
      Make a note of these settings; you specify the same settings on the other side of the IPSec tunnel.
    3. Select Network > Network Profiles > IPSec Crypto and create a new IPSec crypto profile in Panorama, making a note of the settings you specify.
      Skip this step if you have already created an IPSec crypto profile.
    4. Select Network > Network Profiles > IKE Gateways and Add a new IKE gateway, specifying the private IP address of router 2 in VPC 2 as the Peer Address.
      Make sure to specify User FQDN (email address) for Local Identification and Peer Identification, and match the Pre-Shared Key, Local Identification, and Peer Identification values that you used when you created the service connection.
      Because Router 2 rewrites both the source and the destination address of the IKE packets, neither peer sees the other's real IP address; identifying the peers by User FQDN rather than by IP address is what lets IKE authentication succeed through that NAT. For the same reason, enable NAT Traversal in the IKE gateway's advanced options so that the exchange can move to UDP 4500, which the Router 2 rules also forward.
    5. Select Network > IPSec Tunnels and Add an IPSec tunnel that uses the tunnel.51 interface.
  4. Save and Commit your changes to the VM-series firewall.
  5. Check the status of the IPSec tunnel.
    If the tunnel does not come up, the cause might be that there is no interesting traffic: the firewall attempts to establish the tunnel only when mobile users connect to the GlobalProtect gateway and send traffic toward the service connection.
  6. Set up new certificates.
    To use your own public key infrastructure (PKI), create a server certificate and key pair and have the certificate signed by the organization's root certification authority (CA); then import this key pair along with the root CA certificate into the firewall instance. The examples in this section use self-signed certificates.
    1. Select Device > Certificate Management > Certificates and Generate a CA certificate.
    2. Select the certificate you generated and edit the certificate information.
      Use the public IP address of the ENI-Untrust elastic IP as the common name (CN) of the certificate. Do not use an FQDN as the common name in the certificate.
    3. Select Device > Certificate Management > SSL/TLS Service Profile and Add a new SSL/TLS service profile.
    4. Select Device > Server Profiles > LDAP and Add a new LDAP server profile.
      The following screen uses LDAP server authentication. This LDAP server is located in the headquarters location outside of mainland China, and Prisma Access can reach this headquarters location over another service connection.
    5. Select Device > Authentication Profile and Add an authentication profile, specifying the LDAP server profile you created in the previous step.
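For the "own PKI" path that step 6 describes, the following added example (not from the page or from Palo Alto Networks) builds the material with openssl: a self-signed root CA, a gateway key pair whose CN is the ENI-Untrust elastic IP as the page requires, a certificate signed by that CA, and a PKCS#12 bundle for import under Device > Certificate Management > Certificates. It goes one step beyond the page's CN-only guidance by also placing the IP in a subjectAltName, because current TLS clients match the address against the SAN and ignore the CN. The IP 203.0.113.25, the CA name and the passphrase are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the page's or Palo Alto Networks' code): a minimal PKI for
# the GlobalProtect gateway certificate. Assumes openssl is installed.
# make_gateway_cert DIR IP: writes ca.key, ca.crt, gw.key, gw.crt, gw.p12 into DIR.
make_gateway_cert() {
    dir="$1"; ip="$2"

    # 1. Self-signed root CA. Keep ca.key offline; only ca.crt is imported.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example GlobalProtect Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1

    # 2. Gateway key and CSR; the CN is the public IP, as the page requires.
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$ip" \
        -keyout "$dir/gw.key" -out "$dir/gw.csr" 2>/dev/null || return 1

    # 3. Extensions for the signed certificate. The IP SAN is the addition
    #    to the page's guidance: clients check it, not the CN.
    cat > "$dir/gw.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$ip
EOF

    # 4. Sign the CSR with the CA.
    openssl x509 -req -sha256 -days 825 -in "$dir/gw.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/gw.ext" -out "$dir/gw.crt" 2>/dev/null || return 1

    # 5. Bundle key, certificate and CA for import; placeholder passphrase.
    openssl pkcs12 -export -inkey "$dir/gw.key" -in "$dir/gw.crt" \
        -certfile "$dir/ca.crt" -passout pass:changeme \
        -out "$dir/gw.p12" 2>/dev/null
}

# cert_chains_to_ca CERT CA: 0 if CERT validates against CA, else non-zero.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# cert_matches_ip CERT IP: 0 if IP is both the subject CN and an IP SAN.
cert_matches_ip() {
    txt=$(openssl x509 -in "$1" -noout -text) || return 1
    echo "$txt" | grep -q "CN *= *$2" || return 1
    echo "$txt" | grep -q "IP Address:$2" || return 1
}

case "${1:-}" in
    build)
        d="${2:-.}"; gwip="${3:?usage: $0 build DIR IP}"
        make_gateway_cert "$d" "$gwip" \
            && cert_chains_to_ca "$d/gw.crt" "$d/ca.crt" \
            && cert_matches_ip "$d/gw.crt" "$gwip" \
            && echo "OK: $d/gw.p12 ready for import"
        ;;
esac
```

Run `./gwcert.sh build ./pki 203.0.113.25` (with your own elastic IP) and import gw.p12 with its passphrase on the firewall, then reference the imported certificate from the SSL/TLS service profile in step 3. The two check functions are the same checks a client performs: chain to the trusted CA and name match against the address it connected to.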
