Configure the Router Instances
After you create the VPCs and router instances, configure the router instances you created by completing the following steps.
- Configure the Router 2 instance.
  - Open a secure CLI session with the router 2 instance by entering `ssh -i key-file root@instance-ip`, where `key-file` is the file location where you saved the key and `instance-ip` is the IP address of the router 2 instance.
  - Using an editing program such as vi, edit the /etc/sysctl.conf file and add the following line, then save and close the file:
    `net.ipv4.ip_forward = 1`
  - Enter `sysctl -p` to load the new configuration.
  - Add iptables rules that allow this instance to accept and forward IPSec tunnel packets. Create a shell script named iptables-rule.sh containing the following lines, substituting `prisma-access-service-connection-ip-address` with the Service IP Address of the Prisma Access service connection (Panorama > Cloud Services > Status > Network Details > Service Connection), `router-1-private-ip-address` with the private IP address of Router 1, and `router-2-private-ip-address` with the private IP address of Router 2.

    ```sh
    #!/bin/sh
    # Allow forwarding in both directions on eth0.
    iptables -t filter -A FORWARD -i eth0 -j ACCEPT
    iptables -t filter -A FORWARD -o eth0 -j ACCEPT
    # Redirect IKE (UDP 500) and NAT-T (UDP 4500) arriving from Router 1 to the Prisma Access service connection.
    iptables -t nat -A PREROUTING -s router-1-private-ip-address/32 -i eth0 -p udp -m udp --dport 500 -j DNAT --to-destination prisma-access-service-connection-ip-address
    iptables -t nat -A PREROUTING -s router-1-private-ip-address/32 -i eth0 -p udp -m udp --dport 4500 -j DNAT --to-destination prisma-access-service-connection-ip-address
    # Source-NAT the forwarded IKE and NAT-T packets to Router 2's private address so replies return through this instance.
    iptables -t nat -A POSTROUTING -d prisma-access-service-connection-ip-address/32 -o eth0 -p udp -m udp --dport 500 -j SNAT --to-source router-2-private-ip-address
    iptables -t nat -A POSTROUTING -d prisma-access-service-connection-ip-address/32 -o eth0 -p udp -m udp --dport 4500 -j SNAT --to-source router-2-private-ip-address
    ```

  - Save and close the file.
  - Enter the `chmod +x iptables-rule.sh` command to make the file executable.
  - Enter `./iptables-rule.sh` to run the shell script and install the iptables rules.
  - Enter the `iptables-save` command to verify that the rules have been added.
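The Router 2 procedure above, as an added helper script that is not part of the Prisma Access documentation: instead of hand-editing the three placeholders, it takes the three addresses as arguments, validates them, renders the rules in the same form that `iptables-save` prints, and can compare that rendering against a saved dump so the final verification step becomes a pass/fail check rather than a visual one. The `render_rules`, `render_script`, `check_rules` and `forwarding_enabled` function names, and the 203.0.113.5 / 10.0.1.10 / 10.0.2.10 addresses in the sample dump, are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the Prisma Access documentation): render and verify the
# Router 2 forwarding and NAT rules from arguments instead of edited placeholders.
# Usage on the router:  ./router2-rules.sh PRISMA_IP ROUTER1_PRIVATE_IP ROUTER2_PRIVATE_IP > iptables-rule.sh
# Verification:         iptables-save | ./router2-rules.sh check PRISMA_IP ROUTER1_PRIVATE_IP ROUTER2_PRIVATE_IP

# is_ipv4 ADDR: succeed only if ADDR is a dotted quad with every octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # Split on dots in a subshell so the caller's IFS is left untouched.
    (
        IFS=.
        set -- $1
        for octet in "$@"; do
            [ "$octet" -le 255 ] || exit 1
        done
    )
}

# render_rules PRISMA_IP R1_IP R2_IP: print the six rules in iptables-save syntax.
# Prints nothing and fails if any address is malformed.
render_rules() {
    prisma=$1; r1=$2; r2=$3
    for a in "$prisma" "$r1" "$r2"; do
        is_ipv4 "$a" || { echo "render_rules: bad IPv4 address: $a" >&2; return 1; }
    done
    cat <<EOF
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth0 -j ACCEPT
-A PREROUTING -s $r1/32 -i eth0 -p udp -m udp --dport 500 -j DNAT --to-destination $prisma
-A PREROUTING -s $r1/32 -i eth0 -p udp -m udp --dport 4500 -j DNAT --to-destination $prisma
-A POSTROUTING -d $prisma/32 -o eth0 -p udp -m udp --dport 500 -j SNAT --to-source $r2
-A POSTROUTING -d $prisma/32 -o eth0 -p udp -m udp --dport 4500 -j SNAT --to-source $r2
EOF
}

# render_script PRISMA_IP R1_IP R2_IP: the same rules as an executable iptables-rule.sh.
render_script() {
    rules=$(render_rules "$@") || return 1
    printf '%s\n' '#!/bin/sh'
    printf '%s\n' "$rules" | sed -e 's/^-A FORWARD/iptables -t filter -A FORWARD/' \
        -e 's/^-A PREROUTING/iptables -t nat -A PREROUTING/' \
        -e 's/^-A POSTROUTING/iptables -t nat -A POSTROUTING/'
}

# check_rules PRISMA_IP R1_IP R2_IP < iptables-save-output: succeed only when every
# expected rule appears verbatim in the dump; each missing rule is reported on stderr.
check_rules() {
    dump=$(cat)
    expected=$(render_rules "$@") || return 1
    missing=0
    # Here-document instead of a pipe so the loop runs in this shell and $missing survives.
    while IFS= read -r rule; do
        if ! printf '%s\n' "$dump" | grep -qxF -e "$rule"; then
            echo "missing: $rule" >&2
            missing=$((missing + 1))
        fi
    done <<EOF
$expected
EOF
    [ "$missing" -eq 0 ]
}

# forwarding_enabled [FILE]: succeed when the kernel forwarding flag reads 1.
# FILE defaults to the live sysctl node; pass a path to test against a sample file.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Constructed sample of iptables-save output from a Router 2 instance (not captured from
# a real system), using RFC 5737 documentation addresses. check_rules accepts it.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 10.0.1.10/32 -i eth0 -p udp -m udp --dport 500 -j DNAT --to-destination 203.0.113.5
-A PREROUTING -s 10.0.1.10/32 -i eth0 -p udp -m udp --dport 4500 -j DNAT --to-destination 203.0.113.5
-A POSTROUTING -d 203.0.113.5/32 -o eth0 -p udp -m udp --dport 500 -j SNAT --to-source 10.0.2.10
-A POSTROUTING -d 203.0.113.5/32 -o eth0 -p udp -m udp --dport 4500 -j SNAT --to-source 10.0.2.10
COMMIT'

# Command-line entry points: "check" reads an iptables-save dump on stdin, otherwise render the script.
if [ "$#" -eq 4 ] && [ "$1" = check ]; then
    shift
    check_rules "$@"
elif [ "$#" -eq 3 ]; then
    render_script "$@"
fi
```

Because `render_rules` emits exactly the text `iptables-save` prints for these rules, a whole-line fixed-string match is enough to detect a rule that was mistyped, left with a placeholder, or never loaded; the script does not attempt to detect extra rules, which still need a visual review of the dump.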
- Configure the VM-Series firewall (Router 1). If you want to configure an additional GlobalProtect gateway for redundancy, configure two VM-Series firewalls; you configure the redundant GlobalProtect gateway in a later task.
  - Log in to the VM-Series firewall. Set a secure password for the admin account, if you have not done so already.
  - Activate the VM-Series license.
  - Select Network > Interfaces and create two interfaces, then assign security zones and IP addresses to them.
    - Create an `ethernet1/1` interface and assign it to the Internet zone. Create an `ethernet1/2` interface and assign it to the Trust zone.
    - Set an Interface Type of Layer 3 for both interfaces and assign Static private IP addresses on the interfaces for the ENIs. The following screenshots show the configuration for the ethernet1/1 interface. The following screenshots show the configuration for the ethernet1/2 interface.
  - Select Policies > NAT and Add a NAT policy rule that enables source NAT (SNAT) on internet-bound traffic.
  - Select Policies > Security and Add policies that allow the following traffic:
    - Allow DNS and LDAP from the Trust to the Untrust zone.
    - Allow HTTP and HTTPS traffic from the Trust to the Untrust zone.
    - Allow all traffic in the Trust zone.
  - You use `tunnel.1` as a site-to-site IPSec tunnel between GlobalProtect and the GlobalProtect gateway; you use `tunnel.51` as a site-to-site tunnel between GlobalProtect and the Prisma Access service connection.
  - Add static routes to the default virtual router.
    - Add a default route, specifying as the next hop the gateway from the ENI-Untrust interface that you configured as the Elastic IP interface when you created elastic IP addresses in Alibaba Cloud.
    - Add a route to the private subnet of VPC 2 (outside China), specifying the gateway from ENI-Untrust as the next hop.
    - Add routes to the headquarters or data center networks on the other side of the service connection, specifying the site-to-site tunnel `tunnel.51` as the next hop.
  - Assign an IP address to the `tunnel.1` interface from the mobile user IP address pool (192.168.200.0/24 for the example used in the following screenshot). This IP address becomes the gateway for GlobalProtect clients.
- Configure an IPSec tunnel between the VM-Series firewall and Prisma Access.
  - In the Panorama that manages Prisma Access, select Network > Network Profiles > IKE Crypto and Add an IKE crypto profile for the IPSec tunnel. Select the template you want to use for the connection: if you are creating a service connection, select Service_Conn_Template; if you are creating a remote network connection, select Remote_Network_Template.
  - Give the profile a name and specify the IKE settings. Make a note of these settings; you specify the same settings on the other side of the IPSec tunnel.
  - Select Network > Network Profiles > IPSec Crypto and create a new IPSec crypto profile in Panorama, making a note of the settings you specify. Skip this step if you have already created an IPSec crypto profile.
  - Select Network > Network Profiles > IKE Gateways and Add a new IKE gateway, specifying the private IP address of router 2 in VPC 2 as the Peer Address. Make sure to specify User FQDN (email address) for Local Identification and Peer Identification, and match the Pre-Shared Key, Local Identification, and Peer Identification values that you used when you created the service connection.
  - Save and Commit your changes to the VM-Series firewall.
  - Check the status of the IPSec tunnel. If the tunnel status does not show up, the cause might be that there is no interesting traffic; the firewall attempts to establish the tunnel when mobile users connect to the GlobalProtect gateway.
- Set up new certificates. To use your own public key infrastructure (PKI), create a server certificate and key pair, have the certificate signed by the organization's root certification authority (CA), and then import this key pair along with the root CA to the firewall instance. The examples in this section use self-signed certificates.
  - Select Device > Certificate Management > Certificates and Generate a CA certificate.
  - Select the certificate you generated and edit the certificate information. Use the public IP address of the ENI-Untrust elastic IP as the common name (CN) of the certificate. Do not use an FQDN as the common name in the certificate.
  - Select Device > Certificate Management > SSL/TLS Service Profile and Add a new SSL/TLS service profile.
  - Select Device > Server Profiles > LDAP and Add a new LDAP server profile. The following screen uses LDAP server authentication. This LDAP server is located in the headquarters location outside of mainland China, and Prisma Access can reach this headquarters location over another service connection.
  - Select Device > Authentication Profile and Add an authentication profile, specifying the LDAP server profile you created in the previous step.