Components of the GlobalProtect Infrastructure
To protect your applications, learn the components of the GlobalProtect
infrastructure.
| Where Can I Use This? | What Do I Need? |
| --- | --- |
| | AWS account; Amazon Machine Image (AMI) ID; VM-Series License (PAYG or BYOL); VM-Series plugin; Panorama; Panorama plugin for AWS |
To block risky applications and protect mobile users
from malware, you must set up the GlobalProtect infrastructure,
which includes the GlobalProtect portal, the GlobalProtect gateway,
and the GlobalProtect app. Additionally, for access to corporate resources,
you must set up an IPSec VPN connection between the VM-Series firewalls
on AWS and the firewall in the corporate headquarters using LSVPN
(a hub-and-spoke VPN deployment).
The GlobalProtect agent/app is installed on each end-user
system that is allowed to access corporate applications and resources.
The agent first connects to the portal to obtain information on
the gateways and then establishes a secure VPN connection to the
closest GlobalProtect gateway. The VPN connection between the end-user
system and the gateway ensures data privacy.
The GlobalProtect portal provides the management functions
for the GlobalProtect infrastructure. Every end-user system receives
configuration information from the portal, including information
about available gateways as well as any client certificates that
may be required to connect to the GlobalProtect gateway(s). In this
use case, the GlobalProtect portal is a hardware-based firewall
that is deployed in the corporate headquarters.
The GlobalProtect gateway delivers mobile threat prevention
and policy enforcement based on applications, users, content, device,
and device state. In this use case, the VM-Series firewalls on AWS
function as the GlobalProtect gateways. The GlobalProtect gateway
scans each user request for malware and other threats, and, if policy
allows, sends the request to the internet or to the corporate network
over the IPSec tunnel (to the LSVPN gateway).
For LSVPN, you must configure the GlobalProtect portal, GlobalProtect
gateway for LSVPN (hub), and the GlobalProtect satellites (spokes).
In this use case, the hardware-based firewall in the corporate office
is deployed as the GlobalProtect portal and the LSVPN gateway. The
VM-Series firewalls on AWS are configured to function as GlobalProtect
satellites. The GlobalProtect satellites and gateway are configured
to establish an IPSec tunnel that terminates on the gateway. When
a mobile user requests an application or resource that resides on
the corporate network, the VM-Series firewall routes the request over
the IPSec tunnel.