GlobalProtect Administrator's Guide
Version 7.1

Contact Information

Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
[Link]/company/contactsupport

About this Guide

This guide describes how to deploy GlobalProtect to extend the same next-generation firewall-based policies that are enforced within the physical perimeter to your roaming users, no matter where they are located:

For information on how to configure other components in the Palo Alto Networks Next-Generation Security Platform, go to the Technical Documentation portal: [Link] or search the documentation.

For access to the knowledge base, complete documentation set, discussion forums, and videos, refer to [Link]

For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to [Link]

For the most current PAN-OS and GlobalProtect 7.1 release notes, go to [Link]

To provide feedback on the documentation, please write to us at: documentation@[Link].

Palo Alto Networks, Inc.
[Link]
© 2016 Palo Alto Networks, [Link] at [Link] respective companies.

Revision Date: November 21, 2016

2 GlobalProtect 7.1 Administrator's Guide   Palo Alto Networks, Inc.
Table of Contents

GlobalProtect Overview ... 7
  About the GlobalProtect Components ... 8
    GlobalProtect Portal ... 8
    GlobalProtect Gateways ... 8
    GlobalProtect Client ... 9
  What Client OS Versions are Supported with GlobalProtect? ... 10
  What Features Does GlobalProtect Support? ... 11
  About GlobalProtect Licenses ... 13

Set Up the GlobalProtect Infrastructure ... 15
  Create Interfaces and Zones for GlobalProtect ... 16
  Enable SSL Between GlobalProtect Components ... 18
    About GlobalProtect Certificate Deployment ... 18
    GlobalProtect Certificate Best Practices ... 18
    Deploy Server Certificates to the GlobalProtect Components ... 21
  Set Up GlobalProtect User Authentication ... 25
    About GlobalProtect User Authentication ... 25
    Set Up External Authentication ... 28
    Set Up Client Certificate Authentication ... 32
    Set Up Two-Factor Authentication ... 38
    Set Up Authentication for strongSwan Ubuntu and CentOS Clients ... 47
  Enable Group Mapping ... 54
  Configure GlobalProtect Gateways ... 57
    Prerequisite Tasks for Configuring the GlobalProtect Gateway ... 57
    Configure a GlobalProtect Gateway ... 57
  Configure the GlobalProtect Portal ... 65
    Prerequisite Tasks for Configuring the GlobalProtect Portal ... 65
    Set Up Access to the GlobalProtect Portal ... 66
    Define the GlobalProtect Client Authentication Configurations ... 67
    Gateway Priority in a Multiple-Gateway Configuration ... 68
    Define the GlobalProtect Agent Configurations ... 69
    Customize the GlobalProtect Agent ... 74
    Customize the GlobalProtect Portal Login, Welcome, and Help Pages ... 82
  Enable Delivery of GlobalProtect Client VSAs to a RADIUS Server ... 84
  Deploy the GlobalProtect Client Software ... 85
    Deploy the GlobalProtect Agent Software ... 85
    Download and Install the GlobalProtect Mobile App ... 90
    Download and Install the GlobalProtect App for Chrome OS ... 93
  Deploy Agent Settings Transparently ... 97
    Customizable Agent Settings ... 98
    Deploy Agent Settings to Windows Clients ... 104
    Deploy Agent Settings to Mac Clients ... 113
  Reference: GlobalProtect Agent Cryptographic Functions ... 117
  GlobalProtect MIB Support ... 118

Mobile Endpoint Management ... 119
  Mobile Endpoint Management Overview ... 120
  Set Up a Mobile Endpoint Management System ... 121
  Manage the GlobalProtect App Using AirWatch ... 122
    Deploy the GlobalProtect Mobile App Using AirWatch ... 122
    Configure the GlobalProtect App for iOS Using AirWatch ... 123
    Configure the GlobalProtect App for Android Using AirWatch ... 126
    Configure the GlobalProtect App for Windows 10 UWP Using AirWatch ... 130
  Manage the GlobalProtect App Using a Third-Party MDM ... 133
    Configure the GlobalProtect App for iOS ... 133
    Example: GlobalProtect iOS App Device-Level VPN Configuration ... 134
    Example: GlobalProtect iOS App App-Level VPN Configuration ... 135
    Configure the GlobalProtect App for Android ... 136
    Example: Set VPN Configuration ... 137
    Example: Remove VPN Configuration ... 137

Use Host Information in Policy Enforcement ... 139
  About Host Information ... 140
    What Data Does the GlobalProtect Agent Collect? ... 140
    How Does the Gateway Use the Host Information to Enforce Policy? ... 142
    How Do Users Know if Their Systems are Compliant? ... 143
    How Do I Get Visibility into the State of the End Clients? ... 143
  Configure HIP-Based Policy Enforcement ... 144
  Collect Application and Process Data From Clients ... 151
  Block Device Access ... 156

GlobalProtect Quick Configs ... 157
  Remote Access VPN (Authentication Profile) ... 158
  Remote Access VPN (Certificate Profile) ... 161
  Remote Access VPN with Two-Factor Authentication ... 164
  Always-On VPN Configuration ... 168
  Remote Access VPN with Pre-Logon ... 169
  GlobalProtect Multiple Gateway Configuration ... 175
  GlobalProtect for Internal HIP Checking and User-Based Access ... 179
  Mixed Internal and External Gateway Configuration ... 183

GlobalProtect Reference Architecture ... 189
  GlobalProtect Reference Architecture Topology ... 190
    GlobalProtect Portal ... 190
    GlobalProtect Gateways ... 191
  GlobalProtect Reference Architecture Features ... 192
    End User Experience ... 192
    Management and Logging ... 192
    Monitoring and High Availability ... 193
  GlobalProtect Reference Architecture Configurations ... 194
    Gateway Configuration ... 194
    Portal Configuration ... 194
    Policy Configurations ... 194

GlobalProtect Overview

Whether checking email from home or updating corporate documents from the airport, the majority of today'[Link]
[Link]
users leave the building with their laptops or mobile devices they are bypassing the corporate firewall and [Link] security challenges introduced by roaming users by extending the same next-generation firewall-based policies that are enforced within the physical perimeter to all users, no matter where they are located.

The following sections provide conceptual information about the Palo Alto Networks GlobalProtect offering and describe the components of GlobalProtect and the various deployment scenarios:
  About the GlobalProtect Components
  What Client OS Versions are Supported with GlobalProtect?
  What Features Does GlobalProtect Support?
  About GlobalProtect Licenses

About the GlobalProtect Components

GlobalProtect provides a complete infrastructure for managing your mobile workforce to enable secure access for all your users, [Link] infrastructure includes the following components:
  GlobalProtect Portal
  GlobalProtect Gateways
  GlobalProtect Client

GlobalProtect Portal

[Link] client system that participates in the GlobalProtect network receives configuration information from the portal, including information about available gateways as well as any client certificates that may be required to connect to the GlobalProtect gateway(s). In addition, the portal controls the behavior and distribution of the GlobalProtect agent software to both Mac and Windows laptops. (On mobile devices, the GlobalProtect app is distributed through the Apple App Store for iOS devices or through Google Play for Android devices.) If you are using the Host Information Profile (HIP) feature, the portal also defines what information to collect from the host, [Link] interface on any Palo Alto Networks next-generation firewall.

GlobalProtect Gateways

GlobalProtect gateways provide security enforcement for traffic from GlobalProtect agents/apps. Additionally, if the HIP feature is enabled, the gateway generates a HIP report from the raw host data the clients submit and can use this information in policy enforcement.
  External gateways: Provide security enforcement and/or virtual private network (VPN) access for your remote users.
  Internal gateways: An interface on the internal network configured as a GlobalProtect gateway for [Link]/or HIP checks, an internal gateway can be used to provide a secure, accurate method of identifying and controlling traffic by user and/[Link] [Link] either tunnel mode or non-tunnel mode.
You Configure GlobalProtect Gateways on an interface on any Palo Alto Networks next-generation [Link], or you can have multiple, distributed gateways throughout your enterprise.

GlobalProtect Client

The GlobalProtect client software runs on end-user systems and enables access to your network resources [Link]:
  The GlobalProtect Agent: Runs on Windows and Mac OS systems and is deployed from the [Link], which tabs the users can see, whether or not users can uninstall the agent in the client configuration(s) [Link] Define the GlobalProtect Agent Configurations, Customize the GlobalProtect Agent, and Deploy the GlobalProtect Agent Software for details.
  The GlobalProtect App: Runs on iOS, Android, Windows UWP, [Link] obtain the GlobalProtect app from the Apple App Store (for iOS), Google Play (for Android), Microsoft Store (for Windows UWP), or Chrome Web Store (for Chromebook).
See What Client OS Versions are Supported with GlobalProtect? for more details.

The following diagram illustrates how the GlobalProtect portals, gateways, and agents/apps work together to enable secure access for all your users, regardless of what devices they are using or where they are located.

What Client OS Versions are Supported with GlobalProtect?

Palo Alto Networks supports the GlobalProtect app (also referred to as the GlobalProtect agent) on common desktop, laptop, [Link] PAN-OS 6.1 or a later release and that you install only supported releases of the GlobalProtect app on [Link]; to determine the minimum GlobalProtect app release for a specific operating system, refer to the following topics in the Palo Alto Networks Compatibility Matrix:
  Where Can I Install the GlobalProtect App?
  What XAuth IPSec Clients are Supported?
Older versions of the GlobalProtect app (releases 1.0 through 2.1) are still supported on the operating [Link] GlobalProtect app 2.1 and older releases, refer to the GlobalProtect agent (app) release notes for your specific release on the Software Updates site (you must be a registered user to access this site).

What Features Does GlobalProtect Support?

[Link]
[Link] recommended minimum GlobalProtect agent and app versions, see What Client OS Versions are Supported with GlobalProtect?

Minimum agent/app release by platform (an empty cell means the feature is not listed for that platform):

| Feature | Android | iOS | Chrome | Windows | Windows 10 UWP | Mac |
|---|---|---|---|---|---|---|
| Connect Methods | | | | | | |
| User logon (always on) | | | | 1.0.0 | 3.1.3 (Always On configured from third-party MDM) | 1.0.0 |
| Pre-logon (always on) | | | | 1.1.0 | | 1.1.0 |
| Pre-logon (then on-demand) | | | | 3.1.0 | | 3.1.0 |
| On-demand | 1.0.0 | 1.0.0 | 3.1.1 | 1.0.0 | 3.1.3 | 1.0.0 |
| Modes | | | | | | |
| Internal mode | 1.0.0 | 1.0.0 | 3.1.1 | 1.0 | | 1.0.0 |
| External mode | 1.0.0 | 1.0.0 | 3.1.1 | 1.0.0 | 3.1.3 | 1.0.0 |
| Single Sign-On (SSO) | | | | | | |
| SSO (Credential Provider) | | | | 1.2.0 | | |
| Kerberos SSO | | | | | | 3.0.0 |
| Customization | | | | | | |
| Enforce GlobalProtect for network access | | | | 3.1.0 | 3.1.3 (VPN Lockdown configured from third-party MDM) | 3.1.0 |
| Deployment of SSL Forward Proxy CA certificates in the trust store | | | | 3.0.0 | | 3.0.0 |
| HIP reports | 1.0.0 | 1.0.0 | 3.0.0 | 1.0.0 | 3.1.3 (Host information only; notifications not supported) | 1.0.0 |
| Script actions that run before and after sessions | | | | 2.3.0 | | 2.3.0 |
| Certificate selection by OID | | | | 3.0.0 | | 3.0.0 |
| Allow users to disable GlobalProtect | | | | 2.2.0 | | 2.2.0 |
| Welcome and help pages | 1.0.0 | 1.0.0 | 3.0.0 | 1.0.0 | | 1.0.0 |
| Endpoint management system (EDM/MDM) | 1.0.0 | 1.0.0 | 3.0.0 (Chromebook Management Console) | | 3.1.3 | |

About GlobalProtect Licenses

If you simply want to use GlobalProtect to provide a secure, remote access or virtual private network (VPN) solution via single or multiple internal/external gateways, you do not need any GlobalProtect licenses. However, to use some of the more advanced features, such as HIP checks and associated content updates and support for the GlobalProtect mobile app, [Link] must be installed on each firewall running a gateway(s) that performs HIP checks and that supports the GlobalProtect app on mobile devices.

| Feature | Gateway Subscription |
|---|---|
| Single, external gateway (Windows and Mac) | Not required |
| Single or multiple internal gateways | Not required |
| Multiple external gateways | Not required |
| HIP Checks | Required |
| Mobile app for iOS endpoints, Android endpoints, Chromebooks, and Windows 10 UWP endpoints | Required |

See Activate Licenses for information on installing licenses on the firewall.

Set Up the GlobalProtect Infrastructure

For GlobalProtect to work, you must set up the infrastructure that allows all of the components to [Link], this means setting up the interfaces and zones to which the GlobalProtect end [Link] communicate over secure channels, you must acquire and deploy the required SSL certificates to the various [Link]:
  Create Interfaces and Zones for GlobalProtect
  Enable SSL Between GlobalProtect Components
  Set Up GlobalProtect User Authentication
  Enable Group Mapping
  Configure GlobalProtect Gateways
  Configure the GlobalProtect Portal
  Enable Delivery of GlobalProtect Client VSAs to a RADIUS Server
  Deploy the GlobalProtect Client Software
  Deploy Agent Settings Transparently
  Reference: GlobalProtect Agent Cryptographic Functions
  GlobalProtect MIB Support

Create Interfaces and Zones for GlobalProtect

You must configure the following interfaces and zones for your GlobalProtect infrastructure:
  GlobalProtect portal: Requires a Layer 3 or loopback interface for the GlobalProtect clients' connection. If the portal and gateway are on the same firewall, [Link] in a zone that is accessible from outside your network, for example: DMZ.
  GlobalProtect gateways: The interface and zone requirements for the gateway depend on whether the gateway you are configuring is external or internal, as follows:
    External gateways: Requires a Layer 3 or loopback interface and a logical tunnel interface for the client to establish a VPN tunnel. The Layer 3/loopback interface must be in an external zone, such [Link] resources (for example trust). For added security and better visibility, you can create a separate zone, [Link], you must create security policies that enable traffic to flow between the VPN zone and the trust zone.
    [Link] a tunnel interface for access to your internal gateways, but this is not required.

For tips on how to use a loopback interface to provide access to GlobalProtect on different ports and addresses, refer to Can GlobalProtect Portal Page be Configured to be Accessed on any Port?

For more information about portals and gateways, see About the GlobalProtect Components.

Set Up Interfaces and Zones for GlobalProtect

Step 1: Configure a Layer 3 interface for each portal and/or gateway you plan to deploy.
If the gateway and portal are on the same firewall, you can use a single interface for both. As a best practice, use static IP addresses for the portal and gateway.
  1. Select Network > Interfaces > Ethernet or Network > Interfaces > Loopback and then select the interface you want [Link], we are configuring ethernet1/1 as the portal interface.
  2. (Ethernet only) Select Layer3 from the Interface Type drop-down.
  3. On the Config tab, select the zone to which the portal or gateway interface belongs as follows:
     Place portals and external gateways in an untrust zone for access by hosts outside your network, such as l3-untrust.
     Place internal gateways in an internal zone, such as l3-trust.
     If you have not yet created the zone, select New Zone from the Security [Link], define a Name for the new zone and then click OK.
  4. In the Virtual Router drop-down, select default.
  5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example [Link]/24.
  6. To save the interface configuration, click OK.

Set Up Interfaces and Zones for GlobalProtect (Continued)

Step 2: On the firewall(s) hosting GlobalProtect gateway(s), configure the logical tunnel interface that will terminate VPN tunnels established by the GlobalProtect agents.
IP addresses are not required on the tunnel interface unless you [Link] addition, assigning an IP address to the tunnel interface can be useful for troubleshooting connectivity issues.
Be sure to enable User-ID in the zone where the VPN tunnels terminate.
  1. Select Network > Interfaces > Tunnel and click Add.
  2. In the Interface Name field, specify a numeric suffix, such as .2.
  3. On the Config tab, expand the Security Zone drop-down to define the zone as follows:
     To use your trust zone as the termination point for the tunnel, select the zone from the drop-down.
     (Recommended) To create a separate zone for VPN tunnel termination, click New [Link], define a Name for the new zone (for example, corp-vpn), select the Enable User Identification check box, and then click OK.
  4. In the Virtual Router drop-down, select None.
  5. (Optional) If you want to assign an IP address to the tunnel interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 10.31.32.1/32.
  6. To save the interface configuration, click OK.

Step 3: If you created a separate zone for tunnel termination of VPN connections, create a security policy to enable traffic flow between the VPN zone and your trust zone.
  For example, the following policy rule enables traffic between the corp-vpn zone and the l3-trust zone.

Step 4: Save the configuration.
  Click Commit.
  If you enabled management access to the interface hosting the portal, you must add a :4443 [Link], to access the web interface for the portal configured in this example, you would enter the following: [Link]
  Or, if you configured a DNS record for the FQDN, such as [Link], you would enter: [Link]
  To access the portal login page, you would enter the URL without the port number: [Link] or [Link]

Enable SSL Between GlobalProtect Components

All interaction between the GlobalProtect components occurs over an SSL/[Link], you must generate and/or install the required certificates before configuring each component so that you can reference the appropriate certificate(s) [Link] methods of certificate deployment, descriptions and best practice guidelines for the various GlobalProtect certificates, and provide instructions for generating and deploying the required certificates:
  About GlobalProtect Certificate Deployment
  GlobalProtect Certificate Best Practices
  Deploy Server Certificates to the GlobalProtect Components

About GlobalProtect Certificate Deployment

There are three basic approaches to Deploy Server Certificates to the GlobalProtect Components:
  (Recommended) Combination of third-party certificates and self-signed certificates: Because the end clients will be accessing the portal prior to GlobalProtect configuration, the client must trust the certificate to establish an HTTPS connection.
  Enterprise Certificate Authority: If you already have your own enterprise CA, you can use this internal CA to issue certificates for each of the GlobalProtect components and then import them onto the firewalls hosting your portal and gateway(s). In this case, you must also ensure that the end-user systems/mobile devices trust the root CA certificate used to issue the certificates for the GlobalProtect services to which they must connect.
  Self-Signed Certificates: You can generate a self-signed CA certificate on the portal and use it to issue [Link], this solution is less secure than the other [Link], end users will see a certificate [Link], you can deploy the self-signed root CA certificate to all end-user systems manually or using some sort of centralized deployment, such as an Active Directory Group Policy Object (GPO).

GlobalProtect Certificate Best Practices

The following table summarizes the SSL/TLS certificates you will need, depending on which features you plan to use:

Table: GlobalProtect Certificate Requirements

CA certificate
  Usage: Used to sign certificates issued to the GlobalProtect components.
  Issuing Process/Best Practices: If you plan to use self-signed certificates, a best practice is to generate a CA certificate on the portal and then use that certificate to issue the required GlobalProtect certificates.

Portal server certificate
  Usage: Enables GlobalProtect agents and apps to establish an HTTPS connection with the portal.
  Issuing Process/Best Practices:
    This certificate is identified in an SSL/TLS service profile. You assign the portal server certificate by selecting its associated service profile in a portal configuration.
    Use a certificate from a well-known, [Link] the most secure option and ensures that the user endpoints can establish a trust relationship with the portal and without requiring you to deploy the root CA certificate.
    If you do not use a well-known, public CA, you should export the root CA certificate that was used to generate the portal server certificate to all endpoints that run the GlobalProtect [Link] end users from seeing certificate warnings during the initial portal login.
    The Common Name (CN) and, if applicable, the Subject Alternative Name (SAN) fields of the certificate must match the IP address or FQDN of the interface that hosts the portal.
    In general, a portal must have its own server certificate. However, if you are deploying a single gateway and portal on the same interface for basic VPN access, you must use the same certificate for both the gateway and the portal.

Gateway server certificate
  Usage: Enables GlobalProtect agents and apps to establish an HTTPS connection with the gateway.
  Issuing Process/Best Practices:
    This certificate is identified in an SSL/TLS service profile. You assign the gateway server certificate by selecting its associated service profile in a gateway configuration.
    Generate a CA certificate on the portal and use that CA certificate to generate all gateway certificates.
    The CN and, if applicable, the SAN fields of the certificate must match the FQDN or IP address of the interface where you plan to configure the gateway.
    The portal distributes the gateway root CA certificates to agents in the client configuration, so the gateway certificates do not need to be issued by a public CA.
    If you do not deploy the root CA certificates for the GlobalProtect gateways in the client configuration, the agent/app will not perform certificate checks when connecting, thereby making the connection vulnerable to man-in-the-middle attacks.
    In general, each gateway must have its own server [Link], if you are deploying a single gateway and portal on the same interface for basic VPN access, you [Link] a best practice, use a certificate that a public CA signed.

(Optional) Client certificate
  Usage: Used to enable mutual authentication in establishing an HTTPS session between the GlobalProtect agents and the gateways/[Link] that only devices with valid client certificates are able to authenticate and connect to the network.
  Issuing Process/Best Practices:
    For simplified deployment of client certificates, configure the portal to deploy the client certificate to the agents upon successful login using either of the following methods:
      Use a single client certificate across all GlobalProtect [Link] the Local client certificate by uploading the certificate to the portal and selecting it in a portal agent configuration.
      Use simple certificate enrollment protocol (SCEP) to enable the GlobalProtect portal to deploy unique client [Link] this by configuring a SCEP profile and then selecting that profile in a portal agent configuration.
    Use one of the following supported digest algorithms when you generate client certificates for GlobalProtect endpoints: sha1, sha256, or sha384. Sha512 is not supported with client certificates.
    You can use other mechanisms to deploy unique client certificates to each client system for use in authenticating the end user.
    Consider testing your configuration without the client certificate first, and then add the client certificate after you are sure that all other configuration settings are correct.

(Optional) Machine certificates
  Usage: A machine certificate is a client certificate that is issued to a [Link] certificate identifies the device in the subject field (for example, CN=[Link]) [Link] certificate ensures that only trusted endpoints can connect to gateways or the portal. Machine certificates are required for users whose connect method is pre-logon, which enables GlobalProtect to establish a VPN tunnel before the user logs in.
  Issuing Process/Best Practices:
    Use one of the following supported digest algorithms when you generate client certificates for GlobalProtect endpoints: sha1, sha256, or sha384. Sha512 is not supported with client certificates.
    If you plan to use the pre-logon feature, use your own PKI infrastructure to deploy machine certificates to each client [Link] approach is important for ensuring security. For more information, see Remote Access VPN with Pre-Logon.

For details about the types of keys for secure communication between the GlobalProtect endpoint and the portals and gateways, see Reference: GlobalProtect Agent Cryptographic Functions.
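
The CN/SAN matching and digest-algorithm rules from the table above, turned into a pre-deployment check. This is an added example, not Palo Alto Networks code: the certificate layout follows the dictionaries Python's ssl.SSLSocket.getpeercert() returns, and the hostnames and addresses are constructed sample values.

```python
"""Check a GlobalProtect portal/gateway server certificate against the
guide's rules: the CN and, when present, the SAN must match the FQDN or
IP address of the interface that hosts the component (wildcards allowed
for third-party certificates), and client/machine certificates must be
signed with sha1, sha256 or sha384 (sha512 is not supported).
Certificates are dictionaries in the layout of ssl.SSLSocket.getpeercert().
All sample data below is constructed (documentation-only addresses)."""
import ipaddress

SUPPORTED_CLIENT_DIGESTS = {"sha1", "sha256", "sha384"}

# Constructed sample certificates, not values from the guide.
GATEWAY_CERT = {
    "subject": ((("commonName", "gp-gw1.example.com"),),),
    "subjectAltName": (("DNS", "gp-gw1.example.com"),),
}
MISMATCHED_CERT = {
    # CN and Host Name (SAN) differ: the agent rejects this certificate.
    "subject": ((("commonName", "gp-gw1.example.com"),),),
    "subjectAltName": (("DNS", "gp-gw1.corp.internal"),),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}
IP_CERT = {
    "subject": ((("commonName", "203.0.113.10"),),),
    "subjectAltName": (("IP Address", "203.0.113.10"),),
}


def _dns_match(pattern, hostname):
    """Exact match, or a single '*' standing in for the leftmost label only."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def check_server_cert(cert, interface_address):
    """Return a list of findings; an empty list means the certificate is acceptable."""
    findings = []
    cns = _common_names(cert)
    sans = list(cert.get("subjectAltName", ()))
    if not cns:
        findings.append("certificate has no Common Name")
    if _is_ip(interface_address):
        target = ipaddress.ip_address(interface_address)
        cn_ok = any(_is_ip(cn) and ipaddress.ip_address(cn) == target for cn in cns)
        san_ok = any(t == "IP Address" and _is_ip(v) and ipaddress.ip_address(v) == target
                     for t, v in sans)
    else:
        cn_ok = any(_dns_match(cn, interface_address) for cn in cns)
        san_ok = any(t == "DNS" and _dns_match(v, interface_address) for t, v in sans)
    if not cn_ok:
        findings.append(f"CN {cns} does not match interface address {interface_address}")
    # A self-signed certificate carries a SAN only when a Host Name attribute was
    # added on generation; if it is there, the guide requires it to match as well.
    if sans and not san_ok:
        findings.append(f"SAN {sans} does not match interface address {interface_address}")
    return findings


def check_client_cert_digest(digest):
    """Client and machine certificates must use sha1, sha256 or sha384."""
    return digest.lower().replace("-", "") in SUPPORTED_CLIENT_DIGESTS


if __name__ == "__main__":
    for label, cert, addr in (("gateway", GATEWAY_CERT, "gp-gw1.example.com"),
                              ("mismatched", MISMATCHED_CERT, "gp-gw1.example.com")):
        print(label, check_server_cert(cert, addr) or "OK")
```

Feeding it the getpeercert() result from a TLS connection to a running portal or gateway confirms that the certificate actually served matches the address the component is bound to.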


DeployServerCertificatestotheGlobalProtectComponents

ThefollowingtableshowsthebestpracticestepsfordeployingSSL/TLScertificatestotheGlobalProtect
components:

DeploySSLServerCertificatestotheGlobalProtectComponents

Importaservercertificatefromawellknown, Beforeyouimportacertificate,makesurethecertificateandkey
thirdpartyCA. filesareaccessiblefromyourmanagementsystemandthatyou
Useaservercertificatefroma havethepassphrasetodecrypttheprivatekey.
wellknown,thirdpartyCAforthe 1. SelectDevice > Certificate Management > Certificates >
[Link] Device Certificates.
ensuresthattheendusersareableto
2. ClickImport.
establishanHTTPSconnectionwithout
seeingwarningsaboutuntrusted 3. UsetheLocalcertificatetype(thedefault).
certificates. 4. EnteraCertificate Name.
TheCNand,ifapplicable,theSANfields
5. EnterthepathandnametotheCertificate Filereceivedfrom
ofthecertificatemustmatchtheFQDN
theCA,orBrowsetofindthefile.
orIPaddressoftheinterfacewhereyou
plantoconfiguretheportalorthedevice 6. SelectEncrypted Private Key and Certificate (PKCS12)asthe
checkininterfaceonathirdparty File Format.
mobileendpointmanagementsystem. 7. EnterthepathandnametothePKCS#12fileintheKey File
Wildcardmatchesaresupported. fieldorBrowsetofindit.
8. EnterandreenterthePassphrasethatwasusedtoencrypt
theprivatekeyandthenclickOKtoimportthecertificateand
key.

CreatetherootCAcertificateforissuing Beforedeployingselfsignedcertificates,youmustcreatetheroot
selfsignedcertificatesfortheGlobalProtect CAcertificatethatsignsthecertificatesfortheGlobalProtect
components. components:
CreatetheRootCAcertificateonthe 1. SelectDevice > Certificate Management > Certificates >
portalanduseittoissueserver Device Certificates andthenclickGenerate.
certificatesforthegatewaysand,
2. UsetheLocalcertificatetype(thedefault).
optionally,forclients.
3. EnteraCertificate Name,suchasGlobalProtect_CA.The
certificatenamecannotcontainspaces.
4. DonotselectavalueintheSigned Byfield.(Withouta
selectionforSigned By,thecertificateisselfsigned.)
5. SelecttheCertificate Authoritycheckbox.
6. ClickOKtogeneratethecertificate.

PaloAltoNetworks,Inc. GlobalProtect7.1AdministratorsGuide 21
EnableSSLBetweenGlobalProtectComponents SetUptheGlobalProtectInfrastructure

DeploySSLServerCertificatestotheGlobalProtectComponents(Continued)

UsetherootCAontheportaltogeneratea 1. SelectDevice > Certificate Management > Certificates >


selfsignedservercertificate. Device Certificates andthenclickGenerate.
Generateservercertificatesforeach 2. UsetheLocalcertificatetype(thedefault).
gatewayyouplantodeployand
3. EnteraCertificate [Link].
optionallyforthemanagementinterface
ofthethirdpartymobileendpoint 4. IntheCommon Namefield,entertheFQDN(recommended)
managementsystem(ifthisinterfaceis orIPaddressoftheinterfacewhereyouplantoconfigurethe
wherethegatewaysretrieveHIP gateway.
reports). 5. IntheSigned Byfield,selecttheGlobalProtect_CAyou
Inthegatewayservercertificates,the created.
valuesintheCNandSANfieldsmustbe
6. IntheCertificateAttributessection,Addanddefinethe
[Link],the
[Link]
GlobalProtectagentdetectsthe
thatifyouaddaHost Nameattribute(whichpopulatesthe
mismatchanddoesnottrustthe
SANfieldofthecertificate),itmustbethesameasthevalue
[Link]
youdefinedfortheCommon Name.
containaSANfieldonlyifyouaddaHost
Nameattribute. 7. Configurecryptographicsettingsfortheservercertificate
Asanalternativemethod,youcanUseSimple includingencryptionAlgorithm,keylength(Number of Bits),
CertificateEnrollmentProtocol(SCEP)to DigestalgorithmandExpiration(days).
requestaservercertificatefromyourenterprise 8. ClickOKtogeneratethecertificate.
CA.

22 GlobalProtect7.1AdministratorsGuide PaloAltoNetworks,Inc.
SetUptheGlobalProtectInfrastructure EnableSSLBetweenGlobalProtectComponents

DeploySSLServerCertificatestotheGlobalProtectComponents(Continued)

Use Simple Certificate Enrollment Protocol (SCEP) to request a server certificate from your enterprise CA.
Configure separate SCEP profiles for each portal and gateway you plan to deploy, and use each profile to generate the server certificate for that GlobalProtect component.
In portal and gateway server certificates, the value of the CN field must include the FQDN (recommended) or IP address of the interface where you plan to configure the portal or gateway and must be identical to the SAN field.
If you use the Federal Information Processing Standard (FIPS), you must also enable mutual SSL authentication between the SCEP server and the GlobalProtect portal. (FIPS-CC operation is indicated on the firewall login page and in its status bar.)
After you commit the configuration, the portal attempts to request a CA certificate using the settings in the SCEP profile. If the request succeeds, the firewall hosting the portal saves the CA certificate and displays it in the list of Device Certificates.
1. Configure a SCEP Profile for each GlobalProtect portal or gateway:
   a. Enter a Name that identifies the SCEP profile. If this profile is for a firewall with multiple virtual systems capability, select a virtual system or Shared as the Location where the profile is available.
   b. (Optional) Configure a SCEP Challenge response mechanism between the PKI and portal for each certificate request: either a Fixed password that you obtain from the SCEP server or a Dynamic password where the portal client submits a username and OTP of your choice. For example, this can be the credentials of the PKI administrator.
   c. Configure the Server URL that the portal uses to reach the SCEP server in the PKI (for example, [Link]).
   d. Enter a string (up to 255 characters in length) in the CA-IDENT Name field to identify the SCEP server.
   e. Enter the Subject name to use in the certificates generated by the PKI. The subject must include a common name (CN) key in the format CN=<value> where <value> is the FQDN or IP address of the portal or gateway.
   f. Select the Subject Alternative Name Type. To use the email name in a certificate's subject or Subject Alternative Name extension, select RFC 822 Name. Alternatively, select the DNS Name to use to evaluate certificates, or the Uniform Resource Identifier to identify the resource from which the client will obtain the certificate.
   g. Configure additional cryptographic settings including the key length (Number of Bits), and Digest algorithm for the certificate signing request.
   h. Configure the permitted uses of the certificate, either for signing (Use as digital signature) or encryption (Use for key encipherment).
   i. To ensure that the portal is connecting to the correct SCEP server, enter the CA Certificate Fingerprint. Obtain this fingerprint from the SCEP server interface in the Thumbprint field.
   j. Enable mutual SSL authentication between the SCEP server and the GlobalProtect portal.
   k. Click OK and then Commit the configuration.
2. Select Device > Certificate Management > Certificates > Device Certificates and then click Generate.
3. Enter a Certificate Name.
4. Select the SCEP Profile to use to automate the process of issuing a server certificate that is signed by the enterprise CA to a portal or gateway, and then click OK to generate the certificate. The firewall uses the SCEP profile to submit a CSR to your enterprise PKI.

Assign the server certificate you imported or generated to an SSL/TLS service profile.
1. Select Device > Certificate Management > SSL/TLS Service Profile and click Add.
2. Enter a Name to identify the profile and select the server Certificate you imported or generated.
3. Define the range of SSL/TLS versions (Min Version to Max Version) for communication between GlobalProtect components.
4. Click OK to save the SSL/TLS service profile.
5. Commit the changes.

Deploy the self-signed server certificates.
Export the self-signed server certificates issued by the root CA on the portal and import them onto the gateways. Be sure to issue a unique server certificate for each gateway.
If specifying self-signed certificates, you must distribute the Root CA certificate to the end clients in the portal client configurations.
Export the certificate from the portal:
1. Select Device > Certificate Management > Certificates > Device Certificates.
2. Select the gateway certificate you want to deploy and click Export.
3. In the File Format drop-down, select Encrypted Private Key and Certificate (PKCS12).
4. Enter (and re-enter) a Passphrase to encrypt the private key.
5. Click OK to download the PKCS12 file to a location of your choice.
Import the certificate on the gateway:
1. Select Device > Certificate Management > Certificates > Device Certificates.
2. Click Import.
3. Enter a Certificate Name.
4. Browse to find and select the Certificate File you downloaded in step 5, above.
5. In the File Format drop-down, select Encrypted Private Key and Certificate (PKCS12).
6. Enter (and re-enter) the Passphrase you used to encrypt the private key when you exported it from the portal.
7. Click OK to import the certificate and key.
8. Commit the changes to the gateway.

Set Up GlobalProtect User Authentication

The GlobalProtect portal and gateway must authenticate the end user before it allows access to network resources. The following sections describe the authentication methods that GlobalProtect supports and how to configure them:
About GlobalProtect User Authentication
Set Up External Authentication
Set Up Client Certificate Authentication
Set Up Two-Factor Authentication
Set Up Authentication for strongSwan Ubuntu and CentOS Clients

About GlobalProtect User Authentication

The first time a GlobalProtect client connects to the portal, the user is prompted to authenticate to the portal. If authentication succeeds, the GlobalProtect portal sends the GlobalProtect configuration, which includes the list of gateways to which the agent can connect, and optionally a client certificate for connecting to the gateways. Next, the client attempts to connect to a gateway. Because the gateways protect access to your network resources and settings, they also require the end user to authenticate.
The appropriate level of security required on the portal and gateways varies with the sensitivity of the resources they protect. GlobalProtect enables you to choose the authentication profile and certificate profile that are appropriate to each component.
Supported GlobalProtect Authentication Methods
How Does the Agent or App Know What Credentials to Supply to the Portal and Gateway?

Supported GlobalProtect Authentication Methods

The following table describes the authentication methods that GlobalProtect supports and provides usage guidelines.

Authentication Method   Description

Local Authentication
Both the user account credentials and the authentication mechanisms are local to the firewall. This method requires an account for every GlobalProtect user and is, therefore, advisable for only very small deployments.

External authentication
The user authentication functions are performed by an external LDAP, Kerberos, TACACS+, or RADIUS service (including support for two-factor, token-based authentication mechanisms, such as one-time password (OTP) authentication). To enable external authentication:
Create a server profile with settings for access to the external authentication service.
Create an authentication profile that refers to the server profile.
Specify client authentication in the portal and gateway configurations and optionally specify the OS of the endpoint that will use these settings.
See Remote Access VPN (Authentication Profile) for an example configuration.

Client certificate authentication
For enhanced security, you can configure the portal or gateway to use a client certificate to obtain the username and authenticate the user before granting access to the system. To authenticate the user, one of the certificate fields, such as the Subject Name field, must identify the username.
To authenticate the endpoint, the Subject field of the certificate must identify the device type instead of the username. (With the pre-logon connect methods, the portal or gateway authenticates the endpoint before the user logs in.)
For an agent configuration profile that specifies client certificates, each user receives a certificate from the portal. The certificate is either unique to each client or the same for all clients under that agent configuration:
To deploy client certificates that are unique to each user and device, use SCEP. When the user first logs in, the portal obtains a unique certificate from your enterprise PKI and deploys it to the client.
To deploy the same client certificate to all users that receive an agent configuration, deploy a certificate that is Local to the firewall.
Use an optional certificate profile to verify the client certificate that a client presents with its authentication request. The certificate profile specifies the username and user domain fields; lists CA certificates; criteria for blocking a session; and offers ways to verify certificate revocation status. You must deploy the client certificates specified in certificate profiles to the endpoints before the user's initial portal login because the certificate is part of the authentication of the endpoint or user for a new session.
For example, if the certificate profile specifies Subject in the Username Field, the certificate presented by the client must contain a common name. If the certificate profile specifies a Subject-Alt with an Email or Principal Name as the Username Field, the certificate from the client must contain the corresponding fields, which will be used as the username when the GlobalProtect agent authenticates to the portal or gateway.
GlobalProtect also supports authentication by common access cards (CACs) and smart cards, which rely on a certificate profile. In this case, the certificate profile must contain the root CA certificate that issued the certificate to the smart card or CAC.
If you specify client certificate authentication, you should not configure a client certificate in the portal configuration because the client system provides it when the user connects.
For an example of how to configure client certificate authentication, see Remote Access VPN (Certificate Profile).

Two-factor authentication
With two-factor authentication, the portal or gateway uses two mechanisms to authenticate a user, such as a client certificate and an external authentication service. You can enable two-factor authentication on the portal and gateways by configuring a certificate profile and an authentication profile and adding them both to the portal and/or gateway configuration.
You can configure the portal and gateways to use the same authentication methods or use different methods. In either case, with two-factor authentication, the client must successfully authenticate by the two mechanisms that the component demands before it grants access.
If the certificate profile specifies a Username Field from which GlobalProtect can obtain a username, the external authentication service automatically uses the username to authenticate the user to the external authentication service specified in the authentication profile. For example, if the Username Field in the certificate profile is set to Subject, the value in the common name field of the certificate is used as the username when the agent authenticates to the external authentication service. If you want users to authenticate with a username from the certificate, make sure the certificate profile is set to a Username Field other than None. See Set Up Two-Factor Authentication for an example configuration.

How Does the Agent or App Know What Credentials to Supply to the Portal and Gateway?

By default, the GlobalProtect agent attempts to use the same login credentials for the gateway that it used for the portal. In the simplest case, where the gateway and the portal use the same authentication profile and/or certificate profile, the agent will connect to the gateway transparently.
On a per-agent-configuration basis, you can also customize which GlobalProtect portal and gateways (internal, external, or manual only) require different credentials (such as unique OTPs). This enables the GlobalProtect portal or gateway to prompt for the unique OTP without first prompting for the credentials specified in the authentication profile.
There are two options for modifying the default agent authentication behavior so that authentication is both stronger and faster:
Cookie Authentication on the Portal or Gateway
Credential Forwarding to Some or All Gateways

Cookie Authentication on the Portal or Gateway

Cookie authentication simplifies the authentication process for end users because they will no longer be required to log in to both the portal and the gateway in succession or enter multiple OTPs for authenticating to each gateway. In addition, cookies enable use of a temporary password to re-enable VPN access after the user's password expires.
You can configure cookie authentication settings independently for the portal and for individual gateways (for example, you can impose a shorter cookie lifetime on gateways that protect sensitive resources). After the portal or gateways deploy an authentication cookie to the endpoint, the portal and gateways both rely on the cookie to authenticate the user. When the cookie expires, the portal or gateway prompts the user to authenticate again. If authentication is successful, the portal or gateway issues the replacement authentication cookie to the endpoint and the validity period starts over.
Consider the following example where you configure the cookie lifetime for the portal (which does not protect sensitive information) as 15 days, but configure the cookie lifetime for gateways (which do protect sensitive information) as 24 hours. After the user authenticates, the portal issues the authentication cookie. If, after five days, the user attempted to connect to the portal, the authentication cookie would still be valid. However, if after five days the user attempted to connect to the gateway, the gateway would evaluate the cookie lifetime and determine it expired (5 days > 24 hours). The agent would then automatically prompt the user to authenticate with the gateway and, on successful authentication, the gateway would issue a replacement cookie, which would be valid for another 15 days on the portal and another 24 hours on the gateways.
For an example of how to use this option, see Set Up Two-Factor Authentication.
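The 15-day / 24-hour scenario above as an added example (not code from this guide or from Palo Alto Networks): a small Python model in which a portal and a gateway each evaluate the same authentication cookie against their own configured lifetime; the component names, user and timestamps are constructed for illustration.

```python
"""Added example (not from the GlobalProtect guide): model how a portal and a
gateway each evaluate an authentication cookie against their own lifetime."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthCookie:
    """The authentication cookie the portal or gateway deploys to the endpoint."""
    user: str
    issued_at: datetime


@dataclass
class CookieAuthComponent:
    """A portal or gateway with its own configured cookie lifetime."""
    name: str
    lifetime: timedelta

    def is_valid(self, cookie: AuthCookie, now: datetime) -> bool:
        """The cookie is accepted only while its age is within THIS component's lifetime."""
        return now - cookie.issued_at <= self.lifetime

    def connect(self, cookie: AuthCookie, now: datetime, reauth_succeeds: bool):
        """Simulate a connection attempt.

        Returns (outcome, cookie): "cookie" when the existing cookie was accepted,
        "reauthenticated" when the user was prompted and a replacement cookie was
        issued (its validity period starts over), or "denied" when the prompt failed.
        """
        if self.is_valid(cookie, now):
            return "cookie", cookie
        if reauth_succeeds:
            return "reauthenticated", AuthCookie(cookie.user, issued_at=now)
        return "denied", cookie


def worked_scenario() -> dict:
    """The guide's 15-day portal / 24-hour gateway example, five days after login."""
    portal = CookieAuthComponent("portal", timedelta(days=15))
    gateway = CookieAuthComponent("gateway", timedelta(hours=24))

    login = datetime(2016, 11, 21, 9, 0)           # constructed timestamp
    cookie = AuthCookie("alice", issued_at=login)  # constructed user
    day5 = login + timedelta(days=5)

    portal_outcome, _ = portal.connect(cookie, day5, reauth_succeeds=True)
    gateway_outcome, new_cookie = gateway.connect(cookie, day5, reauth_succeeds=True)

    return {
        "portal_day5": portal_outcome,      # 5 days <= 15 days: cookie still valid
        "gateway_day5": gateway_outcome,    # 5 days > 24 hours: prompt, then reissue
        # The replacement cookie restarts both clocks: 15 days on the portal,
        # 24 hours on the gateway.
        "portal_accepts_new_cookie_day19": portal.is_valid(
            new_cookie, day5 + timedelta(days=14)),
        "gateway_accepts_new_cookie_day6": gateway.is_valid(
            new_cookie, day5 + timedelta(hours=23)),
        "gateway_accepts_new_cookie_day7": gateway.is_valid(
            new_cookie, day5 + timedelta(days=2)),
    }


if __name__ == "__main__":
    for key, value in worked_scenario().items():
        print(f"{key}: {value}")
```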

Credential Forwarding to Some or All Gateways

With two-factor authentication, you can specify the portal and/or types of gateways (internal, external, or manual only) to which the agent does not forward credentials. This is useful when the portal and the gateway require different credentials (either different OTPs or different login credentials entirely). For each portal or gateway that you select, the agent will not forward credentials, and the user is prompted to authenticate. For example, you can have the same security on your portals and internal gateways, while requiring a second-factor OTP or a different password for access to those gateways that provide access to your most sensitive resources.
For an example of how to use this option, see Set Up Two-Factor Authentication.

Set Up External Authentication

The following workflow describes how to set up the GlobalProtect portal and gateways to use an external authentication service: LDAP, Kerberos, RADIUS, or TACACS+.
This workflow also describes how to create an optional authentication profile that a portal or gateway can use to authenticate users against that service. The authentication profile also can specify the local authentication database or None.

If you plan to use the local database, create a local user database (Device > Local User Database) that contains the users and groups to which you want to allow VPN access and then refer to that database in the authentication profile.

For more information, see Supported GlobalProtect Authentication Methods.

Set Up External User Authentication

Step 1  Create a server profile.
The server profile identifies the external authentication service and instructs the firewall how to connect to that authentication service and access the authentication credentials for your users.
If you want to Enable Delivery of GlobalProtect Client VSAs to a RADIUS Server, you must create a RADIUS server profile.
If you are using LDAP to connect to Active Directory (AD), you must create a separate LDAP server profile for every AD domain.
1. Select Device > Server Profiles and select the type of profile (LDAP, Kerberos, RADIUS, or TACACS+).
2. Click Add and enter a Name for the profile, such as GPUserAuth.
3. (LDAP only) Select the Type of LDAP server.
4. Click Add in the Servers section and then enter the necessary information for connecting to the authentication server, including the server Name, IP address or FQDN of the Server, and Port.
5. (RADIUS, TACACS+, and LDAP only) Specify settings to enable the authentication service to authenticate the firewall, as follows:
   RADIUS and TACACS+: Enter the shared Secret when adding the server entry.
   LDAP: Enter the Bind DN and Password.
6. (LDAP only) If you want the device to use SSL or TLS for a more secure connection with the directory server, select the Require SSL/TLS secured connection check box (selected by default). The protocol that the device uses depends on the server Port:
   389 (default): TLS (Specifically, the device uses the StartTLS operation, which upgrades the initial plaintext connection to TLS.)
   636: SSL
   Any other port: The device first tries to use TLS. If the directory server doesn't support TLS, the device falls back to SSL.
7. (LDAP only) For additional security, select the Verify Server Certificate for SSL sessions check box so that the device verifies the certificate that the directory server presents for SSL/TLS connections. To enable verification, you also have to select the Require SSL/TLS secured connection check box. For verification to succeed, the certificate must meet one of the following conditions:
   It is in the list of device certificates: Device > Certificate Management > Certificates > Device Certificates. Import the certificate into the device, if necessary.
   The certificate signer is in the list of trusted certificate authorities: Device > Certificate Management > Certificates > Default Trusted Certificate Authorities.
8. Click OK to save the server profile.

Step 2  (Optional) Create an authentication profile.
The authentication profile specifies the server profile for the portal or gateways to use when authenticating users. When you configure a portal or gateway, you can assign one or more authentication profiles in one or more client authentication profiles. For descriptions of how an authentication profile within a client authentication profile supports granular user authentication, see Configure a GlobalProtect Gateway and Set Up Access to the GlobalProtect Portal.
To enable users to connect and change their own expired passwords without administrative intervention, consider using a pre-logon connect method. See Remote Access VPN with Pre-Logon for details.
If users allow their passwords to expire, you may assign a temporary LDAP password to enable them to log in to the VPN. In this case, the temporary password may be used to authenticate to the portal, but the gateway login may fail because the same temporary password cannot be used again. To avoid this, enable an authentication override in the portal configuration (Network > GlobalProtect > Portal) to enable the agent to use a cookie to authenticate to the portal and use the temporary password to authenticate the gateway.
1. Select Device > Authentication Profile and Add a new profile.
2. Enter a Name for the profile and then select the authentication Type: None, Local Database (the authentication database on the firewall), RADIUS, TACACS+, LDAP, or Kerberos.
3. If the authentication Type is RADIUS, TACACS+, LDAP, or Kerberos, select the authentication Server Profile that you created in Step 1 from the drop-down.
4. (Optional) Configure the User Domain and Username Modifier. The firewall combines the User Domain and Username Modifier values to modify the domain/username string that a user enters during login, sends the modified string to the authentication service, and uses the User Domain value for User-ID group mapping. Modifying user input is useful when the authentication service requires domain/username strings in a particular format and you don't want to rely on users to correctly enter the domain. You can select from the following options:
   To send only the unmodified user input, leave the User Domain blank (the default) and set the Username Modifier to the variable %USERINPUT% (the default).
   To prepend a domain to the user input, enter a User Domain and set the Username Modifier to %USERDOMAIN%\%USERINPUT%.
   To append a domain to the user input, enter a User Domain and set the Username Modifier to %USERINPUT%@%USERDOMAIN%.
   If the Username Modifier includes the %USERDOMAIN% variable, the User Domain value replaces any domain string that the user enters. If the User Domain is blank, that means the device removes any user-entered domain string.
5. (Kerberos only) Configure Kerberos single sign-on (SSO) if your network supports it:
   Enter the Kerberos Realm (up to 127 characters). This is the hostname portion of the user login name; for example, in the user account name user@<realm>, the realm is <realm>.
   Specify a Kerberos Keytab file: click the Import link, Browse to the keytab file, and click OK. During authentication, the endpoint first tries to use the keytab to establish SSO. If this succeeds, and the user attempting access is in the Allow List, authentication succeeds immediately. If it fails, the authentication process falls back to manual (username/password) authentication of the specified Type. To change this behavior so that users can authenticate only using Kerberos, set Use Default Authentication on Kerberos Authentication Failure to No in a GlobalProtect portal agent configuration.
6. (LDAP only) Enter sAMAccountName as the Login Attribute.
7. (LDAP only) Set the Password Expiry Warning to specify the number of days before password expiration that users will be notified. By default, users will be notified seven days prior to password expiration (range is 1-255). Because users must change their passwords before the end of the expiration period, make sure you provide a notification period that is adequate for your user base to ensure continued access to the VPN. To use this feature, you must specify one of the following types of LDAP servers in your LDAP server profile: active-directory, e-directory, or sun.
   Users cannot access the VPN if their passwords expire unless you enable pre-logon.
8. (LDAP only) Configure an optional custom expiry message to include additional instructions, such as help desk contact information or a link to a password portal where users can change their passwords (see Step 5 in Customize the GlobalProtect Agent).
9. Select the Advanced tab.
10. In the Allow List, Add and then select the users and groups that are allowed to authenticate with this profile. By default, the list has no entries, which means no users can authenticate.
11. Click OK.

Step 3  Commit the configuration.
Click Commit.
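The User Domain and Username Modifier rules from Step 2 as an added example (not code from this guide or from PAN-OS): a Python function that applies the three modifier options to constructed login entries. The exact form sent when the User Domain is blank but the modifier contains %USERDOMAIN% is an assumption, marked in the code.

```python
"""Added example (not from the GlobalProtect guide): apply the authentication
profile's User Domain / Username Modifier rules to what a user typed at login."""

USERINPUT = "%USERINPUT%"
USERDOMAIN = "%USERDOMAIN%"


def split_user_input(user_input: str) -> tuple:
    """Split a login string into (domain, username).

    Accepts the NetBIOS style 'domain\\user' and the UPN style 'user@domain';
    the domain is '' when the user typed a bare username.
    """
    if "\\" in user_input:
        domain, _, user = user_input.partition("\\")
        return domain, user
    if "@" in user_input:
        user, _, domain = user_input.partition("@")
        return domain, user
    return "", user_input


def apply_username_modifier(user_input: str, user_domain: str = "",
                            username_modifier: str = USERINPUT) -> str:
    """Return the domain/username string the firewall sends to the auth service.

    Rules stated in the guide:
      * %USERINPUT% with a blank User Domain (the defaults): send input unmodified;
      * if the modifier contains %USERDOMAIN%, the User Domain value replaces any
        domain string the user entered; %USERINPUT% then stands for the bare name;
      * a blank User Domain with such a modifier removes the user-entered domain.
    """
    if USERDOMAIN not in username_modifier:
        # No domain substitution requested: the entry passes through as typed.
        return username_modifier.replace(USERINPUT, user_input)

    _, bare_user = split_user_input(user_input)
    if not user_domain:
        # Assumption (the guide only says the domain is removed): the separator
        # that would sit next to an empty domain is dropped too, so only the
        # bare username is sent.
        return bare_user
    return (username_modifier
            .replace(USERDOMAIN, user_domain)
            .replace(USERINPUT, bare_user))


def show_options(user_input: str, user_domain: str = "corp.example") -> dict:
    """The three options listed in the guide applied to one constructed entry."""
    return {
        "unmodified": apply_username_modifier(user_input),
        "prepend": apply_username_modifier(user_input, user_domain,
                                           "%USERDOMAIN%\\%USERINPUT%"),
        "append": apply_username_modifier(user_input, user_domain,
                                          "%USERINPUT%@%USERDOMAIN%"),
    }


if __name__ == "__main__":
    # Constructed entries: a bare name and one where the user typed a stale domain.
    for entry in ("alice", "legacy\\alice"):
        print(entry, "->", show_options(entry))
```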


Set Up Client Certificate Authentication

With the optional client certificate authentication, the agent/app presents a client certificate along with its connection request. The portal or gateway uses the unique client certificate to validate that the user or device belongs to your organization.
The methods for deploying client certificates depend on the security requirements for your organization:
Deploy Shared Client Certificates for Authentication
Deploy Machine Certificates for Authentication
Deploy User-Specific Client Certificates for Authentication

Deploy Shared Client Certificates for Authentication

To confirm that an endpoint user belongs to your organization, you can use the same client certificate for all endpoints that receive the same agent configuration. Use the following workflow to issue self-signed client certificates for this purpose and deploy them from the portal.

Deploy Shared Client Certificates for Authentication

Step 1  Generate a certificate to deploy to multiple GlobalProtect clients.
1. Create the root CA certificate for issuing self-signed certificates for the GlobalProtect components.
2. Select Device > Certificate Management > Certificates > Device Certificates and then click Generate.
3. Use the Local certificate type (the default).
4. Enter a Certificate Name.
5. In the Common Name field enter a name to identify this certificate as an agent certificate, for example GP_Windows_clients. Because this same certificate will be deployed to all agents using the same configuration, it does not need to uniquely identify a specific user or endpoint.
6. In the Signed By field, select your root CA.
7. Select an OCSP Responder to verify the revocation status of certificates.
8. Click OK to generate the certificate.

Step 2  Set Up Two-Factor Authentication.
Configure authentication settings in a GlobalProtect portal agent configuration to enable the portal to transparently deploy the client certificate that is Local to the firewall to clients that receive the configuration.


Deploy Machine Certificates for Authentication

To confirm that the endpoint belongs to your organization, use your own public-key infrastructure (PKI) to issue and distribute machine certificates to each endpoint (recommended) or generate a self-signed machine certificate on the portal. In either case, a machine certificate is required and must be installed on the endpoint before GlobalProtect components will grant access.
To confirm that the endpoint belongs to your organization, you must also configure an authentication profile. For more information and an example configuration, see Remote Access VPN (Certificate Profile).

Deploy Machine Certificates for Authentication

Step 1  Issue client certificates to GlobalProtect users and endpoints.
These certificates enable the GlobalProtect portal and gateways to validate that the device belongs to your organization.
1. Create the root CA certificate for issuing self-signed certificates for the GlobalProtect components.
2. Select Device > Certificate Management > Certificates > Device Certificates and then click Generate.
3. Enter a Certificate Name. The name cannot contain any spaces.
4. Configure cryptographic settings for the certificate including the encryption Algorithm, key length (Number of Bits), Digest algorithm (use sha1, sha256, or sha384; sha512 is not supported with client certificates), and Expiration (in days) for the certificate.
   If the firewall is in FIPS-CC mode and the key generation algorithm is RSA, the RSA keys must be 2,048 bits or larger.
5. In the Certificate Attributes section, Add and define the attributes that uniquely identify the GlobalProtect clients as belonging to your organization. Note that if you add a Host Name attribute (which populates the SAN field of the certificate), it must be the same as the value you defined for the Common Name.
6. In the Signed By field, select your root CA.
7. Select an OCSP Responder to verify the revocation status of certificates.
8. (Optional) In the Certificate Attributes section, click Add and define the attributes to identify the GlobalProtect clients as belonging to your organization if required as part of your security requirements.
9. Click OK to generate the certificate.


Step 2  Install certificates in the personal certificate store on the endpoints.
If you are using unique user certificates or machine certificates, you must install each certificate in the personal certificate store on the endpoint prior to the first portal or gateway connection.
Install machine certificates to the Local Computer certificate store on Windows and in the System Keychain on Mac OS.
Install user certificates to the Current User certificate store on Windows and in the Personal Keychain on Mac OS.
For example, to install a certificate on a Windows system using the Microsoft Management Console:
1. From the command prompt, enter mmc to launch the console.
2. Select File > Add/Remove Snap-in.
3. Select Certificates, click Add and then select one of the following, depending on what type of certificate you are importing:
   Computer account: Select this option if you are importing a machine certificate.
   My user account: Select this option if you are importing a user certificate.
4. Expand Certificates and select Personal and then in the Actions column select Personal > More Actions > All Tasks > Import and follow the steps in the Certificate Import Wizard to import the PKCS file you got from the CA.
5. Browse to the .p12 certificate file to import (select Personal Information Exchange as the file type to browse for) and enter the password used to encrypt the private key. Select Personal as the Certificate store.


Step 3  Verify that the certificate has been added to the personal certificate store.
Navigate to the personal certificate store.

Step 4  Import the root CA certificate used to issue the client certificates onto the firewall.
This step is required only if an external CA issued the client certificates, such as your enterprise PKI. If you are using self-signed certificates, the root CA is already trusted by the portal and gateways.
1. Download the root CA certificate used to issue the client certificates (Base64 format).
2. Import the root CA certificate from the CA that generated the client certificates onto the firewall:
   a. Select Device > Certificate Management > Certificates > Device Certificates and click Import.
   b. Use the Local certificate type (the default).
   c. Enter a Certificate Name that identifies the certificate as your client CA certificate.
   d. Browse to the Certificate File you downloaded from the CA.
   e. Select Base64 Encoded Certificate (PEM) as the File Format and then click OK.
   f. Select the certificate you just imported on the Device Certificates tab to open it.
   g. Select Trusted Root CA and then click OK.

Step 5  Create a client certificate profile.
1. Select Device > Certificate Management > Certificate Profile, click Add, and enter a profile Name.
2. Select a value for the Username Field to specify which field in the certificate will contain the user's identity information.
   If you plan to configure the portal or gateways to authenticate users with certificates only, you must specify the Username Field so that the firewall can obtain the username from the certificate.
   If you plan to set up the portal or gateway for two-factor authentication, you can leave the default value of None, or, to add an additional layer of security, specify a Username Field. If you specify a username, your external authentication service verifies that the username in the client certificate matches the username that the user enters, which ensures that the user is the one to which the certificate was issued.
   Users cannot change the username that is included in the certificate.
3. In the CA Certificates field, click Add, select the Trusted Root CA certificate you imported in Step 4 and then click OK.


Step 6  Save the configuration.
Click Commit.

Deploy User-Specific Client Certificates for Authentication

To authenticate individual users, you must issue a unique client certificate to each GlobalProtect user and deploy it to the endpoint. To automate the generation and deployment of user-specific client certificates, you can configure your GlobalProtect portal to act as a Simple Certificate Enrollment Protocol (SCEP) client to a SCEP server in your enterprise PKI.
SCEP operation is dynamic in that the enterprise PKI generates a user-specific certificate when the portal requests it. The portal then deploys the certificate to the endpoint, and the agent or app can then present the client certificate to authenticate with the portal or gateway.
The GlobalProtect portal or gateway uses identifying information about the device and user to evaluate whether to permit access. If the endpoint presents an invalid SCEP-based client certificate, the GlobalProtect client tries to authenticate with the portal per the authentication profile. If it cannot obtain a valid certificate from the portal, the device is not able to connect.

Deploy User-Specific Client Certificates for Authentication

Step 1  Create a SCEP profile.
1. Select Device > Certificate Management > SCEP and then Add a new profile.
2. Enter a Name to identify the SCEP profile.
3. If this profile is for a firewall with multiple virtual systems capability, select a virtual system or Shared as the Location where the profile is available.

Step 2  (Optional) To make the SCEP-based certificate generation more secure, configure a SCEP challenge-response mechanism between the PKI and portal for each certificate request.
After you configure this mechanism, its operation is invisible, and no further input from you is necessary.
If you use the Federal Information Processing Standard (FIPS), use a Dynamic SCEP challenge and specify a Server URL that uses HTTPS (see Step 7).
Select one of the following options:
   None (Default): The SCEP server does not challenge the portal before it issues a certificate.
   Fixed: Obtain the enrollment challenge password from the SCEP server in the PKI infrastructure and then enter the password into the Password field.
   Dynamic: Enter a username and password of your choice (possibly the credentials of the PKI administrator) and the SCEP Server URL where the portal client submits these credentials. The portal uses the credentials to authenticate with the SCEP server, which transparently generates an OTP password for the portal upon each certificate request. (You can see this OTP change after a screen refresh in The enrollment challenge password is field after each certificate request.) The PKI transparently passes each new password to the portal, which then uses the password for its certificate request.


Step 3  Specify the settings for the connection between the SCEP server and the portal to enable the portal to request and receive client certificates.
When a user attempts to log in to the portal, the endpoint sends identifying information about it that includes its host ID. The host ID value varies by device type: GUID (Windows), MAC address of the interface (Mac), Android ID (Android devices), UDID (iOS devices), or a unique name that GlobalProtect assigns (Chrome).
You can include additional information about the client device or user by specifying tokens in the Subject name of the certificate. The portal includes the token value and host ID in the CSR request to the SCEP server.
1. Configure the Server URL that the portal uses to reach the SCEP server in the PKI (for example, [Link]).
2. Enter a string (up to 255 characters in length) in the CA-IDENT Name field to identify the SCEP server.
3. Enter the Subject name to use in the certificates generated by the PKI. The subject must be in the <attribute>=<value> format and must include a common name (CN) key. You can also use the following dynamic variables: $USERNAME, $EMAILADDRESS, and $HOSTID. Use the username or email address variable to ensure that the certificate is issued to a specific user. To issue certificates for the device only, specify the host ID variable. When the GlobalProtect portal pushes the SCEP settings to the agent, the CN portion of the subject name is replaced with the actual value (username, host id, or email address) of the certificate owner (for example, O=acme,CN=$HOSTID).
4. Select the Subject Alternative Name Type:
   RFC 822 Name: Enter the email name in a certificate's subject or Subject Alternative Name extension.
   DNS Name: Enter the DNS name used to evaluate certificates.
   Uniform Resource Identifier: Enter the name of the resource from which the client will obtain the certificate.
   None: Do not specify attributes for the certificate.

Step 4  (Optional) Configure cryptographic settings for the certificate.
Select the key length (Number of Bits) for the certificate. If the firewall is in FIPS-CC mode and the key generation algorithm is RSA, the RSA keys must be 2,048 bits or larger.
Select the Digest for CSR, which indicates the digest algorithm for the certificate signing request (CSR): sha1, sha256, or sha384. Sha512 is not supported as a digest algorithm for client certificates on GlobalProtect endpoints.

Step 5  (Optional) Configure the permitted uses of the certificate, either for signing or encryption.
To use this certificate for signing, select the Use as digital signature check box. This enables the endpoint to use the key in the certificate to validate a digital signature.
To use this certificate for encryption, select the Use for key encipherment check box. This enables the endpoint to use the key in the certificate to encrypt data exchanged over the HTTPS connection established with the certificates issued by the SCEP server.

Step 6  (Optional) To ensure that the portal is connecting to the correct SCEP server, enter the CA Certificate Fingerprint. Obtain this fingerprint from the SCEP server interface in the Thumbprint field.
1. Enter the URL for the SCEP server's administrative UI (for example, http://<hostname or IP>/CertSrv/mscep_admin/).
2. Copy the thumbprint and enter it in the CA Certificate Fingerprint field.


Step 7 Enable mutual SSL authentication between the SCEP server and the [Link]
   Note: [Link] Processing Standard (FIPS). FIPS-CC operation is indicated on the firewall login page and in its status bar.
   Select the SCEP server's root CA [Link], you can enable mutual SSL authentication between the SCEP server and the GlobalProtect portal by selecting a Client Certificate.

Step 8 Save and commit the configuration.
   1. Click OK to save the settings and close the SCEP configuration.
   2. Commit the configuration.
      The portal attempts to request a CA certificate using the settings in [Link] successful, the CA certificate is shown in Device > Certificate Management > Certificates.

Step 9 (Optional) If, after saving the SCEP profile, the portal fails to obtain the certificate, you can manually generate a certificate signing request (CSR) from the portal.
   1. Select Device > Certificate Management > Certificates > Device Certificates and then click Generate.
   2. Enter a Certificate [Link].
   3. Select the SCEP Profile to use to submit a CSR to your enterprise PKI.
   4. Click OK to submit the request and generate the certificate.

Step 10 Set Up Two-Factor Authentication.
   Assign the SCEP profile to a GlobalProtect portal agent configuration to enable the portal to transparently request and deploy client certificates to clients that receive the configuration.

Set Up Two-Factor Authentication

If you require strong authentication to protect sensitive assets or to comply with regulatory requirements, such as PCI, SOX, or HIPAA, configure GlobalProtect to use an authentication service that uses a two-factor [Link]: something the end user knows (such as a PIN or password) and something the end user has (a hardware or software token/OTP, smart card, or certificate). You can also enable two-factor authentication using a combination of external authentication services, and client and certificate profiles.
The following topics provide examples for how to set up two-factor authentication on GlobalProtect:
- Enable Two-Factor Authentication Using Certificate and Authentication Profiles
- Enable Two-Factor Authentication Using One-Time Passwords (OTPs)
- Enable Two-Factor Authentication Using Smart Cards


Enable Two-Factor Authentication Using Certificate and Authentication Profiles

The following workflow describes how to configure GlobalProtect client authentication requiring the user to [Link] authenticate using both methods in order to connect to the portal/[Link] configuration, see Remote Access VPN with Two-Factor Authentication.

Enable Two-Factor Authentication Using Certificate and Authentication Profiles

Step 1 Create an authentication server profile.
   The authentication server profile determines how the firewall connects to an external authentication service and retrieves the authentication credentials for your users.
   Note: If you are using LDAP to connect to Active Directory (AD), you must create a separate LDAP server profile for every AD domain.
   1. Select Device > Server Profiles and a profile type (LDAP, Kerberos, RADIUS, or TACACS+).
   2. Add a new server profile.
   3. Enter a Profile Name for the profile, such as GPUserAuth.
   4. (LDAP only) Select the Type of LDAP server (active-directory, e-directory, sun, or other).
   5. Click Add in the Servers list section and then enter the required information for connections to the authentication service, including the server Name, IP address or FQDN of the Server, and Port.
   6. (RADIUS, TACACS+, and LDAP only) Specify settings to enable the firewall to authenticate to the authentication service as follows:
      - RADIUS and TACACS+: Enter the shared Secret when adding the server entry.
      - LDAP: Enter the Bind DN and Password.
   7. (LDAP only) If you want the endpoint to use SSL or TLS for a more secure connection with the directory server, select the Require SSL/TLS secured connection check box (selected by default). The protocol that the device uses depends on the server Port in the Server list:
      - 389 (default): TLS (specifically, the device uses the StartTLS operation to upgrade the initial plaintext connection to TLS).
      - 636: SSL.
      - [Link] directory server does not support TLS, the device uses SSL.
   8. (LDAP only) For additional security, select the Verify Server Certificate for SSL sessions check box so that the endpoint verifies the certificate that the directory server presents for SSL/[Link], you also must select the Require SSL/TLS secured connection check box. For verification to succeed, one of the following conditions must be true:
      - The certificate is in the list of device certificates: Device > Certificate Management > Certificates > Device [Link] necessary.
      - The certificate signer is in the list of trusted certificate authorities: Device > Certificate Management > Certificates > Default Trusted Certificate Authorities.
   9. Click OK to save the server profile.


Step 2 Create an authentication profile that identifies the service for authenticating users. (You later have the option of assigning the profile on the portal and on gateways.)
   1. Select Device > Authentication Profile and Add a new profile.
   2. Enter a Name for the profile.
   3. Select the Location.
   4. Select the Type of Authentication (LDAP, Kerberos, RADIUS, or TACACS+).
   5. Select the Server Profile you created in Step 1.
   6. (LDAP only) Enter sAMAccountName as the Login Attribute.
   7. Click OK to save the authentication profile.

Step 3 Create a client certificate profile that the portal uses to authenticate the client certificates that come from user devices.
   Note: When you configure two-factor authentication to use client certificates, the external authentication service uses the username value to authenticate the user, if specified, in the client [Link] user who is logging in is actually the user to whom the certificate was issued.
   1. Select Device > Certificates > Certificate Management > Certificate Profile, click Add, and enter a profile Name.
   2. Select a value for the Username Field:
      - If you intend for the client certificate to authenticate individual users, select the certificate field that identifies the user.
      - If you are deploying the client certificate from the portal, leave this field set to None.
      - If you are setting up a certificate profile for use with a pre-logon connect method, leave the field set to None.
   3. In the CA Certificates area, click Add and then:
      a. Select the CA certificate, either a trusted root CA certificate or the CA certificate from a SCEP server. (If necessary, import the certificate.)
      b. (Optional) Enter the Default OCSP URL.
      c. (Optional) Select a certificate for OCSP Verify CA.
   4. (Optional) Select options that specify when to block the user's requested session:
      a. Status of certificate is unknown.
      b. GlobalProtect component does not retrieve certificate status within the number of seconds in Certificate Status Timeout.
      c. The authenticating device that is considering the login request did not issue the certificate that the user is offering.
   5. Click OK.

Step 4 (Optional) Issue client certificates to GlobalProtect users/machines.
   To transparently deploy client certificates, configure your portal to distribute a shared client certificate to your endpoints, or configure the portal to use SCEP to request and deploy unique client certificates for each user.
   1. Use your enterprise PKI or a public CA to issue a client certificate to each GlobalProtect user.
   2. For the pre-logon connect methods, install certificates in the personal certificate store on the client systems.

Step 5 Save the GlobalProtect configuration.
   Click Commit.


Enable Two-Factor Authentication Using One-Time Passwords (OTPs)

Use this workflow to configure two-factor authentication using one-time passwords (OTPs) on the portal [Link], [Link] authentication service sends the OTP as a token to the user's RSA device.
Setting up a two-factor authentication scheme is similar to setting up other types of authentication and requires you to configure:
- A server profile (usually for a RADIUS service for two-factor authentication) assigned to an authentication profile.
- A client authentication profile that includes the authentication profile for the service that these components use.
By default, [Link] case of OTP authentication, this behavior will cause the authentication to initially fail on the gateway and, because of the delay this causes in prompting the user for a login, [Link] this, you must configure the portals and gateways that prompt for the OTP instead of using the same credentials on a per-agent-configuration basis.
You can also reduce the frequency in which users are prompted for OTPs by configuring an authentication [Link] [Link]/or gateways will not require a new OTP until the cookie expires, thus reducing the number of times users must provide an OTP.

Enable Two-Factor Authentication Using OTPs

Step 1 After you have configured the back-end RADIUS service to generate tokens for the OTPs and ensured users have any necessary devices (such as a hardware token), set up a RADIUS server to interact with the firewall.
   For specific instructions, refer to the documentation for your [Link], you need to set up an authentication agent and a client configuration on the RADIUS server to enable [Link] also define the shared secret to use for encrypting sessions between the firewall and the RADIUS server.

Step 2 On each firewall that hosts the gateways and/or portal, create a RADIUS server profile. (For a small deployment, one firewall can host the portal and gateways.)
   Note: When creating the RADIUS server profile, always enter a [Link] as the default domain for User-ID mapping if users don't supply a User-ID upon login.
   1. Select Device > Server Profiles > RADIUS.
   2. Add a new profile.
   3. Enter a Name for this RADIUS profile.
   4. Enter a RADIUS Domain name.
   5. In the Servers area, Add a RADIUS instance and enter:
      - A descriptive Name to identify this RADIUS server
      - The RADIUS Server IP address
      - The shared Secret for encrypting sessions between the firewall and the RADIUS server
      - The Port number on which the RADIUS server listens for authentication requests (default 1812)
   6. Click OK to save the profile.


Step 3 Create an authentication profile.
   1. Select Device > Authentication Profile.
   2. Add a new profile.
   3. [Link].
   4. Select RADIUS as the Type of authentication service.
   5. Select the Server Profile you created for accessing your RADIUS server.
   6. Click OK to save the authentication profile.

Step 4 Assign the authentication profile to the GlobalProtect gateway(s) and/or portal.
   You can configure multiple Client Authentication configurations for the [Link] Authentication configuration you can specify the authentication profile to apply to endpoints of a specific OS.
   This step describes only how to add the authentication profile to the gateway or [Link] details on setting up these components, see Configure GlobalProtect Gateways and Configure the GlobalProtect Portal.
   1. Select Network > GlobalProtect > Gateways and an existing gateway configuration by name (or Add one). If you are adding a new gateway, specify its name, location, and network parameters.
   2. On the Authentication tab, select an SSL/TLS service profile or Add a new profile.
   3. Add a Client Authentication configuration and enter its Name.
   4. Select the endpoint OS to which this configuration applies.
   5. Select the Authentication Profile you created in Create an authentication profile.
   6. (Optional) Enter a custom authentication message.
   7. To add additional Client Authentication configurations, repeat steps 3 through 6.
   8. Click OK to save the configuration.
   9. To add other gateways, repeat steps 2 through 8.
   10. To assign the authentication profile to the portal, select Network > GlobalProtect > Portals and repeat steps 2 through 8.

Step 5 (Optional) Configure the portal or gateways to prompt for a username and password, or only a password, each time [Link] not supported with two-factor authentication using OTPs because the user must enter a dynamic password each time they log in.
   This step describes only how to configure the password setting in a [Link] details, see Customize the GlobalProtect Agent.
   1. Select Network > GlobalProtect > Portals and select an existing portal configuration.
   2. Select Agent.
   3. Select an existing agent configuration or Add one.
   4. Set Save User Credentials to Save Username [Link] setting enables GlobalProtect to prompt for dynamic passwords for each component you select in the following step.
   5. Click OK twice to save the configuration.


Step 6 Select the GlobalProtect components (portal and types of gateways) that prompt for dynamic passwords, such as OTPs, instead of using saved credentials.
   1. Select Network > GlobalProtect > Portals and select an existing portal configuration.
   2. Select Agent.
   3. Select an existing agent configuration or Add one.
   4. Select the Authentication tab, and then select the Components that Require Dynamic Passwords (Two-Factor Authentication). When selected, the portal and/or types of gateways prompt for OTPs.
   5. Click OK twice to save the configuration.

Step 7 If single sign-on (SSO) is enabled, disable [Link] RADIUS as the authentication service, so Kerberos SSO is not supported.
   This step describes only how to disable [Link], see Define the GlobalProtect Agent Configurations.
   1. Select Network > GlobalProtect > Portals and select the portal configuration.
   2. Select Agent and then select the agent configuration (or Add one).
   3. Select the App tab.
   4. Set Use Single Sign-on to No.
   5. Click OK twice to save the configuration.


Step 8 (Optional) To minimize the number of times a user must provide credentials, configure an authentication override.
   By default, the portal or gateways authenticate the user with an authentication profile and optional [Link] override, the portal or gateway authenticates the user with an encrypted cookie that it has deployed to the [Link], the user can log in without entering regular [Link] information, see Cookie Authentication on the Portal or Gateway.
   Note: If you need to immediately block access to a device whose cookie has not yet expired (for example, if the device is lost or stolen), you can Block Device Access by adding the device to a block list. For more details, see Configure GlobalProtect Gateways and Configure the GlobalProtect Portal.
   1. Select Network > GlobalProtect > Gateways or Portals and select the configuration (or Add one).
   2. Select Agent > Client Settings (on the gateway) or Agent (on the portal) and then select the configuration (or Add one).
   3. In the Authentication Override area, configure the following:
      - Generate cookie for authentication override: Enable the portal or gateway to generate encrypted, endpoint-specific [Link], the portal or gateway issues the authentication cookie to the endpoint.
      - Cookie Lifetime: Specify the hours, days, or weeks that the cookie is valid. Typical lifetime is 24 hours for gateways, which protect sensitive information, or 15 days for the portal. The range for hours is 1-72; for weeks, 1-52; and for days, [Link] gateway (whichever occurs first), the portal or gateway prompts the user to authenticate and subsequently encrypts a new cookie to send to the endpoint.
      - Accept cookie for authentication override: Select the check box to instruct the portal or gateway to authenticate the user through a valid, [Link] endpoint presents a valid cookie, the portal or gateway verifies that the cookie was encrypted by the portal or gateway, decrypts the cookie, and then authenticates the user.
      - Certificate to Encrypt/Decrypt Cookie: Select the RSA [Link] must use the same certificate on the portal and gateways.
        Note: As a best practice, configure the RSA certificate to use the strongest digest algorithm that your network supports.
        The portal and gateways use the RSA encryption padding scheme PKCS#1 v1.5 to generate the cookie (using the public key of the certificate) and decrypt the cookie (using the private key of the certificate).
   4. Click OK twice to save the configuration.

Step 9 Commit the configuration.
   Click Commit.


Step 10 Verify the configuration.
   The gateway and portal must be [Link] details on setting up these components, see Configure GlobalProtect Gateways and Configure the GlobalProtect Portal.
   From an endpoint running the GlobalProtect agent, try to connect to a gateway or portal on which you enabled OTP authentication. You should see two prompts similar to the following:
   The first prompt requests a PIN (either a user- or system-generated PIN):

   The second prompt requests your token or OTP:

Enable Two-Factor Authentication Using Smart Cards

If you want to enable your end users to authenticate using a smart card or common access card (CAC), you must import the Root CA certificate that issued the certificates contained on the end-user CAC or smart [Link] apply it to your portal and/or gateway configurations to enable use of the smart card in the authentication process.

Enable Smart Card Authentication

Step 1 Set up your smart card infrastructure.
   This procedure assumes that you have deployed smart cards and smart card readers to your end users.
   For specific instructions, refer to the documentation for the user authentication provider software.
   In most cases, setting up the smart card infrastructure involves generating certificates for end users and for the participating servers, which are the GlobalProtect portal and gateway(s) in this use case.


Step 2 Import the Root CA certificate that issued the client certificates contained on the end-user smart cards.
   Make sure the certificate is accessible from your management system and then complete the following steps:
   1. Select Device > Certificate Management > Certificates > Device Certificates.
   2. Click Import and enter a Certificate Name.
   3. Enter the path and name to the Certificate File received from the CA, or Browse to find the file.
   4. Select Base64 Encoded Certificate (PEM) as the File Format and then click OK to import the certificate.

Step 3 Create the certificate profile.
   Note: For details on other certificate profile fields, such as whether to use CRL or OCSP, refer to the online help.
   Create the certificate profile on each portal/gateway on which you plan to use CAC or smart card authentication:
   1. Select Device > Certificate Management > Certificate Profile, click Add, and enter a profile Name.
   2. In the Username field, select the certificate field that PAN-OS uses to match the IP address for User-ID: either Subject to use a common name, Subject Alt: Email to use an email address, or Subject Alt: Principal Name to use the Principal Name.
   3. In the CA Certificates field, click Add, select the trusted root CA Certificate you imported in Step 2, and then click OK.
   4. Click OK to save the certificate profile.

Step 4 Assign the certificate profile to the gateway(s) [Link] describes only how to add the certificate profile to the gateway or portal [Link] these components, see Configure GlobalProtect Gateways and Configure the GlobalProtect Portal.
   1. Select Network > GlobalProtect > Gateways or Portals and select the configuration (or Add a new one).
   2. On the Authentication tab, select the Certificate Profile you just created.
   3. Click OK to save the configuration.

Step 5 Save the configuration.
   Click Commit.


Step 6 Verify the configuration.
   The gateway and portal must be [Link] details on setting up these components, see Configure GlobalProtect Gateways and Configure the GlobalProtect Portal.
   From a client system running the GlobalProtect agent, try to connect to a gateway or portal on which you enabled OTP [Link] following:
   The first prompt requests a PIN (either a user- or system-generated PIN):

   The second prompt requests your token or OTP:

Set Up Authentication for strongSwan Ubuntu and CentOS Clients

To extend GlobalProtect VPN remote access support to strongSwan Ubuntu and CentOS clients, set up authentication for the strongSwan clients.

To view the minimum GlobalProtect release version that supports strongSwan on Ubuntu Linux and CentOS, see What Client OS Versions are Supported with GlobalProtect?.

To connect to the GlobalProtect gateway, [Link] [Link] strongSwan, see the strongSwan wiki.
- Enable Authentication Using a Certificate Profile
- Enable Authentication Using an Authentication Profile
- Enable Authentication Using Two-Factor Authentication


Enable Authentication Using a Certificate Profile

The following workflow shows how to enable authentication for strongSwan clients using a certificate profile.

Enable Authentication Using a Certificate Profile

Step 1 Configure an IPSec tunnel for the GlobalProtect gateway for communicating with a strongSwan client.
   1. Select Network > GlobalProtect > Gateways and then select the gateway name.
   2. Select the Certificate Profile you want to use for authentication in the Authentication tab.
   3. Select Agent > Tunnel Settings and specify the following settings to set up a tunnel:
      - Select the check box to Enable X-Auth Support.
      - If a Group Name and Group Password are already configured, remove them.
      - Click OK to save the settings.

Step 2 Verify that the default connection settings in the conn %default section of the IPSec tunnel configuration file ([Link]) are correctly defined for the strongSwan client.
   Note: [Link]/etc folder.
   Note: The configurations in this procedure are tested and verified for the following releases:
      - Ubuntu 14.0.4 with strongSwan 5.1.2 and CentOS 6.5 with strongSwan 5.1.3 for PAN-OS 6.1.
      - Ubuntu 14.0.4 with strongSwan 5.2.1 for PAN-OS 7.0.
      The configurations in this procedure can be used for reference if you are using a [Link] the strongSwan wiki for more information.
   Modify the following settings in the conn %default [Link] settings.
      ikelifetime=20m
      reauth=yes
      rekey=yes
      keylife=10m
      rekeymargin=3m
      rekeyfuzz=0%
      keyingtries=1
      type=tunnel

Step 3 Modify the strongSwan client's IPSec configuration file ([Link]) and the IPSec password file ([Link]) to use recommended settings.
   Note: [Link] file is usually found in the /etc folder.
   Note: Use the strongSwan client username as the certificate's common name.
   [Link] recommended settings.
      conn <connection name>
          keyexchange=ikev1
          authby=rsasig
          ike=aes-sha1-modp1024,aes256
          left=<strongSwan/Linux-client-IP-address>
          leftcert=<client certificate with the strongSwan client username used as the certificate's common name>
          leftsourceip=%config
          leftauth2=xauth
          right=<GlobalProtect-Gateway-IP-address>
          rightid=CN=<Subject-name-of-gateway-certificate>
          rightsubnet=[Link]/0
          auto=add
   [Link] recommended settings.
      :RSA <private key file> <passphrase if used>


Step 4 Start strongSwan IPSec services and connect to the IPSec tunnel that you want the strongSwan client to use when authenticating to the GlobalProtect gateway.
   Use the config <name> variable to name the tunnel configuration.
   Ubuntu clients:
      ipsec start
      ipsec up <name>
   CentOS clients:
      strongswan start
      strongswan up <name>

Step 5 Verify that the tunnel is set up correctly and the VPN connection is established to both the strongSwan client and the GlobalProtect gateway.
   1. Verify the detailed status information on a specific connection (by naming the connection) or verify the status information for all connections from the strongSwan client:
      Ubuntu clients:
         ipsec statusall [<connection name>]
      CentOS clients:
         strongswan statusall [<connection name>]
   2. Select Network > GlobalProtect > [Link], in the Info column, select Remote Users for the gateway configured for the connection to the strongSwan [Link] Current Users.

Enable Authentication Using an Authentication Profile

The following workflow shows how to enable authentication for strongSwan clients using an authentication [Link] clients.

Enable Authentication Using an Authentication Profile

Step 1 Set up the IPSec tunnel that the GlobalProtect gateway will use for communicating with a strongSwan client.
   1. Select Network > GlobalProtect > Gateways and select the gateway name.
   2. Select the Authentication Profile you want to use in the Authentication tab.
   3. Select Agent > Tunnel Settings and specify the following settings to set up a tunnel:
      - Select the check box to Enable X-Auth Support.
      - Enter a Group Name and Group Password if they are not already configured.
      - Click OK to save these tunnel settings.


Step 2 Verify that the default connection settings in the conn %default section of the IPSec tunnel configuration file ([Link]) are correctly defined for the strongSwan client.
   Note: [Link]/etc folder.
   Note: The configurations in this procedure are tested and verified for the following releases:
      - Ubuntu 14.0.4 with strongSwan 5.1.2 and CentOS 6.5 with strongSwan 5.1.3 for PAN-OS 6.1.
      - Ubuntu 14.0.4 with strongSwan 5.2.1 for PAN-OS 7.0.
      The configurations in this procedure can be used for reference if you are using a [Link] the strongSwan wiki for more information.
   In the conn %default section of the [Link] file, configure the following recommended settings:
      ikelifetime=20m
      reauth=yes
      rekey=yes
      keylife=10m
      rekeymargin=3m
      rekeyfuzz=0%
      keyingtries=1
      type=tunnel

Step 3 Modify the strongSwan client's IPSec configuration file ([Link]) and the IPSec password file ([Link]) to use recommended settings.
   Note: [Link] /etc folder.
   Note: Use the strongSwan client username as the certificate's common name.
   Configure the following recommended settings in the [Link]:
      conn <connection name>
          keyexchange=ikev1
          ikelifetime=1440m
          keylife=60m
          aggressive=yes
          ike=aes-sha1-modp1024,aes256
          esp=aes-sha1
          xauth=client
          left=<strongSwan/Linux-client-IP-address>
          leftid=@#<hex of Group Name configured in the GlobalProtect gateway>
          leftsourceip=%modeconfig
          leftauth=psk
          rightauth=psk
          leftauth2=xauth
          right=<gateway-IP-address>
          rightsubnet=[Link]/0
          xauth_identity=<LDAP username>
          auto=add
   Configure the following recommended settings in the [Link]:
      :PSK <Group Name configured in the gateway>
      <username> :XAUTH <user password>

Step 4 Start strongSwan IPSec services and connect to the IPSec tunnel that you want the strongSwan client to use when authenticating to the GlobalProtect gateway.
   Ubuntu clients:
      ipsec start
      ipsec up <name>
   CentOS clients:
      strongswan start
      strongswan up <name>


Step 5 Verify that the tunnel is set up correctly and the VPN connection is established to both the strongSwan client and the GlobalProtect gateway.
   1. Verify the detailed status information on a specific connection (by naming the connection) or verify the status information for all connections from the strongSwan client:
      Ubuntu clients:
         ipsec statusall [<connection name>]
      CentOS clients:
         strongswan statusall [<connection name>]
   2. Select Network > GlobalProtect > [Link], in the Info column, select Remote Users for the gateway configured for the connection to the strongSwan [Link] Current Users.

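The following is an added example for the authentication-profile procedure above; it is not code from the GlobalProtect guide or from the strongSwan project. It checks the conn %default section of an existing IPSec configuration file against the values recommended in Step 2, and renders the Step 3 conn stanza and secrets entries, computing the hex-encoded leftid from the gateway Group Name. The group name, addresses, username, and connection name are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the GlobalProtect guide or strongSwan).
# Constructed values used below: Group Name "gpgroup", client 198.51.100.10,
# gateway 203.0.113.5, XAUTH user "alice", connection name "gpgw".

# The conn %default settings the guide recommends (its Step 2).
GP_DEFAULTS='ikelifetime=20m
reauth=yes
rekey=yes
keylife=10m
rekeymargin=3m
rekeyfuzz=0%
keyingtries=1
type=tunnel'

# Print the key=value lines of the "conn %default" section of an ipsec.conf
# style file ($1), with whitespace removed so they can be compared exactly.
default_section() {
    awk '
        /^(conn|config)[ \t]/ { insec = ($2 == "%default"); next }
        insec && /=/          { gsub(/[ \t]/, ""); print }
    ' "$1"
}

# Report every recommended default that is missing or set to another value.
# Returns 0 when the file matches the guide's list, 1 otherwise.
check_defaults() {
    actual=$(default_section "$1")
    rc=0
    for want in $GP_DEFAULTS; do
        if ! printf '%s\n' "$actual" | grep -qxF "$want"; then
            echo "conn %default: missing or different: $want"
            rc=1
        fi
    done
    return "$rc"
}

# leftid carries the gateway's Group Name as "@#" followed by its hex bytes.
gp_leftid() {
    printf '@#%s' "$(printf '%s' "$1" | od -An -tx1 | tr -d ' \n')"
}

# Render the conn stanza with the guide's recommended Step 3 settings.
# $1 connection name, $2 client IP, $3 gateway IP, $4 Group Name, $5 XAUTH user
render_conn() {
    cat <<EOF
conn $1
    keyexchange=ikev1
    ikelifetime=1440m
    keylife=60m
    aggressive=yes
    ike=aes-sha1-modp1024,aes256
    esp=aes-sha1
    xauth=client
    left=$2
    leftid=$(gp_leftid "$4")
    leftsourceip=%modeconfig
    leftauth=psk
    rightauth=psk
    leftauth2=xauth
    right=$3
    rightsubnet=0.0.0.0/0
    xauth_identity=$5
    auto=add
EOF
}

# Render the two secrets entries from Step 3 in strongSwan's quoted syntax.
# $1 value for the :PSK entry, $2 XAUTH user, $3 that user's password.
# Write the output to the secrets file with mode 0600; it holds credentials.
render_secrets() {
    printf ': PSK "%s"\n%s : XAUTH "%s"\n' "$1" "$2" "$3"
}

# Stand-alone usage with the constructed values: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    render_conn gpgw 198.51.100.10 203.0.113.5 gpgroup alice
fi
```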
Enable Authentication Using Two-Factor Authentication

With two-factor authentication, the strongSwan client needs to successfully authenticate using both a [Link] workflow shows how to enable authentication for strongSwan clients using two-factor authentication.

Enable Authentication Using Two-Factor Authentication

Step 1 Set up the IPSec tunnel that the GlobalProtect gateway will use for communicating with a strongSwan client.
   1. Select Network > GlobalProtect > Gateways and select the gateway name.
   2. Select the Certificate Profile and Authentication Profile you want to use in the Authentication tab.
   3. Select Agent > Tunnel Settings and specify the following settings to set up a tunnel:
      - Select the check box to Enable X-Auth Support.
      - If a Group Name and Group Password are already configured, remove them.
      - Click OK to save these tunnel settings.


Step 2 Verify that the default connection settings in the conn %default section of the IPSec tunnel configuration file ([Link]) are correctly defined for the strongSwan client.
   Note: [Link]/etc folder.
   Note: The configurations in this procedure are tested and verified for the following releases:
      - Ubuntu 14.0.4 with strongSwan 5.1.2 and CentOS 6.5 with strongSwan 5.1.3 for PAN-OS 6.1.
      - Ubuntu 14.0.4 with strongSwan 5.2.1 for PAN-OS 7.0.
      Use the configurations in this procedure as a reference if you are using a different [Link] strongSwan wiki for more information.
   Configure the following recommended settings in the [Link]:
      ikelifetime=20m
      reauth=yes
      rekey=yes
      keylife=10m
      rekeymargin=3m
      rekeyfuzz=0%
      keyingtries=1
      type=tunnel

Step 3 Modify the strongSwan client's IPSec configuration file ([Link]) and the IPSec password file ([Link]) to use recommended settings.
   Note: [Link] /etc folder.
   Note: Use the strongSwan client username as the certificate's common name.
   Configure the following recommended settings in the [Link]:
      conn <connection name>
          keyexchange=ikev1
          authby=xauthrsasig
          ike=aes-sha1-modp1024
          esp=aes-sha1
          xauth=client
          left=<strongSwan/Linux-client-IP-address>
          leftcert=<client-certificate-without-password>
          leftsourceip=%config
          right=<GlobalProtect-gateway-IP-address>
          rightid=%anyCN=<Subject-name-of-gateway-cert>
          rightsubnet=[Link]/0
          leftauth2=xauth
          xauth_identity=<LDAP username>
          auto=add
   Configure the following recommended settings in the [Link]:
      <username> :XAUTH <user password>
      :RSA <private key file> <passphrase if used>

Step 4 Start strongSwan IPSec services and connect to the IPSec tunnel that you want the strongSwan client to use when authenticating to the GlobalProtect gateway.
   Ubuntu clients:
      ipsec start
      ipsec up <name>
   CentOS clients:
      strongswan start
      strongswan up <name>


Step 5 Verify that the tunnel is set up correctly and the VPN connection is established to both the strongSwan client and the GlobalProtect gateway.
   1. Verify the detailed status information on a specific connection (by naming the connection) or verify the status information for all connections from the strongSwan client:
      Ubuntu clients:
         ipsec statusall [<connection name>]
      CentOS clients:
         strongswan statusall [<connection name>]
   2. Select Network > GlobalProtect > [Link], in the Info column, select Remote Users for the gateway configured for the connection to the strongSwan [Link] Current Users.


Enable Group Mapping

Because the agent or app running on your end-user systems requires the user to successfully authenticate before being granted access to GlobalProtect, [Link], if you want to be able to define GlobalProtect configurations and/or security policies based on group membership, the firewall must retrieve the list of groups and the corresponding list of members from your [Link].
To enable this functionality, you must create an LDAP server profile that instructs the firewall how to connect and authenticate to the directory server and how to search the directory for the user and group [Link], you can select [Link] LDAP directory servers, including Microsoft Active Directory (AD), Novell eDirectory, and Sun ONE Directory Server.
Use the following procedure to connect to your LDAP directory to enable the firewall to retrieve user-to-group mapping information:


Map Users to Groups

Step 1 Create an LDAP Server Profile that specifies how to connect to the directory servers to which the firewall should connect to obtain group mapping information.
   1. Select Device > Server Profiles > LDAP and click Add.
   2. Enter a Profile Name to identify the server profile.
   3. If this profile is for a firewall with multiple virtual systems capability, select a virtual system or Shared as the Location where the profile is available.
   4. For each LDAP server (up to four), Add and enter a Name (to identify the server), server IP address (LDAP Server field), and server Port (default 389).
   5. Select the server Type from the drop-down: active-directory, e-directory, sun, or other.
   6. If you want the device to use SSL or TLS for a more secure connection with the directory server, select the Require SSL/TLS secured connection check box (it is selected by default). The protocol that the device uses depends on the server Port:
      - 389 (default): TLS (Specifically, the device uses the StartTLS operation, which upgrades the initial plaintext connection to TLS.)
      - 636: SSL
      - [Link] directory server doesn't support TLS, the device falls back to SSL.
   7. For additional security, you can select the Verify Server Certificate for SSL sessions check box (it is cleared by default) so that the device verifies the certificate that the directory server presents for SSL/[Link] verification, you also have to select the Require SSL/TLS secured [Link], the certificate must meet one of the following conditions:
      - It is in the list of device certificates: Device > Certificate Management > Certificates > Device [Link] the certificate into the device, if necessary.
      - The certificate signer is in the list of trusted certificate authorities: Device > Certificate Management > Certificates > Default Trusted Certificate Authorities.
   8. Click OK.

Step 2 Add the LDAP server profile to the User-ID Group Mapping configuration.
   1. Select Device > User Identification > Group Mapping Settings and click Add.
   2. Enter a Name for the configuration.
   3. Select the Server Profile you just created.
   4. Make sure the Enabled check box is selected.


Step 3  (Optional) Limit which groups can be selected in policy rules. By default, if you don't specify groups, all groups are available in policy rules.
    1. Add existing groups from the directory service:
       a. Select the Group Include List tab.
       b. In the Available Groups list, select the groups you want to appear in policy rules and click the Add icon.
    2. If you want to base policy rules on user attributes that don't match existing user groups, create custom groups based on LDAP filters:
       a. Select the Custom Group tab and click Add.
       b. Enter a group Name that is unique in the group mapping [Link] the Name has the same value as the Distinguished Name (DN) of an existing AD group domain, the firewall uses the custom group in all references to that name (for example, in policies and logs).
       c. Specify an LDAP Filter of up to 2,048 UTF-8 characters, [Link].
          To optimize LDAP searches and minimize the performance impact on the LDAP directory server, use only indexed attributes in the filter.

Step 4  Commit your changes.
    Click OK and Commit.


Configure GlobalProtect Gateways

Because the GlobalProtect configuration that the portal delivers to the agents includes the list of gateways the client can connect to, it is a good idea to configure the gateways before configuring the portal.
The GlobalProtect Gateways can be configured to provide two main functions:
• [Link]
• [Link] checks, see Use Host Information in Policy Enforcement.
• Provide virtual private network (VPN) [Link] an IPSec or SSL tunnel between the client and a tunnel interface on the gateway firewall.

[Link] the VM-Series firewall in the AWS cloud you can quickly and easily deploy GlobalProtect gateways in any region without the expense or IT logistics that are typically required to set up this infrastructure using your own [Link], see Use Case: VM-Series Firewalls as GlobalProtect Gateways in AWS.

Prerequisite Tasks for Configuring the GlobalProtect Gateway

Before you can configure the GlobalProtect gateway, you must have completed the following tasks:
• Created the interfaces (and zones) [Link] gateways that require tunnel connections you must configure both the physical interface and the virtual [Link].
• Set up the gateway server certificates and SSL/TLS service profile required for the GlobalProtect agent [Link].
• Defined the authentication profiles and/or certificate profiles that will be used to authenticate [Link].

Configure a GlobalProtect Gateway

After you have completed the prerequisite tasks, configure the GlobalProtect Gateways:

Configure the Gateway

Step 1  Add a gateway.
    1. Select Network > GlobalProtect > Gateways and click Add.
    2. In the General screen, [Link] gateway name should have no spaces and, as a best practice, should include the location or other descriptive information to help users and administrators identify the gateway.
    3. (Optional) Select the virtual system to which this gateway belongs from the Location field.


Step 2  Specify the network information that enables clients to connect to the gateway.
    If you haven't created the network interface for the gateway, see Create Interfaces and Zones for GlobalProtect for instructions.
    1. Select the Interface that clients will use for communication with the gateway.
    2. Select the IP Address for the gateway web service.
    3. Click OK to save changes.

Step 3  Specify how the gateway authenticates users.
    If you haven't created an SSL/TLS service profile for the gateway, see Deploy Server Certificates to the GlobalProtect Components.
    If you haven't set up the authentication profiles or certificate profiles, see Set Up GlobalProtect User Authentication for instructions.
    Select Authentication and then configure any of the following:
    • To secure communication between the gateway and the agents, select the SSL/TLS Service Profile for the gateway.
    • To authenticate users with a local user database or an external authentication service, such as LDAP, Kerberos, TACACS+, or RADIUS (including OTP), Add a Client Authentication configuration with the following settings:
      • Enter a Name to identify the client authentication configuration.
      • Identify the type of client to which this configuration [Link], the configuration applies to Any client, but you can customize the type of endpoint by OS (Android, Chrome, iOS, Mac, Windows, or Windows UWP) or by third-party IPSec VPN clients (X-Auth).
      • Select or add an Authentication Profile to authenticate an endpoint seeking access to the gateway.
      • Enter an Authentication Message to help end users [Link] message can be up to 100 characters in length (default is Enter login credentials).
    • To authenticate users based on a client certificate or a smart card/CAC, select the corresponding Certificate Profile.
    • To use two-factor authentication, select both an authentication [Link] successfully authenticate using both methods to be granted access.


Step 4  Enable tunneling and configure the tunnel parameters.
    The tunnel parameters are required if [Link] you are configuring an internal gateway, they are optional.
    If you want to force use of SSL-VPN tunnel mode, clear the Enable [Link] default, SSL-VPN will only be used if the endpoint fails to establish an IPSec tunnel.
    Extended authentication (X-Auth) is only supported on IPSec tunnels. If you Enable X-Auth Support, [Link] GlobalProtect IPSec Crypto profiles are not applicable.
    For information on supported cryptographic algorithms, see Reference: GlobalProtect Agent Cryptographic Functions.
    1. On the GlobalProtect Gateway Configuration dialog, select Agent > Tunnel Settings.
    2. Select the Tunnel Mode check box to enable tunneling.
    3. Select the Tunnel Interface you defined in Step 2 in Create Interfaces and Zones for GlobalProtect.
    4. (Optional) Specify Max User for the maximum number of users that can access the gateway at the same time for authentication, HIP updates, and GlobalProtect agent updates (range varies based on the platform and is displayed when the field is empty).
    5. Select a GlobalProtect IPSec Crypto profile to secure the VPN [Link] default profile uses AES-128-CBC encryption and sha1 authentication. [Link] new profile, select New GlobalProtect IPSec Crypto in the same drop-down and configure the following:
       a. Enter a Name to identify the profile.
       b. Add the Authentication and Encryption algorithms that the VPN peers can use to negotiate the keys for securing the data in the tunnel:
          • Encryption: If you are not certain of what the VPN peers support, you can add multiple encryption algorithms in top-to-bottom order of most to least secure, as follows: aes-256-gcm, aes-128-gcm, [Link] negotiate the strongest algorithm to establish the tunnel.
          • Authentication: Select the authentication algorithm (sha1) to provide data integrity and authenticity [Link] required for the profile, this setting only applies to the AES-CBC cipher (aes-128-cbc). If you use an AES-GCM encryption algorithm (aes-256-gcm or aes-128-gcm), the setting is ignored because these ciphers natively provide ESP integrity protection.
       c. Click OK to save the profile.
    6. (Optional) Select Enable X-Auth Support if any endpoint needs to connect to the gateway by using a third-party VPN (for example, a VPNC client running on Linux). If you enable X-Auth, you must provide the Group name and Group [Link], the user is not required to re-authenticate if the key used to establish the [Link], clear the option to Skip Auth on IKE Rekey.
       Although X-Auth access is supported on iOS and Android endpoints, it provides limited GlobalProtect [Link], use the GlobalProtect app for simplified access to all the security features that GlobalProtect provides on iOS [Link] [Link] app for Android is available at Google Play.


Step 5  (Optional) Modify the default timeout settings for endpoints.
    On the GlobalProtect Gateway Configuration dialog, select Agent > Timeout Settings and then configure the following settings:
    • Modify the maximum Login Lifetime for a single gateway login session. The default login lifetime is 30 days; during the lifetime, the user stays logged in as long as the gateway receives a HIP check from the endpoint within the Inactivity Logout [Link], the login session automatically logs out.
    • Modify the amount of time after which an inactive session is [Link] Logout period is [Link] does not receive a HIP check from the endpoint during the configured amount of time.
    • Modify the number of minutes after which idle users are logged [Link] on Idle [Link] GlobalProtect agent has not routed traffic through the VPN [Link] GlobalProtect agents that use the on-demand connect method only.
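The three timeouts interact, and the guide describes them only in prose. The following Python model is an added example (not code from the guide or from Palo Alto Networks) that evaluates a session against the three settings in the order a practitioner would reason about them: hard login lifetime first, then the HIP-check inactivity window, then the idle disconnect that applies to on-demand agents only. The 30-day lifetime is the page default; the inactivity and idle values in `demo()` are assumed values chosen for the example, and the scenarios are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class TimeoutSettings:
    """Gateway Agent > Timeout Settings as described in Step 5."""
    login_lifetime: timedelta       # maximum lifetime of one gateway login session (page default: 30 days)
    inactivity_logout: timedelta    # log out if no HIP check arrives from the endpoint within this window
    disconnect_on_idle: timedelta   # on-demand agents only: disconnect if nothing was routed through the tunnel


@dataclass
class SessionState:
    logged_in_at: datetime
    last_hip_check_at: datetime
    last_tunnel_traffic_at: Optional[datetime]  # None = agent has not routed any traffic yet
    on_demand: bool                              # True for agents using the on-demand connect method


def evaluate_session(state: SessionState, settings: TimeoutSettings, now: datetime) -> str:
    """Return which timeout, if any, ends the session at time `now`.

    Outcomes, checked in this order:
      'logout:lifetime'  - login lifetime exhausted, regardless of activity
      'logout:inactive'  - no HIP check from the endpoint within the inactivity window
      'disconnect:idle'  - on-demand agent sent nothing through the tunnel within the idle window
      'active'           - none of the above applies
    """
    if now - state.logged_in_at >= settings.login_lifetime:
        return "logout:lifetime"
    if now - state.last_hip_check_at >= settings.inactivity_logout:
        return "logout:inactive"
    if state.on_demand:
        # An agent that never routed traffic is idle since login (assumption for the example).
        last_traffic = state.last_tunnel_traffic_at or state.logged_in_at
        if now - last_traffic >= settings.disconnect_on_idle:
            return "disconnect:idle"
    return "active"


def demo() -> dict:
    """Constructed scenarios (not page data), one per outcome; returns {scenario: outcome}."""
    settings = TimeoutSettings(
        login_lifetime=timedelta(days=30),          # page default
        inactivity_logout=timedelta(hours=3),       # ASSUMED value for the example
        disconnect_on_idle=timedelta(minutes=60),   # ASSUMED value for the example
    )
    now = datetime(2016, 11, 21, 12, 0, 0)
    m, h, d = (lambda n: now - timedelta(minutes=n)), (lambda n: now - timedelta(hours=n)), (lambda n: now - timedelta(days=n))
    scenarios = {
        "expired lifetime": SessionState(d(31), m(5), m(5), on_demand=False),
        "no hip checks": SessionState(d(1), h(4), m(5), on_demand=False),
        "idle on-demand": SessionState(h(5), m(10), h(2), on_demand=True),
        "idle always-on": SessionState(h(5), m(10), h(2), on_demand=False),
    }
    return {name: evaluate_session(s, settings, now) for name, s in scenarios.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18s} -> {outcome}")
```

The "idle always-on" scenario is the one worth noticing: identical idle time, but because Disconnect on Idle applies to on-demand agents only, the always-on session stays up and is governed solely by the HIP-check inactivity window.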


Step 6  (Optional) Configure authentication override settings to enable the gateway to generate and accept secure, encrypted cookies to authenticate the [Link] provide login credentials only once during a specified period of time (for example, every 24 hours).
    By default, a gateway authenticates the user with an authentication profile and [Link] authentication override is enabled, GlobalProtect caches the result of a successful login and uses the cookie to authenticate the user instead of [Link] more information, see Cookie Authentication on the Portal or Gateway.
    If client certificates are required, the endpoint must also provide a valid certificate to be granted access.
    In the event that you need to immediately block access to a device whose cookie has not yet expired (for example, if the device is lost or stolen), you can immediately Block Device Access by adding the device to a block list.
    1. On the GlobalProtect Gateway Configuration dialog, select Agent > Client Settings.
    2. Add a new agent configuration or select an existing configuration.
    3. Enter a Name to identify the agent configuration.
    4. Configure the following settings in the Authentication Override section:
       • Generate cookie for authentication override: Enable the gateway to generate encrypted, endpoint-specific cookies and issue the authentication cookies to the endpoint.
       • Cookie Lifetime: Specify the hours, days, or weeks that the [Link] 1-72; for weeks, 1-52; and for days, [Link] cookie expires, the user must enter login credentials, and the gateway subsequently encrypts a new cookie to send to [Link] the Cookie Lifetime you configure for the portal.
       • Accept cookie for authentication override: Enable the gateway to authenticate users with a valid, encrypted [Link], the gateway verifies that the cookie was encrypted by the portal or gateway, decrypts the cookie, and then authenticates the user.
       • Certificate to Encrypt/Decrypt Cookie: Select the RSA [Link] must use the same certificate on the portal and gateways.
         As a best practice, configure the RSA certificate to use the strongest digest algorithm that your network supports.
         The portal and gateways use the RSA encrypt padding scheme PKCS#1 V1.5 to generate the cookie (using the public key of the certificate) and decrypt the cookie (using the private key of the certificate).


Step 7  Configure the user or user group and the endpoint OS to which the agent configuration applies.
    The gateway uses the user/user group settings you specify to determine which configuration to deliver to the GlobalProtect agents that connect. Therefore, if you have multiple configurations, you must make sure to [Link] gateway finds a match, it will deliver the [Link], more specific configurations must precede more [Link] 9 for instructions on ordering the list of agent configurations.
    Network settings are not required in internal gateway configurations in non-tunnel mode, because agents use the network settings assigned to the physical network adapter.
    In a gateway agent configuration, select the User/User Group tab and configure the following settings:
    • To deliver this configuration to agents or apps running on specific operating system, Add the OS (Android, Chrome, iOS, Mac, Windows, or Windows UWP) to which this configuration [Link] the configuration based on user/group only.
    • To restrict this configuration to a specific user and/or group, click Add in the User/User Group section of the window and then select the user or group you want to receive this [Link] user/group you want to add.
      Before you can restrict the configuration to specific groups, you must map users to groups as described in Enable Group Mapping.
    • To restrict the configuration to users who have not yet logged into their systems, select pre-logon from the User/User Group drop-down.
    • To apply the configuration to any user regardless of login status (both pre-logon and logged-in users), select any from the User/User Group drop-down.


Step 8  (Tunnel Mode only) Configure the network settings to assign to the virtual network adapter on the endpoint when an agent establishes a tunnel with the gateway.
    Network settings are not required in internal gateway configurations in non-tunnel mode because agents use the network settings assigned to the physical network adapter.
    You can optionally use address objects which allow you to group specific source or destination addresses when configuring gateway IP address pools or access routes.
    In a gateway agent configuration, select the Agent > Network Settings tab and configure any of the following settings and then click OK:
    • To specify the authentication server IP address pool to assign addresses to endpoints that require static IP addresses, select the Retrieve Framed-IP-Address attribute from authentication server check box and then Add the subnet or IP address range to use to assign to remote users in the Authentication Server IP [Link] established, an interface is created on the remote user's computer with an address in the subnet or IP range that matches the Framed-IP attribute of the authentication server.
      The authentication server IP address pool must be large [Link] address assignment is static and is retained after the user disconnects.
    • To specify the IP Pool to use to assign IP addresses, click Add and then specify the IP address range or address object to use. As a best practice, use a different range of IP addresses from those assigned to endpoints that are physically connected to your LAN to ensure proper routing back to the gateway.
    • To disable split tunneling including direct access to local networks on Windows and Mac OS systems, enable No direct access to local [Link], users cannot send traffic to proxies or local resources while connected to GlobalProtect.
    • To define what destination subnets to route through the tunnel click Add in the Access Route area and then enter the routes as follows:
      • Full tunneling: To route all endpoint traffic GlobalProtect, enter 0.0.0.0/[Link] use security policy to define what zones the endpoint can access (including untrust zones). The benefit of this configuration is that you have visibility into all VPN traffic and you can ensure that endpoints are secured according to your policy even when they are not physically connected to [Link] the local subnet goes through the physical adapter, rather than being tunneled to the gateway.
      • Split tunneling: To route only some traffic likely traffic destined for your LAN to GlobalProtect, specify the destination subnets or address object (of type IP Netmask) [Link], traffic that is not destined for a specified access route will be routed through the endpoint's physical adapter rather than through the virtual adapter (the tunnel).
      The firewall supports up to 100 access routes.
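To make the routing consequences of Step 8 concrete, here is an added Python example (not code from the guide or from Palo Alto Networks) that models how an endpoint decides, for a given destination, whether traffic goes through the virtual adapter (the tunnel) or the physical adapter under full versus split tunneling, how the No direct access to local network option changes that decision for the local subnet, plus two checks a practitioner wants before committing: the 100-access-route limit and the best-practice rule that the IP Pool must not overlap subnets used on the physical LAN. The function and variable names are the example's own; the subnets are constructed sample values.

```python
import ipaddress
from typing import Iterable, List, Optional

MAX_ACCESS_ROUTES = 100  # page: the firewall supports up to 100 access routes
FULL_TUNNEL = ipaddress.ip_network("0.0.0.0/0")


def parse_access_routes(routes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse the Access Route entries of a gateway agent configuration.

    Each entry is a destination subnet; 0.0.0.0/0 means full tunneling.
    Raises ValueError for malformed entries, host bits set (e.g. 10.1.2.3/8),
    non-IPv4 entries, or more than MAX_ACCESS_ROUTES routes.
    """
    parsed = []
    for route in routes:
        net = ipaddress.ip_network(route, strict=True)
        if net.version != 4:
            raise ValueError(f"only IPv4 access routes are modelled here: {route}")
        parsed.append(net)
    if len(parsed) > MAX_ACCESS_ROUTES:
        raise ValueError(f"{len(parsed)} access routes exceed the limit of {MAX_ACCESS_ROUTES}")
    return parsed


def path_for(dst: str, routes: List[ipaddress.IPv4Network],
             local_subnet: Optional[str] = None,
             no_direct_local_access: bool = False) -> str:
    """Return 'tunnel' (virtual adapter) or 'physical' for traffic to `dst`.

    Traffic to the endpoint's local subnet stays on the physical adapter even under
    full tunneling, unless 'No direct access to local network' is enabled.
    Anything not covered by an access route leaves via the physical adapter.
    """
    ip = ipaddress.ip_address(dst)
    if local_subnet is not None and not no_direct_local_access:
        if ip in ipaddress.ip_network(local_subnet, strict=False):
            return "physical"
    if any(ip in net for net in routes):
        return "tunnel"
    return "physical"


def pool_overlaps_lan(ip_pool: str, lan_subnets: Iterable[str]) -> bool:
    """Best-practice check: the gateway IP Pool should not overlap subnets assigned to
    endpoints physically connected to the LAN, or return traffic may not route to the gateway."""
    pool = ipaddress.ip_network(ip_pool, strict=False)
    return any(pool.overlaps(ipaddress.ip_network(s, strict=False)) for s in lan_subnets)


if __name__ == "__main__":
    split = parse_access_routes(["10.0.0.0/8", "192.168.50.0/24"])   # constructed LAN routes
    full = parse_access_routes(["0.0.0.0/0"])
    for dst in ("10.20.30.40", "8.8.8.8", "192.168.1.7"):
        print(dst, "split:", path_for(dst, split), "full:", path_for(dst, full, local_subnet="192.168.1.0/24"))
    print("pool overlaps LAN:", pool_overlaps_lan("192.168.1.0/24", ["192.168.1.0/24"]))
```

Under the split configuration, 8.8.8.8 leaves through the physical adapter and is invisible to the gateway's security policy; under full tunneling it is tunneled and inspected, which is the visibility trade-off the step describes.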


Step 9  Arrange the gateway agent configurations so that the proper configuration is deployed to each agent.
    When an agent connects, the gateway will compare the source information in the packet against the agent [Link] security rule evaluation, the gateway looks for a match starting from the top of [Link], it delivers the corresponding configuration to the agent or app.
    • To move a gateway configuration up on the list of configurations, select the configuration and click Move Up.
    • To move a gateway configuration down on the list of configurations, select the configuration and click Move Down.

Step 10  (Tunnel Mode only) Specify the network configuration settings for the endpoints.
    Network settings are not required in internal gateway configurations in non-tunnel mode because in this case agents use the network settings assigned to the physical network adapter.
    In a GlobalProtect Gateway Configuration, select the Agent > Network Services tab and configure the settings for endpoints in one of the following ways:
    • If the firewall has an interface that is configured as a DHCP client, set the Inheritance Source to that interface and the GlobalProtect agent will be assigned the same settings received [Link] DNS Suffixes from the inheritance source.
    • Manually assign the DNS server(s) and suffix, and WINS servers by completing the corresponding fields.

Step 11  (Optional) Define the notification messages end users will see when a security rule with a host information profile (HIP) is enforced.
    This step only applies if you have created host information profiles and added [Link] on configuring the HIP feature and for more detailed information about creating HIP notification messages, see Use Host Information in Policy Enforcement.
    In a GlobalProtect Gateway Configuration, select the Agent > HIP Notification tab and Add a new HIP Notification configuration:
    1. From the Host Information drop-down, select the HIP object or profile to which this message applies.
    2. Select Match Message or Not Match Message and then Enable notifications, depending on whether you want to display the message when the corresponding HIP profile is [Link], you might want to create messages for both a match and a non-match, depending on the objects on which you are [Link] Match Message, you can also enable the option to Include Mobile App List to indicate what applications can trigger the HIP match.
    3. Select whether you want to display the message as a System Tray Balloon or as a Pop Up Message.
    4. Enter and format the text of your message in the Template text box and then click OK.
    5. Repeat these steps for each message you want to define.

Step 12  Save the gateway configuration.
    1. Click OK to save the settings and close the GlobalProtect Gateway Configuration dialog.
    2. Commit the changes.


Configure the GlobalProtect Portal

[Link] endpoint that participates in the GlobalProtect network receives configuration information from the portal, including information about available gateways as well as any client certificates that may be required to [Link], the portal controls the behavior and distribution of the GlobalProtect agent software to both Mac and Windows laptops.

[Link] mobile devices, end users must download it from the store for their device: App Store for iOS, Google Play for Android, Chrome Web Store for Chromebooks, [Link], the agent configurations that get deployed to mobile app users does control the gateway(s) to which the mobile devices [Link], see What Client OS Versions are Supported with GlobalProtect?

The following sections provide procedures for setting up the portal:
• Prerequisite Tasks for Configuring the GlobalProtect Portal
• Set Up Access to the GlobalProtect Portal
• Define the GlobalProtect Client Authentication Configurations
• Define the GlobalProtect Agent Configurations
• Customize the GlobalProtect Agent
• Customize the GlobalProtect Portal Login, Welcome, and Help Pages

Prerequisite Tasks for Configuring the GlobalProtect Portal

Before you can configure the GlobalProtect Portal, you must complete the following tasks:
• Create the interfaces (and zones) [Link] Create Interfaces and Zones for GlobalProtect.
• Set up the portal server certificate, gateway server certificate, SSL/TLS service profiles, and, optionally, any client certificates to deploy to end users to enable SSL/TLS connections for the GlobalProtect [Link].
• Define the optional authentication profiles and certificate profiles that the portal can use to [Link].
• Configure GlobalProtect Gateways and understand Gateway Priority in a Multiple Gateway Configuration.


Set Up Access to the GlobalProtect Portal

After you have completed the prerequisite tasks, configure the GlobalProtect Portal as follows:

Set Up Access to the Portal

Step 1  Add the portal.
    1. Select Network > GlobalProtect > Portals and click Add.
    2. On the General page, [Link] cannot contain spaces.
    3. (Optional) Select the virtual system to which this portal belongs from the Location field.

Step 2  Specify network settings to enable agents to communicate with the portal.
    If you have not yet created the network interface for the portal, see Create Interfaces and Zones for GlobalProtect [Link] created an SSL/TLS service profile for the portal, see Deploy Server Certificates to the GlobalProtect Components.
    1. Select the Interface.
    2. Select the IP Address for the portal web service.
    3. Select an SSL/TLS Service Profile.

Step 3  Disable the login page entirely or choose your own login page or help page.
    Although optional, a custom login or help page lets you decide on the look and [Link] GlobalProtect Portal Login, Welcome, and Help Pages.
    • Select the option to Disable login page to disable access to the GlobalProtect portal login page from a web browser.
    • Choose a Custom Login Page for user access to the portal or import a new one.
    • Choose a Custom Help Page to assist the user with GlobalProtect or import a new one.

Step 4  Specify how the portal authenticates the users.
    If you have not yet created a server certificate for the portal and issued gateway certificates, see Deploy Server Certificates to the GlobalProtect Components.
    On the GlobalProtect Portal Configuration dialog, select Authentication, and then configure any of the following:
    • To secure communication between the portal and the agents, select the SSL/TLS Service Profile you configured for the portal.
    • To authenticate users using a local user database or an external authentication service, such as LDAP, Kerberos, TACACS+, or RADIUS (including OTP), Define the GlobalProtect Client Authentication Configurations.

Step 5  Save the portal configuration.
    1. Click OK to save the settings and close the GlobalProtect Portal Configuration dialog.
    2. Commit the changes.


Define the GlobalProtect Client Authentication Configurations

Each GlobalProtect client authentication configuration specifies the settings that enable the user to [Link] [Link], you can configure Android users to use RADIUS [Link] authentication for users who access the portal from a web browser (to download the GlobalProtect agent) or for third-party IPSec VPN (X-Auth) access to GlobalProtect gateways.

Define the GlobalProtect Client Authentication Configurations

Step 1  Set Up Access to the GlobalProtect Portal.
    1. Select Network > GlobalProtect > Portals.
    2. Select the portal configuration to which you are adding the client configuration and then select the Authentication tab.

Step 2  Specify how the portal authenticates the users.
    You can configure the GlobalProtect portal to authenticate users using a local user database or an external authentication service, such as LDAP, Kerberos, TACACS+, or RADIUS (including OTP). If you have not yet set up the authentication profiles and/or certificate profiles, see Set Up GlobalProtect User Authentication for instructions.
    In the Client Authentication area, Add a new configuration with the following settings:
    • Enter a Name to identify the client authentication configuration.
    • [Link] default, [Link], you can apply the configuration to endpoints running a specific OS (Android, Chrome, iOS, Mac, Windows, or Windows UWP) or to endpoints that access the portal from a web Browser with the intent of downloading the GlobalProtect agent.
    • Select or add an Authentication Profile for authenticating an endpoint that tries to access the gateway.
    • Enter an Authentication Message to help end users understand [Link] up to 100 characters in length (default is Enter login credentials).

Step 3  Arrange the client authentication configurations with OS-specific configurations at the top of the list, and configurations that apply to Any OS at [Link] rule evaluation, the portal looks for a match starting from the top of the list. When it finds a match, it delivers the corresponding configuration to the agent or app.
    • To move a client authentication configuration up on the list of configurations, select the configuration and click Move Up.
    • To move a client authentication configuration down on the list of configurations, select the configuration and click Move Down.

Step 4  (Optional) To enable two-factor authentication using an authentication profile and a certificate profile, configure both in this portal configuration.
    Keep in mind the portal must authenticate the client by using both methods before the user can gain access.
    Select the corresponding Certificate Profile to authenticate users based on a client certificate or smart card.
    The Common Name (CN) and, if applicable, the Subject Alternative Name (SAN) fields of the certificate must exactly match the IP address or FQDN of the interface where you configure the portal or HTTPS connections to the portal will fail.

Step 5  Save the portal configuration.
    1. Click OK to save the settings and close the GlobalProtect Portal Configuration dialog.
    2. Commit the changes.


Gateway Priority in a Multiple Gateway Configuration

To enable secure access for your mobile workforce no matter where they are located, you can strategically deploy additional Palo Alto Networks next-generation firewalls and configure them as GlobalProtect [Link], add the gateways to a portal [Link] Configurations.
If a GlobalProtect portal agent configuration contains more than one gateway, the agent will attempt to [Link] [Link] response time for the higher priority gateway is greater than the average response time across all gateways. For example, consider the following response times for gw1 and gw2:

    Name   Priority   Response Time
    gw1    Highest    80 ms
    gw2    High       25 ms

The agent determines that the response time for the gateway with the highest priority (higher number) is greater than the average response time for both gateways (52.5 ms) and, as a result, [Link] example, the agent did not connect to gw1 even though it had a higher priority because a response time of 80 ms was higher than the average for both.
Now consider the following response times for gw1, gw2, and a third gateway, gw3:

    Name   Priority   Response Time
    gw1    Highest    30 ms
    gw2    High       25 ms
    gw3    Medium     50 ms

In this example, [Link] gateways responded faster than the average response time and see that gw1 and gw2 both had faster [Link] example, the agent connects to gw1 because gw1 has the highest priority of all the gateways with response times below the average.
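The selection rule above is easy to misread, so here it is as an added Python example (not code from the guide or from Palo Alto Networks) that reproduces both tables: compute the average response time across all gateways in the agent configuration, drop any gateway whose response time is greater than that average, and connect to the highest-priority gateway that remains. Two details the page does not state are marked as assumptions: a gateway whose response time exactly equals the average is kept, and a tie on priority goes to the faster gateway. The priority names Highest, High and Medium come from the page; Low and Lowest are assumed additions to complete the ranking.

```python
from dataclasses import dataclass
from typing import List

# Priority labels ranked so that a larger number wins. Highest/High/Medium appear in the
# guide's tables; Low and Lowest are ASSUMED here to complete the scale.
PRIORITY_RANK = {"Highest": 5, "High": 4, "Medium": 3, "Low": 2, "Lowest": 1}


@dataclass(frozen=True)
class Gateway:
    name: str
    priority: str
    response_ms: float


def average_response(gateways: List[Gateway]) -> float:
    return sum(g.response_ms for g in gateways) / len(gateways)


def select_gateway(gateways: List[Gateway]) -> Gateway:
    """Pick the gateway the agent connects to.

    A gateway is skipped when its response time is greater than the average across all
    gateways (the page's rule). A gateway whose response time equals the average is kept
    (ASSUMPTION: the page states only the 'greater than' case). Among the remaining
    gateways the highest priority wins; ties fall to the faster gateway (ASSUMPTION).
    """
    if not gateways:
        raise ValueError("agent configuration contains no gateways")
    avg = average_response(gateways)
    # At least one gateway is always <= the mean, so this list is never empty.
    eligible = [g for g in gateways if g.response_ms <= avg]
    return max(eligible, key=lambda g: (PRIORITY_RANK[g.priority], -g.response_ms))


# The two examples from the guide's tables.
EXAMPLE_TWO = [Gateway("gw1", "Highest", 80), Gateway("gw2", "High", 25)]
EXAMPLE_THREE = [Gateway("gw1", "Highest", 30), Gateway("gw2", "High", 25), Gateway("gw3", "Medium", 50)]

if __name__ == "__main__":
    for example in (EXAMPLE_TWO, EXAMPLE_THREE):
        chosen = select_gateway(example)
        print(f"average {average_response(example):.1f} ms -> connect to {chosen.name}")
```

Running it gives gw2 for the first table (average 52.5 ms, gw1 at 80 ms is excluded) and gw1 for the second (average 35 ms; gw1 and gw2 are both under it and gw1 has the higher priority), matching the text.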


Define the GlobalProtect Agent Configurations

After a GlobalProtect user connects to the portal and is authenticated by the GlobalProtect portal, the portal sends the agent configuration to the agent or app, [Link] roles for users or groups that need specific configurations, you can create a separate agent configuration for [Link] [Link], the portal starts to [Link], the portal sends the right configuration to the agent or app.
The configuration can include the following:
• A list of gateways to which the client can connect.
• Among the external gateways, any gateway that the user can manually select for the session.
• The root CA certificate required to enable the agent or app to establish an SSL connection with the GlobalProtect gateway(s).
• The root CA certificate for SSL forward proxy decryption.
• [Link] configuration is required only if mutual authentication between the client and the portal or gateway is required.
• A secure encrypted cookie that the endpoint should present to the portal or gateway when it connects. The cookie is included only if you enable the portal to generate one.
• The settings the endpoint uses to determine whether it is connected to the local network or to an external network.
• Settings for the behavior of the agent or app, such as what the end users can see in their display, whether they can save their GlobalProtect password, and whether they are prompted to upgrade their software.

If the portal is down or unreachable, the agent will use the cached version of its agent configuration from its last successful portal connection to obtain settings, including the gateway(s) to which the agent can connect, what root CA certificate(s) to use to establish secure communication with the gateway(s), and what connect method to use.


Use the following procedure to create an agent configuration.

Create a GlobalProtect Agent Configuration

Step 1  Add the trusted Root CA certificates that the client will use to perform certificate checks when it connects to the GlobalProtect gateway(s).
    If you do not add a trusted root CA certificate to the agent configuration, the associated client does not perform certificate checks when it connects.
    As a best practice, always deploy the trusted root CA certificates in [Link] certificate deployment ensures that the agents or apps perform a certificate check to validate the identity of the gateway before it [Link] installation protects the agent or app from man-in-the-middle attacks.
    1. Select Network > GlobalProtect > Portals.
    2. Select the portal configuration to which you are adding the agent configuration and then select the Agent tab.
    3. In the Trusted Root CA field, Add and then select the CA certificate that was used to issue the gateway server [Link], all of your gateways should use the same issuer.

Step 2  (Optional) Add the trusted Root CA certificate that the firewall will use for [Link] firewall uses this certificate (on Windows and Mac endpoints only) to terminate the HTTPS connection, inspect the traffic for policy compliance, and re-establish the HTTPS connection to forward the encrypted traffic.
    1. Add the certificate as described in Step 1.
    2. To the right of the certificate, select the Install in Local Root Certificate Store option.
    The portal automatically sends the certificate when the user logs in to the portal and installs it in the client's local store thus eliminating the need for you to install the certificate manually.

Step 3  Add an agent configuration.
    The agent configuration specifies the GlobalProtect configuration settings to deploy to the connecting agents/apps. You must define at least one agent configuration.
    1. In the Agent area, Add a new configuration.
    2. [Link] create multiple configurations, make sure the name you define for each is descriptive enough to allow you to distinguish them.


Step 4  (Optional) Configure settings to specify how users with this configuration will authenticate with the portal.
    If the gateway is to authenticate the clients by using a client certificate, you must select the source that distributes the certificate.
    On the Authentication tab, configure any of the following authentication settings:
    • To enable users to authenticate with the portal using client certificates, select the Client Certificate source (SCEP, Local, or None) that distributes the certificate and its private key to an [Link] clients, select None (default). To enable the portal to generate and send a machine certificate to the agent for storage in the local certificate store and use the certificate for portal and gateway authentication, select SCEP and the associated SCEP [Link] [Link] certificate for all endpoints, select a certificate that is Local to [Link], the portal does not push a certificate to the client, but you can use other ways to get a certificate to the client's endpoint.
    • Specify whether to Save User [Link] the username and password (default), Save Username Only to save only the username, or No to never save credentials.
      If you configure the portal or gateways to prompt for a dynamic password such as a one-time password (OTP), the user must [Link], the GlobalProtect agent/app ignores the selection to save both the username and password, if specified, and saves only the [Link], see Enable Two-Factor Authentication Using One-Time Passwords (OTPs).

Step 5  If the GlobalProtect endpoint does not require tunnel connections when it is on the internal network, configure internal host detection.
    1. Select the Internal Host Detection check box.
    2. Enter the IP Address of a host that can be reached from the internal network only.
    3. Enter the DNS Hostname for the IP address you entered. Clients that try to connect to GlobalProtect attempt to do a [Link] fails, the client determines that it is on the external network and then initiates a tunnel connection to a gateway on its list of external gateways.

Step 6  Set up access to a third-party mobile endpoint management system.
    This step is required if the mobile devices using this configuration will be managed by a third-party mobile endpoint [Link] initially connect to the portal and, if a third-party mobile endpoint management system is configured on the corresponding portal agent configuration, the device will be redirected to it for enrollment.
    1. Enter the IP address or FQDN of the device check-in interface associated with your mobile endpoint management system. The value you enter here must exactly match the value of the server certificate associated with the device check-in interface.
    2. Specify the Enrollment Port on which the mobile endpoint management system will be listening for enrollment requests. This value must match the value set on the mobile endpoint management system (default = 443).
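Internal host detection in Step 5 hinges on a reverse DNS lookup of the internal host's IP address: if the lookup returns the configured DNS hostname the endpoint treats itself as internal, and any failure or mismatch means external, so the agent tunnels to an external gateway. The following Python example is added here (it is not code from the guide or from Palo Alto Networks) and models that decision; the resolver is injected so the logic can be exercised offline with the two constructed resolvers that stand in for a corporate DNS server reachable only inside and a public resolver outside. The probe IP, hostname and function names are the example's own.

```python
import socket
from typing import Callable, List, Tuple

# Signature of socket.gethostbyaddr: (primary hostname, alias list, address list)
ReverseResolver = Callable[[str], Tuple[str, List[str], List[str]]]


def on_internal_network(probe_ip: str, expected_hostname: str,
                        resolver: ReverseResolver = socket.gethostbyaddr) -> bool:
    """Return True only if the reverse lookup of `probe_ip` succeeds AND yields `expected_hostname`.

    Any failure (no PTR record, internal resolver unreachable, timeout) means the endpoint
    is treated as external. Requiring the configured name to match, not just a successful
    lookup, prevents an unrelated or spoofed PTR answer from passing the check.
    """
    try:
        hostname, aliases, _ = resolver(probe_ip)
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return False
    expected = expected_hostname.lower().rstrip(".")
    seen = {hostname.lower().rstrip(".")} | {a.lower().rstrip(".") for a in aliases}
    return expected in seen


def choose_connection(probe_ip: str, expected_hostname: str,
                      resolver: ReverseResolver = socket.gethostbyaddr) -> str:
    """'internal-gateway' when internal host detection succeeds, otherwise tunnel to an external gateway."""
    if on_internal_network(probe_ip, expected_hostname, resolver):
        return "internal-gateway"
    return "external-gateway-tunnel"


# Constructed resolvers for offline use (not real DNS data).
def inside_resolver(ip: str):
    """Corporate DNS: knows the PTR for the internal probe host only."""
    if ip == "10.1.1.10":
        return ("gp-probe.corp.example", ["probe.corp.example"], [ip])
    raise socket.herror(1, "Unknown host")


def outside_resolver(ip: str):
    """Public DNS: has no PTR records for private 10/8 space."""
    raise socket.herror(1, "Unknown host")


if __name__ == "__main__":
    for label, res in (("inside", inside_resolver), ("outside", outside_resolver)):
        print(label, "->", choose_connection("10.1.1.10", "gp-probe.corp.example", res))
```

The hostname comparison is the part worth keeping in mind when choosing the probe host: the PTR record the internal DNS returns must match the DNS Hostname you enter in Step 5 exactly (case and trailing dot aside), or every endpoint will be treated as external and tunnel unnecessarily.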

Palo Alto Networks, Inc. GlobalProtect 7.1 Administrator's Guide 71
Step 7  Configure the user or user group and the endpoint OS to which the agent configuration applies.
The portal uses the user/user group settings you specify to determine which configuration to deliver to the GlobalProtect agents that connect. Therefore, if you have multiple configurations, you must order them properly: as soon as the portal finds a match, it delivers that configuration, so more specific configurations must precede more general ones. See Step 12 for instructions on ordering the list of agent configurations.
Select the User/User Group tab and then specify any users, user groups, and/or operating systems to which this configuration should apply:
- To deliver this configuration to agents or apps running on a specific operating system, Add the OS (Android, Chrome, iOS, Mac, Windows, or Windows UWP) to which this configuration applies. Leave the OS set to Any to deliver the configuration based on user/group only.
- To restrict this configuration to a specific user and/or group, click Add in the User/User Group section of the window and then select the user or group you want to receive this configuration. Repeat this step for each user/group you want to add. Before you can restrict the configuration to specific groups, you must map users to groups as described in Enable Group Mapping.
- To restrict the configuration to users who have not yet logged in to their systems, select pre-logon from the User/User Group drop-down.
- To apply the configuration to any user regardless of login status (both pre-logon and logged-in users), select any from the User/User Group drop-down.

Step 8  Specify the gateways to which users with this configuration can connect.
Consider the following best practices when you configure the gateways:
- If you are adding both internal and external gateways to the same configuration, make sure to enable Internal Host Detection. See Step 5 in Define the GlobalProtect Agent Configurations for instructions.
- Do not use on-demand as the connect method if your configuration includes internal gateways.
To learn more about how a GlobalProtect client determines the gateway to which it should connect, see Gateway Priority in a Multiple Gateway Configuration.
1. On the Gateways tab, click Add in the section for Internal Gateways or External Gateways, depending on which type of gateway you are adding.
2. Enter a descriptive Name for the gateway. The name you enter here should match the name you defined when you configured the gateway and should be descriptive enough for users to know the location of the gateway they are connected to.
3. Enter the FQDN or IP address of the interface where the gateway is configured. The value you specify must exactly match the Common Name (CN) in the gateway server certificate; otherwise the client cannot validate the gateway and users see certificate warnings.
4. (External gateways only) Set the Priority of the gateway by clicking in the field and selecting a value:
   - If you have only one external gateway, you can leave the value set to Highest (the default).
   - If you have multiple external gateways, you can modify the priority values (ranging from Highest to Lowest) to indicate a preference for the specific user group to which this configuration applies. For example, if you prefer that the user group connects to a local gateway, set its priority higher than that of more geographically distant gateways. The priority value is then used in the agent's gateway selection algorithm.
   - If you do not want agents to automatically establish tunnel connections with the gateway, select Manual Only. This setting is useful in testing environments.
5. (External gateways only) Select the Manual check box if you want to allow users to manually switch to the gateway.
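The decision flow described in Step 5 and Step 8, as an added example (this is not code from the guide or from the GlobalProtect agent): a reverse lookup decides internal versus external, and external gateways are ordered by the configured priority, with Manual Only gateways excluded from automatic connection. The agent's real selection algorithm also weighs gateway response time, which this example omits. The resolver is injected so the block runs offline against a constructed PTR table; the gateway names and addresses are invented sample data.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Priority values as they appear in the portal configuration, best first.
PRIORITY_ORDER = ["highest", "high", "medium", "low", "lowest"]


@dataclass
class Gateway:
    name: str
    address: str               # must match the CN in the gateway's server certificate
    priority: str = "highest"
    manual: bool = False       # users may switch to it by hand
    manual_only: bool = False  # never auto-connect (the "Manual Only" priority)


def on_internal_network(host_ip: str, expected_name: str,
                        reverse_lookup: Optional[Callable[[str], str]] = None) -> bool:
    """Internal host detection: reverse-resolve host_ip and compare the answer with
    the configured DNS hostname. Any lookup failure means 'external', i.e. the
    client falls back to tunnelling. This is a convenience check, not
    authentication: whoever controls the local resolver controls the answer."""
    if reverse_lookup is None:
        reverse_lookup = lambda addr: socket.gethostbyaddr(addr)[0]
    try:
        name = reverse_lookup(host_ip)
    except OSError:            # NXDOMAIN, timeout, no resolver, ...
        return False
    return name.rstrip(".").lower() == expected_name.rstrip(".").lower()


def auto_connect_order(gateways: List[Gateway]) -> List[Gateway]:
    """External gateways the agent may connect to automatically, best priority
    first. Manual Only gateways are excluded; ties keep configuration order."""
    candidates = [g for g in gateways if not g.manual_only]
    for g in candidates:
        if g.priority.lower() not in PRIORITY_ORDER:
            raise ValueError(f"unknown priority {g.priority!r} on gateway {g.name}")
    return sorted(candidates, key=lambda g: PRIORITY_ORDER.index(g.priority.lower()))


def plan_connection(internal_host: Optional[Tuple[str, str]],
                    internal_gateways: List[Gateway],
                    external_gateways: List[Gateway],
                    reverse_lookup: Optional[Callable[[str], str]] = None) -> Tuple[str, List[str]]:
    """Return ('internal', [internal gateway names]) when internal host detection
    succeeds, otherwise ('external', [external candidates in auto-connect order])."""
    if internal_host is not None:
        ip, name = internal_host
        if on_internal_network(ip, name, reverse_lookup):
            return "internal", [g.name for g in internal_gateways]
    return "external", [g.name for g in auto_connect_order(external_gateways)]


# Constructed sample data (not from the guide): a fake PTR table and gateways.
FAKE_PTR: Dict[str, str] = {"10.0.0.5": "gp-probe.corp.example."}


def fake_resolver(addr: str) -> str:
    if addr not in FAKE_PTR:
        raise OSError("NXDOMAIN")
    return FAKE_PTR[addr]


def broken_resolver(addr: str) -> str:
    raise OSError("no answer from resolver")  # e.g. an external network with no PTR


INTERNAL = [Gateway("hq-internal", "gp-int.corp.example")]
EXTERNAL = [
    Gateway("emea-gw", "gp-emea.example.com", priority="low", manual=True),
    Gateway("us-east-gw", "gp-use1.example.com", priority="highest"),
    Gateway("lab-gw", "gp-lab.example.com", manual_only=True),
]

if __name__ == "__main__":
    probe = ("10.0.0.5", "gp-probe.corp.example")
    print(plan_connection(probe, INTERNAL, EXTERNAL, fake_resolver))
    print(plan_connection(probe, INTERNAL, EXTERNAL, broken_resolver))
```

Run as-is the first call reports an internal connection and the second an external one with us-east-gw ahead of emea-gw and lab-gw absent. A mismatched hostname (a PTR record that exists but names a different host) is treated exactly like a failed lookup.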

Step 9  Customize the behavior of the GlobalProtect agent for users with this configuration.
Select the App tab and then modify the agent settings as desired. For more details about each option, see Customize the GlobalProtect Agent.

Step 10  (Optional) Define any custom host information profile (HIP) data that you want the agent to collect and/or exclude HIP categories from collection.
This step only applies if you plan to use the HIP feature and there is information you want to collect that cannot be collected using the standard HIP objects, or if there is HIP information that you are not interested in collecting. See Use Host Information in Policy Enforcement for details on setting up and using the HIP feature.
1. Select Data Collection and enable the GlobalProtect agent to Collect HIP Data.
2. Select Exclude Categories to exclude specific categories and/or vendors, applications, [...] from collection. For more details, see Step 3 in Configure HIP-Based Policy Enforcement.
3. Select Custom Checks to define any custom data you want to collect from hosts running this agent configuration, and add [...]. For details, see Step 2 in Use Host Information in Policy Enforcement.

Step 11  Save the agent configuration.
1. Click OK to save the settings and close the Configs dialog.
2. If you want to add another agent configuration, repeat Step 3 through Step 11.

Step 12  Arrange the agent configurations so that the proper configuration is deployed to each agent.
When an agent connects, the portal compares the source information in the request (user, group, and OS) against the agent configurations you have defined. As with security rule evaluation, the portal looks for a match starting from the top of the list; when it finds a match, it delivers the corresponding configuration to the agent or app. A broad configuration placed above a narrower one therefore silently shadows the narrower one.
- To move an agent configuration up on the list of configurations, select the configuration and click Move Up.
- To move an agent configuration down on the list of configurations, select the configuration and click Move Down.
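The first-match rule from Step 7 and Step 12, as an added example (not code from the guide or from PAN-OS): an ordered list of agent configurations is evaluated top-down against the connecting client's OS, username, groups, and pre-logon state, and a static check reports configurations that an earlier, broader entry makes unreachable. Group membership is not known to the static check, so it reports only definite shadowing (an earlier entry whose OS and user/group sets are supersets); the configuration and client names are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set


@dataclass
class AgentConfig:
    """One entry of the portal's agent configuration list.
    os: {"any"} or a set of OS names (Android, Chrome, iOS, Mac, Windows, Windows UWP).
    principals: {"any"}, {"pre-logon"}, or a set of usernames and group names."""
    name: str
    os: Set[str] = field(default_factory=lambda: {"any"})
    principals: Set[str] = field(default_factory=lambda: {"any"})


@dataclass
class Client:
    os: str
    username: Optional[str]        # None means a pre-logon connection (nobody logged in yet)
    groups: FrozenSet[str] = frozenset()


def _os_matches(cfg: AgentConfig, client: Client) -> bool:
    return "any" in cfg.os or client.os in cfg.os


def _principal_matches(cfg: AgentConfig, client: Client) -> bool:
    if "any" in cfg.principals:              # both pre-logon and logged-in users
        return True
    if client.username is None:              # only a pre-logon entry matches here
        return "pre-logon" in cfg.principals
    return client.username in cfg.principals or bool(client.groups & cfg.principals)


def select_config(configs: List[AgentConfig], client: Client) -> Optional[str]:
    """Top-down evaluation: the first configuration whose OS and user/group
    criteria both match is delivered; later matches are never considered."""
    for cfg in configs:
        if _os_matches(cfg, client) and _principal_matches(cfg, client):
            return cfg.name
    return None


def find_shadowed(configs: List[AgentConfig]) -> List[str]:
    """Names of configurations that can never be delivered because an earlier
    entry matches a superset of clients (any-OS or same-or-larger OS set, and
    any-user or same-or-larger principal set)."""
    shadowed = []
    for i, later in enumerate(configs):
        for earlier in configs[:i]:
            os_cover = "any" in earlier.os or later.os <= earlier.os
            principal_cover = "any" in earlier.principals or later.principals <= earlier.principals
            if os_cover and principal_cover:
                shadowed.append(later.name)
                break
    return shadowed


# Constructed sample configurations (not from the guide).
IT_WINDOWS = AgentConfig("it-windows", os={"Windows"}, principals={"it-admins"})
PRELOGON = AgentConfig("prelogon-machines", principals={"pre-logon"})
DEFAULT = AgentConfig("default")            # any OS, any user: must be last

if __name__ == "__main__":
    alice = Client("Windows", "alice", frozenset({"it-admins"}))
    print(select_config([IT_WINDOWS, PRELOGON, DEFAULT], alice))   # it-windows
    print(select_config([DEFAULT, IT_WINDOWS, PRELOGON], alice))   # default
    print(find_shadowed([DEFAULT, IT_WINDOWS, PRELOGON]))          # both later entries
```

The second ordering is the mistake Step 12 warns about: the catch-all entry on top means the IT-specific and pre-logon configurations are dead entries, which find_shadowed flags before you commit.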

Step 13  Save the portal configuration.
1. Click OK to save the settings and close the GlobalProtect Portal Configuration dialog.
2. Commit the changes.

Customize the GlobalProtect Agent

The portal agent configuration allows you to customize how your end users interact with the GlobalProtect agents and apps installed on their endpoints [...]. For information on GlobalProtect client requirements, see What Client OS Versions are Supported with GlobalProtect?
In the agent configuration, you can specify the following:
- What menus and views users can access.
- Whether users can disable the agent (applies to the user-logon connect method only).
- Whether to display a welcome page after login [...]. You can specify whether the user can dismiss the welcome page, and you can create custom welcome and help pages that explain how [...]. See Customize the GlobalProtect Portal Login, Welcome, and Help Pages.
- Whether agent upgrades occur automatically or whether users are prompted to upgrade.

You can also define agent settings in the Windows registry or Mac plist, and for Windows clients you can also define agent settings directly from the Windows installer (Msiexec). Settings defined in the portal agent configurations in the web interface take precedence over settings defined in the Windows registry/Mac plist. For details, see Deploy Agent Settings Transparently.

Additional options that are available through the Windows command line (Msiexec) or Windows registry only enable you to (for more information, see Customizable Agent Settings):
- Specify whether the agent should prompt the end user for credentials if Windows SSO fails.
- Specify the default portal IP address (or hostname).
- Enable GlobalProtect to initiate a VPN connection before the user logs in to the endpoint.
- Deploy scripts that run before or after GlobalProtect establishes a VPN connection, or after GlobalProtect disconnects the VPN connection.
- Enable the GlobalProtect agent to wrap third-party credentials on the Windows client, allowing for SSO when using a third-party credential provider.

Use the following procedure to customize the GlobalProtect agent.

Customize the Agent

Step 1  Select the Agent tab in the agent configuration you want to customize.
You can also configure most settings that are on the App tab from a group policy by adding settings to the Windows registry/Mac plist. On Windows systems, you can also set them using the Msiexec utility on the command line during the agent installation. However, settings defined in the web interface or the CLI take precedence over registry/plist settings. See Deploy Agent Settings Transparently for details.
1. Select Network > GlobalProtect > Portals and select the portal configuration for which you want to add an agent configuration (or Add a new configuration).
2. Select the Agent tab and select the configuration you want to modify (or Add a new configuration).
3. Select the App tab. The App Configurations area displays the options with the default values that you can customize for each agent configuration. When you change the default behavior, the web interface changes the color of the option from gray to the default text color.

Step 2  Specify the Connect Method that an agent or app uses for its GlobalProtect connection.
Consider the following best practices when you configure the Connect Method:
- Use the On-demand option (default) only if you are using GlobalProtect for VPN access to external gateways.
- Do not use the On-demand option if you plan to run the GlobalProtect agent in hidden mode.
- For faster connection times, use internal host detection in configurations where you have enabled SSO.
In the App Configurations area, select a Connect Method:
- User-logon (Always On): The GlobalProtect agent automatically connects to the portal as soon as the user logs in to the endpoint (or domain). When used in conjunction with SSO (Windows users only), GlobalProtect login is transparent to the end user.
- Pre-logon (Always On): Authenticates the endpoint and establishes a VPN tunnel to the GlobalProtect gateway before the user logs in to the endpoint. This method requires that you use an external PKI solution to pre-deploy a machine certificate to each endpoint that receives this configuration. See Remote Access VPN with Pre-Logon for details about pre-logon.
- On-demand (Manual user initiated connection): Users must manually launch the agent to connect to GlobalProtect. This option applies to external gateways only.
- Pre-logon then On-demand: Similar to the Pre-logon (Always On) connect method, this connect method (which requires Content Release version 590-3397 or later) enables the GlobalProtect agent to authenticate the endpoint and establish a VPN tunnel to the GlobalProtect gateway before the user logs in. However, with this connection method, after the user logs in to the client, users must manually launch the agent to connect to GlobalProtect [...]. The benefit of this option is that you can allow a user to set a new password after password expiration, or after a user forgets their password, but still require the user to manually initiate the connection after logging in.

Step 3  Specify whether to enforce GlobalProtect connections for network access.
If you enforce GlobalProtect for network access, we recommend that you enable this feature only for users that connect in User-logon or Pre-logon modes. Users that connect in On-demand mode may not be able to establish a connection within the permitted grace periods.
In the App Configurations area, configure any of the following options:
- To force all network traffic to traverse a GlobalProtect tunnel, set Enforce GlobalProtect Connection for Network Access to Yes. By default, GlobalProtect is not required for network access, meaning users can still access the internet if GlobalProtect is disabled or disconnected. To notify users when traffic is blocked, configure a Traffic Blocking Notification Message and optionally specify when to display the message (Traffic Blocking Notification Delay).
- To permit the traffic required to establish a connection with a captive portal, specify a Captive Portal Exception Timeout (sec). The user must authenticate with the captive portal before the timeout expires; until then, traffic that would otherwise be blocked is allowed, so keep the window short. To notify users that a captive portal has been detected, configure a Captive Portal Detection Message.
These features require Content Release version 607-3486 or later.

Step 4  Specify additional GlobalProtect connection settings.
With single sign-on (SSO) enabled (the default), the GlobalProtect agent uses the user's Windows login credentials to automatically authenticate to and connect to the GlobalProtect portal and gateway. GlobalProtect with SSO enabled also allows the GlobalProtect agent to wrap third-party credentials to ensure that Windows users can authenticate and connect, even when a third-party credential provider is being used to wrap the Windows login credentials.
In the App Configurations area, configure any of the following options:
- (Windows only) Set Use Single Sign-On to No to disallow GlobalProtect from using the Windows login credentials to automatically authenticate the user upon login to Active Directory.
- Enter the Maximum Internal Gateway Connection Attempts to specify the number of times the GlobalProtect agent should retry the connection to an internal gateway after the first attempt fails (range is 0-100; 4 or 5 is recommended; default is 0, which means the GlobalProtect agent does not retry the connection). By increasing the value, you enable the agent to connect to an internal gateway that is temporarily down or unreachable during the first connection attempt but comes back up before the specified number of retries is exhausted. Increasing the value also ensures that the internal gateway receives the most up-to-date user and host information.
- Enter the GlobalProtect App Config Refresh Interval (hours) to specify the number of hours the GlobalProtect portal waits before it initiates the next refresh of a client's configuration (range is 1-168; default is 24).
- Specify whether to Retain Connection on Smart Card Removal. By default, the option is set to Yes, meaning GlobalProtect retains the tunnel when a user removes a smart card containing the client certificate. To terminate the tunnel when the smart card is removed, set this option to No. The decision on whether to retain the connection depends on your security requirements: retaining it means a removed card no longer gates the session, which matters on shared or unattended endpoints.
  This feature requires Content Release version 590-3397 or a later version.

Step 5  Configure the menus and UI views that are available to users who have this agent configuration.
Configure any or all of the following options:
- If you want users to be able to see only basic status information within the application, set Enable Advanced View to No. By default, the advanced view is enabled, which allows users to view detailed statistical, host, and troubleshooting information and to perform certain tasks, such as changing their password.
- If you want to hide the GlobalProtect agent on end-user systems, set Display GlobalProtect Icon to No. When the icon is hidden, users cannot perform other tasks such as changing passwords, rediscovering the network, resubmitting host information, viewing troubleshooting information, or performing an on-demand connection. However, HIP notification messages, login prompts, and certificate dialogs will still display as necessary for interacting with the end user.
- To prevent users from performing a network rediscovery, set the Enable Rediscover Network Option to No. When you disable this option, it is grayed out in the GlobalProtect menu.
- To prevent users from manually resubmitting HIP data to the gateway, set Enable Resubmit Host Profile Option to No. This option is enabled by default, and is useful in cases where HIP-based security policy prevents users from accessing resources, because it allows the user to fix the compliance issue on the computer and then resubmit the HIP.
- (Windows only) To allow GlobalProtect to display notifications in the notification area (system tray), set Show System Tray Notifications to Yes.
- To create a custom message to display to users when their password is about to expire, configure the Custom Password Expiration Message (LDAP Authentication Only). The maximum message length is 200 characters.

Step 6  Define what the end users with this configuration can do in their client.
- Set Allow User to Change Portal Address to No to disable the portal address field in the client. Because the user will then be unable to specify a portal to which to connect, you must supply the default portal address in the Windows registry (HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup with key Portal) or in the Mac plist (/Library/Preferences/[...], dictionary PanSetup). For more information, see Deploy Agent Settings Transparently.
- To prevent users from dismissing the welcome page, set Allow User to Dismiss Welcome Page to No. Otherwise, when set to Yes, the user can dismiss the welcome page and prevent GlobalProtect from displaying the page after subsequent logins.

Step 7  Specify whether users can disable the GlobalProtect agent.
The Allow User to Disable GlobalProtect option applies to agent configurations that have the Connect Method set to User-Logon (Always On). In user-logon mode, the agent or app automatically connects to GlobalProtect as soon as the user logs in. This behavior is sometimes referred to as always on, which is why the user must override it to disable the GlobalProtect client. By default, this option is set to Allow, which permits users to disable GlobalProtect without providing a comment, passcode, or ticket number.
If the agent icon is not visible, users are not able to disable the agent. See Step 5 for details.
- To prevent users with the user-logon connect method from disabling GlobalProtect, set Allow User to Disable GlobalProtect to Disallow.
- To allow users to disable GlobalProtect if they provide a passcode, set Allow User to Disable GlobalProtect to Allow with Passcode. Then, in the Disable GlobalProtect App area, enter (and confirm) the Passcode that the end users must supply.
- To allow users to disconnect if they provide a ticket, set Allow User to Disable GlobalProtect to Allow with Ticket. With this option, the disconnect action triggers the agent to generate a request number, which the user gives to an administrator [...]. The administrator clicks Generate Ticket on the Network > GlobalProtect > Portals page and enters the request number from the user to generate a ticket. The administrator then provides the ticket to the user, who enters it into the Disable GlobalProtect dialog to enable the agent to disconnect.
- To limit the number of times users can disable the GlobalProtect client, enter a value in the Max Times User Can Disable field in the Disable GlobalProtect App area. A value of 0 (the default) indicates that users are not limited in the number of times they can disable the client.
- To restrict how long the user may be disconnected, enter a value (in minutes) in the User Can Disable Timeout (min) field in the Disable GlobalProtect App area. A value of 0 (the default) means that there is no restriction on how long the user can keep the client disabled.

Step 8  Configure the certificate settings and behavior for the users that receive this configuration.
- Client Certificate Store Lookup: Select which store the agent looks in for the client certificate. Select User to use certificates stored in the Current User certificate store on Windows and in the [...] on Mac. Select Machine to use certificates stored in the Local Computer certificate store on Windows and in the [...] on Mac. By default, the agent looks for User and machine certificates in both places.
- SCEP Certificate Renewal Period (days): With SCEP, the portal can request a new client certificate before the certificate expires. This time before the certificate expires is the optional SCEP Certificate Renewal Period. When a client certificate is within this many days of expiring, the portal can request a new certificate from the SCEP server in your enterprise PKI (range is 0-30; default is 7). A value of 0 means the portal does not automatically renew the client certificate when it refreshes the agent configuration.
  For an agent or app to obtain the new certificate during the renewal period, the user must log in to the GlobalProtect client. For example, if a client certificate has a lifespan of 90 days, the certificate renewal period is 7 days, and the user logs in during the final 7 days of the certificate lifespan, the portal acquires a new certificate and deploys it along with a fresh agent configuration. A user who does not log in during that window ends up with an expired certificate and must be re-enrolled by other means. For more information, see Deploy User-Specific Client Certificates for Authentication.
- Extended Key Usage OID for Client Certificate: Enter the extended key usage of a client certificate by specifying its object identifier (OID). This setting ensures that the GlobalProtect agent selects only a certificate that is intended for client authentication when multiple certificate types are present, and enables [...]. This setting is supported on Windows and Mac endpoints only.
- If you do not want the agent to establish a connection with the portal when the portal certificate is not valid, set Allow User to Continue with Invalid Portal Server Certificate to No. Keep in mind that the portal provides the agent configuration only; it does not provide network access, and therefore security to the portal is [...]. However, if you have deployed a trusted server certificate for the portal, setting this option to No helps prevent man-in-the-middle (MITM) attacks: the agent configuration includes the gateway list and the settings the client trusts, so a spoofed portal could redirect clients to attacker-controlled gateways. Treat portal certificate validation as mandatory in production.

Step 9  (Windows only) Configure settings for Windows-based endpoints that receive this configuration.
- Update DNS Settings at Connect: Select Yes to flush the DNS cache and force all adapters to use the DNS settings in the tunnel. Select No (the default) to use the DNS settings from the physical adapter on the endpoint.
- Send HIP Report Immediately if Windows Security Center (WSC) State Changes: Select No to prevent the GlobalProtect agent from sending HIP data when the status of the Windows Security Center (WSC) changes. Select Yes (default) to immediately send HIP data when the status of the WSC changes.
- Detect Proxy for Each Connection: Select No to auto-detect the proxy for the portal connection only and use that proxy for subsequent connections. Select Yes (default) to auto-detect the proxy at every connection.
- Clear Single Sign-On Credentials on Logout: Select No to keep the SSO credentials after the user logs out. Select Yes (default) to clear them and force the user to enter credentials upon the next login.
- Use Default Authentication on Kerberos Authentication Failure: Select No to disable the fallback. Select Yes (default) to retry using the default authentication method after authentication using Kerberos fails.

Step 10  If your endpoints frequently experience latency or slowness when connecting to the GlobalProtect portal or gateways, consider adjusting the portal and TCP timeout values.
To allow more time for your endpoints to connect to or receive data from the portal or gateway, increase the timeout values as needed. However, increasing the values can result in longer wait times if the GlobalProtect agent is unable to reach the portal or gateway [...]. In contrast, decreasing the values can prevent the GlobalProtect agent from establishing a connection when the portal or gateway does not respond before the timeout expires.
Configure values for any of the following options:
- Portal Connection Timeout (sec): The number of seconds before a connection request to the portal times out due to no response from the portal (range is 1-600; default is 30).
- TCP Connection Timeout (sec): The number of seconds before a TCP connection request times out due to unresponsiveness from either end of the connection (range is 1-600; default is 60).
- TCP Receive Timeout (sec): The number of seconds before a TCP connection times out due to the absence of some partial response to a TCP request (range is 1-600; default is 30).

Step 11  Specify whether remote desktop connections are permitted over existing VPN tunnels by specifying the User Switch Tunnel Rename Timeout.
When a new user connects to a Windows machine using Remote Desktop Protocol (RDP), the gateway reassigns the VPN tunnel to the new user and then enforces security policies on the new user. Allowing remote desktop connections over VPN tunnels can be useful in situations where an IT administrator needs to access a remote end-user system using RDP.
By default, the User Switch Tunnel Rename Timeout field is set to 0, meaning the GlobalProtect gateway terminates the connection if a new user connects over RDP. To change this behavior, enter a timeout value [...]. If the new user does not log in to the gateway before the timeout value expires, the GlobalProtect gateway terminates the VPN tunnel assigned to the first user. Until that login happens, the tunnel still carries the first user's identity, so keep the timeout as short as the RDP login sequence allows.
Changing the User Switch Tunnel Rename Timeout value only affects the RDP tunnel and does not rename a pre-logon tunnel when configured.

Step 12  Specify how GlobalProtect agent upgrades occur.
If you want to control when users can upgrade, for example if you want to test a release on a small group of users before deploying it to your entire user base, you can customize the agent upgrade process. In this case, you could create a configuration that applies to users in your IT group only to allow them to upgrade and test, and disable upgrades in all other user/group configurations. Then, after you have thoroughly tested the new version, you could modify the agent configurations for the rest of your users to allow the upgrade.
By default, the Allow User to Upgrade GlobalProtect App field is set to [...]. To change this behavior, select one of the following options:
- If you want upgrades to occur automatically without interaction with the user, select Allow Transparently.
- To prevent agent upgrades, select Disallow.
- To allow end users to initiate agent upgrades, select Allow Manually. In this case, the user would select the Check Version option in the agent to determine if there is a new agent version available [...]. See Step 6 for details.

Step 13  Specify whether to display a welcome page upon successful login.
A welcome page can be a useful way to direct users to internal resources that they can only access when connected to GlobalProtect, such as your intranet or other internal servers. By default, the only indication that the agent has successfully connected to GlobalProtect is a balloon message that displays in the system tray/menu bar.
To display a welcome page after a successful login, select factory-default from the Welcome Page drop-down on the right. GlobalProtect displays the welcome page in the default browser on Windows, Mac, and Chromebook endpoints, or within the app on mobile endpoints. You can also create a custom welcome page that provides information specific to your users, or to a specific group of users (based on which portal configuration gets deployed). For details on creating custom pages, see Customize the GlobalProtect Portal Login, Welcome, and Help Pages.

Step 14  Save the agent configuration settings.
1. If you are done creating agent configurations, click OK to close the Configs dialog. Otherwise, for instructions on completing the agent configurations, return to Define the GlobalProtect Agent Configurations.
2. If you are done configuring the portal, click OK to close the GlobalProtect Portal Configuration dialog.
3. When you finish the portal configuration, Commit the changes.

Customize the GlobalProtect Portal Login, Welcome, and Help Pages

GlobalProtect provides default login, welcome, and/or help pages. Optionally, you can create your own custom pages with your corporate branding, acceptable use policies, and links to your internal resources.

You can alternatively disable browser access to the portal login page in order to prevent unauthorized attempts to authenticate to the GlobalProtect portal (configure the Disable login page option from Network > GlobalProtect > Portals > portal_config > General). This removes the browser-facing login form, which is the surface most exposed to credential guessing; the agent itself still authenticates to the portal. With the portal login page disabled, you can instead use a software distribution tool, such as Microsoft's System Center Configuration Manager (SCCM), to allow your users to download and install the GlobalProtect agent.

Customize the Portal Login, Welcome, and Help Pages

Step 1  Export the default portal login, welcome, or help page.
1. Select Device > Response Pages.
2. Select the link for the type of GlobalProtect portal page.
3. Select the Default predefined page and click Export.

Step 2  Edit the exported page.
1. Use the HTML text editor of your choice to edit the page.
2. If you want to edit the logo image that is displayed, host the new logo image on a web server that is accessible from the end users' systems, and then edit the following line in the HTML to point to the new logo image:
   <img src="[...]?1382722588"/>
   Host the image over HTTPS on a server you control; an image fetched from a third-party or plain-HTTP location lets that party observe, or alter content on, your login page.
3. Save the edited page. Make sure the page retains its UTF-8 encoding.

Step 3  Import the new page(s).
1. Select Device > Response Pages.
2. Select the link for the type of GlobalProtect portal page.
3. Click Import and then enter the path and filename in the Import File field or Browse to locate the file.
4. (Optional) Select the virtual system on which this page will be used from the Destination drop-down, or select shared (default) to make it available to all virtual systems.
5. Click OK to import the file.

Step 4  Configure the portal to use the new page(s).
Custom Login Page and Custom Help Page:
1. Select Network > GlobalProtect > Portals and select the portal to which you want to add the page.
2. On the General tab, select the new page from the relevant drop-down in the Appearance area.
Custom Welcome Page:
1. Select Network > GlobalProtect > Portals and select the portal to which you want to add the welcome page.
2. On the Agent tab, select the agent configuration to which you want to add the welcome page.
3. Select the App tab, and select the new page from the Welcome Page drop-down.
4. Click OK to save the agent configuration.

Step 5  Save the portal configuration.
Click OK and then Commit your changes.

Step 6  Verify that the new page displays.
- Test the login page: Open a browser and go to the URL for your portal (be sure you do not add the :4443 port number to the end of the URL, or you will be directed to the web interface for the firewall). For example, enter [...]. The new portal login page will display.
- Test the help page: Right-click the GlobalProtect icon in the notification area (system tray) and select Help. The new help page will display.
- Test the welcome page: Right-click the GlobalProtect icon in the notification area (system tray) and select Welcome Page. The new welcome page will display.

Enable Delivery of GlobalProtect Client VSAs to a RADIUS Server

When communicating with GlobalProtect portals or gateways, GlobalProtect clients send information that includes the client IP address, operating system (OS), hostname, user domain, and GlobalProtect agent/app version. You can enable the firewall to forward this information as vendor-specific attributes (VSAs) to a RADIUS server during authentication (by default, the firewall does not send the VSAs). RADIUS administrators can then use the attributes in authentication policy [...]. For example, RADIUS administrators might use the client OS attribute to define a policy that mandates regular password authentication for Microsoft Windows users and one-time password (OTP) authentication for Google Android users. Keep in mind that these values are reported by the client, so a policy that relaxes authentication for a given OS is only as trustworthy as the endpoint that claims it; use the attributes to require stronger methods rather than to waive them.
The following are prerequisites for this procedure:
- Import the Palo Alto Networks RADIUS dictionary into your RADIUS server.
- Configure a RADIUS server profile and assign it to an authentication profile: see Set Up External Authentication.
- Assign the authentication profile to a GlobalProtect portal or gateway: see Set Up Access to the GlobalProtect Portal or Configure a GlobalProtect Gateway.

Enable Delivery of GlobalProtect Client VSAs to a RADIUS Server

Step 1  Log in to the firewall CLI.

Step 2  Enter the command for each VSA you want to send.
username@hostname> set authentication radius-vsa-on client-source-ip
username@hostname> set authentication radius-vsa-on client-os
username@hostname> set authentication radius-vsa-on client-hostname
username@hostname> set authentication radius-vsa-on user-domain
username@hostname> set authentication radius-vsa-on client-gp-version
If you later want to stop the firewall from sending particular VSAs, run the same commands but use the radius-vsa-off option instead of radius-vsa-on.
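What the RADIUS server receives once these VSAs are switched on, as an added example (not code from the guide, from PAN-OS, or from any RADIUS server): the RFC 2865 Vendor-Specific attribute (type 26) wraps the vendor ID followed by vendor sub-attributes, and a server-side policy reads the client OS from the decoded attributes to decide which authentication method to require, as in the Windows-versus-Android example above. The vendor ID 25461 is the Palo Alto Networks enterprise number used by the RADIUS dictionary; the sub-attribute numbers and the usernames and addresses below are assumptions and constructed sample data, so take the authoritative numbers from the dictionary you imported. Only the attribute list is modelled, not the 20-byte RADIUS packet header.

```python
import struct
from typing import Dict, List, Tuple

ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
VENDOR_PALOALTO = 25461

# Sub-attribute numbers are illustrative assumptions; the imported Palo Alto Networks
# RADIUS dictionary is the authority for your server.
GP_VSA = {"client-source-ip": 6, "client-os": 7, "client-hostname": 8,
          "client-gp-version": 9, "user-domain": 10}
GP_VSA_NAME = {num: name for name, num in GP_VSA.items()}


def encode_attr(atype: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: 1-byte type, 1-byte total length, value (<= 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def encode_vsa(vendor_id: int, vtype: int, value: bytes) -> bytes:
    """Vendor-Specific attribute: 4-byte vendor ID, then vendor type/length/value."""
    if len(value) > 247:                       # 253 - 4 (vendor id) - 2 (sub-header)
        raise ValueError("VSA value too long")
    sub = struct.pack("!BB", vtype, len(value) + 2) + value
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def build_gp_attrs(username: str, vsas: Dict[str, str]) -> bytes:
    """Attribute list the firewall would place in an Access-Request for this client."""
    out = encode_attr(ATTR_USER_NAME, username.encode())
    for name, val in vsas.items():
        out += encode_vsa(VENDOR_PALOALTO, GP_VSA[name], val.encode())
    return out


def parse_attrs(buf: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list, rejecting lengths that would run past the buffer."""
    attrs, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[i], buf[i + 1]
        if alen < 2 or i + alen > len(buf):
            raise ValueError("bad attribute length")
        attrs.append((atype, buf[i + 2:i + alen]))
        i += alen
    return attrs


def parse_vsa(value: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    """Split a Vendor-Specific value into (vendor_id, [(vendor_type, data), ...])."""
    if len(value) < 6:
        raise ValueError("VSA too short")
    vendor = struct.unpack("!I", value[:4])[0]
    subs, i = [], 4
    while i < len(value):
        if len(value) - i < 2:
            raise ValueError("truncated vendor sub-attribute")
        vt, vl = value[i], value[i + 1]
        if vl < 2 or i + vl > len(value):
            raise ValueError("bad vendor sub-attribute length")
        subs.append((vt, value[i + 2:i + vl]))
        i += vl
    return vendor, subs


def gp_attributes(buf: bytes) -> Dict[str, str]:
    """Server side: collect User-Name and the Palo Alto VSAs; other vendors are ignored."""
    result: Dict[str, str] = {}
    for atype, val in parse_attrs(buf):
        if atype == ATTR_USER_NAME:
            result["user-name"] = val.decode(errors="replace")
        elif atype == ATTR_VENDOR_SPECIFIC:
            vendor, subs = parse_vsa(val)
            if vendor != VENDOR_PALOALTO:
                continue
            for vt, data in subs:
                if vt in GP_VSA_NAME:
                    result[GP_VSA_NAME[vt]] = data.decode(errors="replace")
    return result


def required_auth_method(gp: Dict[str, str]) -> str:
    """Policy from the guide's example: password for Windows, OTP for Android.
    An unknown or missing OS falls to the stronger method, since the value is client-reported."""
    os_name = gp.get("client-os", "").lower()
    if os_name.startswith("windows"):
        return "password"
    return "otp"


if __name__ == "__main__":
    blob = build_gp_attrs("alice", {"client-os": "Windows 10",
                                    "client-source-ip": "203.0.113.7",
                                    "client-gp-version": "4.0.0"})
    print(blob.hex())
    print(gp_attributes(blob), required_auth_method(gp_attributes(blob)))
```

The length checks in parse_attrs and parse_vsa are the part worth copying: a RADIUS implementation that trusts the length byte will read past the packet on a malformed attribute, and the firewall-to-RADIUS path is exactly where a shared secret is the only integrity protection.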

Deploy the GlobalProtect Client Software

In order to connect to GlobalProtect, an endpoint must have the GlobalProtect agent or app installed. The software deployment method depends on the type of client as follows:
- Mac OS and Microsoft Windows endpoints: Require the GlobalProtect agent software, which is [...]. Before end users can install it, you must download the version you want the hosts in your network to use to the firewall hosting your GlobalProtect portal and activate it [...]. For instructions on hosting the agent software on the firewall, see Deploy the GlobalProtect Agent Software.
- Apple iOS and Android endpoints: Require the GlobalProtect app. If you use a mobile endpoint management system to manage mobile device apps, [...]. For instructions on how to download and test the GlobalProtect app installation, see Download and Install the GlobalProtect Mobile App.
  If you do not use a mobile endpoint management system, the end user must download the GlobalProtect app either from the Apple App Store (iOS devices) or from Google Play (Android devices). For instructions on how to download and test the GlobalProtect app installation, see Download and Install the GlobalProtect Mobile App.
- Chromebooks: Require the GlobalProtect app for Chrome OS. If you use a mobile endpoint management system to manage mobile device apps, [...]. For instructions on how to download and test the GlobalProtect app installation, see Download and Install the GlobalProtect App for Chrome OS.
For more details, see What Client OS Versions are Supported with GlobalProtect?

Deploy the GlobalProtect Agent Software

There are several ways to deploy the GlobalProtect agent software:
- Directly from the portal: Download the agent software to the firewall hosting the portal and activate it for download by the agents. This method offers the most flexibility in that it allows you to control how and when end users receive updates based on the agent configuration settings you define for each user, group, and/or OS. However, if you have a large number of agents that require updates, serving them from the firewall adds load. See Host Agent Updates on the Portal for instructions.
- From a web server: If you have a large number of hosts that will need to upgrade the agent simultaneously, consider hosting the agent updates on a web server to reduce the load on the firewall. See Host Agent Updates on a Web Server for instructions.
- Transparently from the command line: For Windows clients, you can automatically deploy agent settings in the Windows Installer (Msiexec). However, to upgrade to a later agent version using Msiexec, you must [...]. That is, Msiexec allows for deployment of agent settings [...]. See Deploy Agent Settings Transparently.

- Using group policy rules: In Active Directory environments, the GlobalProtect Agent can also be distributed to end users through group policy [...]. Group policy lets you automatically distribute programs to host computers or users.
- From a mobile endpoint management system: If you use a mobile management system such as an MDM or EMM to manage your mobile devices, you can use the system to deploy and configure the GlobalProtect app [...].

Host Agent Updates on the Portal

The simplest way to deploy the GlobalProtect agent software is to download the new agent installation package to the firewall that is hosting your portal and then activate the software for download to the agents. To retrieve the package directly, the firewall must have a service route that enables it to reach the Palo Alto Networks Update Server [...]. Otherwise, you can manually download the agent software package from the Palo Alto Networks Software Updates support site using an internet-connected computer and then manually upload it to the firewall.

You must have a valid Palo Alto Networks account to log in to and download software from the Software Updates site. To create an account, go to [...].

You define how the agent software updates are deployed in the agent configurations you define on the portal: whether they happen automatically when the agent connects to the portal, whether the user is prompted to upgrade the agent, or whether the end user can manually check for and download a new agent version from the portal. For details, see Define the GlobalProtect Agent Configurations.

Host the GlobalProtect Agent on the Portal

Step 1  Launch the web interface on the firewall hosting the GlobalProtect portal and go to the GlobalProtect Client page.
Select Device > GlobalProtect Client.

Step2 Checkfornewagentsoftwareimages. IfthefirewallhasaccesstotheUpdateServer,clickCheck Now


[Link]
isDownloaditindicatesthatanupdateisavailable.
IfthefirewalldoesnothaveaccesstotheUpdateServer,goto
thePaloAltoNetworksSoftwareUpdatessupportsiteand
[Link]
tomanuallyUploadthefile.
YoumusthaveavalidPaloAltoNetworksaccounttolog
intoanddownloadsoftwarefromtheSoftwareUpdates
[Link],goto:
[Link]
[Link])

86 GlobalProtect7.1AdministratorsGuide PaloAltoNetworks,Inc.
SetUptheGlobalProtectInfrastructure DeploytheGlobalProtectClientSoftware

HosttheGlobalProtectAgentonthePortal(Continued)

Step3 Downloadtheagentsoftwareimage. [Link]


Ifyourfirewalldoesnothave thedownloadcompletes,thevalueintheActioncolumnchangesto
Internetaccessfromthe Activate.
managementport,youcan Ifyoumanuallyuploadedtheagentsoftwareasdetailedin
downloadtheagentupdatefrom Step 2,[Link]
thePaloAltoNetworksSupport nextstepforinstructionsonactivatinganimagethatwas
Site: manuallyuploaded.
([Link]
com/support/tabs/[Link]
l).
YoucanthenmanuallyUpload
theupdatetoyourfirewalland
thenactivateActivate From File.

Step4 Activatetheagentsoftwareimageso IfyoudownloadedtheimageautomaticallyfromtheUpdate


thatenduserscandownloaditfromthe Server,clickActivate.
portal. Ifyoumanuallyuploadedtheimagetothefirewall,clickActivate
Onlyoneversionofagent From FileandthenselecttheGlobalProtect Client Fileyou
softwareimagecanbeactivated [Link]
[Link] [Link]
version,buthavesomeagents displaysasCurrently Activated.
thatrequireapreviously
activatedversion,youwillhave
toactivatetherequiredversion
againtoenableitfordownload.

Host Agent Updates on a Web Server

If you have a large number of endpoints that will need to install and/or update the GlobalProtect agent
software, [Link]
[Link], the firewall
hosting the portal must be running PAN-OS 4.1.7 or a later release.

Host GlobalProtect Agent Images on a Web Server

Step 1: Download the version of the GlobalProtect agent that you plan to host on the web server to the
firewall and activate it.
  Follow the steps for downloading and activating the agent software on the firewall as described in
  Host the GlobalProtect Agent on the Portal.

Step 2: Download the GlobalProtect agent image you want to host on your web server.
  From a browser, go to the Palo Alto Networks Software Updates site and Download the file to your
  computer.
  You should download the same image that you activated on the portal.

Step 3: Publish the files to your web server.
  Upload the image file(s) to your web server.

Step 4: Redirect the end users to the web server.
  On the firewall hosting the portal, log in to the CLI and enter the following operational mode
  commands:
  > set global-protect redirect on
  > set global-protect redirect location <path>
  where <path> is the URL to the folder hosting the image, for example [Link]

Step 5: Test the redirect.
  1. Launch your web browser and go to the following URL:
     [Link] address or name>
     For example, [Link]
  2. On the portal login page, enter your user Name and Password
     [Link], the portal should redirect you to the download.

Test the Agent Installation

Use the following procedure to test the agent installation.

Test the Agent Installation

Step 1: Create an agent configuration for testing the agent installation.
  Note: When initially installing the GlobalProtect agent software on the endpoint, the end user must
  be logged in to the system using an account that has administrative privileges. Subsequent agent
  software updates do not require administrative privileges.
  As a best practice, create an agent configuration that is limited to a small group of users, such as
  administrators in the IT department responsible for administering the firewall:
  1. Select Network > GlobalProtect > Portals and select the portal configuration to edit.
  2. Select the Agent tab and either select an existing configuration or Add a new configuration to
     deploy to the test users/group.
  3. On the User/User Group tab, click Add in the User/User Group section, select the user or group
     who will be testing the agent, and then click OK.
  4. On the Agent tab, make sure Agent Upgrade is set to prompt and then click OK to save the
     configuration.
  5. (Optional) Select the agent configuration you just created/modified and click Move Up so that
     it is before any more generic configurations you have created.
  6. Commit the changes.

Step 2: Log in to the GlobalProtect portal.
  1. Launch your web browser and go to the following URL:
     [Link]
     For example, [Link]
  2. On the portal login page, enter your user Name and Password and then click Login.

Step 3: Download the agent.
  1. Click the link that corresponds to the operating system you are running on your computer to
     begin the download.
  2. When prompted to run or save the software, click Run.
  3. When prompted, click Run to launch the GlobalProtect Setup Wizard.
  Note: When initially installing the GlobalProtect agent software on the endpoint, the end user must
  be logged in to the system using an account that has [Link]
  updates do not require administrative privileges.

Step 4: Complete the GlobalProtect agent setup.
  1. From the GlobalProtect Setup Wizard, click Next.
  2. Click Next to accept the default installation folder
     (C:\Program Files\Palo Alto Networks\GlobalProtect)
     or Browse to choose a new location and then click Next twice.
  3. After the installation successfully completes, [Link]
     GlobalProtect agent will automatically start.

Step 5: Log in to GlobalProtect.
  Enter the FQDN or IP address of the Portal, your Username, and [Link]
  successful, [Link]
  to access resources on the corporate network as well as external resources, as defined in the
  corresponding security policies.

  To deploy the agent to end users, create agent configurations for the user groups for which you
  want to enable access and set the Agent Upgrade settings appropriately and then communicate the
  [Link]
  for details on setting up agent configurations.

Download and Install the GlobalProtect Mobile App

The GlobalProtect app provides a simple way to extend the enterprise security policies out to mobile
[Link], the mobile app provides secure access
[Link]
[Link], traffic to and from the mobile device
is automatically subject to the same security policy enforcement as other hosts on your corporate network.
Like the GlobalProtect agent, the app collects information about the host configuration and can use this
information for enhanced HIP-based security policy enforcement.
There are two primary methods for installing the GlobalProtect app: You can deploy the app from your
third-party MDM and transparently push the app to your managed devices; or, you can install the app
directly from the official store for your device:
  iOS endpoints: App Store
  Android endpoints: Google Play
  Windows 10 phones and Windows 10 UWP endpoints: Microsoft Store
  Chromebooks: For details on installing the GlobalProtect app for Chrome OS, see Download and Install
  the GlobalProtect App for Chrome OS.
[Link]
on how to deploy the GlobalProtect app from AirWatch, see Deploy the GlobalProtect Mobile App Using
AirWatch.

Install the GlobalProtect Mobile App

Step 1: Create an agent configuration for testing the app installation.
  As a best practice, create an agent configuration that is limited to a small group of users, such as
  administrators in the IT department responsible for administering the firewall:
  1. Select Network > GlobalProtect > Portals and select the portal configuration to edit.
  2. Select the Agent tab and either select an existing configuration or Add a new configuration to
     deploy to the test users/group.
  3. On the User/User Group tab, click Add in the User/User Group section and then select the user
     or group who will be testing the agent.
  4. In the OS section, select the app you are testing (iOS, Android, or Windows UWP).
  5. (Optional) Select the agent configuration you just created/modified and click Move Up so that
     it is before any more generic configurations you have created.
  6. Commit the changes.

Step 2: From the mobile device, follow the prompts to download and install the app.
  On Android devices, search for the app on Google Play.
  On iOS devices, search for the app at the App Store.
  On Windows 10 UWP devices, search for the app at the Microsoft Store.

Step 3: Launch the app.
  When successfully installed, the GlobalProtect app icon displays on
  [Link], [Link]
  prompted to enable GlobalProtect VPN functionality, tap OK.

Step 4: Connect to the portal.
  1. When prompted, enter the Portal name or address, Username, [Link]
     and it should not include the [Link]
  2. Tap Connect and verify that the app successfully establishes a VPN connection to GlobalProtect.
  If a third-party mobile endpoint management system is configured, the app will prompt you to enroll.

Download and Install the GlobalProtect App for Chrome OS

The GlobalProtect app for Chrome OS provides a simple way to extend the enterprise security policies out
[Link], the app provides secure
[Link], the
[Link], traffic to and
from the Chromebook is automatically subject to the same security policy enforcement as other hosts on
[Link], the app collects information about the host
configuration and can use this information for enhanced HIP-based security policy enforcement.
Use the following procedures to install and test the GlobalProtect app for Chrome OS.
  Install the GlobalProtect App from the Chrome Web Store
  Deploy the GlobalProtect App Using the Chromebook Management Console
  Test the GlobalProtect app for Chrome OS

Install the GlobalProtect App from the Chrome Web Store

You can install the GlobalProtect app on a Chromebook by downloading the app from the Chrome Web
[Link]
Console.

Install the GlobalProtect App from the Chrome Web Store

Step 1: Create an agent configuration for testing the app installation.
  As a best practice, create an agent configuration that is limited to a small group of users, such as
  administrators in the IT department who are responsible for administering the firewall.
  1. Select Network > GlobalProtect > Portals and select the portal configuration to edit.
  2. Select the Agent tab and either select an existing configuration or Add a new configuration to
     deploy to the test users/group.
  3. On the User/User Group tab, click Add in the User/User Group section and then select the user
     or group that will test the agent.
  4. In the OS area, select the app you are testing (Chrome) and click OK.
  5. (Optional) Select the agent configuration you just created or modified and click Move Up so
     that it is before any more generic configurations you have created.
  6. Commit the changes.

Step 2: Install the GlobalProtect app for Chrome OS.
  1. From the Chromebook, search for the app in the Chrome Web Store or go directly to the
     GlobalProtect app page.
  2. Click Add to Chrome and then follow the prompts to download and install the app.
  You can also force-install the app on managed Chromebooks using the
  [Link]
  Deploy the GlobalProtect App Using the Chromebook Management Console.

Step 3: Launch the app.
  When successfully installed, the Chrome App Launcher displays the
  [Link], click the icon.

Step 4: Configure the portal.
  1. When prompted, enter the IP address or FQDN of the Portal.
     The portal should not include the [Link]
  2. Click Add Connection to add the GlobalProtect VPN configuration.
     The app displays the home screen after it adds the VPN configuration to the Internet connection
     settings of your Chromebook but does not initiate a connection.

Step 5: Test the connection.
  Test the GlobalProtect app for Chrome OS

Deploy the GlobalProtect App Using the Chromebook Management Console

The Chromebook Management Console enables you to manage Chromebook settings and apps from a
central, [Link], you can deploy the GlobalProtect app to Chromebooks and
customize VPN settings.
Use the following workflow to manage policies and settings for the GlobalProtect app for Chrome OS:

Configure the GlobalProtect App Using the Chromebook Management Console

Step 1: View the user settings for the GlobalProtect app.
  1. From the Chromebook Management Console, select Device management > Chrome management >
     App management.
     The console displays the list of apps configured in all organization (org) units in your domain
     and displays the status [Link]
     which that status is applied.
  2. Select the GlobalProtect app and then select User settings.
     If the app is not present, SEARCH for GlobalProtect in the Chrome Web Store.

Step 2: Configure policies and settings for everyone in an org unit.
  1. Select the org unit where you want to configure settings and configure any of the following
     options:
     Selecting the top-level org unit applies settings to everyone in that unit; selecting a child org
     unit applies settings only to users within that child org unit.
     Allow installation: Allow users to install this app from the
     [Link], an org unit inherits the
     [Link]
     settings, select Inherit, which toggles the Override setting.
     Force installation: Install this app automatically and prevent users from removing it.
     Pin to taskbar: If the app is installed, pin the app to the taskbar (in Chrome OS only).
     Add to Chrome Web Store collection: Recommend this app to your users in the Chrome Web Store.
  2. If you have not already done so, create a text file in JSON format that uses the following syntax
     and includes the FQDN or IP address of your GlobalProtect portal:
     {
       "PortalAddress": {
         "Value": "[Link]"
       }
     }
  3. On the User settings page, select UPLOAD CONFIGURATION FILE and then Browse to the
     GlobalProtect settings file.
  4. [Link]
     minutes, but it might take up to an hour to propagate through your organization.

Step 3: Test the connection.
  After Chrome Management Console successfully deploys the app,
  Test the GlobalProtect app for Chrome OS

Test the GlobalProtect app for Chrome OS

Use the GlobalProtect app to view status and other information about the app or to collect logs, or reset the
[Link], it is not necessary to open the app to
[Link], you can connect by selecting the portal from the VPN settings on the
Chromebook.

Test the GlobalProtect App for Chrome OS

Step 1: Log in to GlobalProtect.
  1. Click the status area at the bottom right corner of the Chromebook.
  2. Select VPN disconnected and then select the portal that you entered when configuring the
     GlobalProtect VPN settings.
     To view VPN settings before connecting, select the portal from Settings > Private network, and
     then click Connect.
  3. Enter the Username and Password for the portal and click
     [Link]
     [Link],
     [Link]
     enabled, the GlobalProtect welcome page will display.

Step 2: [Link]
  app is connected, the status area displays the VPN icon along the bottom of the Wi-Fi icon.
  To view the portal to which you are connected, click the status area.
  To view additional information about the connection including the gateway to which you are
  connected, launch the [Link]
  information and (if applicable) any errors or warnings.

Deploy Agent Settings Transparently

As an alternative to deploying agent settings from the portal configuration, you can define them directly
from the Windows registry or global Mac plist or, on Windows clients only, using the Windows Installer
(Msiexec). The benefit is that it enables deployment of GlobalProtect agent settings to endpoints prior to
their first connection to the GlobalProtect portal.
Settings defined in the portal configuration always override settings defined in the Windows registry or Mac
[Link], but the portal configuration specifies different settings,
[Link]
also applies to login-related settings, such as whether to connect on demand, whether to use single sign-on
(SSO), [Link], you should avoid
[Link], the portal configuration is cached on the endpoint and that cached
configuration is used any time the GlobalProtect agent is restarted or the client machine is rebooted.
The following sections describe the customizable agent settings available and how to deploy these settings
transparently to Windows and Mac clients:
  Customizable Agent Settings
  Deploy Agent Settings to Windows Clients
  Deploy Agent Settings to Mac Clients

In addition to using Windows registry and Mac plist to deploy GlobalProtect agent settings, you can enable the
GlobalProtect agent to collect specific Windows registry or Mac plist information from clients, including data on
applications installed on the clients, processes running on the clients, and attributes or properties of those
[Link].
Device traffic that matches registry settings you have defined can be enforced according to the security rule.
Additionally, you can set up custom checks to Collect Application and Process Data From Clients.

Customizable Agent Settings

In addition to pre-deploying the portal address, [Link]
Deploy Agent Settings to Windows Clients you define keys in the Windows registry
(HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect), or, to Deploy Agent
Settings to Mac Clients you define entries in the PanSetup dictionary of the Mac plist
(/Library/Preferences/[Link]). On
Windows clients only, you can also use the Windows Installer to Deploy Agent Settings from Msiexec.
Table: [Link]
the GlobalProtect portal agent configuration take precedence over settings defined in the Windows registry
or the Mac plist.

Some settings do not have a corresponding portal configuration setting on the web interface, and must be
[Link]:
can-prompt-user-credential, wrap-cp-guid, and filter-non-gpcp.

  Agent Display Options
  User Behavior Options
  Agent Behavior Options
  Script Deployment Options

Agent Display Options

The following table lists the options that you can configure in the Windows registry and Mac plist to
customize the display of the GlobalProtect agent.

Table: Customizable Agent Settings
(Columns: portal agent configuration; Windows registry / Mac plist; Msiexec parameter; default)

Enable Advanced View
  Registry/plist: enable-advanced-view yes | no
  Msiexec: ENABLEADVANCEDVIEW=yes | no
  Default: yes

Display GlobalProtect Icon
  Registry/plist: show-agent-icon yes | no
  Msiexec: SHOWAGENTICON=yes | no
  Default: yes

Enable Rediscover Network Option
  Registry/plist: rediscover-network yes | no
  Msiexec: REDISCOVERNETWORK=yes | no
  Default: yes

Enable Resubmit Host Profile Option
  Registry/plist: resubmit-host-info yes | no
  Msiexec: RESUBMITHOSTINFO=yes | no
  Default: yes

Show System Tray Notifications
  Registry/plist: show-system-tray-notifications yes | no
  Msiexec: SHOWSYSTEMTRAYNOTIFICATIONS=yes | no
  Default: yes

User Behavior Options

The following table lists the options that you can configure in the Windows registry and Mac plist to
customize how the user can interact with the GlobalProtect agent.

Table: Customizable User Behavior Options
(Columns: portal agent configuration; Windows registry / Mac plist; Msiexec parameter; default)

Allow User to Change Portal Address
  Registry/plist: can-change-portal yes | no
  Msiexec: CANCHANGEPORTAL=yes | no
  Default: yes

Allow User to Dismiss Welcome Page
  Registry/plist: enable-hide-welcome-page yes | no
  Msiexec: ENABLEHIDEWELCOMEPAGE=yes | no
  Default: yes

Allow User to Continue with Invalid Portal Server Certificate
  Registry/plist: can-continue-if-portal-cert-invalid yes | no
  Msiexec: CANCONTINUEIFPORTALCERTINVALID=yes | no
  Default: yes

Allow User to Disable GlobalProtect App
  Registry/plist: disable-allowed yes | no
  Msiexec: DISABLEALLOWED="yes | no"
  Default: no

Save User Credentials
  Specify a 0 to prevent GlobalProtect from saving credentials, a 1 to save both username and password,
  or a 2 to save the username only.
  Registry/plist: save-user-credentials 0 | 1 | 2
  Msiexec: SAVEUSERCREDENTIALS 0 | 1 | 2

Not in portal
  The Allow user to save password setting is deprecated in the web interface in PAN-OS 7.1 and later
  releases but is configurable from the Windows [Link]
  specified in the Save User Credentials field overwrites a value specified here.
  Registry/plist: can-save-password yes | no
  Msiexec: CANSAVEPASSWORD=yes | no
  Default: yes

Agent Behavior Options

The following table lists the options that you can configure in the Windows registry and Mac plist to
customize the behavior of the GlobalProtect agent.

Table: Customizable Agent Behavior Options
(Columns: portal agent configuration; Windows registry / Mac plist; Msiexec parameter; default)

Connect Method
  Registry/plist: connect-method on-demand | pre-logon | user-logon
  Msiexec: CONNECTMETHOD=on-demand | pre-logon | user-logon
  Default: user-logon

GlobalProtect App Config Refresh Interval (hours)
  Registry/plist: refresh-config-interval <hours>
  Msiexec: REFRESHCONFIGINTERVAL=<hours>
  Default: 24

Update DNS Settings at Connect (Windows Only)
  Registry/plist: flushdns yes | no
  Msiexec: FLUSHDNS=yes | no
  Default: no

Send HIP Report Immediately if Windows Security Center (WSC) State Changes (Windows Only)
  Registry/plist: wscautodetect yes | no
  Msiexec: WSCAUTODETECT=yes | no
  Default: no

Detect Proxy for Each Connection (Windows Only)
  Registry/plist: ProxyMultipleAutoDetection yes | no
  Msiexec: PROXYMULTIPLEAUTODETECTION=yes | no
  Default: no

Clear Single Sign-On Credentials on Logout (Windows Only)
  Registry/plist: LogoutRemoveSSO yes | no
  Msiexec: LOGOUTREMOVESSO=yes | no
  Default: yes

Use Default Authentication on Kerberos Authentication Failure (Windows Only)
  Registry/plist: krb-auth-fail-fallback yes | no
  Msiexec: KRBAUTHFAILFALLBACK=yes | no
  Default: no

Custom Password Expiration Message (LDAP Authentication Only)
  Registry/plist: PasswordExpiryMessage <message>
  Msiexec: PASSWORDEXPIRYMESSAGE <message>

Portal Connection Timeout (sec)
  Registry/plist: PortalTimeout <portaltimeout>
  Msiexec: PORTALTIMEOUT=<portaltimeout>
  Default: 30

TCP Connection Timeout (sec)
  Registry/plist: ConnectTimeout <portaltimeout>
  Msiexec: CONNECTTIMEOUT=<portaltimeout>
  Default: 60

TCP Receive Timeout (sec)
  Registry/plist: ReceiveTimeout <portaltimeout>
  Msiexec: RECEIVETIMEOUT=<portaltimeout>
  Default: 30

Client Certificate Store Lookup
  Registry/plist: certificate-store-lookup user | machine | user and machine | invalid
  Msiexec: CERTIFICATESTORELOOKUP="user | machine | user and machine | invalid"
  Default: user and machine

SCEP Certificate Renewal Period (days)
  Registry/plist: scep-certificate-renewal-period <renewalPeriod>
  Msiexec: n/a
  Default: 7

Maximum Internal Gateway Connection Attempts
  Registry/plist: max-internal-gateway-connection-attempts <maxValue>
  Msiexec: MIGCA="<maxValue>"
  Default: 0

Extended Key Usage OID for Client Certificate
  Registry/plist: ext-key-usage-oid-for-client-cert <oidValue>
  Msiexec: EXTCERTOID=<oidValue>
  Default: n/a

User Switch Tunnel Rename Timeout (sec)
  Registry/plist: user-switch-tunnel-rename-timeout <renameTimeout>
  Msiexec: n/a
  Default: 0

Use Single Sign-On (Windows Only)
  Registry/plist: use-sso yes | no
  Msiexec: USESSO="yes | no"
  Default: yes

Not in portal
  This setting specifies the default portal IP address (or hostname).
  Registry/plist: portal <IPaddress>
  Msiexec: PORTAL="<IPaddress>"
  Default: n/a

Not in portal
  This setting enables GlobalProtect to initiate a VPN tunnel before a user logs in to the device and
  connects to the GlobalProtect portal.
  Registry/plist: prelogon 1
  Msiexec: PRELOGON="1"
  Default: 1

Windows only / Not in portal
  This setting is used in conjunction with single sign-on (SSO) and indicates whether or not to prompt
  the user for credentials if SSO fails.
  Registry/plist: can-prompt-user-credential yes | no
  Msiexec: CANPROMPTUSERCREDENTIAL=yes | no
  Default: yes

Windows only / Not in portal
  This setting filters the third-party credential provider's tile from the Windows login page so that
  only the native Windows tile is displayed.*
  Registry/plist: wrap-cp-guid {third party credential provider guid}
  Msiexec: WRAPCPGUID={guid_value} FILTERNONGPCP=yes | no
  Default: no

Windows only / Not in portal
  This setting is an additional option for the setting wrap-cp-guid, and allows the third-party
  credential provider tile to be displayed on the Windows login page, in addition to the native Windows
  logon tile.*
  Registry/plist: filter-non-gpcp no
  Msiexec: n/a
  Default: n/a

* For detailed steps to enable these settings using the Windows registry or Windows Installer (Msiexec), see
SSO Wrapping for Third-Party Credential Providers on Windows Clients.

Script Deployment Options

The following table displays options that enable GlobalProtect to initiate scripts before and after establishing
[Link],
you must define the values for the relevant key: either pre-vpn-connect, post-vpn-connect, or
[Link], see
Deploy Scripts Using the Windows Registry, Deploy Scripts Using Msiexec, or Deploy Scripts Using the Mac
Plist.

Table: Customizable Script Deployment Options
(Columns: portal agent configuration; Windows registry / Mac plist; Msiexec parameter; default)

Execute the script specified in the command setting (including any parameters passed to the script).
  Environmental variables are supported. Specify the full path in commands.
  Registry/plist: command <parameter1> <parameter2> [...]
    Windows example: command %userprofile%\vpn_script.bat c: test_user
    Mac example: command $HOME/vpn_script.sh /Users/test_user test_user
  Msiexec: PREVPNCONNECTCOMMAND=<parameter1> <parameter2> [...]
           POSTVPNCONNECTCOMMAND=<parameter1> <parameter2> [...]
           PREVPNDISCONNECTCOMMAND=<parameter1> <parameter2> [...]
  Default: n/a

(Optional) Specify the privileges under which the command(s) can run (default is user: if you do not
  specify the context, the command runs as the current active user).
  Registry/plist: context admin | user
  Msiexec: PREVPNCONNECTCONTEXT=admin | user
           POSTVPNCONNECTCONTEXT=admin | user
           PREVPNDISCONNECTCONTEXT=admin | user
  Default: user

(Optional) Specify the number of seconds the GlobalProtect client waits for the command to execute
  (range is 0-120). If the command does not complete before the timeout, the client proceeds to
  establish or disconnect from the VPN tunnel. A value of 0 (the default) means the client will not
  wait to execute the command. Not supported for post-vpn-connect.
  Registry/plist: timeout <value>
    Example: timeout 60
  Msiexec: PREVPNCONNECTTIMEOUT=<value>
           POSTVPNCONNECTTIMEOUT=<value>
           PREVPNDISCONNECTTIMEOUT=<value>
  Default: 0

(Optional) Specify the full path [Link]
  GlobalProtect client will verify the integrity of the file by checking it against the value specified
  in the checksum key. Environmental variables are supported.
  Registry/plist: file <path_file>
  Msiexec: PREVPNCONNECTFILE=<path_file>
           POSTVPNCONNECTFILE=<path_file>
           PREVPNDISCONNECTFILE=<path_file>
  Default: n/a

(Optional) Specify the sha256 checksum of the file referred to
  [Link]
  is specified, the GlobalProtect client executes the command(s) only if the checksum generated by the
  GlobalProtect client matches the checksum value specified here.
  Registry/plist: checksum <value>
  Msiexec: PREVPNCONNECTCHECKSUM=<value>
           POSTVPNCONNECTCHECKSUM=<value>
           PREVPNDISCONNECTCHECKSUM=<value>
  Default: n/a

(Optional) Specify an error message to inform the user that the command(s) cannot execute or if the
  command(s) exited with a nonzero return code. The message must be 1,024 or fewer ANSI characters.
  Registry/plist: error-msg <message>
    Example: error-msg Failed executing pre-vpn-connect action!
  Msiexec: PREVPNCONNECTERRORMSG=<message>
           POSTVPNCONNECTERRORMSG=<message>
           PREVPNDISCONNECTERRORMSG=<message>
  Default: n/a

Deploy Agent Settings to Windows Clients

Use Windows registry or the Windows Installer (Msiexec) to deploy the GlobalProtect agent and settings to
Windows clients transparently.
  Deploy Agent Settings in the Windows Registry
  Deploy Agent Settings from Msiexec
  Deploy Scripts Using the Windows Registry
  Windows OS Batch Script Examples
    Example: Exclude Traffic from the VPN Tunnel on Windows Endpoints
    Example: Mount a Network Share on Windows Endpoints
  Deploy Scripts Using Msiexec
    Example: Use Msiexec to Deploy Scripts that Run Before a Connect Event
    Example: Use Msiexec to Deploy Scripts that Run at Pre-Connect, Post-Connect, and Pre-Disconnect
    Events
  SSO Wrapping for Third-Party Credential Providers on Windows Clients
    Enable SSO Wrapping for Third-Party Credentials with the Windows Registry
    Enable SSO Wrapping for Third-Party Credentials with the Windows Installer

Deploy Agent Settings in the Windows Registry

You can enable deployment of GlobalProtect agent settings to Windows clients prior to their first
[Link]
following table to begin using the Windows registry to customize agent settings for Windows clients.

In addition to using Windows registry to deploy GlobalProtect agent settings, you can enable the GlobalProtect
[Link]
[Link]
[Link], you can set up custom checks to Collect Application and
Process Data From Clients.

Use the Windows Registry to Deploy GlobalProtect Agent Settings

Locate the GlobalProtect agent customization settings in the Windows registry.
  Open the Windows registry (enter regedit at the command prompt) and go to:
  HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\

Set the portal name.
  If you do not want the user to manually enter the portal address even for the first connection, you
  can pre-deploy the portal address through the Windows registry
  (HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup with key Portal).

Deploy various settings to the Windows client from the Windows registry, including configuring the
connect method for the GlobalProtect agent and enabling single sign-on (SSO).
  View Table: Customizable Agent Behavior Options for a full list of the commands and values you can
  set up using the Windows registry.

Enable the GlobalProtect agent to wrap third-party credentials on the Windows client, allowing for SSO
when using a third-party credential provider.
  Enable SSO Wrapping for Third-Party Credentials with the Windows Registry.

Deploy Agent Settings from Msiexec

On Windows endpoints, you have the option to deploy the agent and the settings automatically from the
Windows Installer (Msiexec) by using the following syntax:
[Link] /i [Link] <SETTING>="<value>"

[Link]
running Microsoft Windows XP or a later OS, the maximum length of the string that you can use at the command
prompt is 8,191 characters.

Msiexec example: [Link] /i [Link] /quiet PORTAL=[Link]
  Description: Install GlobalProtect in quiet mode (no user interaction) and configure the portal address.

Msiexec example: [Link] /i [Link] CANCONTINUEIFPORTALCERTINVALID=no
  Description: Install GlobalProtect with the option to prevent users from connecting to the portal if
  the certificate is not valid.

For a complete list of settings and the corresponding default values, see Table: Customizable Agent Behavior
Options.

To set up the GlobalProtect agent to wrap third-party credentials on a Windows client from Msiexec, see Enable
SSO Wrapping for Third-Party Credentials with the Windows Installer.
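The following Python script is an added example; it is not Palo Alto Networks code and is not on the original page. It builds the Msiexec command line from a settings dictionary, validates each value against the allowed values listed in the Customizable Agent Settings tables above, enforces the 8,191-character command-prompt limit, and flags values that loosen the deployment (for instance CANCONTINUEIFPORTALCERTINVALID=yes, which lets a user proceed through an invalid portal certificate). The installer file name GlobalProtect64.msi and the portal name portal.example.com are placeholders, and the HARDENED and PERMISSIVE dictionaries are constructed sample input.

```python
"""Build a validated Msiexec command line for transparent GlobalProtect agent deployment.

Added example, not Palo Alto Networks code. The parameter names and allowed
values are the ones listed in the Customizable Agent Settings tables on this
page; GlobalProtect64.msi and portal.example.com are placeholders.
"""

MAX_CMDLINE = 8191  # command-prompt limit on Windows XP and later, per the page

YES_NO = {"yes", "no"}

# Documented Msiexec parameters -> allowed values (None means free text or a number).
PARAMS = {
    "PORTAL": None,
    "CONNECTMETHOD": {"on-demand", "pre-logon", "user-logon"},
    "SAVEUSERCREDENTIALS": {"0", "1", "2"},
    "CERTIFICATESTORELOOKUP": {"user", "machine", "user and machine", "invalid"},
    "REFRESHCONFIGINTERVAL": None,
    "PORTALTIMEOUT": None,
    "CANCHANGEPORTAL": YES_NO,
    "CANCONTINUEIFPORTALCERTINVALID": YES_NO,
    "DISABLEALLOWED": YES_NO,
    "CANSAVEPASSWORD": YES_NO,
    "USESSO": YES_NO,
    "SHOWAGENTICON": YES_NO,
    "FLUSHDNS": YES_NO,
}
NUMERIC = {"REFRESHCONFIGINTERVAL", "PORTALTIMEOUT"}

# Values that loosen the deployment's security posture, with the reason a reviewer would flag them.
WEAK_VALUES = {
    "CANCONTINUEIFPORTALCERTINVALID": ("yes", "users can proceed through an invalid portal certificate"),
    "CANCHANGEPORTAL": ("yes", "users can point the agent at a different portal address"),
    "DISABLEALLOWED": ("yes", "users can disable the GlobalProtect app"),
    "SAVEUSERCREDENTIALS": ("1", "the password is saved on the endpoint"),
}


def validate(settings):
    """Return a list of problems with the settings (an empty list means valid)."""
    errors = []
    for name, value in settings.items():
        if name not in PARAMS:
            errors.append(f"{name}: not a documented Msiexec parameter")
            continue
        allowed = PARAMS[name]
        if allowed is not None and value not in allowed:
            errors.append(f"{name}: {value!r} is not one of {sorted(allowed)}")
        if name in NUMERIC and not value.isdigit():
            errors.append(f"{name}: {value!r} is not a number")
    return errors


def lint(settings):
    """Return warnings for documented-but-permissive values."""
    return [
        f"{name}={settings[name]}: {reason}"
        for name, (weak, reason) in WEAK_VALUES.items()
        if settings.get(name) == weak
    ]


def build_command(msi, settings, quiet=True):
    """Render msiexec.exe /i <msi> [/quiet] SETTING="value" ..., enforcing the length limit."""
    errors = validate(settings)
    if errors:
        raise ValueError("; ".join(errors))
    parts = ["msiexec.exe", "/i", msi]
    if quiet:
        parts.append("/quiet")  # no user interaction, as in the page's first example
    # Quote every value: values such as "user and machine" contain spaces.
    parts += [f'{name}="{value}"' for name, value in settings.items()]
    cmd = " ".join(parts)
    if len(cmd) > MAX_CMDLINE:
        raise ValueError(f"command line is {len(cmd)} characters; the limit is {MAX_CMDLINE}")
    return cmd


# Constructed hardened baseline: no portal changes, no invalid-certificate
# override, the app cannot be disabled, and only the username is saved.
HARDENED = {
    "PORTAL": "portal.example.com",
    "CONNECTMETHOD": "user-logon",
    "CANCONTINUEIFPORTALCERTINVALID": "no",
    "CANCHANGEPORTAL": "no",
    "DISABLEALLOWED": "no",
    "SAVEUSERCREDENTIALS": "2",
}

# Constructed permissive set that lint() flags.
PERMISSIVE = {
    "PORTAL": "portal.example.com",
    "CANCONTINUEIFPORTALCERTINVALID": "yes",
    "SAVEUSERCREDENTIALS": "1",
}

if __name__ == "__main__":
    print(build_command("GlobalProtect64.msi", HARDENED))
    for warning in lint(PERMISSIVE):
        print("WARNING:", warning)
```

Run it as a script to print the hardened command line and the warnings for the permissive set. The lint step is the part worth keeping in a deployment pipeline: a permissive value in a transparent install is never seen by the end user, so it has to be caught before the package is pushed.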

Deploy Scripts Using the Windows Registry

You can enable deployment of custom scripts to Windows endpoints using the Windows registry.
You can configure the GlobalProtect agent to initiate and run a script for any or all of the following events:
before and after establishing the tunnel, [Link]
event, reference the batch script from a command registry entry for that event.
Depending on the configuration settings, the GlobalProtect agent can run a script before and after the agent
establishes a VPN tunnel with the gateway, [Link]
following workflow to get started using the Windows registry to customize agent settings for Windows
clients.

The registry settings that enable you to deploy scripts are supported in GlobalProtect clients running
GlobalProtect agent 2.3 and later releases.

Deploy Scripts in the Windows Registry

Step 1: Open the Windows registry, and locate the GlobalProtect agent customization settings.
  Open the Windows registry (enter regedit in the command prompt) and go to the location of the key
  depending on when you want to execute scripts (pre/post connect or pre-disconnect):
  HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\pre-vpn-connect
  HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\post-vpn-connect
  HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\pre-vpn-disconnect
  If the key does not exist within the Settings key, create it (right-click Settings and select
  New > Key).

Step 2: Enable the GlobalProtect agent to run scripts by creating a new String Value named command.
  The batch file specified here should contain the specific script (including any parameters passed to
  the script) that you [Link], see Windows OS Batch Script Examples.
  1. If the command string does not already exist, create it (right-click the pre-vpn-connect,
     post-vpn-connect, or pre-vpn-disconnect key, select New > String Value, and name it command).
  2. Right-click command and select Modify.
  3. Enter the commands or script that the GlobalProtect agent
     [Link]:
     %userprofile%\pre_vpn_connect.bat c: test_user

Step 3: (Optional) Add additional registry entries as needed for each command.
  Create or modify registry strings and their corresponding values, including context, timeout, file,
  checksum, [Link]
  additional information, see Customizable Agent Settings.
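The script deployment keys from the Script Deployment Options table and the registry procedure just described can be pre-deployed together as a .reg file. The following Python script is an added example, not Palo Alto Networks code: it writes a constructed sample batch file, computes its SHA-256, and renders a .reg file that populates the PanSetup key's Portal value and the Settings key's pre-vpn-connect subkey with the command, context, timeout, file, checksum and error-msg String Values, validating timeout (0-120) and the 1,024-character error-msg limit. It also shows the comparison the agent performs against the checksum value before running the command. The registry path and value names are the ones documented on this page; the portal name, script path and script contents are constructed.

```python
"""Pre-deploy a GlobalProtect script-deployment key, with its SHA-256 checksum, as a .reg file.

Added example, not Palo Alto Networks code. It assumes the registry locations
and String Values documented on this page: the PanSetup key's Portal value and
the Settings key's pre-vpn-connect (or post-vpn-connect, pre-vpn-disconnect)
subkey with command, context, timeout, file, checksum and error-msg. The
portal name, script path and script contents are constructed sample data.
"""
import hashlib
import tempfile
from pathlib import Path

GP_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect"
EVENTS = ("pre-vpn-connect", "post-vpn-connect", "pre-vpn-disconnect")

# Constructed sample batch script; its contents are illustrative only.
SAMPLE_SCRIPT = b"@echo off\r\nREM constructed pre-vpn-connect sample\r\necho pre-connect %1 %2\r\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path) -> str:
    """Hex SHA-256 of a file, read in chunks so large scripts are handled."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def checksum_matches(path, expected: str) -> bool:
    """The agent-side check: run the command only if the file's SHA-256 equals the checksum value."""
    return sha256_of_file(path) == expected.lower()


def reg_escape(value: str) -> str:
    """Escape backslashes and double quotes for a REG_SZ value in .reg syntax."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def script_event_values(event, command, script_path, context="user", timeout=0, error_msg=None):
    """String Values for one event subkey, validated against the ranges documented on the page."""
    if event not in EVENTS:
        raise ValueError(f"unknown event {event!r}; expected one of {EVENTS}")
    if context not in ("admin", "user"):
        raise ValueError("context must be admin or user")
    if not 0 <= timeout <= 120:
        raise ValueError("timeout must be 0-120 seconds")
    if error_msg is not None and len(error_msg) > 1024:
        raise ValueError("error-msg must be 1,024 or fewer characters")
    values = {
        "command": command,
        "context": context,
        "timeout": str(timeout),
        "file": str(script_path),
        # Pinning the hash means a script that is replaced on the endpoint is
        # not executed, which matters most when context is admin.
        "checksum": sha256_of_file(script_path),
    }
    if error_msg is not None:
        values["error-msg"] = error_msg
    return values


def build_reg(portal, event_values):
    """Render the .reg text: the PanSetup Portal value plus one Settings subkey per event."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{GP_ROOT}\\PanSetup]",
             f'"Portal"="{reg_escape(portal)}"', ""]
    for event, values in event_values.items():
        lines.append(f"[{GP_ROOT}\\Settings\\{event}]")
        lines.extend(f'"{name}"="{reg_escape(value)}"' for name, value in values.items())
        lines.append("")
    return "\n".join(lines)


def demo(directory=None):
    """Write the constructed script to disk and return the .reg text and the script path."""
    directory = Path(directory or tempfile.mkdtemp())
    script = directory / "pre_vpn_connect.bat"
    script.write_bytes(SAMPLE_SCRIPT)
    values = script_event_values(
        "pre-vpn-connect",
        command=f"{script} c: test_user",
        script_path=script,
        context="admin",
        timeout=60,
        error_msg="Failed executing pre-vpn-connect action!",
    )
    return build_reg("portal.example.com", {"pre-vpn-connect": values}), script


if __name__ == "__main__":
    reg_text, _ = demo()
    print(reg_text)
```

Import the generated text into the endpoint's registry with the usual .reg tooling as part of the image or GPO, regenerating the checksum value whenever the script changes; a stale checksum is a denial of the script, not a bypass, because the agent declines to run a command whose file no longer matches.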

Windows OS Batch Script Examples

You can configure the GlobalProtect agent to initiate and run a script for any or all of the following events:
before and after establishing the tunnel, and before disconnecting the tunnel. For each event, you reference
the script from the command registry entry for that event. The following are examples of scripts you can run
on Windows systems at pre-connect, post-connect, and pre-disconnect events:

Example: Exclude Traffic from the VPN Tunnel on Windows Endpoints

To exclude traffic from the VPN tunnel after establishing the VPN connection, reference the following script
from a command registry entry for a post-vpn-connect event. The script adds routes that send traffic for the
listed networks and hosts directly to the endpoint's physical default gateway and sends all other traffic
through the VPN tunnel.

As a best practice, delete any exclude network routes that were previously added before adding the new exclude
routes. For example, when a user moves between networks (such as when switching between Wi-Fi and a local
network), the endpoint's default gateway changes. Following this best practice ensures that traffic destined
for the exclude routes goes through the gateway of the new network instead of the gateway of the old network.

Because route add and route delete modify the endpoint's routing table, this script needs administrative
privileges; set the context for the command to admin rather than user.

For a script that you can copy and paste, go here.


@echo off
REM Run this script (route_exclude) post-vpn-connect.
REM Add exclude routes. This allows traffic to these networks and hosts to go directly
REM to the physical default gateway and not use the tunnel.
REM Syntax: route_exclude <network1> <mask1> <network2> <mask2> ... <networkN> <maskN>
REM Example-1 (one network):    route_exclude <network1> <mask1>
REM Example-2 (two networks):   route_exclude <network1> <mask1> <network2> <mask2>
REM Example-3 (three networks): route_exclude <network1> <mask1> <network2> <mask2> <network3> <mask3>

REM Initialize 'DefaultGateway'
set "DefaultGateway="

REM Use the route print command to find the default gateway on the endpoint. The default
REM route line reads "0.0.0.0  0.0.0.0  <gateway>  <interface>  <metric>", so the third
REM token of the first matching line is the gateway address.
@For /f "tokens=3" %%G in (
'route.exe print ^|findstr "\<0.0.0.0\>"'
) Do if not defined DefaultGateway Set "DefaultGateway=%%G"

REM Walk the <network> <mask> pairs. Delete any existing route for the network first so a
REM stale gateway from a previous network is not kept, then add the exclude route.
:add_route
if "%1"=="" goto end
route delete %1
route add %1 mask %2 %DefaultGateway%
shift
shift
goto add_route
:end

Example: Mount a Network Share on Windows Endpoints

To mount a network share after establishing a VPN connection, reference the following script from a
command registry entry for a post-vpn-connect event. Because drive mappings belong to the logged-on user's
session, run this command in the user context:
@echo off
REM Mount the share on filer1 to the Z: drive (replace <filer1> with the server's hostname or FQDN)
net use Z: \\<filer1>\share /user:mycompany\user1

Deploy Scripts Using Msiexec

On Windows clients, you can use the Windows Installer (Msiexec) to deploy the agent, agent settings, and
scripts that the agent will run automatically (see Customizable Agent Settings). To do so, use the following
syntax:
msiexec.exe /i <GlobalProtect MSI> <SETTING>="<value>"

Note: On computers running Microsoft Windows XP or a later release, the maximum length of the string that
you can use at the command prompt is 8,191 characters. This limitation applies to the command line, to
individual environment variables (such as the USERPROFILE variable) that are inherited by other processes, and
to all environment variable expansions. If you use the command prompt to run batch files, this limitation also
applies to batch file processing.


For example, to deploy scripts that run at specific connect or disconnect events, you can use syntax similar
to the following examples (the properties are shown on separate lines for readability; enter each example as
a single command line):
  Example: Use Msiexec to Deploy Scripts that Run Before a Connect Event
  Example: Use Msiexec to Deploy Scripts that Run at Pre-Connect, Post-Connect, and Pre-Disconnect Events

Example: Use Msiexec to Deploy Scripts that Run Before a Connect Event

For a script that you can copy and paste, go here.

msiexec.exe /i <GlobalProtect MSI>
PREVPNCONNECTCOMMAND="%userprofile%\pre_vpn_connect.bat c: test_user"
PREVPNCONNECTCONTEXT="user"
PREVPNCONNECTTIMEOUT="60"
PREVPNCONNECTFILE="C:\Users\test_user\pre_vpn_connect.bat"
PREVPNCONNECTCHECKSUM="a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599"
PREVPNCONNECTERRORMSG="Failed executing pre-vpn-connect action."
For a complete list of settings and the corresponding default values, see Customizable Agent Settings. For
examples of batch scripts, see Windows OS Batch Script Examples.

Example: Use Msiexec to Deploy Scripts that Run at Pre-Connect, Post-Connect, and Pre-Disconnect Events

For a script that you can copy and paste, go here.

msiexec.exe /i <GlobalProtect MSI>
PREVPNCONNECTCOMMAND="%userprofile%\pre_vpn_connect.bat c: test_user"
PREVPNCONNECTCONTEXT="user"
PREVPNCONNECTTIMEOUT="60"
PREVPNCONNECTFILE="C:\Users\test_user\pre_vpn_connect.bat"
PREVPNCONNECTCHECKSUM="a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599"
PREVPNCONNECTERRORMSG="Failed executing pre-vpn-connect action."
POSTVPNCONNECTCOMMAND="c:\users\test_user\post_vpn_connect.bat c: test_user"
POSTVPNCONNECTCONTEXT="admin"
POSTVPNCONNECTFILE="%userprofile%\post_vpn_connect.bat"
POSTVPNCONNECTCHECKSUM="b48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf598"
POSTVPNCONNECTERRORMSG="Failed executing post-vpn-connect action."
PREVPNDISCONNECTCOMMAND="%userprofile%\pre_vpn_disconnect.bat c: test_user"
PREVPNDISCONNECTCONTEXT="admin"
PREVPNDISCONNECTTIMEOUT="0"
PREVPNDISCONNECTFILE="C:\Users\test_user\pre_vpn_disconnect.bat"
PREVPNDISCONNECTCHECKSUM="c48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf597"
PREVPNDISCONNECTERRORMSG="Failed executing pre-vpn-disconnect action."
For a complete list of settings and the corresponding default values, see Customizable Agent Settings. For
examples of batch scripts, see Windows OS Batch Script Examples.

In this example the post-vpn-connect and pre-vpn-disconnect commands run in the admin context but point at
scripts under the user's profile, a location the logged-on user can write to. Always set the checksum value
for such commands so that the agent can verify the script file before running it; otherwise a standard user
could replace the script and have their own commands run with administrative privileges.
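The msiexec examples above type the checksum for each script by hand. The Python below is an added example, not code from the guide or from Palo Alto Networks: it derives the same property set for one event from the script bytes that will be deployed, rejects a command line over the 8,191-character limit noted earlier, and shows the comparison the agent side has to make before a deployed script may run. It assumes the 64-hex-digit checksums on the page are SHA-256 digests of the script file (their length is consistent with that); the installer name GlobalProtect.msi and the sample script are constructed for the example.

```python
import hashlib
import hmac

# Windows command lines are limited to 8,191 characters (Windows XP and later).
MAX_CMDLINE = 8191

# msiexec property prefix -> event name used for the registry key / plist dictionary
EVENTS = {
    "PREVPNCONNECT": "pre-vpn-connect",
    "POSTVPNCONNECT": "post-vpn-connect",
    "PREVPNDISCONNECT": "pre-vpn-disconnect",
}

# Constructed sample script standing in for the batch file staged on the endpoint.
SAMPLE_SCRIPT = b"@echo off\r\nREM pre-vpn-connect action\r\nexit /b 0\r\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest: 64 hex characters, the length of the checksums on the page
    (assumption: that is the digest the CHECKSUM properties carry)."""
    return hashlib.sha256(data).hexdigest()


def build_msiexec_cmd(msi, event, command, file_path, script_bytes,
                      context="user", timeout=60, error_msg=None):
    """Assemble 'msiexec.exe /i <msi> <EVENT>COMMAND=... <EVENT>CHECKSUM=...' for one event.

    The CHECKSUM property is derived from the script bytes that will actually be
    deployed, so the two cannot silently drift apart. Raises ValueError on an
    unknown event or context, or if the result exceeds the command-line limit.
    """
    if event not in EVENTS:
        raise ValueError(f"unknown event {event!r}; expected one of {sorted(EVENTS)}")
    if context not in ("user", "admin"):
        raise ValueError(f"context must be 'user' or 'admin', got {context!r}")
    props = {
        f"{event}COMMAND": command,
        f"{event}CONTEXT": context,
        f"{event}TIMEOUT": str(int(timeout)),
        f"{event}FILE": file_path,
        f"{event}CHECKSUM": sha256_hex(script_bytes),
        f"{event}ERRORMSG": error_msg or f"Failed executing {EVENTS[event]} action.",
    }
    cmd = f"msiexec.exe /i {msi} " + " ".join(f'{k}="{v}"' for k, v in props.items())
    if len(cmd) > MAX_CMDLINE:
        raise ValueError(f"command line is {len(cmd)} characters; the limit is {MAX_CMDLINE}")
    return cmd


def script_is_trusted(script_bytes: bytes, expected_checksum: str) -> bool:
    """Compare the deployed checksum with the digest of the file about to run.

    This is the check that matters when a command runs in the admin context but
    its file sits under %userprofile%, a location the logged-on user can write to:
    a script that no longer matches the checksum must not be executed.
    compare_digest avoids leaking how many leading characters matched.
    """
    return hmac.compare_digest(sha256_hex(script_bytes), expected_checksum.strip().lower())
```

Generate the command line once per release of the script and redeploy it whenever the script changes; a stale checksum is indistinguishable from a tampered file, which is exactly the behaviour you want.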


SSO Wrapping for Third-Party Credential Providers on Windows Clients

On Windows 7 and Windows Vista clients, the GlobalProtect agent utilizes the Microsoft credential provider
framework to support single sign-on (SSO). With SSO, the GlobalProtect credential provider wraps the
Windows native credential provider, which enables GlobalProtect to use Windows login credentials to
automatically authenticate and connect to the GlobalProtect portal and gateway.
In some scenarios, when other third-party credential providers also exist on the client, the GlobalProtect
credential provider is unable to gather a user's Windows login credentials and, as a result, GlobalProtect fails
to authenticate the user. To resolve this issue, you can identify the third-party credential provider and then
configure the GlobalProtect agent to wrap those third-party credentials, which enables users to successfully
authenticate to Windows, GlobalProtect, and the third-party credential provider all in a single step, using only
their Windows login credentials when they log in to their Windows system.
Optionally, you can configure Windows to display separate login tiles: one for each third-party credential
provider and one for the native Windows login. This is useful if the third-party credential provider offers
additional functionality in its login tile that does not apply to GlobalProtect.
Use the Windows registry or the Windows Installer (Msiexec) to allow GlobalProtect to wrap third-party
credentials:
  Enable SSO Wrapping for Third-Party Credentials with the Windows Registry
  Enable SSO Wrapping for Third-Party Credentials with the Windows Installer

GlobalProtect SSO wrapping for third-party credential providers (CPs) depends on the third-party CP
settings and, in some cases, GlobalProtect SSO wrapping might not work correctly if the third-party CP
implementation does not allow GlobalProtect to successfully wrap the CP.


Enable SSO Wrapping for Third-Party Credentials with the Windows Registry

Use the following steps in the Windows registry to enable SSO to wrap third-party credentials on Windows
7 and Windows Vista clients.

Use the Windows Registry to Enable SSO Wrapping for Third-Party Credentials

Step 1  Open the Windows registry and locate the globally unique identifier (GUID) for the third-party
credential provider that you want to wrap.
  1. From the command prompt, enter the command regedit to open the Windows registry.
  2. Locate the currently installed credential providers at the following location:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
  3. Copy the GUID key for the credential provider that you want to wrap (including the curly brackets { and }
     on either end of the GUID).

Step 2  Enable SSO wrapping for third-party credential providers by adding the setting wrap-cp-guid to the
GlobalProtect registry.
  1. Go to the following Windows registry location:
     HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect
  2. Add a new String Value.
  3. Enter values for the String Value:
     Name: wrap-cp-guid
     Value data: {<third-party credential provider GUID>}
     For the Value data field, the GUID value that you enter must be enclosed with curly brackets: { and }.
     The following is an example of what a third-party credential provider GUID in the Value data field
     might look like:
     {A1DA9BCC-9720-4921-8373-A8EC5D48450F}
     For the new String Value, wrap-cp-guid is displayed as the String Value's Name and the GUID is
     displayed as the Data.

Step 3  Next steps:
  You can configure SSO wrapping for third-party credential providers to show either one or two login tiles.
  With the default setup, a single tile is displayed at login; users click the tile and log in to the system with
  their Windows credentials, and that single login authenticates the users to Windows, GlobalProtect, and the
  third-party credential provider.
  (Optional) If you want to display two tiles to users at login, the native Windows tile and the tile for the
  third-party credential provider, continue to Step 4.


Step 4  (Optional) Allow the third-party credential provider tile to be displayed to users at login.
  Add a second String Value with the Name filter-non-gpcp and enter no for the string's Value data.
  With this string value added to the GlobalProtect settings, two login options are presented to users when
  logging in to their Windows system: the native Windows tile and the third-party credential provider's tile.

Enable SSO Wrapping for Third-Party Credentials with the Windows Installer

Use the following options in the Windows Installer (Msiexec) to enable SSO to wrap third-party credential
providers on Windows 7 and Windows Vista clients.

Use the Windows Installer to Enable SSO Wrapping for Third-Party Credentials

With the default setup, a single login tile is displayed; users log in to the system with their native Windows
credentials and that single login authenticates users to Windows, GlobalProtect, and the third-party
credential provider.
Use the following syntax from the Windows Installer (Msiexec):
msiexec.exe /i <GlobalProtect MSI> WRAPCPGUID={guid_value} FILTERNONGPCP=yes
In the syntax above, the FILTERNONGPCP parameter simplifies authentication for the user by filtering out the
option to log in to the system using the third-party credentials.

If you would like users to have the option to log in with the third-party credentials, use the following syntax
from Msiexec:
msiexec.exe /i <GlobalProtect MSI> WRAPCPGUID={guid_value} FILTERNONGPCP=no
In the syntax above, the FILTERNONGPCP parameter is set to no, which does not filter out the third-party
credential provider tile. As a result, both the native Windows tile and the third-party credential provider tile
are displayed to users when logging in to the Windows system.

Deploy Agent Settings to Mac Clients

Use the Mac global plist (property list) file to set GlobalProtect agent customization settings for Mac
endpoints or to deploy scripts to them.
  Deploy Agent Settings in the Mac Plist
  Deploy Scripts Using the Mac Plist
  Mac OS Script Examples
    Example: Terminate All Established SSH Sessions on Mac Endpoints
    Example: Mount a Network Share on Mac Endpoints


Deploy Agent Settings in the Mac Plist

You can set the GlobalProtect agent customization settings in the Mac global plist (property list) file. This
enables deployment of GlobalProtect agent settings to Mac endpoints prior to their first connection to the
GlobalProtect portal.
On Mac systems, plist files are located either in /Library/Preferences or in ~/Library/Preferences. The tilde
(~) symbol indicates that the location is in the current user's home directory. The GlobalProtect agent looks
for settings in the global plist in /Library/Preferences first; if the settings are not found there, the
GlobalProtect agent searches for plist settings in ~/Library/Preferences.

In addition to using the Mac plist to deploy GlobalProtect agent settings, you can enable the GlobalProtect
agent to collect additional host information from Mac endpoints. For example, you can set up custom checks
to Collect Application and Process Data From Clients.

Use the Mac Plist to Deploy GlobalProtect Agent Settings

Open the GlobalProtect plist file and locate the GlobalProtect agent customization settings.
  Use Xcode or an alternate plist editor to open the plist file:
  /Library/Preferences/<GlobalProtect settings plist>
  Then go to:
  /Palo Alto Networks/GlobalProtect/Settings
  If the Settings dictionary does not exist, create it. Add each setting as a key in the Settings dictionary
  as a string.

Set the portal name.
  If you don't want the user to manually enter the portal address even for the first connection, you can
  pre-deploy the portal address through the plist. To do so, configure an entry for Portal.

Deploy various settings to the Mac client from the Mac plist, including configuring the connect method for
the GlobalProtect agent.
  View Customizable Agent Settings for a full list of the keys and values that you can configure using the
  Mac plist.

Deploy Scripts Using the Mac Plist

When a user connects to the GlobalProtect gateway for the first time, the GlobalProtect agent downloads a
configuration file and stores agent settings in a GlobalProtect Mac property file (plist). In addition to making
changes to the agent settings, you use the Mac plist to deploy scripts at any or all of the following events:
before and after establishing the tunnel, and before disconnecting the tunnel. Use the following workflow
to get started using the Mac plist to deploy scripts to Mac endpoints.

The Mac plist settings that enable you to deploy scripts are supported in GlobalProtect clients running
GlobalProtect agent 2.3 and later releases.

Deploy Scripts Using the Mac Plist

Step 1  (Clients running Mac OS X 10.9 or a later OS) Clear the default preferences cache. This prevents the OS
from using the cached preferences after you make changes to the plist.
  To clear the default preferences cache, run the killall cfprefsd command from a Mac terminal.

Step 2  Open the GlobalProtect plist file, and locate or create the GlobalProtect dictionary associated with the
connect event at which you want to run scripts. The dictionary under which you add the settings determines
when the GlobalProtect agent runs the script(s).
  Use Xcode or an alternate plist editor to open the plist file
  (/Library/Preferences/<GlobalProtect settings plist>) and go to the location of the dictionary:
    /Palo Alto Networks/GlobalProtect/Settings/pre-vpn-connect
    /Palo Alto Networks/GlobalProtect/Settings/post-vpn-connect
    /Palo Alto Networks/GlobalProtect/Settings/pre-vpn-disconnect
  If the Settings dictionary does not exist, create it. Then, in Settings, create a new dictionary for the event
  or events at which you want to run scripts.

Step 3  Enable the GlobalProtect agent to run scripts by creating a new String named command. The value
specified here should reference the shell script (and the parameters to pass to the script) that you want to
run. For examples, see Mac OS Script Examples.
  If the command string does not already exist, add it to the dictionary and specify the script and
  parameters in the Value field, for example:
    $HOME/pre_vpn_connect.sh /Users/username username
  Environment variables are supported.
  As a best practice, specify the full path in commands.

Step 4  (Optional) Add additional settings related to the command, including administrator privileges, a
timeout value for the script, a checksum value for the script file, and an error message to display if the
command fails to execute successfully.
  Create or modify additional strings in the plist (context, timeout, file, checksum, and/or error-msg) and
  enter their corresponding values. For details, see Customizable Agent Settings.

Step 5  Save the changes to the plist file.
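The five steps above edit the plist by hand in Xcode. The Python below is an added example, not code from the guide or from Palo Alto Networks: it writes the same /Palo Alto Networks/GlobalProtect/Settings/<event> dictionary with the standard-library plistlib, keeps any keys already under Settings (such as Portal), reads the command back, and flags the combination the guide's full-path best practice is guarding against: an admin-context script whose command or file lives under a user-writable path. It writes to a temporary file rather than the global plist named above, assumes the checksum is the hex SHA-256 digest of the script file, and uses a constructed sample script and a hypothetical portal name.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Event dictionaries under /Palo Alto Networks/GlobalProtect/Settings
EVENTS = ("pre-vpn-connect", "post-vpn-connect", "pre-vpn-disconnect")

# Constructed sample script; in a real deployment this is the file already staged on the Mac.
SAMPLE_SCRIPT = b"#!/bin/bash\n# pre-vpn-connect action\nexit 0\n"


def script_settings(command: str, file_path: str, script_bytes: bytes,
                    context: str = "user", timeout: int = 60,
                    error_msg: Optional[str] = None) -> Dict[str, str]:
    """Return the strings the guide lists for one event dictionary.

    All values are strings because each setting is added as a String; the
    checksum is assumed to be the hex SHA-256 digest of the script file.
    """
    if context not in ("user", "admin"):
        raise ValueError(f"context must be 'user' or 'admin', got {context!r}")
    return {
        "command": command,
        "context": context,
        "timeout": str(int(timeout)),
        "file": file_path,
        "checksum": hashlib.sha256(script_bytes).hexdigest(),
        "error-msg": error_msg or "Failed executing GlobalProtect script.",
    }


def add_script_event(plist_path: Path, event: str, settings: Dict[str, str]) -> dict:
    """Merge one event dictionary into the plist at plist_path and write it back.

    Existing keys under Settings (for example Portal) are preserved; only the
    named event dictionary is replaced. Returns the full property-list tree.
    """
    if event not in EVENTS:
        raise ValueError(f"unknown event {event!r}; expected one of {EVENTS}")
    tree = plistlib.loads(plist_path.read_bytes()) if plist_path.exists() else {}
    settings_dict = (tree.setdefault("Palo Alto Networks", {})
                         .setdefault("GlobalProtect", {})
                         .setdefault("Settings", {}))
    settings_dict[event] = dict(settings)
    plist_path.write_bytes(plistlib.dumps(tree, fmt=plistlib.FMT_XML))
    return tree


def read_event_command(plist_path: Path, event: str) -> Optional[str]:
    """Read back the command string for an event, or None if it is not set."""
    tree = plistlib.loads(plist_path.read_bytes())
    return (tree.get("Palo Alto Networks", {}).get("GlobalProtect", {})
                .get("Settings", {}).get(event, {}).get("command"))


def risky_admin_settings(settings: Dict[str, str]) -> List[str]:
    """Flag a script that runs with administrator privileges from a user-writable path.

    Anything under $HOME, ~ or /Users/ can be rewritten by the logged-on user;
    combined with the admin context and no checksum, that lets the user run
    commands of their choosing with administrator privileges. Returns findings
    (empty when nothing is wrong).
    """
    findings = []
    if settings.get("context") == "admin":
        for key in ("command", "file"):
            value = settings.get(key, "")
            if value.startswith(("$HOME", "~", "/Users/")):
                findings.append(f"{key} runs as admin from a user-writable path: {value}")
        if not settings.get("checksum"):
            findings.append("admin script has no checksum")
    return findings


def demo() -> dict:
    """Write a plist in a temp dir that already holds a Portal key, add a
    pre-vpn-connect script, and return what was written for inspection."""
    plist_path = Path(tempfile.mkdtemp()) / "settings.plist"  # stand-in for the global plist
    plist_path.write_bytes(plistlib.dumps(
        {"Palo Alto Networks": {"GlobalProtect": {"Settings": {"Portal": "portal.example.com"}}}}))
    settings = script_settings("/usr/local/bin/pre_vpn_connect.sh /Users/username username",
                               "/usr/local/bin/pre_vpn_connect.sh", SAMPLE_SCRIPT)
    tree = add_script_event(plist_path, "pre-vpn-connect", settings)
    return {
        "tree": tree,
        "command": read_event_command(plist_path, "pre-vpn-connect"),
        "checksum": settings["checksum"],
        "findings": risky_admin_settings(settings),
    }
```

On a real Mac, point plist_path at the global settings plist, run it as root, and run killall cfprefsd afterwards as Step 1 describes so the agent does not keep reading cached preferences.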


Mac OS Script Examples

You can configure the GlobalProtect agent to initiate and run a script for any or all of the following events:
before and after establishing the tunnel, and before disconnecting the tunnel. For each event, you reference
the script from the command plist entry for that event. The following are examples of scripts that you can
run at pre-connect, post-connect, and pre-disconnect events:
  Example: Terminate All Established SSH Sessions on Mac Endpoints
  Example: Mount a Network Share on Mac Endpoints

Example: Terminate All Established SSH Sessions on Mac Endpoints

To force termination of all established SSH sessions before setting up the VPN tunnel, reference the
following script from a command plist entry for a pre-vpn-connect event. Optionally, you can re-establish the
sessions after establishing the GlobalProtect VPN tunnel by using a script that you reference from the
command plist entry for a post-vpn-connect event. This ensures that the SSH sessions traverse the
GlobalProtect VPN tunnel.
#!/bin/bash
# Identify all ssh client processes and force-kill them.
# pkill -x matches the process name exactly, so sshd and ssh-agent are left alone.
# (A bare "ps" lists only processes attached to a controlling terminal, which misses
# sessions when the agent runs this script.) pkill exits 1 when nothing matched;
# that is not a failure here, so the exit status is forced to 0.
pkill -9 -x ssh || true

Example: Mount a Network Share on Mac Endpoints

To mount a network share after establishing a VPN connection, reference the following script from a command
plist entry for a post-vpn-connect event:

For a script that you can copy and paste, go here.

#!/bin/bash
# Usage: <script> <mount point>
# Create the mount point if needed, then mount the SMB share on it.
# Replace <server> with the file server's hostname or IP address.
mkdir -p "$1"
mount -t smbfs "//username:password@<server>/shares/Departments/Engineering/SW_eng/username/folder" "$1"
sleep 1

This form embeds the share password in clear text in the script (and in the plist that references it), where
any local user who can read those files can recover it, and the password is also visible in the process list
while mount runs. Do not deploy a shared or privileged account's password this way; prefer an authentication
method that needs no stored password, such as Kerberos on a directory-bound Mac.


Reference: GlobalProtect Agent Cryptographic Functions

The GlobalProtect agent uses the OpenSSL library 1.0.1h to establish secure communication with the
GlobalProtect portal and gateways. The following table describes each GlobalProtect function that requires
a cryptographic function and the cryptographic keys the GlobalProtect agent uses:

Crypto Function: Winhttp (Windows) and NSURLConnection (Mac), aes256-sha
  Key: Dynamic key negotiated between the GlobalProtect agent and the GlobalProtect portal and/or gateway
  for establishing the HTTPS connection.
  Usage: Used to establish the HTTPS connection between the GlobalProtect agent and the GlobalProtect
  portal and GlobalProtect gateway for authentication.

Crypto Function: OpenSSL, aes256-sha
  Key: Dynamic key negotiated between the GlobalProtect agent and the GlobalProtect gateway during the
  SSL handshake.
  Usage: Used to establish the SSL connection between the GlobalProtect agent and the GlobalProtect gateway
  for HIP report submission, SSL tunnel negotiation, and network discovery.

Crypto Function: IPSec encryption and authentication: aes-128-sha1, aes-128-cbc, aes-128-gcm, and aes-256-gcm
  Key: The session key sent from the GlobalProtect gateway.
  Usage: Used to establish the IPSec tunnel between the GlobalProtect agent and the GlobalProtect gateway.
  Select the encryption algorithm supported by your network (AES-GCM is recommended). To provide data
  integrity and authenticity protection, the aes-128-cbc cipher requires the sha1 authentication algorithm.
  Because the AES-GCM encryption algorithms (aes-128-gcm and aes-256-gcm) natively provide ESP integrity
  protection, the sha1 authentication algorithm is ignored for these ciphers even though it is required during
  configuration.
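The table's point that aes-128-cbc needs sha1 for integrity while the GCM ciphers do not is easy to see in a few lines of code. The Python below is an added example, not part of the guide or of the GlobalProtect product; it needs the third-party cryptography package (pip install cryptography), uses throwaway in-memory keys, and does not reproduce ESP framing. It flips one ciphertext bit under each construction and reports whether the receiver notices.

```python
import hashlib
import hmac
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


def _flip_bit(data: bytes, index: int) -> bytes:
    """Return a copy of data with the lowest bit of byte `index` inverted."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


def cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """AES-CBC with PKCS#7 padding; returns iv || ciphertext. Confidentiality only."""
    iv = os.urandom(16)
    pad = 16 - len(plaintext) % 16
    enc = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend()).encryptor()
    return iv + enc.update(plaintext + bytes([pad]) * pad) + enc.finalize()


def cbc_decrypt(key: bytes, blob: bytes) -> bytes:
    """Decrypt iv || ciphertext. CBC itself cannot tell good ciphertext from bad."""
    iv, ct = blob[:16], blob[16:]
    dec = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend()).decryptor()
    padded = dec.update(ct) + dec.finalize()
    return padded[:-padded[-1]] if 1 <= padded[-1] <= 16 else padded


def cbc_alone_accepts_tampered(key: bytes, plaintext: bytes) -> bool:
    """Plain CBC: a bit-flipped ciphertext decrypts without any error.

    The receiver gets corrupted plaintext and nothing signals it (True means
    the tampered message was accepted). This is the gap the sha1 integrity
    algorithm closes for aes-128-cbc.
    """
    blob = cbc_encrypt(key, plaintext)
    recovered = cbc_decrypt(key, _flip_bit(blob, 16))  # first byte of ciphertext block 0
    return recovered != plaintext


def cbc_hmac_sha1_rejects_tampered(key: bytes, mac_key: bytes, plaintext: bytes) -> bool:
    """CBC plus HMAC-SHA1 over the ciphertext (encrypt-then-MAC): the flipped bit
    changes the MAC, so the receiver rejects the packet before decrypting."""
    blob = cbc_encrypt(key, plaintext)
    tag = hmac.new(mac_key, blob, hashlib.sha1).digest()
    tampered = _flip_bit(blob, 16)
    return not hmac.compare_digest(hmac.new(mac_key, tampered, hashlib.sha1).digest(), tag)


def gcm_rejects_tampered(key: bytes, plaintext: bytes) -> bool:
    """AES-GCM: the built-in authentication tag covers the ciphertext, so a
    flipped bit fails decryption with InvalidTag; no separate MAC is needed."""
    nonce = os.urandom(12)  # 96-bit nonce; must never repeat under one key
    ct = AESGCM(key).encrypt(nonce, plaintext, None)
    try:
        AESGCM(key).decrypt(nonce, _flip_bit(ct, 0), None)
    except InvalidTag:
        return True
    return False
```

The same asymmetry is why the gateway ignores the configured sha1 setting for the GCM ciphers: the tag already authenticates every ESP payload byte, and a second MAC would add cost without adding protection.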


GlobalProtect MIB Support

Palo Alto Networks devices support standard and enterprise management information bases (MIBs) that
enable you to monitor the device's physical state, utilization statistics, traps, and other useful information.
Most MIBs use object groups to describe characteristics of the device using the Simple Network
Management Protocol (SNMP). You can use an SNMP manager to monitor the objects (device statistics and
traps) that are defined in the MIBs (for details, see Use an SNMP Manager to Explore MIBs and Objects in the
PAN-OS 7.1 Administrator's Guide).
The PAN-COMMON-MIB, which is included with the enterprise MIBs, uses the panGlobalProtect object
group to describe GlobalProtect gateway utilization.

Object                             Description
panGPGWUtilizationPct              Utilization (as a percentage) of the GlobalProtect gateway
panGPGWUtilizationMaxTunnels       Maximum number of tunnels allowed
panGPGWUtilizationActiveTunnels    Number of active tunnels

Use these objects to decide whether you need to add gateways to meet demand. For example, if the number of
active tunnels reaches 80% or more of the maximum number of tunnels allowed, you should consider adding
additional gateways.

Mobile Endpoint Management
  Mobile Endpoint Management Overview
  Set Up a Mobile Endpoint Management System
  Deploy the GlobalProtect Mobile App Using AirWatch
  Manage the GlobalProtect App Using AirWatch
  Manage the GlobalProtect App Using a Third-Party MDM


Mobile Endpoint Management Overview

As mobile endpoints become more powerful, end users increasingly rely on them to perform business tasks.
However, these same endpoints that access your corporate network also connect to the internet without the
protection your network provides. With a mobile endpoint management system, such as a mobile device
management (MDM) or enterprise mobility management (EMM) system, you can easily manage both
company-provisioned and employee-owned devices (such as in a BYOD environment).

A mobile endpoint management system simplifies the administration of mobile endpoints by enabling you to
provision, configure, and manage them centrally. You can also use your mobile endpoint management system
for remediation of security breaches by interacting with the endpoint remotely. For example, if an end user
loses an endpoint, you can remotely lock the endpoint from the mobile endpoint management system or even
wipe the endpoint (either completely or selectively).
In addition to the account provisioning and remote device management functions that a mobile endpoint
management system can provide, when integrated with your existing GlobalProtect VPN infrastructure, you can
use host information that the endpoint reports to enforce security policies for access to apps through the
GlobalProtect gateway. You can also use the next-generation firewall to monitor mobile endpoint traffic.


Set Up a Mobile Endpoint Management System

To set up a mobile endpoint management system, use the following workflow:

Set Up an Endpoint Management System

Step 1  Set Up the GlobalProtect Infrastructure.
  1. Create Interfaces and Zones for GlobalProtect.
  2. Enable SSL Between GlobalProtect Components.
  3. Set Up GlobalProtect User Authentication.
  4. Enable Group Mapping.
  5. Configure GlobalProtect Gateways.
  6. Activate Licenses for each firewall running a gateway (or gateways) that supports the GlobalProtect app
     on mobile endpoints.
  7. Configure the GlobalProtect Portal.

Step 2  Set up the mobile endpoint management system and decide whether to support only corporate-issued
endpoints or both corporate-issued and personal endpoints.
  See the instructions for your mobile endpoint management system, mobile device management (MDM)
  system, or enterprise mobility management (EMM) system.

Step 3  Obtain the GlobalProtect app for mobile endpoints.
  App store: Download and Install the GlobalProtect Mobile App.
  AirWatch: Deploy the GlobalProtect Mobile App Using AirWatch.
  Other third-party mobile endpoint management system: See the instructions from your vendor on how to
  deploy apps to managed endpoints.

Step 4  Configure VPN settings for the GlobalProtect app.
  Manage the GlobalProtect App Using AirWatch
  Manage the GlobalProtect App Using a Third-Party MDM

Step 5  Configure policies that target mobile endpoints using host information.
  Configure HIP-Based Policy Enforcement for managed endpoints.


Manage the GlobalProtect App Using AirWatch

  Deploy the GlobalProtect Mobile App Using AirWatch
  Configure the GlobalProtect App for iOS Using AirWatch
  Configure the GlobalProtect App for Android Using AirWatch
  Configure the GlobalProtect App for Windows 10 UWP Using AirWatch

Deploy the GlobalProtect Mobile App Using AirWatch

The GlobalProtect app provides a simple way to extend the enterprise security policies out to mobile
endpoints. Like the GlobalProtect agent, the mobile app provides secure access to your network through a
VPN tunnel to the GlobalProtect gateway. When the mobile endpoint connects through the gateway, traffic to
and from the mobile endpoint is automatically subject to the same security policy enforcement as other hosts
on your corporate network. Like the GlobalProtect agent, the app collects information about the host
configuration and can use this information for enhanced HIP-based security policy enforcement.
There are two primary methods for installing the GlobalProtect app: you can install the app directly from
the app store for your endpoint (see Download and Install the GlobalProtect Mobile App), or you can deploy
the app from a third-party mobile endpoint management system (such as AirWatch) and transparently push
the app to your managed endpoints.
With AirWatch, you can deploy the GlobalProtect app to managed endpoints that have enrolled with
AirWatch. Android and iOS endpoints enroll through the AirWatch agent. Windows 10 endpoints do not require
the AirWatch agent but require you to configure enrollment on the endpoint. After the endpoints are enrolled,
configure and deploy a VPN profile to set up the GlobalProtect app for the end user automatically.

Deploy the GlobalProtect App from AirWatch

Step 1  Before you begin, ensure that the endpoints to which you want to deploy the GlobalProtect app are
enrolled with AirWatch:
  Android and iOS: Download the AirWatch agent and follow the prompts to enroll.
  Windows Phone and Windows 10 UWP: Configure the Windows 10 UWP endpoint to enroll with
  AirWatch (from the endpoint, select Settings > Accounts > Work access > Connect).

Step 2  From AirWatch, select Apps & Books > Public > Add Application.

Step 3  Select the organization group by which this app will be managed.

Step 4  Select the Platform, either Apple iOS, Android, or Windows Phone.

Step 5  Search for the app in the app store for the endpoint or enter the URL of the GlobalProtect app page:
  Apple iOS: [Link]
  Android: [Link]
  Windows Phone: [Link]


Step 6  Add the app. If you searched for the app, you must also Select the app from the list of search results.
  If you chose to search for the GlobalProtect app for Android and did not see the app in the list, contact
  your Android for Work administrator to add GlobalProtect to the list of approved company apps.

Step 7  On the Assignment tab, select Assigned Smart Groups that will have access to this app.

Step 8  On the Deployment tab, select the Push Mode, either Auto or On Demand.

Step 9  Select Save & Publish to push the App Catalog to the endpoints in the Smart Groups you assigned in
the Assignment section.

Step 10  Next steps:
  Configure the GlobalProtect App for iOS Using AirWatch
  Configure the GlobalProtect App for Android Using AirWatch
  Configure the GlobalProtect App for Windows 10 UWP Using AirWatch

Configure the GlobalProtect App for iOS Using AirWatch

AirWatch is an Enterprise Mobility Management Platform that enables you to manage mobile endpoints,
including the apps and profiles that are deployed to them. When you use AirWatch to configure the
GlobalProtect app, the secure connection between the endpoint and the firewall allows consistent inspection of
traffic and enforcement of network security policy for threat prevention on the mobile endpoint.
  Configure a Device-Level VPN Configuration for iOS Devices Using AirWatch
  Configure a Per-App VPN Configuration for iOS Devices Using AirWatch

Configure a Device-Level VPN Configuration for iOS Devices Using AirWatch

You can easily enable access to internal resources from your managed mobile endpoints by configuring VPN
settings at the device level. With a device-level VPN configuration, you route all of the traffic that matches
the access routes configured on the GlobalProtect gateway through the GlobalProtect VPN.

Configure a Device-Level VPN Configuration for iOS Devices Using AirWatch

Step 1  Download the GlobalProtect app for iOS:
  Deploy the GlobalProtect Mobile App Using AirWatch.
  Download the GlobalProtect app directly from the App Store.


Step 2  From the AirWatch console, modify or add a new Apple iOS profile.
  1. Navigate to Devices > Profiles > List View.
  2. Select an existing profile to add the VPN configuration to it or add a new one (select Add > Apple iOS).
  3. Configure General profile settings:
     Description: A brief description of the profile that indicates its purpose.
     Deployment: Determines if the profile will be automatically removed upon unenrollment, either Managed
       (the profile is removed) or Manual (the profile remains installed until removed by the end user).
     Assignment Type: Determines how the profile is deployed to endpoints. Select Auto to deploy the profile
       to all endpoints automatically, Optional to enable the end user to install the profile from the
       Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or Compliance to
       deploy the profile when an end user violates a compliance policy applicable to the endpoint.
     Managed By: The Organization Group with administrative access to the profile.
     Assigned Smart Groups: The Smart Groups to which you want the profile added. Includes an option to
       create a new Smart Group, which can be configured with specs for minimum OS, device models,
       ownership categories, organization groups and more.
     Allow Removal: Determines whether or not the profile can be removed by the endpoint's end user. Select
       Always to enable the end user to manually remove the profile at any time, Never to prevent the end
       user from removing the profile from the endpoint, or With Authorization to enable the end user to
       remove the profile with the administrator's authorization. Choosing With Authorization adds a
       required Password.
     Exclusions: If Yes is selected, a new field Excluded Smart Groups displays, enabling you to select those
       Smart Groups you wish to exclude from the assignment of this device profile.

Step 3  To configure the VPN settings, select VPN and then click Configure.

Step 4  Configure connection information, including:
  Connection Name: Enter the name of the connection to be displayed.
  Connection Type: Select Palo Alto Networks GlobalProtect as the network connection method.
  Server: Enter the hostname or IP address of the GlobalProtect portal to which to connect.
  Account: Enter the username of the VPN account or click add (+) to view supported lookup values you
    can insert.
  User Authentication: Select how users authenticate. Enter the Password or upload an Identity Certificate
    to use to authenticate users; or, if you selected Password + Certificate, follow the related prompts for
    both.

Step 5  Save & Publish your changes.

Configure a Per-App VPN Configuration for iOS Devices Using AirWatch

You can easily enable access to internal resources from your managed mobile endpoints by configuring VPN
settings at the app level. With a per-app VPN configuration, you can specify which managed apps route their
traffic through the GlobalProtect VPN tunnel, while allowing all other apps to connect directly to the
Internet instead of through the GlobalProtect VPN tunnel.

Configure a Per-App VPN Configuration for iOS Devices Using AirWatch

Step 1  Download the GlobalProtect app for iOS:
  Deploy the GlobalProtect Mobile App Using AirWatch.
  Download the GlobalProtect app directly from the App Store.


Step 2  From the AirWatch console, modify or add a new Apple iOS profile:
  1. Navigate to Devices > Profiles > List View.
  2. Select an existing profile to add the VPN configuration to it or add a new one (select Add > Apple iOS).

Step 3  Configure General profile settings:
  Description: A brief description of the profile that indicates its purpose.
  Deployment: Determines if the profile will be automatically removed upon unenrollment, either Managed
    (the profile is removed) or Manual (the profile remains installed until removed by the end user).
  Assignment Type: Determines how the profile is deployed to endpoints. Select Auto to deploy the profile
    to all endpoints automatically, Optional to enable the end user to install the profile from the
    Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or Compliance to
    deploy the profile when an end user violates a compliance policy applicable to the endpoint.
  Managed By: The Organization Group with administrative access to the profile.
  Assigned Smart Groups: The Smart Groups to which you want the profile added. Includes an option to
    create a new Smart Group, which can be configured with specs for minimum OS, device models,
    ownership categories, organization groups and more.
  Allow Removal: Determines whether or not the profile can be removed by the endpoint's end user. Select
    Always to enable the end user to manually remove the profile at any time, Never to prevent the end
    user from removing the profile from the endpoint, or With Authorization to enable the end user to
    remove the profile with the administrator's authorization. Choosing With Authorization adds a
    required Password.
  Exclusions: If Yes is selected, a new field Excluded Smart Groups displays, enabling you to select those
    Smart Groups you wish to exclude from the assignment of this device profile.

Step 4  To configure the per-app VPN settings in the Apple iOS profile, select VPN and then click Configure.

Step 5  Configure connection information, including:
  Connection Name: Enter the name of the connection to be displayed.
  Connection Type: Select Palo Alto Networks GlobalProtect as the network connection method.
  Server: Enter the hostname or IP address of the GlobalProtect portal to which to connect.
  Account: Enter the username of the VPN account or click add (+) to view supported lookup values that
    you can insert.
  Send All Traffic: Select this check box to force all traffic through the specified network.
  Disconnect on Idle: Allow the VPN to auto-disconnect after a specific amount of time.
  Enable Per-App VPN: Route all of the traffic for a managed app through the GlobalProtect VPN.
  Connect Automatically: Select this check box to allow the VPN to connect automatically to chosen Safari
    Domains.

Step 6  Configure user authentication. For a per-app VPN configuration, you must use certificate-based
authentication: select User Authentication: Certificate, and then follow the prompts to upload an Identity
Certificate to use for authentication.

Step 7  Select either Manual or Auto Proxy type and enter the specific information needed.

Step 8  Click Save & Publish.


Step9 ConfigureperappVPNsettingsforanewmanagedapp,ormodifythesettingsforanexistingmanagedapps.
AfterconfiguringthesettingsfortheappandenablingperappVPN,youcanpublishtheapptoagroupof
usersandenabletheapptosendtrafficthroughtheGlobalProtectVPNtunnel.
1. Onthemainpage,selectApps & Books > Public.
2. Toaddanewapp,selectAdd [Link],tomodifythesettingsofanexistingapp,locatethe
GlobalProtectappinthelistofPublicappsandthenselecttheediticon intheactionsmenunexttothe
row.
3. Selecttheorganizationgroupbywhichthisappwillbemanaged.
4. SelectApple iOSasthePlatform.
5. Selectyourpreferredmethodforlocatingtheapp,eitherbysearchingtheAppStore(byName),or
specifyingaURLfortheappintheAppStore(forexample,toaddtheBoxapp,enter
[Link]
[Link],youmustSelecttheappfromthelistofsearchresults.
6. OntheAssignmenttab,selectAssigned Smart Groupsthatwillhaveaccesstothisapp.
7. OntheDeploymenttab,selectthePush Mode,eitherAutoorOn Demand.
8. SelectUse VPNandthenselecttheAppleiOSprofilethatyoucreatedearlierinthisworkflow.
OnlyprofilesthathaveperappVPNenabledareavailablefromthedropdown.

9. SelectSave & PublishtopushtheAppCatalogtotheendpointsintheSmartGroupsyouassignedinthe


Assignmentsection.

Configure the GlobalProtect App for Android Using AirWatch

[Link]
Using the GlobalProtect app for Android as the secure connection between the endpoint and the firewall allows consistent inspection of traffic and enforcement of network security policy for threat prevention. You can configure the VPN connection at either the device or application level.
Configure a Device-Level VPN Configuration for Android Devices Using AirWatch
Configure a Per-App VPN Configuration for Android Devices Using AirWatch
Enable App Scan Integration with WildFire

Configure a Device-Level VPN Configuration for Android Devices Using AirWatch

You can easily enable access to internal resources from your managed Android mobile endpoints by configuring a device-level VPN. With a device-level VPN, you route all of the traffic that matches the access routes configured on the GlobalProtect gateway through the GlobalProtect VPN.

Step 1 Download the GlobalProtect app for Android:
Deploy the GlobalProtect Mobile App Using AirWatch.
Download the GlobalProtect app directly from Google Play.


Step 2 From the AirWatch console, modify or add a new Android profile.
1. Navigate to Devices > Profiles > List View.
2. Select an existing profile to which to add the VPN configuration or add a new one (select Add > Add Profile).
3. Select Android as the platform and Device as the configuration type.

Step 3 Configure General profile settings:
Name: Provide a meaningful name for this configuration.
Version: This field is auto-populated with the latest version number of the configuration profile.
Description: A brief description of the profile that indicates its purpose.
Profile Scope: Scope for this profile, either Production, Staging, or Both.
Assignment Type: Select Auto to deploy the profile to all endpoints automatically, Optional to enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or Compliance to deploy the profile when an end user violates a compliance policy applicable to the endpoint.
Managed By: The Organization Group with administrative access to the profile.
Assigned Smart Groups: [Link] to create a new Smart Group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups, and more.
Allow Removal: Determines whether or not the profile can be removed by the endpoint's end user. Select Always to enable the end user to manually remove the profile at any time, Never to prevent the end user from removing the profile from the endpoint, or With Authorization to enable the end user to remove the profile with authorization. Selecting With Authorization adds a required Password.
Exclusions: If Yes is selected, a new field Excluded Smart Groups displays, enabling you to select those Smart Groups you wish to exclude from the assignment of this device profile.

Step 4 Save and Publish this profile to the assigned Smart Groups.

Step 5 To configure the VPN settings, select VPN and then click Configure.

Step 6 Configure Connection Info, including:
Connection Type: Select GlobalProtect as the network connection method.
Connection Name: Enter the name that the endpoint will display for the connection.
Server: Enter the hostname or IP address of the GlobalProtect portal to which to connect.

Step 7 Configure Authentication information:
1. Choose the method to authenticate end users: Password or Certificate.
2. Enter the Username of the VPN account or click add (+) to view supported lookup values that you can insert.
3. Enter a Password or upload an Identity Certificate that GlobalProtect will use to authenticate users.

Step 8 Save & Publish this profile to the assigned Smart Groups.


Configure a Per-App VPN Configuration for Android Devices Using AirWatch

You can easily enable access to internal resources from your managed mobile endpoints by configuring a per-app VPN. With a per-app VPN, you can specify which managed apps on the endpoint send traffic through the VPN tunnel, while all other apps continue to connect directly to the Internet instead of through the GlobalProtect VPN tunnel.

Step 1 Download the GlobalProtect app for Android:
Deploy the GlobalProtect Mobile App Using AirWatch.
Download the GlobalProtect app directly from Google Play.

Step 2 From the AirWatch console, modify or add a new Android profile.
1. Navigate to Devices > Profiles > List View.
2. Select an existing profile to which to add the VPN configuration or add a new one (select Add > Add Profile).
3. Select Android as the platform and Device as the configuration type.

Step 3 Configure General profile settings:
Name: Provide a meaningful name for this configuration.
Version: This field is auto-populated with the latest version number of the configuration profile.
Description: A brief description of the profile that indicates its purpose.
Profile Scope: Scope for this profile, either Production, Staging, or Both.
Assignment Type: Select Auto to deploy the profile to all endpoints automatically, Optional to enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or Compliance to deploy the profile when an end user violates a compliance policy applicable to the endpoint.
Managed By: The Organization Group with administrative access to the profile.
Assigned Smart Groups: [Link] to create a new Smart Group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups, and more.
Allow Removal: Determines whether or not the profile can be removed by the endpoint's end user. Select Always to enable the end user to manually remove the profile at any time, Never to prevent the end user from removing the profile from the endpoint, or With Authorization to enable the end user to remove the profile with authorization. Selecting With Authorization adds a required Password.
Exclusions: When you select Yes, the AirWatch console displays an Excluded Smart Groups field, which you can use to select those Smart Groups you wish to exclude from the assignment of this device profile.

Step 4 Save and Publish this profile to the assigned Smart Groups.

Step 5 To configure the VPN settings:
1. Select VPN and then click Configure.
2. Configure Connection Info, including:
Connection Type: Select GlobalProtect as the network connection method.
Connection Name: Enter the name that the endpoint will display for the connection.
Server: Enter the hostname or IP address of the GlobalProtect portal to which to connect.
Enable Per App VPN to route all of the traffic for a managed app through the GlobalProtect VPN.
3. Configure the authentication settings. For per-app VPN, you must use certificate-based authentication: select User Authentication: Certificate, and then follow the prompts to upload an Identity Certificate to use for authentication.
4. Save & Publish this profile to the assigned Smart Groups.


Step 6 Configure per-app VPN settings for a new managed app, or modify the settings for an existing managed app:
1. On the main page, select Apps & Books > Applications > List View > Public.
2. To add a new app, select Add Application. Or, to modify the settings of an existing app, locate the app in the list of Public apps and then select the edit icon in the actions menu next to the row.
3. Select the organization group by which this app will be managed.
4. Select Android as the Platform.
5. Select your preferred method for locating the app, either by specifying a URL or by importing the app from the app store (Google Play). To search by URL, you must also enter the Google Play Store URL for the app (for example, to search for the Box app by URL, enter [Link]).
6. If you search by name, you must select the app from the list of search results. If necessary, contact your Android for Work administrator to approve the app.
7. On the Assignment tab, select the Assigned Smart Groups that will have access to this app.
8. On the Deployment tab, select the Push Mode, either Auto or On Demand.
9. Select Use VPN and then select the Android profile that you created earlier in this workflow. Only profiles that have per-app VPN enabled are available from the drop-down.
10. Select Save & Publish to push the configuration to the assigned Smart Groups.

Step 7 Configure Authentication information:
1. Choose the method to authenticate end users: Password or Certificate.
2. Enter the Username of the VPN account or click add (+) to view supported lookup values that you can insert.
3. Enter a Password or upload an Identity Certificate that GlobalProtect will use to authenticate users.

Step 8 Save & Publish this profile to the assigned Smart Groups.

Enable App Scan Integration with WildFire

By enabling App Scan in AirWatch, you can leverage WildFire threat intelligence about apps to detect malicious apps. When enabled, the AirWatch agent sends the list of apps that are installed [Link] [Link] endpoint based on the verdict.

Step 1 Before you begin, make sure you have a WildFire API key. If you do not have one, contact Support.

Step 2 From AirWatch, select Groups & Settings > All Settings > Apps > App Scan > Third Party Integration.

Step 3 Select Current Setting: Override.

Step 4 Select Enable Third Party App Scan Analysis to enable communication between AirWatch and WildFire.

Step 5 Choose Palo Alto Networks WildFire from the Choose App Scan Vendor drop-down.

Step 6 Enter your WildFire API key.

Step 7 Click Test Connection. If the connection test fails, verify connectivity to the Internet, re-enter the API key, and then try again.

Step 8 [Link] [Link] Click Sync Now to initiate a manual sync with WildFire.

Configure the GlobalProtect App for Windows 10 UWP Using AirWatch

Using the GlobalProtect app for Windows 10 UWP as the secure connection between the endpoint and the firewall allows consistent inspection of traffic and enforcement of network security policy for threat prevention.
The GlobalProtect app for Windows 10 UWP supports the following configurations using AirWatch:
Per-App VPN: Specifies which managed apps on the endpoint can send traffic through the secure [Link] connection.
Device-Level VPN: Sends all traffic that matches specific filters (such as port and IP address) through the [Link] [Link] In addition, you can enable the VPN Lockdown option, which both forces the secure connection to always be on and connected and disables network access when the VPN is not connected. This is similar to the Enforce GlobalProtect for Network Access option that you would typically configure in a GlobalProtect portal configuration.

Because AirWatch does not yet list GlobalProtect as an official connection provider for Windows endpoints, you must select an alternate VPN provider, edit the settings for the GlobalProtect app, and import the configuration back into the VPN profile as described in the following workflow.


Step 1 Download the GlobalProtect app for Windows 10 UWP:
Deploy the GlobalProtect Mobile App Using AirWatch.
Download the GlobalProtect app directly from the Microsoft Store.

Step 2 From the AirWatch console, add a new Windows 10 UWP profile:
1. Navigate to Devices > Profiles > List View.
2. Select Add > Add Profile.
3. Select Windows as the platform and Windows Phone as the configuration type.
4. Configure General profile settings such as a meaningful Name for this configuration and a brief Description of the profile that indicates its purpose.
5. Save and Publish this profile to the assigned Smart Groups.

Step 3 To configure the VPN connection settings, select VPN and then click Configure.

Step 4 Configure Connection Info, including:
Connection Name: Enter the name that the endpoint will display for the connection.
Connection Type: Select an alternate provider (do not select IKEv2, L2TP, PPTP, or Automatic, as these do not have the associated vendor settings required for the GlobalProtect VPN profile). You must select the alternate vendor because AirWatch does not yet list GlobalProtect as an official connection provider for Windows endpoints.
Server: Enter the hostname or IP address of the GlobalProtect portal to which to connect.

Step 5 Configure the authentication settings for the VPN connection:
1. Select the Authentication Type to choose the method to authenticate end users.
2. To permit GlobalProtect to save user credentials, enable Remember Credentials in the Policies area.

Step 6 Configure VPN traffic rules to apply device-wide or on a per-app basis:
Add New Per-App VPN Rule: Specify rules for specific legacy apps ([Link]) or modern apps (typically downloaded from the Microsoft Store) that determine whether to automatically establish the [Link] configure specific traffic filters to route only app traffic through the VPN if it matches criteria such as IP address and port.
Add New Device-Wide VPN Rule: Specify routing filters to send traffic matching a specific route through the [Link] matches the match criteria, it is routed through the VPN.

Step 7 (Device-level VPN only) If desired, configure your preference of Always On connection:
1. To maintain the VPN connection always, enable either of the following options:
Always On: Force the secure connection to be always on.
VPN Lockdown: Force the secure connection to be always on and connected, and disable the network connection when the VPN is not connected. The VPN Lockdown option in AirWatch is similar to the Enforce GlobalProtect for Network Access option that you would configure in a GlobalProtect portal configuration.
2. Specify Trusted Network addresses if you want GlobalProtect to connect only when it detects a trusted network connection.
3. Save & Publish your changes.


Step 8 To adapt the configuration for GlobalProtect, edit the VPN profile in XML.
To minimize additional edits in the raw XML, review the settings in your VPN profile before you export it. If you later need to change a setting, you can make the changes in the raw XML, or you can update the setting in the VPN profile and perform this step again.
1. In the Devices > Profiles > List View, select the radio button next to the new profile you added in the previous steps, and then select </> XML.
2. Export the profile and then open it in a text editor of your choice.
3. Edit the following settings for GlobalProtect:
In the LocURI element that specifies the PluginPackageFamilyName, change the element to:
    <LocURI>./Vendor/MSFT/VPNv2/PaloAltoNetworks/PluginProfile/PluginPackageFamilyName</LocURI>
In the Data element that follows, change the value to:
    <Data>PaloAltoNetworks.GlobalProtect_rn9aeerfb38dg</Data>
4. Save your changes to the exported profile.
5. Return to AirWatch and the Devices > Profiles > List View.
6. Create (select Add > Add Profile > Windows > Windows Phone) and name a new profile.
7. Select Custom Settings > Configure, and then copy and paste the edited configuration.
8. Save & Publish your changes.

Step 9 Clean up the original profile: Select the original profile from the Devices > Profiles > List View, select More Actions > [Link].

Step 10 Test the configuration.
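As an added example (it is not from this guide, from AirWatch, or from Palo Alto Networks), the following Python script performs the Step 8 edit programmatically and checks the result before you paste it into Custom Settings: it locates the Item whose LocURI ends in PluginProfile/PluginPackageFamilyName, replaces that LocURI with the GlobalProtect path given above and the Data value that follows it with the GlobalProtect package family name, and leaves every other Item exactly as exported. The sample exported profile embedded below is constructed for the example; its SyncML Replace/Item/Target/LocURI/Data shape is an assumption about the AirWatch export, and the AlternateVendor profile name and package family name are placeholders for whichever alternate provider you selected in Step 4.

```python
import xml.etree.ElementTree as ET
from typing import Tuple

# Values given in Step 8 of the procedure above
GP_LOCURI = "./Vendor/MSFT/VPNv2/PaloAltoNetworks/PluginProfile/PluginPackageFamilyName"
GP_PFN = "PaloAltoNetworks.GlobalProtect_rn9aeerfb38dg"
PFN_SUFFIX = "/PluginProfile/PluginPackageFamilyName"

# Constructed sample of an exported AirWatch VPN profile (SyncML shape assumed;
# "AlternateVendor" stands in for the alternate provider selected in the console).
SAMPLE_EXPORT = """<Replace>
  <CmdID>1</CmdID>
  <Item>
    <Target><LocURI>./Vendor/MSFT/VPNv2/AlternateVendor/PluginProfile/PluginPackageFamilyName</LocURI></Target>
    <Data>AlternateVendor.VpnClient_0000000000000</Data>
  </Item>
  <Item>
    <Target><LocURI>./Vendor/MSFT/VPNv2/AlternateVendor/PluginProfile/ServerUrlList</LocURI></Target>
    <Data>gp.example.com</Data>
  </Item>
</Replace>"""


def retarget_plugin(xml_text: str) -> Tuple[str, int]:
    """Rewrite the PluginPackageFamilyName Item for GlobalProtect.

    Returns the edited XML and the number of Items changed (expected: 1).
    Other Items are left exactly as exported, as Step 8 instructs.
    """
    root = ET.fromstring(xml_text)
    changed = 0
    for item in root.iter("Item"):
        locuri = item.find("./Target/LocURI")
        data = item.find("Data")
        if locuri is None or data is None or not (locuri.text or "").strip():
            continue  # not a settings Item
        if locuri.text.strip().endswith(PFN_SUFFIX):
            locuri.text = GP_LOCURI
            data.text = GP_PFN
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def verify_globalprotect_plugin(xml_text: str) -> bool:
    """True when exactly one Item carries the GlobalProtect LocURI/Data pair."""
    root = ET.fromstring(xml_text)
    hits = 0
    for item in root.iter("Item"):
        locuri = item.find("./Target/LocURI")
        data = item.find("Data")
        if (locuri is not None and data is not None
                and (locuri.text or "").strip() == GP_LOCURI
                and (data.text or "").strip() == GP_PFN):
            hits += 1
    return hits == 1


if __name__ == "__main__":
    edited, count = retarget_plugin(SAMPLE_EXPORT)
    print(f"items rewritten: {count}, verified: {verify_globalprotect_plugin(edited)}")
    print(edited)
```

Run it against your own export by replacing SAMPLE_EXPORT with the file contents; a count other than 1 means the export did not contain the expected node, in which case inspect the profile in the console before pasting anything into the new profile.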


Manage the GlobalProtect App Using a Third-Party MDM

You can use any third-party mobile device management (MDM) system that manages an Android or iOS mobile endpoint to deploy and configure the GlobalProtect app.
Manage the GlobalProtect App for iOS Using a Third-Party MDM System
Configure the GlobalProtect App for iOS
Example: GlobalProtect iOS App Device-Level VPN Configuration
Example: GlobalProtect iOS App App-Level VPN Configuration
Manage the GlobalProtect App for Android Using a Third-Party MDM System
Configure the GlobalProtect App for Android
Example: Set VPN Configuration
Example: Remove VPN Configuration

Configure the GlobalProtect App for iOS

While a third-party MDM system allows you to push configuration settings that allow access to your corporate resources and provides a mechanism for enforcing device restrictions, it does not secure the [Link] tunnel connections, you must enable VPN support on the endpoint.
The following table describes typical settings that you can configure using your third-party MDM system.

Setting               Description                                                  Value
Connection Type       Type of connection enabled by the policy.                    Custom SSL
Identifier            Identifier for the custom SSL VPN in reverse DNS format.     [Link] [Link]
Server                Hostname or IP address of the GlobalProtect portal.          <hostname or IP address>; for example: [Link]
Account               User account for authenticating the connection.              <username>
User Authentication   Authentication type for the connection.                      Certific­ate | Password
Credential            (Certificate User Authentication only) Credential for        <credential>; for example: clientcredential.p12
                      authenticating the connection.
Enable VPN On Demand  (Optional) Domain and hostname that will establish the       <domain and hostname and the on-demand action>;
                      connection and the on-demand action: Always establish a      for example: [Link]; Never establish
                      connection; Never establish a connection; Establish a
                      connection if needed.

Example: GlobalProtect iOS App Device-Level VPN Configuration

The following example shows the XML configuration containing a VPN payload that you can use to verify the device-level VPN configuration of the GlobalProtect app for iOS.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadDescription</key>
      <string>Configures VPN settings, including authentication.</string>
      <key>PayloadDisplayName</key>
      <string>VPN (Sample Device Level VPN)</string>
      <key>PayloadIdentifier</key>
      <string>Sample Device Level [Link]</string>
      <key>PayloadOrganization</key>
      <string>Palo Alto Networks</string>
      <key>PayloadType</key>
      <string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadUUID</key>
      <string>5436fc94-205f-7c59-0000-011d</string>
      <key>UserDefinedName</key>
      <string>Sample Device Level VPN</string>
      <key>Proxies</key>
      <dict/>
      <key>VPNType</key>
      <string>VPN</string>
      <key>VPNSubType</key>
      <string>com.paloaltonetworks.globalprotect.vpnplugin</string>
      <key>IPv4</key>
      <dict>
        <key>OverridePrimary</key>
        <integer>0</integer>
      </dict>
      <key>VPN</key>
      <dict>
        <key>RemoteAddress</key>
        <string>[Link]</string>
        <key>AuthName</key>
        <string></string>
        <key>DisconnectOnIdle</key>
        <integer>0</integer>
        <key>OnDemandEnabled</key>
        <integer>1</integer>
        <key>OnDemandRules</key>
        <array>
          <dict>
            <key>Action</key>
            <string>Connect</string>
          </dict>
        </array>
        <key>AuthenticationMethod</key>
        <string>Password</string>
      </dict>
      <key>VendorConfig</key>
      <dict>
        <key>AllowPortalProfile</key>
        <integer>0</integer>
        <key>FromAspen</key>
        <integer>1</integer>
      </dict>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>Sample Device Level VPN</string>
  <key>PayloadOrganization</key>
  <string>Palo Alto Networks</string>
  <key>PayloadDescription</key>
  <string>Profile Description</string>
  <key>PayloadIdentifier</key>
  <string>Sample Device Level VPN</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadUUID</key>
  <string>5436fc94-205f-7c59-0000-011c</string>
  <key>PayloadRemovalDisallowed</key>
  <false/>
</dict>
</plist>

Example: GlobalProtect iOS App App-Level VPN Configuration

The following example shows the XML configuration containing a VPN payload that you can use to verify the app-level VPN configuration of the GlobalProtect app for iOS.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadDescription</key>
      <string>Configures VPN settings, including authentication.</string>
      <key>PayloadDisplayName</key>
      <string>VPN (Sample App Level VPN)</string>
      <key>PayloadIdentifier</key>
      <string>Sample App Level [Link]</string>
      <key>PayloadOrganization</key>
      <string>Palo Alto Networks</string>
      <key>PayloadType</key>
      <string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>VPNUUID</key>
      <string>cGFuU2FtcGxlIEFwcCBMZXZlbCBWUE52cG5TYW1wbGUgQXBwIExldmVsIFZQTg==</string>
      <key>SafariDomains</key>
      <array>
        <string>*.[Link]</string>
      </array>
      <key>PayloadUUID</key>
      <string>54370008-205f-7c59-0000-01a1</string>
      <key>UserDefinedName</key>
      <string>Sample App Level VPN</string>
      <key>Proxies</key>
      <dict/>
      <key>VPNType</key>
      <string>VPN</string>
      <key>VPNSubType</key>
      <string>com.paloaltonetworks.globalprotect.vpnplugin</string>
      <key>IPv4</key>
      <dict>
        <key>OverridePrimary</key>
        <integer>0</integer>
      </dict>
      <key>VPN</key>
      <dict>
        <key>RemoteAddress</key>
        <string>[Link]</string>
        <key>AuthName</key>
        <string></string>
        <key>OnDemandMatchAppEnabled</key>
        <integer>1</integer>
        <key>OnDemandEnabled</key>
        <integer>1</integer>
        <key>DisconnectOnIdle</key>
        <integer>0</integer>
        <key>AuthenticationMethod</key>
        <string>Password</string>
      </dict>
      <key>VendorConfig</key>
      <dict>
        <key>OnlyAppLevel</key>
        <integer>1</integer>
        <key>AllowPortalProfile</key>
        <integer>0</integer>
        <key>FromAspen</key>
        <integer>1</integer>
      </dict>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>Sample App Level VPN</string>
  <key>PayloadOrganization</key>
  <string>Palo Alto Networks</string>
  <key>PayloadDescription</key>
  <string>Profile Description</string>
  <key>PayloadIdentifier</key>
  <string>Sample App Level VPN</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadUUID</key>
  <string>5436fc94-205f-7c59-0000-011c</string>
  <key>PayloadRemovalDisallowed</key>
  <false/>
</dict>
</plist>
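The two profiles above differ in a handful of keys: the app-level variant adds VPNUUID and SafariDomains to the payload, sets OnDemandMatchAppEnabled in the VPN dictionary and OnlyAppLevel in VendorConfig, while the device-level variant carries OnDemandRules instead. As an added example, not part of this guide or of any MDM vendor's tooling, the Python below parses a configuration profile with plistlib, classifies it as device-level or app-level from those keys, and reports structural problems (and the removable-profile hygiene point) before the profile is pushed. It builds its own minimal sample profiles rather than embedding the XML above; the RemoteAddress and UUID values are constructed placeholders, and the VPNSubType string is the GlobalProtect plugin identifier as I know it, an assumption to confirm against your own MDM template.

```python
import plistlib
from typing import Dict, List

VPN_PAYLOAD_TYPE = "com.apple.vpn.managed"                      # Apple's PayloadType for VPN payloads
GP_VPN_SUBTYPE = "com.paloaltonetworks.globalprotect.vpnplugin"  # assumed GlobalProtect plugin id


def build_sample(app_level: bool, remote: str = "gp.example.com") -> bytes:
    """Constructed minimal profile mirroring the two examples above (placeholder values)."""
    vpn = {"RemoteAddress": remote, "AuthName": "", "DisconnectOnIdle": 0,
           "OnDemandEnabled": 1, "AuthenticationMethod": "Password"}
    vendor = {"AllowPortalProfile": 0, "FromAspen": 1}
    payload = {"PayloadType": VPN_PAYLOAD_TYPE, "PayloadVersion": 1,
               "PayloadUUID": "00000000-0000-0000-0000-000000000001",  # placeholder
               "UserDefinedName": "Sample VPN", "VPNType": "VPN",
               "VPNSubType": GP_VPN_SUBTYPE, "VPN": vpn, "VendorConfig": vendor}
    if app_level:
        vpn["OnDemandMatchAppEnabled"] = 1
        vendor["OnlyAppLevel"] = 1
        payload["VPNUUID"] = "constructed-vpn-uuid"   # managed apps are bound to this id
        payload["SafariDomains"] = ["*.example.com"]
    else:
        vpn["OnDemandRules"] = [{"Action": "Connect"}]
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadIdentifier": "Sample VPN",
               "PayloadUUID": "00000000-0000-0000-0000-000000000002",  # placeholder
               "PayloadRemovalDisallowed": False, "PayloadContent": [payload]}
    return plistlib.dumps(profile)


def validate_profile(data: bytes) -> Dict[str, object]:
    """Check a configuration profile that should carry one GlobalProtect VPN payload."""
    profile = plistlib.loads(data)
    problems: List[str] = []
    warnings: List[str] = []
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be Configuration")
    if not profile.get("PayloadRemovalDisallowed", False):
        warnings.append("PayloadRemovalDisallowed is false: the user can remove the profile")
    vpns = [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == VPN_PAYLOAD_TYPE]
    if len(vpns) != 1:
        problems.append(f"expected one VPN payload, found {len(vpns)}")
        return {"ok": False, "level": None, "problems": problems, "warnings": warnings}
    p = vpns[0]
    vpn, vendor = p.get("VPN", {}), p.get("VendorConfig", {})
    if p.get("VPNType") != "VPN":
        problems.append("VPNType must be VPN for a plugin VPN")
    if p.get("VPNSubType") != GP_VPN_SUBTYPE:
        problems.append("VPNSubType does not name the GlobalProtect plugin")
    if not vpn.get("RemoteAddress"):
        problems.append("VPN.RemoteAddress (the portal) is empty")
    if vpn.get("AuthenticationMethod") not in ("Password", "Certificate"):
        problems.append("AuthenticationMethod must be Password or Certificate")
    # Either marker makes this an app-level profile; both, plus a VPNUUID, are required
    app_level = vendor.get("OnlyAppLevel") == 1 or vpn.get("OnDemandMatchAppEnabled") == 1
    if app_level:
        if vendor.get("OnlyAppLevel") != 1 or vpn.get("OnDemandMatchAppEnabled") != 1:
            problems.append("app-level VPN needs OnlyAppLevel=1 and OnDemandMatchAppEnabled=1")
        if not p.get("VPNUUID"):
            problems.append("app-level VPN needs a VPNUUID to bind apps to")
    elif vpn.get("OnDemandEnabled") == 1 and not vpn.get("OnDemandRules"):
        problems.append("OnDemandEnabled is set but no OnDemandRules are given")
    return {"ok": not problems, "level": "app" if app_level else "device",
            "problems": problems, "warnings": warnings}


if __name__ == "__main__":
    for level in (False, True):
        print(validate_profile(build_sample(app_level=level)))
```

To check a real profile, read the .mobileconfig file as bytes and pass it to validate_profile; the same function handles both XML and binary plists because plistlib detects the format.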

Configure the GlobalProtect App for Android

You can deploy and configure the GlobalProtect app on Android for Work devices from any third-party mobile device management (MDM) system supporting Android for Work app data restrictions.
On Android devices, traffic is routed through the VPN tunnel according to the access routes configured on the GlobalProtect gateway. [Link], you can further refine the traffic that is routed through the VPN tunnel.
In an environment where the device is corporately owned, the device owner manages the entire device. In this case, all installed apps can send traffic through the VPN tunnel according to the access routes defined on the gateway.
In a bring-your-own-device (BYOD) environment, the device is not corporately owned and uses a Work Profile. [Link] Apps on the personal side of the device cannot send traffic through the VPN tunnel set by the managed GlobalProtect app installed in the Work Profile.
To route traffic from an even smaller set of apps, you can enable Per-App VPN so that GlobalProtect only routes traffic from the apps you specify. For Per-App VPN, you can whitelist or blacklist specific managed apps from having their traffic routed through the VPN tunnel.
As part of the VPN configuration, you can also specify the connect method. If you configure the VPN connection method as user-logon, the GlobalProtect app will establish a connection automatically when the user logs in. If you configure on-demand, users can initiate a connection manually when attempting to connect to the VPN remotely.

The VPN connect method defined in the MDM takes precedence over the connect method defined in the GlobalProtect portal configuration.

Removing the VPN configuration automatically restores the GlobalProtect app to the original configuration settings.
To configure the GlobalProtect app for Android, configure the following Android App Restrictions.

Key                                Value Type           Example
portal                             String               [Link]
username                           String               john
password                           String               Passwd!234
certificate                        String (in Base64)   DAFDSaweEWQ23wDSAFD.
client_certificate_passphrase      String               PA$$W0RD$123
app_list*                          String               whitelist | blacklist: [Link]; [Link]; [Link]
connect_method                     String               user-logon | on-demand
remove_vpn_config_via_restriction  Boolean              true | false

*The app_list key specifies the configuration for Per-App VPN. Begin the string with either whitelist or blacklist, followed by a colon and a semicolon-separated list of app package names. Traffic from apps that are not included in the whitelist or that are expressly listed in the blacklist will not go through the VPN tunnel.

Example: Set VPN Configuration

import android.app.admin.DevicePolicyManager;
import android.content.Context;
import android.os.Bundle;

// Restriction keys understood by the GlobalProtect app (see the table above)
private static final String RESTRICTION_PORTAL = "portal";
private static final String RESTRICTION_USERNAME = "username";
private static final String RESTRICTION_PASSWORD = "password";
private static final String RESTRICTION_CONNECT_METHOD = "connect_method";
private static final String RESTRICTION_CLIENT_CERTIFICATE = "client_certificate";
private static final String RESTRICTION_CLIENT_CERTIFICATE_PASSPHRASE =
        "client_certificate_passphrase";
private static final String RESTRICTION_APP_LIST = "app_list";
private static final String RESTRICTION_REMOVE_CONFIG = "remove_vpn_config_via_restriction";

// Build the restriction bundle that the MDM pushes to the GlobalProtect app
Bundle config = new Bundle();
config.putString(RESTRICTION_PORTAL, "[Link]");                 // GlobalProtect portal hostname
config.putString(RESTRICTION_USERNAME, "john");
config.putString(RESTRICTION_PASSWORD, "Passwd!234");
config.putString(RESTRICTION_CONNECT_METHOD, "user-logon");       // or "on-demand"
config.putString(RESTRICTION_CLIENT_CERTIFICATE, "DAFDSaweEWQ23wDSAFD."); // Base64-encoded certificate
config.putString(RESTRICTION_CLIENT_CERTIFICATE_PASSPHRASE, "PA$$W0RD$123");
config.putString(RESTRICTION_APP_LIST,
        "whitelist:[Link];[Link]");                                // Per-App VPN: only these packages use the tunnel

// Apply the restrictions to the GlobalProtect package as the device or profile owner;
// DeviceAdminReceiver is the MDM app's own DeviceAdminReceiver subclass
DevicePolicyManager dpm = (DevicePolicyManager)
        getSystemService(Context.DEVICE_POLICY_SERVICE);
dpm.setApplicationRestrictions(DeviceAdminReceiver.getComponentName(this),
        "com.paloaltonetworks.globalprotect", config);

Example: Remove VPN Configuration

// Setting remove_vpn_config_via_restriction to true restores the app's original settings
Bundle config = new Bundle();
config.putBoolean(RESTRICTION_REMOVE_CONFIG, true);
DevicePolicyManager dpm = (DevicePolicyManager)
        getSystemService(Context.DEVICE_POLICY_SERVICE);
dpm.setApplicationRestrictions(DeviceAdminReceiver.getComponentName(this),
        "com.paloaltonetworks.globalprotect", config);
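As an added example (not from this guide, from the GlobalProtect app, or from any MDM vendor), the Python below checks a restriction bundle against the key table above before an MDM pushes it: it requires portal, limits connect_method to user-logon or on-demand, requires remove_vpn_config_via_restriction to be a Boolean, parses the app_list string into its whitelist/blacklist mode and package list, and implements the footnote's rule for deciding which apps are tunnelled. It also flags a plaintext password in the bundle, since app restrictions are readable by anyone with access to the MDM configuration. The table names the certificate key "certificate" while the Java example uses "client_certificate"; the checker accepts either. The package names and values in the sample bundle are constructed.

```python
import re
from typing import Dict, List, Tuple

CONNECT_METHODS = {"user-logon", "on-demand"}
LIST_MODES = ("whitelist", "blacklist")
PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")


def parse_app_list(value: str) -> Tuple[str, List[str]]:
    """Parse "whitelist:pkg;pkg" or "blacklist:pkg;pkg" into (mode, packages)."""
    mode, sep, rest = value.partition(":")
    if not sep or mode not in LIST_MODES:
        raise ValueError("app_list must start with whitelist: or blacklist:")
    packages = [p.strip() for p in rest.split(";") if p.strip()]
    bad = [p for p in packages if not PACKAGE_RE.match(p)]
    if bad:
        raise ValueError(f"app_list has malformed package names: {bad}")
    return mode, packages


def app_uses_tunnel(app_list: str, package: str) -> bool:
    """Footnote rule: only whitelisted apps, or apps not expressly blacklisted, use the VPN."""
    mode, packages = parse_app_list(app_list)
    return package in packages if mode == "whitelist" else package not in packages


def validate_restrictions(r: Dict[str, object]) -> List[str]:
    """Return problems that would make the bundle invalid for the GlobalProtect app."""
    problems: List[str] = []
    if not r.get("portal"):
        problems.append("portal is required")
    if r.get("connect_method") not in CONNECT_METHODS:
        problems.append("connect_method must be user-logon or on-demand")
    has_cert = bool(r.get("client_certificate") or r.get("certificate"))
    if r.get("client_certificate_passphrase") and not has_cert:
        problems.append("client_certificate_passphrase given without a certificate")
    remove = r.get("remove_vpn_config_via_restriction")
    if remove is not None and not isinstance(remove, bool):
        problems.append("remove_vpn_config_via_restriction must be a Boolean")
    if "app_list" in r:
        try:
            parse_app_list(str(r["app_list"]))
        except ValueError as e:
            problems.append(str(e))
    return problems


def security_warnings(r: Dict[str, object]) -> List[str]:
    """Hygiene findings that do not make the bundle invalid."""
    warnings: List[str] = []
    if r.get("password"):
        warnings.append("password is stored in app restrictions; prefer certificate auth")
    return warnings


# Constructed sample bundle mirroring the Set VPN Configuration example above
SAMPLE = {
    "portal": "gp.example.com",
    "username": "john",
    "client_certificate": "QkFTRTY0Y2VydA==",   # placeholder Base64 blob
    "client_certificate_passphrase": "example-passphrase",
    "connect_method": "user-logon",
    "app_list": "whitelist:com.example.mail;com.example.docs",
}

if __name__ == "__main__":
    print("problems:", validate_restrictions(SAMPLE))
    print("warnings:", security_warnings(SAMPLE))
    print("mail tunnelled:", app_uses_tunnel(SAMPLE["app_list"], "com.example.mail"))
```

The same checks translate directly into the MDM-side Java: validate the Bundle's contents before calling setApplicationRestrictions, so that a typo such as "whiltelist" is caught in the console rather than silently leaving every app off the tunnel.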

Use Host Information in Policy Enforcement

Although you may have stringent security at your corporate network border, your network is really only as secure as the endpoints that connect to it. Because today's workforce is mobile, often requiring access to corporate resources from a variety of locations (airports, coffee shops, hotels) and from a variety of devices (both company-provisioned and personal), you must logically extend your [Link] The GlobalProtect Host Information Profile (HIP) feature enables you to collect information about the security status of your end hosts (such as whether they have the latest security patches and antivirus definitions installed, whether they have disk encryption enabled, whether the device is jailbroken or rooted (mobile devices only), or whether it is running specific software you require within your organization, including custom applications) and base the decision as to whether to allow or deny access to a specific host on adherence to the host policies you define.
[Link] the following sections:
About Host Information
Configure HIP-Based Policy Enforcement
Collect Application and Process Data From Clients
Block Device Access


About Host Information

[Link] [Link] matches this raw host information submitted by the agent against any HIP objects and HIP profiles you have defined on the gateway. If it finds a match, it generates an entry in the HIP Match log. Then, if it finds a HIP profile match in a policy rule, it enforces the corresponding security policy.
Using host information profiles for policy enforcement enables granular security that ensures that the remote hosts accessing your critical resources are adequately maintained and in adherence with your security standards. For example, before allowing access to your most sensitive data systems, you might want to ensure that the hosts accessing the data have [Link] [Link] In addition, for clients that are not in compliance with this rule, you could create a notification message that alerts users as to why they have been denied access and links them to the file share where they can access the installation program for the missing encryption software (of course, to allow the user to access that file share you would have to create a corresponding security rule allowing access to the particular share for hosts with that specific HIP profile match).
What Data Does the GlobalProtect Agent Collect?
How Does the Gateway Use the Host Information to Enforce Policy?
How Do Users Know if Their Systems are Compliant?
How Do I Get Visibility into the State of the End Clients?

What Data Does the GlobalProtect Agent Collect?

By default, the GlobalProtect agent collects vendor-specific data about the end-user security packages that are running on the computer (as compiled by the OPSWAT global partnership program) and reports this data to the GlobalProtect gateway for use in policy enforcement.
Because security software must continually evolve to ensure end-user protection, your GlobalProtect gateway licenses also enable you to get dynamic updates for the GlobalProtect data file with the latest patch and software versions available for each package.
While the agent collects a comprehensive amount of data about the host it is running on, you may have additional software that you require your end users to run in order to connect to your network or to access [Link] In this case, you can define custom checks that instruct the agent to collect specific registry information (on Windows clients), preference list (plist) information (on Mac OS clients), or to collect information about whether or not specific services are running on the host.
The agent collects data about the following categories of information by default, to help to identify the security state of the host:

Table: Data Collection Categories
Category              Data Collected
General               Information about the host itself, including the hostname, logon domain, operating
                      system, client version, and, for Windows systems, the domain to which the machine
                      belongs.
                      For the Windows client's domain, the GlobalProtect agent collects the domain
                      defined for ComputerNameDnsDomain, which is the DNS domain assigned to the local
                      computer or the cluster associated with the local computer. This data is what is
                      displayed for the Windows client's Domain in the HIP Match log details
                      (Monitor > HIP Match).
Patch Management      Information about any patch management software that is enabled and/or installed
                      on the host and whether there are any missing patches.
Firewall              Information about any client firewalls that are installed and/or enabled on the
                      host.
Antivirus             Information about any antivirus software that is enabled and/or installed on the
                      host, whether or not real-time protection is enabled, the virus definition
                      version, last scan time, the vendor, and the product name.
                      GlobalProtect uses OPSWAT technology to detect and assess third-party security
                      [Link] [Link] For example, you can define HIP objects and HIP profiles that
                      verify the presence of a specific version of antivirus software from a specific
                      vendor on the endpoint and also ensure that it has the latest virus definition
                      files.
Anti-Spyware          Information about any anti-spyware software that is enabled and/or installed on
                      the host, whether or not real-time protection is enabled, the virus definition
                      version, last scan time, the vendor, and the product name.
Disk Backup           Information about whether disk backup software is installed, the last backup
                      time, and the vendor and product name of the software.
Disk Encryption       Information about whether disk encryption software is installed, which drives
                      and/or paths are configured for encryption, and the vendor and product name of
                      the software.
Data Loss Prevention  Information about whether data loss prevention (DLP) software is installed
                      and/or enabled for the prevention of sensitive corporate information from leaving
                      the [Link] This information is only collected from Windows clients.
Mobile Devices        Identifying information about the mobile device, such as the model number, phone
                      number, serial number, and International Mobile Equipment Identity (IMEI) number.
                      In addition, the agent collects information about specific settings on the
                      device, such as whether or not a passcode is set, whether the device is
                      jailbroken, a list of apps installed on the device that are managed by a
                      third-party mobile device manager, if the device contains apps that are known to
                      have malware (Android devices only), and, optionally, the GPS location of the
                      device and a list of [Link] For iOS devices, some information is collected by
                      the GlobalProtect app and some information is reported directly by the operating
                      system.


You can exclude certain categories of information from being collected on certain hosts (to save CPU cycles and improve client response time). To do this, you create a client configuration on the portal excluding the [Link] For example, if you do not plan to create policy based on whether or not client systems run disk backup software, you can exclude that category, and the agent will not collect any information about disk backup.
You can also choose to exclude collecting information from personal devices in order to allow for user [Link] managed by a third-party mobile device manager.

How Does the Gateway Use the Host Information to Enforce Policy?

While the agent gets the information about what information to collect from the client configuration downloaded from the portal, you define which host attributes you are interested in monitoring and/or using for policy enforcement by creating HIP objects and HIP profiles on the gateway(s):
HIP Objects: Provide the matching criteria to filter out the host information you are interested in using [Link] For example, while the raw host data may include information about several antivirus packages that are installed on the client, you may only be interested in one particular application. In this case, you would create a HIP object to match the specific application you are interested in enforcing.
The best way to determine what HIP objects you need is to determine how you will use the host [Link] [Link] Keep in mind that you may want to keep your objects simple, matching on one thing, such as the presence of a particular type of required software, membership in a specific domain, and so on. By doing this, you will have the flexibility to create a very granular (and very powerful) HIP-augmented policy.
HIP Profiles: A collection of HIP objects that are to be evaluated together, either for monitoring or for [Link] When creating HIP profiles, you can combine the HIP objects you previously created (as well as other HIP profiles) using Boolean logic such that when a traffic flow is [Link] If there is a match, the corresponding policy rule will be enforced; if there is not a match, the flow will be evaluated against the next rule, as with any other policy matching criteria.
Unlike a traffic log, which only creates a log entry if there is a policy match, the HIP Match log generates an entry whenever the raw data submitted by an agent matches a HIP object and/or a HIP profile you have defined. This enables you to use the HIP Match log for monitoring the state of the hosts on your network over time before attaching your HIP profiles to security policies, in order to help you determine exactly what policies you believe need enforcement. See Configure HIP-Based Policy Enforcement for details on how to create HIP objects and HIP profiles and use them as policy match criteria.

142 GlobalProtect7.1AdministratorsGuide PaloAltoNetworks,Inc.


UseHostInformationinPolicyEnforcement AboutHostInformation

How Do Users Know if Their Systems are Compliant?

By default, end users are not given any information about policy decisions that were made as a result of HIP matching. However, you can enable this functionality by defining HIP notification messages to display when a particular HIP profile is matched and/or not matched.
The decision as to when to display a message (that is, whether to display it when the user's configuration matches a HIP profile in the policy or when it doesn't match it) depends largely on your policy and what a HIP match (or non-match) means for the user. For example, does a match mean they are granted full access to your network resources? Or does it mean they have limited access due to a non-compliance issue?
For example, consider the following scenarios:
- You create a HIP profile that matches if the required corporate antivirus and antispyware software is not installed. In this case, you might want to create a HIP notification message for users who match the HIP profile telling them that they need to install the software (and, optionally, providing a link to the file share where they can access the installer for the corresponding software).
- You create a HIP profile that matches if those same applications are installed. In this case, you might want to create the message for users who do not match the profile, and direct them to the location of the install package.
See Configure HIP-Based Policy Enforcement for details on how to create HIP objects and HIP profiles and use them in defining HIP notification messages.

How Do I Get Visibility into the State of the End Clients?

Whenever an end host connects to GlobalProtect, the agent submits the raw host information it has collected to the gateway. The gateway then uses this data to determine which HIP objects and/or HIP profiles it matches. If there is a match, the gateway generates a HIP Match log entry. Unlike a traffic log, which only creates a log entry if there is a policy match, the HIP Match log generates an entry whenever the raw data submitted by an agent matches a HIP object and/or HIP profile you have defined. This makes the HIP Match log useful for monitoring the state of the hosts on your network over time before attaching your HIP profiles to security policies, in order to help you determine exactly what policies you believe need enforcement.
Because a HIP Match log is only generated when the host state matches a HIP object you have created, for full visibility into host state you may need to create multiple HIP objects to log HIP matches for hosts that are in compliance with a particular state (for security policy enforcement purposes) as well as hosts that are non-compliant (for visibility). For example, suppose you want to prevent a host that does not have antivirus software installed from accessing your network. By creating a HIP object that matches hosts with antivirus software installed, adding it to a HIP profile, and attaching it to the security policy rule that allows access from your VPN zone, you can ensure that only hosts that are protected with antivirus software can connect.
However, in this case you would not be able to see in the HIP Match log which particular hosts are not in compliance. If you also want to see which hosts do not have antivirus software installed so that you can follow up with the users, you can also create a HIP object that matches hosts without antivirus software. Because this object is for visibility purposes only, you do not need to add it to a HIP profile or attach it to a security policy rule.

Configure HIP-Based Policy Enforcement

[Link] For more information on the HIP feature, see About Host Information.

Enable HIP Checking

Step 1. Verify proper licensing for HIP checks.
To use the HIP feature, you must have purchased and installed a GlobalProtect Gateway subscription license on each gateway that will perform HIP checks. To verify the license status on each portal and gateway, select Device > Licenses. Contact your Palo Alto Networks Sales Engineer or Reseller if you do not have the required licenses. For more information on licensing, see About GlobalProtect Licenses.

Step 2. (Optional) Define any custom host information that you want the agent to collect.
For example, if you have any required applications that are not included in the Vendor and/or Product lists for creating HIP objects, you could create a custom check that will allow you to determine whether that application is installed (has a corresponding registry or plist key) or is running (has a corresponding running process).
Note: Step 2 and Step 3 assume that you have already created a Portal configuration. If you have not yet configured your portal, see Configure the GlobalProtect Portal for instructions.
1. On the firewall that is hosting your GlobalProtect portal, select Network > GlobalProtect > Portals.
2. Select your portal configuration to open the GlobalProtect Portal dialog.
3. Select the Agent tab and then select the agent configuration to which you want to add a custom HIP check, or click Add to create a new agent configuration.
4. Select the Data Collection tab.
5. Enable the option to Collect HIP Data.
6. Select Custom Checks and define the data you want to collect from hosts running this agent configuration as follows:
   - To collect information about specific registry keys: On the Windows tab, Add the name of a Registry Key for which to collect information. Optionally, to restrict data collection to a specific Registry Value, Add and then enter the value name. Click OK to save the settings.
   - To collect information about running processes: Select the appropriate tab (Windows or Mac) and then Add a process to the Process List for each process you want the agent to collect information about.
   - To collect information about specific property lists: On the Mac tab, Add the name of a Plist for which to collect information. Optionally, click Add to restrict the data collection to specific Keys within the plist. Click OK to save the settings.
7. If this is a new client configuration, complete the rest of the configuration. For details, see Define the GlobalProtect Agent Configurations.
8. Click OK to save the client configuration.
9. Commit the changes.

Step 3. (Optional) Exclude categories from collection.
1. On the firewall that is hosting your GlobalProtect portal, select Network > GlobalProtect > Portals.
2. Select your portal configuration to open the GlobalProtect Portal dialog.
3. On the Agent tab, select the Agent configuration from which to exclude categories, or Add a new one.
4. Select Data Collection, and then verify that Collect HIP Data is enabled.
5. On the Exclude Categories tab, click Add. The Edit Exclude Category dialog displays.
6. Select the Category you want to exclude from the drop-down list.
7. (Optional) If you want to exclude specific vendors and/or products from collection within the selected category rather than excluding the entire category, click Add and then select the Vendor to exclude from the drop-down on the Edit Vendor dialog and, optionally, click Add to exclude specific Products from that vendor. Click OK to add the vendor to the exclude list.
8. Repeat Step 6 and Step 7 for each category you want to exclude.
9. If this is a new client configuration, complete the rest of the configuration. For details on creating client configurations, see Define the GlobalProtect Agent Configurations.
10. Click OK to save the client configuration.
11. Commit the changes.

Step 4. Create the HIP objects to filter the raw host data collected by the agents.
The best way to determine what HIP objects you need is to determine how you will use the host information you collect. Keep in mind that the HIP objects themselves are merely building blocks that allow you to create the HIP profiles that are used in policy enforcement. Therefore, you may want to keep your objects simple, matching on one thing, such as the presence of a particular type of required software, membership in a specific domain, or the presence of a specific client OS. By doing this, you will have the flexibility to create a very granular (and very powerful) HIP-augmented policy.
Note: For details on a specific HIP category or field, refer to the online help.
1. On the gateway (or on Panorama if you plan to share the HIP objects among multiple gateways), select Objects > GlobalProtect > HIP Objects and click Add.
2. On the General tab, enter a Name for the object.
3. Select the tab that corresponds to the category of host information you are interested in matching against and select the check box to enable the object to match against that category. For example, to create an object that looks for information about antivirus software, select the Antivirus tab and then select the Antivirus check box to enable the corresponding fields, and then define the criteria to match. For example, the following screenshot shows how to create an object that will match if the Symantec Norton AntiVirus 2004 Professional application is installed, has Real Time Protection enabled, and has virus definitions that have been updated within the last 5 days.
Repeat this step for each category you want to match against in this object. For a list of categories, see Table: Data Collection Categories.
4. Click OK to save the HIP object.
5. Repeat these steps to create each additional HIP object you require.
6. Commit the changes.

Step 5. Create the HIP profiles that you plan to use in your policies.
When you create your HIP profiles, you can combine the HIP objects you previously created (as well as other HIP profiles) using Boolean logic such that when a traffic flow is evaluated against the resulting HIP profile it will either match or not match. If there is a match, the corresponding policy rule will be enforced; if there is not a match, the flow will be evaluated against the next rule, as with any other policy matching criteria.
1. On the gateway (or on Panorama if you plan to share the HIP profiles among multiple gateways), select Objects > GlobalProtect > HIP Profiles and click Add.
2. Enter a descriptive Name for the profile and optionally a Description.
3. Click Add Match Criteria to open the HIP Objects/Profiles Builder.
4. Select the first HIP object or profile you want to use as match criteria and then click add to move it over to the Match text box on the HIP Profile dialog. If you want the HIP profile to evaluate the object as a match only when the criteria in the object is not true for a flow, select the NOT check box before adding the object.
5. Continue adding match criteria as appropriate for the profile you are building, making sure to select the appropriate Boolean operator radio button (AND or OR) between each addition (and, again, using the NOT check box when appropriate).
6. If you are creating a complex Boolean expression, you must manually add the parentheses in the proper places in the Match text box to ensure that the HIP profile is evaluated using the logic you intend. For example, the following HIP profile will match traffic from a host that has either FileVault disk encryption (for Mac OS systems) or TrueCrypt disk encryption (for Windows systems) and also belongs to the required Domain, and has a Symantec antivirus client installed:
7. When you are done adding match criteria, click OK to save the profile.
8. Repeat these steps to create each additional HIP profile you require.
9. Commit the changes.
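The following Python is an added example, not code from the guide or from PAN-OS. It illustrates Steps 4 to 6 of this procedure together with the HIP Match log behaviour described under How Do I Get Visibility into the State of the End Clients?: simple single-category HIP objects (including a negated antivirus object kept only for visibility), a profile whose Match text combines them with AND, OR, NOT and parentheses, and the list of objects and profiles for which a given host would produce HIP Match entries. The host data, the object names, the max_definition_age_days criterion and the quoted-name syntax of the match text are assumptions made for this example.

```python
# Added example (not PAN-OS code): HIP object and HIP profile evaluation over constructed host data.
import re
from dataclasses import dataclass
from datetime import date

# Constructed raw host information, in the shape an agent might report it (not the real schema).
COMPLIANT_MAC = {"domain": "acme.local",
                 "antivirus": [{"vendor": "Symantec", "real_time_protection": True,
                                "last_definition_update": "2016-11-18"}],
                 "disk_encryption": [{"product": "FileVault", "encrypted": True}]}
NONCOMPLIANT_MAC = {"domain": "home.local", "antivirus": [],  # no antivirus reported at all
                    "disk_encryption": [{"product": "FileVault", "encrypted": True}]}
TODAY = date(2016, 11, 21)  # constructed evaluation date for the "updated within N days" check

@dataclass
class HipObject:
    name: str
    category: str
    criteria: dict        # attribute -> required value (one category per object, as the guide advises)
    negate: bool = False  # match hosts for which the criteria are NOT met

    def matches(self, host: dict, today: date) -> bool:
        entries = host.get(self.category, [])
        if not isinstance(entries, list):  # scalar categories such as domain
            entries = [{"value": entries}]
        hit = any(self._entry_ok(e, today) for e in entries)
        return not hit if self.negate else hit

    def _entry_ok(self, entry: dict, today: date) -> bool:
        for key, want in self.criteria.items():
            if key == "max_definition_age_days":  # "virus definitions updated within the last N days"
                updated = date.fromisoformat(entry["last_definition_update"])
                if (today - updated).days > want:
                    return False
            elif entry.get(key) != want:
                return False
        return True

OBJECTS = [
    HipObject("Symantec-AV", "antivirus",
              {"vendor": "Symantec", "real_time_protection": True, "max_definition_age_days": 5}),
    HipObject("No-AV", "antivirus", {}, negate=True),  # visibility only: logs non-compliant hosts
    HipObject("FileVault", "disk_encryption", {"product": "FileVault", "encrypted": True}),
    HipObject("TrueCrypt", "disk_encryption", {"product": "TrueCrypt", "encrypted": True}),
    HipObject("Corp-Domain", "domain", {"value": "acme.local"}),
]

# Match text as typed in the HIP profile builder (object names quoted; syntax approximated).
PROFILE_WITH_PARENS = '("FileVault" or "TrueCrypt") and "Corp-Domain" and "Symantec-AV"'
PROFILE_NO_PARENS = '"FileVault" or "TrueCrypt" and "Corp-Domain" and "Symantec-AV"'

_TOKEN = re.compile(r'"([^"]+)"|([()])|\b(and|or|not)\b', re.IGNORECASE)

def tokenize(match_text: str) -> list:
    if _TOKEN.sub("", match_text).strip():
        raise ValueError("unexpected text in match expression")
    return [("name", n) if n else ("paren", p) if p else ("op", o.lower())
            for n, p, o in _TOKEN.findall(match_text)]

def evaluate_profile(match_text: str, results: dict) -> bool:
    """Recursive descent over the match text: NOT binds tighter than AND, AND tighter than OR."""
    toks, i = tokenize(match_text), 0
    def peek():
        return toks[i] if i < len(toks) else (None, None)

    def factor():
        nonlocal i
        kind, text = peek()
        i += 1
        if (kind, text) == ("op", "not"):
            return not factor()
        if (kind, text) == ("paren", "("):
            value = expr()
            if peek() != ("paren", ")"):
                raise ValueError("missing closing parenthesis")
            i += 1
            return value
        if kind == "name":
            return results[text]  # KeyError: referenced object/profile not defined
        raise ValueError(f"unexpected token {text!r}")

    def level(op, below):  # left-associative chain of one operator
        nonlocal i
        value = below()
        while peek() == ("op", op):
            i += 1
            rhs = below()  # always evaluated, so malformed text is reported
            value = (value and rhs) if op == "and" else (value or rhs)
        return value

    def expr():
        return level("or", lambda: level("and", factor))

    result = expr()
    if i != len(toks):
        raise ValueError("unbalanced parentheses or trailing tokens")
    return result

def hip_match_log(host: dict, today: date, profiles: dict) -> list:
    """Names of the objects and profiles the host matches: what a HIP Match log would record."""
    results = {o.name: o.matches(host, today) for o in OBJECTS}
    for name, text in profiles.items():  # a profile may reference earlier profiles
        results[name] = evaluate_profile(text, results)
    return sorted(name for name, hit in results.items() if hit)
```

Evaluating PROFILE_NO_PARENS against NONCOMPLIANT_MAC returns True in this evaluator while PROFILE_WITH_PARENS returns False, which is the difference Step 6 warns about: without parentheses the text is read as FileVault or (TrueCrypt and Corp-Domain and Symantec-AV). The No-AV object appears in the log output for the non-compliant host even though it is never attached to a profile, which is the visibility technique described earlier in this chapter.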


Step 6. Verify that the HIP objects and HIP profiles you created are matching your GlobalProtect client traffic as expected.
Note: Consider monitoring HIP objects and profiles as a means to monitor the security state and activity of the hosts on your network. By monitoring the host information over time you will be better able to understand where your security and compliance issues are, and you can use this information to guide you in creating your HIP-based policies. For details, see How Do I Get Visibility into the State of the End Clients?
On the gateway(s) that your GlobalProtect users are connecting to, select Monitor > Logs > HIP Match. This log displays all matches the gateway identified when evaluating the raw HIP data reported by the agents against the defined HIP objects and HIP profiles. Unlike other log types, a HIP match does not require a security policy match in order to be logged.

Step 7. Enable User-ID on the source zones that contain the GlobalProtect users that will be sending requests that require HIP-based access control.
You must enable User-ID even if you don't plan on using the user identification feature, or the firewall will not generate any HIP Match log entries.
1. Select Network > Zones.
2. Click on the Name of the zone in which you want to enable User-ID to open the Zone dialog.
3. Enable User-ID by selecting the Enabled check box and then click OK.

Step 8. Create the HIP-enabled security rules on your gateway(s).
As a best practice, you should create your security rules and test that they match the expected flows based on the source and destination criteria before adding your HIP profiles. This way you will be better able to determine the proper placement of the HIP-enabled rules within the policy.
1. Select Policies > Security and select the rule to which you want to add a HIP profile.
2. On the Source tab, make sure the Source Zone is a zone for which you enabled User-ID in Step 7.
3. On the User tab, click Add in the HIP Profiles section and select the HIP profile(s) you want to add to the rule (you can add up to 63 HIP profiles to a rule).
4. Click OK to save the rule.
5. Commit the changes.

Step 9. Define the notification messages end users will see when a security rule with a HIP profile is enforced.
The decision as to when to display a message (that is, whether to display it when the user's configuration matches a HIP profile in the policy or when it doesn't match it) depends largely on your policy and what a HIP match (or non-match) means for the user. For example, does a match mean they are granted full access to your network resources? Or does it mean they have limited access due to a non-compliance issue?
For example, suppose you create a HIP profile that matches if the required corporate antivirus and antispyware software is not installed. In this case, you might want to create a HIP notification message for users who match the HIP profile telling them that they need to install the software. Alternatively, if your HIP profile matched if those same applications are installed, you might want to create the message for users who do not match the profile.
1. On the firewall that is hosting your GlobalProtect gateway(s), select Network > GlobalProtect > Gateways.
2. Select a previously defined gateway configuration to open the GlobalProtect Gateway dialog.
3. Select Client Configuration > HIP Notification and then click Add.
4. Select the HIP Profile this message applies to from the drop-down.
5. Select Match Message or Not Match Message, depending on whether you want to display the message when the corresponding HIP profile is matched in policy or when it is not matched. In some cases you may want to create messages for both a match and a non-match, depending on what objects you are matching on and what your objectives are for the profile. Optionally, you can also enable the option to Include matched application list in message to indicate what applications triggered the HIP match.
6. Select the Enable check box and select whether you want to display the message as a Pop Up Message or as a System Tray Balloon.
7. Enter the text of your message in the Template text box and then click OK. The text box provides both a formatted view of the text and an HTML source view, which you can toggle between using the Source Edit icon. The editor provides many options for formatting your text and for creating hyperlinks to external documents, for example to link users directly to the download URL for a required software program.
8. Repeat this procedure for each message you want to define.
9. Commit the changes.

Step 10. Verify that your HIP profiles are working as expected.
You can monitor what traffic is hitting your HIP-enabled policies using the Traffic log as follows:
1. From the gateway, select Monitor > Logs > Traffic.
2. Filter the log to display only traffic that matches the rule that has the HIP profile you are interested in monitoring attached. For example, to search for traffic that matches a security rule named iOS Apps you would enter ( rule eq 'iOS Apps' ) in the filter text box as follows:
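As an added example that is not part of the guide, the Python below applies a filter of the form shown above to constructed Traffic log records, so that the rows a HIP-enabled rule is matching can be picked out offline. Only eq appears in the guide; the neq and contains operators, chaining of clauses with and/or, and strictly left-to-right evaluation without nested parentheses are simplifying assumptions of this example, not a description of the firewall's own filter engine.

```python
# Added example (not PAN-OS code): apply a Traffic log filter such as ( rule eq 'iOS Apps' )
# to constructed log records, to show which rows a HIP-enabled rule is matching.
import re

# Constructed traffic log records with the columns the filters below refer to.
TRAFFIC_LOG = [
    {"receive_time": "2016/11/21 10:01:05", "src": "10.31.32.7", "dst": "10.1.1.20",
     "app": "ssl", "rule": "iOS Apps", "srcuser": "acme\\jdoe", "action": "allow"},
    {"receive_time": "2016/11/21 10:01:09", "src": "10.31.32.9", "dst": "10.1.1.21",
     "app": "web-browsing", "rule": "VPN Access", "srcuser": "acme\\asmith", "action": "allow"},
    {"receive_time": "2016/11/21 10:02:44", "src": "10.31.32.7", "dst": "10.1.1.30",
     "app": "ms-rdp", "rule": "iOS Apps", "srcuser": "acme\\jdoe", "action": "deny"},
]

# One clause: ( field op 'value' ).  Only eq is on the page; neq and contains are assumed here.
_CLAUSE = re.compile(r"\(\s*([\w.]+)\s+(eq|neq|contains)\s+'([^']*)'\s*\)", re.IGNORECASE)
_JOIN = re.compile(r"\s*(and|or)\s*", re.IGNORECASE)


def parse_filter(text: str):
    """Split a flat filter into clauses and the and/or operators between them (no nesting)."""
    clauses, ops, pos, text = [], [], 0, text.strip()
    while pos < len(text):
        m = _CLAUSE.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse filter near: {text[pos:]!r}")
        clauses.append((m.group(1).lower(), m.group(2).lower(), m.group(3)))
        pos = m.end()
        if pos >= len(text):
            break
        j = _JOIN.match(text, pos)
        if not j or j.end() == len(text):
            raise ValueError(f"expected 'and'/'or' followed by a clause near: {text[pos:]!r}")
        ops.append(j.group(1).lower())
        pos = j.end()
    if not clauses:
        raise ValueError("empty filter")
    return clauses, ops


def _clause_hit(record: dict, field: str, op: str, value: str) -> bool:
    actual = str(record.get(field, ""))
    if op == "eq":
        return actual == value
    if op == "neq":
        return actual != value
    return value in actual  # contains


def apply_filter(text: str, records: list) -> list:
    """Return the records the filter selects; operators are applied left to right."""
    clauses, ops = parse_filter(text)
    hits = []
    for rec in records:
        result = _clause_hit(rec, *clauses[0])
        for op, clause in zip(ops, clauses[1:]):
            nxt = _clause_hit(rec, *clause)
            result = (result and nxt) if op == "and" else (result or nxt)
        if result:
            hits.append(rec)
    return hits
```

Combining the rule clause with ( action eq 'deny' ) isolates the sessions that hit the HIP-enabled rule but were still denied, which is usually the first thing to look at when a HIP profile is not behaving as expected.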


Collect Application and Process Data From Clients

The Windows Registry and Mac Plist can be used to configure and store settings and options for Windows and Mac operating systems, respectively. You can use custom checks to determine whether an application is installed (has a corresponding registry or plist key) or is running (has a corresponding running process). To do so, configure the GlobalProtect agent to collect specific registry information (Registry Keys and Registry Key Values from Windows clients) or preference list (plist) information (plist and plist keys from Mac OS clients). The data that you define to be collected in a custom check is included in the raw host information data collected by the GlobalProtect agent and then submitted to the GlobalProtect gateway when the agent connects.
You can then create a HIP object and HIP profile for the custom check. The gateway can use the HIP object (which matches to the data defined in the custom check) to filter the raw host information submitted by the agent. Optionally, a HIP profile containing the object can be attached to a security policy rule; if traffic matches the HIP profile, the gateway will enforce that security rule on the matching traffic.
The following workflow includes the optional steps to create a HIP object and HIP profile for a custom check, if you would like to use client data as matching criteria for a security policy to monitor, identify, and act on traffic.

Note: For more information on defining agent settings directly from the Windows registry or the global Mac plist, see Deploy Agent Settings Transparently.

Enable and Verify Custom Checks for Windows or Mac Clients

Step 1. Enable the GlobalProtect agent to collect Windows Registry information from Windows clients or Plist information from Mac clients.
The type of information collected can include whether or not an application is installed on the client, or specific attributes or properties of that application.
This step enables the agent to report data on the applications and client settings. (Step 5 and Step 6 will show you how to monitor and use the reported data to identify or take action on certain device traffic.)
Collect data from a Windows client:
1. Select Network > GlobalProtect > Portals and then select the portal configuration you want to modify or Add a new one.
2. Select the Agent tab and then select the Agent configuration you want to modify or Add a new one.
3. Select Data Collection, and then verify that Collect HIP Data is enabled.
4. Select Custom Checks > Windows.
5. Add the Registry Key that you want to collect information about. To collect information about a specific value contained within that Registry Key, add the corresponding Registry Value.
Collect data from a Mac client:
1. Select Network > GlobalProtect > Portals and then select the portal configuration you want to modify or Add a new one.
2. Select the Agent tab and then select the Agent configuration you want to modify or Add a new one.
3. Select Data Collection, and then verify that Collect HIP Data is enabled.
4. Select Custom Checks > Mac.
5. Add the Plist that you want to collect information about and the corresponding Plist Key to determine if the application is installed.
For example, Add [Link] Key askForPassword to collect information on whether a password is required to wake the Mac client after the screen saver begins.
Confirm that the Plist and Key are added to the Mac custom checks.

Step 2. (Optional) Check if a specific process is running on the client.
1. Continue from Step 1 on the Custom Checks tab (Network > GlobalProtect > Portals > <portal config> > Agent > <agent config> > Data Collection) and select the Windows tab or Mac tab.
2. Add the name of the process that you want to collect information about to the Process List.

Step 3. Save the custom check.
Click OK and Commit the changes.

Step 4. Verify that the GlobalProtect agent is collecting the data defined in the custom check from the client.
For Windows clients: On the Windows client, double-click the GlobalProtect icon on the taskbar and click the Host State tab to view the information that the agent collected from the client. In the custom checks drop-down, verify that the data that you defined for collection in Step 7 is displayed.
For Mac clients: On the Mac client, click the GlobalProtect icon on the Menu bar, click Advanced View, and click Host State to view the information that the agent collected from the client. In the custom checks drop-down, verify that the data you defined for collection in Step 7 is displayed.

Step 5. (Optional) Create a HIP Object to match to a Registry Key (Windows) or Plist (Mac).
This can allow you to filter the raw host information collected from the GlobalProtect agent in order to monitor the data for the custom check. With a HIP object defined for the custom check data, the gateway will match the raw data submitted from the agent to the HIP object and a HIP Match log entry is generated for the data (Monitor > HIP Match).
For Windows and Mac clients:
1. Select Objects > GlobalProtect > HIP Objects and Add a HIP Object.
2. Select and enable Custom Checks.
For Windows clients only:
1. To check Windows clients for a specific registry key, select Registry Key and Add the key you want to check for. To match clients that do not have the specified registry key, select Key does not exist or match the specified value data.
2. To match on specific values within the Registry key, click Add and enter the Registry Value and the value data to match. To match clients that explicitly do not have the specified value or value data, select the Negate check box.
3. Click OK and Commit. You can then view the custom check data in the HIP Match logs at the next device check-in, or continue to Step 6.
For Mac clients only:
1. Select the Plist tab and Add and enter the name of the Plist for which you want to check Mac clients. (If instead you want to match Mac clients that do not have the specified Plist, continue by selecting Plist does not exist.)
2. (Optional) You can match traffic to a specific key-value pair within the Plist by entering the Key and the corresponding Value to match. (Alternatively, if you want to identify clients that do not have a specific Key and Value, you can continue by selecting Negate after populating the Key and Value fields.)
3. Click OK and Commit. You can then view the custom check data in the HIP Match logs at the next device check-in, or continue to Step 6.
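The Python below is an added example, not PAN-OS code, that models how the custom-check options in this step decide whether a host matches: a registry key with optional value data, the Key does not exist or match the specified value data option, the per-value Negate box, a plist with an optional key/value pair, Plist does not exist, and the Process List collected in Step 2. The registry key, plist name, process names and the layout of the reported data are all constructed for the example.

```python
# Added example (not PAN-OS code): matching semantics of a custom-check HIP object
# (registry key/value, plist/key, "does not exist" and Negate options) over constructed data.
from dataclasses import dataclass, field
from typing import Optional

# Constructed custom-check data as a Windows and a Mac agent might report it.
AGENT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\Agent"  # made-up key for the example
WINDOWS_HOST = {
    "registry": {AGENT_KEY: {"Version": "3.2.1", "Enabled": "1"}},
    "processes": ["explorer.exe", "ExampleAgent.exe"],
}
MAC_HOST = {
    "plist": {"com.example.screensaver": {"askForPassword": 1, "askForPasswordDelay": 0}},
    "processes": ["Finder", "ExampleAgent"],
}


@dataclass
class RegistryCheck:
    """HIP object > Custom Checks > Registry Key."""
    key: str
    values: dict = field(default_factory=dict)   # value name -> expected value data
    negate: set = field(default_factory=set)     # value names with the Negate box selected
    key_does_not_exist_or_match: bool = False    # "Key does not exist or match the specified value data"

    def matches(self, host: dict) -> bool:
        data = host.get("registry", {}).get(self.key)
        if self.key_does_not_exist_or_match:
            return data is None or not self._values_ok(data)
        return data is not None and self._values_ok(data)

    def _values_ok(self, data: dict) -> bool:
        for name, want in self.values.items():
            ok = data.get(name) == want
            if name in self.negate:  # Negate: match clients that explicitly lack this value data
                ok = not ok
            if not ok:
                return False
        return True


@dataclass
class PlistCheck:
    """HIP object > Custom Checks > Plist."""
    plist: str
    key: Optional[str] = None
    value: object = None
    negate: bool = False             # identify clients that do NOT have this key/value
    plist_does_not_exist: bool = False

    def matches(self, host: dict) -> bool:
        data = host.get("plist", {}).get(self.plist)
        if self.plist_does_not_exist:
            return data is None
        if data is None:
            return False
        if self.key is None:         # plist presence alone is the check
            return True
        hit = self.key in data and data[self.key] == self.value
        return not hit if self.negate else hit


def process_running(host: dict, name: str) -> bool:
    """Process List check: is this name among the running processes the agent reported?"""
    return name.lower() in (p.lower() for p in host.get("processes", []))
```

The two "negative" forms differ on purpose: the key-level option matches when the key is absent or its data differs, while Negate on a single value only flips that one value comparison, so a host that lacks the key entirely is still a non-match for a Negate-only object.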


Step 6. (Optional) Create a HIP profile to allow the HIP object you created in Step 5 to be evaluated against traffic.
The HIP profile can be added to a security policy as an additional check for matching traffic. If traffic is matched to the HIP profile, the security policy rule will be enforced on the traffic. For more details on creating HIP profiles, see Configure HIP-Based Policy Enforcement.
1. Select Objects > GlobalProtect > HIP Profile.
2. Click Add Match Criteria to open the HIP Objects/Profiles Builder.
3. Select the HIP object you want to use as match criteria and then move it over to the Match box on the HIP Profile dialog.
4. When you have finished adding the objects to the new HIP profile, click OK and Commit.

Step 7. Add the HIP profile to a security policy so that the data collected with the custom check can be used to match to and act on traffic.
Select Policies > Security, and Add the HIP profile to a security policy rule. For details on security policy components and using security policies to match to and act on traffic, see Security Policy.

Block Device Access

In the event that a user loses a device that provides GlobalProtect access to your network, that device is stolen, or a user leaves your organization, you can block the device from gaining access to the network by placing the device in a block list.
A block list is local to a logical network location (vsys1, for example) and can contain a maximum of 1,000 entries. You can create separate device block lists for each location hosting a GlobalProtect deployment.

Block Device Access

Step 1. Create a device block list.
Note: You cannot use Panorama templates to push a device block list to firewalls.
1. Select Network > GlobalProtect > Device Block List and Add a device block list.
2. Enter a descriptive Name for the list.
3. For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.

Step 2. Add a device to a block list.
1. Enter the host ID (required) and hostname (optional) for a device you need to block.
2. Add additional devices, if needed.
3. Click OK to save and activate the block list.
Note: The device list does not require a commit and is immediately active.


GlobalProtect Quick Configs

The following sections provide step-by-step instructions for configuring some common GlobalProtect deployments:
- Remote Access VPN (Authentication Profile)
- Remote Access VPN (Certificate Profile)
- Remote Access VPN with Two-Factor Authentication
- Always-On VPN Configuration
- Remote Access VPN with Pre-Logon
- GlobalProtect Multiple Gateway Configuration
- GlobalProtect for Internal HIP Checking and User-Based Access
- Mixed Internal and External Gateway Configuration

Remote Access VPN (Authentication Profile)

In the Figure: GlobalProtect VPN for Remote Access, the GlobalProtect portal and gateway are configured on ethernet1/2, [Link]. When the GlobalProtect agent connects and the portal and gateway authenticate it, the client establishes a VPN tunnel from its virtual adapter, which has been assigned an address in the IP address pool associated with the gateway tunnel.2 configuration (10.31.32.3 - [Link]). Because tunnel.2 is in a separate corp-vpn zone, you have visibility into the VPN traffic as well as the ability to customize security policy for remote users.
Watch the video.

Figure: GlobalProtect VPN for Remote Access

[Link].

Quick Config: VPN Remote Access

Step 1. Create Interfaces and Zones for GlobalProtect.
Note: Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.
- Select Network > Interfaces > Ethernet and configure ethernet1/2 as a Layer 3 Ethernet interface with IP address 203.0.113.1 and assign it to the l3-untrust zone and the default virtual router.
- Create a DNS A record that maps IP address 203.0.113.1 to [Link].
- Select Network > Interfaces > Tunnel and add the tunnel.2 interface to a new zone called corp-vpn and to the default virtual router.
- Enable User Identification on the corp-vpn zone.

Step 2. Create security policy to enable traffic flow between the corp-vpn zone and the l3-trust zone to enable access to your internal resources.
1. Select Policies > Security and then Add a new rule.
2. For this example, you would define the rule with the following settings:
   Name: VPN Access
   Source Zone: corp-vpn
   Destination Zone: l3-trust

Step 3. Obtain a server certificate for the interface hosting the GlobalProtect portal and gateway using one of the following methods:
- (Recommended) Import a server certificate from a well-known, third-party CA.
- Use the root CA on the portal to generate a self-signed server certificate.
Select Device > Certificate Management > Certificates to manage certificates as follows:
- Because the portal and gateway are on the same interface, the same server certificate can be used for both components.
- The CN of the certificate must match the FQDN, [Link].
- To enable clients to connect to the portal without receiving certificate errors, use a server certificate from a public CA.

Step 4. Create a server profile.
The server profile instructs the firewall how to connect to the authentication service. Local, RADIUS, Kerberos, and LDAP authentication methods are supported. This example shows an LDAP authentication profile for authenticating users against the Active Directory.
Create the server profile for connecting to the LDAP server (Device > Server Profiles > LDAP).

Step 5. (Optional) Create an authentication profile.
Attach the server profile to an authentication profile (Device > Authentication Profile).

Step 6. Configure a GlobalProtect Gateway.
Select Network > GlobalProtect > Gateways and add the following configuration:
   Interface: ethernet1/2
   IP Address: 203.0.113.1
   Server Certificate: [Link] issued by GoDaddy
   Authentication Profile: Corp-LDAP
   Tunnel Interface: tunnel.2
   IP Pool: 10.31.32.3 - [Link]

Step 7. Configure the GlobalProtect Portal.
Select Network > GlobalProtect > Portals and add the following configuration:
1. Set Up Access to the GlobalProtect Portal using the following settings:
   Interface: ethernet1/2
   IP Address: 203.0.113.1
   Server Certificate: [Link] issued by GoDaddy
   Authentication Profile: Corp-LDAP
2. Define the GlobalProtect Agent Configurations using the following settings:
   Connect Method: On-demand (Manual user initiated connection)
   External Gateway Address: [Link]

Step 8. Deploy the GlobalProtect Agent Software.
Select Device > GlobalProtect Client. In this example, use the procedure to Host Agent Updates on the Portal.

Step 9. (Optional) Enable use of the GlobalProtect mobile app.
Purchase and install a GlobalProtect Gateway subscription (Device > Licenses) to enable use of the app.

Step 10. Save the GlobalProtect configuration.
Click Commit.

Remote Access VPN (Certificate Profile)

With certificate authentication, the client must present a valid client certificate that identifies the user to the portal or gateway. In addition, the portal or gateway can use a certificate profile to determine whether the client that sent the certificate is the client to which the certificate was issued.
When a client certificate is the only means of authentication, the certificate that the client presents must contain the username in one of the certificate fields; typically the username corresponds to the common name (CN) in the Subject field of the certificate.
Upon successful authentication, the GlobalProtect agent establishes a VPN tunnel with the gateway and is assigned an IP address from the gateway's IP pool. To support policy enforcement on sessions from the corp-vpn zone, the username from the certificate is mapped to the IP address assigned to the client. In addition, if a security policy requires a domain name in addition to username, the specified domain value in the certificate profile is appended to the username.

Figure: GlobalProtect Client Certificate Authentication Configuration

This quick configuration uses the same topology as Figure: GlobalProtect VPN for Remote Access. The only configuration difference is that instead of authenticating users against an external authentication server, this configuration uses client certificate authentication only.

Quick Config: VPN Remote Access with Client Certificate Authentication

Step 1. Create Interfaces and Zones for GlobalProtect.
Note: Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.
- Select Network > Interfaces > Ethernet and configure ethernet1/2 as a Layer 3 Ethernet interface with IP address 203.0.113.1 and assign it to the l3-untrust security zone and the default virtual router.
- Create a DNS A record that maps IP address 203.0.113.1 to [Link].
- Select Network > Interfaces > Tunnel and add the tunnel.2 interface to a new zone called corp-vpn, and attach the interface to the default virtual router.
- Enable User Identification on the corp-vpn zone.

Step 2. Create security policy to enable traffic flow between the corp-vpn zone and the l3-trust zone to enable access to your internal resources.
1. Select Policies > Security and then Add a new rule.
2. For this example, you would define the rule with the following settings:
   Name: VPN Access
   Source Zone: corp-vpn
   Destination Zone: l3-trust

Step 3. Obtain a server certificate for the interface hosting the GlobalProtect portal and gateway using one of the following methods:
- (Recommended) Import a server certificate from a well-known, third-party CA.
- Use the root CA on the portal to generate a self-signed server certificate.
Select Device > Certificate Management > Certificates to manage certificates as follows:
- Because the portal and gateway are on the same interface, the same server certificate can be used for both components.
- The CN of the certificate must match the FQDN, [Link].
- To enable clients to connect to the portal without receiving certificate errors, use a server certificate from a public CA.

Step 4. Issue client certificates to GlobalProtect clients. This enables the GlobalProtect portal and gateways to validate that the device belongs to your organization.
1. Use your enterprise PKI or a public CA to issue a unique client certificate to each GlobalProtect user.
2. Install certificates in the personal certificate store on the endpoints.

Step 5. Create a client certificate profile.
1. Select Device > Certificate Management > Certificate Profile, click Add and enter a profile Name such as GP-client-cert.
2. Select Subject from the Username Field drop-down.
3. Click Add in the CA Certificates section, select the CA Certificate that issued the client certificates, and click OK twice.

Step 6. Configure a GlobalProtect Gateway.
See the topology diagram shown in Figure: GlobalProtect VPN for Remote Access.
Select Network > GlobalProtect > Gateways and add the following configuration:
   Interface: ethernet1/2
   IP Address: 203.0.113.1
   Server Certificate: [Link] issued by GoDaddy
   Certificate Profile: GP-client-cert
   Tunnel Interface: tunnel.2
   IP Pool: 10.31.32.3 - [Link]

Step 7. Configure the GlobalProtect Portal.
Select Network > GlobalProtect > Portals and add the following configuration:
1. Set Up Access to the GlobalProtect Portal:
   Interface: ethernet1/2
   IP Address: 203.0.113.1
   Server Certificate: [Link] issued by GoDaddy
   Certificate Profile: GP-client-cert
2. Define the GlobalProtect Agent Configurations:
   Connect Method: On-demand (Manual user initiated connection)
   External Gateway Address: [Link]

Step 8. Deploy the GlobalProtect Agent Software.
Select Device > GlobalProtect Client. In this example, use the procedure to Host Agent Updates on the Portal.

Step 9. (Optional) Enable use of the GlobalProtect mobile app.
Purchase and install a GlobalProtect Gateway subscription (Device > Licenses) to enable use of the app.

Step 10. Save the GlobalProtect configuration.
Click Commit.

Remote Access VPN with Two-Factor Authentication

If you configure a GlobalProtect portal or gateway with an authentication profile and a certificate profile (which together can provide two-factor authentication), the end user must succeed at authentication through both before being granted access. For portals and gateways, this means that certificates must be pre-deployed to the end clients before their initial connection. In addition, the client certificate presented by a client must match what is defined in the certificate profile.
If the certificate profile does not specify a username field (that is, the Username Field is set to None), the client certificate does not need to contain a username. In this case, the client must provide the username when authenticating against the authentication profile.
If the certificate profile specifies a username field, the certificate that the client presents must contain a username in that field. For example, if the certificate profile specifies that the username field is Subject, the certificate presented by the client must contain a value in the common name field, or authentication fails. In addition, when the username field is required, the value from the username field of the certificate is automatically populated as the username when the user attempts to authenticate against the authentication profile. If you do not want to force users to authenticate with a username from the certificate, do not specify a username field in the certificate profile.

ThisquickconfigurationusesthesametopologyasFigure:[Link],
inthisconfigurationtheclientsmustauthenticateagainstacertificateprofileandanauthenticationprofile.
Formoredetailsonaspecifictypeoftwofactorauthentication,seethefollowingtopics:
EnableTwoFactorAuthenticationUsingCertificateandAuthenticationProfiles
EnableTwoFactorAuthenticationUsingOneTimePasswords(OTPs)
EnableTwoFactorAuthenticationUsingSmartCards


Use the following procedure to configure VPN Remote Access with Two-Factor Authentication.

VPN Remote Access with Two-Factor Authentication

Step 1  Create Interfaces and Zones for GlobalProtect.
        Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.
    - Select Network > Interfaces > Ethernet and configure ethernet1/2 as a Layer 3 Ethernet interface with IP address 203.0.113.1 and assign it to the l3-untrust security zone and the default virtual router.
    - Create a DNS A record that maps IP address 203.0.113.1 to [Link].
    - Select Network > Interfaces > Tunnel and add the tunnel.2 [Link] the default virtual router.
    - Enable User Identification on the corp-vpn zone.

Step 2  Create security policy to enable traffic flow between the corp-vpn zone and the l3-trust zone to enable access to your internal resources.
    1. Select Policies > Security and then click Add to add a new rule.
    2. For this example, you would define the rule with the following settings:
       - Name: VPN Access
       - Source Zone: corp-vpn
       - Destination Zone: l3-trust

Step 3  Obtain a server certificate for the interface hosting the GlobalProtect portal and gateway using one of the following methods:
        - (Recommended) Import a server certificate from a well-known, third-party CA.
        - Use the root CA on the portal to generate a self-signed server certificate.
    Select Device > Certificate Management > Certificates to manage certificates as follows:
    - [Link] on the same interface, the same server certificate can be used for both components.
    - The CN of the certificate must match the FQDN, [Link].
    - To enable clients to connect to the portal without receiving certificate errors, use a server certificate from a public CA.

Step 4  Issue client certificates to GlobalProtect [Link] GlobalProtect portal and gateways to validate that the device belongs to your organization.
    1. Use your enterprise PKI or a public CA to issue a unique client certificate to each GlobalProtect user.
    2. Install certificates in the personal certificate store on the endpoints.


Step 5  Create a client certificate profile.
    1. Select Device > Certificate Management > Certificate Profile, Add and enter a profile Name such as GP-client-cert.
    2. Specify where to get the username that will be used to authenticate the end user:
       - From user: If you want the end user to supply a username when authenticating to the service specified in the authentication profile, select None as the Username Field.
       - From certificate: If you want to extract the username from the certificate, select Subject as the Username [Link] use this option, the CN contained in the certificate automatically populates the username field when the user is prompted to log in to the portal/gateway, and the user will be required to log in using that username.
    3. In the CA Certificates section, Add and then select the CA Certificate that issued the client certificates, and click OK twice.

Step 6  Create a server profile.
        The server profile instructs the firewall how to connect to the authentication [Link], RADIUS, Kerberos, and LDAP authentication methods are [Link] authentication profile for authenticating users against the Active Directory.
    Create the server profile for connecting to the LDAP server (Device > Server Profiles > LDAP).

Step 7  (Optional) Create an authentication profile.
    Attach the server profile to an authentication profile (Device > Authentication Profile).


Step 8  Configure a GlobalProtect Gateway.
        See the topology diagram shown in Figure: GlobalProtect VPN for Remote Access.
    Select Network > GlobalProtect > Gateways and add the following configuration:
    - Interface: ethernet1/2
    - IP Address: 203.0.113.1
    - Server Certificate: [Link] issued by GoDaddy
    - Certificate Profile: GP-client-cert
    - Authentication Profile: Corp-LDAP
    - Tunnel Interface: tunnel.2
    - IP Pool: 10.31.32.3 - [Link]

Step 9  Configure the GlobalProtect Portal.
    Select Network > GlobalProtect > Portals and add the following configuration:
    1. Set Up Access to the GlobalProtect Portal:
       - Interface: ethernet1/2
       - IP Address: 203.0.113.1
       - Server Certificate: [Link] issued by GoDaddy
       - Certificate Profile: GP-client-cert
       - Authentication Profile: Corp-LDAP
    2. Define the GlobalProtect Agent Configurations:
       - Connect Method: On-demand (Manual user initiated connection)
       - External Gateway: [Link]

Step 10  Deploy the GlobalProtect Agent Software.
    Select Device > GlobalProtect Client. In this example, use the procedure to Host Agent Updates on the Portal.

Step 11  (Optional) Deploy Agent Settings Transparently.
    As an alternative to deploying agent settings from the portal configuration, you can define settings directly from the Windows [Link] deploy include specifying the portal IP address or enabling GlobalProtect to initiate a VPN tunnel before a user logs in to the [Link] clients only, you can also configure settings using the MSIEXEC [Link], see Customizable Agent Settings.

Step 12  (Optional) Enable use of the GlobalProtect mobile app.
    Purchase and install a GlobalProtect Gateway subscription (Device > Licenses) to enable use of the app.

Step 13  Save the GlobalProtect configuration.
    Click Commit.


Always-On VPN Configuration

In an always-on GlobalProtect configuration, the agent connects to the GlobalProtect portal upon user [Link] establishes the VPN tunnel to the gateway specified in the client configuration delivered by the portal without end-user intervention, as shown in the following illustration.

To switch any of the previous remote access VPN configurations to an always-on configuration, you simply change the connect method:
- Remote Access VPN (Authentication Profile)
- Remote Access VPN (Certificate Profile)
- Remote Access VPN with Two-Factor Authentication

Use the following procedure to switch to an Always-On configuration.

Switch to an Always-On Configuration

Step 1  Select Network > GlobalProtect > Portals and select the portal configuration to open it.

Step 2  Select the Agent tab and then select the agent configuration you want to modify.

Step 3  Select the App tab.

Step 4  Select User-logon (Always On) as the Connect [Link].

Step 5  Click OK twice to save the agent configuration and the portal configuration and then Commit your changes.


Remote Access VPN with Pre-Logon

[Link] is to authenticate the endpoint (not the user) and then enable domain scripts and other tasks of your choice [Link] [Link] endpoint for the user.

[Link], to let the endpoint have access to resources in the trust zone, you must create security policies that match the [Link], such as DHCP, DNS, Active Directory (for example, to change an expired password), antivirus, or operating system update services.

After the gateway authenticates a Windows user, the VPN tunnel is reassigned to that user (the IP address mapping on the firewall changes from the pre-logon endpoint to the authenticated user).

[Link], the tunnel created for pre-logon is torn down and a new tunnel is created when the user logs in.

When a client requests a new connection, the portal authenticates the client by using an authentication [Link] (if the configuration includes a client certificate). In this case, the client certificate must identify the user. After authentication, [Link] for the agent has changed, it pushes an updated configuration to the endpoint.

If the configuration on the portal or a gateway includes cookie-based authentication for the client, the portal [Link], the portal or gateway uses the cookie [Link], if an agent configuration profile includes the pre-logon connect method in addition to cookie authentication, the GlobalProtect components can use the cookie for pre-logon.

If users never log in to a device (for example, a headless device) or a pre-logon connection is required on a system that a user has not previously logged in to, you can let the endpoint initiate a pre-logon tunnel without [Link], you must override the default behavior by creating entries in the Windows registry or Mac plist. The GlobalProtect endpoint will then connect to the portal specified in the configuration, authenticate the endpoint by using its machine certificate (as specified in a certificate profile configured on the gateway), and establish the VPN tunnel.

When the end user subsequently logs in to the machine and single sign-on (SSO) is enabled in the client configuration, the username and password are captured while the user logs in and used to authenticate to the gateway so that the tunnel can be renamed (Windows). If SSO is not enabled in the client configuration or if SSO is not supported on the client system (for example, it is a Mac OS system), the user's credentials must be stored in the agent (that is, the Save User Credentials option must be set to Yes). After successful authentication to the gateway, the tunnel will be renamed (Windows) or rebuilt (Mac) and user- and group-based policy can be enforced.


This example uses the GlobalProtect topology shown in Figure: GlobalProtect VPN for Remote Access.

Remote Access VPN with Pre-Logon

Step 1  Create Interfaces and Zones for GlobalProtect.
        Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.
    For this example, select Network > Interfaces > Ethernet and then:
    - Select ethernet1/2.
    - For its interface type, select Layer 3.
    - Assign interface to: default virtual router, default virtual system, and l3-untrust security zone.
    - Select IPv4 and Add.
    - Select the address 203.0.113.1 (or the object that maps [Link]) or add a New Address to create a new object and address mapping. (Leave the address type as Static.)
    - Create a DNS A record that maps IP address 203.0.113.1 to [Link].
    - Select Network > Interfaces > Tunnel.
    - [Link] to the default virtual router.
    - Enable User Identification on the corp-vpn zone.


Step 2  Create the security policy rules.
    This configuration requires the following policies (Policies > Security):
    1. Create a rule that enables the pre-logon user access to basic services that are required for the computer to come up, such as authentication services, DNS, DHCP, and Microsoft Updates.
    2. Create a rule to enable access between the corp-vpn zone and the l3-trust zone for any known user after the user successfully logs in.

Step 3  Use one of the following methods to obtain a server certificate for the interface that hosts the GlobalProtect portal and gateway:
        - (Recommended) Import a server certificate from a well-known, third-party CA.
        - Use the root CA on the portal to generate a self-signed server certificate.
    Select Device > Certificate Management > Certificates to manage certificates with the following criteria:
    - [Link] on the same interface, the same server certificate can be used for both components.
    - The CN of the certificate must match the FQDN, [Link].
    - To enable clients to connect to the portal without receiving certificate errors, use a server certificate from a public CA.

Step 4  Generate a machine certificate for each client system that will connect to GlobalProtect and import them into the personal certificate store on each machine.
        Although you could generate self-signed certificates for each client system, as a best practice, use your own public key infrastructure (PKI) to issue and distribute certificates to your clients.
    1. Issue client certificates to GlobalProtect clients and endpoints. This enables the GlobalProtect portal and gateways to validate that the device belongs to your organization.
    2. Install certificates in the personal certificate store on the endpoints (Local Computer store on Windows or System Keychain on Mac OS).
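Installing the machine certificate into the Local Computer personal store and checking that it is usable before a user is present (Step 4 above), as an added PowerShell example that is not from the guide: the PFX path, the password prompt and the expected issuer name are assumptions to replace with your own.

```powershell
# Added example, not from the Palo Alto Networks guide. Run from an elevated
# PowerShell session on a Windows 8 / Server 2012 or later endpoint (the PKI
# module that provides Import-PfxCertificate ships with those versions).
$PfxPath    = 'C:\Deploy\machine.pfx'        # assumption: PFX exported from your PKI
$PfxSecret  = Read-Host -AsSecureString 'PFX password'
$IssuerName = 'CN=Corp Machine Issuing CA'   # assumption: subject of the CA the gateway profile trusts

# Pre-logon runs before any user session exists, so the certificate must live in
# the Local Computer personal store (Cert:\LocalMachine\My), not a user store.
$Imported = Import-PfxCertificate -FilePath $PfxPath `
                                  -CertStoreLocation 'Cert:\LocalMachine\My' `
                                  -Password $PfxSecret

# A PFX may also carry chain certificates; the machine certificate is the one
# with the private key.
$Leaf = $Imported | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $Leaf) { throw 'No certificate with a private key was imported' }

# Read the certificate back from the store and check the properties the
# gateway's certificate profile will rely on.
$Cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object { $_.Thumbprint -eq $Leaf.Thumbprint }
if (-not $Cert) { throw 'Certificate not found in the Local Computer personal store' }
if ($Cert.Issuer -ne $IssuerName) {
    throw "Unexpected issuer '$($Cert.Issuer)'; the gateway trusts '$IssuerName'"
}
# Verify() builds the chain against this endpoint's trusted roots; it fails if
# the issuing CA's root has not been deployed to the machine.
if (-not $Cert.Verify()) { throw 'Certificate chain does not build to a trusted root' }
if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Machine certificate expires soon: $($Cert.NotAfter)"
}
Write-Output "Machine certificate $($Cert.Thumbprint) installed; valid until $($Cert.NotAfter)"
```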


Step 5  Import the trusted root CA certificate from the CA that issued the machine certificates onto the portal and gateway(s).
        You do not have to import the private key.
    1. Download the CA certificate in Base64 format.
    2. Import the certificate onto each firewall that hosts a portal or gateway, as follows:
       a. Select Device > Certificate Management > Certificates > Device Certificates and click Import.
       b. Enter a Certificate Name that identifies the certificate as your client CA certificate.
       c. Browse to the Certificate File you downloaded from the CA.
       d. Select Base64 Encoded Certificate (PEM) as the File Format and then click OK.
       e. Select the certificate you just imported on the Device Certificates tab to open it.
       f. Select Trusted Root CA and then click OK.

Step 6  On each firewall that hosts a GlobalProtect gateway, create a certificate profile to identify the CA certificate for validating the machine certificates.
        Optionally, if you plan to use client certificate authentication to authenticate users when they log in to the system, make sure that the CA certificate that issues the client certificates is referenced in the certificate profile in addition to the CA certificate that issued the machine certificates, if they are different.
    1. Select Device > Certificates > Certificate Management > Certificate Profile.
    2. Click Add and enter a Name to uniquely identify the profile, such as PreLogonCert.
    3. Set Username Field to None.
    4. (Optional) If you will also use client certificate authentication to authenticate users upon login, add the CA certificate that issued the client certificates if it is different from the one that issued the machine certificates.
    5. In the CA Certificates field, click Add, select the Trusted Root CA certificate you imported in Step 5 and then click OK.
    6. Click OK to save the profile.

Step 7  Configure a GlobalProtect Gateway.
        See the topology diagram shown in Figure: GlobalProtect VPN for Remote Access.
        Although you must create a certificate profile for pre-logon access to the gateway, you can use either client certificate authentication or authentication profile-based [Link] example, the same LDAP profile is used that is used to authenticate users to the portal.
    1. Select Network > GlobalProtect > Gateways and add the following configuration:
       - Interface: ethernet1/2
       - IP Address: 203.0.113.1
       - Server Certificate: [Link] issued by GoDaddy
       - Certificate Profile: PreLogonCert
       - Authentication Profile: Corp-LDAP
       - Tunnel Interface: tunnel.2
       - IP Pool: 10.31.32.3 - [Link]
    2. Commit the gateway configuration.


Step 8  Configure the GlobalProtect Portal.
        Configure Device details (networking parameters, the authentication service profile, and the certificate for the authentication server).
    Select Network > GlobalProtect > Portals and specify the following configuration:
    Set Up Access to the GlobalProtect Portal:
    - Interface: ethernet1/2
    - IP Address: 203.0.113.1
    - Server Certificate: [Link] issued by GoDaddy
    - Certificate Profile: None
    - Authentication Profile: Corp-LDAP

Step 9  Define the GlobalProtect Agent Configurations for pre-logon users and for logged-in users.
        Use a single agent configuration if you want pre-logon users to access the same gateways before and after they log in. Otherwise, to direct pre-logon users to different gateways before and after they log in, create two agent configuration [Link] User/User Group, select the pre-logon [Link], the portal first authenticates the endpoint, not the user, to set up a VPN (even though the pre-logon parameter is associated with users). Subsequently, the portal authenticates the user when he or she logs in. After the portal authenticates the user, it deploys the second agent configuration. In this case, User/User Group is any.
        As a best practice, enable SSO in the second agent configuration so that the correct username is immediately reported to the gateway when the user logs in to [Link], the saved username in the Agent settings panel is used.
    Select Agent and specify one of the following configurations:
    Use the same gateway before and after pre-logon users log in:
    - Use single sign-on: enabled
    - Connect Method: pre-logon
    - External Gateway: [Link]
    - User/User Group: any
    - Authentication Override: Cookie authentication for transparently authenticating users and for configuration refresh
    Use separate gateways for pre-logon users before and after they log in:
    First Agent Configuration:
    - Connect Method: pre-logon
    - External Gateway: [Link]
    - User/User Group: pre-logon
    - Authentication Override: Cookie authentication for transparently authenticating users and for configuration refresh
    Second Agent Configuration:
    - Use single sign-on: enabled
    - Connect Method: pre-logon
    - External Gateway: [Link]
    - User/User Group: any
    - Authentication Override: Cookie authentication for transparently authenticating users and for configuration refresh
    Make sure the pre-logon client configuration is first in the list of [Link], select it and click Move Up.

Step 10  Save the GlobalProtect configuration.
    Click Commit.


Step 11  (Optional) If users will never log in to a device (for example, a headless device) or a pre-logon connection is required on a system that a user has not previously logged in to, create the Prelogon registry entry on the client system.
        You must also pre-deploy additional agent settings such as the default portal IP address and connect method.
        For more information about registry settings, see Deploy Agent Settings Transparently.
    1. Locate the GlobalProtect settings in the registry:
       HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup
    2. Create a DWORD named Prelogon with a value of 1 in the Value [Link] enables GlobalProtect to initiate a VPN connection before the user logs in to the laptop.
    3. Create a String Value named Portal that specifies the IP address or hostname of the default portal for the GlobalProtect client.
    4. Create a String Value named connect-method with a value of [Link] GlobalProtect to initiate a VPN tunnel before a user logs in to the device and connects to the GlobalProtect portal.
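Pre-deploying the three registry values of Step 11 (the transparent agent-settings deployment the step refers to), as an added PowerShell example that is not from the guide: the portal hostname is a placeholder, and the connect-method value pre-logon is the one the agent configuration in Step 9 uses.

```powershell
# Added example, not from the Palo Alto Networks guide. Run from an elevated
# PowerShell session on the Windows endpoint, for example from a deployment
# script that runs before the first user logon.
$PortalHost = 'gp.example.com'   # placeholder: your portal FQDN or IP address

# Registry key named in Step 11 (HKLM: is the PowerShell drive for HKEY_LOCAL_MACHINE).
$KeyPath = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup'

# The agent installer normally creates the key; create it if it is missing.
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# Prelogon = 1 (DWORD): let the agent start the tunnel before a user logs in.
New-ItemProperty -Path $KeyPath -Name 'Prelogon' -PropertyType DWord -Value 1 -Force | Out-Null

# Portal (String): default portal the agent contacts when no user is present.
New-ItemProperty -Path $KeyPath -Name 'Portal' -PropertyType String -Value $PortalHost -Force | Out-Null

# connect-method (String): assumed to be 'pre-logon', matching the agent
# configuration in Step 9.
New-ItemProperty -Path $KeyPath -Name 'connect-method' -PropertyType String -Value 'pre-logon' -Force | Out-Null

# Read the values back so the deployment fails loudly if anything differs,
# instead of leaving an endpoint that silently never builds its pre-logon tunnel.
$Settings = Get-ItemProperty -Path $KeyPath
$Expected = @{ 'Prelogon' = 1; 'Portal' = $PortalHost; 'connect-method' = 'pre-logon' }
$Problems = foreach ($Name in $Expected.Keys) {
    if ($Settings.$Name -ne $Expected[$Name]) {
        "$Name is '$($Settings.$Name)', expected '$($Expected[$Name])'"
    }
}
if ($Problems) { throw ($Problems -join '; ') }
Write-Output "Pre-logon agent settings verified under $KeyPath"
```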


GlobalProtect Multiple Gateway Configuration

In Figure: GlobalProtect Multiple Gateway Topology, a second external gateway has been added to the [Link] [Link], when configuring the client configurations to be deployed by the portal you can decide whether to allow access to all gateways, or specify different gateways for different configurations.

Figure: GlobalProtect Multiple Gateway Topology

If a client configuration contains more than one gateway, the agent will attempt to connect to all gateways [Link] [Link] [Link] information, see Gateway Priority in a Multiple Gateway Configuration.


Quick Config: GlobalProtect Multiple Gateway Configuration

Step 1  Create Interfaces and Zones for GlobalProtect.
        In this configuration, you must set up interfaces on each firewall hosting a gateway.
        Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.
    On the firewall hosting the portal/gateway (gw1):
    - Select Network > Interfaces > Ethernet and configure ethernet1/2 as a Layer 3 Ethernet interface with IP address 198.51.100.42 and assign it to the l3-untrust security zone and the default virtual router.
    - Create a DNS A record that maps IP address 198.51.100.42 to [Link].
    - Select Network > Interfaces > Tunnel and add the tunnel.2 [Link] the default virtual router.
    - Enable User Identification on the corp-vpn zone.
    On the firewall hosting the second gateway (gw2):
    - Select Network > Interfaces > Ethernet and configure ethernet1/5 as a Layer 3 Ethernet interface with IP address 192.0.2.4 and assign it to the l3-untrust security zone and the default virtual router.
    - Create a DNS A record that maps IP address 192.0.2.4 to [Link].
    - Select Network > Interfaces > Tunnel and add the tunnel.1 [Link] the default virtual router.
    - Enable User Identification on the corp-vpn zone.

Step 2  Purchase and install a GlobalProtect gateway subscription on each gateway if you have users who will be using the GlobalProtect app on their mobile devices or if you plan to use HIP-enabled security policy.
    After you purchase the gateway subscription and receive your activation code, install the license on the firewall hosting the portal as follows:
    1. Select Device > Licenses.
    2. Select Activate feature using authorization code.
    3. When prompted, enter the Authorization Code and then click OK.
    4. Verify that the license was successfully activated.

Step 3  On each firewall hosting a GlobalProtect gateway, create security policy.
    This configuration requires policy rules to enable traffic flow between the corp-vpn zone and the l3-trust zone to enable access to your internal resources (Policies > Security).


Step 4  Obtain server certificates for the interfaces hosting your GlobalProtect portal and each of your GlobalProtect gateways using the following recommendations:
        - (On the firewall hosting the portal or portal/gateway) Import a server certificate from a well-known, third-party CA.
        - (On a firewall hosting only a gateway) Use the root CA on the portal to generate a self-signed server certificate.
    On each firewall hosting a portal/gateway or gateway, select Device > Certificate Management > Certificates to manage certificates as follows:
    - Obtain a server certificate for the portal/[Link] portal and the gateway are on the same interface you must use [Link] the FQDN, [Link] portal without receiving certificate errors, use a server certificate from a public CA.
    - Obtain a server certificate for the interface hosting gw2. Because this interface hosts a gateway only, you can use a [Link] FQDN, [Link].

Step 5  Define how you will authenticate users to the portal and the gateways.
    You can use any combination of certificate profiles and/or authentication profiles as necessary to ensure the security for your [Link] [Link] step-by-step instructions:
    - Set Up External Authentication (authentication profile)
    - Set Up Client Certificate Authentication (certificate profile)
    - Set Up Two-Factor Authentication (token- or OTP-based)
    You will then need to reference the certificate profile and/or authentication profiles you defined in the portal and gateway configurations you define.

Step 6  Configure the gateways.
    This example shows the configuration for gp1 and gp2 shown in Figure: GlobalProtect Multiple Gateway Topology. (See Configure a GlobalProtect Gateway for step-by-step instructions on creating the gateway configurations.)
    On the firewall hosting gp1, select Network > GlobalProtect > Gateways and configure the gateway settings as follows:
    - Interface: ethernet1/2
    - IP Address: 198.51.100.42
    - Server Certificate: [Link] issued by GoDaddy
    - Tunnel Interface: tunnel.2
    - IP Pool: 10.31.32.3 - [Link]
    On the firewall hosting gp2, select Network > GlobalProtect > Gateways and configure the gateway settings as follows:
    - Interface: ethernet1/2
    - IP Address: 192.0.2.4
    - Server Certificate: self-signed certificate, [Link]
    - Tunnel Interface: tunnel.1
    - IP Pool: 10.31.33.3 - [Link]


Step 7  Configure the GlobalProtect Portal.
    Select Network > GlobalProtect > Portals and add the following configuration:
    1. Set Up Access to the GlobalProtect Portal:
       - Interface: ethernet1/2
       - IP Address: 198.51.100.42
       - Server Certificate: [Link] issued by GoDaddy
    2. Define the GlobalProtect Agent Configurations:
       The number of client configurations you create depends on your specific access requirements, including whether you require user/group-based policy and/or HIP-enabled policy enforcement.

Step 8  Deploy the GlobalProtect Agent Software.
    Select Device > GlobalProtect Client. In this example, use the procedure to Host Agent Updates on the Portal.

Step 9  Save the GlobalProtect configuration.
    Click Commit on the firewall hosting the portal and the gateway(s).


GlobalProtect for Internal HIP Checking and User-Based Access

When used in conjunction with User-ID and/or HIP checks, an internal gateway can be used to provide a secure, accurate method of identifying and controlling traffic by user and/or device state, replacing other network access control (NAC) [Link] authenticated access to critical resources is required.

In a configuration with only internal gateways, all clients must be configured with user-logon; on-demand [Link], it is recommended that you configure all client configurations to use single sign-on (SSO). Additionally, because internal hosts do not need to establish a tunnel connection with the gateway, the IP address of the physical network adapter on the client system is used.

In this quick config, internal gateways are used to enforce group-based policies that allow users in the Engineering group access to the internal source control and bug databases and users in the Finance group [Link], HIP profiles configured on the gateway check each host to ensure compliance with internal maintenance requirements, such as whether the latest security patches and antivirus definitions are installed, whether disk encryption is enabled, or whether the required software is installed.

Figure: GlobalProtect Internal Gateway Configuration


Use the following procedure to quickly configure a GlobalProtect internal gateway.

Quick Config: GlobalProtect Internal Gateway Configuration

Step 1  Create Interfaces and Zones for GlobalProtect.
        In this configuration, you must set up interfaces on each firewall hosting a portal and/[Link] configuration uses internal gateways only, you must configure the portal and gateways on interfaces on the internal network.
        Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.
    On each firewall hosting a portal/gateway:
    1. Select an Ethernet port to host the portal/gateway and then configure a Layer 3 interface with an IP address in the l3-trust security zone (Network > Interfaces > Ethernet).
    2. Enable User Identification on the l3-trust zone.

Step 2  Purchase and install a gateway subscription for each firewall hosting an internal gateway if you have users who will be using the GlobalProtect app on their mobile devices or if you plan to use HIP-enabled security policy.
    After you purchase the gateway subscriptions and receive your activation code, install the gateway subscriptions on the firewalls hosting your gateways as follows:
    1. Select Device > Licenses.
    2. Select Activate feature using authorization code.
    3. When prompted, enter the Authorization Code and then click OK.
    4. Verify that the license was successfully activated.
    Contact your Palo Alto Networks Sales Engineer or Reseller if you [Link] licensing, see About GlobalProtect Licenses.

Step 3  Obtain server certificates for the GlobalProtect portal and each GlobalProtect gateway.
        In order to connect to the portal for the first time, the end clients must trust the root CA certificate used to issue the [Link] use a self-signed certificate on the portal and deploy the root CA certificate to the end clients before the first portal connection, or obtain a server certificate for the portal from a trusted CA.
        You can use self-signed certificates on the gateways.
    The recommended workflow is as follows:
    1. On the firewall hosting the portal:
       a. Import a server certificate from a well-known, third-party CA.
       b. Create the root CA certificate for issuing self-signed certificates for the GlobalProtect components.
       c. Use the root CA on the portal to generate a self-signed [Link].
    2. On each firewall hosting an internal gateway:
       a. Deploy the self-signed server certificates.


Step 4  Define how you will authenticate users to the portal and the gateways.
    You can use any combination of certificate profiles and/or authentication profiles as necessary to ensure the security for your [Link] [Link] step-by-step instructions:
    - Set Up External Authentication (authentication profile)
    - Set Up Client Certificate Authentication (certificate profile)
    - Set Up Two-Factor Authentication (token- or OTP-based)
    You will then need to reference the certificate profile and/or authentication profiles you defined in the portal and gateway configurations you define.

Step 5  Create the HIP profiles you will need to enforce security policy on gateway access.
        See Use Host Information in Policy Enforcement for more information on HIP matching.
    1. Create the HIP objects to filter the raw host data collected by [Link], if you are interested in preventing users that are not up to date with required patches, you might create a HIP object to match on whether the patch management software is installed and that all patches with a given severity are up to date.
    2. Create the HIP profiles that you plan to use in your policies. For example, if you want to ensure that only Windows users with up-to-date patches can access your internal applications, you might attach the following HIP profile that will match hosts that do NOT have a missing patch:


Step 6  Configure the internal gateways.
    Select Network > GlobalProtect > Gateways and add the following settings:
    - Interface
    - IP Address
    - Server Certificate
    - Authentication Profile and/or Configuration Profile
    Notice that it is not necessary to configure the client configuration settings in the gateway configurations (unless you want to set up HIP notifications) [Link] Configure a GlobalProtect Gateway for step-by-step instructions on creating the gateway configurations.

Step 7  Configure the GlobalProtect Portal.
        Although all of the previous configurations could use a Connect Method of User-logon (Always On) or On-demand (Manual user initiated connection), an internal gateway configuration must always be on and therefore requires a Connect Method of User-logon (Always On).
    Select Network > GlobalProtect > Portals and add the following configuration:
    1. Set Up Access to the GlobalProtect Portal:
       - Interface: ethernet1/2
       - IP Address: 10.31.34.13
       - Server Certificate: [Link] issued by GoDaddy with CN=[Link]
    2. Define the GlobalProtect Client Authentication Configurations:
       - Use single sign-on: enabled
       - Connect Method: User-logon (Always On)
       - Internal Gateway: [Link], [Link]
       - User/User Group: any
    3. Commit the portal configuration.

Step 8  Deploy the GlobalProtect Agent Software.
    Select Device > GlobalProtect Client. In this example, use the procedure to Host Agent Updates on the Portal.

Step 9  Create the HIP-enabled and/or user/group-based security rules on your gateway(s).
    Add the following security rules for this example:
    1. Select Policies > Security and click Add.
    2. On the Source tab, set the Source Zone to l3-trust.
    3. On the User tab, add the HIP profile and user/group to match.
       - Click Add in the HIP Profiles section and select the HIP profile MissingPatch.
       - Click Add in the Source User section and select the group (Finance or Engineering depending on which rule you are creating).
    4. Click OK to save the rule.
    5. Commit the gateway configuration.


Mixed Internal and External Gateway Configuration

In a GlobalProtect mixed internal and external gateway configuration, you configure separate gateways for [Link], agents perform [Link] it is on the external network, it will attempt to connect to the external gateways listed in its client configuration and it will establish a VPN (tunnel) connection with the gateway with the highest priority and the shortest response time.

Because security policies are defined separately on each gateway, you have granular control over which [Link], you also have granular control over which gateways users have access to by configuring the portal to deploy different client configurations based on user/group membership or based on HIP profile matching.

In this example, the portals and all three gateways (one external and two internal) are deployed on separate [Link] while the internal gateways provide granular access to sensitive data center resources based on group [Link], HIP checks are used to ensure that hosts accessing the data center are up to date on security patches.

Figure: GlobalProtect Deployment with Internal and External Gateways


Use the following procedure to quickly configure a mix of internal and external GlobalProtect gateways.

Quick Config: GlobalProtect Mixed Internal & External Gateway Configuration

Step 1  Create Interfaces and Zones for GlobalProtect.
        In this configuration, you must set up interfaces on the firewall hosting a portal and each firewall hosting a gateway.
        Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.
    On the firewall hosting the portal gateway ([Link]):
    - Select Network > Interfaces > Ethernet and configure ethernet1/2 as a Layer 3 Ethernet interface with IP address 198.51.100.42 and assign it to the l3-untrust security zone and the default virtual router.
    - Create a DNS A record that maps IP address 198.51.100.42 to [Link].
    - Select Network > Interfaces > Tunnel and add the tunnel.2 [Link] the default virtual router.
    - Enable User Identification on the corp-vpn zone.
    On the firewall hosting the external gateway ([Link]):
    - Select Network > Interfaces > Ethernet and configure ethernet1/5 as a Layer 3 Ethernet interface with IP address 192.0.2.4 and assign it to the l3-untrust security zone and the default virtual router.
    - Create a DNS A record that maps IP address 192.0.2.4 to [Link].
    - Select Network > Interfaces > Tunnel and add the tunnel.3 [Link] the default virtual router.
    - Enable User Identification on the corp-vpn zone.
    On the firewall hosting the internal gateways ([Link] [Link]):
    - Select Network > Interfaces > Ethernet and configure Layer 3 Ethernet interfaces with IP addresses on the internal network and assign them to the l3-trust security zone and the default virtual router.
    - Create a DNS A record that maps the internal IP addresses [Link].
    - Enable User Identification on the l3-trust zone.

Step 2  Purchase and install a gateway subscription for each firewall hosting a gateway (internal and external) if you have users who will be using the GlobalProtect app on their mobile devices or if you plan to use HIP-enabled security policy.
    After you purchase the gateway subscriptions and receive your activation code, install the gateway subscriptions on the firewalls hosting your gateways as follows:
    1. Select Device > Licenses.
    2. Select Activate feature using authorization code.
    3. When prompted, enter the Authorization Code and then click OK.
    4. Verify that the license and subscriptions were successfully activated.
    Contact your Palo Alto Networks Sales Engineer or Reseller if you [Link] licensing, see About GlobalProtect Licenses.


Step 3  Obtain server certificates for the GlobalProtect portal and each GlobalProtect gateway.
In order to connect to the portal for the first time, the end clients must trust the root CA certificate used to issue the portal server certificate. You can use self-signed certificates on the gateways and deploy the root CA certificate to the agents in the client [Link] generate all of the certificates on the firewall hosting the portal and deploy them to the gateways.

The recommended workflow is as follows:
1. On the firewall hosting the portal:
   a. Import a server certificate from a well-known, third-party CA.
   b. Create the root CA certificate for issuing self-signed certificates for the GlobalProtect components.
   c. Use the root CA on the portal to generate a self-signed [Link].
2. On each firewall hosting an internal gateway: Deploy the self-signed server certificates.

Step 4  Define how you will authenticate users to the portal and the gateways.

You can use any combination of certificate profiles and/or authentication profiles as necessary to ensure the security for your [Link] [Link] step-by-step instructions:
- Set Up External Authentication (authentication profile)
- Set Up Client Certificate Authentication (certificate profile)
- Set Up Two-Factor Authentication (token or OTP based)
You will then need to reference the certificate profile and/or authentication profiles you defined in the portal and gateway configurations you define.


Step 5  Create the HIP profiles you will need to enforce security policy on gateway access.
See Use Host Information in Policy Enforcement for more information on HIP matching.

1. Create the HIP objects to filter the raw host data collected by [Link], if you are interested in preventing users that are not up to date with required patches, you might create a HIP object to match on whether the patch management software is installed and that all patches with a given severity are up to date.
2. Create the HIP profiles that you plan to use in your policies. For example, if you want to ensure that only Windows users with up-to-date patches can access your internal applications, you might attach the following HIP profile that will match hosts that do NOT have a missing patch:
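The following Python script is an added example, not code from this guide or from Palo Alto Networks, that models the three layers Step 5 and the rule in the preceding procedure describe: HIP objects as predicates over the raw host data, HIP profiles as boolean combinations of objects (including the NOT used to match hosts that do not have a missing patch), and gateway security rules that combine a source user group with a HIP profile. The host report fields, the severity scale, the object, profile and rule names, and the first-match evaluation order are all constructed for illustration; the firewall evaluates the HIP data it receives from the agent with its own logic.

```python
"""Toy evaluation of HIP objects, HIP profiles and HIP-based security rules.

Added example, not code from the GlobalProtect guide. Report fields, the
severity scale and all object/profile/rule names are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Assumed severity scale: higher number = more severe.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class HostReport:
    """Constructed stand-in for the raw host data an agent submits."""
    user: str
    groups: List[str]
    os: str
    patch_mgmt_installed: bool
    missing_patches: List[Dict[str, str]] = field(default_factory=list)


HipObject = Callable[[HostReport], bool]


def patch_compliant(min_severity: str) -> HipObject:
    """HIP object in the spirit of Step 5: patch management software is
    installed AND no patch at or above min_severity is missing."""
    threshold = SEVERITY[min_severity]

    def match(r: HostReport) -> bool:
        if not r.patch_mgmt_installed:
            return False
        return all(SEVERITY[p["severity"]] < threshold for p in r.missing_patches)

    return match


# Constructed HIP objects.
OBJECTS: Dict[str, HipObject] = {
    "PatchCompliant": patch_compliant("high"),
    "IsWindows": lambda r: r.os == "Windows",
}

# A HIP profile is a boolean expression over HIP objects:
# ("obj", name) | ("not", expr) | ("and", e1, e2, ...) | ("or", e1, e2, ...)
PROFILES = {
    # Matches hosts that DO have a missing high/critical patch (used to block).
    "MissingPatch": ("not", ("obj", "PatchCompliant")),
    # Matches Windows hosts that do NOT have a missing patch (used to allow).
    "PatchedWindows": ("and", ("obj", "IsWindows"), ("obj", "PatchCompliant")),
}


def evaluate_profile(expr: tuple, report: HostReport) -> bool:
    """Recursively evaluate a HIP profile expression against one report."""
    op = expr[0]
    if op == "obj":
        return OBJECTS[expr[1]](report)
    if op == "not":
        return not evaluate_profile(expr[1], report)
    if op == "and":
        return all(evaluate_profile(e, report) for e in expr[1:])
    if op == "or":
        return any(evaluate_profile(e, report) for e in expr[1:])
    raise ValueError(f"unknown operator {op!r}")


@dataclass
class Rule:
    name: str
    source_groups: List[str]     # ["any"] matches every user
    hip_profile: Optional[str]   # None = no HIP condition on this rule
    action: str


# Constructed rule base: first match wins, implicit deny at the end.
RULES = [
    Rule("block-unpatched", ["any"], "MissingPatch", "deny"),
    Rule("finance-datacenter", ["Finance"], "PatchedWindows", "allow"),
    Rule("engineering-datacenter", ["Engineering"], "PatchedWindows", "allow"),
]


def decide(report: HostReport) -> Tuple[Optional[str], str]:
    """Return (name of the first matching rule, action) for a host report."""
    for rule in RULES:
        if rule.source_groups != ["any"] and not set(rule.source_groups) & set(report.groups):
            continue
        if rule.hip_profile and not evaluate_profile(PROFILES[rule.hip_profile], report):
            continue
        return rule.name, rule.action
    return None, "deny"


if __name__ == "__main__":
    patched = HostReport("alice", ["Finance"], "Windows", True)
    unpatched = HostReport("bob", ["Finance"], "Windows", True,
                           [{"id": "patch-constructed-1", "severity": "critical"}])
    print(decide(patched))    # ('finance-datacenter', 'allow')
    print(decide(unpatched))  # ('block-unpatched', 'deny')
```

Note the ordering: the deny rule built on the MissingPatch profile sits first, so a Finance user on an unpatched host is blocked before the group-based allow rule is ever reached, and a host that does not report patch management software at all fails PatchCompliant and is likewise blocked.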

Step 6  Configure the internal gateways.

Select Network > GlobalProtect > Gateways and add the following settings:
- Interface
- IP Address
- Server Certificate
- Authentication Profile and/or Configuration Profile
Notice that it is not necessary to configure the client configuration settings in the gateway configurations (unless you want to set up HIP notifications) [Link] Configure a GlobalProtect Gateway for step-by-step instructions on creating the gateway configurations.


Step 7  Configure the GlobalProtect Portal.
Although this example shows how to create a single client configuration to be deployed to all agents, you could choose to create separate configurations for different uses and then deploy them based on user/group name and/or the operating system the agent/app is running on (Android, iOS, Mac, or Windows).

Select Network > GlobalProtect > Portals and add the following configuration:
1. Set Up Access to the GlobalProtect Portal:
   - Interface: ethernet1/2
   - IP Address: 10.31.34.13
   - Server [Link] issued by GoDaddy with CN=[Link]
2. Define the GlobalProtect Client Authentication Configurations:
   - Internal Host Detection: enabled
   - Use single sign-on: enabled
   - Connect Method: User-logon (Always On)
   - External Gateway: [Link]
   - Internal Gateways: [Link], [Link]
   - User/User Group: any
3. Commit the portal configuration.

Step 8  Deploy the GlobalProtect Agent Software.
Select Device > GlobalProtect Client. In this example, use the procedure to Host Agent Updates on the Portal.

Step 9  Create security policy rules on each gateway to safely enable access to applications for your VPN users.
- Create security policy (Policies > Security) to enable traffic flow between the corp-vpn zone and the l3-trust zone.
- Create HIP-enabled and user/group-based policy rules to enable granular access to your internal data center resources.
- For visibility, create rules that allow all of your users web-browsing access to the l3-untrust zone, using the default security profiles to protect you from known threats.

Step 10  Save the GlobalProtect configuration.
Click Commit on the portal and all gateways.



GlobalProtect Reference Architecture

This section outlines an example reference architecture for deploying GlobalProtect which secures internet traffic and provides secure access to corporate resources.
The reference architecture and guidelines described in this section provide a common deployment scenario. Before adopting this architecture, identify your corporate security, infrastructure manageability, and end-user experience requirements and deploy GlobalProtect based on those requirements.
Although the requirements may be different for each enterprise, you can leverage the common principles and design considerations outlined in this document along with best practice configuration guidelines to meet your enterprise security needs.
- GlobalProtect Reference Architecture Topology
- GlobalProtect Reference Architecture Features
- GlobalProtect Reference Architecture Configurations


GlobalProtect Reference Architecture Topology

- GlobalProtect Portal
- GlobalProtect Gateways

GlobalProtect Portal

In this topology, a PA-3020 in the colocation space functions as a GlobalProtect portal.
Employees and contractors can authenticate to the portal using two-factor authentication (2FA) consisting of Active Directory (AD) credentials and a one-time password (OTP). The portal deploys GlobalProtect client configurations based on user and group membership and operating system.
By configuring a separate portal client configuration that applies to a small group or set of pilot users, you [Link] features such as the Enforce GlobalProtect or Simple Certificate Enrollment Protocol (SCEP) features which were made available with PAN-OS 7.1 and content updates that followed is enabled in the pilot configuration first and validated by those pilot users, before it is made available to other users.
[Link] the GlobalProtect gateways to which satellites can connect and establish a site-to-site tunnel.


GlobalProtect Gateways

The PA-3020 in the colocation space (mentioned previously) also doubles as a GlobalProtect gateway (the Santa Clara Gateway). 10 additional gateways are deployed in Amazon Web Services (AWS) and the [Link] deployed are based on the distribution of employees across the globe.

Santa Clara Gateway: Employees and contractors can authenticate to the Santa Clara Gateway (PA-3020 in the colocation space) [Link] [Link], it is configured [Link], users do not connect to this gateway automatically and must [Link], when users connect to AWS Norcal, which is not a manual-only gateway, [Link] manually switch to and authenticate with the Santa Clara Gateway to access these resources.
In addition, the Santa Clara Gateway is configured as a Large Scale VPN (LSVPN) tunnel termination point [Link] to set up an Internet Protocol Security (IPSec) [Link] the tunnel that provides access to resources in the corporate headquarters.

Gateways in Amazon Web Services and Microsoft Azure: This gateway requires 2FA: a client certificate [Link] required to authenticate with these gateways using the GlobalProtect SCEP feature.
[Link] GlobalProtect portal, download the satellite configuration, and establish a site-to-site tunnel with the [Link], and subsequently authenticate using certificates.

Gateways Inside Corporate Headquarters: Within the corporate headquarters, three firewalls function [Link]. [Link] use GlobalProtect to identify the User-ID and to collect Host Information Profile (HIP) from the endpoints.
To make the end-user experience as seamless as possible, you can configure these internal gateways to authenticate users using certificates provisioned by SCEP or using Kerberos service tickets.


GlobalProtect Reference Architecture Features

- End User Experience
- Management and Logging
- Monitoring and High Availability

End User Experience

End users who are remote (not inside the corporate network) connect to one of the gateways in AWS or [Link], assign equal priority to the [Link], the gateway to which users connect depends on the SSL response time of each gateway measured on the endpoint during the tunnel setup time.
For example, [Link] connected to AWS Sydney, GlobalProtect client tunnels all traffic from the endpoint to the AWS Sydney [Link] Gateway and tunnels traffic to corporate resources through a site-to-site tunnel between the AWS Sydney Gateway and the Santa Clara Gateway, and then through an IPSec site-to-site tunnel to the corporate [Link] [Link] (or any gateway closer to Sydney) was unreachable, the GlobalProtect client would backhaul the internet traffic to the firewall in the corporate headquarters and cause latency issues.
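The following Python script is an added example, not code from this guide or from Palo Alto Networks, that models the gateway-selection behaviour described both here and in the mixed internal/external gateway quick config: on the external network the agent picks the external gateway with the highest priority and, among equal priorities, the shortest measured response time, skipping gateways that did not respond and gateways configured as manual-only (such as the Santa Clara Gateway above); on the internal network it connects to the internal gateways without a tunnel. The gateway names, the priority scale (assumed here: 1 is the highest priority) and the response-time measurements are constructed; the real agent measures SSL response time itself and applies its own logic.

```python
"""Model of how an agent picks a gateway from its portal client configuration.

Added example, not code from the GlobalProtect guide. Names, the priority
scale (1 = highest) and all timings are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Gateway:
    fqdn: str
    priority: int = 1          # assumed scale: lower number = higher priority
    manual_only: bool = False  # never chosen automatically


def select_external_gateway(gateways: List[Gateway],
                            response_ms: Dict[str, float]) -> Optional[str]:
    """Pick the gateway to tunnel to: highest priority first, then shortest
    measured response time. A gateway absent from response_ms did not answer
    and is treated as unreachable; manual-only gateways are excluded."""
    candidates = [g for g in gateways
                  if not g.manual_only and g.fqdn in response_ms]
    if not candidates:
        return None
    best = min(candidates, key=lambda g: (g.priority, response_ms[g.fqdn]))
    return best.fqdn


def choose_connection(on_internal_network: bool,
                      internal: List[Gateway],
                      external: List[Gateway],
                      response_ms: Dict[str, float]) -> dict:
    """Internal host detection decides the mode: on the internal network the
    agent connects to the internal gateways (no tunnel) so they can learn the
    User-ID and collect HIP; otherwise it tunnels to one external gateway."""
    if on_internal_network:
        return {"mode": "internal", "gateways": [g.fqdn for g in internal]}
    gw = select_external_gateway(external, response_ms)
    return {"mode": "tunnel", "gateways": [gw] if gw else []}


# Constructed gateway lists loosely modelled on the reference architecture.
EXTERNAL = [
    Gateway("gw-sydney.example.test"),
    Gateway("gw-norcal.example.test"),
    Gateway("gw-santaclara.example.test", manual_only=True),
]
INTERNAL = [
    Gateway("gw-internal1.example.test"),
    Gateway("gw-internal2.example.test"),
]

if __name__ == "__main__":
    # Constructed measurements as seen from an endpoint in Sydney.
    timings = {"gw-sydney.example.test": 35.0,
               "gw-norcal.example.test": 180.0,
               "gw-santaclara.example.test": 175.0}
    print(choose_connection(False, INTERNAL, EXTERNAL, timings))
    print(choose_connection(True, INTERNAL, EXTERNAL, timings))
```

With equal priorities the closest responding gateway wins, which is the behaviour the paragraph relies on; giving one gateway a better priority value overrides response time, which is how you would pin users to a particular gateway regardless of latency. A gateway that never answers simply drops out of the candidate list, so an unreachable Sydney gateway leads to the next-fastest automatic gateway rather than to a manual-only one.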
[Link], the GlobalProtect client sends authentication requests through the site-to-site tunnel in AWS/Azure to the [Link] Active Directory Server in corporate headquarters.

To reduce the time it takes for remote user authentication and tunnel setup, consider replicating the Active Directory Server and making it available in AWS.

End users inside the corporate network authenticate to the three internal gateways immediately after they log in; [Link] office on the corporate network, they must meet the User-ID and HIP requirements to access any resource at work.

Management and Logging

In this deployment, you can manage and configure all firewalls from Panorama, which is deployed in the colocation space.
To provide consistent security, all firewalls in AWS and Azure use the same security policies and [Link], Panorama also uses one device group and one [Link], [Link] network traffic or troubleshoot issues from a central location instead of requiring you to log in to each firewall.


When software updates are required, you can use Panorama to deploy the software updates to all firewalls. Panorama first upgrades one or two firewalls and verifies whether the upgrade was successful before updating the remaining firewalls.

Monitoring and High Availability

To monitor the firewalls in this deployment, you can use Nagios, an open-source server, network, and log [Link] [Link] GlobalProtect Simple Network Management Protocol (SNMP) Management Information Base (MIB) objects to monitor gateway usage.
[Link], new users (who have never connected to the portal before) will not be able to connect to GlobalProtect. However, existing users can use the cached portal client configuration to connect to one of the gateways.
Multiple virtual machine (VM) firewalls in AWS configured as GlobalProtect gateways provide gateway [Link], configuring gateways as a high availability (HA) pair is not required.


GlobalProtect Reference Architecture Configurations

To align your deployment with the reference architecture, review the following configuration checklists.
- Gateway Configuration
- Portal Configuration
- Policy Configurations

Gateway Configuration

- [Link], ensure there are no Access Routes specified in Agent > Client Settings > [Link].
- Enable No direct access to local network in Agent > Client Settings > Split [Link] GlobalProtect Gateway.
- Enable the gateway to Accept cookie for authentication [Link].

Portal Configuration

- Configure the Connect Method as Always-on (User logon). See Customize the GlobalProtect Agent.
- Set Use Single Sign-On (Windows only) [Link].
- Configure the portal to Save User Credentials (set the value to Yes). See Define the GlobalProtect Agent Configurations.
- Enable the portal to Accept cookie for authentication [Link] Configurations.
- Configure the Cookie [Link].
- Enforce [Link].
- Configure Internal Host [Link].
- Enable the Collect HIP [Link] Configurations.
- [Link] GlobalProtect Agent Configurations.
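The following Python script is an added example, not code from this guide, from Palo Alto Networks or from the PAN-OS API, that turns the gateway and portal checklists above into an audit you can run against an exported configuration. The nested dictionaries are a constructed, simplified representation keyed by the GUI labels the checklists use; they are not the PAN-OS configuration schema, so a real deployment would first map the exported configuration onto these keys. The weak settings in the sample (a split-tunnel access route, local network access left open, cookie authentication off) are constructed for illustration.

```python
"""Checklist audit of GlobalProtect gateway and portal agent settings.

Added example, not code from the GlobalProtect guide or the PAN-OS API. The
dict layout is a constructed simplification keyed by GUI labels.
"""
from typing import Any, Callable, Dict, List, Tuple

# (dotted path into the config dict, predicate that must hold, finding text)
Check = Tuple[str, Callable[[Any], bool], str]

GATEWAY_CHECKS: List[Check] = [
    ("agent.client_settings.access_routes", lambda v: v == [],
     "Access Routes must be empty so that all endpoint traffic is tunneled"),
    ("agent.client_settings.no_direct_access_to_local_network", lambda v: v is True,
     "No direct access to local network must be enabled"),
    ("accept_cookie_for_authentication", lambda v: v is True,
     "Accept cookie for authentication must be enabled"),
]

PORTAL_CHECKS: List[Check] = [
    ("agent.connect_method", lambda v: v == "user-logon",
     "Connect Method must be Always-on (User logon)"),
    ("agent.use_single_sign_on", lambda v: v is True,
     "Use Single Sign-On must be enabled (Windows)"),
    ("agent.save_user_credentials", lambda v: v == "yes",
     "Save User Credentials must be set to Yes"),
    ("agent.accept_cookie_for_authentication", lambda v: v is True,
     "Accept cookie for authentication must be enabled"),
    ("agent.enforce_globalprotect", lambda v: v is True,
     "Enforce GlobalProtect must be enabled"),
    ("agent.internal_host_detection", lambda v: bool(v),
     "Internal Host Detection must be configured"),
    ("agent.collect_hip_data", lambda v: v is True,
     "Collect HIP Data must be enabled"),
]


def lookup(cfg: Dict[str, Any], path: str) -> Any:
    """Walk a dotted path; a missing key yields None so the check fails."""
    node: Any = cfg
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def audit(cfg: Dict[str, Any], checks: List[Check]) -> List[str]:
    """Return one 'path: finding' string per failed check (empty = compliant)."""
    return [f"{path}: {msg}" for path, pred, msg in checks if not pred(lookup(cfg, path))]


# Constructed gateway configurations: one that drifts, one that matches the checklist.
WEAK_GATEWAY = {
    "agent": {"client_settings": {"access_routes": ["10.0.0.0/8"],
                                  "no_direct_access_to_local_network": False}},
    "accept_cookie_for_authentication": False,
}
HARDENED_GATEWAY = {
    "agent": {"client_settings": {"access_routes": [],
                                  "no_direct_access_to_local_network": True}},
    "accept_cookie_for_authentication": True,
}

# Constructed portal agent configurations.
WEAK_PORTAL = {"agent": {"connect_method": "on-demand",
                         "save_user_credentials": "no",
                         "collect_hip_data": True}}
HARDENED_PORTAL = {"agent": {
    "connect_method": "user-logon",
    "use_single_sign_on": True,
    "save_user_credentials": "yes",
    "accept_cookie_for_authentication": True,
    "enforce_globalprotect": True,
    "internal_host_detection": {"ip": "10.0.0.1", "hostname": "ihd.example.test"},
    "collect_hip_data": True,
}}

if __name__ == "__main__":
    for name, cfg, checks in [("weak gateway", WEAK_GATEWAY, GATEWAY_CHECKS),
                              ("hardened gateway", HARDENED_GATEWAY, GATEWAY_CHECKS),
                              ("weak portal", WEAK_PORTAL, PORTAL_CHECKS),
                              ("hardened portal", HARDENED_PORTAL, PORTAL_CHECKS)]:
        findings = audit(cfg, checks)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Because missing keys resolve to None, a setting that was never configured counts as a failed check rather than silently passing; that matters for items like Enforce GlobalProtect and Internal Host Detection, which are off until someone turns them on.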

Policy Configurations

- Configure all firewalls to use security policies and profiles based on the Best Practice Internet Gateway [Link], this includes the Santa Clara Gateway in the colocation space and gateways in the AWS/Azure public cloud.
- Enable SSL Decryption on all gateways in AWS and Azure.
- Configure Policy Based Forwarding rules for all gateways in AWS to forward traffic to certain websites [Link] that block traffic from AWS IP address ranges are still accessible when users connect to gateways in AWS.
