Quick Start Guide Global Protect Ver2

Global Protect - Configuration Guide: Configuring Global Protect
Palo Alto Networks, 232 E. Java Dr., Sunnyvale, CA 94089, 408.738.7700, www.paloaltonetworks.com

2010 Palo Alto Networks Page 2

Revision history

November 2010 - First draft - Jerish Parapurath

January 11th 2011 - Second draft - updated screen shots, HIP objects, auth methods.


Table of Contents

Revision history ..... 2
Overview ..... 4
Global Protect elements ..... 4
Deployment topologies ..... 4
Configuration check list ..... 6
Configuration steps ..... 6
    Software requirements ..... 6
    User authentication ..... 6
        Local database ..... 7
        External server ..... 7
            RADIUS ..... 7
            Kerberos ..... 8
            LDAP ..... 8
        Authentication profile ..... 8
    Defining Host Information Profile and Objects ..... 10
        HIP objects ..... 10
        HIP profile ..... 12
Certificate requirements ..... 12
    Generating CA certificate ..... 13
    Generate Server certificate ..... 13
    Generate Client certificate ..... 14
    Create a Client Certificate Profile ..... 15
Creating Global protect gateway and profiles ..... 15
    Gateway configuration ..... 16
    Portal Configuration ..... 18
Security Policy Configuration ..... 21
Establishing connection ..... 21
Logging and reporting ..... 23
Useful Commands ..... 24


Overview

GlobalProtect provides security for client systems, such as laptops, that are used in the field, by allowing easy and secure login from anywhere in the world. With GlobalProtect, users are protected against threats even when they are not on the enterprise network, and application and content usage is controlled on the client system to prevent leakage of data.

Global Protect elements

There are three essential components that make up Global Protect:

- Global Protect Portal: A PAN-OS device that provides centralized control over the Global Protect system.
- Global Protect Gateway: One or more interfaces on one or more PAN-OS devices that provide security enforcement for traffic from the Global Protect Agent.
- Agent: Client software on the laptop that is configured to connect to the Global Protect deployment.

Deployment topologies

GlobalProtect can be deployed with a single firewall acting as both the gateway and the portal. For larger deployments, a single portal can support multiple gateways. In this case the agent will connect to the closest gateway.


Sequence of steps

1. The user makes an initial browser-based connection to the portal and authenticates.
2. Upon successful authentication, the user is prompted to download the agent software as an msi file. The msi files for both 32-bit and 64-bit OS are available.
3. The downloaded agent is installed and configured with the username and password and the IP address or FQDN of the portal to connect to.
4. At this point, the Agent will obtain the host information and find the closest Gateway to connect to.
5. If the closest Gateway is "internal", where the user is inside the network and the Gateway is the Internet firewall, then the Agent can connect to multiple Gateways, authenticate, update the HIP and have access through the Gateways, which may be using HIP-augmented policies.
6. If the closest Gateway is "external", where the user is outside the network, then the Agent will find the closest Gateway, authenticate, establish an SSL VPN tunnel, and then provide the HIP.
7. The Gateway provides notifications as configured back to the agent for user notification (the Agent allows manual resubmission of the HIP).
8. The Gateway enforces security policy based on user, application, content and the HIP submitted from the client.

After a successful authentication, the Portal will send the agent configuration and the client certificate to the agent. The agent configuration will contain the following:

1. The gateway list (both internal and external).
2. (Optional) The DNS name/IP mapping that the Global Protect client software uses to determine if the PC is inside or outside the office. This is used to determine if the agent must connect to an internal or an external gateway.
3. Trusted CAs that the client software should use to verify that the Gateways belong to the same company.
4. Host Information Data Collection Instructions that the client software should report, e.g. OS version, AV version, disk encryption version, specific registry key/value, etc. The client software is designed to be dumb, meaning it will simply report the raw data instead of saying whether it is up-to-date or not. That logic is reserved for each gateway to determine.
5. Base64 embedded client certificate that allows the agent to authenticate itself when connecting to Gateways.
6. Third-party VPN clients that should be allowed to run.
7. Agent user override policy.
8. Portal agent software version. This is to allow the agent software to determine if a different version is available.

Configuration check list

Before you start configuring Global Protect, make sure you have the following list of items handy:

- IP address of the authentication server
- IP address for the Portal
- IP address of the Gateway
- Access to a CA server to generate certificates. Note: This step is not required if you are using the PA firewall as the CA server.
- Licenses: a license for the Global Protect Portal and Gateway is required. If there are multiple gateways managed by the portal, a license for each gateway is required.

Configuration steps

Software requirements

Global Protect requires PAN-OS version 4.0. Download and activate the Global Protect client (Device > GlobalProtect Client). The latest Applications and Threats and Antivirus content is required. Configure a schedule for the GlobalProtect Data File.

User authentication

Identify the authentication method that you will be using to authenticate Global Protect users. PA devices support using the local database and external authentication servers for authenticating users.


Local database

Define a local user: Device > Local User Database > Users, and click Add to add a new user.

External server

Device > Server Profiles >

RADIUS


    Kerberos

    LDAP

    Authentication profile

The authentication profile refers to the authentication method configured earlier. The screen shots below show the authentication profiles for both local auth and RADIUS auth: Device > Authentication Profile.


If using an external database, choose the authentication method and the server profile. The screenshot shows the example of using a RADIUS server.

Group membership can be checked as well without requiring any AD agent to be deployed. In other words, Global Protect can be an alternative design for User-ID in case you'd prefer an agent on the systems, to complement user authentication with a HIP validation.

For LDAP, the user groups can be retrieved like this:

Device > User Identification >, and click Add in the LDAP server section.


Defining Host Information Profile and Objects

HIP objects

HIP objects refer to the reports the Global Protect gateway will generate based on the HIP report sent by the agent. The agent will send all information about all categories, and the gateway reports on the HIP objects that it is configured to match. In this example, we match the objects:

- Firewall and AV enabled
- Patch management

To create a HIP object: Objects > Global Protect > HIP Object.


From the Firewall tab select Firewall enabled; optionally you can also specify the vendor list. Similarly, from the AntiVirus tab select Antivirus enabled.

Similarly, a HIP object for patch management is created to check for any patch installed.

Once the HIP objects are configured, they are listed as shown in the screen shot.


HIP profile

A HIP Profile defines an evaluation of a set of collected HIP objects, combined with logic such that, when evaluated, the result will be either true or false. The HIP profile is then referred to in the security policy. From Objects > HIP Profiles > Add, to add a new profile: give the HIP profile a name and click on Add Match Criteria to add the HIP objects to the profile. The list of the available HIP objects will be displayed in a new pop-up window. The HIP profile can be configured to use the Boolean AND/OR/NOT operations to match all or any one of the HIP objects. Choose the operator from the top of the HIP objects screen and click on the + sign next to the object to add the object to the HIP profile.

Certificate requirements

The same CA must be used to create all the certificates used by the Portal and each gateway, and thus can be used to verify that the PC is not connecting to the wrong Gateways. In addition, the client certificate should also be created by the same CA so that the Gateways can verify that the PC belongs to the same company. Global Protect requires three types of certificates:

- CA certificate
- Server certificate
- Client certificate

The PAN-OS device itself can act as the CA server.


Generating CA certificate

Device > Certificates > Generate

Check the CA certificate box to make it a CA certificate.

Generate Server certificate

From the Signed By drop-down, select the CA certificate generated earlier.


    Generate Client certificate

From the Signed By drop-down, select the CA certificate generated earlier.


Create a Client Certificate Profile

Device > Client Certificate Profile. From the CA certificate drop-down, select the CA certificate generated earlier and click Add.

Creating Global protect gateway and profiles

The Global Protect portal provides the first point of user authentication. The Global Protect Portal is identified by an IP address on an active interface on the firewall. This interface can be a logical interface. A single PAN-OS device can function as both the portal and the gateway. This is accomplished by configuring two IP addresses on two different interfaces. In the figure below a single PAN-OS device is functioning as the portal and the gateway; loopback interfaces are used for this function.

Note: The interface used for the portal must have the HTTPS management service enabled. To see user names in the traffic log, enable user identification on the zone that binds the Global Protect gateway interface.


Portal: 192.168.50.57/32
Gateway: 192.168.50.58/32

Static NAT is configured on the upstream router to map the 192.168.50.57 and .58 IP addresses to public IP addresses.

Gateway configuration

Gateway configuration defines how the clients connect to and authenticate to Global Protect gateways. If the clients are connecting to the gateway over the Internet, tunnel mode must be enabled. This configuration will enable the clients to connect to the gateway either via an SSL VPN tunnel or an IPSec tunnel. The gateway in tunnel mode must be configured to assign IP address, DNS and WINS information to the client (similar to IPSec mode config).

Network > Global Protect

General tab: The IP address field is the address of the Global Protect gateway. Select the tunnel interface; this is required when the agent connects to external gateways. If Enable IPSec is selected, then the agent establishes an IPSec tunnel to the gateway. If the IPSec connection fails, the agent uses SSL to connect to the gateway.


Client configuration tab: When the clients connect to the external gateway using a tunnel, networking configuration will be pushed to the client. Specify the DNS, WINS and DNS suffix to be used by the client. Also specify the pool from which IP addresses will be assigned to the client.

Access routes: By default all traffic from the client will be sent to the gateway. Access routes allow you to define the networks that will be accessible by the client through the tunnel.

In the HIP notification tab, select the HIP profile that was configured in step xx. You can also specify the message to be displayed to the end user when the PC is in compliance as defined in the HIP object.


    Portal Configuration

Select the client and server certificates and the authentication profile used to authenticate users. The gateway address is the IP address of the interface configured for the portal.


Client configuration general tab:

On demand mode: With this setting the GlobalProtect agent will not automatically connect to the gateway. Instead, a menu item will be available for the user to click to manually connect to the gateway. In this mode, GlobalProtect will send the HIP report as well as establishing the tunnel with one gateway.

Single Sign On: The agent will use the Windows credentials of the user to authenticate to the Global Protect portal.

Gateway list: The Portal provides agents with a list of the IP addresses/FQDNs of gateways within the deployment. The gateways are separated into two categories: internal and external gateways. In each category, you can specify the list of gateways that the agent can connect to. In this example the real IP address of the gateway is 192.168.50.58, which is a private IP address. Since this IP address must be reachable from outside of the LAN, this IP address must be translated. In this example the IP address in the external gateway list is the post-NAT IP address, i.e. the public IP address that is translated to 192.168.50.58.

Root CA: Add the root CA that was used to sign the server and client certificates.


Advanced tab

Third party VPN clients: allows the administrator to specify the VPN traffic that will be exempt from being sent through the Global Protect gateway. If no virtual adapters are selected, all VPN traffic from the host will be routed via the Global Protect gateway.

Internal Host Detection: This is an optional configuration. It helps the agent determine whether the host is inside the network and connect to the internal gateway. The DNS name specifies a hostname that can be reached from the internal network, and the IP address is that host's IP address. The Agent will do a reverse lookup on the IP address and, if it receives the expected hostname as a response, it will attempt connecting to the gateways in the internal list. If no response is received, the agent will attempt to connect to the gateways in the external list. If no internal-host-detection configuration is provided, the agent tries the internal gateways first, followed by the external gateways.
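The internal host detection logic described above, modelled as an added Python example (this is not Palo Alto Networks code, and the configuration keys internal_host_detection, internal_gateways and external_gateways are names chosen for the example). The resolver is injectable so the decision can be exercised offline with a constructed PTR table; with no arguments it falls back to the operating system's real reverse lookup.

```python
"""Internal host detection and gateway-list selection, modelled in Python.

Added example, not Palo Alto Networks code. Behaviour follows the guide's
Advanced tab description: reverse-lookup the configured IP; if the answer
is the expected hostname, try the internal gateway list, otherwise the
external list; with no detection configured, try internal first, then
external. The configuration keys below are assumptions for this example.
"""
import socket
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]


def ptr_lookup(ip: str) -> Optional[str]:
    """Real reverse (PTR) lookup via the OS resolver; None on any failure."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def table_resolver(table: Dict[str, str]) -> Resolver:
    """Build an offline resolver from a constructed IP -> hostname table."""
    return lambda ip: table.get(ip)


def is_internal_host(expected_hostname: str, ip: str,
                     resolve: Resolver = ptr_lookup) -> bool:
    """True only if the reverse lookup of `ip` returns `expected_hostname`.

    DNS names are case-insensitive and some resolvers return the FQDN with
    a trailing dot, so both are normalised. No answer, or a different
    name, means "not internal".
    """
    answer = resolve(ip)
    if answer is None:
        return False
    return answer.rstrip(".").lower() == expected_hostname.rstrip(".").lower()


def gateway_candidates(portal_config: dict,
                       resolve: Resolver = ptr_lookup) -> List[str]:
    """Return the ordered list of gateways the agent should try."""
    internal = list(portal_config.get("internal_gateways", []))
    external = list(portal_config.get("external_gateways", []))
    detection = portal_config.get("internal_host_detection")
    if detection is None:
        # No detection configured: internal gateways first, then external.
        return internal + external
    if is_internal_host(detection["hostname"], detection["ip"], resolve):
        return internal
    return external


# Constructed sample agent configuration mirroring the guide's layout: the
# private gateway address on the internal list and a post-NAT public
# address on the external list (203.0.113.58 is a documentation address).
SAMPLE_CONFIG = {
    "internal_gateways": ["192.168.50.58"],
    "external_gateways": ["203.0.113.58"],
    "internal_host_detection": {"hostname": "intranet.example.local",
                                "ip": "10.0.0.10"},
}

if __name__ == "__main__":
    on_lan = table_resolver({"10.0.0.10": "intranet.example.local."})
    off_lan = table_resolver({})
    print("on LAN  ->", gateway_candidates(SAMPLE_CONFIG, on_lan))
    print("off LAN ->", gateway_candidates(SAMPLE_CONFIG, off_lan))
```

Note that this check only decides which list the agent tries first; it rests on a DNS answer that any network the laptop joins can supply. What actually establishes that the agent has reached the company's gateway is the certificate check against the trusted CAs the portal pushed in the agent configuration (item 3 of the configuration list above), which is why that CA list must be maintained regardless of whether internal host detection is configured.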


Agent UI: The user can disable the agent on the PC. The Agent User Override option allows the administrator to configure whether or not the agent can be disabled and, if it can be disabled, whether the user will need a passcode or a reason for disabling the agent.

Data Collection

The Global Protect agent will send a HIP report about all categories: Host Info, Anti Virus, anti-spyware, disk backup, disk encryption and firewall. Click on Add to exclude the agent from reporting on any category. Please note that if you have a HIP object configured to report on Anti Virus and you add antivirus to the exclude category, this will negate the purpose of configuring a HIP object to report on anti-virus. To enable custom checks, enter the values for registry keys/values and services in the Custom Checks tab. The max wait time is the amount of time the Global Protect agent waits to submit a HIP report to the gateway.

Security Policy Configuration

The value for the HIP profile column in a security rule is any, no-hip or one or more HIP profiles. any will match any host, regardless of whether a HIP was submitted or not. no-hip will match any host that has not submitted a HIP. If more than one HIP profile is defined in the rule, it is a match if any one of the HIP profiles matches.
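The HIP profile section and the security policy section above describe one pipeline: the agent reports raw facts, the gateway matches HIP objects against them, a HIP profile combines objects with AND/OR/NOT into true or false, and the rule's HIP column is matched as any, no-hip, or a list of profiles of which any one may match. The following added Python example models that pipeline end to end; it is not Palo Alto Networks code, and the report field names, object names, profile names and rule layout are assumptions constructed for the example.

```python
"""Raw HIP report -> HIP objects -> HIP profile -> security rule HIP column.

Added example, not Palo Alto Networks code. Field names, object and
profile names and the rule structure are assumptions for illustration.
"""
from typing import Callable, Dict, List, Optional, Union

HipReport = Dict[str, Dict[str, object]]
HipObject = Callable[[HipReport], bool]

# Constructed raw HIP report, as the agent would submit it (raw facts only;
# the agent makes no judgement about them).
SAMPLE_HIP_REPORT: HipReport = {
    "host-info": {"os": "Windows 7", "domain": "example.local"},
    "firewall": {"enabled": True, "vendor": "Microsoft"},
    "anti-virus": {"enabled": True, "vendor": "Example AV"},
    "patch-management": {"enabled": True, "missing-patches": 0},
    "disk-encryption": {"enabled": False},
}


def _enabled(report: HipReport, category: str) -> bool:
    return bool(report.get(category, {}).get("enabled", False))


def fw_and_av_enabled(report: HipReport) -> bool:
    """The guide's first HIP object: firewall enabled and antivirus enabled."""
    return _enabled(report, "firewall") and _enabled(report, "anti-virus")


def patch_management_ok(report: HipReport) -> bool:
    """The guide's second HIP object. Assumed criterion for this example:
    patch management enabled and no patches missing."""
    pm = report.get("patch-management", {})
    return bool(pm.get("enabled", False)) and pm.get("missing-patches", 1) == 0


def disk_encrypted(report: HipReport) -> bool:
    """Extra object so that NOT has something to act on."""
    return _enabled(report, "disk-encryption")


HIP_OBJECTS: Dict[str, HipObject] = {
    "fw-av-enabled": fw_and_av_enabled,
    "patched": patch_management_ok,
    "encrypted": disk_encrypted,
}

# A profile's match criteria is an expression tree: an object name,
# ("and", [...]), ("or", [...]) or ("not", expr).
Criteria = Union[str, tuple]

HIP_PROFILES: Dict[str, Criteria] = {
    "corp-compliant": ("and", ["fw-av-enabled", "patched"]),
    "minimal": ("or", ["fw-av-enabled", "encrypted"]),
    "unencrypted": ("not", "encrypted"),
}


def evaluate_profile(criteria: Criteria, report: HipReport) -> bool:
    """Evaluate a profile's criteria against a report; always True or False."""
    if isinstance(criteria, str):
        return HIP_OBJECTS[criteria](report)
    op, operand = criteria
    if op == "and":
        return all(evaluate_profile(c, report) for c in operand)
    if op == "or":
        return any(evaluate_profile(c, report) for c in operand)
    if op == "not":
        return not evaluate_profile(operand, report)
    raise ValueError(f"unknown operator {op!r}")


def rule_hip_matches(hip_value: Union[str, List[str]],
                     report: Optional[HipReport]) -> bool:
    """Match a rule's HIP column. `report` is None when no HIP was submitted."""
    if hip_value == "any":
        return True
    if hip_value == "no-hip":
        return report is None
    if report is None:
        return False  # a profile can only match a host that sent a HIP
    return any(evaluate_profile(HIP_PROFILES[name], report) for name in hip_value)


def first_matching_rule(rules: List[dict], report: Optional[HipReport]) -> Optional[str]:
    """Top-down rule walk, considering only the HIP column."""
    for rule in rules:
        if rule_hip_matches(rule["hip"], report):
            return rule["name"]
    return None


# Constructed rulebase: compliant hosts get the first rule, hosts that sent
# no HIP get a quarantine rule, everything else falls through to the last.
SAMPLE_RULES = [
    {"name": "allow-compliant", "hip": ["corp-compliant"]},
    {"name": "quarantine-no-hip", "hip": "no-hip"},
    {"name": "restricted", "hip": "any"},
]
```

Two points the model makes concrete. First, every judgement lives in the gateway side (the HIP object functions and the profile tree); the report itself is only facts, which is what the guide means by the agent being "dumb". Second, a category excluded under Data Collection simply never appears in the report, so an object that keys on it (here, `fw_and_av_enabled` reading `anti-virus`) can never be true and a profile requiring it can never match; that is the negation the Data Collection section warns about. A real rule also matches on user, application and content, which this walk leaves out.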

Establishing connection

Connection to the Global Protect portal is initiated from a browser using an SSL connection. To connect to the portal, browse to https:// followed by the address of the portal. Once authenticated, end users will have to download the agent software. The agent software is available for both 32-bit and 64-bit OS. Administrator privileges are required to install the agent for the first time; subsequent upgrades do not require administrator rights. After installing the agent, it must be configured to connect to the Global Protect portal. Provide the IP address/FQDN of the portal and the user credentials to connect to the portal.

Once successfully connected, you can verify the connection details under the Details tab of the agent.

The user will be required to authenticate to the portal via SSL only the first time connecting to the portal. Once the agent is downloaded and installed, all subsequent connections to any of the portals are done using the agent.


To view the categories for which the agent will send a HIP report, go to the Settings tab on the agent.

Logging and reporting

Logs can be viewed under the HIP Match section of the Monitor tab.

ACC provides reports for HIP objects and profiles.


System logs provide information about user activity.

Useful Commands

To view the users connected:

show global-protect-gateway current-user
show user ip-user-mapping type GP

To view the tunnels established:

show global-protect-gateway flow
show global-protect-gateway flow tunnel-id
