Palo Alto Networks: Guide to configure GlobalProtect SSL VPN for users from outside the internet to access the internal network

1. The purpose of the article

In this article, techbast shows how to configure the GlobalProtect SSL VPN feature on a Palo Alto firewall so that users outside the network can reach the internal LAN.

2. Diagram

Details:

  • The Palo Alto firewall is connected to the internet through port ethernet1/1 with a WAN IP of 113.161.x.x.
  • The Palo Alto device's LAN, configured on port ethernet1/2, assigns addresses from the 10.146.41.0/24 subnet using DHCP.
  • A computer on the internet (outside the LAN) will perform the GlobalProtect SSL VPN connection.

3. Scenario

We will configure GlobalProtect SSL VPN on the Palo Alto device. Once configured, a client that connects receives an IP address from the 10.146.41.0/24 subnet and gains access to the resources on the LAN.

4. What to do

  • Create certificate.
  • Create SSL/TLS Service Profile.
  • Create users.
  • Create Authentication Profile
  • Create tunnel port.
  • Create GlobalProtect Gateways.
  • Create GlobalProtect Portal.
  • Update and download GlobalProtect software for the Palo Alto device.
  • Install GlobalProtect and perform VPN connection.

5. Configuration

5.1 Create Certificate

In this article we configure GlobalProtect for external users, so we need two certificates: a certificate authority (GlobalProtect) and an external-gateway certificate signed by it, which the portal and the internet-facing gateway present to clients.

To create certificate go to Device > Certificate Management > Certificates.

Click Generate and create the portal certificate with the following information:

  • Certificate Name: GlobalProtect
  • Common Name: GlobalProtect
  • Check box Certificate Authority.
  • Click Generate.

After creating the GlobalProtect certificate, click Generate to generate the external-gateway certificate.

We will create the following information:

  • Certificate Name: external-gw-portal
  • Common Name: 113.161.x.x (the WAN IP)
  • Signed by: select GlobalProtect certificate just created.
  • Click Generate.

Click Commit and OK to save the configuration changes.

5.2. Create SSL/TLS Service Profile

To create go to Device > Certificate Management > SSL/TLS Service Profile.

Click Add to create an SSL/TLS Service Profile with the following parameters:

  • Name: external-gw-portal.
  • Certificate: select external-gw-portal certificate just created.
  • Min Version: select TLSv1.0.
  • Max Version: select Max.
  • Click OK.

Click Commit and OK to save the configuration changes.

5.3. Create users

In this section we create the account used to log in to GlobalProtect.

To create user go to Device > Local User Database > Users.

Click Add and create a user with the following information:

  • Name: testvpn.
  • Mode: Password.
  • Password: 123456a@
  • Confirm Password: 123456a@
  • Click OK.

Click Commit and OK to save configuration changes.

5.4. Create Authentication Profile

We need an Authentication Profile for local users so that the firewall can check whether the account used to log in is on the list of users allowed to use the VPN and, if it is, verify that the user supplied the correct username and password.

To create the Authentication Profile, go to Device > Authentication Profile, click Add and configure it with the following information.

Tab Authentication:

  • Name: Local.
  • Type: select Local Database.
  • Username Modifier: select %USERINPUT%

Tab Advanced:

  • In the Allow List table, click Add and select all.
  • Selecting all allows every local user to use the VPN; you can instead add only the specific users you want.
  • Click OK.

Click Commit and OK to save configuration changes.

5.5. Create tunnel port

We need a tunnel interface for the VPN connection. Go to Network > Interfaces > Tunnel.

Click Add and create with the following parameters:

  • Interface Name: tunnel.1.
  • Virtual Router: VR1 (needed so that a connected user can still reach the internet).
  • Security Zone: select Trust-Player3 (we put VPN users into the same zone as the LAN).
  • Click OK.

Click Commit and OK to save configuration changes.

5.6. Create GlobalProtect Gateways

To create Gateway go to Network > GlobalProtect > Gateways.

Click Add and create according to the following parameters:

Tab General:

  • Name: GlobalProtect_Gateways.
  • Interface: select ethernet1/1 (the WAN port).
  • IP Address Type: IPv4 Only.
  • IPv4 Address: None.

Tab Authentication:

  • SSL/TLS Service Profile: select external-gw-portal.
  • In the Client Authentication table, click Add and configure the following parameters.
  • Name: ex-gp-auth
  • OS: Any
  • Authentication Profile: select Local.
  • Click OK.

Tab Agent:

In the Tunnel Settings panel we configure the following:

  • Tunnel Mode: tick the check box.
  • Tunnel Interface: select tunnel.1.
  • Tick the Enable IPSec check box.

In the Client Settings panel we click Add and configure the following parameters:

  • Name: gp-client-config
  • In the IP Pools table, enter the range of IP addresses assigned to users when they connect to the VPN; here we enter 10.146.41.151-10.146.41.250.
  • Under Split Tunnel > Include, enter the LAN subnet 10.146.41.0/24 that users should be able to reach when connected to the VPN.
  • Click OK two times.

Click Commit and OK to save configuration changes.
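Before committing the gateway, it is worth checking that the IP pool and the split-tunnel include list from the Client Settings panel agree with each other and with the hosts that already exist on the LAN. The script below is an added example (it is not part of the original article and not a Palo Alto tool); it reproduces those checks with the standard-library ipaddress module, using the article's values (the pool 10.146.41.151-10.146.41.250, the include subnet 10.146.41.0/24, and the two hosts pinged at the end, 10.146.41.1 and 10.146.41.65). The function is general: it accepts any "start-end" pool, any list of include subnets and any set of reserved hosts.

```python
"""Sanity-check a GlobalProtect gateway address plan (Client Settings tab).

Added example, not part of the original article or a Palo Alto tool.
Checks that the IP pool is fully covered by the split-tunnel include list
and does not hand out addresses already used by fixed LAN hosts.
"""
import ipaddress

# Values taken from the article (section 5.6 and the final ping test).
IP_POOL = "10.146.41.151-10.146.41.250"
SPLIT_TUNNEL_INCLUDE = ["10.146.41.0/24"]
RESERVED_HOSTS = {
    "10.146.41.1": "LAN gateway (ethernet1/2)",
    "10.146.41.65": "internal server",
}


def parse_pool(pool):
    """Expand a 'start-end' IPv4 range, as written in the IP Pools table."""
    start_s, end_s = (p.strip() for p in pool.split("-"))
    start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
    if end < start:
        raise ValueError(f"pool end {end} precedes start {start}")
    return [ipaddress.ip_address(i) for i in range(int(start), int(end) + 1)]


def pool_size(pool):
    """Number of client addresses the pool can hand out."""
    return len(parse_pool(pool))


def check_plan(pool, includes, reserved):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    addresses = parse_pool(pool)
    networks = [ipaddress.ip_network(n, strict=False) for n in includes]

    # 1. Every pool address must be covered by at least one split-tunnel
    #    include entry, otherwise client-to-client and return traffic for
    #    that address is not sent through the tunnel.
    uncovered = [a for a in addresses if not any(a in n for n in networks)]
    if uncovered:
        problems.append(
            f"{len(uncovered)} pool address(es) outside the split-tunnel "
            f"include list, first: {uncovered[0]}"
        )

    # 2. The pool must not overlap fixed hosts on the LAN.
    for host, role in reserved.items():
        if ipaddress.ip_address(host) in addresses:
            problems.append(f"pool contains {host} ({role})")

    # 3. Network and broadcast addresses of any included subnet are unusable.
    for n in networks:
        for bad in (n.network_address, n.broadcast_address):
            if bad in addresses:
                problems.append(f"pool contains {bad} (network/broadcast of {n})")
    return problems


if __name__ == "__main__":
    issues = check_plan(IP_POOL, SPLIT_TUNNEL_INCLUDE, RESERVED_HOSTS)
    print(f"pool {IP_POOL}: {pool_size(IP_POOL)} addresses")
    print("OK" if not issues else "\n".join("PROBLEM: " + p for p in issues))
```

With the article's values the script reports 100 addresses and no problems. Changing the pool to a range that covers 10.146.41.65, or to a subnet that is not in the include list, produces a problem line naming the offending address, which is exactly the kind of mistake that otherwise only shows up after the commit as a client that connects but cannot reach the LAN.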

5.7. Create GlobalProtect Portal

To create GlobalProtect portal go to Network > GlobalProtect > Portals.

Click Add and configure the following parameters:

Tab General:

  • Name: gp-portal
  • Interface: ethernet1/1
  • IP Address Type: IPv4 Only

Tab Authentication:

  • SSL/TLS Service Profile: select external-gw-portal.

In the Client Authentication panel click Add and configure the following parameters:

  • Name: Local-Auth
  • OS: Any
  • Authentication Profile: Local
  • Click OK.

Tab Agent:

Click Add in the Agent panel and configure the following parameters:

  • In the Authentication table, enter portal-agent-config as the Name.
  • In the External panel, click Add and configure the following information.
  • Name: ext-gw-1
  • Address: check box IP
  • IPv4: 113.161.x.x
  • Click Add and choose Any for Source Region and Highest for Priority.
  • Click OK.

In the Trusted Root CA section, click Add and select GlobalProtect certificate and tick Install to Local Root Certificate Store.

Click OK.

Click Commit and OK to save configuration changes.

5.8. Update and download GlobalProtect software for the Palo Alto device

Next we need to download the GlobalProtect software to the Palo Alto device.

To download it, go to Device > GlobalProtect Client and click Check Now.

A list of versions appears; here we choose the latest version, 5.2.5.

After determining the version to download, click Download in the Action column.

After the download is complete, we click Activate in the Action column to enable the use of this version when the user accesses the VPN.

5.9. Install GlobalProtect and perform VPN connection

We will install the GlobalProtect software on the user's machine on the internet (outside the LAN) and establish the VPN connection.

First, browse to https://113.161.x.x to reach the GlobalProtect portal page and log in with the testvpn account we created.

After logging in, the page lists the GlobalProtect client packages for download; choose the one that matches the operating system in use.

After selecting and downloading it, run the installer as shown in the following image.

After the installation is complete we enter the WAN IP of the Palo Alto device 113.161.x.x and click Connect.

The Server Certificate Error dialog now appears, because the gateway certificate is signed by the GlobalProtect CA we created rather than by a CA the computer already trusts; it asks us to install the certificate on the computer.

To install, click Show Certificate.

Click Install.

Select Local Machine and click Next.

Click Next, Finish and OK to complete the installation.

After installing the Certificate, click OK at the Certificate panel and Continue at the Server Certificate Error panel to continue.

After installing the certificate, the GlobalProtect login panel appears; enter the testvpn account and password and click Sign In to connect.

Wait a few seconds for the connection.

And we have successfully connected the VPN to the Palo Alto device.

Techbast pings the LAN port (IP address 10.146.41.1) and a server with IP address 10.146.41.65 to check the result.

Both hosts reply once the VPN connection is established.
