Palo Alto Networks: Instructions for configuring GlobalProtect SSL VPN using users synchronized from AD

1. The purpose of the article

In the previous article, techbast showed you how to configure GlobalProtect SSL VPN using a local user on the Palo Alto firewall.

In this article, techbast will show you how to configure GlobalProtect to use users synchronized from AD in the system.

2. Diagram

Details:

  • The Palo Alto firewall is connected to the internet through ethernet1/1 with the WAN IP 192.168.219.129.
  • The LAN of the Palo Alto device is on ethernet1/2, which allocates addresses from the network 10.145.41.0/24 using DHCP.
  • The LAN also contains an AD server with IP 10.145.41.10/24. On this server an OU named IT has been created; the IT OU contains a group named Support, and the Support group contains the users user1, user2 and user3.
  • A computer on the internet will make the GlobalProtect SSL VPN connection.

3. Scenario

We will configure GlobalProtect SSL VPN on the Palo Alto device. After configuration, we will connect with a user from AD; on connecting, the client receives an IP from the range 192.168.100.200-192.168.100.210 and gains access to resources in the LAN.

4. What to do

  • Create certificates.
  • Create SSL/TLS Service Profile.
  • AD sync.
  • Create Authentication Profile.
  • Create tunnel interface.
  • Create GlobalProtect Gateway.
  • Create GlobalProtect Portal.
  • Update and download GlobalProtect software to the Palo Alto device.
  • Install GlobalProtect and make a VPN connection.

5. Configuration

5.1 Create Certificate

In this article, we configure GlobalProtect for users connecting from outside, so we need two certificates: a CA certificate (GlobalProtect) and, signed by it, the certificate that the portal and the external gateway present to clients on the internet.

To create a certificate go to Device > Certificate Management > Certificates.

Click Generate and generate a portal certificate with the following information:

  • Certificate Name: GlobalProtect
  • Common Name: GlobalProtect
  • Check Certificate Authority.
  • Click Generate.

After creating the GlobalProtect certificate, click Generate to generate the external-gateway certificate.

We will create the following information:

  • Certificate Name: external-gw-portal
  • Common Name: 192.168.219.129 (this is the WAN IP address).
  • Signed by: select the GlobalProtect certificate just created above.
  • Click Generate.

Click Commit and OK to save the configuration changes.

5.2. Create SSL/TLS Service Profile

To configure go to Device > Certificate Management > SSL/TLS Service Profile.

Click Add to create an SSL/TLS Service Profile with the following parameters:

  • Name: external-gw-portal.
  • Certificate: select the newly created external-gw-portal certificate.
  • Min Version: select TLSv1.0. (TLSv1.0 and TLSv1.1 are deprecated; in production select TLSv1.2 as the minimum unless you must support older clients.)
  • Max Version: select Max.
  • Click OK to save.

Click Commit and OK to save the changes.

5.3. AD sync

5.3.1. Configure Service Features

First we need to configure service routes so that certain services are sent out of the interface that connects to the AD server.

Here we will route the DNS, Kerberos, LDAP and UID Agent services.

To do this, open the Palo Alto configuration page and go to Device > Setup > Services > Service Features > Service Route Configuration.

In the Service Route Configuration panel, select Customize.

To configure a service, click on the service to be configured (here I choose DNS). The Service Route Source panel pops up; select ethernet1/2 as the Source Interface, and the Source Address automatically shows the IP of the ethernet1/2 port, 10.145.41.10/24.

Click OK to save.

Repeat the same steps for the remaining services.

Click OK in the Service Route Configuration panel to save.

Click Commit and OK to save the configuration changes.

5.3.2. Enable User Identification on LAN zone

To synchronize users from the AD server, we need to enable User Identification on the zone containing the domain-joined workstations; here we will enable it on the Trust-Player3 zone.

To enable it, go to Network > Zones, click on the Trust-Player3 zone, and in the Zone panel check Enable User Identification in the User Identification ACL section.

Click OK to save.

Click Commit and OK to save the configuration changes.

5.3.3. Configure LDAP Service Profile

To create it, go to Device > Server Profiles > LDAP, click Add and enter the following:

  • Profile Name: learningit
  • Server List: click Add, enter adserver as the Name, the server IP 10.145.41.10 as the LDAP Server and 389 as the Port.
  • In Server Settings:
  • Type: select active-directory
  • Base DN: DC=learningit,DC=xyz
  • Bind DN: administrator@learningit.xyz (a dedicated read-only service account is preferable to the domain administrator for this bind).
  • Password and Confirm Password: enter the password of the administrator account.
  • Bind Timeout: 30
  • Search Timeout: 30
  • Retry Interval: 60
  • Require SSL/TLS secured connection: uncheck (if checked). Note that plain LDAP on port 389 sends the bind password and the users' VPN credentials in cleartext across the LAN; for a production deployment use LDAPS on port 636 with this option checked.
  • Click OK to save.

Click Commit and OK to save the configuration changes.

5.3.4. Configure User Mapping

To configure go to Device > User Identification > User Mapping.

Here we have 3 parts to configure: Palo Alto Networks User-ID Agent Setup, Server Monitoring, Include/Exclude Networks.

In the Palo Alto Networks User-ID Agent Setup section, click the gear icon on the right; a configuration panel appears in which we configure the following parameters.

Server Monitor Account tab :

  • User Name: learningit\administrator
  • Password and Confirm Password: enter the password of the administrator account in these 2 boxes
  • Kerberos Server Profile: None

Tab Server Monitor :

  • Enable Security Log : check
  • Server Log Monitor Frequency (sec) : 2
  • Enable Session : uncheck
  • Server Session Read Frequency (sec) : 10
  • Novell eDirectory Query Interval (sec) : 30
  • Syslog Service Profile : None

Tab Client Probing :

  • Enable Probing : check
  • Probe Interval (min) : 5

Tab Cache :

  • Enable User Identification Timeout : check
  • User Identification Timeout (min) : 120
  • Allow matching usernames without domains : uncheck
  • Click OK to save.

Next we configure Server Monitoring: click Add, and in the User Identification Monitored Server panel configure the following parameters:

  • Name : learningit
  • Check Enable
  • Type : Microsoft Active Directory
  • Transport Protocol : WMI
  • Network Address : 10.145.41.10
  • Click OK to save

Finally, in the Include/Exclude Networks section, click Add, and in the Include Exclude Network panel configure the following parameters:

  • Name : All
  • Check Enable
  • Discovery : Include
  • Network Address : 0.0.0.0/0
  • Click OK to save

After the configuration is complete, the status of the monitored server in the Server Monitoring section shows Connected.

Click Commit and OK to save the configuration changes.

5.3.5. Configure Group Mapping Setting

To configure, go to Device > User Identification > Group Mapping Settings and click Add. The Group Mapping panel appears; we will configure the Server Profile and Group Include List tabs.

Tab Server Profile :

  • Name : learningit
  • Server Profile : learningit
  • User Domain : learningit.xyz
  • Object Class (Group Object) : group
  • Object Class (User Object) : person
  • Check Enable

Tab Group Include List :

  • Click the arrow next to DC=learningit,DC=xyz to display the list of OUs and groups it has retrieved from AD, select the OU or group to use, and press the “+” sign to move it to the Included Groups table.
  • Here I will synchronize the Support group located in the IT OU.
  • Click OK to save

Click Commit and OK to save the configuration changes.

5.4. Create Authentication Profile

We need to create an Authentication Profile for the users synchronized from AD so that the firewall can check whether the account logging in is on the allow list for the VPN and, if it is, verify that the username and password are correct.

To create an Authentication Profile go to Device > Authentication Profile > click Add and configure the following parameters.

Tab Authentication:

  • Name: Learningit Auth.
  • Type: select LDAP.
  • Server Profile: learningit.
  • Password Expiry Warning: 7
  • Username Modifier: select %USERDOMAIN%\%USERINPUT%

Tab Advanced:

  • In the Allow List panel, click Add and select all.
  • Choosing all allows every user; you can instead select specific users or groups.
  • Click OK to save.

Click Commit and OK to save the configuration changes.

5.5. Create tunnel interface

We need to create a tunnel interface for the VPN connection. To create it, go to Network > Interfaces > Tunnel.

Click Add and create with the following parameters:

  • Interface Name: tunnel.1.
  • Virtual Router: VR1 (we need to add it so that connected users can still access the internet).
  • Security Zone: select Trust-Player3 (VPN users will be placed in the LAN zone).
  • Click OK to save.

Click Commit to save the changes.

5.6. Create GlobalProtect Gateways

To create a gateway we go to Network > GlobalProtect > Gateways.

Click Add and create according to the following parameters:

Tab General:

  • Name: gp-ext-gateway.
  • Interface: select ethernet1/1 (the WAN port).
  • IP Address Type: IPv4 Only.
  • IPv4 Address: None.

Tab Authentication:

  • SSL/TLS Service Profile: select external-gw-portal.
  • At the Client Authentication panel, click Add and configure the following parameters.
  • Name: lab-ad
  • OS: Any
  • Authentication Profile: select Learningit Auth.
  • Click OK to save.

Tab Agent:

In the Tunnel Settings panel we configure the following:

  • Tunnel Mode: check.
  • Tunnel Interface: select tunnel.1
  • Check Enable IPSec.

In the Client Settings panel, we click Add and configure the following parameters:

  • Name: gp-client-config
  • In the IP Pools table, enter the IP range that will be allocated when users connect to the VPN; here enter the range 192.168.100.200-192.168.100.210.
  • In the Split Tunnel tab, under Include, enter the LAN network 10.145.41.0/24 that users should be able to reach over the VPN.
  • Click OK 2 times to save.

Click Commit and OK to save the changes.

5.7. Create GlobalProtect Portal

To create GlobalProtect Portal go to Network > GlobalProtect > Portals.

Click Add and configure the following parameters:

Tab General:

  • Name: gp-portal
  • Interface: ethernet1/1
  • IP Address Type: IPv4 Only

Tab Authentication:

  • SSL/TLS Service Profile: select external-gw-portal.

In the Client Authentication panel, click Add and configure the following parameters:

  • Name: lab-ad
  • OS: Any
  • Authentication Profile: Learningit Auth
  • Click OK to save.

Tab Agent:

Click Add in the Agent panel and configure the following parameters:

  • In the Authentication tab, enter portal-agent-tab as the Name.
  • In the External tab, click Add and configure the following information.
  • Name: ext-gw-1
  • Address: select IP
  • IPv4: 192.168.219.129
  • Click Add and select Any for Source Region and Highest for Priority.
  • Click OK to save

In the Trusted Root CA section, click Add and select GlobalProtect certificate, and select Install to Local Root Certificate Store.

Click OK to save.

Click Commit and OK to save the changes.

5.8. Update and download GlobalProtect software to the Palo Alto device

Next we need to download the GlobalProtect software to the Palo Alto device.

To download it, go to Device > GlobalProtect Client and click Check Now.

A list of versions will appear, here I will choose the latest version which is 5.2.5.

After determining the version to download, we click Download in the Action column.

After the download is complete, we click Activate in the Action column so that this version is used when users access the VPN.

5.9. Install GlobalProtect software and make a VPN connection

We will install the GlobalProtect software on the user's computer on the internet and establish the VPN connection from it.

First, browse to https://192.168.219.129 to open the GlobalProtect portal page and log in with the user2 account from AD.

After logging in, the GlobalProtect software will appear for us to download, we need to choose the software that is suitable for the operating system in use.

After selecting and downloading, we install the file according to the following figure.

After installation, we enter the WAN IP of the Palo Alto device, 192.168.219.129, and click Connect.

Now the Server Certificate Error panel appears, asking us to install the certificate on the computer. It appears because the GlobalProtect CA certificate generated on the firewall is not yet trusted by the client, so the client cannot validate the certificate the gateway presents.

To install click Show Certificate.

Click Install Certificate.

Select Local Machine and click Next.

Click Next, Finish and OK to complete the installation.

After installing the Certificate, we click OK at the Certificate table and Continue at the Server Certificate Error table to continue.
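As an added example (not part of the techbast article), the following script recreates with openssl what section 5.1 did on the firewall: a self-signed CA named GlobalProtect and a certificate for 192.168.219.129 signed by it. It then verifies the server certificate without and with that CA as a trust anchor, which is the difference between the Server Certificate Error above and the successful validation after the CA is installed in the local root store. The file names and the WORK directory are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the techbast article: recreate with openssl what
# section 5.1 did on the firewall (CA "GlobalProtect" + certificate for the
# WAN IP signed by it) and show why the client reports "Server Certificate
# Error" until that CA is installed. File names and WORK are assumptions.
set -e
WORK=${WORK:-$(mktemp -d)}

# Minimal req config: the CN plus a v3 section (applied only with -x509).
write_cfg() {   # $1 = file, $2 = CN, $3 = CA:TRUE|CA:FALSE
  printf '[req]\ndistinguished_name = dn\nprompt = no\nx509_extensions = v3\n' > "$1"
  printf '[dn]\nCN = %s\n[v3]\nbasicConstraints = critical,%s\n' "$2" "$3" >> "$1"
}

# 5.1 step 1: self-signed CA certificate (the "Certificate Authority" checkbox).
write_cfg "$WORK/ca.cnf" GlobalProtect CA:TRUE
openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$WORK/ca.cnf" \
  -keyout "$WORK/GlobalProtect.key" -out "$WORK/GlobalProtect.crt" 2>/dev/null

# 5.1 step 2: certificate with CN = WAN IP, "Signed by" the CA above.
write_cfg "$WORK/gw.cnf" 192.168.219.129 CA:FALSE
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/gw.cnf" \
  -keyout "$WORK/external-gw-portal.key" -out "$WORK/external-gw-portal.csr" 2>/dev/null
printf 'subjectAltName = IP:192.168.219.129\n' > "$WORK/san.ext"
openssl x509 -req -days 365 -in "$WORK/external-gw-portal.csr" \
  -CA "$WORK/GlobalProtect.crt" -CAkey "$WORK/GlobalProtect.key" -CAcreateserial \
  -extfile "$WORK/san.ext" -out "$WORK/external-gw-portal.crt" 2>/dev/null

# Subject the client sees; the CN must match the address it connects to.
server_subject() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$WORK/external-gw-portal.crt" \
    | sed 's/^subject=//'
}

# What the client's TLS validation does. $1 = CA file it trusts ("" = the
# default store only, i.e. before the CA was installed). Returns 0 when the
# chain verifies, non-zero otherwise.
verify_with_trust_store() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$1" "$WORK/external-gw-portal.crt" >/dev/null 2>&1
  else
    openssl verify "$WORK/external-gw-portal.crt" >/dev/null 2>&1
  fi
}

if verify_with_trust_store ""; then BEFORE=ok; else BEFORE=error; fi
if verify_with_trust_store "$WORK/GlobalProtect.crt"; then AFTER=ok; else AFTER=error; fi
echo "subject: $(server_subject); before installing CA: $BEFORE; after: $AFTER"
```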

After installing the certificate, the login panel of GlobalProtect appears, enter the user2 account, password and click Sign In to connect.

Wait a few seconds to connect.

And we have successfully connected VPN to Palo Alto device.

Techbast will ping the LAN port with IP address 10.145.41.1 and the AD server with IP address 10.145.41.10 to check the result.

As a result, the networks are connected after the VPN connection is established.
