Palo Alto GlobalProtect VPN Configuration Step by Step [2024]

  • Published: 24 Jul 2024
  • In this tutorial you're going to learn how to configure remote access VPN on the Palo Alto Firewall. Palo Alto has its own VPN client (or app), called GlobalProtect.
    In the video I will show you how to authenticate a remote user using three different methods:
    - just Username/Password
    - username/password + client certificate, and
    - username/password + Google Authenticator
    I'm going to give you an overview of the main VPN components in the GlobalProtect environment, explain what the certificates are for and which licenses are needed, and afterwards show you step by step how to configure all three authentication methods mentioned above on the Palo Alto firewall.
    I am going to use a Windows client with the GlobalProtect app to test the VPN connection to a Linux server inside our fictional corporate network.
    💻 Palo Alto Online Training
    🔥 Join our exclusive online training: "Mastering Palo Alto Firewalls: Comprehensive Training in Operation and Management." 🚀 Prepare confidently for the PCNSA exam with expert guidance and hands-on exercises. Reserve your spot now and benefit from Early Bird discounts and bonuses! 💻 Learn more and register for FREE at netsums.com/training
    🌐 Useful Links
    - GlobalProtect Authentication with Azure: • Palo Alto GlobalProtec...
    - Newer Version of GlobalProtect Step-by-Step Video: • Palo Alto GlobalProtec...
    - NETSums Resources: netsums.com/resources
    - Palo Alto Training (preparation for PCNSA): netsums.com/training
    If you have questions, suggestions, or any kind of feedback, please don't hesitate to comment below! I will reply as soon as possible.
    #paloaltofirewall #paloaltonetworks #firewall
    Timeline:
    00:00 Palo Alto Globalprotect VPN Configuration Step by Step
    00:30 Introduction
    03:03 User authentication methods
    04:14 Network diagram for this tutorial
    05:06 Firewall interfaces
    06:45 Certificates
    10:04 User authentication
    12:33 Objects and security rules
    18:05 GlobalProtect Gateway
    21:36 GlobalProtect Portal
    23:39 Download GlobalProtect software
    24:34 Import Root certificate into VPN client
    27:08 Connect to GlobalProtect Portal
    29:32 Authentication with certificate
    35:26 Authentication with Google Authenticator
    Link to GlobalProtect License documentation:
    docs.paloaltonetworks.com/glo...
  • Science

Comments • 109

  • @netsums  5 months ago

    FREE Palo Alto Cheat Sheet in different formats and further FREE resources: netsums.com/resources

  • @douglaspayne5029  4 months ago +1

    You did an excellent job explaining this topic. Thank you!

    • @netsums  4 months ago

      Thank you also for the nice comment! I'm glad you liked the video. 😊

  • @mdmasumali2258  8 months ago

    Excellent! This video will help a lot of students. Thank you!!!!!

    • @netsums  8 months ago

      Glad it was helpful! Thank you for the comment.

  • @ErickVivas-s9v  20 days ago

    You did an excellent job here! Thank you very much mate!

    • @netsums  10 days ago

      Thank you for your reply, I'm glad you liked it!

  • @MarcusSoares22  1 year ago

    Hi Bro, thanks and congratulations! I really appreciate your tutorial in this video, you're winning a subscriber!
    Go ahead and publish more videos, congratulations again.

    • @netsums  1 year ago +1

      Thank you for your very nice comment! I'm glad you like the videos. :)

  • @brandone7273  1 year ago

    Awesome video, thank you so much!

    • @netsums  1 year ago

      You're welcome, I'm glad you liked it! Thank you also for the comment. :)

  • @gabintalla1096  5 months ago

    Complete video... good work.
    Thank you...

    • @netsums  5 months ago

      Thank you for the comment, I'm glad you liked it. :-)

  • @planet-itracunalniskiinzen6074  7 months ago

    Great article!

    • @netsums  7 months ago

      Thank you, I'm glad you liked it.

  • @TsH18  2 months ago

    Great tutorial! Thanks!

    • @netsums  2 months ago

      Hi. Thank you, I'm glad you liked it!

  • @mohammedqureshi995  1 year ago +3

    Thanks for your valuable session; I appreciate your efforts to spread knowledge to real knowledge seekers. Sir, if you can, please create a new video on Palo Alto integrating with Windows RADIUS and Google Authenticator OTP. God bless you.

    • @netsums  1 year ago +1

      Hi Mohammed, thank you for the nice words. My next video will be about Palo Alto and OTP, but integrating with a Linux Radius server instead of Windows. I hope it will still be useful for you. :)

  • @netsums  9 months ago +1

    In this tutorial you're going to learn how to configure remote access VPN on the Palo Alto Firewall. Palo Alto has its own VPN client (or app), called GlobalProtect.

  • @baller15g  11 months ago +1

    Cool video, thanks

    • @netsums  11 months ago

      Thank you for your comment, I'm glad you liked the video. :)

  • @rashpal81  2 months ago

    Brilliant video. Thanks.

    • @netsums  2 months ago

      Thank you also, I'm glad you liked it!

  • @KamalAhmed-tp1zc  4 months ago

    Amazing

  • @mirabbasquraishi5020  9 months ago

    Very nice explanation

    • @netsums  9 months ago

      Thank you for the comment, I'm glad you liked the video.

  • @mohamedabdi2245  8 months ago

    Good stuff :)

    • @netsums  8 months ago

      Thank you for the nice comment. :)

  • @brahimhamdi  1 month ago

    Hello, I need to create two pools with different subnets. Is it possible? How do I do it? On ASA it's possible.

  • @user-bz7jo9qc9i  7 months ago

    A+

  • @shakarchy  1 year ago +1

    Thank you for the great video, it helped me to set up a quick remote VPN. One thing I need to know: if you could explain GP External Gateway Priority by Source Location, that would be great.

    • @netsums  1 year ago

      Hi. Thank you for the comment, I'm glad you liked the video. :) I will keep your suggestions in mind for the next videos.

  • @sridharbvnl2101  10 months ago +1

    Very good video

    • @netsums  10 months ago

      I'm glad you liked the video. :)

  • @sean-jp1xu  11 months ago +2

    Great video. Can you do a video on the basic initial setup of a Palo (internet, DHCP, LAN, etc.)?

    • @netsums  11 months ago

      Thank you for the reply, I will keep it in mind for the next videos. :)

  • @paulbranfield7550  9 months ago

    Great video, I have a question though. I have IPsec tunnels set up to some cloud services (AWS and OCI, for example). When a user connects to the corp network using GlobalProtect they can access the AWS servers as if they are in the office. However, the OCI servers are only accessible when physically in the office; through GlobalProtect they do not work. Any ideas what I am missing?

    • @ed_59  9 months ago

      Access route, if you're using split tunnel?
      Is the VPN traffic even hitting the firewall?

  • @zerodoc304  5 months ago

    Thank you for this video, it is so helpful! Is it possible to do a similar configuration but without the RADIUS server?

    • @netsums  5 months ago +1

      Thank you, I'm glad it could help you. You can do a similar configuration using SAML, for example, or LDAP, or a local user. We have a video for Azure/SAML, one with Microsoft Active Directory/LDAP, and another one with Okta/SAML. Just search the channel. We don't have one for local authentication though.

  • @mainetworking  1 year ago +4

    Overall it is good, but too fast in the configuration part. Please slow down a little bit so that we can focus on how it is done.

    • @netsums  1 year ago

      Thank you for the feedback. I think I didn't speed up as much in the newest videos, but I will pay more attention. :)

  • @gtaadayinthelife4592  5 months ago

    Great video, but did the DNS get covered? I might have missed it in the gateway and portal config, but I couldn't find it.

    • @netsums  5 months ago

      Thank you for the comment. No, I didn't really cover DNS, since I consider the configuration rather straightforward. I configured an A record pointing to my NAT router. What specific questions do you have?

  • @antonioremualdo3317  1 year ago +1

    Hello, great video. At 27:29 you start to show how to configure the client side. I have a VM in Azure running Windows 10 Multi-session, where several users connect at the same time. I installed GlobalProtect so they can connect, but only the first user who logs in to the machine can connect using GlobalProtect; the next one can't connect and the first user loses the connection. What is the best way to resolve this? Is removing GlobalProtect from the machine and configuring a gateway or a VPN tunnel a possible solution? Thanks for your time.

    • @netsums  1 year ago

      Hi, thank you for the comment. I don't have experience with Windows 10 multi-session, but I think the first thing I would do is to configure GlobalProtect to be always-on. I am not sure if it works with the multi-session OS and if the VPN tunnel would be available for all users. If you need to identify the users on the Firewall, you could install a TS-Agent on the Windows 10. I saw somewhere that they should support W10 multi-session. I hope I could help. :-)

  • @alfiananto5963  1 year ago

    Hi, sorry, I'm confused about how to implement it.
    Specifically, which IP address is used on the GP gateway and GP portal?
    Is it a public IP or the IP behind the NAT (referring to your figure)?

    • @netsums  1 year ago

      You can choose whether you want to use NAT or not; it depends on your network. I only used NAT because I didn't have any other option in my lab. But many companies have a public IP address attached to the outside interface of their firewalls. The important thing is that the outside interface is reachable through the Internet. I used a DNS name, but you can use an IP address as well. Just be sure your certificate is set up and issued accordingly.

  • @billosias6294  4 months ago

    I have a question. I use GlobalProtect for my remote work, which is provided by our company. Can I use this while I'm traveling internationally?

    • @netsums  4 months ago

      Hi. If your company doesn't explicitly block connections from abroad, you should be able to use it internationally, yes.

  • @richardmallare4504  8 months ago

    Can this be done even if the PA-VM is without a license (expired trial version)? I want to test it in a virtual lab environment. Thank you

    • @netsums  8 months ago

      I'm not sure, but I think it would work. Maybe you won't be able to download the client to the firewall, though, but it shouldn't be a big deal if your test client has GlobalProtect installed.

  • @markaiello8862  3 months ago

    Hello,
    Thank you for this info. It was a great help. I come from the Cisco ASA firewalls, and we just moved to the PA 1410s. Very different! I do have one question regarding VPNs. With the ASAs I was able to set up groups for all of our vendors, assign them IPs and have them access only the networks they needed. We use RADIUS for all connections. I have the VPN set up like in your video and it's working, but I'm having an issue setting up vendors. I don't know what's the best route to go. Can you point me in the right direction? A GP portal for each vendor? A GP gateway for each? We do not have any extra licenses for GP, just the basic GP license.
    Thank You in advance,
    Mark

    • @netsums  3 months ago

      Hi. Thank you for the comment! I would suggest you use only one portal and one gateway for the vendors, if the authentication should be the same (LDAP, SAML, etc.). And in each gateway configuration you have one agent configuration for each vendor, using the user group field (Active Directory groups) to match each vendor to its configuration.

    • @netsums  3 months ago

      There, I knew I had a video regarding this topic: ruclips.net/video/j5LdVWCfxRM/видео.html

    • @markaiello8862  3 months ago

      @@netsums Thank you for replying. I will work on it and let you know the outcome. Thank you for taking the time to answer me. Much appreciated!

    • @markaiello8862  3 months ago

      @@netsums Another question :-} We used RADIUS for AnyConnect for vendor clients and some employees. We have about 100 employees using NetMotion (an automatic VPN connection using LDAP). We want to get rid of NetMotion and use GP for automatically logging the computer and the user into the network. I watched one of your videos using a pre-logon for the PC for updates and such. What would you recommend going forward? RADIUS or LDAP?
      Also, I sent you a message on your website.
      Mark Aiello

  • @melapi  1 year ago

    Thanks for the great video, how do we restrict the VPN to domain-connected devices? What are the certs which we want to import to the firewall?

    • @netsums  1 year ago +1

      Hi, sorry for the late reply. If your clients have certificates issued from your internal Microsoft Domain Controller, you can import to the firewall the domain root certificate. After importing it, you can add it to the field CA Certificates under Device -> Certificate Management -> Certificate Profile. Whenever you link this certificate profile to your portal or gateway, the firewall will verify if the certificate being presented from the client has been signed from the CA added to the certificate profile. I hope I could help.

  • @abdimohamed1554  5 months ago +1

    Hey, this is an amazing step-by-step video. Do you have a document that we can follow?

    • @netsums  4 months ago

      Hi. You could start with this one. knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFbCAK
      But just search Google and you will find some documentation directly from Palo Alto.

  • @hariprasad-uw2yn  6 months ago

    Brother, you are great. Can you release a video on GlobalProtect with 2FA using TOTP with Microsoft Authenticator?

    • @netsums  6 months ago

      Hi, thank you for the nice comment. :)
      Do you mean this one here, for example? ruclips.net/video/knEi2TCdp3s/видео.html
      In the video I don't show how to configure MFA, but it can be done easily on Azure.

  • @AISynthar  1 year ago

    At 29:32, this is where we're stuck. I'm trying to deploy the client and certs through Intune, but getting the cert into the user store keeps failing. Do you know any other methods?

    • @netsums  1 year ago

      Hi. I'm sorry you're getting stuck. I haven't worked with any other mobile device management tool before, so I wouldn't be able to help you there. I have worked with a classical Microsoft AD environment, where the certificates were deployed through Active Directory group policies.
      But why are the certificates failing? What is the error message?

  • @hirwalambert8131  1 year ago

    Hello sir, I want to ask a quick question: is it possible to use GlobalProtect and work outside the country where you are supposed to work from? Like, I am working from home in one country and I want to go to another country and work from there without being noticed by my company. Is that possible? Thank you so much.

    • @netsums  1 year ago +1

      I don't see why it shouldn't work, unless your Palo Alto firewall has a country restriction. You could try to use a VPN service, but I'm not sure if it would work. But I would advise you to be open with your boss, I wouldn't advise you to try to hide from them that you are working from a foreign country.

  • @micho101  1 year ago

    Is it possible to reject or deny the connection if the HIP profile is not met? I would like to refuse or disconnect GP if the end user doesn't pass the HIP object associated with the HIP profile.

    • @netsums  1 year ago

      As far as I know, the gateway doesn't do much other than send a message back to the client stating whether it "passed" the HIP test or not. The decision whether the client is allowed access or not is taken in the security policies. But I guess you already knew that. :-)
      I don't think it's possible to do what you want.

  • @seanbyrne960  3 months ago

    Thank you for this video. If there are multiple entries under the GlobalProtect portal, how are the profiles selected? First in the queue, or something else?

    • @netsums  3 months ago

      Thank you for the comment. Each portal you create has to have a different IP/interface associated with it. But if you mean in the agent configuration in the portal configuration, the firewall matches the configuration from top to bottom.
      I hope I could answer your question. :)

    • @seanbyrne960  3 months ago +1

      @@netsums thank you

    • @seanbyrne960  3 months ago

      @@netsums Hello, is there a paid subscription service I can join for tech support / design discussion?

    • @netsums  3 months ago

      We don't offer any service like that. You could join the subreddit r/paloaltonetworks, you can find lots of information there, and it's free. reddit.com

    • @seanbyrne960  2 months ago

      @@netsums Hello, I am trying to create a new portal with a new IP address. The software will not allow me to add the IP address; there are other addresses listed in the drop-down that I can select, but not the new one that has been ordered. What has to happen before the new IP address is recognised? I tried configuring the address on a tunnel.199 interface, but this did not solve the problem.

  • @mmmystery6210  1 year ago +1

    I don't understand where/how you configure the Google authentication. Can you make a quick video for that as well?

    • @netsums  1 year ago +2

      Hi. The Google Authenticator has to be configured on your authentication server, in the case of this tutorial on the RADIUS server. I will see if I can make a video about it. Thanks for the feedback. :)

  • @njams.  1 year ago

    Would the same settings be applicable with a third-party VPN client app, or only with the GP client app?

    • @netsums  1 year ago

      Hi. Sorry for the late reply. I cannot confirm that it would work with third-party apps. You would need to test; I only tested this configuration with GlobalProtect. I heard that it is possible to connect to the Palo Alto using Cisco AnyConnect, for example, but things sometimes don't go as smoothly as with GP, and you probably need to tweak your configuration to make it work as desired.

  • @SMARGRID  1 year ago

    Urgent!! When we connect to "GlobalProtect VPN", by default it selects the local user (logged-in user) in General -> Account -> User; it's not prompting for user ID and password. How can we fix this? Does the admin need to configure something on their server? Please suggest.

    • @netsums  1 year ago

      Sorry for the late reply. Can it be that you've chosen to save a cookie at the client's computer? In this case after the first login GlobalProtect won't ask for the credentials anymore until the cookie expires.

    • @SMARGRID  1 year ago +1

      @@netsums Fixed, the issue was due to another VPN that was installed. Thank you.

  • @user-qu3hc9kt6i  8 months ago

    Hello,
    Could you please make a video on setting up and testing Google authentication with two factors?
    Please wait a moment.

    • @netsums  8 months ago

      I will keep this in mind, thank you for your suggestion.

  • @LorDarkGoose  10 months ago +1

    Thanks for the informative video. What if I don't want to use RADIUS?

    • @netsums  10 months ago +1

      You can use something else, such as LDAP or SAML. Just change the authentication profile on the portal and gateway.
      I hope I understood your question right. :)

    • @LorDarkGoose  10 months ago

      @@netsums Thanks!

  • @user-bw1mr6iv3n  2 months ago

    Thank you for the great explanation. However, I'm encountering an issue. While all the settings appear to be correct and functional, I've noticed that when I attempt to work from home using my laptop, I'm not prompted to enter the MFA code. It's possible that I may have done so once, perhaps around 6 months ago. As a result, I can access my company's IP address without the need for MFA. Occasionally, I do receive a prompt asking for the MFA code, but if I cancel it, I'm still able to continue working without any interruption. Could you please advise on how I can adjust the settings to ensure that users are always required to enter the MFA code? Otherwise, users should not be able to access the trusted IP range.

  • @MaruTheGreat  9 months ago

    I'm connected to the GlobalProtect VPN, but it is killing my internet speeds. I've rebooted my router as well as updated the firmware on it. Are there any fixes?

    • @netsums  9 months ago

      Maybe after connecting to GlobalProtect you're sending all the traffic to your company? Try using the split tunnel function of the GlobalProtect gateway, so that you only send what you need through the VPN tunnel, and the rest gets sent to the internet locally.

  • @pitansimisinuola7448  1 year ago

    Hi, you will not be needing the rule you created allowing the GP client to communicate with the portal. By default untrust to untrust is allowed by the intrazone rule; that is how the client is able to connect to the portal. Also, you can log your rules; all you need to do is click on the green gear, which allows you to override the existing implicit rules.

    • @netsums  1 year ago +1

      Thank you for your feedback. If I have a denyAny rule, I would need the rule to allow the GP client to communicate with the portal or gateway. But if I use an override for the default intrazone rule as you suggested, then the rule would be needless, correct.

  • @francescodangelo5611  1 year ago

    Hi, I don't understand where/how you configure the Google authentication.

    • @netsums  1 year ago

      Hi. The RADIUS server has to be configured to send a challenge back to the firewall after the user is successfully authenticated using username/password. On the RADIUS server you configure the authenticator, scan the QR code with your smartphone, etc. The whole configuration resides there. For this video I used privacyIDEA (www.privacyidea.org) as the RADIUS server.
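The two-round RADIUS exchange described in this reply, as an added illustration that is not from the video or from privacyIDEA: a small Python model of the RADIUS side, where the firewall forwards username/password, receives an Access-Challenge, and then forwards the Google Authenticator (TOTP, RFC 6238) code together with the State attribute. The user table, password, TOTP seed (the RFC 6238 test key) and the class/function names are constructed for this example.

```python
"""Model of the RADIUS challenge flow that GlobalProtect relies on for OTP."""
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass, field

# Constructed user database standing in for the privacyIDEA RADIUS server.
# The TOTP seed is the RFC 6238 test key ("12345678901234567890") in base32.
USERS = {
    "alice": {
        "password": "correct-horse",
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    }
}


def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the variant Google Authenticator produces."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    msg = struct.pack(">Q", at // step)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_valid(secret_b32, candidate, at, step=30, window=1):
    """Accept the current step plus `window` steps either side (clock skew)."""
    return any(
        hmac.compare_digest(totp(secret_b32, at + k * step, step), candidate)
        for k in range(-window, window + 1)
    )


@dataclass
class RadiusServer:
    """Two-round RADIUS server: password -> Access-Challenge -> OTP -> Accept."""
    pending: dict = field(default_factory=dict)  # State attribute -> username

    def access_request(self, username, secret, state=None, now=None):
        now = int(time.time()) if now is None else now
        user = USERS.get(username)
        if state is None:
            # Round 1: the firewall forwards the username/password it collected.
            if user is None or not hmac.compare_digest(user["password"], secret):
                return "Access-Reject", None
            token = hashlib.sha256(f"{username}:{now}".encode()).hexdigest()[:16]
            self.pending[token] = username
            # The challenge is what makes the GlobalProtect client prompt again.
            return "Access-Challenge", token
        # Round 2: the State must be one we issued for this user, and is single-use.
        if self.pending.pop(state, None) != username:
            return "Access-Reject", None
        if totp_valid(user["totp_secret"], secret, now):
            return "Access-Accept", None
        return "Access-Reject", None


def gateway_login(server, username, password, otp, now=None):
    """What the portal/gateway effectively does across the two RADIUS rounds."""
    code, state = server.access_request(username, password, now=now)
    if code != "Access-Challenge":
        return code
    code, _ = server.access_request(username, otp, state=state, now=now)
    return code
```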

  • @ah.shawky01  9 months ago

    Could you please help me?
    I have an EC2 Windows server, and I installed GlobalProtect on it and connected to the server "Palo Alto FW".
    When I log in to Windows via Remote Desktop the VPN connects successfully; when I close the RDP session the VPN is disconnected.

    • @netsums  9 months ago +1

      You probably need to configure the Pre-Logon option in your portal configuration. Search for "Pre-Logon netsums" and you should find a video I made about this topic. You shouldn't configure your firewall exactly as I show in the video, but hopefully it will point you in the right direction. :-) Let me know later if you managed to configure it.

    • @ah.shawky01  9 months ago

      @netsums Thank you for your valuable session ❤️❤️ I will check and give feedback.

    • @ah.shawky01  9 months ago

      @netsums I have configured the pre-logon as you mentioned, but I still have the same issue. I have read in the GP log "socket closed exit now".
      It is happening when I close the RDP.

    • @netsums  9 months ago +1

      Sorry, I only saw your reply today. If you have Pre-Logon (always-on) configured on your portal and the certificate is okay, when the user logs out of the RDP session the EC2 server should stay connected through the pre-logon user.
      What do you see in the GlobalProtect logs (under Monitor)? Take a look also at the GlobalProtect client logs (mainly PanGPS, PanGPA and pan-gp-event-log, I think).

    • @ah.shawky01  9 months ago

      @netsums Yes, I have launched the EC2.
      And after closing the session the EC2 is connected using pre-logon.
      Note:
      When I log in again, it reconnects and IPsec starts counting again.
      Many thanks for your efforts and videos.

  • @cris-cis8967  2 months ago

    Is there a link to download the file without logging in, please?

    • @netsums  2 months ago

      You mean the GlobalProtect client? Officially no, you need to have a support account.