![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/palo-alto-logo.png\"){kind=logo}
<\/p>\n<\/p>\n
<\/p>\n
Before start configuring GlobalProtect, needs to generate\/import an SSL certificate<\/a> and create an SSL\/TLS Service Profile<\/strong>. And also needs an Authentication Profile, you can either create a local user base or use an external one. An example of using OneLogin<\/a> and AWS SSO<\/a>.<\/p>\n First of all, needs to create a security zone for the VPN interface. To do this, go to the "Network<\/strong>" -> "Zones<\/strong>" tab and click "Add<\/strong>".<\/p>\n Set the name, select "Layer3<\/strong>" as the "Type<\/strong>" and enable the "Enable User Identification<\/strong>" option. Leaves everything else by default.<\/p>\n Now let’s create a tunnel, for this we go to the "Network<\/strong>" -> "Interfaces<\/strong>" -> "Tunnel<\/strong>" tab and add a new one.<\/p>\n Leaves everything else by default.<\/p>\n Click "OK<\/strong>" and check the created interface.<\/p>\n Internal networks according to our scheme can be accessed through the "trust<\/strong>" interface, for this, needs to create 2 static routes.<\/p>\n To do this, go to the "Network<\/strong>" -> "Virtual Routers<\/strong>" tab and select the "default<\/strong>" router.<\/p>\n Go to the "Static Routes<\/strong>" tab and add a route<\/p>\n Where "10.0.13.1<\/strong>" — AWS gateway for "GP-TRUST-A<\/strong>" subnet<\/p>\n There is such a moment, in the "Active-Passive<\/strong>" mode, static routes are synchronized between instances, as well as "Admin Distance<\/strong>" and "Metric<\/strong>" are synchronized, so we cannot influence the choice of route for each instance in this way. The route with the lower "Admin Distance<\/strong>" and "Metric<\/strong>" will be chosen as the route, and since the "Next Hop<\/strong>" parameter is required, it may turn out that the instance in AZ A will have a route through AZ B, which will not work. To get around this point, you can use "Path Monitoring Destination<\/strong>", the point is the following, we will check the availability of the gateway, and if it is not available, we do not use this route. Thus, on an instance in AZ A, the active route will be through AZ A, and on an instance of AZ B through AZ B, respectively.<\/p>\n Check the created route and path monitoring.<\/p>\n Create a second route through AZ B:<\/p>\n Where "10.0.23.1<\/strong>" — AWS gateway for "GP-TRUST-B<\/strong>" subnet<\/p>\n And also add monitoring for it, as "Destination IP<\/strong>" we specify "10.0.23.1<\/strong>"<\/p>\n Go to tab "Network<\/strong>" -> "GlobalProtect<\/strong>" -> "Portals<\/strong>" and click "Add<\/strong>".<\/p>\n "General<\/strong>" tab<\/p>\n Set the name and specify in the "Interface<\/strong>" field — "ethernet1\/2<\/strong>" (untrusted-zone).<\/p>\n "Authentication<\/strong>" tab<\/p>\n Select "SSL\/TLS Service Profile<\/strong>".<\/p>\n Add "Client Authentication<\/strong>"<\/p>\n Specify a name and select a profile, in this example, OneLogin is used as authentication.<\/p>\n Save and check.<\/p>\n "Agent<\/strong>" tab<\/p>\n Create agent configuration<\/span><\/span><\/span> "Agent<\/strong>" -> "Add<\/strong>".<\/p>\n "Authentication<\/strong>" tab<\/p>\n Set the name.<\/p>\n (optional<\/span><\/span><\/span>)<\/p>\n You can use cookies to avoid double authentication (first to the portal, then to the gateway), or set different cookie lifetimes for the portal and gateway. Read more here<\/a>.<\/p><\/blockquote>\n "External<\/strong>" tab<\/p>\n Add a gateway, for this, in the "External Gateways<\/strong>" block, click "Add<\/strong>".<\/p>\n Specify the name and DNS name. Set the region — "Any<\/strong>".<\/p>\n Set "Connect Method<\/strong>" to "On-demand (Manual user initiated connection)<\/strong>".<\/p>\n On-demand — adds the ability to disable VPN to the client, and when the client starts, it does not automatically connect.<\/p><\/blockquote>\n <\/p>\n This completes the portal setup.<\/p>\n Go to the tab<\/span><\/span><\/span> "Network<\/strong>" -> "GlobalProtect<\/strong>" -> "Gateways<\/strong>" and click "Add<\/strong>".<\/p>\n "General<\/strong>" tab<\/p>\n Set the name and specify in the "Interface<\/strong>" field — "ethernet1\/2<\/strong>" (untrusted-zone).<\/p>\n "Authentication<\/strong>" tab<\/p>\n Select "SSL\/TLS Service Profile<\/strong>".<\/p>\n Add "Client Authentication<\/strong>".<\/p>\n Specify a name and select a profile, in this example, OneLogin is used as authentication.<\/p>\n Tab "Agent<\/strong>" -> "Tunnel Settings<\/strong>"<\/p>\n Turn on the "Tunnel Mode<\/strong>" and specify the tunnel interface that we created.<\/p>\n Go to the "Client Settings<\/strong>" tab and click "Add<\/strong>".<\/p>\n "Config Selection Criteria<\/strong>" tab<\/p>\n Set the name, and leave all criteria by default.<\/p>\n (optional) "Authentication Override<\/strong>" tab<\/p>\n Check the boxes next to the fields:<\/p>\n And specify the certificate for GlobalProtect.<\/p>\n Tab "IP Pools<\/strong>" -> "IP POOL<\/strong>" and click "Add<\/strong>". Set the IP addresses that will be issued to VPN clients.<\/p>\n In the "Split Tunnel<\/strong>" tab, specify the networks that the VPN server will announce. In this case "10.0.0.0\/8<\/strong>". Also, if necessary, you can exclude networks that do not need to be announced.<\/p>\n This completes the gateway setup.<\/p>\n Now needs to create a security policy for the VPN zone. Go to the "Policies<\/strong>" -> "Security<\/strong>" tab and click "Add<\/strong>".<\/p>\n "General<\/strong>" tab. Give it a name and check that "Rule Type<\/strong>" is "universal (default)<\/strong>".<\/p>\n "Source<\/strong>" tab. In "SOURCE<\/strong> ZONE<\/strong>" needs to add the security zone created for VPN connections, in this case, it’s "vpn-zone<\/strong>".<\/p>\n "Destination<\/strong>" tab. In "DESTINATION ZONE<\/strong>" needs to add the security zone created for internal networks, in this case, it’s "trust-zone<\/strong>".<\/p>\n "Application<\/strong>" tab. Check that "Any<\/strong>" is indicated as applications.<\/p>\n "Service\/URL Category<\/strong>" tab<\/p>\n Set "Any<\/strong>", as services.<\/p>\n "Actions<\/strong>" tab<\/p>\n Make sure the action is set to "Allow<\/strong>".<\/p>\n Save the security policy and check that it is in front of the default policies.<\/p>\n Now needs to create a NAT policy, for this go to the "Policies<\/strong>" -> "NAT<\/strong>" tab and click "Add<\/strong>".<\/p>\n "General<\/strong>" tab<\/p>\n Set the name, and leave the rest as default.<\/p>\n "SOURCE ZONE<\/strong>" — add a security zone created for VPN connections, in this case, it’s "vpn-zone<\/strong>".<\/p>\n "Destination Zone<\/strong>" — select the security zone created for internal networks, in this case, it’s "trust-zone<\/strong>".<\/p>\n "Destination Interface<\/strong>" — select the interface in the "trust-zone<\/strong>", in this case, it’s "ethernet1\/3<\/strong>".<\/p>\n "Service<\/strong>", "SOURCE ADDRESS<\/strong>" and "DESTINATION ADDRESS<\/strong>" — set "Any<\/strong>".<\/p>\n "Translated Packet<\/strong>" tab<\/p>\n Source Address Translation:<\/p>\n Destination Address Translation:<\/p>\n Save and check.<\/p>\n Go to the "Device<\/strong>" tab and find the "GlobalProtect Client<\/strong>" item on the right and download the list of client versions by clicking "Check Now<\/strong>".<\/p>\n <\/p>\n If you see a similar message, then you have not completed the license activation. And since BYOL AMI is used, nothing will work without activating the license. Also, if you download the bundle from the Palo Alto support center and import it, you will get an error regarding the license at the activation stage.<\/p><\/blockquote>\n After receiving the list of versions, you need to download and install the required version, for example — the latest. After you have installed it, you need to activate it.<\/p>\n Activation is not synchronized and must be performed on both GlobalProtect instances.<\/p><\/blockquote>\n It remains to save changes, for this, in the upper right corner, click "Commit<\/strong>".<\/p>\n Now we go to the IdP portal, in this case, it’s OneLogin.<\/p>\n If you set up a local user base, then you need to follow the link:<\/p>\n https:\/\/YOUR_GP_DOMAIN\/global-protect\/getsoftwarepage.esp<\/p>\n Client download page available even without authentication<\/p><\/blockquote>\n <\/p>\n If click on GlobalProtect application, you will be redirected to the client download page.<\/p>\n After downloading and installing the client as a portal, specify the domain name for GlobalProtect and the credentials configured in the SAML provider.<\/p>\n","protected":false},"excerpt":{"rendered":" Before start configuring GlobalProtect, needs to generate\/import an SSL certificate and create an SSL\/TLS Service Profile. And also needs an Authentication Profile, you can either create a local user base or use an external one. An example of using OneLogin and AWS SSO. Security zone First of all, needs to create a security zone … \u041f\u0440\u043e\u0434\u043e\u043b\u0436\u0438\u0442\u044c \u0447\u0438\u0442\u0430\u0442\u044c "Palo Alto VM-Series Firewall: GlobalProtect"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1335],"tags":[1899,1901,1905],"_links":{"self":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/2593"}],"collection":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2593"}],"version-history":[{"count":4,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/2593\/revisions"}],"predecessor-version":[{"id":2607,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/2593\/revisions\/2607"}],"wp:attachment":[{"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2593"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2593"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2593"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Security zone<\/h4>\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-31-at-16.52.24.png\")
<\/p>\n<\/h4>\n
Tunnel interface<\/h4>\n
\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-31-at-17.01.59.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-31-at-17.08.14.png\")
<\/p>\nStatic routes<\/h4>\n
\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-07-at-12.26.25.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-07-at-12.27.22.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-07-at-12.27.36.png\")
<\/p>\n\n
GlobalProtect: Portal<\/h4>\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-31-at-17.18.18.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-31-at-17.22.46.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-31-at-17.26.39.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-31-at-17.28.36.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-31-at-17.33.23.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-31-at-18.41.11.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-31-at-18.42.56.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-31-at-18.45.01.png\")
<\/p>\nGlobalProtect: Gateway<\/h4>\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-31-at-18.49.53.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-31-at-18.51.30.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-31-at-18.53.43.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-31-at-18.56.08.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-31-at-18.58.51.png\")
<\/p>\n\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-31-at-19.00.06.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-31-at-19.03.49.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-31-at-19.07.38.png\")
<\/p>\nSecurity policy<\/h4>\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-01-at-11.20.02.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-01-at-11.20.18.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-01-at-11.20.34.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-01-at-11.29.55.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-01-at-11.20.57.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-01-at-11.31.04.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-01-at-11.21.41.png\")
<\/p>\nNAT Policy<\/h4>\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-01-at-11.45.03.png\")
"Original Packet<\/strong>" tab<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-01-at-11.45.47.png\")
<\/p>\n\n
\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-01-at-11.46.29.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-01-at-11.47.30.png\")
<\/p>\nGlobalProtect Client<\/h4>\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-01-at-13.49.38.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-01-at-13.49.26.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-03-at-10.33.44.png\")
<\/p>\nGlobalProtect: Connection<\/h4>\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-03-at-16.42.14.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-03-at-17.00.13.png\")
<\/p>\n