GlobalProtect Portal & Gateway Configuration PAN-OS 10.0.6

Captions
Hey, what is up guys, welcome to MB Tech Talk. My name's Matt. In this video I'll be revisiting a GlobalProtect portal and gateway configuration on a VM-Series next-generation firewall running PAN-OS 10.0.6. OK, so this will be a more stripped-back version of my previous GlobalProtect video, which provides more of an overview of GlobalProtect and also includes a configuration of an internal gateway and internal host detection. I wanted to create a GlobalProtect video on PAN-OS 10 and keep it as basic as possible, with the aim of getting a GlobalProtect portal and gateway up and running efficiently. I will then use this configuration as a baseline for future GlobalProtect videos. So, that being said, let's jump into the configuration.

OK, so I've logged into the firewall. We need to go to the Device tab and then to Certificates, and we're going to generate a new certificate signing request. So click Generate, and we're going to give this certificate a name; I'm just going to call it "globalprotect gw portal". Now, because we're going to be hosting the portal and the gateway on the same firewall, they both share the same external IP, which is 192.168.21.250, so there's no reason why we need two separate certificates, but in a production environment you may want to split the portal and the gateway certificates up. Then we're going to complete a certificate signing request using the Windows 2016 certificate server, so this is going to be an external authority CSR, and then we're going to hit Generate. As you can see, the certificate is pending, so we're going to tick the checkbox and export the certificate, then open it and copy the contents. Then I'm going to browse to the certificate server, which is 10.4.4.1/certsrv, and I'm going to log in as administrator. I found using administrator is the best way to do this because you get all the options in the web enrollment interface. So we need to add a password, then we need to Request a Certificate, Advanced Certificate Request, and then we're just going to copy and paste the contents into that box, choose Subordinate Certification Authority, and click Submit. Then we check Base64 encoded and download the certificate. We go back to the firewall, and what I do is just open it up and copy the name, so that when we import the certificate you can name it exactly the same, because it needs to match. Then browse to that certnew.cer file, open it and click OK. So the certificate's valid now.

Next thing we need to do is create an SSL/TLS service profile. This is going to be used in the portal and gateway configuration for server authentication. So we're going to click Add, and I'm just going to give it the same name, "globalprotect gateway portal", and then select that certificate that we just generated and had signed. Then I'm going to change the minimum version to TLS version 1.2 and click OK. So that's the certificate side of things done, and we can move on to the network configuration.

So let's head over to the Network tab and then to Zones. It's best practice to terminate the tunnel in its own zone so we can then enforce policies between the GlobalProtect zone and other zones on the firewall. So what we need to do is click Add, and we're just going to call this "globalprotect". This is going to be a Layer 3 zone, and then we're going to enable User Identification and click OK. Next we're going to create a tunnel interface, so let's click on Interfaces, then Tunnel, then Add. I'm just going to use tunnel.2, and then we're going to assign it to the existing virtual router, vr1, and to the new globalprotect zone, and click OK.

Now we can go and create a GlobalProtect gateway. Staying in the Network tab, we go over to Gateways and click Add, and we're going to give the gateway a name, "mb tech gateway". Then we associate the interface, ethernet1/1, and also the IPv4 IP address. Then we need to go into Authentication and choose the SSL/TLS service profile that we created, which has the certificate inside. Then we need to provide some client authentication, so I'm just going to call this "gp gateway auth"; I'm going to leave OS at Any, and we're going to need to create a new authentication profile. I'm going to call this "globalprotect ldap auth", because I'm going to use an LDAP server profile, so Active Directory essentially. Then we're going to change Type to LDAP and choose an existing LDAP profile, and then in Advanced, the Allow List, we're going to click Add and allow everyone, so "all", and click OK, and then click OK on that.

OK, next we go to the Agent tab, and underneath Tunnel Settings we're going to enable Tunnel Mode and select the tunnel interface that we're using to terminate the GlobalProtect tunnel, which is assigned to the globalprotect zone. We're going to keep the Enable IPSec tick box checked; if it's not checked then it will fall back to SSL, but this is recommended, so IPSec is recommended for GlobalProtect. Then we're going to go into Client Settings, and we're just going to create a basic configuration here, just to get things working; we're not going to go into any of the advanced config selection criteria. So I'm just going to give this a name, "mbtech-security team". We're not doing anything with authentication override, just IP pools here. This is where we're going to assign these users an IP pool, so if we click Add, we're going to use 172.16.3.0/24. We're not using anything else in here, so this is just a basic configuration just to get things going. Click OK, and then in Network Services we're going to set the primary DNS; this is going to be the AD server, so 10.4.4.100, and then we're going to use Google's DNS as a secondary. So that's all the gateway configuration we need for this video. As I said at the beginning of the video, we're going to do the more advanced configuration in subsequent videos, so we can just click OK here.

OK, so we can move on to the portal configuration. We click on Portals, click Add, and give it a name, "mb tech portal". Select the interface, ethernet1/1, and the IP address which is associated with that interface. Then we can click on the Authentication tab. We're going to choose the SSL/TLS service profile that we used in the gateway configuration, because the certificate's shared between the portal and the gateway, because it uses the same IP address. Then we need to configure some client authentication, so we're going to call this "gp portal auth", and for the authentication profile we can use the existing LDAP auth we used earlier, and we can click OK on that. Then, if we go to the Agent tab, this is essentially the configuration that gets pushed down to the GlobalProtect app when users first connect. So you can have multiple configurations based on users, groups, teams; for example, a security team, an IT help desk team, or HR, finance, etc. So we're just going to create one for the MB Tech security team. We're not going to delve into the config selection criteria or the internal gateways, but we do need to specify the gateway that these users would connect to. So I'm going to click Add, and we're going to give it a name, which is "mb tech gateway", and we're going to use the IP address of the gateway, so that's 192.168.21.250, and the source region will be Any, and then click OK. Then in the App tab, these are essentially the settings that users can interact with in the GlobalProtect app, so you can enable or disable things; you may not want them to change settings. In my lab I like to change the connect method from User-logon (Always On) to On-demand so that I have control over the connection. Then we click OK. Finally, in Trusted Root CA we add the root CA from the firewall, and we get it installed in the local root certificate store; so essentially, when the GlobalProtect app connects to the portal, it will deploy these certificates to the client. It's recommended that you do this, and any intermediate certificates that are required, add them all in here and they get pushed down. So we just click OK there. So that's the portal configuration finished.

So at this stage we have all the necessary GlobalProtect components configured; we just need to configure the correct security and NAT policies to allow GlobalProtect access. So what we're going to do is go to the Policies tab and create a security rule that allows the GlobalProtect app to connect to the portal and gateway. Let's call this "globalprotect infrastructure". The source is going to be untrust, because that's where users are going to be based, and the destination is going to be untrust, because that's where the IP address resides, on ethernet1/1. For the application we're going to add the GlobalProtect app, which is panos-global-protect, and that's got a dependency on ssl, so we can add that to the current rule. Service is going to be application-default, and then we're going to allow it and click OK. Then we're going to move that rule just below the block rule, the deny rule, so this becomes rule number two. Then we're going to create a security policy to allow GlobalProtect users to access internal resources, "gp users to internal resources". Source is going to be the globalprotect zone, the destination is going to be dc, dmz and users, application at this stage we're just going to leave as any, and service application-default, and then we click OK and put that underneath the GlobalProtect infrastructure rule. Then what we're going to do is change the general internet access rule that currently only has dc and users in; we want to put the globalprotect zone in there as well, so it allows them out to the internet once they connect in. So I'd add the globalprotect zone and click OK. Then finally we've got the NAT policy for source NAT, which is NATting these zones out to the external interface; we need to include the globalprotect zone in there as well, so we add globalprotect and click OK. So that's all the security policies configured now, so all we need to do is just click on Commit, and then we can test.

Before we move on, I just want to make you aware that the Windows 10 lab client has already been joined to the mbtech.local domain and has the root CA in its trusted root certificate store. So before moving this client onto the internet connection, you need to make sure this has been done; otherwise, when you attempt to connect to the portal and the gateway you're going to get a certificate error. So just have this in mind and you shouldn't have any issues.

OK, so the next thing we're going to do is change the network on the Windows 10 client, because currently it's connected to the inside of the firewall; we want to turn this into, essentially, a machine on the internet. So what we're going to do is go into VMware Workstation and change the settings. I go to Settings, then the network adapter, and change this from VMnet3 to the VMnet0 auto-bridged network, which actually goes to the physical network, and click OK. Then we go into Control Panel and change the network settings: we change the IP address, go into Properties, change this to DHCP, and click OK. So hopefully we should be able to see this go to the home internet network, which it has. So if I click on that now, we can see that it's got a 192.168.21.10 address, and if you remember, the outside interface of the firewall is 192.168.21.250. So what we're going to be able to do now is open up a browser and browse to the portal to be able to download the GlobalProtect app. So if we go to https://192.168.21.250, and it goes to Advanced and then Proceed, then we're given a user logon. I'm going to log in with mbtech admin and my password, and then we get the ability to download the GlobalProtect agent, so Windows 64-bit OS. We can wait for that to download, and once it's downloaded we just run the MSI and go through the installer and then close it. As you can see, the agent's installed. We can now put in the gateway IP address, which is 192.168.21.250, and now it's asking for username and password, and we're connected. So that was a successful installation of GlobalProtect using a VM-Series firewall hosting both a GlobalProtect portal and gateway. So that's worked out great.

So let's just go back to the firewall web UI and have a look at the logs, because, as of, I think, 9.1, you get the advanced GlobalProtect logging. So if we go to the Monitor tab and then to GlobalProtect, you can see that I'm logged in as mbtech admin, I'm connected to the mbtech gateway, I've been given 172.16.3.1, and you can see that I'm connecting from the Windows 10 lab client.

OK, so that's all done. I'm happy with the result. I will see you in the next video, thanks. OK guys, that's it for today's video, thanks for watching. Over the next coming weeks I will be uploading more videos where I will be sharing more content about Palo Alto firewall features and technologies and how to configure them. If you like this video, I'm sure you know what to do by now, but just in case you don't, please hit that like button below and share with your friends, and be sure to hit that subscribe button and the bell to get notified every single time I post a new video. If you have any ideas or video content you want me to create, please put them in the comments below, as I would love to hear your feedback on any aspect of my channel. Please keep watching and I will see you in the next video. Thanks.
Info
Channel: MB Tech Talker
Views: 1,294
Id: tIZ9GY2yATc
Length: 20min 38sec (1238 seconds)
Published: Wed Sep 08 2021