Palo Alto Firewall GlobalProtect VMware Workstation Lab

Captions
Hey guys, welcome to MB Tech Talker. My name is Matt. In this video I'm going to show you how to configure a simple GlobalProtect deployment on a Palo Alto virtual next-generation firewall using VMware Workstation. If you want to see more videos like this, be sure to hit that subscribe button and the bell to get notified every time I post a new video.

So what is GlobalProtect? Well, GlobalProtect extends next-generation firewalls to the client endpoints, which delivers full traffic visibility, simplifies management, unifies policy and stops advanced threats. There are multiple GlobalProtect components, including GlobalProtect portals, GlobalProtect gateways and GlobalProtect client software. The portal provides management functions for the GlobalProtect infrastructure. Clients that communicate with the infrastructure receive configuration from the portal, including available GlobalProtect gateways and client certificates that may be required to connect to those gateways. There are two flavours of gateways: external gateways and internal gateways. The external gateway provides VPN access for the GlobalProtect agents and apps from outside of the network, whereas the internal gateways are configured to be accessed on the inside, or trusted, side of the network. A use case would be internal clients accessing critical or sensitive data on the LAN which needs to be encrypted or separated from other users who are not authorised to access the data. When a client first connects to the portal requesting access, the portal identifies and authenticates the client and in turn sends the configuration to the client with information about available gateways. Gateways can be configured with priorities, which dictate which gateway the client should connect to, or gateway selection can be based on the gateway's fastest response.

So let's get into the lab setup. This diagram has been taken from my earlier video where I showed you how to configure a Palo Alto firewall in VMware Workstation, so be sure to check that out first; I will leave a link in the description. The only difference is the DMZ zone interface ethernet1/3 is not used and the client VMs are Windows clients. So before you start there are a few prerequisites. You will need to make sure you have a Windows Server 2012 or 2016 configured with Active Directory and acting as a DNS server. I also have a Windows 10 client configured and joined to the domain. I've run a Windows Update on both machines whilst using the VMnet0 bridged connection within VMware Workstation, and once both clients were fully patched I connected them back to VMnet3 on the 10.3.3.0/24 subnet and then configured static IPs on both Windows machines. The Palo Alto firewall is licensed with a VM-50 eval licence; this allows me to download the GlobalProtect client and host it on the firewall so it can later be downloaded directly from the firewall to the client machines. Using the same VMware Workstation lab topology used in my previous video, the layer 3 interface ethernet1/1 will be used to access the portal, and ethernet1/2 is the inside zone where both the Windows 10 and Server 2016 machines are connected to VMnet3.

OK, so before we jump into the lab I'm just going to explain that both the portal and the gateway will coexist on the same firewall. Typically in a production environment you would see the portal and the gateways on different or separate firewalls, and they can be in different countries or different regions, and then it would provide a much more scalable solution. But because this is obviously a lab and it's just demonstrating how the portal and gateway work, this also keeps the footprint reduced, you know, using fewer VMs inside of VMware Workstation.

OK, so let's jump into it. First of all I'm going to create a layer 3 untagged sub-interface. In order to do that we go to the Network tab and we click on the existing ethernet1/2 interface, and then we go into Advanced; at the bottom there you can see "untagged sub-interface", we need to check that and then click OK. Now with ethernet1/2 still selected, go to the bottom and then click on Add Subinterface. This is going to be ethernet1/2.2. We're going to put a quick comment in here, so we're just going to put "internal GP gateway and portal", and then what we're going to do is assign this sub-interface to the existing VR1 virtual router and assign it to the inside security zone. We're going to give it an IP, something just completely separate; I just chose 10.2.0.254 on a /24 subnet. Then in the Advanced tab I assigned a management profile, which is the existing ping management profile, which allows us to test connectivity to that sub-interface, and then we can just click OK and that's done.

OK, so next we're going to move on to certificates. GlobalProtect requires three certificates, one each for the portal, external gateway and internal gateway. Now in a production environment the certificates are typically signed by a common certificate authority; however in my lab I'm going to generate a firewall self-signed root CA certificate as well as an internal gateway cert and a combined GlobalProtect portal and external gateway certificate, as both the portal and external gateway share the same IP address. OK, so if we head over to the Device tab and then on the left we're going to go to Certificate Management and then hit Certificates. From here we're going to generate three certificates. So the first one is the self-signed certificate, so we're just going to call this "GlobalProtect CA" and put the same in the common name, so that's GlobalProtect CA, and then we're just going to check the Certificate Authority box and then click Generate, and click OK on that. The next one is the external gateway portal cert, so again just hit the Generate button. This one is going to be called "external gateway portal cert"; I know it's a long name but it's easier to identify if needed later on. The common name for this one is going to be the IP address of the interface, so that's the external ethernet1/1, so in my case it's 192.168.21.250, and then we're going to sign it with the CA we created a moment ago, and then just generate that. And then one more, this is going to be the internal, so this one's "internal gateway portal cert", and then we're going to use the sub-interface ethernet1/2.2 IP address, so this is going to be 10.2.0.254, and then again sign it with the GlobalProtect CA, so the self-signed certificate, and then just click Generate. So that gives us three certificates: the self-signed, and the external and internal certs nested underneath this root CA. So that completes that configuration.

OK, so the next step is to create an external and internal SSL/TLS service profile. Palo Alto firewalls use these to specify which certificates should be used by the GlobalProtect portal and the gateways. So if we head over to SSL/TLS Service Profile underneath Certificate Management and then just click the Add button, from here we give it a name; I'm just going to call this "ext-port-SSL-TLS", and then we're just going to use the external gateway portal cert, click OK. Add another one for the internal and give it a name, "int-port-SSL-TLS", and then we're going to use the internal gateway portal cert and then click OK. So that's done.

OK, so the next step is to define a server that the firewall will use to authenticate users when the GlobalProtect agent connects to the portal, and again when the agent connects to the gateway in order to set up the VPN. So in my lab I have a Windows Server 2016 configured with Active Directory and it is running a DNS server. The Windows 10 client has also been joined to the domain. I have an LDAP account, or AD account, that is going to be used for LDAP queries. So here on my 2016 server you can see I've got an account called palo-ldap-svc; it's just a member of Domain Users. I've just popped it in the Managed Service Accounts group here; this is just so the firewall can query the Active Directory server, nothing really special going on here. So we go back to the firewall and, under the Device tab still, we go to Server Profiles and we go to LDAP and we're going to create an LDAP server profile. We can give it a name; we're going to call it "lab-server-AD", and then we're going to put the server's name in there, so it's WS-lab-AD (WS for workstation), and then the server's address, so 10.3.3.100, and leave the port at 389. In the server settings we're going to choose Active Directory, and the Base DN, this is my domain information and it's configured in this format, which is DC=techtalk,DC=local; hit Tab on that. Then I'm going to reference the palo-ldap-svc AD account that I showed you previously, so that's palo-ldap-svc@techtalk.local, and then the password; you've got to type it twice. Try that again, and then untick "Require SSL/TLS" and then click OK. So that's the LDAP server profile configured.

The next thing we need to do is configure an authentication profile. So the authentication profile references the lab-server-AD LDAP server profile. So we need to stay where we are, go to Authentication Profile and then click Add, and then give it a name. I'm going to call this "GP-users-auth-prof", and then I'm going to select the type to be LDAP and then choose the lab-server-AD server profile, and then under the Advanced tab I'm going to click Add and then we're going to select "all", and then we're going to click OK. So ultimately that finishes the LDAP server profile and authentication profile and we can move on to the next part of the lab.

OK, so next we need to create a logical tunnel interface for encryption and decryption purposes. This allows the GlobalProtect client to establish a secure connection to the gateway. So in the web interface select the Network tab and go to Interfaces and then to Tunnel, and from here we can add a new tunnel interface. So we're just going to pop a 1 in there, add a comment, which is "GP gateway VPN", and then we're going to assign it to the existing VR1 virtual router and the inside security zone. Click OK and that configuration is now complete.

OK, so next we're going to move on to the GlobalProtect gateways. So the internal gateway can be used for User-ID deployment and host information profile enforcement, aka HIP. They also can be used to encrypt traffic from the client to sensitive internal resources through a VPN gateway. So let's create the internal gateway now. So still under the Network tab, under the GlobalProtect heading we go to Gateways and then we're going to click Add, and then we're going to give it a name, so I'm just going to call it "GP-int-gateway", and then we're going to choose the sub-interface we created at the beginning of the video, and then the IPv4 address is the IP associated with that interface. Authentication is going to be using the SSL/TLS service profile, so we go in and drop down and use the internal port SSL/TLS service profile. And then under the client authentication we're going to click Add and we're just going to call this "lab-AD"; OS is any, you can change this to be whatever you want it to be; the authentication profile is the GP-users-auth-prof profile that we created earlier. Click OK, so that completes the internal gateway.

So now the external gateway, which is the VPN gateway that GlobalProtect clients connect to when they are outside of the corporate network. So again just click on Add, give it a name, so "GP-ext-gateway". The interface will be the outside zone interface ethernet1/1 and then the associated IP address of 192.168.21.250 is going to be used. On the Authentication tab, underneath the server authentication again we're going to choose the service profile, this time it's the external one. Client authentication, this is just a repeat, so we just call it "lab-AD" and then we're going to use the same GP-users-auth-prof profile as before, and then click OK. We've got a little bit more work to do on this one, so we need to go to the Agent tab and I'm going to use the tunnel mode on this configuration. So tunnel mode is optional, it's an optional configuration, and as you can see IPsec is enabled by default, but as you see, if I select the tunnel interface I created earlier, I could uncheck that and by unchecking that it will fall back to SSL. So I'm going to use this tunnel interface and I'm going to leave it default, and then go into Client Settings and then click Add, and I'm going to call this "GP-client-config", and then we're going to create an IP pool for the users. So the GlobalProtect client will get an IP from the IP pools defined here, so I'm just going to make one up: 192.168.100.200 to 192.168.100.210. That gives me a range of IPs; it gives me ten IP addresses that can be assigned, one IP to each of the ten clients. So that's the pool configured, and then finally in the Network Services tab I'm going to set the primary DNS server to be my internal DNS server, which is the Windows 2016, so I'm going to do 10.3.3.100, and then I'm going to set Google's DNS as the secondary and then click OK. Let's just have a look at this; for some reason it didn't take the IP address, let's do that again, there we go. So now we've got both the gateways set up: the internal gateway is using the sub-interface and the associated IP is 10.2.0.254; the external gateway is on the outside zone interface ethernet1/1 and is using 192.168.21.250, and we've got a pool set up as well. So those gateways are now configured.

We can now move on to the portal configuration. So as I mentioned in the video earlier, the portal provides management functions for the GlobalProtect infrastructure. Clients that communicate with the infrastructure receive configuration from the portal, including available gateways and client certificates that may be required to connect to those gateways. So we're going to create a new portal. So from the Network tab under the GlobalProtect heading I'm going to click on Portals and then we're going to click Add, and then we're going to give it a name, so this is "GP-portal", and the interface is going to be ethernet1/1, and the IPv4 address should be in the drop-down box, so in my case it's the 192.168.21.250. Then you're going to hit the Authentication tab and underneath the server authentication we're going to choose the external service profile and just select that, and then under the client authentication we're going to give it a name, so this is going to be "lab-AD", and then we're going to choose the authentication profile created earlier called GP-users-auth-prof, and then click OK.

Now we need to click on the Agent tab and at the bottom we're going to add the trusted root CA, so it's the GlobalProtect CA that we created earlier on the firewall. Now we need to click on Add underneath the Agent section and we're going to give this a name of "portal-agent-config", and then we're going to click on the Internal tab. So this part of the configuration is for the GlobalProtect internal host detection. This is a feature that uses a reverse DNS lookup on the Windows AD server which will attempt to resolve the IP address 10.2.0.254 to a fully qualified domain name, and if successful the GlobalProtect client will connect to the internal gateway; if the reverse DNS lookup fails, the client will connect to the external gateway. So on the Internal tab we're going to select the internal host detection, we're going to add the sub-interface IP address we created, which is 10.2.0.254, and then I have a fully qualified domain name configured on the Windows server, so it is gp-int-gw.techtalk.local. So if I go over to the server, the Windows 2016 server, and show you the DNS settings: if I go into DNS and the forward lookup zone, here is the domain techtalk.local and you can see there I've got GP-int-GW, and if you ping that, that would give you the IP 10.2.0.254, which is the sub-interface, so that's the portal IP address. And if you go to Reverse Lookup Zones, I created a new reverse lookup zone and there's an entry in there, a pointer record, saying that 10.2.0.254 resolves to gp-int-gw.techtalk.local. And if I was to go to my other Windows 10 machine and do a quick test, if I open up a command prompt and then I did "ping -a 10.2.0.254" I should get a response, and as you can see I get a response from the fully qualified domain name. So that will work; so if the firewall actually does a reverse DNS lookup it will get a response back from the server. So let's go back to the firewall and just check. So now we've done that, that's the easy part there.

Now we need to add the internal gateway. So this is just going to be called "int-gateway-1" and then we're going to select IP address and I'm just going to give it 10.2.0.254 and then click OK. And now we need to go to External and then we're going to add an external gateway in, which is going to be "ext-gateway-1", and again IP address, and that's going to be the outside interface, so 192.168.21.250, and then in the source region we need to click Any because we're not filtering, we're just going to allow anything, anyone, to connect to that gateway. Click OK. So we've got an internal gateway and an external gateway, so that's the portal configuration completed, so we can click OK on that and OK on that. So if we expand it, we've got a new portal called GP-portal; it's on ethernet1/1, it's using the outside interface address 192.168.21.250, it's using the external service profile, it's using the GP-users authentication profile, it's using internal host detection, so there's a reverse DNS configuration there, and there's two gateways, an external gateway and an internal gateway. So that is the portal configured and we can move on to the next step.

So when a new user needs to obtain the correct GlobalProtect agent software, we can get the user to download it directly from the GlobalProtect portal web page. So in order to do that we need to make sure that the agent is hosted on the firewall. So if you go to the Device tab and then down to GlobalProtect Client, if this is the first time you've done this lab or clicked this button then there will be nothing showing. Now once you're at the page, at the bottom you need to click Check Now and that will just populate the page with all the available versions of the GlobalProtect client. Now the only caveat is that you will need a licence installed on the firewall to download from Palo Alto. I did attempt to do this without the licence; it didn't work, so I wasn't able to complete the demonstration without licensing the firewall. But if you are licensed then this is where you'll be, and then you can download it and then activate it, and then the version that you've installed will show up on the dashboard. So as you can see, for this lab I'm using 5.0.0.

OK, so the next thing we're going to do is create a security policy rule to allow clients on the inside to reach the portal and gateway outside interface address. So if we head over to the Policies tab and go to Security and then click Add, call the rule "inside-to-portal-gateway", and then source it from the inside zone, destined to the outside zone, and the destination address is the outside interface, which is 192.168.21.250, and then application is any; service, I'm going to change that to any just for simplicity, just for demonstration, so we don't get anything causing any traffic to be blocked, and then click OK. I'm just going to move that to the top. And then we need to create a no-NAT rule, because currently traffic from the inside zone to the outside uses source NAT. We need to create a NAT policy so internal clients' GlobalProtect requests to the portal and the gateway will not get their addresses translated by the existing hide NAT rule. Once the new NAT rule is created we need to move it to the top of the NAT policy. So create a new NAT policy; we're going to call this "GP-clients-to-portal-no-NAT", and then the original packet is going to be inside source, outside destination, destination interface ethernet1/1, and then the destination address is going to be the outside interface again, and then the translated packet is left at none because we're not doing any translation. So GP-clients-to-portal-no-NAT: original inside to outside, destined to the ethernet1/1 interface, to that IP, no NAT, and then we're going to move that to the top.

OK, so we're going to move on to the final configuration steps. We need to make sure that the firewall is using the internal DNS server and that LDAP queries are sourcing from the inside zone interface, as by default management services use the management interface and IP. So let's start by configuring the primary DNS server. So under Device, Setup and then Services we need to click the gear icon, and under the DNS settings we need to change this from the Google DNS server to the internal AD server, so 10.3.3.100, and then we'll change the secondary to Google's DNS, and then click OK. Then the service route configuration: as you can see it's using the management interface for everything, so we need to click Customize and then we need to look for DNS and click DNS, and we're going to select the inside interface, so ethernet1/2; as you can see it's populated the IP address of the interface. And then look for LDAP and do the same there, ethernet1/2, and then click OK. So that is the final configuration. We can now move on to the testing, but before we do we're going to commit all the changes. So let's just commit everything and let that push the config to the running config, and then we can go on to the testing.

OK, so now it's time to see if we can download the GlobalProtect client from the portal. So let's head over to VMware Workstation and go to the Windows 10 client, let's open a browser and we're going to browse to the external IP address of the firewall, so http://192.168.21.250. Hit return; Advanced, Proceed. That's good news, so we've got a successful GlobalProtect portal login window. So we need to make sure we have a domain user AD account configured on the server, as we will be using the account and the authentication profile using LDAP that we configured earlier in order to log in to the portal. So if we go to Windows Server 2016 and then open up Windows Administrative Tools and then Active Directory Users and Computers, I'm just going to show you that I've got just a simple mbtech-admin domain user account set up; it is just a member of Domain Users. So if we go back to Windows 10 and log in, so mbtech-admin and then the password. Now we're given some options to download the GlobalProtect agent; I'm just going to download the Windows 64-bit, doesn't take long, and then we should be able to run that installer and then just click Next, Next, Next, Next, Yes, Close. So as you can see that has successfully connected to the firewall, to the GlobalProtect portal, giving you the option to download the GlobalProtect agent based on your OS, and then installed it, and we're ready to connect.

So we'll move on to testing the actual VPN connection and seeing what happens when you're inside the network and when you're outside the network. So first of all we need to enter the portal address, which is 192.168.21.250, and then click Connect. Now we're going to enter the password of mbtech-admin, which is the AD account that I created earlier. We're going to sign in, and as you can see we are connected to the internal gateway. So if we go into Settings, we go to the Connection tab, you can see that both gateways are listed but I'm authenticated using the internal gateway. So if I just go and open up a command prompt and I do an "ipconfig /all", you can see that the GlobalProtect virtual Ethernet adapter hasn't got an IP address assigned and we're still using the static IP of the Windows 10 client. So what I'm going to do is disconnect this connection, so I'm going to sign out; I'm just going to cancel that for a minute, and then what I'm going to do is change the Windows 10 network so that it's connected to my home network, which is the outside address of the firewall, and then re-establish the GlobalProtect client and see the difference.

So first of all I'm going to go into the adapter settings on the Windows 10 client and we're going to change it from static IP to DHCP, because my home network is providing DHCP addresses. And now we need to go into the Windows 10 VM settings and then we need to change the network adapter from VMnet3 to the bridged connection, so that's bridged directly to the physical network of my home network, and then click OK. And then we should get an IP address from the home network, and if we go into Status and then look at the details you can see we've been given a 192.168.21.45 address. So this is going to be like coming from the internet, because the outside interface of the firewall is on the same subnet. So if we go back to the client and sign out, and then we're going to sign back in now, so enter the password again, and it's attempting to connect, and as you can see we've connected: "Connected. You're securely connected to the corporate network." So now if we go into the gear icon and go to Settings and go to the Connection tab, the internal gateway has now disappeared and we've got a full tunnel into the corporate network via the external gateway and we're authenticated. So if we go back to the Palo Alto and we go to Network and Gateways, and if we go to the external gateway and click on the hyperlink, the Remote Users hyperlink, and if we just enlarge this and then just adjust these columns, you can now see any current user that is connected to the external gateway, and as you can see there's the mbtech-admin user coming from the workstation lab client; it's a Windows 10 and it's been given an IP address of 192.168.100.200, and it's coming from a public IP, which is, you know, my home network, and it's full IPsec, external. So that's been a successful demonstration of how to set up a GlobalProtect lab in VMware Workstation. Please let me know how you got on with your own lab, put it in the comments below, and please hit that like button if you found the video useful. Thanks very much.

OK guys, that's it for today's video, thanks for watching. Over the coming weeks I will be uploading more videos where I'll be sharing more content about Palo Alto firewall features and technologies and how to configure them. If you liked this video I'm sure you know what to do by now, but just in case you don't, please hit that like button below and share with your friends, and be sure to hit that subscribe button and the bell to get notified every single time I post a video. If you have any ideas of video content you want me to create, please put them in the comments below, as I would love to hear your feedback on any aspect of my channel. Please keep watching and I will see you in the next video. Thanks.
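The internal host detection step described in the video (the portal tells the client an IP address and the hostname it should reverse-resolve to; a match means "I am on the inside, use the internal gateway", anything else means "use the external gateway") can be exercised outside the GlobalProtect client. The script below is an added example written for this page, not code from the video or from Palo Alto Networks. It reproduces the decision the client makes and also prints the reverse-zone record name the PTR has to live under, which is the record the video creates on the Windows DNS server. The IP addresses are the lab values from the video; the hostname gp-int-gw.techtalk.local is how the spoken name is rendered here and is an assumption. The offline test uses a constructed PTR table instead of the lab's DNS server.

```python
"""Reproduce GlobalProtect-style internal host detection (added example, not vendor code)."""
import ipaddress
import socket
from typing import Callable, Dict

# Lab values from the video. The FQDN spelling is an assumption taken from the captions.
INTERNAL_GW_IP = "10.2.0.254"
INTERNAL_GW_FQDN = "gp-int-gw.techtalk.local"
EXTERNAL_GW_IP = "192.168.21.250"

# A resolver maps an IP address to the name its PTR record returns, or raises OSError.
Resolver = Callable[[str], str]


def ptr_name(ip: str) -> str:
    """Record name the PTR must have in the reverse zone, e.g. 254.0.2.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def system_reverse_lookup(ip: str) -> str:
    """Reverse lookup through the OS resolver; socket.herror (an OSError) when no PTR exists."""
    return socket.gethostbyaddr(ip)[0]


def fake_resolver(ptr_table: Dict[str, str]) -> Resolver:
    """Resolver backed by a constructed PTR table, so the logic can be tested offline."""
    def lookup(ip: str) -> str:
        if ip not in ptr_table:
            raise socket.herror(1, "Unknown host")
        return ptr_table[ip]
    return lookup


def internal_host_detected(ip: str, expected_fqdn: str,
                           resolve: Resolver = system_reverse_lookup) -> bool:
    """True only if the reverse lookup of `ip` yields exactly the expected FQDN.

    A missing PTR, a resolver error, or a PTR pointing at any other name all
    count as "not internal"; the comparison ignores case and a trailing dot.
    """
    try:
        name = resolve(ip)
    except OSError:
        return False
    return name.rstrip(".").lower() == expected_fqdn.rstrip(".").lower()


def select_gateway(resolve: Resolver = system_reverse_lookup) -> Dict[str, str]:
    """Pick the gateway the client would use under the portal config from the video."""
    if internal_host_detected(INTERNAL_GW_IP, INTERNAL_GW_FQDN, resolve):
        return {"mode": "internal", "gateway": INTERNAL_GW_IP}
    return {"mode": "external", "gateway": EXTERNAL_GW_IP}


if __name__ == "__main__":
    print("PTR record required:", ptr_name(INTERNAL_GW_IP), "->", INTERNAL_GW_FQDN)
    # Live check against whatever DNS server this machine is configured to use.
    print("decision on this host:", select_gateway())
```

The decision rests entirely on an answer from whichever DNS server the client happens to be using, so a network that controls the client's DNS can make it believe it is inside; treat internal host detection as a convenience for gateway selection, not as a security boundary, and keep the internal gateway behind the same authentication and policy as the external one.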
Info
Channel: MB Tech Talker
Views: 2,373
Keywords: palo alto networks, palo alto firewall, vm-series ngfw, palo alto networks firewall, palo alto firewall setup, palo alto vm-series, vm 100, palo alto WebUI, Palo alto mangement configuration, palo alto vm, palo alto firewall tutorial, next generation firewall, next-generation firewall demo, palo alto firewall tutorial for beginners, setup palo alto firewall basic configuration, palo alto vm series, globalprotect, vmware workstation, globalprotect palo alto, global protect
Id: 21m5hBEqvDY
Length: 38min 28sec (2308 seconds)
Published: Thu Nov 07 2019