Palo Alto Lesson: 10.6 Lab: GlobalProtect

Captions
Hello and thank you for watching my video. My name is Astrit Krasniqi. I am a Cisco CCNA, CCNP and Palo Alto certified instructor. In this video we are covering PCNSA 210, and this is our chapter 10, GlobalProtect remote access VPN. This is the sixth video of chapter 10, which is 10.6, Lab: GlobalProtect.

I'm going to configure GlobalProtect from scratch, so I'm going to do every little thing that needs to be done in GlobalProtect, but I'm not going to explain every little detail, because then this video is going to get very long. It is not going to be a short video, because there's a lot to configure for GlobalProtect. This is what we're going to do: we're going to create certificates for the GlobalProtect portal, internal gateway and external gateway; attach the certificates to an SSL/TLS profile; configure a server profile and an authentication profile to be used for authenticating users; create and configure the tunnel interface to be used with the external gateway; configure the external gateway and portal; host the GlobalProtect agent on the portal for download; and then test the external gateway. So there is a lot of stuff to configure, but it is interesting stuff and very fun when you configure GlobalProtect.

This is the lab topology that we'll be using to demonstrate GlobalProtect for you. I already have a Windows 7 machine in the outside zone with this IP address that will be using GlobalProtect to come into the inside zone and start accessing the shares and content on the inside zone. For this demonstration I will be using one firewall to host both the GlobalProtect portal and the GlobalProtect gateway, so they will have the same IP address and we'll have only one certificate. This user is going to access the portal; the portal is going to authenticate and authorize it and actually give it the software that this machine has to install, as well as the list of gateways it has. The firewall will actually authenticate with the Windows server to make sure the user in the outside zone has access to GlobalProtect. I already have a user called "pan agent" in the Windows server, and that's going to be communicating between the firewall and the agent, and I already have a user that's allowed to come from outside to the inside; that user is just called my name, so "astrit user".

Okay, so let's start configuring GlobalProtect. The first thing that we're going to do is go and create certificates for the GlobalProtect portal, the internal gateway (even though I'm not going to use the internal gateway, I'm going to show you how to create one certificate for that) and the external gateway. I'm going to keep coming back to this window because there's a lot of stuff to do and we don't want to forget any of the items on this list. So if I access my firewall: in the firewall I have reset everything, I have cleared all the logs, so there's nothing in there, just a regular configuration like zones and interface IP addresses and so on, but there is nothing for a GlobalProtect configuration.

Okay, so the first thing that we need to do is create certificates, and we're going to create three certificates: one as a certificate authority, which is going to be trusted by internal users and is going to be issuing and signing all the other certificates, for example for the internal gateway, the external gateway and the portal. To create the certificates I need to go to Device, then Certificate Management and Certificates. Three certificates here. The first certificate that we're going to generate is going to be our certificate authority certificate, which is going to be signing the other certificates as well, so I'm just going to call this "astrit CA certificate", and for the common name I'm going to use the same. I'm not going to have it signed by any external authority, so we have to export this certificate and import it to our client machine to trust it, otherwise they're not going to trust it. This is going to be our certificate authority. So if I press F11 here just so we can see everything, and generate the certificate: this is my first certificate, the certificate authority certificate, generated. Then I'm going to generate two more certificates, one for the portal and one for the internal gateway; the portal will be the external gateway as well. So on this one I'm going to call it "portal and external gateway certificate", and the IP address for this portal and external gateway certificate is 203.0.113, and this certificate will be signed by this certificate authority. That's it. Then I'm going to create another certificate; now this one is for the internal gateway, so it's not going to be the portal, just the internal gateway. I'm not actually going to use the internal gateway, I'm just explaining how to make a certificate for it. So 192.168.2.1 is the IP address of this internal gateway, it is signed by the same certificate authority, and click Generate. Now we have the certificates done.

The second step, if I go back here, was to attach the certificates to an SSL/TLS service profile, so I need to go to the service profiles and attach these certificates. Just a bit further down, still under Device, I have SSL/TLS Service Profile, and I'm going to create one for the external, so "external SSL TLS", and the external SSL/TLS profile is going to use, well, the external certificate. I'm going to create another SSL/TLS profile for the internal, so "internal SSL TLS", and this is going to be for the internal gateway. Okay, so my SSL/TLS service profiles are done. The first step, to create the certificates and the SSL/TLS profiles, is complete.

The next step is to configure a server profile and an authentication profile, so the server profile first. For the server profile we need to go to Device, Server Profiles, and even though we can use RADIUS, TACACS+, LDAP, Kerberos and so on, we're going to be using LDAP, so that's going to be our server profile. Like I told you before, I already have an account on my domain controller as an agent that this firewall is going to use to access LDAP information. So I click Add here; under the profile name I'm just going to call it "astrit LDAP server profile", and for the server list I'm going to use my domain controller, which is our 2016 server, an LDAP server; the IP address is 192.168.1.20, the port we're going to leave at default, the server type is going to be, for example, Active Directory (we can have others, but for us it is Active Directory), and the base distinguished name is going to be dc=lab, dc=local. Now, to bind the distinguished name: like I told you, I have a domain controller here that is running, and in there I have an agent, so let me just log on and show you what the firewall is going to actually communicate with. Okay, so "palo alto" is the password. In here, if I open Active Directory Users and Computers, I just want to show you the agent; it's already configured, and one account that's going to be allowed to access GlobalProtect. So in Active Directory Users and Computers, Users, the agent is here, "pan agent", and this is going to communicate between the firewall and this domain controller. I already have "astrit user" here who's allowed to access GlobalProtect. Excellent.

So now if I go back to my firewall and press F11 to see it better, the connection here is pan at lab.local, password is "palo alto", so easy so I can remember it. Bind timeout, search timeout, everything leave at default, and untick "Require SSL/TLS secured connection". This is my authentication server profile. Now that I have configured that, I have to add this to my authentication profile. So if I go just above, under Device, Authentication Profile, I'm going to create a new one and call it "astrit authentication profile". Type: well, here you can see what different types of authentication profile we can use; I'm going to be using LDAP, and the one that I created earlier was this one, so this binds to the LDAP server profile here, and the user domain is going to be lab.local. That's it. Under Advanced you can see this little red line, which means that we have to fill something in: we have to allow some users for authentication, but I'm just going to choose all of them, and click OK. Now I have my server authentication profile and the authentication profile.

So if I go back to my list of what I need to do: configure a server profile and authentication profile to be used for authenticating users, done that. Create and configure the tunnel interface to be used with the external gateway: the next thing we need to do is configure the tunnel. I need to do that under Network, Interfaces, and I go to Tunnel interface, click Add. We can't change the name, it's read only, but I'm just going to give it a number, so 55, and comment nothing. I don't need to configure anything apart from adding it to the virtual router, which is going to be the labvr, and the security zone, which is going to be the inside zone. So that's it on our tunnel interface: just give it an ID and then the virtual router and security zone. We don't need to give it an IP address or anything in Advanced. That's it.

The next thing: configure the external gateway and portal. You can see everything up to here is done quite quickly. Now we need to configure the external gateway and the portal. First I'm going to do the portal, and to configure that I need to go to Network, GlobalProtect, Portals and click Add. Under the portal I'm just going to add a name, so "astrit GlobalProtect portal", and the interface for this portal is going to be our outside-facing interface, which is ethernet1/1, and the IP address which I'm going to use on the IPv4 is this one, 203.0.113.20. Now appearance I'm going to leave at default; I'm not going to change how it appears. For authentication I need to use the SSL/TLS service profile which I have configured already, and this is my external SSL/TLS; it's going to be used for the portal and it's going to be used for the gateway. Under the client authentication I click Add and I give it a name, so "GlobalProtect client authentication", and you can see the operating system; we can use different operating systems for different authentication, you can see we have Windows, Mac, Linux and so on, but I'm going to leave it at Any. The authentication profile is what we configured earlier, so it's going to be that authentication profile, which says use LDAP. You can see the app login screen; well, we leave it at the default. You can change the message if you want to, what kind of login authentication you want to use, or login credentials. Okay, let me go back there.

Okay, so after authentication is done we're not going to collect any data, so we're going to go straight to Agent. Under Agent we need to add something on the root CA that the clients will trust, and here we add our root CA, so the certificate authority certificate that we have, and we say install this in the local certificate store. After that we configure the agent. So if I go to Agent, under the agent I'll just put a name, so "GlobalProtect agent config", for example. We're not going to have anything; all this is default. I'm just going to go straight to External, because I don't even have anything to configure for Internal, just External straight away, and configure my gateway here. Click Add, so "external gateway", and the IP address of the external gateway: I can use a fully qualified domain name, but I don't have any DNS set up, so I'm just going to use the IP address, which is 203.0.113.20. Then I can configure, for example, the priority for the region, so say any region; I'm going to keep it highest priority. In the other videos we talked about different regions, for example UK, United States, Brazil and so on, but here I'm just going to say Any and Highest, and click OK. I'm not going to configure anything under App or Host Information Profile, so click OK here. Not going to configure clientless VPN or anything for the satellite, so we're just done here.

The next thing I'm going to configure is the GlobalProtect gateways, so I'll click that and select Add. Under the name I'll just put "GlobalProtect gateway", and on the network settings we need to put the layer 3 interface, which is going to be our outside-facing interface, which is ethernet1/1, and that's the IP address. Under the authentication, well, I'm going to use the external SSL/TLS profile. Under the client authentication, again the same thing: I'm going to put the name as "external gateway authentication", and this is again the same for every operating system; I'm going to just use the one authentication profile that we have, and the login screen leave at the default. After that I'm going to configure the agent, and the agent is actually the one that is performing like DHCP, it's going to give out the IP addresses and so on. Because we are using an external GlobalProtect gateway, we need tunnel mode, and tunnel mode I'm just going to leave at "Enable IPsec" by default there, and the tunnel interface is the one that I created earlier, so 55. Everything else leave at the default. Under the client settings I need to add a client setting; this is going to be like your DHCP. So what we need to add: well, give it a name, so "client GlobalProtect", and we just need to add here the pool, what IP addresses our PC is going to get. So the IP addresses the PCs are going to get are on the network 10, so anything with a 10, from 10.1.1.200 all the way up to 10.1.1.210. So these are the range; if you count, there are only 10 IP addresses available, well, 11. I'm not going to configure anything for split tunnel or network services, just click OK here. On the Network Services here I'm going to configure what is going to be the primary DNS, which is my Windows domain controller, 168.1.20, and for secondary I'm just going to use a public DNS. Everything else we leave at the default, click OK.

So now we have configured the external gateway and portal. The next thing is to actually check the GlobalProtect agent on the portal for download, so we need to actually see what kind of software we have installed. So Device, and we have to go down towards the end, GlobalProtect Client. I have all these latest versions downloaded; I had them currently activated as well, but they didn't work, maybe because I have the old version of Windows 7 that I'm using. For me 4.1.11 actually worked correctly and I could use it, so at the moment the currently active one I have is 4.1.11. So after that we're just going to commit everything that we did, and then we're going to go to the client and test that it's working.

Okay, one thing that it actually says here: the commit is telling us the inside zone has not got user identification enabled, so we have to go there and configure it as well. The second warning is about IPv6 not being enabled, but it says that this one can be ignored. So we need to go to the inside zone and enable user identification. Close that, go to Network and then Zones, and I have the inside zone, so access the inside zone and enable user identification, click OK, commit it again, and then go and test it. Excellent, now the commit has completed successfully; we can go and test it.

So if I just click F11 there and then let me just start this. Okay, now this machine, because it's located on the internet, you can see 203.0.113.24, so in the cloud, we're going to use GlobalProtect to access the inside network. I'm going to show you here, let me just show you the IP address it's using: ipconfig, and you can see it's 203.0.113.24, that's the IP address. If I try, for example, to ping this Windows server with that IP address, it should not work. So if I say ping 192.168.1.20, that's the server's IP address, and that's not working; as you know, that's expected because it's a private IP address inside a private network. Okay, so what I'm going to do, I'm going to run the continuous ping, and after we download GlobalProtect and we sign in, we come back here and we have a look, and hopefully the pings should have a reply, which means that we are in the inside network. So the first thing to do on this client machine: we need to open the browser and navigate to the portal's IP address, and then the portal will tell us, or give us, the software; after it authorizes and authenticates, it will issue us with the software that we can download for GlobalProtect. So the address is https, and the GlobalProtect portal address is 203.0.113.20.

So the first thing is we access the portal. Okay, so we don't trust it, because I have not imported that main certificate, so it's fine that we're not trusting it; we're just going to proceed here. Okay, now I have the GlobalProtect portal login screen. I have to use one of the accounts I created that's allowed to access, so "astrit user" and password "palo alto", just so you remember. Okay, so now GlobalProtect has authenticated us and authorized us and is giving us the option to download the GlobalProtect software. For the software to download we have to choose the one that is actually the correct version, so either 32-bit Windows, 64-bit Windows or Mac 32/64-bit. To check it I can just right-click on Computer and go to Properties, and that will show me if it is 32-bit or 64-bit. As you can see this is a 32-bit operating system, so I need to download the 32-bit. Okay, now that it's downloaded: do you want to keep this file? Yes, I do want to keep it, and then we start the installation. So if I just click on there, that should start the installation. Okay, so the installation should be easy, it's pretty much next, next, next. Because I have three or four machines running, this is now going to start slowing down a little bit. Okay, we got the wizard that says "Welcome to the GlobalProtect setup wizard". Do you want to install it? Yes, Next. The location where you want to install it, well, yeah, that location is fine, click Next, and then we're ready to install. Okay, now the installation has completed successfully; we can close this, we can minimize this, and we'll see GlobalProtect is going to come out here. Okay, it has come back, so now we need to put in the IP address of the GlobalProtect portal, which is 203.0.113.20.

Now we got the server certificate error, because again I didn't import the certificates on this machine, so yes, I'm okay with that. Okay, now because we don't have single sign-on, we have to sign on again, and it was "astrit user" and the password was "palo alto". Okay, now we have connected. It's taking this time because I have so many virtual machines running in one machine, but you can see now GlobalProtect is connected, and we can see that we have a reply from our internal server. If I click on the gear icon here and go to Settings, I can see that astrit user is connected to the portal, and under connection we have connected to the external gateway with a tunnel and authenticated; that's the IP address that we got, that's the gateway that we are using. Excellent, now we can access the server; you can see that we're pinging the server. To disconnect you just click on that and then click Disable, and that's going to stop there; then you can't ping it. So if I enable it, then we're going to start pinging it. Okay, I'll enable it again, and if I go back to the firewall and look at the Monitor, so just Monitor, and we should have, under Logs, User-ID, you can see that we have a User-ID, me, and we connected through the VPN client and the source type is GlobalProtect. Okay, success, 100% it works. Okay, excellent, thank you for watching lesson 10.6 Lab: GlobalProtect, this is of chapter 10, GlobalProtect. Please have a look at my other videos and don't forget to subscribe. This has been Astrit Krasniqi, bye bye.
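The lab's first step (a self-signed CA that signs the portal/external gateway and internal gateway certificates) and its last step (the client shows a certificate error because that CA was never imported) can be reproduced offline with OpenSSL. The script below is an added example, not part of the video and not Palo Alto Networks code: it builds the same three certificates with the video's IP addresses as SAN entries, then verifies the portal certificate once with the CA trusted and once without it, which is the exact condition behind the "server certificate error" the walkthrough clicks through. The scratch directory `WORK`, the function names, the 365-day validity and the "Astrit CA" common name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the video): mirror the lab's CA / portal / internal gateway
# certificates with OpenSSL and show that the portal cert only verifies when the
# verifier trusts the lab CA, i.e. after the client has imported it.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumption: scratch directory for keys and certs

# Issue a leaf certificate signed by the lab CA.
#   $1 = file prefix, $2 = common name, $3 = IP address to place in the SAN
issue_leaf() {
  prefix="$1"; cn="$2"; ip="$3"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$prefix.key" \
    -out "$WORK/$prefix.csr" -subj "/CN=$cn" 2>/dev/null
  # Extensions a portal/gateway server cert needs: not a CA, server auth, IP SAN
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=IP:%s\n' \
    "$ip" > "$WORK/$prefix.ext"
  openssl x509 -req -in "$WORK/$prefix.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$prefix.ext" \
    -out "$WORK/$prefix.crt" 2>/dev/null
}

# Build the lab PKI: one self-signed CA plus the two leaf certs from the video.
build_lab_pki() {
  # 1. Certificate authority (the video's "astrit CA certificate"), self-signed
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -subj "/CN=Astrit CA" -days 365 2>/dev/null
  # 2. Portal + external gateway certificate, IP 203.0.113.20 (from the video)
  issue_leaf portal "Portal and external gateway" 203.0.113.20
  # 3. Internal gateway certificate, IP 192.168.2.1 (from the video)
  issue_leaf internal "Internal gateway" 192.168.2.1
}

# Verify a leaf certificate. Prints OK or FAIL.
#   $1 = leaf prefix, $2 = "trusted" (CA imported) or "untrusted" (CA not imported)
verify_leaf() {
  if [ "$2" = "trusted" ]; then
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1 \
      && echo OK || echo FAIL
  else
    # No trust anchors at all: the same position as the lab client before the
    # CA certificate is imported, so the chain cannot be built.
    openssl verify -no-CApath -no-CAfile "$WORK/$1.crt" >/dev/null 2>&1 \
      && echo OK || echo FAIL
  fi
}

# Check that a leaf carries the expected IP in its SAN. Prints yes or no.
#   $1 = leaf prefix, $2 = IP address
has_ip_san() {
  openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q "IP Address:$2" \
    && echo yes || echo no
}

main() {
  build_lab_pki
  echo "portal cert, CA trusted:    $(verify_leaf portal trusted)"
  echo "internal cert, CA trusted:  $(verify_leaf internal trusted)"
  echo "portal cert, CA not trusted: $(verify_leaf portal untrusted)"
  echo "portal SAN has 203.0.113.20: $(has_ip_san portal 203.0.113.20)"
  echo "files in $WORK"
}

main
```

The third line of output is the condition the client hits in the video: the certificate is valid and correctly signed, but a verifier that has not imported the CA cannot build the chain, so the only safe fix on the client is to import the CA (which the portal's agent configuration "install in local certificate store" setting does after the first trusted connection), not to click past the error.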
Info
Channel: Astrit Krasniqi
Views: 8,183
Keywords: Security Policies, NAT Policies, User-ID, GlobalProtect, Site-to-Site VPNs, High Availability, Palo Alto Networks Certified Network Security Administrator, PCNSA exam, EDU-210, GlobalProtect overview, GlobalProtect Portal, GlobalProtect Gateway(s), GlobalProtect Client Software, GlobalProtect Connection Sequence, External GlobalProtect Gateway, Internal GlobalProtect Gateway, Clientless VPN, Certificate authority (CA), Portal certificate, Gateway certificate, Portal Configuration
Id: rfO-9k2gw2M
Length: 24min 53sec (1493 seconds)
Published: Wed Sep 02 2020