Symantec VIP Integration Guide for Palo Alto Networks GlobalProtect VPN

Table of Contents
About integrating Palo Alto Networks GlobalProtect VPN with Symantec VIP............................. 3
Scope of document..........................................................................................................................................................3
Supported platforms........................................................................................................................................................ 3
Supported VIP features................................................................................................................................................... 3
Authentication method: User ID–LDAP Password–Security Code.............................................................................4
Integrating GlobalProtect with VIP Enterprise Gateway..................................................................7
Installing GlobalProtect................................................................................................................................................... 7
Installing and configuring VIP Enterprise Gateway..................................................................................................... 7
Configuring GlobalProtect to integrate with the VIP integration module.................................................................. 8
Configuring the authentication server and profile.......................................................................................................8
Creating the RADIUS server profile.................................................................................................................... 9
Creating an authentication profile......................................................................................................................10
Configuring the GlobalProtect Gateway................................................................................................................... 10
Creating a gateway............................................................................................................................................11
Specifying network settings to connect to the gateway.................................................................................... 12
Specifying authentication information for the gateway......................................................................................12
Configuring the GlobalProtect Gateway............................................................................................................ 13
Setting advanced configurations...............................................................................................................................14
Enabling VIP Access Push................................................................................................................................ 15
Enabling selective strong authentication........................................................................................................... 15
Testing the integration...............................................................................................................................................16
Hardware and VIP Access Credential Authentication....................................................................................... 17
SMS or Voice authentication............................................................................................................................. 17
VIP Access Push authentication........................................................................................................................18
Troubleshooting the integration....................................................................................................... 19
Copyright Statement.......................................................................................................................... 20


About integrating Palo Alto Networks GlobalProtect VPN with Symantec VIP
Simple password authentication is insufficient to protect against unauthorized access to networks and web or cloud-based
applications, but users demand ease of use. Passwords and traditional two-factor authentication solutions are not enough
to meet today’s evolving security threats and regulatory requirements. Stronger and smarter authentication solutions are
needed to secure corporate data and applications; solutions which also offer greater ease of use.
Two-factor authentication demands two of the following — something a user knows (such as user name or password) and
something a user has (such as a VIP credential) to validate the user. For enterprises, the second-factor authentication
mechanism delivers a higher level of security to protect confidential data and applications, and meets compliance
requirements.
Users generate a security code on their VIP credential that is registered in Symantec’s VIP Service. They use that security
code along with their user name and password to gain access to the resources that are protected by GlobalProtect. Your
enterprise user store validates the user name and the password, and the VIP Service validates the security code.

Scope of document
Symantec’s Validation and ID Protection (VIP) Enterprise Gateway enables your organization's employees and associates
to use the strong authentication capabilities that VIP Services provides, along with their enterprise directory authentication
credentials.
This document is intended to assist system administrators of VIP Enterprise Gateway working with Palo Alto Networks
GlobalProtect to enable two-factor authentication capabilities. This document describes how to integrate Palo Alto
Networks GlobalProtect with VIP Enterprise Gateway 9.8 or later to enable two-factor authentication for users who access
your protected resources. If you have Symantec VIP Enterprise Gateway 9.7 or earlier, then download the pre-9.8 version
document from the Account > Download Files link in VIP Manager.

Supported platforms
Table 1: Supported platforms

Component: Supported Platform
Partner: Palo Alto Networks
Product: Palo Alto GlobalProtect Gateway 8.1.4
RADIUS Server: VIP Enterprise Gateway 9.8.4 or later
Authentication Method: User ID–LDAP Password–Security Code

Supported VIP features

Table 2 lists the VIP Enterprise Gateway features that are supported with Palo Alto Networks GlobalProtect.


Table 2: Supported VIP features

VIP Feature: Support
First-factor authentication
  AD/LDAP password through VIP Enterprise Gateway: Yes
  VIP PIN: No
Second-factor authentication
  VIP Push: Yes
  SMS: Yes
  Voice: Yes
Selective strong authentication
  End user-based: Yes
  Risk-based: No
General authentication
  Multi-domain: Yes
  Anonymous user name: Yes
  Legacy authentication provider integration (delegation): Yes
  AD password reset: Yes
Integration method
  VIP JavaScript: No
  VIP Login: No
  RADIUS: Yes

Authentication method: User ID–LDAP Password–Security Code


The following diagram illustrates how VIP Enterprise Gateway integrates with Palo Alto Networks GlobalProtect Server to
enable the User ID–LDAP Password–Security Code authentication method.


Table 3: VIP Enterprise Gateway integration with GlobalProtect workflow

Step Action
1. The user enters a user name, password, and a security code on the GlobalProtect client. The GlobalProtect client sends the user name, password, and the security code to the GlobalProtect server.
2. The GlobalProtect server sends the user name, password, and the security code to VIP Enterprise Gateway.
3. As the first part of the two-factor authentication process, the VIP Enterprise Gateway Validation server authenticates the user name and the password against your user store. For example, if AD/LDAP is the user store, the Validation server authenticates the user name and the password against AD/LDAP.
4. As the second part of the two-factor authentication process, VIP Enterprise Gateway authenticates the user name and the security code with the VIP Service.
5. If the user name and the security code are successfully authenticated, VIP Enterprise Gateway returns an Access-Accept authentication response to the GlobalProtect server.
6. Based on the Access-Accept authentication response, the GlobalProtect server gives the user access to the protected resource.


Integrating GlobalProtect with VIP Enterprise Gateway


You must complete the following general steps to integrate your GlobalProtect server with VIP Enterprise Gateway for
two-factor authentication:

Table 4: Integration overview

Step Task
1. Install Palo Alto Networks GlobalProtect server.
See Installing GlobalProtect.
2. Install and configure VIP Enterprise Gateway.
See Installing and configuring VIP Enterprise Gateway.
3. Configure GlobalProtect to integrate with the VIP integration module.
See Configuring GlobalProtect to integrate with the VIP integration module.
4. Set advanced configurations.
See Setting advanced configurations.
5. Test the integration.
See Testing the integration.

Installing GlobalProtect
Before you integrate GlobalProtect with Symantec VIP for second-factor authentication, you must install the GlobalProtect
server and ensure that the first factor works. That is, ensure that the application is configured with LDAP and a user is
able to log into the application with a user name and password. For more information, refer to the Palo Alto Networks
GlobalProtect documentation.

Installing and configuring VIP Enterprise Gateway


Complete the following steps to install and configure VIP Enterprise Gateway:
1. Install VIP Enterprise Gateway. For installation procedures, see the VIP Enterprise Gateway documentation that is
provided with the product, or at https://help.symantec.com/bucket/VIP_DOC_ACCESS/install_vip_enterprise_gateway.
2. Complete these general steps to add the Validation server. For detailed information on LDAP–RADIUS mapping and
configuring the Validation server, see the VIP Enterprise Gateway Installation and Configuration Guide, available as
part of the VIP Enterprise Gateway documentation.
• Log on to VIP Enterprise Gateway and click the Validation tab.
• Click Add Server. The Add RADIUS Validation server dialog box is displayed (Add RADIUS Validation server
dialog box).
• In the Vendor drop-down list, select the appropriate vendor. For this integration, choose Palo Alto Networks.
• In the Application Name drop-down list, select the vendor’s application that you use. For this integration, choose
Global Protect/Gateway.
• In the Authentication Mode drop-down list, select the mode that you want to use for first and second-factor
authentication. For this integration, choose UserID – LDAP Password – Security code. In this
authentication mode, VIP Enterprise Gateway validates the first-factor (user name and password) with your user
store, such as AD/LDAP. VIP Enterprise Gateway validates the second-factor (user name and security code) with
the VIP Service.
See Authentication method: User ID–LDAP Password–Security Code.


Optionally, if you want to authorize the user according to the LDAP Groups, configure the LDAP–RADIUS mapping
in the Validation server.
• Click Continue.

Configuring GlobalProtect to integrate with the VIP integration module


Complete the following general steps to configure GlobalProtect to integrate with the VIP integration module.

Table 5: Steps for integrating GlobalProtect with the VIP integration module

Step Task
1. Configure the authentication server and profile.
See Configuring the authentication server and profile.
2. Configure the GlobalProtect Gateway.
See Configuring the GlobalProtect Gateway.

Configuring the authentication server and profile


You must complete the following tasks to create a RADIUS server and authentication profile. The RADIUS server
connects to your authentication service (VIP Enterprise Gateway) to access authentication credentials for your users. The
authentication profile defines settings for authenticating your users.

Table 6: Steps for configuring the authentication server and profile

Step Task
1. Create the RADIUS server profile.
See Creating the RADIUS server profile.
2. Create an authentication profile.
See Creating an authentication profile.


Creating the RADIUS server profile


1. Log on to the GlobalProtect Portal.
2. Select Device > Server Profiles > RADIUS.
3. Click Add.
4. In the RADIUS Server Profile page (RADIUS Server Profile page), enter the following:
• Profile Name: Enter a name for this RADIUS server profile.
• Timeout (sec): Enter the maximum number of seconds the server waits for a connection.
• Retries: Enter the number of times an attempt is made to connect to the server.
• Authentication Protocol: Select PAP from the drop-down list.
If you integrate out-of-band authentication (SMS, Voice, or VIP Access Push), set the Timeout value to 20 and the
Retries value to 3 to avoid authentication failures.
5. Add the RADIUS server entry by clicking Add in the Servers section and enter the following:
• Name: Enter a name to identify the RADIUS server.
• IP Address: Enter the IP address of the RADIUS server (Symantec VIP Enterprise Gateway).
• Secret: Enter a shared secret that is used for encryption.
• Port: Enter the port number of the RADIUS server.
6. Click OK to save the profile.


Creating an authentication profile


1. Select Device > Authentication Profile.
2. Click Add.
3. In the Authentication Profile page (Authentication Profile page), enter a name for the authentication profile in the Name
field.
4. In the Authentication tab:
• Select RADIUS in the Type drop-down list.
• Select the RADIUS server profile that you created earlier in the Server Profile drop-down list.
See Creating the RADIUS server profile.
5. Configure the rest of your authentication profile as required by your security requirements. See the GlobalProtect
documentation for details.
6. Click OK to save the authentication profile.

Configuring the GlobalProtect Gateway


After you have created the RADIUS server and defined the authentication profiles that are used to authenticate the
GlobalProtect users, complete the following general steps to configure the GlobalProtect Gateway:


Table 7: Steps for configuring the GlobalProtect Gateway

Step Task

1 Create a gateway.
See Creating a gateway.
2 Specify network settings to connect to the gateway.
See Specifying network settings to connect to the gateway.
3 Specify authentication information for the gateway.
See Specifying authentication information for the gateway.
4 Configure the GlobalProtect Gateway.
See Configuring the GlobalProtect Gateway.

Creating a gateway
1. Select Network > GlobalProtect > Gateways.
2. Select an existing gateway to update, or create a new gateway:
• Click Add to create a new gateway.
• On the General tab (GlobalProtect Gateway Portal page), enter a name for the gateway.


Specifying network settings to connect to the gateway


1. Select an Interface from the drop-down list.
2. Select the IP Address for the gateway service.

Specifying authentication information for the gateway


1. Click the Authentication tab on the GlobalProtect Gateway Configuration page (Authentication tab of the Protect
Gateway Configuration page).
2. Select an existing SSL/TLS service profile, or click Add to create a new one.
3. Click Add under Client Authentication.
4. In the resulting Client Authentication dialog box (Client Authentication dialog box), set the following:
• Name: Enter a name to identify these client authentication settings.
• OS: Select the Palo Alto Networks client operating system for your environment.
• In the Authentication Profile drop-down list, select the authentication profile that you created earlier.
See Creating an authentication profile.
Keep the default settings for the remaining fields.
5. Click OK to save your changes to the Client Authentication dialog box.
6. Click OK to save your changes to the GlobalProtect Gateway Configuration page.


Configuring the GlobalProtect Gateway


1. Select Network > GlobalProtect > Portals.
2. Select an existing portal to update.
3. Click the Authentication tab on the GlobalProtect Gateway Portal Configuration page (GlobalProtect Gateway
Portal Configuration page).
4. In the resulting Client Authentication dialog box (Client Authentication dialog box), set the following:
• Name: Enter a name to identify these client authentication settings.
• OS: Select the Palo Alto Networks client operating system for your environment.
• In the Authentication Profile drop-down list, select the authentication profile that you created earlier.
See Creating an authentication profile.
Keep the default settings for the remaining fields.
5. Click OK to save your changes to the Client Authentication dialog box.
6. Click OK to save your changes to the GlobalProtect Portal Configuration page.

Setting advanced configurations


The following advanced configurations are optional:
• Enabling VIP Access Push
• Enabling selective strong authentication

Enabling VIP Access Push


Complete the following general steps to enable VIP Access Push:

Table 8: Steps for enabling VIP Access Push

Step Task
1. Customize the RADIUS server in GlobalProtect.
See Customizing the RADIUS server in GlobalProtect.
2. Enable VIP Access Push in VIP Manager.
See Enabling VIP Access Push in VIP Manager.

Customizing the RADIUS server in GlobalProtect

1. Log on to the GlobalProtect portal.
2. Select Device > Server Profile > RADIUS.
3. Open the RADIUS server profile that you created earlier.
See Creating the RADIUS server profile.
4. Change the Timeout value to 20, and the Retries value to 3.
5. Click OK to save your changes.

Enabling VIP Access Push in VIP Manager

1. Log on to VIP Manager.
2. Select Policies > Account.
3. Click Edit.
4. Under Mobile Push Authentication, select Yes for Enable Mobile Push, and then click Save.

Enabling selective strong authentication


Selective strong authentication lets you authenticate users through GlobalProtect without VIP second-factor
authentication.
1. Point GlobalProtect to an LDAP server which can search only for users that do not need strong authentication. Then,
create an LDAP Server Profile that specifies how to connect to the directory servers.
See the Palo Alto Networks GlobalProtect VPN documentation for procedures.
2. Log on to the GlobalProtect Portal.
3. Select Device > Server profile > LDAP.
4. Click Add.
5. On the resulting Authentication Sequence page (Authentication Sequence page), set the following:
• Name: Enter a name to identify the authentication profile.
• Lockout Time (min): Enter the number of minutes the user is locked out upon reaching the maximum number of
failed attempts.
• Failed Attempts: Enter the number of failed logon attempts that are allowed before the account is locked out.
6. Add the authentication profile that you created earlier.
See Creating an authentication profile.
7. Optionally, select an authentication profile and click Move up or Move down to reorder the list of authentication
profiles.
The order in which the profiles appear in this list indicates the order in which GlobalProtect triggers the authentication
profiles. If a user is found in the LDAP server associated with the first authentication profile, GlobalProtect
authenticates the user with the validation method assigned to that profile. If the user does not belong to that LDAP
server, GlobalProtect searches the LDAP server associated with the next authentication profile in the list.
8. Click OK.

Testing the integration


Test the integration for the User ID – LDAP Password – Security Code authentication method that you use in your
enterprise. The VIP integration with Palo Alto Networks GlobalProtect VPN supports the following authentication methods:
• Hardware and VIP Access Credential: In this method, your users generate a security code on their hardware or VIP
Access credential. Your users enter that security code, along with their user name and password, to access protected
resources.
See Hardware and VIP Access Credential Authentication.
• SMS or Voice: If you have configured out-of-band authentication in the VIP Enterprise Gateway validation server
and in VIP Manager, then VIP sends a security code to the registered mobile devices of your users over SMS or a
Voice call. Your users enter that security code, along with their user name and password, to access protected
resources.
See SMS or Voice authentication.
• VIP Access Push: If you have enabled VIP Access Push authentication in the VIP Enterprise Gateway validation
server, in VIP Manager, and in the GlobalProtect Portal, VIP sends a VIP Push notification message to the registered
VIP Access credential on your users' mobile devices. The user enters a user name and password, and then taps Allow
on the device to perform second-factor authentication and access protected resources.
See VIP Access Push authentication.
You must have enabled and provisioned these authentication methods in VIP Manager to test them.

Hardware and VIP Access Credential Authentication


Complete the following steps to test an integration using hardware or VIP Access credential authentication and the User
ID – LDAP Password – Security Code authentication method:
1. Log on to the GlobalProtect portal.
2. On the portal logon page, do the following:
• Enter your user name.
• Enter your password.
• Generate a security code on your hardware or VIP Access credential, and enter that security code.
• Enter the portal IP address.
• Click Apply.

After successful authentication, you can access the protected resources.

SMS or Voice authentication


Complete the following steps to test an integration using SMS or Voice authentication and the User ID – LDAP Password
– Security Code authentication method:
1. Log on to the GlobalProtect portal.
2. On the portal logon page, do the following:
• Enter your user name.
• Enter your password.
• Enter the portal IP address.
• Click Apply. The Challenge page displays. If the credentials are correct, you also receive a security code over
SMS or Voice on your registered mobile device.
3. On the Challenge page, enter the security code that you received on your device and click Sign In.

After successful authentication, you can access the protected resources.


VIP Access Push authentication


Complete the following steps to test an integration using VIP Access Push authentication and the User ID – LDAP
Password – Security Code authentication method:
1. Log on to the GlobalProtect portal.
2. On the portal logon page, do the following:
• Enter your user name.
• Enter your password.
• Enter the portal IP address.
• Click Apply. If the credentials are correct, you receive a VIP Access Push notification on your registered mobile
device.
• Tap Allow on your device to approve the push notification.

After successful authentication, you can access the protected network resource.


Troubleshooting the integration


The following are some of the common issues that you may encounter during integration, along with typical solutions.

Table 9: Common issues and solutions

Issue: The log file contains the error message "Authentication failed with incorrect LDAP static password."
Solution: Use one of the following solutions:
• The password may be locked or it may have expired. Reset the password.
• Make sure that the RADIUS shared secret set in the VIP Enterprise Gateway Validation server and in the application is the same.

Issue: Authentication fails even before you get the SMS or Voice security code or the Push notification on the registered mobile device.
Solution: Make sure that you set the Timeout field to 20 seconds and the Retries field to 3 when configuring the RADIUS Server in the application. If the Retries field is unavailable, set the Timeout field to a minimum of 60 seconds.

For additional troubleshooting help, review the log entries in the System tab on the Palo Alto Networks GlobalProtect
Gateway portal dashboard. Optionally, review the authd.log file generated by the GlobalProtect Gateway.
See the Palo Alto Networks GlobalProtect Gateway documentation for more details on these logs.


Copyright Statement
Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom.
Copyright ©2020 Broadcom. All Rights Reserved.
The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit
www.broadcom.com.
Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability,
function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does
not assume any liability arising out of the application or use of this information, nor the application or use of any product or
circuit described herein, neither does it convey any license under its patent rights nor the rights of others.
