GlobalProtect


GlobalProtect:

o GlobalProtect is the Palo Alto Networks firewall's client-based remote-access VPN service.
o The GlobalProtect app runs on the endpoint: desktop, laptop, smartphone, or tablet.
o It establishes an SSL/TLS or IPsec VPN tunnel from the endpoint to a GlobalProtect gateway on the firewall.
o Remote traffic is then inspected with the same security policies that protect sensitive resources inside the corporate network.
o It secures traffic to the intranet and lets users connect to the corporate network to reach internal resources.
o Users can connect securely to the corporate network from anywhere in the world.
o It provides an encrypted connection between the user's device and the corporate network.
o It is network security for endpoints, and it lets organizations protect a mobile workforce.
o GlobalProtect lets security teams build policies that are enforced consistently, whether the user is on or off the corporate network.
o GlobalProtect supports all existing PAN-OS authentication methods,
o including Kerberos, RADIUS, LDAP, SAML, client certificates, and the local user database.
o Once GlobalProtect authenticates a user, the firewall immediately receives a User-ID mapping (username to the client's tunnel IP address), so user-based policy applies to VPN traffic.
o GlobalProtect has options, such as combining client certificates with a password, that make strong authentication easier to use and deploy.
o Use GlobalProtect to extend the platform's protection to users wherever they go.

1 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717


GlobalProtect Lab:

Creating Zone for GlobalProtect:


As with an IPsec VPN, GlobalProtect needs a security zone for its tunnel interface. To create the
zone, go to Network >> Zones >> Add. Set the Zone Type to Layer 3 and enable User Identification,
so that the User-ID mappings created by VPN logins apply to traffic in this zone. A dedicated zone
is preferable to reusing the Trust zone: it forces VPN traffic through explicit security rules instead
of the implicit intrazone allow.



Generating a Self-Signed Certificate:
Go to Device >> Certificate Management >> Certificates >> Device Certificates >> Generate. Use the
portal's public IP address or FQDN as the Common Name so the certificate matches the address
clients connect to, and tick Certificate Authority if you intend to push this certificate to clients as a
trusted root from the portal's Agent tab later. A self-signed certificate is fine for a lab; in production,
use a certificate issued by a CA the clients already trust.



Creating an SSL/TLS Service Profile:
Now create the SSL/TLS service profile that the portal and gateway will use. Go to
Device >> Certificate Management >> SSL/TLS Service Profile >> Add. Select the certificate you
just generated and set the minimum and maximum TLS versions. Set the minimum to TLS 1.2 so the
portal does not negotiate the deprecated TLS 1.0 and 1.1 protocols.

Creating Local Users for GP VPN:


GlobalProtect users must authenticate during the VPN connection process. If you run an LDAP
server (for example Active Directory), integrate GlobalProtect with it. For this lab, a local user is created.
Go to Device >> Local User Database >> Users and click Add.



Creating Authentication Profile for GlobalProtect VPN:
Now create an authentication profile for the GP users. Go to Device >> Authentication
Profile and click Add. Set the Type to Local Database to match the user created above, then open the
Advanced tab and add the users (or groups) to the Allow List. The Allow List is enforced: a user who
authenticates successfully but is not listed is still refused, so keep it to the users who need VPN access.



Creating Tunnel Interface for GlobalProtect:
As with an IPsec tunnel, you need a separate tunnel interface for the GlobalProtect
VPN. Go to Network >> Interfaces >> Tunnel >> Add to create it. Assign the interface to the
virtual router and to the security zone created in the previous step. You can attach a
management profile to the tunnel interface if required (for example, to let clients ping it),
but the interface does not need an IP address for this lab.

Portal Configuration for GlobalProtect:


Now begin the actual GlobalProtect configuration. Go to
Network >> GlobalProtect >> Portals >> Add. On the General tab, provide a name for the
portal configuration. Below it, under Network Settings, select the interface (and IP address) on
which the portal accepts requests from GlobalProtect clients, normally the untrust interface
that carries the public IP.



On the Authentication tab, select the SSL/TLS service profile you created earlier.
Under Client Authentication, click Add. Give the entry a user-friendly name, select the
operating systems on which it applies, and select the authentication profile created in one of
the previous steps.



Now open the Agent tab. Under Trusted Root CA, add the self-signed certificate generated earlier
and tick "Install in Local Root Certificate Store", so that clients trust the portal and gateway
certificate instead of seeing a certificate warning. Then click Add under Agent and give the agent
configuration a user-friendly name.



On the User/User Group tab, select the OS and the users or user groups in your
environment that this agent configuration applies to. In this example, ANY/ANY is used.

On the External tab, add an External Gateway. Give the gateway a name, enter its IP address
(when portal and gateway share one firewall interface, this is the same address clients use for
the portal), select the Source Region, set the Priority, and click OK.



Gateway Configuration for GlobalProtect:
Next, configure the GlobalProtect gateway. Go to Network >>
GlobalProtect >> Gateways and click Add. Give the gateway a name and, under Network
Settings, select the interface on which the gateway accepts requests from GlobalProtect clients.

On the Authentication tab, select the SSL/TLS service profile and click Add to create a client
authentication entry. Here you need to set a name, the OS, and the authentication profile.



On the Agent tab, enable Tunnel Mode and select the tunnel interface created in the
earlier step.

On the Client Settings tab, click Add and give the client settings configuration a user-friendly name.



Now open IP Pools and add the subnet or IP range from which clients receive an address
once they have authenticated successfully. Choose a range that overlaps neither the corporate LAN
nor the ranges commonly used on home networks, otherwise routing on the client breaks.

On the Split Tunnel tab, under Include, add all the networks remote clients should reach through
the tunnel. To send all client traffic through the tunnel (full tunnel), include 0.0.0.0/0. For this
example only the LAN network, 192.168.78.0/24, is included, which means every other destination
(including the internet) is reached directly from the client without passing the firewall.
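As an added example (not part of the original tutorial, and not Palo Alto Networks code), the split-tunnel and IP-pool decisions above modelled in Python with the standard library. It reproduces what the client's route table does with the Include entries: the most specific prefix wins, a destination matching no Include entry stays local, and 0.0.0.0/0 turns the tunnel into a full tunnel. It also checks a mistake the tutorial does not cover, a client pool that overlaps the networks it is meant to reach. The Exclude handling goes beyond the tutorial (the gateway's Split Tunnel tab also has an Exclude list), and the pool 10.10.10.0/24 is an assumption; the tutorial does not state which pool it used.

```python
import ipaddress

# Constructed lab values: the tutorial's LAN, plus an assumed client pool
# (the tutorial does not state which pool it used).
LAN = "192.168.78.0/24"
POOL = "10.10.10.0/24"


def _nets(cidrs):
    """Parse a list of CIDR strings into ip_network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def route_for(dest, include, exclude=()):
    """Return 'tunnel' or 'direct' for one destination address.

    The GlobalProtect client installs one route per Include entry (via the
    tunnel) and per Exclude entry (via the physical interface), so the host's
    longest-prefix match decides. A destination matching no Include entry
    never enters the tunnel.
    """
    addr = ipaddress.ip_address(dest)
    candidates = [(n, "tunnel") for n in _nets(include)]
    candidates += [(n, "direct") for n in _nets(exclude)]
    best_len, verdict = -1, "direct"
    for net, label in candidates:
        if addr in net and net.prefixlen > best_len:
            best_len, verdict = net.prefixlen, label
    return verdict


def is_full_tunnel(include):
    """True when the Include list carries a default route (0.0.0.0/0 or ::/0)."""
    return any(n.prefixlen == 0 for n in _nets(include))


def pool_problems(pool, include):
    """Report an IP pool that overlaps an Include network.

    A client whose tunnel address lies inside the LAN it is routing to ends
    up with an ambiguous route table. A default route is skipped because it
    overlaps everything by definition.
    """
    pool_net = ipaddress.ip_network(pool, strict=False)
    return [f"pool {pool} overlaps include route {net}"
            for net in _nets(include)
            if net.prefixlen > 0 and net.version == pool_net.version
            and pool_net.overlaps(net)]


if __name__ == "__main__":
    lab_include = [LAN]                      # the tutorial's configuration
    for dest in ("192.168.78.10", "8.8.8.8"):
        print(dest, "->", route_for(dest, lab_include))
    print("full tunnel:", is_full_tunnel(lab_include))
    print("problems:", pool_problems(POOL, lab_include) or "none")
```

With the tutorial's single Include entry, 192.168.78.10 goes through the tunnel and 8.8.8.8 goes direct; swapping the Include list for 0.0.0.0/0 sends both through the firewall, which is the choice to make when internet traffic from remote clients must be inspected.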



Security Policy for GlobalProtect:
If you created a dedicated zone for the GlobalProtect tunnel interface, you must define
security policies that allow traffic from that zone to the internal zones (and, for a full tunnel, to
the untrust zone). If instead you placed the tunnel interface in the Trust or Inside zone, no
policy is needed, because the intrazone-default rule allows traffic within a zone; that convenience
also gives VPN clients unrestricted access to everything in that zone, so a dedicated zone with
explicit rules is the least-privilege choice. To create a security policy, go to Policies >> Security
and click Add.
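As an added example (not part of the original tutorial, and not the firewall's own policy engine), a small Python model of how the rulebase treats the two zone choices above. Rules are evaluated top-down, the first match wins, and anything unmatched falls to the PAN-OS default rules: intrazone-default allows, interzone-default denies. The zone names GP-VPN and Trust and the client pool 10.10.10.0/24 are assumptions; the LAN 192.168.78.0/24 and the web and FTP servers are the tutorial's. Application (App-ID) matching is left out, so this is a model of zone and service matching only.

```python
import ipaddress
from dataclasses import dataclass

# Constructed lab values: the tutorial's LAN; the zone names and the client
# pool are assumptions (the tutorial does not state them).
LAN = "192.168.78.0/24"
GP_POOL = "10.10.10.0/24"
GP_ZONE, TRUST_ZONE = "GP-VPN", "Trust"


@dataclass(frozen=True)
class Rule:
    name: str
    from_zones: frozenset     # zone names, or {"any"}
    to_zones: frozenset
    sources: tuple            # CIDR strings, or ("any",)
    destinations: tuple
    services: frozenset       # "tcp/80" style, or {"any"}
    action: str               # "allow" or "deny"


def _addr_match(addr, cidrs):
    """True if addr lies in any listed CIDR, or the list is 'any'."""
    if "any" in cidrs:
        return True
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(c, strict=False) for c in cidrs)


def evaluate(rules, from_zone, to_zone, src, dst, service):
    """Return (rule name, action) for one flow.

    Rules are checked top-down and the first match wins. A flow matching no
    rule falls through to the PAN-OS default rules: intrazone-default allows
    traffic that stays inside one zone, interzone-default denies traffic
    between zones.
    """
    for r in rules:
        if ("any" in r.from_zones or from_zone in r.from_zones) \
                and ("any" in r.to_zones or to_zone in r.to_zones) \
                and _addr_match(src, r.sources) \
                and _addr_match(dst, r.destinations) \
                and ("any" in r.services or service in r.services):
            return r.name, r.action
    if from_zone == to_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


# The one rule the lab needs: VPN clients may reach the LAN's web and FTP
# servers, nothing else.
LAB_RULES = [
    Rule("Allow-GP-to-LAN", frozenset({GP_ZONE}), frozenset({TRUST_ZONE}),
         (GP_POOL,), (LAN,), frozenset({"tcp/80", "tcp/21"}), "allow"),
]


if __name__ == "__main__":
    client, web = "10.10.10.5", "192.168.78.10"
    # Dedicated zone, no rule yet: denied by interzone-default.
    print(evaluate([], GP_ZONE, TRUST_ZONE, client, web, "tcp/80"))
    # Dedicated zone with the explicit rule: allowed, but only on listed ports.
    print(evaluate(LAB_RULES, GP_ZONE, TRUST_ZONE, client, web, "tcp/80"))
    print(evaluate(LAB_RULES, GP_ZONE, TRUST_ZONE, client, web, "tcp/22"))
    # Tunnel interface placed in Trust: every port allowed without any rule.
    print(evaluate([], TRUST_ZONE, TRUST_ZONE, client, web, "tcp/22"))
```

The last two calls are the point of the section: with the tunnel in its own zone, SSH to the LAN host is denied until someone writes a rule for it; with the tunnel in Trust, it is allowed by default and no rule ever records the decision.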

Verification of GlobalProtect Configuration:


Now verify the configuration by connecting with the GlobalProtect app from a client machine.
Download the app from the Palo Alto Networks support portal, or host it on the firewall itself
(Device >> GlobalProtect Client) so clients can download it from the portal page. The portal page
is reached at the firewall's public IP, https://192.168.17.100 in this lab.



Once the app is installed, open it and enter the firewall's public IP as the portal address. If the
configuration is correct, it prompts for a username and password. After those are accepted, the
app connects to the gateway and corporate resources are reachable through GlobalProtect.



Now test the configuration by accessing an internal system. In this lab a web server and an FTP
server sit on the LAN segment, and both are reachable directly by their private IP addresses. You
can also try to reach the firewall itself by its LAN address. If the tunnel is up but these fail, check
that the destination network is in the split-tunnel Include list and that a security rule allows the
traffic from the GlobalProtect zone.

