Palo Alto Networks GlobalProtect Remote Access VPN


GlobalProtect is the remote-access VPN built into Palo Alto Networks firewalls. It lets a user on the internet reach a private network over an encrypted tunnel that terminates on the firewall. Two pieces run on the firewall: the portal, which authenticates the client and hands it the agent configuration (which gateways to use, which CA to trust), and the gateway, which authenticates the client again and terminates the tunnel. In this walkthrough both run on the same firewall and the same outside interface.



Network Topology

Here is the connection topology. The PC on the internet is the VPN client; it connects to the firewall's outside interface and, once the tunnel is up, reaches the inside network through it.



Configuring the GlobalProtect Portal

Setting up VPN Users

For the VPN users this lab uses the firewall's local user database. On Device » Local User Database » Users, add a new user. The local database is fine for a lab; for anything reachable from the internet, point the authentication profile at an external source (LDAP, RADIUS or SAML) and add a second factor, because a password-only portal on a public IP will be brute-forced.


Then on Device » Local User Database » User Groups, add a new group and include the user.



Configuring Authentication Profile

On Device » Authentication Profile, add a new profile with Type set to Local Database, since that is where the users live.


Under Advanced » Allow List, add the newly created group. Only members of the allow list can authenticate against this profile, so this is where you scope who may use the VPN at all.



Configuring Certificate

On Device » Certificate Management » Certificates, generate a new certificate. Set the Common Name to the address clients will type into the GlobalProtect app (the outside IP here), and add that same address as a certificate attribute (Host Name for a DNS name, IP for an address) so it ends up in the Subject Alternative Name; clients check the SAN, not just the CN. Because the CA server will sign it, choose External Authority (CSR) as the signer, which produces a CSR rather than a self-signed certificate.


Then export the CSR and have the CA server sign it.


Then import the signed certificate back into the firewall under the same name as the pending CSR, so the firewall pairs it with the private key it already holds. Import the CA's root certificate as well; it is needed later as the Trusted Root CA in the portal agent configuration, and the clients must trust it for the portal and gateway certificates to validate.



Configuring SSL/TLS Service Profile

On Device » Certificate Management » SSL/TLS Service Profile, add a new profile and select the newly created certificate. Set Min Version to TLSv1.2 so the portal and gateway never negotiate TLS 1.0 or 1.1 with an old client.



Configuring the Portal

On Network » GlobalProtect » Portals, add a new portal.

On the General tab, select the outside interface and its IP address; this is the address the portal listens on.

On the Authentication tab, select the SSL/TLS Service Profile and add a Client Authentication entry that uses the authentication profile made earlier.

That completes the portal. Commit the changes.



Accessing the GlobalProtect Portal

Now browsing to the outside IP over HTTPS, we should be greeted by the GlobalProtect portal login page, from which the agent can also be downloaded.

If the browser warns about the certificate, either the CA root is not trusted on the client or the address does not match the certificate's CN/SAN. Fix that before moving on: the GlobalProtect client performs the same checks and will refuse the portal with a certificate error rather than show a warning you can click through.
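The checks just described can be scripted. The following is an added example for this post, written here and not taken from the post or from Palo Alto Networks; it uses only the Python standard library. probe() connects to the portal, verifies the chain against the lab CA root that signed the CSR, and returns the negotiated TLS version and the certificate as the dict ssl's getpeercert() produces. evaluate() applies what the client effectively enforces: the address typed into the client must be in the certificate (a SAN IP Address entry for an IP, a SAN DNS entry or, failing that, the CN for a hostname), the certificate must be within its validity period, and nothing below TLS 1.2 should be negotiated. evaluate() is kept separate so it runs offline against the constructed SAMPLE_CERT at the bottom; the IPs, names and CA file name are placeholders.

```python
"""Check what the GlobalProtect portal presents to a client (added example)."""
import ipaddress
import socket
import ssl
import time
from typing import List, Optional, Tuple

MIN_TLS = "TLSv1.2"
_TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]   # names as SSLSocket.version() returns them


def probe(host: str, ca_file: str, port: int = 443, timeout: float = 5.0) -> Tuple[str, dict]:
    """Open a TLS session to host:port and return (tls_version, peer_cert_dict).

    The chain is verified against ca_file (PEM of the CA root that signed the portal
    certificate); an untrusted chain raises ssl.SSLCertVerificationError. Python's own
    hostname check is turned off because evaluate() does the match itself and reports
    why it failed instead of just raising.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED      # getpeercert() returns {} for an unverified cert
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()


def _dns_match(pattern: str, name: str) -> bool:
    """Exact match, or a wildcard that covers exactly one leftmost label."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in name and name.split(".", 1)[1] == pattern[2:]
    return pattern == name


def evaluate(cert: dict, expected: str, tls_version: str, now: Optional[float] = None) -> List[str]:
    """Return a list of problems; empty means the portal looks right to a client.

    `now` is epoch seconds (UTC); it is a parameter so the sample is reproducible.
    """
    issues: List[str] = []
    ts = time.time() if now is None else now
    sans = tuple(cert.get("subjectAltName", ()))
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"), None)

    try:
        expected_ip = ipaddress.ip_address(expected)
    except ValueError:
        expected_ip = None

    if expected_ip is not None:
        # A client given an IP needs that IP in the SAN as an "IP Address" entry.
        matched = any(t == "IP Address" and ipaddress.ip_address(v) == expected_ip for t, v in sans)
    else:
        dns_names = [v for t, v in sans if t == "DNS"]
        matched = any(_dns_match(p, expected) for p in dns_names)
        if not dns_names and cn:   # CN fallback only when the cert carries no DNS SANs at all
            matched = _dns_match(cn, expected)
    if not matched:
        issues.append(f"certificate does not match {expected} (SAN={sans}, CN={cn})")

    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        issues.append(f"certificate not valid before {cert['notBefore']}")
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        issues.append(f"certificate expired on {cert['notAfter']}")

    if tls_version not in _TLS_ORDER or _TLS_ORDER.index(tls_version) < _TLS_ORDER.index(MIN_TLS):
        issues.append(f"negotiated {tls_version}, below {MIN_TLS}; raise Min Version in the SSL/TLS Service Profile")
    return issues


def check_portal(host: str, ca_file: str) -> List[str]:
    """Live check against a real portal: probe it and evaluate what it sent."""
    version, cert = probe(host, ca_file)
    return evaluate(cert, host, version)


# Constructed certificate dict in getpeercert() layout, standing in for a lab portal
# cert issued by the CA server for the outside IP plus a DNS name (placeholders).
SAMPLE_CERT = {
    "subject": ((("commonName", "203.0.113.5"),),),
    "issuer": ((("commonName", "Lab Root CA"),),),
    "notBefore": "May  1 00:00:00 2024 GMT",
    "notAfter": "May  1 00:00:00 2026 GMT",
    "subjectAltName": (("IP Address", "203.0.113.5"), ("DNS", "vpn.lab.example")),
}
_EXAMPLE_NOW = 1735689600.0   # 2025-01-01T00:00:00Z, pinned so the sample output never changes

if __name__ == "__main__":
    print(evaluate(SAMPLE_CERT, "203.0.113.5", "TLSv1.3", _EXAMPLE_NOW))          # []
    print(evaluate(SAMPLE_CERT, "portal.lab.example", "TLSv1", _EXAMPLE_NOW))    # name mismatch + weak TLS
    # Against the real lab firewall: print(check_portal("203.0.113.5", "lab-root-ca.pem"))
```

Run it against the lab with the outside IP and the exported CA root; an empty list means the browser and the GlobalProtect client will both accept the portal without complaint.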



Configuring the GlobalProtect Gateway

Creating a Tunnel Interface

On Network » Interfaces » Tunnel, add a new tunnel interface and assign it to the virtual router. The security zone is created and attached in the next step.



Creating a Zone

On Network » Zones, add a new Layer3 zone named VPN, attach the tunnel interface to it and tick Enable User Identification. With that enabled, the user-to-IP mapping created at VPN login is usable in policy and shows up in the traffic logs.


Make sure there is a security policy allowing traffic from the VPN zone to the inside zone, otherwise the tunnel will come up and nothing will pass. An allow-any rule is enough for the lab. In production scope it: source zone VPN with the VPN user group as the source user, destination zone Inside, only the applications and destinations remote users actually need, and logging at session end so the traffic is visible under Monitor » Traffic.



Configuring the Gateway

On Network » GlobalProtect » Gateways, add a new gateway.

On General, give it a name and attach it to the outside interface. The gateway can share the portal's interface and IP address, which is what this lab does.

On Authentication, select the SSL/TLS Service Profile and add a Client Authentication entry that uses the authentication profile made earlier.

On Agent » Tunnel Settings, enable Tunnel Mode and select the tunnel interface. Keep Enable IPSec ticked: the client then carries the tunnel as IPSec (ESP over UDP 4501) and only falls back to SSL if that UDP traffic is blocked on the path.

On Agent » Client Settings, add a client configuration. For this lab the Config Selection Criteria (user/group and OS) can be left as any, so every authenticated user gets the same settings.

On IP Pools, define the address pool handed to VPN clients. Pick a range that is not used anywhere on the inside and is unlikely to collide with a user's home LAN (avoid 192.168.0.0/24 and 192.168.1.0/24 in particular).

On Split Tunnel » Access Route, include the inside network that should be reachable through the VPN. Only the included prefixes are routed into the tunnel; everything else leaves the client directly. If all client traffic must pass through the firewall, include 0.0.0.0/0 instead.
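The pool and access-route choices above are easy to get subtly wrong, and the symptoms (tunnel up, nothing reachable) are confusing. The following is an added example for this post, written here and not part of the post or of PAN-OS. It takes the values that go into IP Pools and Split Tunnel » Access Route, plus the inside network(s) the VPN is supposed to reach, and flags the usual mistakes: a pool that overlaps an inside network (replies never make it back through the tunnel), an inside network no access route covers (clients cannot reach it at all), and pools or inside networks that sit inside the ranges home routers hand out (they collide with the user's own LAN route). The addresses are made up for the example and it assumes IPv4.

```python
"""Sanity-check the gateway's client address plan before committing (added example)."""
import ipaddress
from typing import Dict, Iterable, List

# Ranges consumer routers commonly use; anything the VPN needs inside these
# will fight with the remote user's own LAN route on the client.
HOME_LAN_RANGES = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24")]


def _pool_networks(spec: str) -> List[ipaddress.IPv4Network]:
    """Accept both forms the IP Pools field takes: a subnet, or a first-last address range."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(x.strip()) for x in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(spec.strip(), strict=False)]


def check_plan(ip_pools: Iterable[str], access_routes: Iterable[str],
               inside_networks: Iterable[str]) -> Dict[str, List[str]]:
    """Return {"errors": [...], "warnings": [...]} for the proposed gateway client settings."""
    pools = [n for spec in ip_pools for n in _pool_networks(spec)]
    routes = [ipaddress.ip_network(r, strict=False) for r in access_routes]
    inside = [ipaddress.ip_network(n, strict=False) for n in inside_networks]
    errors: List[str] = []
    warnings: List[str] = []

    for pool in pools:
        for net in inside:
            if pool.overlaps(net):
                errors.append(f"IP pool {pool} overlaps inside network {net}")
        for home in HOME_LAN_RANGES:
            if pool.overlaps(home):
                warnings.append(f"IP pool {pool} overlaps common home LAN range {home}")

    for net in inside:
        # An inside network is reachable only if some access route contains it.
        if not any(net.subnet_of(r) for r in routes):
            errors.append(f"inside network {net} is not covered by any access route")
        for home in HOME_LAN_RANGES:
            if net.overlaps(home):
                warnings.append(f"inside network {net} overlaps common home LAN range {home}; "
                                f"remote users on that range will not reach it")

    if any(r.prefixlen == 0 for r in routes):
        warnings.append("access route 0.0.0.0/0 makes this a full tunnel: all client traffic, "
                        "internet included, goes through the firewall")

    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Constructed plans: one sound, one with the pool carved out of the inside network.
    print(check_plan(["10.10.10.1-10.10.10.100"], ["192.168.10.0/24"], ["192.168.10.0/24"]))
    print(check_plan(["192.168.10.0/24"], ["192.168.10.0/24"], ["192.168.10.0/24"]))
```

Anything under "errors" will break the VPN for every user; "warnings" are the cases that break it only for some users or change what traffic the firewall sees.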



Configuring the Agent on the GlobalProtect Portal

On Network » GlobalProtect » Portals, open the portal and go to the Agent tab.

Under Agent, click Add to create an agent configuration.

On Authentication, give the configuration a name.

On External, add an external gateway entry with the outside IP address, the same address the gateway was attached to. This is what tells the client where to build the tunnel after it has talked to the portal.


Back on the Agent tab, add the CA root under Trusted Root CA (tick Install in Local Root Certificate Store so the client trusts it for both the portal and the gateway certificate) and fill in the Agent User Override Key. That key is the passcode a user would need to disable the agent, so treat it like a password rather than leaving it blank or trivial.


That should be all. Commit the changes.



Connecting VPN from Client PC

Now on the client PC, open GlobalProtect and enter the portal address, the outside IP. The client pulls the agent configuration from the portal, which tells it which gateway to connect to; here portal and gateway share the same address.


Enter the username and password.


And we should be connected!


On the client's Troubleshooting » Advanced panel we can see the inside routes the gateway pushed; these are exactly the Split Tunnel access routes configured earlier.


And pinging the inside network shows that the connection is up and running.


Back on the firewall, Monitor » GlobalProtect shows the VPN activity: portal and gateway logins with the user, the client's public IP and whether authentication succeeded or failed. Failed logins against an internet-facing portal are the events worth alerting on.
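To make that concrete, the following is an added example for this post, written here and not code from the post or from PAN-OS. The events are constructed to resemble the columns you would export from the GlobalProtect log (receive time, stage, user, client public IP, status, reason); they are not real PAN-OS log lines and the field names are my own. analyze() reports three things a SOC would watch for on an exposed portal: one source IP failing repeatedly inside a short window (brute force), one source failing against several accounts (password spray), and a success from a source that had just been failing (either a guess that worked or a user fumbling a password, both worth a look).

```python
"""Triage constructed Monitor » GlobalProtect events for portal abuse (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# (time, stage, user, public_ip, status, reason); constructed sample data, not real logs.
SAMPLE_EVENTS: List[Tuple[str, str, str, str, str, str]] = [
    ("2024-05-01 09:00:01", "portal-auth", "alice", "203.0.113.10", "failure", "Invalid username or password"),
    ("2024-05-01 09:00:20", "portal-auth", "alice", "203.0.113.10", "success", ""),
    ("2024-05-01 09:05:00", "portal-auth", "bob",   "198.51.100.7", "failure", "Invalid username or password"),
    ("2024-05-01 09:05:10", "portal-auth", "bob",   "198.51.100.7", "failure", "Invalid username or password"),
    ("2024-05-01 09:05:20", "portal-auth", "bob",   "198.51.100.7", "failure", "Invalid username or password"),
    ("2024-05-01 09:05:30", "portal-auth", "bob",   "198.51.100.7", "failure", "Invalid username or password"),
    ("2024-05-01 09:05:40", "portal-auth", "bob",   "198.51.100.7", "failure", "Invalid username or password"),
    ("2024-05-01 09:05:50", "portal-auth", "bob",   "198.51.100.7", "failure", "Invalid username or password"),
    ("2024-05-01 09:06:30", "portal-auth", "bob",   "198.51.100.7", "success", ""),
    ("2024-05-01 09:10:00", "portal-auth", "carol", "192.0.2.44",   "failure", "Invalid username or password"),
    ("2024-05-01 09:10:05", "portal-auth", "dave",  "192.0.2.44",   "failure", "Invalid username or password"),
    ("2024-05-01 09:10:10", "portal-auth", "erin",  "192.0.2.44",   "failure", "Invalid username or password"),
]


def parse(rows) -> List[Dict]:
    """Turn the tuple rows into dicts with a real datetime."""
    return [
        {"time": datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), "stage": stage, "user": user,
         "public_ip": ip, "status": status, "reason": reason}
        for t, stage, user, ip, status, reason in rows
    ]


def analyze(events: List[Dict], threshold: int = 5, window: timedelta = timedelta(minutes=10),
            spray_users: int = 3) -> List[Dict]:
    """Return findings keyed by source IP: brute_force, password_spray, success_after_failures."""
    findings: List[Dict] = []
    by_ip: Dict[str, List[Dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_ip[e["public_ip"]].append(e)

    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["status"] == "failure"]

        # Brute force: at least `threshold` failures from one source inside a sliding `window`.
        for i, first in enumerate(failures):
            run = [f for f in failures[i:] if f["time"] - first["time"] <= window]
            if len(run) >= threshold:
                findings.append({"kind": "brute_force", "public_ip": ip, "count": len(run),
                                 "users": sorted({f["user"] for f in run}), "start": first["time"]})
                break

        # Password spray: one source, failures spread over several accounts.
        users = sorted({f["user"] for f in failures})
        if len(users) >= spray_users:
            findings.append({"kind": "password_spray", "public_ip": ip, "count": len(failures), "users": users})

        # A success preceded by a burst of failures from the same source inside `window`.
        for e in evs:
            if e["status"] != "success":
                continue
            prior = [f for f in failures if e["time"] - window <= f["time"] < e["time"]]
            if len(prior) >= 3:
                findings.append({"kind": "success_after_failures", "public_ip": ip, "user": e["user"],
                                 "failures_before": len(prior), "time": e["time"]})
    return findings


if __name__ == "__main__":
    for finding in analyze(parse(SAMPLE_EVENTS)):
        print(finding)
```

The thresholds are deliberately parameters: a portal used by a handful of lab users and one serving a whole company need different numbers, and the "success after failures" rule in particular is a lead for an analyst, not a verdict.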


And in Monitor » Traffic we can also see the sessions coming from zone VPN to Inside, with the VPN user attached to each session via User-ID, since user identification was enabled on the VPN zone.


This post is licensed under CC BY 4.0 by the author.