How to Configure a GlobalProtect Gateway

  1. Add a gateway.
    1. Add a new gateway (NetworkGlobalProtectGateways).
    2. Name the gateway.The gateway name cannot contain spaces and must be unique for each virtual system. As a best practice, include the location or other descriptive information to help users and administrators identify the gateway.
    3. (Optional) Select the virtual system Location to which this gateway belongs.
  2. Specify the network information that enables endpoints to connect to the gateway.If it does not already exist, create the network interface for the gateway.Do not attach an interface management profile that allows HTTP, HTTPS, Telnet, or SSH to the interface where you configure; doing so enables access to your management interface from the internet. Follow Best Practices for Securing Administrative Access to ensure that you are securing administrative access to your firewalls in a way that will prevent successful attacks.
    1. Select the Interface for the endpoints to use when communicating with the gateway.
    2. Specify the IP Address Type and IP Address for the gateway web service:
      • Set the IP Address Type to IPv4 OnlyIPv6 Only, or IPv4 and IPv6. Use IPv4 and IPv6 if your network supports dual stack configurations, where IPv4 and IPv6 run at the same time.
      • The IP address must be compatible with the IP address type. For example, 172.16.1.0 for IPv4 addresses or 21DA:D3:0::2F3b for IPv6 addresses. For dual stack configurations, enter both an IPv4 and IPv6 address.
  3. Specify how the gateway authenticates users.If an SSL/TLS service profile for the gateway does not already exist, Deploy Server Certificates to the GlobalProtect Components.If authentication profiles or certificate profiles do not already exist, use the authentication setup task to configure these profiles for the gateway.Configure any of the following gateway Authentication settings (NetworkGlobalProtectGateways<gateway-config>Authentication):
    • To secure communication between the gateway and the GlobalProtect app, select the SSL/TLS Service Profile for the gateway.To provide the strongest security, set the Min Version of the SSL/TLS service profile to TLSv1.2.
    • To authenticate users with a local user database or an external authentication service, such as LDAP, Kerberos, TACACS+, SAML, or RADIUS (including OTP), Add a Client Authentication configuration with the following settings:
      • Specify a Name to identify the client authentication configuration.
      • Identify the type of OS (operating system) to which this configuration applies. By default, the configuration applies to Any operating system.
      • Select or add an Authentication Profile to authenticate endpoints seeking access to the gateway.
      • Enter a custom Username Label for gateway login (for example, Email Address (username@domain).
      • Enter a custom Password Label for gateway login (for example, Passcode for two-factor, token-based authentication).
      • Enter an Authentication Message to help end-users understand which credentials to use during login. The message can be up to 256 characters in length (default is Enter login credentials).
      • Select one of the following options to define whether users can authenticate to the gateway using credentials and/or client certificates:
        • To require users to authenticate to the gateway using both user credentials AND a client certificate, set the Allow Authentication with User Credentials OR Client Certificate option to No (User Credentials AND Client Certificate Required) (default).
        • To allow users to authenticate to the gateway using either user credentials OR a client certificate, set the Allow Authentication with User Credentials OR Client Certificate option to Yes (User Credentials OR Client Certificate Required).When you set this option to Yes, the gateway first checks the endpoint for a client certificate. If the endpoint does not have a client certificate or you do not configure a certificate profile for your client authentication configuration, the endpoint user can then authenticate to the gateway using his or her user credentials.
    • To authenticate users based on a client certificate or a smart card/CAC, select the corresponding Certificate Profile. You must pre-deploy the client certificate or Deploy User-Specific Client Certificates for Authentication using the Simple Certificate Enrollment Protocol (SCEP).
      • If you want to require users to authenticate to the gateway using both their user credentials and a client certificate, you must specify both a Certificate Profile and an authentication profile
      • If you want to allow users to authenticate to the gateway using either their user credentials or a client certificate and you specify an Authentication Profile for user authentication, then the Certificate Profile is optional.
      • If you want to allow users to authenticate to the gateway using either their user credentials or a client certificate and you don’t select an Authentication Profile for user authentication, then the Certificate Profile is required.
      • If you do not configure any Authentication Profile that matches a specific OS, then the Certificate Profile is required.If you allow users to authenticate to the gateway using either user credentials or a client certificate, do not select a Certificate Profile that has the Username Field configured as None.
    • To use two-factor authentication, select both an Authentication Profile and a Certificate Profile. This requires the user to authenticate successfully using both methods to gain access.(Chrome only) If you configure the gateway to use client certificates and LDAP for two-factor authentication, Chromebooks that run Chrome OS 47 or later versions encounter excessive prompts to select the client certificate. To prevent excessive prompts, configure a policy to specify the client certificate in the Google Admin console and then deploy that policy to your managed Chromebooks:
      1. Log in to the Google Admin console and select Device managementChrome managementUser settings.
      2. In the Client Certificates section, enter the following URL pattern to Automatically Select Client Certificate for These Sites:{“pattern”: “https://[*.]”,”filter”:{}}
      3. Click Save. The Google Admin console deploys the policy to all devices within a few minutes.
  4. Enable tunneling and then configure the tunnel parameters.Tunnel parameters are required for an external gateway; they are optional for an internal gateway.To force the use of SSL-VPN tunnel mode, disable (clear) the Enable IPSec option. By default, SSL-VPN is used only if the endpoint fails to establish an IPSec tunnel.Extended authentication (X-Auth) is supported only on IPSec tunnels. If you Enable X-Auth Support, GlobalProtect IPSec Crypto profiles are not used.You cannot connect GlobalProtect using IPSec mode when source Network Address Translation (NAT) rule is configured for GlobalProtect IP traffic on the firewall. In this case, you must use SSL-VPN mode instead of IPSec mode.For more information on supported cryptographic algorithms, refer to GlobalProtect App Cryptographic Functions.
    1. In the GlobalProtect Gateway Configuration dialog, select AgentTunnel Settings.
    2. Enable Tunnel Mode to enable split tunneling.
    3. Select the Tunnel Interface that you defined when you created the network interface for the gateway.
    4. (Optional) Specify the maximum number of users (Max User) that can access the gateway at the same time for authentication, HIP updates, and GlobalProtect app updates. The range of values is displayed when the field is empty and varies based on the platform.
    5. Enable IPSec and then select a GlobalProtect IPSec Crypto profile to secure the VPN tunnels between the GlobalProtect app and the gateway. The default profile uses AES-128-CBC encryption and sha1 authentication.IPSec is not supported with Windows 10 UWP endpoints.You can also create a New GlobalProtect IPSec Crypto profile (GlobalProtect IPSec Crypto drop-down) and then configure the following settings:
      1. Specify a Name to identify the profile.
      2. Add the Authentication and Encryption algorithms that VPN peers can use to negotiate the keys for securing data in the tunnel:
        • Encryption—If you don’t know what the VPN peers support, you can add multiple encryption algorithms in top-to-bottom order of most-to-least secure, as follows: aes-256-gcmaes-128-gcmaes-128-cbc. The peers will negotiate the strongest algorithm to establish the tunnel.
        • Authentication—Select the authentication algorithm (sha1) to provide data integrity and authenticity protection. Although the authentication algorithm is required for the profile, this setting only to the AES-CBC cipher (aes-128-cbc). If you use an AES-GCM encryption algorithm (aes-256-gcm or aes-128-gcm), the setting is ignored because these ciphers provide native ESP integrity protection.
      3. Click OK to save the profile.
    6. (Optional) Enable X-Auth Support if any endpoint must connect to the gateway using a third-party VPN (for example, a VPNC client running on Linux). If you enable X-Auth, you must provide the Group name and Group Password (if the endpoint requires it). By default, the user is not required to re-authenticate if the key that establishes the IPSec tunnel expires. To require users to re-authenticate, disable the option to Skip Auth on IKE Rekey.To Enable X-Auth Support for strongSwan endpoints, you must also disable the option to Skip Auth on IKE Rekey because these endpoints re

Ref: Configure a GlobalProtect Gateway (paloaltonetworks.com)