{"id":4590,"date":"2023-01-26T08:57:01","date_gmt":"2023-01-26T16:57:01","guid":{"rendered":"https:\/\/SUMMALAI.COM\/?p=4590"},"modified":"2023-01-26T08:57:04","modified_gmt":"2023-01-26T16:57:04","slug":"how-to-configure-a-globalprotect-gateway","status":"publish","type":"post","link":"https:\/\/SUMMALAI.COM\/?p=4590","title":{"rendered":"How to Configure a GlobalProtect Gateway"},"content":{"rendered":"\n<ol class=\"wp-block-list\"><li>Add a gateway.<ol><li><strong>Add<\/strong>\u00a0a new gateway (<strong>Network &gt; GlobalProtect &gt; Gateways<\/strong>).<\/li><li><strong>Name<\/strong>\u00a0the gateway. The gateway name cannot contain spaces and must be unique for each virtual system. As a best practice, include the location or other descriptive information to help users and administrators identify the gateway.<\/li><li>(Optional) Select the virtual system\u00a0<strong>Location<\/strong>\u00a0to which this gateway belongs.<\/li><\/ol><\/li><li>Specify the network information that enables endpoints to connect to the gateway. If it does not already exist,\u00a0<a href=\"https:\/\/docs.paloaltonetworks.com\/content\/techdocs\/en_US\/globalprotect\/9-1\/globalprotect-admin\/get-started\/create-interfaces-and-zones-for-globalprotect.html#id3c324ff2-c9e1-4480-a286-4718426353c7\">create the network interface for the gateway<\/a>. Do not attach an interface management profile that allows HTTP, HTTPS, Telnet, or SSH to the interface where you configure the gateway; doing so exposes your management interface to the internet. 
Follow\u00a0<a href=\"https:\/\/docs.paloaltonetworks.com\/pan-os\/9-1\/pan-os-admin\/getting-started\/best-practices-for-securing-administrative-access.html\" target=\"_blank\" rel=\"noreferrer noopener\">Best Practices for Securing Administrative Access<\/a>\u00a0to ensure that you are securing administrative access to your firewalls in a way that will prevent successful attacks.<ol><li>Select the\u00a0<strong>Interface<\/strong>\u00a0for the endpoints to use when communicating with the gateway.<\/li><li>Specify the\u00a0<strong>IP Address Type<\/strong>\u00a0and\u00a0<strong>IP Address<\/strong>\u00a0for the gateway web service:<ul><li>Set the\u00a0<strong>IP Address Type<\/strong>\u00a0to\u00a0<strong>IPv4 Only<\/strong>,\u00a0<strong>IPv6 Only<\/strong>, or\u00a0<strong>IPv4 and IPv6.<\/strong>\u00a0Use\u00a0<strong>IPv4 and IPv6<\/strong>\u00a0if your network supports dual stack configurations, where IPv4 and IPv6 run at the same time.<\/li><li>The IP address must be compatible with the IP address type. For example,\u00a0172.16.1.0\u00a0for IPv4 addresses or\u00a021DA:D3:0::2F3b\u00a0for IPv6 addresses. 
For dual stack configurations, enter both an IPv4 and IPv6 address.<\/li><\/ul><\/li><\/ol><\/li><li>Specify how the gateway authenticates users. If an SSL\/TLS service profile for the gateway does not already exist,\u00a0<a href=\"https:\/\/docs.paloaltonetworks.com\/content\/techdocs\/en_US\/globalprotect\/9-1\/globalprotect-admin\/get-started\/enable-ssl-between-globalprotect-components\/deploy-server-certificates-to-the-globalprotect-components.html#idd02df51f-f514-4a59-9cba-ecb14c03c70b\">Deploy Server Certificates to the GlobalProtect Components<\/a>. If authentication profiles or certificate profiles do not already exist, use the\u00a0<a href=\"https:\/\/docs.paloaltonetworks.com\/content\/techdocs\/en_US\/globalprotect\/9-1\/globalprotect-admin\/authentication.html#id40041484-d1e0-465a-a970-a8af5dc53f79\">authentication setup task<\/a>\u00a0to configure these profiles for the gateway. Configure any of the following gateway\u00a0<strong>Authentication<\/strong>\u00a0settings (<strong>Network &gt; GlobalProtect &gt; Gateways &gt; &lt;gateway-config&gt; &gt; Authentication<\/strong>):<ul><li>To secure communication between the gateway and the GlobalProtect app, select the\u00a0<strong>SSL\/TLS Service Profile<\/strong>\u00a0for the gateway. To provide the strongest security, set the\u00a0<strong>Min Version<\/strong>\u00a0of the SSL\/TLS service profile to\u00a0<strong>TLSv1.2<\/strong>.<\/li><li>To authenticate users with a local user database or an external authentication service, such as LDAP, Kerberos, TACACS+, SAML, or RADIUS (including OTP),\u00a0<strong>Add<\/strong>\u00a0a\u00a0<strong>Client Authentication<\/strong>\u00a0configuration with the following settings:<ul><li>Specify a\u00a0<strong>Name<\/strong>\u00a0to identify the client authentication configuration.<\/li><li>Identify the type of\u00a0<strong>OS<\/strong>\u00a0(operating system) to which this configuration applies. 
By default, the configuration applies to\u00a0<strong>Any<\/strong>\u00a0operating system.<\/li><li>Select or add an\u00a0<strong>Authentication Profile<\/strong>\u00a0to authenticate endpoints seeking access to the gateway.<\/li><li>Enter a custom\u00a0<strong>Username Label<\/strong>\u00a0for gateway login (for example,\u00a0Email Address (username@domain)).<\/li><li>Enter a custom\u00a0<strong>Password Label<\/strong>\u00a0for gateway login (for example,\u00a0Passcode\u00a0for two-factor, token-based authentication).<\/li><li>Enter an\u00a0<strong>Authentication Message<\/strong>\u00a0to help end-users understand which credentials to use during login. The message can be up to 256 characters in length (default is\u00a0Enter login credentials).<\/li><li>Select one of the following options to define whether users can authenticate to the gateway using credentials and\/or client certificates:<ul><li>To require users to authenticate to the gateway using both user credentials AND a client certificate, set the\u00a0<strong>Allow Authentication with User Credentials OR Client Certificate<\/strong>\u00a0option to\u00a0<strong>No (User Credentials AND Client Certificate Required)<\/strong>\u00a0(default).<\/li><li>To allow users to authenticate to the gateway using either user credentials OR a client certificate, set the\u00a0<strong>Allow Authentication with User Credentials OR Client Certificate<\/strong>\u00a0option to\u00a0<strong>Yes (User Credentials OR Client Certificate Required)<\/strong>. When you set this option to\u00a0<strong>Yes<\/strong>, the gateway first checks the endpoint for a client certificate. 
If the endpoint does not have a client certificate or you do not configure a certificate profile for your client authentication configuration, the endpoint user can then authenticate to the gateway using their user credentials.<\/li><\/ul><\/li><\/ul><\/li><li>To authenticate users based on a client certificate or a smart card\/CAC, select the corresponding\u00a0<strong>Certificate Profile<\/strong>. You must pre-deploy the client certificate or\u00a0<a href=\"https:\/\/docs.paloaltonetworks.com\/content\/techdocs\/en_US\/globalprotect\/9-1\/globalprotect-admin\/authentication\/set-up-client-certificate-authentication\/deploy-user-specific-client-certificates-for-authentication.html#id0b9c5c20-ca54-44df-a24b-f17601ea0c08\">Deploy User-Specific Client Certificates for Authentication<\/a>\u00a0using the Simple Certificate Enrollment Protocol (SCEP).<ul><li>If you want to require users to authenticate to the gateway using both their user credentials and a client certificate, you must specify both a\u00a0<strong>Certificate Profile<\/strong>\u00a0and an authentication profile.<\/li><li>If you want to allow users to authenticate to the gateway using either their user credentials or a client certificate and you specify an\u00a0<strong>Authentication Profile<\/strong>\u00a0for user authentication, then the\u00a0<strong>Certificate Profile<\/strong>\u00a0is optional.<\/li><li>If you want to allow users to authenticate to the gateway using either their user credentials or a client certificate and you don\u2019t select an\u00a0<strong>Authentication Profile<\/strong>\u00a0for user authentication, then the\u00a0<strong>Certificate Profile<\/strong>\u00a0is required.<\/li><li>If you do not configure any\u00a0<strong>Authentication Profile<\/strong>\u00a0that matches a specific OS, then the\u00a0<strong>Certificate Profile<\/strong>\u00a0is required. If you allow users to authenticate to the gateway using either user credentials or a client certificate, do not select 
a\u00a0<strong>Certificate Profile<\/strong>\u00a0that has the\u00a0<strong>Username Field<\/strong>\u00a0configured as\u00a0<strong>None<\/strong>.<\/li><\/ul><\/li><li>To use two-factor authentication, select both an\u00a0<strong>Authentication Profile<\/strong>\u00a0and a\u00a0<strong>Certificate Profile<\/strong>. This requires the user to authenticate successfully using both methods to gain access. (Chrome only) If you configure the gateway to use client certificates and LDAP for two-factor authentication, Chromebooks that run Chrome OS 47 or later versions encounter excessive prompts to select the client certificate. To prevent excessive prompts, configure a policy to specify the client certificate in the Google Admin console and then deploy that policy to your managed Chromebooks:<ol><li>Log in to the\u00a0<a href=\"https:\/\/admin.google.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Google Admin console<\/a>\u00a0and select\u00a0<strong>Device management &gt; Chrome management &gt; User settings<\/strong>.<\/li><li>In the Client Certificates section, enter the following URL pattern to\u00a0<strong>Automatically Select Client Certificate for These Sites<\/strong>: {&quot;pattern&quot;: &quot;https:\/\/[*.]&quot;,&quot;filter&quot;:{}}<\/li><li>Click\u00a0<strong>Save<\/strong>. The Google Admin console deploys the policy to all devices within a few minutes.<\/li><\/ol><\/li><\/ul><\/li><li>Enable tunneling and then configure the tunnel parameters. Tunnel parameters are required for an external gateway; they are optional for an internal gateway. To force the use of SSL-VPN tunnel mode, disable (clear) the\u00a0<strong>Enable IPSec<\/strong>\u00a0option. By default, SSL-VPN is used only if the endpoint fails to establish an IPSec tunnel. Extended authentication (X-Auth) is supported only on IPSec tunnels. 
If you\u00a0<strong>Enable X-Auth Support<\/strong>, GlobalProtect IPSec Crypto profiles are not used. You cannot connect GlobalProtect using IPSec mode when a source Network Address Translation (NAT) rule is configured for GlobalProtect IP traffic on the firewall. In this case, you must use SSL-VPN mode instead of IPSec mode. For more information on supported cryptographic algorithms, refer to\u00a0<a href=\"https:\/\/docs.paloaltonetworks.com\/content\/techdocs\/en_US\/globalprotect\/9-1\/globalprotect-admin\/globalprotect-cryptography\/globalprotect-cryptography-references\/reference-globalprotect-app-cryptographic-functions.html#id4a76b31c-d877-4c5f-848f-087cd1e3f298\">GlobalProtect App Cryptographic Functions<\/a>.<ol><li>In the GlobalProtect Gateway Configuration dialog, select\u00a0<strong>Agent &gt; Tunnel Settings<\/strong>.<\/li><li>Enable\u00a0<strong>Tunnel Mode<\/strong>\u00a0to enable tunneling.<\/li><li>Select the\u00a0<strong>Tunnel Interface<\/strong>\u00a0that you defined when you\u00a0<a href=\"https:\/\/docs.paloaltonetworks.com\/content\/techdocs\/en_US\/globalprotect\/9-1\/globalprotect-admin\/get-started\/create-interfaces-and-zones-for-globalprotect.html#id3c324ff2-c9e1-4480-a286-4718426353c7\">created the network interface for the gateway<\/a>.<\/li><li>(Optional) Specify the maximum number of users (<strong>Max User<\/strong>) that can access the gateway at the same time for authentication, HIP updates, and GlobalProtect app updates. The range of values is displayed when the field is empty and varies based on the platform.<\/li><li><strong>Enable IPSec<\/strong>\u00a0and then select a\u00a0<strong>GlobalProtect IPSec Crypto<\/strong>\u00a0profile to secure the VPN tunnels between the GlobalProtect app and the gateway. 
The\u00a0<strong>default<\/strong>\u00a0profile uses AES-128-CBC encryption and sha1 authentication. IPSec is not supported with Windows 10 UWP endpoints. You can also create a\u00a0<strong>New GlobalProtect IPSec Crypto<\/strong>\u00a0profile (<strong>GlobalProtect IPSec Crypto<\/strong>\u00a0drop-down) and then configure the following settings:<ol><li>Specify a\u00a0<strong>Name<\/strong>\u00a0to identify the profile.<\/li><li><strong>Add<\/strong>\u00a0the\u00a0<strong>Authentication<\/strong>\u00a0and\u00a0<strong>Encryption<\/strong>\u00a0algorithms that VPN peers can use to negotiate the keys for securing data in the tunnel:<ul><li><strong>Encryption<\/strong>\u2014If you don\u2019t know what the VPN peers support, you can add multiple encryption algorithms in top-to-bottom order of most-to-least secure, as follows:\u00a0<strong>aes-256-gcm<\/strong>,\u00a0<strong>aes-128-gcm<\/strong>,\u00a0<strong>aes-128-cbc<\/strong>. The peers will negotiate the strongest algorithm to establish the tunnel.<\/li><li><strong>Authentication<\/strong>\u2014Select the authentication algorithm (<strong>sha1<\/strong>) to provide data integrity and authenticity protection. Although the authentication algorithm is required for the profile, this setting applies only to the AES-CBC cipher (<strong>aes-128-cbc<\/strong>). If you use an AES-GCM encryption algorithm (<strong>aes-256-gcm<\/strong>\u00a0or\u00a0<strong>aes-128-gcm<\/strong>), the setting is ignored because these ciphers provide native ESP integrity protection.<\/li><\/ul><\/li><li>Click\u00a0<strong>OK<\/strong>\u00a0to save the profile.<\/li><\/ol><\/li><li>(Optional)\u00a0<strong>Enable X-Auth Support<\/strong>\u00a0if any endpoint must connect to the gateway using a third-party VPN (for example, a VPNC client running on Linux). If you enable X-Auth, you must provide the\u00a0<strong>Group<\/strong>\u00a0name and\u00a0<strong>Group Password<\/strong>\u00a0(if the endpoint requires it). 
By default, the user is not required to re-authenticate if the key that establishes the IPSec tunnel expires. To require users to re-authenticate, disable the option to\u00a0<strong>Skip Auth on IKE Rekey<\/strong>. To\u00a0<strong>Enable X-Auth Support<\/strong>\u00a0for strongSwan endpoints, you must also disable the option to\u00a0<strong>Skip Auth on IKE Rekey<\/strong>\u00a0because these endpoints re<\/li><\/ol><\/li><\/ol>\n\n\n\n<p>Ref: <a href=\"https:\/\/docs.paloaltonetworks.com\/globalprotect\/9-1\/globalprotect-admin\/globalprotect-gateways\/configure-a-globalprotect-gateway\">Configure a GlobalProtect Gateway (paloaltonetworks.com)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Add a gateway. Add\u00a0a new gateway (Network &gt; GlobalProtect &gt; Gateways). Name\u00a0the gateway. The gateway name cannot contain spaces and must be unique for each virtual system. As a best practice, include the location or other descriptive information to help users and administrators identify the gateway. (Optional) Select the virtual system\u00a0Location\u00a0to which this gateway belongs. 
Specify the network information that <a class=\"read-more\" href=\"https:\/\/SUMMALAI.COM\/?p=4590\">Read More<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[13,9,1161],"tags":[1479,1478],"class_list":["post-4590","post","type-post","status-publish","format-standard","hentry","category-firewalls","category-networks","category-palo-alto","tag-add-a-globalprotect-gateway","tag-configure-a-globalprotect-gateway"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4590","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4590"}],"version-history":[{"count":1,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4590\/revisions"}],"predecessor-version":[{"id":4591,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4590\/revisions\/4591"}],"wp:attachment":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4590"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv
2%2Fcategories&post=4590"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4590"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
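The procedure above states a set of hardening rules for a gateway (no spaces in the name, no HTTP/HTTPS/Telnet/SSH management profile on the gateway interface, a TLS minimum of 1.2, the permitted Authentication Profile and Certificate Profile combinations, IPSec versus source NAT, the most-to-least-secure ordering of the IPSec crypto profile, and X-Auth with strongSwan). As an added example that is not part of the page or of the Palo Alto Networks documentation it reproduces, the Python below checks a gateway definition against those rules and shows a configuration that violates them next to one that passes. The dictionary layout, its field names, and both sample gateways are constructed for this example; they are not the PAN-OS configuration schema or API, so map exported configuration onto these fields before running it on a real firewall.

```python
"""Added example: check a GlobalProtect gateway definition against the hardening
rules stated in the procedure above. The dictionary layout and field names are
assumptions made for this example, not the PAN-OS configuration schema or API."""
from __future__ import annotations

TLS_ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
ADMIN_SERVICES = {"http", "https", "telnet", "ssh"}  # must never be reachable on the gateway interface
ENCRYPTION_RANK = {"aes-256-gcm": 3, "aes-128-gcm": 2, "aes-128-cbc": 1}  # most to least secure


def lint_gateway(gw: dict) -> list[str]:
    """Return the rule violations found; an empty list means the gateway passes."""
    findings: list[str] = []

    name = gw.get("name", "")
    if not name or " " in name:
        findings.append("name: must be set and must not contain spaces")

    exposed = sorted(ADMIN_SERVICES & {s.lower() for s in gw.get("mgmt_profile_services", [])})
    if exposed:
        findings.append(f"interface: management profile exposes {', '.join(exposed)} on the gateway interface")

    tls_min = gw.get("ssl_tls_min_version", "")
    if tls_min not in TLS_ORDER or TLS_ORDER.index(tls_min) < TLS_ORDER.index("TLSv1.2"):
        findings.append(f"ssl_tls: Min Version {tls_min or '(unset)'} is below TLSv1.2")

    cert_profile = gw.get("certificate_profile")  # None, or {"name": ..., "username_field": ...}
    client_auths = gw.get("client_auth", [])
    if cert_profile is None and not any(c.get("os", "Any") == "Any" for c in client_auths):
        findings.append("auth: no client authentication entry matches OS 'Any', so a Certificate Profile is required")
    for c in client_auths:
        label = f"auth[{c.get('name', '?')}]"
        has_creds = bool(c.get("authentication_profile"))
        if not has_creds and cert_profile is None:
            findings.append(f"{label}: neither an Authentication Profile nor a Certificate Profile is configured")
        elif not has_creds or cert_profile is None:
            findings.append(f"{label}: single factor only; two-factor needs both an Authentication Profile and a Certificate Profile")
        if c.get("allow_creds_or_cert") and cert_profile and cert_profile.get("username_field", "None") == "None":
            findings.append(f"{label}: credentials-OR-certificate mode with a Certificate Profile whose Username Field is None")

    tunnel = gw.get("tunnel", {})
    if gw.get("external", True) and not tunnel.get("enabled"):
        findings.append("tunnel: Tunnel Mode is required on an external gateway")
    if tunnel.get("ipsec"):
        if tunnel.get("source_nat_on_gp_traffic"):
            findings.append("tunnel: IPSec mode cannot connect when a source NAT rule matches GlobalProtect traffic; use SSL-VPN")
        xauth = tunnel.get("x_auth", {})
        if xauth.get("enabled"):
            # X-Auth bypasses the GlobalProtect IPSec Crypto profile, so only the rekey rule applies here.
            if xauth.get("strongswan_clients") and xauth.get("skip_auth_on_ike_rekey", True):
                findings.append("x-auth: strongSwan endpoints need Skip Auth on IKE Rekey disabled")
        else:
            enc = tunnel.get("crypto", {}).get("encryption", [])
            ranks = [ENCRYPTION_RANK.get(e, 0) for e in enc]
            if not enc or 0 in ranks:
                findings.append(f"crypto: empty or unrecognised encryption list {enc}")
            elif ranks != sorted(ranks, reverse=True):
                findings.append(f"crypto: encryption list {enc} is not ordered most-to-least secure")
            if enc and not any(e.endswith("-gcm") for e in enc):
                findings.append("crypto: CBC-only profile; integrity rests on the separate sha1 setting, add an AES-GCM cipher")
    return findings


# Constructed sample: a gateway set up the way the procedure warns against.
WEAK_GATEWAY = {
    "name": "gp gateway",
    "mgmt_profile_services": ["ping", "ssh", "https"],
    "ssl_tls_min_version": "TLSv1.0",
    "certificate_profile": {"name": "corp-ca", "username_field": "None"},
    "client_auth": [{"name": "windows", "os": "Windows", "authentication_profile": "corp-ldap", "allow_creds_or_cert": True}],
    "external": True,
    "tunnel": {"enabled": True, "ipsec": True, "source_nat_on_gp_traffic": True,
               "crypto": {"encryption": ["aes-128-cbc", "aes-256-gcm"], "authentication": "sha1"},
               "x_auth": {"enabled": False}},
}

# Constructed sample: the same gateway after following the procedure.
HARDENED_GATEWAY = {
    "name": "gp-gw-sfo-01",
    "mgmt_profile_services": ["ping"],
    "ssl_tls_min_version": "TLSv1.2",
    "certificate_profile": {"name": "corp-ca", "username_field": "Subject"},
    "client_auth": [{"name": "all-os", "os": "Any", "authentication_profile": "corp-saml", "allow_creds_or_cert": False}],
    "external": True,
    "tunnel": {"enabled": True, "ipsec": True, "source_nat_on_gp_traffic": False,
               "crypto": {"encryption": ["aes-256-gcm", "aes-128-gcm", "aes-128-cbc"], "authentication": "sha1"},
               "x_auth": {"enabled": False}},
}

if __name__ == "__main__":
    for title, gw in (("weak", WEAK_GATEWAY), ("hardened", HARDENED_GATEWAY)):
        found = lint_gateway(gw)
        print(f"{title}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run it as a script to print the findings for both samples; the weak gateway trips the name, management-profile, TLS, Username Field, source NAT and cipher-ordering rules, while the hardened one returns no findings. The single-factor check is deliberately a finding rather than an error because the procedure only requires both profiles when two-factor authentication is the goal.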