Configure GlobalProtect Gateways Set Up the GlobalProtect Infrastructure
Configure GlobalProtect Gateways
Because the GlobalProtect configuration that the portal delivers to the agents includes the list of gateways the client can connect to, configure the gateways before configuring the portal.
GlobalProtect Gateways can be configured to provide two main functions:
• Enforce security policy for the GlobalProtect agents and apps that connect to them. You can also enable HIP collection on the gateway for enhanced security policy granularity. For more information on enabling HIP checks, see Use Host Information in Policy Enforcement.
• Provide virtual private network (VPN) access to your internal network. VPN access is provided through an IPSec or SSL tunnel between the client and a tunnel interface on the gateway firewall.
Prerequisite Tasks for Configuring the GlobalProtect Gateway
Before you can configure the GlobalProtect gateway, you must have completed the following tasks:
• Created the interfaces (and zones) for the interface where you plan to configure each gateway. For gateways that require tunnel connections you must configure both the physical interface and the virtual tunnel interface. See Create Interfaces and Zones for GlobalProtect.
• Set up the gateway server certificates required for the GlobalProtect agent to establish an SSL connection with the gateway. See Enable SSL Between GlobalProtect Components.
• Defined the authentication profiles and/or certificate profiles that will be used to authenticate GlobalProtect users. See Set Up GlobalProtect User Authentication.
Configure a GlobalProtect Gateway
After you have completed the prerequisite tasks, configure the GlobalProtect Gateways as follows:
Configure the Gateway
Step 1 Add a gateway.
1. Select Network > GlobalProtect > Gateways and click Add.
2. On the General tab, enter a Name for the gateway. The gateway name should not contain any spaces; as a best practice, include the location or other descriptive information that will help users and other administrators identify the gateway.
3. (Optional) Select the virtual system to which this gateway belongs from the Location field.
32 GlobalProtect Administrator’s Guide
Step 2 Specify the network information to enable agents to connect to the gateway.
If you have not yet created the network interface for the gateway, see Create Interfaces and Zones for GlobalProtect for instructions. If you have not yet created a server certificate for the gateway, see Deploy Server Certificates to the GlobalProtect Components.
1. Select the Interface that agents will use for ingress access to the gateway.
2. Select the IP Address for the gateway web service.
3. Select the Server Certificate for the gateway from the drop-down.
Note The Common Name (CN) and, if applicable, the Subject Alternative Name (SAN) fields of the certificate must match the IP address or fully qualified domain name (FQDN) of the interface where you configure the gateway, in the exact form the agents will be given for it. If agents connect by IP address, put the address in an IP Address type SAN entry and not only in the CN: TLS validators that check the SAN ignore the CN once any SAN is present, and a mismatch shows up as certificate warnings or failed connections on the client.
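The matching rule in the note above is easy to get wrong (CN versus SAN, wildcard scope, IP addresses as names), so the following added example, which is not code from the GlobalProtect guide or from Palo Alto Networks, implements the check. It works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so `fetch_gateway_cert()` can point it at a live gateway; the three sample certificates and the hostnames `gw-nyc.example.com`, `vpn.example.com` and `203.0.113.10` are constructed for illustration.

```python
"""Check that a GlobalProtect gateway certificate covers the address agents
connect to.  Added example, not code from the GlobalProtect guide or from
Palo Alto Networks.  It operates on the dictionary shape returned by Python's
ssl.SSLSocket.getpeercert(), so it can be pointed at a live gateway with
fetch_gateway_cert(); the three certificates below are constructed inline."""

from __future__ import annotations

import ipaddress
import socket
import ssl


def _identifiers(cert: dict) -> tuple[set[str], set[str], str | None]:
    """Extract SAN DNS names, SAN IP addresses and the subject CN."""
    dns, ips, cn = set(), set(), None
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.add(value.lower())
        elif kind == "IP Address":
            ips.add(value)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    return dns, ips, cn


def _as_ip(text: str):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style: exact match, or a single '*' covering only the
    left-most label (so *.example.com matches gw.example.com but not
    a.b.example.com or example.com)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check_gateway_cert(cert: dict, address: str) -> list[str]:
    """Return the problems found; an empty list means `address` (the FQDN or
    IP the agents dial) is covered both the way the gateway note requires
    (CN matches, SAN matches when present) and the way strict validators
    require (a SAN entry of the right type is present)."""
    dns, ips, cn = _identifiers(cert)
    problems: list[str] = []
    ip = _as_ip(address)
    if ip is not None:
        if _as_ip(cn or "") != ip:
            problems.append("CN does not match the gateway IP address")
        if not any(_as_ip(x) == ip for x in ips):
            problems.append("no IP Address SAN entry for the gateway IP "
                            "(validators that ignore the CN will reject it)")
    else:
        if cn is None or not dns_name_matches(cn, address):
            problems.append("CN does not match the gateway FQDN")
        if not dns:
            problems.append("no DNS SAN entry for the gateway FQDN "
                            "(validators that ignore the CN will reject it)")
        elif not any(dns_name_matches(p, address) for p in dns):
            problems.append("SAN is present but no DNS entry matches the gateway FQDN")
    return problems


def fetch_gateway_cert(host: str, port: int = 443, cafile: str | None = None) -> dict:
    """Pull the live certificate as a getpeercert() dict.  Hostname checking is
    disabled here only because this function *is* the check; chain validation
    stays on, using the system store or the CA file given."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() form (not real gateways).
CERT_GOOD = {"subject": ((("commonName", "gw-nyc.example.com"),),),
             "subjectAltName": (("DNS", "gw-nyc.example.com"),)}
CERT_WRONG_NAME = {"subject": ((("commonName", "vpn.example.com"),),),
                   "subjectAltName": (("DNS", "vpn.example.com"),)}
CERT_IP_IN_CN_ONLY = {"subject": ((("commonName", "203.0.113.10"),),)}

if __name__ == "__main__":
    for label, cert, addr in [("good", CERT_GOOD, "gw-nyc.example.com"),
                              ("wrong-name", CERT_WRONG_NAME, "gw-nyc.example.com"),
                              ("ip-in-cn-only", CERT_IP_IN_CN_ONLY, "203.0.113.10")]:
        print(label, check_gateway_cert(cert, addr) or "OK")
```

Run it against a deployed gateway with `check_gateway_cert(fetch_gateway_cert("gw-nyc.example.com"), "gw-nyc.example.com")`, passing `cafile=` when the gateway certificate chains to an internal CA; the address argument must be whatever the portal hands to agents, since that is the name they validate against.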
Step 3 Specify how the gateway will authenticate end users.
If you have not yet set up the authentication profiles and/or certificate profiles, see Set Up GlobalProtect User Authentication for instructions.
• To authenticate users using a local user database or an external authentication service such as LDAP, Kerberos, or RADIUS (including OTP), select the corresponding Authentication Profile.
• To tell users which login credentials to supply, enter an Authentication Message.
• To authenticate users based on a client certificate or smart card, select the corresponding Certificate Profile.
• To use two-factor authentication, select both an authentication profile and a certificate profile. Keep in mind that the user must successfully authenticate using both methods to be granted access.
Step 4 Configure the tunnel parameters and enable tunneling.
The tunnel parameters are required if you are setting up an external gateway. If you are configuring an internal gateway, they are optional.
If you want to force use of SSL-VPN tunnel mode, clear the Enable IPSec check box. By default, SSL-VPN is used only if the client fails to establish an IPSec tunnel.
Extended authentication (X-Auth) is only supported on IPSec tunnels.
1. On the GlobalProtect Gateway dialog, select Client Configuration > Tunnel Settings.
2. Select the Tunnel Mode check box to enable tunneling.
3. Select the Tunnel Interface you defined in Step 2 in Create Interfaces and Zones for GlobalProtect.
4. (Optional) Select Enable X-Auth Support if you have end clients that need to connect to the gateway using a third-party VPN client, such as a VPNC client running on Linux. If you enable X-Auth, you must also provide the Group name and Group Password if the client requires them.
Although X-Auth access is supported on iOS and Android devices, it provides limited GlobalProtect functionality. Instead, use the GlobalProtect app for simplified access to the full security feature set GlobalProtect provides on iOS and Android devices. The GlobalProtect app for iOS is available from the App Store and the GlobalProtect app for Android is available from Google Play.
Step 5 (Tunnel Mode only) Configure the network settings to assign to the clients' virtual network adapter when an agent establishes a tunnel with the gateway.
Network settings are not required in internal gateway configurations in non-tunnel mode, because in this case agents use the network settings assigned to the physical network adapter.
1. On the GlobalProtect Gateway dialog, select Client Configuration > Network Settings.
2. Specify the network configuration settings for the clients in one of the following ways:
• Manually assign the DNS server(s) and suffix, and the WINS servers, by completing the corresponding fields.
• If the firewall has an interface that is configured as a DHCP client, set the Inheritance Source to that interface; the GlobalProtect agent is then assigned the same settings the DHCP client received.
3. To specify the IP Pool to use to assign client IP addresses, click Add and then specify the IP address range to use. As a best practice, use a range of IP addresses different from those assigned to clients that are physically connected to your LAN, so that return traffic for VPN clients is routed back to the gateway rather than onto the LAN segment.
4. To define which destination subnets to route through the tunnel, click Add in the Access Route area and then enter the routes as follows:
• To route all client traffic through GlobalProtect (full tunneling), enter 0.0.0.0/0 as the access route. You then need to use security policy to define which zones the client can access (including untrust zones). The benefit of this configuration is that you have visibility into all client traffic and can ensure that clients are secured according to your policy even when they are not physically connected to the LAN. Note that in this configuration traffic destined for the local subnet still goes through the physical adapter rather than being tunneled to the gateway.
• To route only some traffic (typically traffic destined for your LAN) through GlobalProtect (split tunneling), specify the destination subnets that must be tunneled. Traffic that is not destined for a specified access route is routed through the client's physical adapter rather than through the virtual adapter (the tunnel), and is therefore not seen or inspected by the gateway.
The firewall supports up to 100 access routes.
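The pool and access-route choices in Step 5 decide which client traffic the gateway ever sees and whether return traffic finds its way back through the tunnel. The following added example, which is not code from the GlobalProtect guide or from Palo Alto Networks, checks a proposed configuration against the three rules the step states (pool must not overlap the LAN, routes must be valid prefixes, at most 100 routes) and models the client-side routing decision for both the full-tunnel and split-tunnel cases, including the local-subnet exception. The pools, routes and LAN subnets are constructed, and `is_tunneled()` is a simplified model of the agent's behaviour covering only the cases the guide describes.

```python
"""Validate a GlobalProtect gateway's tunnel network settings and model which
client destinations the access routes send through the tunnel.  Added example,
not from the GlobalProtect guide; the pools, routes and LAN subnets below are
constructed for illustration and the routing model is a simplification of
the agent's actual behaviour (it covers the cases the guide describes)."""

from __future__ import annotations

import ipaddress
from typing import Iterable

MAX_ACCESS_ROUTES = 100  # limit stated in the guide


def pool_networks(pool: str) -> list[ipaddress.IPv4Network | ipaddress.IPv6Network]:
    """Accept a pool written either as CIDR (10.200.0.0/24) or as a
    first-last range (10.200.0.1-10.200.0.254) and return it as networks."""
    if "-" in pool:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in pool.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(pool, strict=False)]


def check_network_settings(ip_pools: Iterable[str], access_routes: Iterable[str],
                           lan_subnets: Iterable[str]) -> list[str]:
    """Return configuration problems (empty list = clean):
    - a pool that overlaps a LAN subnet breaks return routing to the gateway,
    - an unparsable pool or route will be rejected or silently misbehave,
    - more than MAX_ACCESS_ROUTES routes is over the firewall limit."""
    problems: list[str] = []
    lans = [ipaddress.ip_network(n, strict=False) for n in lan_subnets]
    for pool in ip_pools:
        try:
            nets = pool_networks(pool)
        except ValueError:
            problems.append(f"IP pool {pool!r} is not a valid range or network")
            continue
        for lan in lans:
            if any(n.overlaps(lan) for n in nets):
                problems.append(f"IP pool {pool} overlaps LAN subnet {lan}")
    routes = list(access_routes)
    if len(routes) > MAX_ACCESS_ROUTES:
        problems.append(f"{len(routes)} access routes exceeds the limit of {MAX_ACCESS_ROUTES}")
    for route in routes:
        try:
            ipaddress.ip_network(route, strict=False)
        except ValueError:
            problems.append(f"access route {route!r} is not a valid prefix")
    return problems


def is_tunneled(dest: str, access_routes: Iterable[str], local_subnet: str | None = None) -> bool:
    """Model the client-side decision: a destination goes through the tunnel
    when an access route covers it, except that the client's directly connected
    subnet stays on the physical adapter even under a 0.0.0.0/0 full-tunnel route."""
    d = ipaddress.ip_address(dest)
    if local_subnet and d in ipaddress.ip_network(local_subnet, strict=False):
        return False
    return any(d in ipaddress.ip_network(r, strict=False) for r in access_routes)


# Constructed gateway settings (not a real deployment).
LAN_SUBNETS = ["10.1.0.0/16", "192.168.1.0/24"]
SPLIT_ROUTES = ["10.1.0.0/16", "10.2.0.0/16"]
FULL_TUNNEL = ["0.0.0.0/0"]

if __name__ == "__main__":
    print(check_network_settings(["10.200.0.0/24"], SPLIT_ROUTES, LAN_SUBNETS))
    print(check_network_settings(["10.1.5.1-10.1.5.254"], SPLIT_ROUTES, LAN_SUBNETS))
    for dest in ("10.1.2.3", "8.8.8.8"):
        print(dest, "split:", is_tunneled(dest, SPLIT_ROUTES),
              "full:", is_tunneled(dest, FULL_TUNNEL, local_subnet="192.168.1.0/24"))
```

The second `check_network_settings` call reproduces the mistake the best-practice note warns about: a pool carved out of an existing LAN subnet overlaps it, so hosts on that LAN would answer VPN clients on the local segment instead of routing back to the gateway. The `is_tunneled` calls show that under split tunneling a public destination such as 8.8.8.8 never reaches the gateway's policy, while under the full-tunnel route it does, with the client's own subnet as the only exception.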
Step 6 (Optional) Define the notification messages end users will see when a security rule with a host information profile (HIP) is enforced.
This step only applies if you have created host information profiles and added them to your security policies. For details on configuring the HIP feature and on creating HIP notification messages, see Use Host Information in Policy Enforcement.
1. On the Client Configuration > HIP Notification tab, click Add.
2. Select the HIP Profile this message applies to from the drop-down.
3. Select Match Message or Not Match Message, depending on whether you want to display the message when the corresponding HIP profile is matched in policy or when it is not matched. In some cases you might want to create messages for both a match and a non-match, depending on what objects you are matching on and what your objectives are for the policy.
4. Select the Enable check box and select whether you want to display the message as a Pop Up Message or as a System Tray Balloon.
5. Enter the text of your message in the Template text box and then click OK.
6. Repeat these steps for each message you want to define.
Step 7 Save the gateway configuration.
Click OK to save the settings and close the GlobalProtect Gateway dialog.
Step 8 (Optional) Set up access to the Mobile Security Manager.
This step is required if you are using the GlobalProtect Mobile Security Manager to manage end user devices and you are using HIP-enabled policy enforcement. This configuration allows the gateway to communicate with the Mobile Security Manager to retrieve the HIP reports for managed mobile devices. For more details, see Enable Gateway Access to the Mobile Security Manager.
1. Select Network > GlobalProtect > MDM and click Add.
2. Enter a Name for the Mobile Security Manager.
3. (Optional) Select the virtual system to which this Mobile Security Manager configuration belongs from the Location field.
4. Enter the IP address or FQDN of the Mobile Security Manager Server interface where the gateway will connect to retrieve HIP reports.
5. (Optional) Set the Connection Port on which the Mobile Security Manager will be listening for HIP retrieval requests. This value must match the value set on the Mobile Security Manager. By default, this port is set to 5008, which is the port that the GlobalProtect Mobile Security Manager listens on.
6. If the Mobile Security Manager requires the gateway to present a certificate to establish an HTTPS connection, select the Client Certificate to use.
7. If the gateway does not trust the Mobile Security Manager certificate for the interface where it will be connecting, click Add in the Trusted Root CA section and select or Import the root CA certificate that was used to issue the Mobile Security Manager server certificate.
8. Click OK to save the Mobile Security Manager settings.
Step 9 Save the configuration.
Commit your changes.