This tutorial walks through the six steps required to quickly set up GlobalProtect for VPN access. Begin by making sure you have the zones and interfaces you need for GlobalProtect. Both the portal and the gateway require a Layer 3 interface and an external zone for agents to connect to. In this configuration, the portal and the gateway are on the same firewall, so they can share the Layer 3 interface. Additionally, the gateway requires a tunnel interface for terminating VPN tunnels. Let's get started.

First, place ethernet1/3 in our Layer 3 untrust zone and configure it with an IPv4 address. Then we set up the tunnel interface for the gateway to use to terminate VPN tunnels. As a best practice, create a new zone for the tunnel interface so that you'll have visibility and control over your VPN traffic. Make sure to enable User-ID on the zone for visibility into your users' VPN activity. To enable traffic flow between the new VPN zone and your trust zone, you'll need to create a security policy rule. Configure the policy rule to match only known users to ensure that only VPN users who have successfully authenticated have access. Finally, define the specific applications you want to safely enable access to for your VPN users. You may want to create a second rule to allow traffic to flow between the VPN zone and your untrust zone if you plan to tunnel Internet traffic.

In order for agents to establish secure connections, you must issue unique server certificates for the GlobalProtect portal and each gateway, as you would for all applications that require SSL connectivity. As a best practice, use a certificate from an enterprise CA or a well-known third-party CA for the portal. This allows the clients to establish the initial connection with the portal without requiring you to deploy the root CA certificate to each end host.
Alternatively, you can generate a self-signed root CA certificate on the portal and use it to issue server certificates for the GlobalProtect components, as we are doing here. The best workflow for this is to generate the root CA certificate on the portal. After you create the root CA certificate, use it to issue server certificates for the GlobalProtect portal and gateways. The Common Name in the server certificate you generate must match the IP address or the Fully Qualified Domain Name of the Layer 3 interface of the portal and/or gateway.

The next step is to set up the mechanisms the portal and the gateway will use to authenticate end users. In this configuration, we'll configure the portal and the gateway to authenticate the VPN clients using Active Directory. The first step is to create a server profile to enable the firewall to connect to the Active Directory and access the user information. Notice that if you have correctly configured the LDAP server entries, the firewall will automatically fetch the available base domain names. After creating the server profile, create an Authentication Profile that instructs the portal and the gateway how to authenticate users. For Active Directory, make sure you set the Login Attribute to sAMAccountName. You will need to reference this Authentication Profile when you configure the portal and the gateway. When you finish creating the Authentication Profile, commit your changes.

Now that the infrastructure is set up, you can begin configuring the GlobalProtect components. Because the portal configuration specifies which gateways the agents can connect to, configure the gateways first. Begin by defining the network settings for connecting to the gateway: the Layer 3 interface to which the agents will connect, the corresponding IP address, the server certificate that you generated for the gateway, and the Authentication Profile you just created.
Enable Tunnel Mode and specify the Tunnel Interface that you configured for VPN tunnel termination. Specify Network Settings to push to the virtual adapters on the client systems, such as DNS server addresses. You also need to specify a pool of IP addresses for the gateway to assign to clients upon establishment of the VPN tunnel. Finally, set the Access Route to define what traffic to tunnel. To route all client traffic through the VPN tunnel, enter 0.0.0.0/0. Commit the changes to the gateway.

After you finish configuring your gateways, configure the portal. Again, you must configure the network information to enable agents to connect. Select the server certificate you issued to the portal and select the Authentication Profile you created for authenticating GlobalProtect users. On the Client Configuration tab, add a GlobalProtect configuration to deploy to agents after the end user successfully authenticates. Specify when the agent should connect to the VPN. By default, GlobalProtect will automatically establish a VPN tunnel as soon as the user logs onto the machine. Here we are changing the connect method to on-demand so that users can manually connect when they need VPN access. On the Gateways tab, specify which gateways the agents can connect to. Make sure the address you specify for each gateway exactly matches the IP address or Fully Qualified Domain Name in the gateway server certificate. Make sure to commit the changes when you're done.

After you finish configuring the GlobalProtect portal and gateways, you are ready to deploy the agent software and verify that you can connect to the VPN. To deploy the agent, download the agent software image to the firewall that is hosting the portal. After the download completes, activate it so that it is available for clients to download upon connecting to the portal. To test the configuration, launch your browser and go to the portal address.
When prompted, download the agent bundle that is appropriate for your operating system and then install it. Note that you must have admin rights on the client system to perform a first-time installation of the GlobalProtect agent. After installation completes, the agent will open. Enter your login credentials and the portal address. Click Apply to connect. If everything is configured properly, the agent will successfully connect and receive its VPN configuration.
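The tutorial stresses twice that the address configured for the portal and each gateway must match the name in its server certificate; a mismatch is the most common reason the agent fails to connect. The following check, an added example written for this page and not part of the tutorial or of any Palo Alto Networks tool, fetches a portal or gateway certificate (validated against the root CA that issued it, which is a PEM file path you supply) and tests whether the configured address appears in it. The certificate dictionary used here is constructed for illustration; the address check also accepts the IP-in-Common-Name and wildcard cases beyond the single FQDN case the text describes.

```python
import ipaddress
import socket
import ssl

# Constructed sample in the format ssl.getpeercert() returns; not a real
# GlobalProtect certificate. Uses the documentation address 203.0.113.10.
SAMPLE_GATEWAY_CERT = {
    "subject": ((("commonName", "gp.example.com"),),),
    "subjectAltName": (("DNS", "gp.example.com"), ("IP Address", "203.0.113.10")),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS match; a single leading wildcard label is allowed."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        head = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
        return head != "" and "." not in head  # wildcard covers exactly one label
    return False


def _candidate_names(cert: dict) -> list:
    """SAN entries win; only a certificate with no SAN falls back to the subject CN."""
    sans = cert.get("subjectAltName", ())
    if sans:
        return [val for kind, val in sans if kind in ("DNS", "IP Address")]
    return [val for rdn in cert.get("subject", ()) for key, val in rdn if key == "commonName"]


def cert_matches_address(cert: dict, address: str) -> bool:
    """True if the portal/gateway address configured on the firewall is covered by the cert."""
    names = _candidate_names(cert)
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:  # address is a host name, not an IP literal
        return any(_dns_name_matches(name, address) for name in names)
    for name in names:
        try:
            if ipaddress.ip_address(name) == ip:
                return True
        except ValueError:  # a DNS name, never equal to an IP address
            continue
    return False


def fetch_server_cert(address: str, ca_bundle: str, port: int = 443) -> dict:
    """Connect to a portal or gateway, verify the chain against ca_bundle, return the cert."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = False  # chain is still verified; the name check is done above
    with socket.create_connection((address, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=address) as tls:
            return tls.getpeercert()
```

Run `cert_matches_address(fetch_server_cert("gp.example.com", "root-ca.pem"), "gp.example.com")` against each address you entered on the portal's Gateways tab before handing the portal address to users.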