Palo Alto EDU-110: GlobalProtect

Describe the three major components of GlobalProtect

Configure the client and server certificates to authenticate the agent and the portal

Define the three methods supported for GlobalProtect client connections

Configure the tunnel parameters for an external gateway connection

Extending the security platform with GlobalProtect

GlobalProtect builds on traditional VPN technology and offers several features beyond it:

  • Extends Next Generation Firewall capabilities to endpoints
  • Delivers full traffic visibility
  • Simplifies management
  • Unifies policies
  • Stops advanced threats

GlobalProtect expands the boundaries of the organisation's network to client endpoints anywhere in the world, and works on remote laptops and mobile devices.

GlobalProtect can determine the closest available gateway to the roaming device and establish a secure connection using strong authentication.

Laptops and mobile devices can stay connected to the organisation's network at all times, and behave as if they have never left the corporate network.

GlobalProtect can ensure that the same secure application enablement policies that protect users at the organisation are enforced for all users wherever they are in the world.

Components of GlobalProtect

GlobalProtect comes in three components:

  • GlobalProtect Portal
    • Provides the management functions for the GlobalProtect infrastructure. Every client that connects to the GlobalProtect network receives configuration information from this portal.
  • GlobalProtect Gateways
    • Provide security enforcement for traffic from GlobalProtect agents and apps. External gateways provide security enforcement and VPN access for remote users. Internal gateways apply security policy for access to internal resources.
  • GlobalProtect Client Software
    • Runs on end users' systems and enables access to network resources via the deployed GlobalProtect portals and gateways.

GlobalProtect Install Agents

The installer is an .msi for Windows, or a .pkg for Mac.

GlobalProtect has installation agents for Android, Chromebook, iOS, and Universal Windows Platform.

The iOS and Android versions are available through their respective app stores.

The GlobalProtect app for Linux extends User-ID and Security Policy enforcement to users on Linux endpoints.

The app is available in .deb, .rpm, or .tar packages, and is compatible with operating systems such as CentOS 7.0, Red Hat Enterprise 7.0, or Ubuntu 14.04 and later.

It provides a command line interface and functions as an SSL or IPSec VPN client.

The Linux App supports common GlobalProtect features and authentication methods such as client certificate authentication, server certificate validation, authentication cookies, and two factor authentication.

Connection Sequence for GlobalProtect

  1. The GlobalProtect client on the local system connects to the GlobalProtect Portal for authentication.
  2. After authorization is confirmed, the portal sends the client configurations and a list of GlobalProtect Gateways.
  3. The client connects to the best gateway (based on SSL response time and local priority) to respond to the connection request.

It is the client that communicates directly with portals and gateways; there is no direct communication among gateways or between gateways and portals.

Once the client is installed and enabled, it contacts the portal when setting up a connection. Any time the client contacts the portal, the portal authenticates the connection.

A GlobalProtect Topology

The GlobalProtect implementation requires at least one portal and one gateway.

The portal and gateway can be configured on the same firewall.

In the simplest configuration, a single firewall is configured to serve gateway and portal services from the same IP address. This provides the end users with VPN access to the organisation's networks with a minimum of configuration.

If the gateway and portal share a single IP address, only one certificate is needed for the firewall.

An Advanced GlobalProtect Topology

In larger environments, GlobalProtect can be configured with multiple gateways.

Additional gateways can be used to provide access to multiple protected networks, and can provide redundancy and performance improvements for end users.

GlobalProtect clients can connect directly to a gateway, from a list provided by the portal, and by default, the chosen gateway is the one that responds the fastest to the connection request.

To ensure consistent access, multiple gateways often require the networks to be connected to each other by VPN so the end user has access to the same data regardless of which gateway they connect to.

Although there will always be one portal, the portal is not a single point of failure. If the firewall that hosts the portal is unreachable, the client can use its cached configuration to contact other gateways.

The only limitation of an offline portal is that new clients cannot be serviced and configuration changes will not be downloaded by existing clients.

This issue can be resolved by fixing the offline portal, or redirecting clients via DNS to another portal.

GlobalProtect in the cloud

With major cloud providers having worldwide locations, VM-Series firewalls and GlobalProtect mobile security allow an organisation to extend its security policy to remote users and devices regardless of their location in the world.

GlobalProtect establishes a secure connection to protect the user from internet threats and can enforce application-based access control wherever they are in the world.

Prisma Access

In marketing terms:

Prisma Access is:

  • security delivered from the cloud
  • scalable, manageable architecture
  • consistent security for both remote locations and mobile users
  • managed centrally by Panorama

Prisma Access allows the administrator to scale their networks based on growth of the headquarters, remote networks, and mobile users.

The Threat Prevention, URL Filtering, and WildFire subscriptions are all included with Prisma Access.

Panorama is used to onboard sites, manage policies and query logs for monitoring and reporting capabilities.

Determining Internal or External Gateways

The portal can provide an IP address and DNS hostname as part of the information passed to the client to determine if the host is inside or outside the corporate network.

The DNS hostname and IP address must correspond to a device whose name can only be resolved by an internal web server.

The agent performs a reverse lookup on the IP address. If it receives a hostname as the response, the agent assumes it is on an internal network and connects to the gateways in the internal list.

If no response is received by the lookup, the client connects to the gateways in the external list.

If an internal host detection hostname and address pair is not provided, the client attempts to connect to the internal gateways first, then the external gateways.
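
The internal host detection described above, together with the default "fastest responder" gateway choice from the topology section, sketched as an added example (not Palo Alto's code and not part of the original notes). The config dictionary, hostnames, addresses and the `probe`/`lookup` callables are constructed for illustration; requiring the lookup answer to match the configured hostname is an assumption, and gateway priority is not modelled.

```python
import socket

# Constructed sample of what a portal might hand to the client (hypothetical names).
PORTAL_CFG = {
    "internal_host_detect": ("10.0.0.10", "ihd.corp.example"),  # (IP, hostname) pair
    "internal": ["gw-int-1.corp.example", "gw-int-2.corp.example"],
    "external": ["gw-eu.example.com", "gw-us.example.com"],
}

def reverse_lookup(ip):
    """PTR lookup; returns the hostname, or None when nothing answers."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def gateway_order(cfg, lookup=reverse_lookup):
    """Return (location, gateway lists in the order the client should try them)."""
    detect = cfg.get("internal_host_detect")
    if detect is None:
        # No detection pair configured: internal gateways first, then external.
        return "unknown", [cfg["internal"], cfg["external"]]
    ip, expected = detect
    answer = lookup(ip)
    # Assumption: only an answer matching the configured hostname counts, so a
    # resolver on an untrusted network cannot make the client believe it is inside.
    if answer and answer.rstrip(".").lower() == expected.lower():
        return "internal", [cfg["internal"]]
    return "external", [cfg["external"]]

def pick_gateway(cfg, probe, lookup=reverse_lookup):
    """Pick the fastest responder from the first list in which any gateway answers.

    probe(gateway) returns a response time in ms, or None if unreachable.
    Gateway priority is not modelled here.
    """
    location, lists = gateway_order(cfg, lookup)
    for gateways in lists:
        alive = [(t, g) for g in gateways if (t := probe(g)) is not None]
        if alive:
            return location, min(alive)[1]
    return location, None

if __name__ == "__main__":
    rtt = {"gw-int-1.corp.example": 4.0, "gw-int-2.corp.example": 2.5,
           "gw-eu.example.com": 38.0, "gw-us.example.com": 120.0}  # constructed
    print(pick_gateway(PORTAL_CFG, rtt.get, lambda ip: "ihd.corp.example"))
    print(pick_gateway(PORTAL_CFG, rtt.get, lambda ip: None))
```

Passing `lookup` and `probe` as parameters keeps the decision logic testable offline; in a real check they would be the system resolver and a timed TLS connection attempt.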

Clientless VPN

Clientless VPN allows the user to have secure access to an organisation's network from an SSL-enabled web browser without needing to install client software.

Users can log into the GlobalProtect portal using a web browser and launch the web applications that have been published for that user.

A user can access applications that have been made available to them. The user who logs in will be able to see a list of applications that they can launch.

Security policies will need to be configured to allow traffic from GlobalProtect clients to the security zone associated with the GlobalProtect portal that hosts the landing page.

Security policies will need to be configured to allow user-based traffic from the GlobalProtect portal zone to the security zone where the published application servers are hosted.

GlobalProtect for Internal User Based Access

An internal gateway that is used in conjunction with User-ID technology can be used to provide a secure, accurate method of identifying and controlling traffic by user.

Internal gateways are useful in sensitive environments where authenticated access to critical resources is required.

HIP Profiles can be configured on the gateway to ensure compliance with internal maintenance requirements, such as whether the latest security patches and anti-virus definitions are installed, whether disk encryption is enabled, and whether any other software is required to be installed.

GlobalProtect Certificates

Connectivity between all components of GlobalProtect is authenticated using SSL certificates.

The portal can act as a CA for the system, using a self-signed certificate or an imported subordinate issuing CA certificate, or an administrator can generate certificates using their own CA.

The portal, gateways, and agents must all use certificates signed by the same certificate authority.

Before any information is transferred, the client verifies the gateway is using a server certificate signed by a trusted CA.

The gateway also verifies that the client has a client certificate signed by the correct CA.

If there are third parties who may not trust a self-signed CA, a third-party CA that is trusted by all parties should be used for the portal.

The portal includes the public certificate of the CA, and the needed client certificate and key, as part of a configuration bundle sent to the client.

GlobalProtect gateways use the same client certificate to authenticate and identify the client.

Palo Alto supports exporting the server certificate and key from the portal for the gateways. If an external CA is used, the CA certificate can be imported along with a server certificate and key for the portals and gateways, and a client certificate and key for the clients.

Portals and gateways do not communicate directly, so the gateway certificates need to be manually imported onto firewalls.

Authentication Server Profiles and GlobalProtect

GlobalProtect uses the same system of server profiles and authentication profiles that administration and User-ID use.

Agent Software

The GlobalProtect client page lists available GlobalProtect releases.

When the agent connects to the portal, the firewall checks the version and installs the currently activated version if it is different from the version currently on the system.

Only the portal provides the software, so if the portal is separate from the gateway it will need to be maintained.

GlobalProtect Portal

As most of the configuration needed for GlobalProtect to work happens on the portal, the portal is responsible for co-ordinating communications between all other GlobalProtect components.

GlobalProtect administrators can set the level of control that end users have over their own connections, from a fully locked-down configuration to one that permits them to choose which gateway they want to connect to.

GlobalProtect App Connection Methods

on-demand: Allows users to establish a connection on demand. The user must explicitly initiate the connection.

user-logon: Automatically establishes a GlobalProtect client connection after the user logs into their computer. If single sign-on is enabled, the agent uses the Windows credentials of the user to authenticate to the portal in a process that is completely seamless to the user. The authentication profile must use the same verification process as the logon service.

pre-logon: Preserves pre-logon and post-logon services provided by the organisation's infrastructure regardless of where a machine might be located. GlobalProtect establishes a connection even if a user is not logged into the computer. This means the company can create a logical network that maintains the security and management features normally achieved by a physical network. Tunnel selection and establishment occur based on machine certificates deployed outside of GlobalProtect.

When User-ID technology is in use, pre-logon connections are marked with a user identifier of ‘pre-logon’ rather than an explicit user. Once a user has logged in, ‘pre-logon’ changes to the username of the client device.

Internal gateways only support the always-on methods, user-logon or pre-logon.

The connection method is selected by navigating to Network -> GlobalProtect -> Portals -> Agent

GlobalProtect Gateway

The GlobalProtect gateway provides the endpoint for the agent's connection.

If tunnel mode is enabled, the client sends all traffic through the connected gateway.

Note that external gateways always require a tunnel; internal gateways do not, but can be configured to use one.

Split tunnels are supported, but this feature is not recommended for extending the firewall policy with application control and visibility to all mobile users.

Gateways enforce the policy based on the HIP profiles that are received.

GlobalProtect and User-ID

The GlobalProtect client provides a way of mapping user information to the firewall directly.

Every user running the GlobalProtect agent or app is required to enter their login details to access organisation resources.

This login information can be mapped to the User-ID user mapping table on the firewall for visibility and user-based security policy enforcement.

Since users must authenticate to gain access to the network, their user-to-IP-address mapping is explicitly known.

GlobalProtect Agent

The GlobalProtect client software runs on end users' systems and enables access to the organisation's network via the GlobalProtect portals and gateways that have been deployed.
