Last month Palo Alto released a “Stable” version of 4.1.x update 4.1.3, we were still on 3.1.9 and it worked fine. However there were some pleasant features in 4.1 like better ways of committing configuration, faster GUI, Premium Version of VPN setup etc.. The update however messed up things in committing stage and generated errors. This is an addressed issue and it’s fixed in 4.1.4 as I am running now.
When you chose to upgrade to 4.1 you are forced to leave your current setup of SSL VPN and it will turn in to Palo Altos Premium VPN called GlobalProtect. GlobalProtect provides security for computers that are used in the field by allowing easy and secure login from anywere in the world. With GP, users are protected against threats even when they are not on the enterprise network. Users network traffic is gated through the Palo Alto and then out on internet. That means every package demanded by the client will be reviewed by the firewall.
GP could be compared to Microsofts DirectAcces and it is a very good competitor. As it is a client installed on to the users computer.
This is how it works:
- 1. Users make an SSL connection to the portal and authenticate
- 2. The user is prompted to download the Client Software supports OSX or Windows
- 3. Configure client options with usernam/password and name of portal
- 4. Portal sends configuration and Client Certificate to the Client, cfg contains following:
- Gateway list both internal & external
- DNS name/IP mapping thah client uses to determine if the PC is inside or outside
- Trusted CA
- Host information data collection, reports OS version, AV version, disk encryption, specified registry keys/value etc
- Base 64embedded Client certificate that allows client to authenticate itself when connecting to gw
- Client users override policy
- Portal Client software version. This is to allow client to determinate if a different version is available
- 5. At this point the client will obtain the host info and find the closest gateway to connect to
- 6. If the client determines that the user is inside the network and that the gateway is the internet firewall then the client can connect to multiple internal gateways and authenticate
- 7. If the client determines that the user is outside the internal network, then the client will find the closest external gateway, authenticate and establish a SSL VPN tunnel
- 8. The Gateway enforces security policy based on user, application, content and the HIP submitted from the client.
Following items are required to configure GP. Configure the items listed in the order below
- User Authentication
- Gateway Configuration
- Portal Configuration
Certificates – Palo recommends to use 3 types of cert’s CA cert, Gateway cert, Client cert. I only use the required once CA cert and Gateway Cert, the third Client Cert is for extra security. However managing cert is done in Device > Certifcates . Create a CA cert and a Gateway cert from digicert or verisign or whatever public certificate your company owns.
User Authentication – Identify the authentication method that will be using to authenticate GlobalProtect users. Supported methods are Local database, LDAP,RADIUS or kerberos. We use LDAP so set up a LDAP profile if you haven’t:
Next thing you would like to do is to setup authentication profile, it refers to the authentication method configured in previous step. Authentication profile using LDAP requires “Login Attribute” field.
Gateway Configuration – Gateway provides the endpoint for the clients connection. Once the client is connected it sends all traffic through the gateway. The gateway can be either external or internal. External gateway as we are setting up in this tutorial require a tunnel. For this example we will refer to the topology below:
To configure Gateway, navigate Network > GlobalProtect > Gateways. In this example we will configure an external gateway. A tunnel interface is required when configuring external gateway. The IPSec tunnel from the remote users is terminated on this tunnel interface. When using external gateway, it is recommended to configure the tunnel interface in its own zone. This provides the ability to enforce a different security policy on the traffic from the remote users. Also to identify users, enable “User identification” on the zone in with the tunnel interface is bound. General Tab:
- Name: Gateway name
- Authentication: Chose the Server Certificate that you own + The auth profile we made
- Tunnel mode: Should be enabled with external gateways
- Timeout Configuration: Specify the lifetime of the tunnel
- Tunnel Gateway Address: Select interface in my setup i actually use Layer2 VLAN and not L3 as in pictures before.
Client Configuration Tab:
Client configuration is required if tunnel mode is enabled. If tunnel mode is disable, this section will be grayed out. When the client connects to the Gateway using tunnel mode, a virtual adapter is created and networking configuration will be assigned to the client. Specify the DNS,WINS and dns suffix to be used by the client. Also specify the pool from with IP addresses will be assigned to the clients. Access routes by default all traffic from the client will be sent to the gateway. Access routes allow you to define networks that will be accessible by the client through the tunnel, also known as split tunneling. Palo Alto do not recommend split tunneling, so just leave this option to 0.0.0.0/0. I set it up letting the tunnel zone access what ever networks i would like VPN users to reach.
To configure portal navigate Network > Global Protect > Portal. The authentication profile is used to auth users when the first browse to the portal to download the GP client. The client and server certificates is used to authenticate the client and the portal. The certificates are sent to the client when it establish the first connection to the portal. PAN-OS 4.1 supports both the portal and the gateway using the same interface and IP address.
Client configuration general tab:
This section defines the parameters that will determine the GP client behavior. Click on “ADD” to create a new client configuration and give it a name.
On Demand – client can be configured to connect on demand ( if selected it will not automatically sign on to gateway when internet connections i available) user have to click connect. If its not selected user will get logged on directly.
Single-sing-on – works fine with corp computers. The client will use the windows credentials of the user to auth to the portal.
There a lot of more options available, like if you have a very large world or nation wide network, you have the possibility to set up multiple gateways. And set priorities on what GW client should chose pending on the average response time etc..
Under gateway section you can define internal and external gateways that portal manages. A cut off time can be defined to limit the amount of time clients wait to get a response from the gateways. External gateways can be assigned priorities. Priority is numeric value between 1 and 5, with 1 being the highest priority and 5 the lowest. The client also considers the latency along with priority before connection to a gateway. Notice the client will not always connect to the highest priority gateway if the latency is high compared to the other gateways. The sample topology below is used to illustrate the configuration used to configure internal and external gateway:
Ok setup is done, all you need to do now is to download the client from web portal. Put in portal info and auth with AD user with permissions. Permissions are set within firewall security policy’s, assign them to have free access to the zone the tunnel are made in.
Next chapter Palo Alto SLL VPN will be about HIP profiles, profiles that collect data from the computer client connected to the gateway. And i will walk through logging and reporting and also GP in High Availability mode (redundancy). Also i will show how to troubleshoot Gateway configuration from the CLI using SSH connection.