Palo Alto Firewall: GlobalProtect VPN How-To Guide

This is part of the Palo Posts how-to guides for getting the most from your Palo Alto firewall on a home or small business network.

Overview

So you’ve got your Palo Alto firewall successfully protecting your home network, blocking known malicious sites, and allowing system updates.  Your network’s never been more secure.  But what about when you’re away from home?  Is there a way to extend that protection to wherever you are?

Fortunately, Palo Alto has a great virtual private network (VPN) solution called GlobalProtect.  At a high level, GlobalProtect establishes an encrypted secure tunnel between you and your Palo Alto firewall, providing you the same firewall protection even if you’re not physically at home.  You can also securely access resources on your home network, such as a file server.  If you’ve never set up GlobalProtect, this guide will get you started with a basic configuration that you can tweak to your requirements.

This how-to guide is designed to walk you through a GlobalProtect configuration appropriate for remotely accessing a home network, leveraging both a username/password and a machine certificate for secure authentication.  It is not a one-size-fits-all approach and you’re absolutely encouraged to modify the steps to meet your requirements.

Note: This guide was tested on and is intended for use with PAN-OS 9.1.x.

Set Up Dynamic DNS

Chances are, your home internet’s public IP address is dynamically assigned by your internet service provider (ISP), meaning it may change from time to time as the DHCP lease expires.  To establish a GlobalProtect tunnel to our Palo Alto firewall, the client needs a stable name that always resolves to whatever our public IP address currently is.  A simple solution is a Dynamic DNS (DDNS) service that automatically updates a hostname (a DNS A record) whenever your public IP changes.  There are a number of DDNS services, some of which are free, and it’s left as an exercise for you the reader to pick the one that suits you.  Once you’ve signed up and have a hostname pointing to your public IP, you’re all set.  That hostname is also the name the VPN server certificate will be issued for in the next section, so settle on it before generating any certificates.  If you need to know what your public IP address is, a quick Google search will tell you.

Create VPN Root Certificate Authority (CA) And VPN Certificate

First, we need to create a Root Certificate Authority (CA) that we’ll use to issue certificates for our VPN configuration.

  1. Log in to the Palo Alto firewall and click on the Device tab.
  2. In the left menu navigate to Certificate Management -> Certificates.
  3. In the bottom of the Device Certificates tab, click on Generate.
  4. This will open the Generate Certificate window.  Populate it with the settings as shown in the screenshot below and click Generate to create the root certificate authority (my-vpn-ca).
  5. In the same menu, click Generate again to open a new Generate Certificate window.  This time, we will create our VPN server certificate (my-vpn) signed by our newly created root certificate authority (my-vpn-ca). Populate it with the settings as shown in the screenshot below and click Generate to create the VPN server certificate.  The Common Name should be your Dynamic DNS hostname and must match the value under Certificate Attributes -> Host Name; the Host Name attribute is what places the DNS name in the certificate’s Subject Alternative Name extension.

    Note: If you’ll be supporting the latest macOS and iOS systems, be aware of Apple’s requirements for TLS server certificates: https://support.apple.com/en-us/HT210176. Notably, the validity period (notBefore to notAfter) may not exceed 825 days, and the server’s DNS name must appear in the Subject Alternative Name extension; a matching Common Name alone is not accepted.  I ran into a lot of issues with this when I tried creating three year certificates!  The settings in the screenshots above comply with these requirements.

Create Machine Certificate For Client Authentication

Now we’ll create a machine certificate that we can use for authenticating to GlobalProtect.  Requiring a certificate issued by our own CA in addition to a username/password means a stolen password alone is not enough to connect.  Because the firewall generates the private key and you will export it to each device, consider generating one certificate per device rather than sharing this one; a lost or compromised device’s certificate can then be revoked on its own.

    1. Staying in the same menu, click Generate one more time to open a new Generate Certificate window.
    2. This time, we will create our machine certificate (my-system) signed by our newly created root certificate authority (my-vpn-ca). Populate it with the settings as shown in the screenshot below and click Generate to create the machine certificate.
    3. Still in the Device tab, navigate to Certificate Management -> Certificate Profile and click on Add at the bottom.
    4. This will open the Certificate Profile window. Name the profile and add the my-vpn-ca root certificate to the list of CA Certificates as shown in the screenshot below.  This profile is what the portal and gateway will use to decide whether a client certificate is acceptable: it must chain to my-vpn-ca.  Then click OK to create the certificate profile (my-system-cert).

    Create SSL/TLS Profile

    Next, we’ll create the SSL/TLS service profile that the portal and gateway will present to connecting clients.  In this profile we’ll specify the VPN server certificate (my-vpn) we created in step 5 of the Create VPN Root Certificate Authority (CA) section and define the minimum and maximum TLS versions the firewall will negotiate.

    1. Still in the Device tab, navigate to Certificate Management -> SSL/TLS Service Profile and click on Add at the bottom.
    2. This will open the SSL/TLS Service Profile window.  Name the profile, select my-vpn for the Certificate, and configure the Protocol Settings as shown in the screenshot below; setting Min Version to TLSv1.2 keeps the portal and gateway from negotiating older protocol versions.  Then click OK to create the profile.

      Note: The Certificate field is populated with the VPN server certificate (my-vpn), NOT the Root Certificate Authority certificate (my-vpn-ca).

    Create Local User(s)

    Let’s create the local user(s) that we will use to connect to our VPN.  Since this tutorial assumes we’re setting up this VPN for home use and not an enterprise environment, we will be using a local database of users as opposed to something like Active Directory.  If you happen to have Active Directory or another database of users, you can skip this section and configure GlobalProtect to use your existing user database.

    1. Still in the Device tab, navigate to Local User Database -> Users and click on Add at the bottom.
    2. This will open the Local User window.  Name the user, select Password for Mode, set and confirm the Password, and check the box for Enable as shown in the screenshot below. Then click OK to create the user.

    Create Authentication Profile

    Let’s create the authentication profile for authenticating users to our VPN. Again, since this tutorial assumes we’re setting up this VPN for home use, we will create an authentication profile that uses the local user(s) we created in the section above as opposed to using something like Active Directory.

    1. Still in the Device tab, navigate to Authentication Profile and click on Add at the bottom.
    2. This will open the Authentication Profile window. Let’s start with the Authentication tab.

      Authentication Tab

      Name the profile and select Local Database for Type as shown in the screenshot below.

      Advanced Tab

      Next, click on the Advanced tab. Add the allowed user(s)/group(s) in the Allow List as shown in the screenshot below; an empty Allow List means no one can authenticate, so add at least the local user you created (or all).  Then click OK to create the profile.

    Create Tunnel Interface

    Next, we’ll create a tunnel interface for our VPN.

    1. Click on the Network tab and then click on Interfaces.
    2. Click on the Tunnel tab and then click on Add at the bottom.
    3. This will open the Tunnel Interface window.  Give the Interface Name a number (1 here, which creates tunnel.1), describe the interface in the Comment, and set the Virtual Router to default as shown in the screenshot below. Then click OK to create the tunnel interface.

      Note: The Security Zone will be automatically set to our VPN zone once we create it in the next section.

    Create VPN Zone

    Now we’ll define a VPN zone for our tunnel.  This zone will also enable us to create security policies for our VPN traffic.

    1. Still in the Network tab, navigate to Zones and click on Add at the bottom.
    2. This will open the Zone window.  Name the zone, select Layer3 for the Type, add tunnel.1 to the list of Interfaces, and check the box for Enable User Identification as shown in the screenshot below. Then click OK to create the zone.

    Create GlobalProtect Portal

    Next, let’s create our GlobalProtect Portal.  The set up here is more complex than the previous sections, so step through each setting carefully.

      1. Still in the Network tab, navigate to GlobalProtect -> Portals and click on Add at the bottom.
      2. This will open the GlobalProtect Portal Configuration window.  Let’s start with the General tab.

        General Tab

        Name the portal and select ethernet1/1 (assuming that this is your public facing interface, change this as needed) as the Interface under Network Settings as shown in the screenshot below.

      3. Next, click on the Authentication tab.

        Authentication Tab

        Select my-vpn for the SSL/TLS Service Profile, configure the Client Authentication settings using our local-auth profile (the authentication profile created in the Create Authentication Profile section), and set the Certificate Profile to my-system-cert as shown in the screenshot below.  With both configured, a client must present a certificate issued by my-vpn-ca and supply a valid username/password; either one alone is refused.

      4. Next, we’ll skip the Portal Data Collection tab and instead click on the Agent tab and populate it with the settings as shown in the screenshots below. Fair warning, it’s going to get a bit confusing due to Palo Alto’s questionable naming and GUI design.  But we’ll make it work. 🙂

        Agent Tab -> Authentication Tab

        First, in the Agent tab, click Add under Configs to open the Configs window.  This will open the Authentication tab.  Name the config, select Yes for Save User Credentials, select the checkboxes for both Generate cookie for authentication override and Accept cookie for authentication override, and select my-vpn-ca for the Certificate to Encrypt/Decrypt Cookie as shown in the screenshot below.  Save User Credentials and the authentication override cookie are convenience features: the cookie lets the app reconnect without re-entering credentials for as long as it is valid, so keep the Cookie Lifetime short if you enable it.

        Note: Derek del Barrio of Solid Border (an awesome Texas-based Palo Alto reseller and services provider) pointed out that the cookie settings above are optional and are used in the event you want to bypass authentication upon successful login. This can be helpful if you run into spotty/slow authentication problems, want to do pre-logon without certificates, or want to generate cookies to later enable “accept” in an emergency.

        Agent Tab -> External Tab

        Next, click on the External tab.  Name the External Gateway, select FQDN for the Address, enter your Dynamic DNS hostname (e.g., my-vpn.ddns.net) in the free form field below, and then click Add to select the Source Regions that connections are allowed from.

        Note: The Dynamic DNS FQDN must match the Common Name and Host Name that you configured in step 5 of the Create VPN Root Certificate Authority (CA) And VPN Certificate section.  If it does not match you will run into certificate and authentication errors.

        Agent Tab -> App Tab

        Next, click on the App tab.  Under App Configurations, set the Connect Method to On-demand (Manual user initiated connection) as shown in the screenshot below, indicated by the red triangle.

        Now, set the Client Certificate Store Lookup to User as shown in the screenshot below, indicated by the red triangle.  This configures GlobalProtect to only look for our client certificate in the User Certificate Store as opposed to both the User and Machine Certificate Stores.  Click OK to save the Configs tab settings.

        Agent Tab

        Finally, back in the Agent Tab, click Add under Trusted Root CA to add the my-vpn-ca root certificate and check the box for Install in Local Root Certificate Store.

      5. Click OK to finish creating the GlobalProtect Portal.

      Create GlobalProtect Gateway

      With our GlobalProtect Portal created, we can now create our GlobalProtect Gateway. As with the Portal, the set up here is again complex, so step through each setting carefully.

      1. Still in the Network tab, navigate to GlobalProtect -> Gateways and click on Add at the bottom.
      2. This will open the GlobalProtect Gateway Configuration window. Let’s start with the General tab.

        General Tab

        Name the gateway and select ethernet1/1 (assuming that this is your public facing interface, change this as needed) as the Interface under Network Settings as shown in the screenshot below.

      3. Next, click on the Authentication tab.

        Authentication Tab

        Select my-vpn for the SSL/TLS Service Profile, configure the Client Authentication settings using our local-auth profile, and set the Certificate Profile to my-system-cert as shown in the screenshot below.  These are the same settings we used on the portal; the gateway enforces them again when the tunnel is established.

      4. Next, click on the Agent tab. Another fair warning, it’s again going to get a bit confusing due to Palo Alto’s questionable naming and GUI design.  But as before, we’ll continue to make it work. 🙂

        Agent Tab -> Tunnel Settings Tab

        Let’s start with the Tunnel Settings tab. Check the box for Tunnel Mode, select tunnel.1 for the Tunnel Interface, and check the box for Enable IPSec as shown in the screenshot below.  With IPSec enabled, the app tunnels over IPSec and falls back to SSL only if the IPSec tunnel cannot be established.

        Agent Tab -> Client Settings Tab -> Config Selection Criteria Tab

        Next, click on the Client Settings tab.  In this tab, click Add to open the Configs window.  Let’s start with the Config Selection Criteria tab.  Name the config as shown in the screenshot below.

        Agent Tab -> Client Settings Tab -> Authentication Override Tab

        Next, click on the Authentication Override tab.  Check the boxes for both Generate cookie for authentication override and Accept cookie for authentication override, and select my-vpn-ca for the Certificate to Encrypt/Decrypt Cookie as shown in the screenshot below.

        Agent Tab -> Client Settings Tab -> IP Pools Tab

        Next, click on the IP Pools tab. Here we want to define an IP pool for our VPN devices that does not overlap the subnet we use on our home network.  For example, if our home network is 10.1.1.0/24, then we could define our VPN IP pool as 10.1.2.0/24 as shown in the screenshot below.  Click Add under IP Pool to add this subnet.

        Agent Tab -> Client Settings Tab -> Split Tunnel Tab -> Access Route Tab

        Next, click on the Split Tunnel tab. In the Access Route tab, we’ll define which routes are sent through the VPN when we’re connected.  For example, if our internal home network is 10.1.1.0/24 (the same subnet used in the IP Pools step above), we can add this subnet under Include so that it is accessible as shown in the screenshot below. Then click OK to finish the Client Settings tab.

        Assuming we want a “full tunnel” VPN, where all of our network traffic is routed through the VPN tunnel, we add the 0.0.0.0/0 route under Include as shown in the screenshot below.  With 0.0.0.0/0 in place, the home subnet entry is redundant, since the default route already covers it.

        Agent Tab -> Network Services Tab

        Now back in the Agent tab, click on the Network Services tab.  Set Primary DNS to your internal primary home DNS server (e.g., typically your wireless router) as shown in the screenshot below.  If you chose a split tunnel, make sure this DNS server’s address falls inside one of the Include access routes; otherwise the client’s DNS queries never enter the tunnel.
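The IP Pools, Split Tunnel and Network Services settings above depend on each other, and a mismatch only shows up after the commit as a client that connects but cannot reach anything. The following is an added example, not part of the original guide and not Palo Alto code: a small Python check, using only the standard library, that takes the guide’s subnets (home network 10.1.1.0/24, VPN pool 10.1.2.0/24, and an assumed LAN DNS server at 10.1.1.1) and reports whether the pool overlaps the LAN, which Include routes the gateway should carry for split or full tunnel, and whether the DNS server is reachable through those routes.

```python
"""Sanity-check the GlobalProtect client IP pool, access routes and DNS
server before committing.  Added example, not part of the original guide
or of PAN-OS; the subnets below are the ones used in this guide."""
import ipaddress

# Constructed inputs matching the guide: home LAN, VPN client pool, and an
# assumed LAN DNS server (the guide only says "typically your wireless router").
HOME_LAN = "10.1.1.0/24"
VPN_POOL = "10.1.2.0/24"
HOME_DNS = "10.1.1.1"


def plan_client_routing(lan_subnets, pool, dns_server, full_tunnel):
    """Return (problems, include_routes) for a gateway client config.

    problems       list of human-readable findings (empty means OK)
    include_routes the Split Tunnel -> Access Route -> Include entries
    """
    problems = []
    lans = [ipaddress.ip_network(s, strict=True) for s in lan_subnets]
    pool_net = ipaddress.ip_network(pool, strict=True)
    dns = ipaddress.ip_address(dns_server)

    # The pool hands addresses to remote clients; if it overlaps the LAN the
    # firewall (and the LAN hosts) cannot tell a VPN client from a local host.
    for lan in lans:
        if pool_net.overlaps(lan):
            problems.append(f"VPN pool {pool_net} overlaps LAN {lan}")
    # A private pool avoids colliding with anything routable on the internet.
    if not pool_net.is_private:
        problems.append(f"VPN pool {pool_net} is not private address space")

    if full_tunnel:
        # 0.0.0.0/0 sends every destination (LAN and internet) into the tunnel,
        # so listing the LAN subnets as well would be redundant.
        include_routes = [ipaddress.ip_network("0.0.0.0/0")]
    else:
        include_routes = list(ipaddress.collapse_addresses(lans))
        # In split-tunnel mode the gateway's Network Services DNS server is
        # only reachable if some Include route covers it.
        if not any(dns in r for r in include_routes):
            problems.append(f"DNS server {dns} is not inside any access route")
    return problems, [str(r) for r in include_routes]


if __name__ == "__main__":
    for full in (False, True):
        probs, routes = plan_client_routing([HOME_LAN], VPN_POOL, HOME_DNS, full)
        print("full tunnel" if full else "split tunnel", routes, probs or "OK")
```

Run it once with the split-tunnel flag and once with full tunnel before committing; any line other than OK points at a setting in the gateway’s Client Settings or Network Services tab that needs another look.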

      5. Click OK to finish creating the GlobalProtect Gateway.

      Create Security Policy To Access Internal Network

      Now, let’s create a Security Policy to define what network resources we have access to once we’re connected to the VPN.  You are welcome to create more specific rules, but the rule we’ll create below will give us the same access to our home network as if we were there physically.

      1. In the left menu navigate to Policies -> Security and click on Add at the bottom.
      2. This will open the Security Policy Rule window. Let’s start with the General tab.

        General Tab

        Name the new rule so that it’s clear what it will be used for as shown in the screenshot below.

      3. Next, click on the Source tab.

        Source Tab

        Click Add under Source Zone and add the my-vpn zone as shown in the screenshot below.

      4. Next, we’ll click on the Destination tab.

        Destination Tab

        Click Add under Destination Zone and add your internal home network zone (e.g., Trust-L3) as shown in the screenshot below.

      5. The remaining tabs can be configured according to your requirements; leave the Action on the Actions tab set to Allow, or the rule will block the very traffic it is meant to permit.  Click OK to finish creating the rule.

      [Optional] Update Security and NAT Policies To Access Internet via Full Tunnel

      Note: The following is only applicable if you configured GlobalProtect to establish a full tunnel. For reference, we configured this in the Agent Tab -> Client Settings Tab -> Split Tunnel Tab -> Access Route step of the Create GlobalProtect Gateway section.

      If you’ve followed this guide exactly up to this point, then you’ve also configured your GlobalProtect VPN to establish a full tunnel connection.  With this in place, for our system to reach the general internet through the tunnel, we need to update our Security and NAT policies so that traffic from our new VPN zone is allowed out to the internet and is source-NATed like the rest of the home network.

      Update Security Policy:

      1. In the left menu navigate to Policies -> Security and click on your rule for outbound internet access. This will open the Security Policy Rule window.
      2. Click on the Source tab and under Source Zone, click Add and select the VPN zone we created (my-vpn) as shown in the screenshot below.
      3. Click OK to finish updating the rule.

      Update NAT Policy:

      1. In the left menu navigate to Policies -> NAT and click on your rule for internet outbound access. This will open the NAT Policy Rule window.
      2. Click on the Original Packet tab and under Source Zone, click Add and select the VPN zone we created (my-vpn) as shown in the screenshot below.
      3. Click OK to finish updating the rule.

      Install machine certificate on your computer

      Recall that we’re not just requiring a username and password to connect to our VPN, we’re also requiring a client machine certificate as an additional layer of authentication.  You’ll want to download the machine certificate (my-system) we generated in the Create Machine Certificate For Client Authentication section and install it into your computer’s user/personal certificate store.

      Export the machine certificate:

      1. In the left menu navigate to Certificate Management -> Certificates.
      2. In the Device Certificates tab check the box for our machine certificate (my-system) and click Export at the bottom. This will open the Export Certificate window.
      3. Select Encrypted Private Key and Certificate (PKCS12) for File Format and set a strong passphrase in the Passphrase and Confirm Passphrase fields as shown in the screenshot below.  This file contains the private key that identifies the device to the VPN, so protect it like a password and delete the exported copy once it has been imported on the client.
      4. Click OK to export and save the machine certificate to your local system.

      Now, we need to install this machine certificate onto the computer we’ll be using to connect to our VPN.  Recall that in the Create GlobalProtect Portal section we configured GlobalProtect to check for our machine certificate in the user/personal certificate store.  So we’ll want to install this machine certificate to our computer’s user/personal certificate store as opposed to the system/machine certificate store.  

      Install the machine certificate on your computer using the instructions below for your respective OS:

      Commit changes and test VPN

      This is it, the moment of truth!  We’ll now commit all of our changes and test drive our new GlobalProtect VPN.  If you run into issues, double check each step and confirm your settings are correct.

      1. Click Commit in the top right corner to open the Commit window.  Now, click Commit in this window to commit all changes.
      2. This guide assumes we’re setting this up on our home network using our public IP.  If this is true for you, you won’t be able to test the VPN from a computer with an IP address on your home network.  We need to instead test from another network. The easiest way is to use your phone as a hotspot and connect your computer to this network.
      3. Once you’re connected to your hotspot or another network outside of your home network, browse to https:// followed by the FQDN that you configured as your Dynamic DNS name.  If this resolves properly, you should now see a GlobalProtect login screen hosted on your Palo Alto firewall.  Expect a browser certificate warning at this point: the portal certificate is signed by my-vpn-ca, which your computer does not trust yet (the GlobalProtect app installs it later via the Trusted Root CA setting on the portal).  Enter the credentials for the local user you created in the Create Local User(s) section to download and install the latest GlobalProtect client to your computer.
      4. Launch the GlobalProtect client, enter your Dynamic DNS FQDN for your portal address, and click Connect.  When prompted, enter the credentials for the local user you created in the Create Local User(s) section.  On macOS, you may be prompted to allow the GlobalProtect app to access your Keychain to access the machine certificate we installed in the previous section.  You want to select Always Allow, unless you prefer to be prompted by macOS each time you attempt a connection.
      5. If all went well, you should now be connected to your very own GlobalProtect VPN instance — way to go! Verify that you can access internal subnets and the general internet if you’re using a full tunnel.  Additionally, you can confirm your connection details by viewing GlobalProtect logs in Monitor -> Logs -> GlobalProtect.  These logs are also helpful when troubleshooting connection errors.
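Before reaching for the GlobalProtect client, it helps to confirm from the outside network that the portal presents the certificate you think it does, and that it meets the Apple requirements noted in the Create VPN Root Certificate Authority (CA) And VPN Certificate section. The following is an added example, not part of the original guide and not Palo Alto code: a Python script, standard library only, that connects to the portal trusting only an exported PEM copy of my-vpn-ca, refuses anything older than TLS 1.2, and then checks that the DNS name is in the Subject Alternative Name and that the validity period does not exceed 825 days. The hostname my-vpn.ddns.net and the file name my-vpn-ca.crt in the usage line are assumptions; substitute your own.

```python
"""Pre-flight check for the GlobalProtect portal certificate.  Added example,
not part of the original guide and not Palo Alto code.  It reads the portal's
certificate over TLS, trusting only the exported my-vpn-ca root, and checks
the points the guide calls out: the DNS name must appear in the SAN and the
validity period must not exceed 825 days (Apple's requirement)."""
import socket
import ssl
import sys

MAX_VALIDITY_DAYS = 825           # Apple limit for TLS server certificates
MIN_TLS = ssl.TLSVersion.TLSv1_2  # refuse a portal that negotiates older TLS


def san_matches(san, hostname):
    """True if a dNSName SAN entry covers hostname (one-label wildcard only)."""
    host = hostname.lower().rstrip(".")
    for kind, value in san:
        if kind != "DNS":
            continue
        name = value.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            # *.example.net matches vpn.example.net but not a.b.example.net
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def cert_problems(cert, hostname):
    """Check a certificate dict in ssl.SSLSocket.getpeercert() format.

    Returns a list of findings; an empty list means the certificate is fine.
    """
    problems = []
    san = cert.get("subjectAltName", ())
    if not any(kind == "DNS" for kind, _ in san):
        problems.append("no DNS name in Subject Alternative Name (CN alone is not enough)")
    elif not san_matches(san, hostname):
        problems.append(f"SAN does not cover {hostname}")
    try:
        start = ssl.cert_time_to_seconds(cert["notBefore"])
        end = ssl.cert_time_to_seconds(cert["notAfter"])
    except (KeyError, ValueError):
        problems.append("validity dates missing or unparseable")
        return problems
    days = (end - start) / 86400
    if days > MAX_VALIDITY_DAYS:
        problems.append(f"validity is {days:.0f} days, more than {MAX_VALIDITY_DAYS}")
    return problems


def probe_portal(hostname, ca_file, port=443, timeout=10):
    """Connect to the portal, trusting only ca_file; return (tls_version, cert).

    Raises ssl.SSLError if the chain does not end in ca_file or the hostname
    check fails, which is itself a useful result.
    """
    ctx = ssl.create_default_context(cafile=ca_file)  # only my-vpn-ca is trusted
    ctx.minimum_version = MIN_TLS
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.version(), tls.getpeercert()


if __name__ == "__main__":
    # usage: python gp_preflight.py my-vpn.ddns.net my-vpn-ca.crt
    # (hostname and CA file name are assumptions; use your own DDNS name and
    # a PEM export of the root CA created in this guide)
    fqdn, ca = sys.argv[1], sys.argv[2]
    version, peer = probe_portal(fqdn, ca)
    findings = cert_problems(peer, fqdn)
    print(f"{fqdn}: negotiated {version}")
    print("\n".join(findings) if findings else "portal certificate looks good")
```

Run it from the hotspot network, not from inside the home LAN. An ssl.SSLError means the chain did not end in my-vpn-ca or the name did not match, which is exactly the mistake step 5 of the certificate section warns about; a clean run with a reported validity over 825 days tells you Apple devices will reject the certificate even though Windows clients connect fine.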

      Conclusion

      Whew!  This was a challenging set up and congratulations for getting this far.  Don’t get frustrated if you run into issues, I experienced plenty — improperly configured certificates, firewall rules not allowing access, and all manner of other oddities.  This is an involved and lengthy configuration so problems are virtually guaranteed.  I promise you that at the very least, you will learn a ton — I know I did.

      Happy secure VPN tunneling!
