GlobalProtect VPN for Remote Access

1. Create Interfaces and Zones for GlobalProtect.

Use the

default

virtual router for all interface configurations to avoid having to create inter-zone routing.

o Select

Network
Interfaces
Ethernet
. Configure
ethernet1/2
as a Layer 3 Ethernet interface with IP address 203.0.113.1, and then assign it to
the
l3-untrust

Security Zone
and the default
 Virtual Router
.
o Create a DNS “A” record that maps IP address
203.0.113.1

to
gp.acme.com

.
o Select

Network
Interfaces
Tunnel
and
Add
the
tunnel.2
interface.
Add
the tunnel interface to a new
Security Zone
called
corp-vpn

, and then assign it to the default

Virtual Router
.
o Enable User Identification on the
corp-vpn

zone.

2. Create security policies to enable traffic flow between the

corp-vpn

zone and the

l3-trust
 zone, which enables access to your internal resources.

1. Select

Policies

Security

, and then

Add

a new rule.

2. For this example, you would define the rule with the following settings:

 Name
(
General
tab)—VPN Access
 Source Zone
(
Source
tab)—corp-vpn
 Destination Zone
(
Destination
tab)—l3-trust

3.

3. Use one of the following methods to obtain a server certificate for the interface hosting the
GlobalProtect portal and gateway:

o (

Recommended
) Import a server certificate from a well-known, third-party CA.
 o Use the root CA on the portal to generate a self-signed server certificate.

Select
Device
Certificate Management
Certificates
to manage certificates as follows:
o Obtain a server certificate. Because the portal and gateway are on the same
interface, the same server certificate can be used for both components.

o The CN of the certificate must match the FQDN,

gp.acme.com

.
o To enable users to connect to the portal without receiving certificate errors, use a
server certificate from a public CA.

4. Create a server profile.

The server profile instructs the firewall on how to connect to the authentication service. Local,
RADIUS, Kerberos, SAML, and LDAP authentication methods are supported. This example
shows an LDAP authentication profile for authenticating users against the Active Directory.

Create the server profile for connecting to the LDAP server (

Device

Server Profiles

LDAP

).
5. (Optional) Create an authentication profile.

Attach the server profile to an authentication profile (

Device

Authentication Profile

).
6. Configure a GlobalProtect Gateway.

Select

Network

GlobalProtect

Gateways

, and then

Add

the following configuration:

Interface

—
 ethernet1/2

IP Address

203.0.113.1

Server Certificate

GP-server-cert.pem issued by GoDaddy

Authentication Profile

Corp-LDAP

Tunnel Interface

tunnel.2

IP Pool

10.31.32.3 - 10.31.32.118

7. Configure the GlobalProtect Portals.

Select

Network

GlobalProtect
Portals

, and then

Add

the following configuration:

1. Set Up Access to the GlobalProtect Portal:

Interface

ethernet1/2

IP Address

203.0.113.1

Server Certificate

GP-server-cert.pem issued by GoDaddy

Authentication Profile

Corp-LDAP

2. Define the GlobalProtect Client Authentication Configurations:

Connect Method

On-demand

(Manual user initiated connection)

External Gateway Address

—
 gp.acme.com

8. Deploy the GlobalProtect App Software.

Select

Device

GlobalProtect Client

. Follow the procedure to Host App Updates on the Portal.

9. (

Optional

) Enable use of the GlobalProtect mobile app.

Purchase and install a GlobalProtect subscription (

Device

Licenses

) to enable use of the app.

10. Save the GlobalProtect configuration.

Click

Commit