
Palo Alto GlobalProtect VPN Configuration [2024 IMPROVED!!!] 

NETSums
16K views

In this tutorial you're going to learn how to configure remote access VPN on the Palo Alto Firewall. Palo Alto has its own VPN client, called GlobalProtect.
In the video I will show you how to authenticate a remote user using Microsoft Active Directory.
This video is an improved version of an older GlobalProtect tutorial I made at the beginning of 2023 ( • Palo Alto GlobalProtec... ). The theory part has been compacted and we also offer some professional hints that were not mentioned in the first video.
At the end of the video, I use a Windows client to test the VPN connection using the GlobalProtect app to a Linux server inside our fictional corporate network.
🌐 Useful Links
- GlobalProtect Authentication with Azure: • Palo Alto GlobalProtec...
- NETSums Resources: netsums.com/re...
- Palo Alto Training (preparation for PCNSA): netsums.com/tr...
If you have questions, suggestions, or any kind of feedback, please don't hesitate to comment below! I will reply as soon as possible.
#paloaltofirewall #paloaltonetworks #firewall #globalprotect

Published: 25 Aug 2024

Comments: 67
@netsums 6 months ago
FREE Palo Alto Cheat Sheet in different formats and further FREE resources: netsums.com/resources
@sx91k 9 months ago
Great explanation, thanks!
@netsums 9 months ago
You're welcome, I'm glad you liked it!
@zs8850 3 months ago
Great video! Thank you for what you do!
@netsums 3 months ago
No worries, I'm glad you liked the video!
@_prince_isra_9845 5 months ago
Thank you for video. I learned a lot.
@netsums 5 months ago
Very nice, I'm glad we could help you 😊
@honno7765 20 days ago
Amazing video. Thank you! I think that after watching it I was able to figure out why I get connected to the portal but the connection fails at finding the best available gateway. I misconfigured the Agent External part, which is crucial to connect to the gateway.
@netsums 16 days ago
Cool! I'm glad I could help.
@bjornm.2183 7 months ago
Good Job, Ricardo!
@netsums 7 months ago
Thank you, I hope I could help!
@nimolluon3158 6 months ago
Great presentation. It is just my preference that you should not move the screen around, because it is difficult to follow. Again, it is just for me. Good job!
@netsums 6 months ago
Hi. Thank you for the comment and for your feedback! This feedback helps us a lot to improve the video quality. :)
@jaydipparmar5653 7 months ago
You explained it very well. Let me test this in the lab.
@netsums 7 months ago
Cool, I'm glad you liked it. Let me know later if it worked in your lab
@jaydipparmar5653 7 months ago
@netsums Sure, will do. Also, can you please create one for SSL Forward & SSL Inbound decryption?
@netsums 7 months ago
Here is a video about SSL Forward Proxy: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-UuKcjfQicNw.html. I still need to do the one about SSL Inbound, though. I will keep it in mind.
@bryanthompson696 6 months ago
Good video, thank you.
@netsums 6 months ago
Glad you enjoyed it!
@hakimwalugembe9634 3 months ago
Thanks for the great video. Can you do a video for pass-through IPsec traffic, where the Palo Alto Networks firewall is just an intermediate device between two IPsec peers?
@netsums 3 months ago
What do you mean exactly? Do you mean site to site VPN?
@sridharbvnl2101 8 months ago
Awesome!
@netsums 8 months ago
I'm glad you liked it. 👍
@veerabsc 6 months ago
Very good 👍. If you could show how the certificates were done for this GP, that would be lovely. Thank you for your hard work.
@netsums 6 months ago
Hi. I'm glad you liked the video. Here we bought a certificate for vpn.netsums.com, but there are other videos where we created a Root CA certificate on the firewall (CA) and used this CA to sign other certificates we generated locally. Could I answer your question? :-)
@user-vn7ww2ze6x 5 months ago
Great video, it was very informative. I realize you purchased the certificate from DigiCert, but can you show which certificate type you chose and the step-by-step process to import the certificate? I've seen the self-signed certificate process, but that's not quite the same. Again, great video!!
@netsums 5 months ago
Thank you. We just bought the cheapest one we found, since it was just for our lab. I released a video about 2 weeks ago (Inbound SSL Decryption) where I show how you can import a Let's Encrypt certificate to the firewall, if you're interested. As a result, you get a public certificate for free. :-) But for that you need a Linux server. Take a look there and let me know if that's what you were looking for: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-HIt65vK2TXI.htmlfeature=shared
@konglyhok4343 7 months ago
Thank you! So can you show us how to configure it with multiple gateways? It would be useful.
@netsums 7 months ago
Hi. I will consider it for an upcoming video. Thank you for the request.
@abhirajdeshmukh273 3 months ago
Thank you for this video. I have a quick question, since I have a centralized approach to achieve a hub-and-spoke model in AWS, which allows data flow on only one private interface in Palo Alto, but that is divided into 3 sub-interfaces (ingress, egress and east-west). Could you please guide me, in that case, on how I should proceed with the configuration of GlobalProtect?
@netsums 3 months ago
Hi. Do any of the sub-interfaces have a public IP? If not, you would have to configure NAT somewhere. If I were you, I think I would configure a loopback address specially for the portal and gateway configuration and configure the address translation from the public IP to this loopback address. Would it be possible? How does that sound to you?
@abhirajdeshmukh273 3 months ago
@netsums So neither of these sub-interfaces has a public IP; however, I do have a NAT gateway outside of PA. These sub-interfaces are plugged in through endpoints for traffic inspection. Where do I need to configure these loopback addresses and how should I configure the address translation?
@netsums 3 months ago
You configure the loopback addresses under Network -> Interfaces. I unfortunately cannot help you with the configuration of your gateway NAT on AWS, because it has been a long time since I configured one. It should be a static NAT: all packets addressed to the public IP should be forwarded to THE firewall loopback address. If it's too complicated, you can also forward to a physical interface. I just think the configuration with the loopback is "cleaner", because you have a dedicated interface for GlobalProtect. Just a personal preference. :-)
@AbhiGangwar-wv1vj 3 months ago
Hi, it's an informative video, but my question is how a GlobalProtect user can ping an outside server, like one on-premises server installed in India and a second server installed in the US. Site A and Site B have an IPsec tunnel (site-to-site VPN) configured on both sides. In my case, the GlobalProtect user is not able to ping the US server. Could you please provide the solution?
@netsums 3 months ago
There are many reasons for the connection not to be working. But I would start with verifying whether the firewall in the US can route the GlobalProtect network. If yes, I would verify whether the encryption domain in the s2s tunnel is encrypting the GlobalProtect traffic going to the US servers. Do you see the traffic arriving in the US or not? I am assuming the GlobalProtect user is connecting to a gateway in India.
@samsal073 1 month ago
Hi, I was trying Verizon home internet and noticed that whenever I connect my machine to work via GlobalProtect the speed goes down a lot. Why is that? Is there anything I can do to fix it?
@netsums 1 month ago
Sorry, I don't think I can help you there. Maybe set your MTU to 1350 or something like this? You can configure it in the portal configuration, under App. Otherwise you could take a look at the GlobalProtect client logs; maybe some errors could point you in the right direction.
@samsal073 1 month ago
@netsums Thanks for the reply. I have seen posts about setting the MTU but I have no idea how to do that. Can you guide me on where/how I can access the portal config?
@netsums 29 days ago
On the firewall, you go to Network -> GlobalProtect -> Portals. Click on your portal and click on Agent. Click on your agent configuration and select the App tab. There you need to search for MTU (you can use the browser search, it works); if I'm not mistaken, there is only one option with MTU in it.
@Bormanb23 3 months ago
Hello, with always-on, is there a way to exclude auto-connecting to GP when the user is in the corporate network?
@netsums 3 months ago
Hi. Yes, you're looking for an internal gateway. Take a look at this video: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-5PvzQ2GoUR0.htmlsi=-vB6IKju_5Sz7vXw
@Bormanb23 3 months ago
@netsums Sorry, that's not what I meant. What I want is for users not to auto-connect to GlobalProtect if they are sitting in the office. I only want them to connect to GlobalProtect when they go home.
@netsums 3 months ago
The only way I know around this problem is to use the internal host detection that I show in this video.
@seanbyrne960 3 months ago
Thank you -- the software will not accept my tunnel interface -- "invalid tunnel reference" in validate commit.
@netsums 3 months ago
Strange. Are you using Panorama for the configuration? If yes, are your gateway and tunnel configurations in different templates?
@seanbyrne960 3 months ago
@netsums Yes, I am using Panorama for this deployment -- there are two existing GP Portals & Gateways -- the logs show only one template -- thank you.
@seanbyrne960 3 months ago
Does your training course cover Panorama deployments & configuration?
@netsums 3 months ago
Take a look in the template stack to see if everything is there, the gateways, the tunnels and the virtual routers, if you're still having problems. And yes, the course I'm building will cover templates and device groups deployment. :-)
@seanbyrne960 3 months ago
@netsums The interfaces, gateways and tunnels are all part of the same template stack.
@RayAlejandroGaviriaAlegria 6 months ago
Thanks for this video. Is it a similar configuration for Android users?
@netsums 6 months ago
Hi. Yes, it is. Just be careful that for Android you need the GlobalProtect Gateway license.
@reginaldoredondo 7 months ago
Hello, my friend. I have a problem in my environment: every time the user logs into the internal environment, GlobalProtect closes the connection and the client cannot access the internal network. It's as if GlobalProtect blocked access. How can I resolve this situation? Can you help me?
@netsums 7 months ago
Hi. I am not sure I understood your problem. Do you have GlobalProtect set up with an internal gateway? What does the log from the GlobalProtect client say (under Settings -> Troubleshooting)? I would suggest starting with the event log (I think it's called pan_gp_event.log).
@user-bz7jo9qc9i 8 months ago
I wonder how NAT applies to this. The portal URL is typically a public IP? This just requires a DNS record of the public-facing IP on the firewall?
@netsums 8 months ago
If you have a public IP for your portal, you don't need NAT. You said it correctly, it is typically like this, but not a requirement. You can have a private IP for your portal, as I have in my lab, and still make it reachable from the Internet through a NAT device doing destination NAT.
@user-bz7jo9qc9i 8 months ago
@netsums Thank you very much for the response. I recently tried configuring a GP VPN on a client's FW in which they had an existing GP VPN tunnel but wanted a second... I was creating the second GP VPN using the public IP that they use for the existing GP VPN. This caused users to redirect. Do you know off the top of your head by chance why that is? I thought the packet would reach its final destination (the FW) and would get to the code and go to the correct Portal and GW(?). Our new plan is to use a spare public IP they have for the new tunnel.
@netsums 8 months ago
I would strongly recommend that you use the second IP for the other portal; I don't think Palo Alto supports two portals sharing the same interface. Why do you need a new portal, anyway? Different authentication methods?
@netsums 8 months ago
When you say new tunnel, do you mean new GlobalProtect Gateway? If I were you, I would configure second portal and second gateway sharing the same public IP. The tunnel interface doesn't need an IP address.
@user-bz7jo9qc9i 8 months ago
@netsums Thank you again for your response, sir. The client needs a second GP VPN tunnel because they want to authenticate corp laptops with a certificate; they have an existing GP VPN tunnel for personal devices. I am going to work with the client in about two hours from now to configure it. The plan is to use their second public IP for the new GP VPN tunnel. The only thing I'm unsure of now is how routing and NAT will work with this, but I'm looking into it now and think I can figure it out on the fly, hopefully, when I hop on the call with them to see how their current one is configured.
@Alex-un5tl 8 months ago
Can you make one for IPv6 as well, please?
@netsums 8 months ago
That's a good suggestion! I'll keep this in mind, thanks!
@pramodkumargangwar5598 1 month ago
Hi sir, I am using the Palo Alto VM trial version; there is no license. Can I perform this practical?
@netsums 29 days ago
I'm not sure. Give it a try to see if it accepts the configuration.