Palo Alto Networks ® GlobalProtect Administrator’s Guide Version 6.
Contact Information
Corporate Headquarters: Palo Alto Networks, 4401 Great America Parkway, Santa Clara, CA 95054, http://www.paloaltonetworks.com/contact/contact/

About this Guide
This guide takes you through the configuration and maintenance of your GlobalProtect infrastructure. For additional information, refer to the following resources: For information on the additional capabilities and for instructions on configuring the features on the firewall, refer to https://www.paloaltonetworks.
GlobalProtect Overview

Whether checking email from home or updating corporate documents from the airport, the majority of today's employees work outside the physical corporate boundaries. This increased workforce mobility brings increased productivity and flexibility while simultaneously introducing significant security risks.
About the GlobalProtect Components

GlobalProtect provides a complete infrastructure for managing your mobile workforce to enable secure access for all your users, regardless of what devices they are using or where they are located.
GlobalProtect Client

The GlobalProtect client software runs on end user systems and enables access to your network resources via the GlobalProtect portals and gateways you have deployed. There are two types of GlobalProtect clients:
• The GlobalProtect Agent—Runs on Windows and Mac OS systems and is deployed from the GlobalProtect portal.
GlobalProtect Mobile Security Manager

The GlobalProtect Mobile Security Manager provides management, visibility, and automated configuration deployment for mobile devices—either company provisioned or employee owned—on your network.
What Client OS Versions are Supported with GlobalProtect?

The following table summarizes the supported desktop, laptop, and mobile device operating systems and the minimum PAN-OS and GlobalProtect agent/app versions required to support each one:

Supported Client OS Versions   Minimum Agent/App Version   Minimum PAN-OS Version
Apple Mac OS 10.6              1.1                         4.1.0 or later
Apple Mac OS 10.7              1.1
Apple Mac OS 10.8              1.1
About GlobalProtect Licenses

If you simply want to use GlobalProtect to provide a secure remote access or virtual private network (VPN) solution via a single, external gateway, you do not need any GlobalProtect licenses.
Set Up the GlobalProtect Infrastructure

In order for GlobalProtect to work, you must set up the basic infrastructure that allows all of the components to communicate. At a basic level, this means setting up the interfaces and zones that the GlobalProtect end users will connect to in order to access the portal and gateways. Because the GlobalProtect components communicate over secure channels, you must acquire and deploy all of the required SSL certificates on the various components.
Create Interfaces and Zones for GlobalProtect

You must configure the following interfaces and zones for your GlobalProtect infrastructure:
• GlobalProtect portal—Requires a Layer 3 or loopback interface for GlobalProtect clients to connect to. If the portal and gateway are on the same firewall, they can use the same interface.
Set Up Interfaces and Zones for GlobalProtect (Continued)
Step 2 On the firewall(s) hosting GlobalProtect gateway(s), configure the logical tunnel interface that will terminate VPN tunnels established by the GlobalProtect agents. IP addresses are not required on the tunnel interface unless you require dynamic routing.
Enable SSL Between GlobalProtect Components

All interaction between the GlobalProtect components occurs over an SSL connection. Therefore, you must generate and/or install the required certificates before configuring each component so that you can reference the appropriate certificate(s) in the configurations.
Table: GlobalProtect Certificate Requirements

Certificate: CA certificate
Usage: Used to sign certificates issued to the GlobalProtect components.
Issuing Process/Best Practices: If you plan to use self-signed certificates, it is a best practice to generate a CA certificate on the portal and then use that certificate to issue the required GlobalProtect certificates.

Certificate: (Optional) Machine certificates
Usage: Ensures that only trusted machines can connect to GlobalProtect. In addition, machine certificates are required for use of the pre-logon connect method, which allows for establishment of VPN tunnels before the user logs in.
Deploy Server Certificates to the GlobalProtect Components

The following workflow shows the best practice steps for deploying SSL certificates to the GlobalProtect components:

Deploy SSL Server Certificates to the GlobalProtect Components
To import a certificate and private key from a public CA, make sure the certificate and key files are accessible from your management system and that you have the passphrase to decrypt t

Deploy SSL Server Certificates to the GlobalProtect Components (Continued)
• Generate a self-signed server certificate. Use the root CA on the portal to generate server certificates for each gateway you plan to deploy and optionally for the Mobile Security Manager management interface (if this is the interface the gateways will use to retrieve HIP reports).
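The certificate workflow above (a private root CA that issues one server certificate per gateway) is shown below as an added, stand-alone openssl example; it is not from the GlobalProtect guide and does not use the firewall's certificate tooling. The gateway name gw1.example.com, the CA subject, and all file names are placeholders chosen for this example, and openssl 1.0.2 or later is assumed to be on PATH. The example also checks the two things that matter when a gateway certificate is deployed: that it chains to the CA the agents trust, and that its subjectAltName matches the hostname the portal hands out for that gateway.

```shell
#!/bin/sh
# Added example (not from the GlobalProtect guide): build a private root CA,
# issue a server certificate for one gateway, and verify chain and hostname.
# Assumptions: gw1.example.com and the file names are placeholders; openssl is on PATH.
set -e

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
CA_DAYS=3650
SERVER_DAYS=365

# Create the root CA: a self-signed certificate constrained to CA use only.
# This plays the role of the CA certificate generated on the portal.
make_root_ca() {
  dir="$1"
  cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = GlobalProtect Root CA (example)
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$CA_DAYS" \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  chmod 600 "$dir/ca.key"   # the CA key must never leave the issuing host
}

# Issue a server certificate for one gateway. The subjectAltName must match the
# hostname agents are given for the gateway, or clients will reject the connection.
issue_gateway_cert() {
  dir="$1"; fqdn="$2"
  cat > "$dir/$fqdn.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $fqdn
EOF
  cat > "$dir/$fqdn.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/$fqdn.cnf" \
    -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" 2>/dev/null
  openssl x509 -req -in "$dir/$fqdn.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days "$SERVER_DAYS" -sha256 -extfile "$dir/$fqdn.ext" \
    -out "$dir/$fqdn.crt" 2>/dev/null
}

# Check that a certificate chains to the given CA file. Prints OK or FAIL.
verify_chain() {
  cafile="$1"; certfile="$2"
  if openssl verify -CAfile "$cafile" "$certfile" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Check that the certificate names the gateway in subjectAltName (reads the text
# dump so it works on openssl versions without -verify_hostname).
cert_has_dns_name() {
  certfile="$1"; fqdn="$2"
  openssl x509 -in "$certfile" -noout -text | grep -q "DNS:$fqdn"
}

# Trusted CA issues the gateway certificate.
make_root_ca "$WORKDIR"
issue_gateway_cert "$WORKDIR" gw1.example.com

# An unrelated CA issuing a certificate for the same name must NOT verify
# against the trusted CA; this is what protects agents from an impostor gateway.
mkdir -p "$WORKDIR/other"
make_root_ca "$WORKDIR/other"
issue_gateway_cert "$WORKDIR/other" gw1.example.com

echo "trusted CA  -> gw1: $(verify_chain "$WORKDIR/ca.crt" "$WORKDIR/gw1.example.com.crt")"
echo "other CA    -> gw1: $(verify_chain "$WORKDIR/ca.crt" "$WORKDIR/other/gw1.example.com.crt")"
```

Deploy ca.crt (not ca.key) to the agents through the portal's trusted root CA list, and gw1.example.com.crt together with its key on that gateway only; a certificate whose subjectAltName does not match the gateway address in the client configuration fails the hostname check even though it chains correctly.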
Set Up GlobalProtect User Authentication

The portal and gateway require the end-user authentication credentials before the GlobalProtect agent/app will be allowed access to GlobalProtect resources. Because the portal and gateway configurations require you to specify which authentication mechanisms to use, you must configure authentication before continuing with the portal and gateway setup.
Supported GlobalProtect Authentication Methods

Authentication Method: Local Authentication
Description: Both the user account credentials and the authentication mechanisms are local to the firewall. This authentication mechanism is not scalable because it requires an account for every GlobalProtect end user and is therefore only recommended in very small deployments.

Authentication Method: Two-factor authentication
Description: You can enable two-factor authentication by configuring both a certificate profile and an authentication profile and adding them both to the portal and/or gateway configuration. Keep in mind that with two-factor authentication, the client must successfully authenticate via both mechanisms in order to gain access to the system.
Set Up External Authentication

The following workflow describes how to set up the portal and/or gateway to authenticate users against an existing authentication service. GlobalProtect supports external authentication using LDAP, Kerberos, or RADIUS. GlobalProtect also supports local authentication.
Set Up External User Authentication (Continued)
Step 2 Create an authentication profile. The authentication profile specifies which server profile to use to authenticate users. You can attach an authentication profile to a portal or gateway configuration.
• Enter a Name for the profile and then select the Authentication type (LDAP, Kerberos, or RADIUS).
• Select the Server Profile you created in Step 1.
Set Up Client Certificate Authentication
Step 1 The method for issuing client certificates depends on how you are using client certificates. To issue unique certificates for individual clients or machines, use your enterprise CA or a public CA. However, if you want to use client certificates to validate that the user belongs to your organization, generate a self-signed client certificate as follows:
Set Up Client Certificate Authentication (Continued)
Step 2 If you are using unique user certificates or machine certificates, each certificate must be installed in the personal certificate store. For example, to install a certificate on a Windows system using the Microsoft Management Console:
1. From the command prompt, enter mmc to launch the console.
2. Select File > Add/Remove Snap-in.
Set Up Client Certificate Authentication (Continued)
Step 3 Verify that the certificate has been added to the personal certificate store. Look to see that the certificate you just installed is there.
Step 4 Import the root CA certificate used to issue the client certificates onto the firewall.
1. Download the root CA certificate used to issue the client certificates (Base64 format).
Set Up Two-Factor Authentication

If you require strong authentication in order to protect your sensitive resources and/or comply with regulatory requirements—such as PCI, SOX, or HIPAA—configure GlobalProtect to use an authentication service that uses a two-factor authentication scheme such as one-time passwords (OTPs), tokens, smart cards, or a combination of external authentication and client certificate authentication.
Enable Two-Factor Authentication
Step 1 Create a server profile. The server profile instructs the firewall how to connect to an external authentication service and access the authentication credentials for your users.
• Select Device > Server Profiles and select the type of profile (LDAP, Kerberos, or RADIUS).
• Click Add and enter a Name for the profile, such as GP-User-Auth.
Enable Two-Factor Authentication (Continued)
Step 3 Create a client certificate profile. Note: If you are setting up the portal and/or gateway for two-factor authentication and the client certificate contains a username field, the username value from the certificate will be used as the username when authenticating the user to your external authentication service.
Enable OTP Support (Continued)
Step 2 On the firewall that will act as your gateway and/or portal, create a RADIUS server profile.
1. Select Device > Server Profiles > RADIUS, click Add and enter a Name for the profile.
2. To add a RADIUS server entry, click Add in the Servers section and then enter the following information:
Enable OTP Support (Continued)
Step 6 Save the configuration. Click Commit.
Step 7 Verify the configuration. This step assumes that your gateway and portal are already configured. From a client system running the GlobalProtect agent, try to connect to a gateway or portal on which you enabled OTP authentication. You should see two prompts similar to the following:
Enable Smart Card Authentication (Continued)
Step 2 Import the root CA certificate that issued the client certificates contained on the end user smart cards. Make sure the certificate and key files are accessible from your management system and that you have the passphrase to decrypt the private key, and then complete the following steps:
1. Select Device > Certificate Management > Certificates > Device Certificates.
Enable Group Mapping

Because the agent or app running on your end-user systems requires the user to successfully authenticate before being granted access to GlobalProtect, the identity of each GlobalProtect user is known.
Map Users to Groups
Step 1 Create an LDAP server profile that specifies how to connect to the directory servers from which the firewall obtains group mapping information.
1. Select Device > Server Profiles > LDAP.
2. Click Add and then enter a Name for the profile.
3. (Optional) Select the virtual system to which this profile applies from the Location drop-down.
Map Users to Groups (Continued)
Step 2 Add the LDAP server profile to the User-ID Group Mapping configuration.
1. Select Device > User Identification > Group Mapping Settings and click Add.
2. Enter a Name for the configuration.
3. Select the Server Profile you just created.
4. Make sure the Enabled check box is selected.
Step 3 Save the configuration.
Configure GlobalProtect Gateways

Because the GlobalProtect configuration that the portal delivers to the agents includes the list of gateways the client can connect to, it is a good idea to configure the gateways before configuring the portal. The GlobalProtect gateways can be configured to provide two main functions:
• Enforce security policy for the GlobalProtect agents and apps that connect to it.
Configure the Gateway (Continued)
Step 2 Specify the network information to enable agents to connect to the gateway. If you have not yet created the network interface for the gateway, see Create Interfaces and Zones for GlobalProtect.
1. Select the Interface that agents will use for ingress access to the gateway.
2. Select the IP Address for the gateway web service.
3. Select the Server Certificate for the gateway from the drop-down.
Configure the Gateway (Continued)
Step 5 (Tunnel Mode only) Configure the network settings to assign to the clients’ virtual network adapter when an agent establishes a tunnel with the gateway.
1. On the GlobalProtect Gateway dialog, select Client Configuration > Network Settings.
Configure the Gateway (Continued)
Step 6 (Optional) Define the notification messages end users will see when a security rule with a host information profile (HIP) is enforced. This step only applies if you have created host information profiles and added them to your security policies.
1. On the Client Configuration > HIP Notification tab, click Add.
2. Select the HIP Profile this message applies to from the drop-down.
Configure the GlobalProtect Portal

The GlobalProtect portal provides the management functions for your GlobalProtect infrastructure. Every client system that participates in the GlobalProtect network receives configuration information from the portal, including information about available gateways as well as any client certificates that may be required to connect to the gateways.
Set Up Access to the Portal
Step 1 Add the portal.
1. Select Network > GlobalProtect > Portals and click Add.
2. On the Portal Configuration tab, enter a Name for the portal. The portal name should not contain any spaces.
3. (Optional) Select the virtual system to which this portal belongs from the Location field.
Step 2 Specify the network information to enable agents to connect to the portal.
• The root CA certificate required to enable the agent/app to establish an SSL connection with the GlobalProtect gateway(s) and/or the Mobile Security Manager.
• The client certificate that the agent should present to the gateway when it connects. This is only required if mutual authentication is required between the agent and the gateway.
Create a GlobalProtect Client Configuration (Continued)
Step 3 If you do not require the GlobalProtect agent to establish tunnel connections when on the internal network, enable internal host detection.
1. Select the Internal Host Detection check box.
2. Enter the IP Address of a host that can only be reached from the internal network.
3. Enter the DNS Hostname that corresponds to the IP address you entered.
Create a GlobalProtect Client Configuration (Continued)
Step 6 Specify which users to deploy this configuration to. There are two ways to specify who will get the configuration: by user/group name and/or the operating system the agent is running on.
Create a GlobalProtect Client Configuration (Continued)
Step 8 Specify the gateways that users with this configuration can connect to.
Best Practices:
• If you are adding both internal and external gateways to the same configuration, make sure to enable Internal Host Detection. See Step 3 in Define the GlobalProtect Client Configurations for instructions.
Create a GlobalProtect Client Configuration (Continued)
Step 11 Arrange the client configurations so that the proper configuration is deployed to each agent. When an agent connects, the portal will compare the source information in the packet against the client configurations you have defined. As with security rule evaluation, the portal looks for a match starting from the top of the list.
Customize the Agent
Step 1 Go to the Agent tab in the client configuration you want to customize.
1. Select Network > GlobalProtect > Portals and select the portal configuration for which you want to add a client configuration (or click Add to add a new configuration).
Customize the Agent (Continued)
Step 2 Define what the end users with this configuration can do from the agent. By default, the agent functionality is fully enabled (meaning all check boxes are selected).
Customize the Agent (Continued)
Step 3 Specify whether users can disconnect from GlobalProtect.
• To prevent users in user-logon mode from disconnecting, select disabled from the Agent User Override drop-down.
Customize the Agent (Continued)
Step 4 Specify how GlobalProtect agent upgrades will occur. By default, the Agent Upgrade field is set to prompt the end user to upgrade. To modify this behavior, select one of the following options:
• If you want upgrades to occur automatically without interaction with the user, select transparent.
• If you want to control when users can upgrade, for example if you want to test a
Customize the Portal Login Page
Step 1 Export the default portal login page.
1. Select Device > Response Pages.
2. Select the GlobalProtect Portal Login Page link.
3. Select the Default predefined page and click Export.
Step 2 Edit the exported page.
1. Using the HTML text editor of your choice, edit the page.
Deploy the GlobalProtect Client Software

In order to connect to GlobalProtect, an end host must be running GlobalProtect client software. The software deployment method depends on the type of client as follows:
• Mac OS and Microsoft Windows hosts—Require the GlobalProtect agent software, which is distributed by the GlobalProtect portal.
Host Agent Updates on the Portal

The simplest way to deploy the GlobalProtect agent software is to download the new agent installation package to the firewall that is hosting your portal and then activate the software for download to the agents connecting to the portal. To do this automatically, the firewall must have a service route that enables it to access the Palo Alto Networks Update Server.
Host Agent Updates on a Web Server

If you have a large number of client systems that will need to install and/or update the GlobalProtect agent software, consider hosting the GlobalProtect agent software images on an external web server. This helps reduce the load on the firewall when users connect to download the agent. To use this feature, the firewall hosting the portal must be running PAN-OS 4.1.7 or later.
Test the Agent Installation

Use the following procedure to test the agent installation.

Test the Agent Installation
Step 1 Create a client configuration for testing the agent installation. As a best practice, create a client configuration that is limited to a small group of users, such as administrators in the IT department responsible for administering the firewall:
Test the Agent Installation (Continued)
Step 3 Download the agent.
1. Click the link that corresponds to the operating system you are running on your computer to begin the download.
2. When prompted to run or save the software, click Run.
3. When prompted, click Run to launch the GlobalProtect Setup Wizard.
Step 4 Complete the GlobalProtect agent setup.
Step 5 Log in to GlobalProtect.
Deploy Agent Settings Transparently

As an alternative to deploying agent settings from the portal configuration, you can define them directly from the Windows registry or global Mac plist or—on Windows clients only—from the MSIEXEC installer. The benefit of this is that it enables deployment of GlobalProtect agent settings to client systems prior to their first connection to the GlobalProtect portal.
Customizable Agent Settings

In addition to pre-deploying the portal address, you can also define the agent configuration settings. Table: Customizable Agent Settings describes each customizable agent setting. Settings defined in the GlobalProtect portal client configuration take precedence over settings defined in the Windows registry or the Mac plist.
Deploy Agent Settings in the Windows Registry or Mac plist

You can set the GlobalProtect agent customization settings in the Windows registry (HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\) or the Mac global plist file (/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist).
Test the App Installation (Continued)
Step 2 From the mobile device, follow the prompts to download and install the app.
• On Android devices, search for the app on Google Play.
• On iOS devices, search for the app at the App Store.
Step 3 Launch the app. When successfully installed, the GlobalProtect app icon displays on the device’s Home screen. To launch the app, tap the icon.
Reference: GlobalProtect Agent Cryptographic Functions

The GlobalProtect agent uses the OpenSSL library 0.9.8p to establish secure communication with the GlobalProtect portal and GlobalProtect gateways.
Set Up the GlobalProtect Mobile Security Manager

As mobile devices become more powerful, end users increasingly rely on them to perform business tasks. However, these same devices that are accessing your corporate network are also connecting to the Internet without protection against threats and vulnerabilities. The GlobalProtect Mobile Security Manager provides mechanisms to configure device settings and accounts and perform device actions, such as locking and/or wiping lost or stolen mobile devices.
Mobile Security Manager Deployment Best Practices

GlobalProtect Mobile Security Manager (running on the GP-100 appliance) works in concert with the rest of the GlobalProtect infrastructure to ensure a complete mobile security solution.
Set Up Management Access to the Mobile Security Manager

By default, the management port (MGT) on the GP-100 appliance (also called the Mobile Security Manager) has an IP address of 192.168.1.1 and a username/password of admin/admin. For security reasons, you must change these settings before continuing with other Mobile Security Manager configuration.
Set Up Network Access to the GP-100 Appliance (Continued)
Step 6 (Optional) Configure general appliance settings.
1. Select Setup > Settings > Management and click the Edit icon in the General Settings section of the screen.
2. Enter a Hostname for the appliance and enter your network Domain name. The domain name is just a label; it will not be used to join the domain.
Set Up Network Access to the GP-100 Appliance (Continued)
Step 11 Open an SSH management session to the GP-100 appliance. Using terminal emulation software, such as PuTTY, launch an SSH session to the appliance using the new IP address you assigned to it:
1. Enter the IP address you assigned to the MGT port in the SSH client.
2. Use port 22.
Register, License, and Update the Mobile Security Manager

Before you can begin using the Mobile Security Manager to manage mobile devices, you must register the GP-100 appliance and retrieve the licenses. If you plan to manage more than 500 mobile devices, you must purchase a one-time GlobalProtect Mobile Security Manager perpetual license based on the number of mobile devices to be managed.
Activate/Retrieve the Licenses

The Mobile Security Manager requires a valid support license, enabling it to retrieve software updates and dynamic content updates. The appliance comes with 90 days of free support; however, you must purchase a support license to continue receiving updates after this introductory period.
Activate the Licenses (Continued)
Step 2 Activate the license(s). If the Mobile Security Manager will manage more than 500 mobile devices, a GlobalProtect Mobile Security Manager perpetual license is required.
Get Software and Content Updates (Continued)
Step 2 Check for, download, and install the latest Mobile Security Manager content update. The Mobile Security Manager content updates include all Android application package (APK) malware signatures, including new malware detected by WildFire.
• Click Download to obtain the desired version.
Set Up the Mobile Security Manager for Device Management

Before you can begin using the Mobile Security Manager to manage mobile devices, you must set up the device management infrastructure.
Set Up the Mobile Security Manager for Device Check-In (Continued)
Step 2 (Optional) Modify the device check-in settings. By default, the Mobile Security Manager listens on port 443 for both enrollment requests and check-in requests.
1. Select Setup > Settings > Server and then click the Edit icon in the Device Check-in Settings section.
Set Up the Mobile Security Manager for Device Check-In (Continued)
Step 4 Import a server certificate for the Mobile Security Manager device check-in interface. To import a certificate and private key, download the certificate and key file from the CA and then make sure they are accessible from your management system and that you have the passphrase to decrypt the private key.
Set Up the Mobile Security Manager for Device Check-In (Continued)
Step 5 Obtain a certificate for the Apple Push Notification Service (APNs). The APNs certificate is required for the Mobile Security Manager to be able to send push notifications to the iOS devices it manages.
1. To create the CSR, select Setup > Certificate Management > Certificates and then click Generate.
Step 6 Obtain a key and sender ID for the Google Cloud Messaging (GCM) service. The GCM key and sender ID are required for the Mobile Security Manager to send push notifications to the Android devices it manages. (Google has since retired GCM in favor of Firebase Cloud Messaging; check the release notes for your version before relying on this step.)
1. Open a new browser window and navigate to the Google APIs console at the following URL: https://cloud.google.
Configure the Mobile Security Manager for Enrollment
In order for a mobile device to be managed by the GlobalProtect Mobile Security Manager, it must be enrolled with the service.
Set Up the Mobile Security Manager for Enrollment (Continued)
Step 2 Configure the Mobile Security Manager to use the authentication profile for device enrollment.
1. Select Setup > Settings > Server and then click the Edit icon in the Authentication Settings section.
2. Select the Authentication Profile from the drop-down.
Step 4 (Optional) Configure the Mobile Security Manager to integrate with an existing enterprise SCEP server for issuing identity certificates to iOS devices. The benefit of SCEP is that the private key is generated on the mobile device and never leaves it, so neither the Mobile Security Manager nor the CA ever holds a copy.
Step 6 (Optional) Force device users to re-enroll upon identity certificate expiry. To force mobile device users to re-enroll when certificates expire:
1. Select Setup > Settings > Server and then click the Edit icon in the Enrollment Renewal Settings section.
Enable Gateway Access to the Mobile Security Manager
If you plan to Configure HIP-Based Policy Enforcement on your firewalls, you can configure the GlobalProtect gateways to retrieve the HIP reports for the mobile devices managed by the Mobile Security Manager.
Enable Gateway Access to Mobile Security Manager (Continued)
Step 3 Specify which server certificate the Mobile Security Manager should use so that the gateway can establish an HTTPS connection to it for HIP retrieval.
Step 5 Configure the gateways to access the Mobile Security Manager. From each firewall hosting a GlobalProtect gateway, do the following:
1. Select Network > GlobalProtect > MDM and then click Add to add the Mobile Security Manager.
Define Deployment Policies
After a mobile device successfully enrolls with the GlobalProtect Mobile Security Manager, it checks in with the Mobile Security Manager to submit its host data at regular intervals (every hour by default). The Mobile Security Manager uses the deployment policy rules you define to determine which configuration profiles to push to the device.
characteristics of the device, such as OS version, tag, or device model. See About HIP Matching.
– Configurations—Contain the configuration settings, certificates, provisioning profiles (iOS only), and device restrictions to push to the devices that match the corresponding policy rule.
supports a variety of LDAP directory servers, including Microsoft Active Directory (AD), Novell eDirectory, and Sun ONE Directory Server. See Integrate the Mobile Security Manager with your LDAP Directory for instructions on setting up user and group matching.
The way you choose to manage and configure the mobile devices depends on the particular requirements of your company and the sensitivity of the resources to which the configurations provide access. For details on setting up HIP notification messages, see Create HIP Objects and HIP Profiles.
Push a GlobalProtect VPN configuration profile to simplify deployment—To simplify the deployment of the GlobalProtect agent settings to the iOS devices you manage, create an iOS configuration profile and configure the VPN settings so that the device can automatically connect to your GlobalProtect VPN as soon as the corresponding policy is deployed.
Integrate the Mobile Security Manager with your LDAP Directory
Use the following procedure to connect to your LDAP directory so that the Mobile Security Manager can retrieve user and group information.
Integrate with the Directory Server
Step 1 Create an LDAP Server Profile that specifies how to connect to the directory servers you want the Mobile Security Manager to use to obtain user and group information. Use a bind account with read-only directory privileges and, where the server supports it, connect over SSL/TLS so that bind credentials and group data are not sent in the clear.
Step 2 Add the LDAP server profile to the directory integration configuration.
1. Select Setup > User Database > Directory Integration and click Add.
2. Select the Server Profile you just created.
3. Make sure the Enabled check box is selected.
Create HIP Objects and HIP Profiles
Step 1 Create the HIP objects to filter the data reported by the device. The tag feature allows you to create custom labels for the devices you manage for easy grouping.
1. Select Policies > Host Information > HIP Objects and click Add.
2. On the General tab, enter a Name and optionally a Description for the object.
Step 2 Create the HIP profiles that you plan to use in your policies. When you create your HIP profiles, you can combine the HIP objects you previously created (as well as other HIP profiles) using Boolean logic, so that when a traffic flow is evaluated against the resulting HIP profile it either matches or does not match.
Step 5 Define the notification messages device users will see when a policy rule with a HIP profile is enforced.
1. Select Policies > Host Information > Notifications and then click Add.
2. Select the HIP Profile this message applies to from the drop-down.
3. The decision as to when to display a message (that is, whether to display it
Configuration Profiles—Contain the configuration settings, restrictions, and web clips to be pushed to managed devices upon check-in. You must create separate configuration profiles for iOS and Android devices due to differences in OS functionality. For details on creating the profiles, see Create an Android Configuration Profile and Create an iOS Configuration Profile.
Create Web Clip Icons
Step 1 Create the image files you want to use as your web clip icons. The icons you create for use with your web clips must meet specific image and naming criteria in order for the OS to display them properly.
Android Icon Guidelines
Use 32-bit PNG files with an alpha channel for transparency. Use different dimensions for different screen densities as follows:
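The following is an added example, not code from the GlobalProtect guide or from Palo Alto Networks: a check you can run over an icon file before uploading it, confirming that it is a 32-bit PNG with an alpha channel (PNG bit depth 8 with colour type 6, RGBA) and that its pixel dimensions match the density you are uploading it for. Only the PNG signature and the IHDR chunk are inspected. The expected size passed to `check_icon` is an assumption for illustration; take the real values from the icon guidelines. The sample images are generated in memory so the check runs offline.

```python
"""Added example (not from the guide): verify that a web clip icon is a
32-bit RGBA PNG of the expected size by reading its IHDR chunk."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
RGBA, RGB = 6, 2   # PNG colour types: 6 = RGB + alpha, 2 = RGB only


def _chunk(kind, data):
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    return (struct.pack(">I", len(data)) + kind + data
            + struct.pack(">I", zlib.crc32(kind + data) & 0xFFFFFFFF))


def make_png(width, height, color_type):
    """Build a minimal valid PNG of one solid colour (constructed test data)."""
    bpp = 4 if color_type == RGBA else 3
    row = b"\x00" + b"\x80" * (width * bpp)     # filter byte 0 + pixel bytes
    ihdr = struct.pack(">IIBBBBB", width, height, 8, color_type, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(row * height))
            + _chunk(b"IEND", b""))


def png_header(data):
    """Return (width, height, bit_depth, color_type) from a PNG byte string."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    length, kind = struct.unpack(">I4s", data[8:16])
    if kind != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a well-formed IHDR")
    w, h, depth, ctype = struct.unpack(">IIBB", data[16:26])
    return w, h, depth, ctype


def check_icon(data, expected_size):
    """Return a list of problems; an empty list means the icon is acceptable."""
    problems = []
    try:
        w, h, depth, ctype = png_header(data)
    except ValueError as exc:
        return [str(exc)]
    if (depth, ctype) != (8, RGBA):
        problems.append(f"need 32-bit RGBA (depth 8, colour type 6), "
                        f"got depth {depth} type {ctype}")
    if (w, h) != (expected_size, expected_size):
        problems.append(f"expected {expected_size}x{expected_size}, got {w}x{h}")
    return problems


if __name__ == "__main__":
    print(check_icon(make_png(48, 48, RGBA), 48))   # no problems
    print(check_icon(make_png(48, 48, RGB), 48))    # no alpha channel
    print(check_icon(b"GIF89a....", 48))            # not a PNG at all
```

A file that passes this check is not guaranteed to render well, but one that fails it will not be displayed correctly, which is the cheap pre-upload test worth automating.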
Create an iOS Configuration Profile (Continued)
Step 2 Enter identifying information for the configuration.
1. On the General tab, enter a Name to display for the configuration in the Mobile Security Manager web interface.
2. Enter a Display Name to show on the Detail/Profiles screen on the mobile device as well as on the device HIP report.
Step 6 Provide configuration settings that enable device access to one or more of the following services:
• Wi-Fi
• VPN (GlobalProtect)
• Email
• Exchange ActiveSync
• LDAP
To enable configuration settings for a specific type of resource:
1. Select the tab and the corresponding check box to enable the configuration.
Step 8 Add certificates to push to the mobile devices. These can either be certificates that you generated on the Mobile Security Manager or certificates that you import from a different CA. You can push any certificate the device will need to connect to your internal applications and services.
Step 9 Set up an access point name (APN) for
Create a GlobalProtect VPN Configuration (Continued)
Step 3 Specify how to populate the VPN account username and password settings.
1. Specify where to get the VPN username by selecting a value from the Account drop-down. By default, the GlobalProtect VPN configuration is set to Use Saved, which uses the user name the device user provided during enrollment.
Step 5 (Optional) Specify what device traffic to tunnel through the VPN. By default, the GlobalProtect app tunnels all traffic as specified in its corresponding portal client configuration. However, you can override the portal tunnel configuration by defining VPN on Demand settings in the Mobile Security Manager configuration. Keep in mind that any traffic you exclude from the tunnel bypasses the gateway and is therefore not subject to its security policy.
Create an Android Configuration Profile (Continued)
Step 3 Specify passcode requirements for the devices. If you specify passcode requirements, device users are forced to adhere to the passcode settings you define.
Step 4 Set restrictions on what the user can do with the device.
Step 5 Provide configuration settings that enable device access to one or more Wi-Fi networks.
1. Select the Wi-Fi tab and then click Add.
2. On the Settings tab, enter a Name to identify this Wi-Fi configuration on the Mobile Security Manager.
3. For detailed information about each field, refer to the online help.
Import an iOS Provisioning Profile
To prevent the propagation of potentially malicious apps, iOS only allows users to install apps from approved sources via the App Store. To enable users to install internally developed apps on their iOS devices, you must obtain a provisioning profile from the iOS Developer Enterprise Program (iDEP). Because any app signed under that enterprise program will install on devices carrying the profile, treat the enterprise signing key with the same care as a CA key.
Set Up a SCEP Configuration (Continued)
Step 2 Specify the type of challenge to use. The challenge is the one-time password (OTP) that is shared between the Mobile Security Manager and the SCEP server. The Mobile Security Manager includes the OTP in the SCEP configuration it sends to the mobile device, and the device uses it to authenticate itself to the SCEP server. The challenge is what stops an arbitrary client from obtaining a certificate from the SCEP server, so prefer a dynamic, per-enrollment challenge where your SCEP server supports it; a fixed challenge reused across devices can be read out of any enrolled device's SCEP configuration and replayed.
Step 3 Specify how to connect to the SCEP server.
Step 4 Specify attributes of the certificates to be generated.
1. Enter a Subject name for the certificates generated by the SCEP server. The subject must be a distinguished name in key=value format and must include the common name (CN) key.
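The following is an added example, not code from the guide or from the Mobile Security Manager: a validator for the Subject field described above, so a malformed distinguished name is caught before it is committed and pushed to devices. It follows the RFC 4514 string form closely enough for this purpose: comma-separated `key=value` pairs, with a backslash escaping a comma, equals sign or other special character inside a value, and it rejects a subject with no CN. The set of accepted attribute types is an assumption made for illustration.

```python
"""Added example (not from the guide): validate a SCEP certificate Subject
as a key=value distinguished name that includes a CN."""
import re

# Attribute types accepted here: an assumption, extend as your CA requires.
ALLOWED_TYPES = {"CN", "OU", "O", "L", "ST", "C", "DC", "EMAIL", "UID"}
_TYPE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9.-]*$")


def split_unescaped(text, sep):
    """Split on sep, skipping occurrences preceded by a backslash.

    Escape sequences are kept intact so a later split on another separator
    still sees them as escaped.
    """
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def unescape(value):
    """Resolve backslash escapes once the value has been isolated."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_dn(subject):
    """Return an ordered list of (TYPE, value) pairs, or raise ValueError."""
    pairs = []
    for rdn in split_unescaped(subject, ","):
        rdn = rdn.strip()
        if not rdn:
            raise ValueError("empty RDN in subject")
        kv = split_unescaped(rdn, "=")
        if len(kv) != 2:
            raise ValueError(f"RDN is not in key=value form: {rdn!r}")
        key = kv[0].strip().upper()
        value = unescape(kv[1].strip())
        if not _TYPE_RE.match(key) or key not in ALLOWED_TYPES:
            raise ValueError(f"unknown attribute type: {kv[0]!r}")
        if not value:
            raise ValueError(f"empty value for {key}")
        pairs.append((key, value))
    return pairs


def validate_scep_subject(subject):
    """Return the parsed DN if it is usable as a SCEP subject, else raise."""
    pairs = parse_dn(subject)
    if not any(k == "CN" for k, _ in pairs):
        raise ValueError("subject must include a CN attribute")
    return pairs


def is_valid_scep_subject(subject):
    """Boolean form of validate_scep_subject, convenient for form checks."""
    try:
        validate_scep_subject(subject)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(validate_scep_subject("CN=jdoe,OU=Mobile,O=Example\\, Inc.,C=US"))
    print(is_valid_scep_subject("OU=Mobile,O=Example"))   # False: no CN
```

Rejecting a subject without a CN at configuration time is preferable to discovering the problem as a failed enrollment on a user's device.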
Create Deployment Policies
Step 1 Create a new policy rule.
1. Select Policies > Policies and click Add.
2. Enter a descriptive Name to identify the policy rule.
Step 2 Specify which mobile device users to deploy this configuration to. Select the Users/HIP Profiles tab and then specify how to determine
Step 4 Arrange the deployment policy rules so that the proper configuration is deployed to each device upon check-in.
• To move a deployment policy rule up on the list of rules, select the rule and click Move Up.
• To move a deployment policy rule down on the list of rules, select the rule and click Move Down.
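The procedure above is illustrated by the following added example, which is not code from the guide or from the Mobile Security Manager. It models deployment policy rules evaluated top-down with first-match semantics (an assumption, consistent with the Move Up / Move Down ordering the guide has you maintain), and shows the ordering mistake that matters in practice: a broad rule listed above a narrower one silently shadows it, so the narrower configuration is never pushed. The rule fields, device attributes and configuration names are assumptions made for illustration.

```python
"""Added example (not from the guide): first-match evaluation of deployment
policy rules and the effect of rule order on what a device receives."""
from dataclasses import dataclass, field


@dataclass
class Device:
    """Attributes a device presents at check-in (constructed sample data)."""
    user: str
    groups: set
    os: str
    tags: set = field(default_factory=set)


@dataclass
class Rule:
    """A deployment policy rule: match criteria plus configurations to push.

    A criterion left as None means "any".
    """
    name: str
    users: set = None          # usernames or group names
    os: str = None             # "iOS" or "Android"
    tags: set = None           # device must carry at least one of these tags
    configurations: list = field(default_factory=list)

    def matches(self, dev):
        if self.users and not ({dev.user} | dev.groups) & self.users:
            return False
        if self.os and dev.os != self.os:
            return False
        if self.tags and not dev.tags & self.tags:
            return False
        return True


def deploy(rules, dev):
    """Return the configurations of the first matching rule, or [] if none."""
    for rule in rules:
        if rule.matches(dev):
            return rule.configurations
    return []


def move_up(rules, name):
    """Equivalent of selecting a rule and clicking Move Up; returns the list."""
    i = next(k for k, r in enumerate(rules) if r.name == name)
    if i > 0:
        rules[i - 1], rules[i] = rules[i], rules[i - 1]
    return rules


# Constructed rule base. "all-ios" sits above the narrower "exec-ios", so an
# executive's iPhone never receives the exec-only VPN configuration.
RULES = [
    Rule("all-ios", os="iOS", configurations=["ios-base"]),
    Rule("exec-ios", users={"executives"}, os="iOS",
         configurations=["ios-base", "ios-exec-vpn"]),
    Rule("android-quarantine", os="Android", tags={"quarantine"},
         configurations=["android-restricted"]),
    Rule("android-all", os="Android", configurations=["android-base"]),
]

EXEC_IPHONE = Device("alice", {"executives", "staff"}, "iOS")
QUARANTINED_ANDROID = Device("bob", {"staff"}, "Android", tags={"quarantine"})


def shadowed_result():
    """What the executive's device gets with the rules in their current order."""
    return deploy(RULES, EXEC_IPHONE)


def fixed_result():
    """What it gets once exec-ios is moved above all-ios."""
    return deploy(move_up(list(RULES), "exec-ios"), EXEC_IPHONE)


if __name__ == "__main__":
    print("before reorder:", shadowed_result())
    print("after reorder: ", fixed_result())
    print("quarantined android:", deploy(RULES, QUARANTINED_ANDROID))
```

The same shadowing applies to the tag-based quarantine rule: place it above the catch-all Android rule, or a device tagged for restriction keeps receiving the normal profile at every hourly check-in.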
Verify the Mobile Security Manager Configuration
After you finish setting up the Mobile Security Manager (configuring the device check-in interface, enabling enrollment, and defining configuration and deployment profiles) and setting up the GlobalProtect portal with the URL for the device check-in interface, you should verify that you can successfully enroll a device and that the Mobile Security Manager profile i
Verify the Mobile Security Manager Configuration (Continued)
Step 3 Enroll the mobile device with the GlobalProtect Mobile Security Manager.
1. When prompted to enroll with the GlobalProtect Mobile Device Management, tap Enroll.
2. When prompted to receive push notifications from GlobalProtect, tap OK.
Step 4 Verify that the expected configuration profiles were pushed to your device.
Step 5 From the Mobile Security Manager, test that push notifications are working.
1. Select Devices and locate and select your device on the list.
2. Click Message, enter text to send to the device in the Message Body text box, and then click OK.
3. Verify that you receive the message on your device.
Set Up Administrative Access to the Mobile Security Manager
By default, the GlobalProtect Mobile Security Manager comes preconfigured with a default administrative account (admin), which provides full read-write access (also known as superuser access) to the appliance. Change the default password before exposing the management interface, and create a named account for each administrator so that configuration changes are attributable to a person rather than to the shared admin account.
Create an Authentication Profile
Step 1 Create a server profile that defines how to connect to the authentication server.
1. Select Setup > Server Profiles and then select the type of authentication service to connect to (LDAP, RADIUS, or Kerberos).
2. Click Add and then enter a Name for the profile.
Step 2 Create an authentication profile.
Step 3 Commit your changes.
Enable Certificate-Based Authentication (Continued)
Step 2 Create the Client Certificate Profile that will be used for securing access to the web interface.
Step 3 Configure the Mobile Security Manager to use the client certificate profile for admin authentication.
Step 4 Create or modify an administrator account to enable client certificate authentication on the account.
Step 6 Save your configuration changes. Click Commit. You will be logged out of the web interface.
Step 7 Import the administrator's client certificate into the web browser of the client that the administrator will use to access the Mobile Security Manager web interface.
Step 8 Log in to the Mobile Security Manager web interface.
Enable SSH (Public-Key Based) Authentication (Continued)
Step 2 Create an account for the administrator and enable public key-based authentication.
1. Select Setup > Administrators and then click Add.
2. Enter a user Name and Password for the administrator. You will need to configure a password.
Create an Administrator Account
Step 1 If you plan to use Admin Role Profiles rather than Dynamic Roles, create the profiles that define what type of access, if
Complete the following steps for each role you want to create:
1. Select Setup > Admin Roles and then click Add.
Step 3 Create an account for each administrator.
1. Select Setup > Administrators and then click Add.
2. Enter a user Name for the administrator.
3. Specify how to authenticate the administrator:
• To use local authentication, enter a Password and then Confirm Password.
• To use external authentication, select an Authentication Profile.
Manage Mobile Devices
After your mobile device users enroll with the GlobalProtect Mobile Security Manager, you can monitor the devices and ensure that they are maintained to your standards for protecting your corporate resources and data integrity.
Group Devices by Tag for Simplified Device Administration
A tag is a text label that you can assign to a managed mobile device to simplify device administration by enabling grouping of devices. The tags you define can be used to identify a group of devices to which to apply similar policies or with which to interact over the air (OTA), for example to push a new policy or send a message.
Create Tags and Assign them to Managed Devices (Continued)
Step 2 Assign tags to managed mobile devices. Note: You can also use this procedure to remove tags from devices, by selecting the tags you want to remove and then clicking Untag.
1. Go to the Devices tab.
3. Select the devices you want to assign the tag to by clicking in the row that corresponds to the device entry.
Import a Batch of Devices (Continued)
Step 2 Import the device list.
1. Go to the Devices tab and click the import icon.
2. Enter the path and name of the CSV or XLS file you created, or Browse to it.
3. Click OK to import the device list and associate the Imported tag with the devices, along with any other tags you defined per device within the file.
Step 3 Verify that the device import was successful.
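The import and tagging behaviour described above, as an added example that is not code from the guide or from the Mobile Security Manager: it parses a device list, rejects rows that lack a device owner so a bad line cannot create an unowned record, applies the Imported tag together with the per-device tags from the file, and then selects and untags devices by tag the way the Devices tab lets you. The column layout (user, device, os, and a semicolon-separated tags column) is an assumption made for illustration; take the real layout from the sample file the product provides. The CSV content is constructed.

```python
"""Added example (not the Mobile Security Manager's importer): parse a device
list, apply the Imported tag and per-device tags, then group devices by tag."""
import csv
import io

# Constructed sample file. Line 4 has no user and must be rejected.
SAMPLE_CSV = """user,device,os,tags
alice,alice-iphone,iOS,executives;vpn
bob,bob-nexus,Android,byod
,orphan-device,Android,
carol,carol-ipad,iOS,
"""

REQUIRED_COLUMNS = ("user", "device", "os")   # assumed column names


def parse_device_list(text):
    """Return (devices, errors). Each device is a dict carrying a set of tags."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"missing columns: {missing}")
    devices, errors = [], []
    for lineno, row in enumerate(reader, start=2):     # line 1 is the header
        if not all((row.get(c) or "").strip() for c in REQUIRED_COLUMNS):
            errors.append(f"line {lineno}: user, device and os are required")
            continue
        tags = {t.strip() for t in (row.get("tags") or "").split(";") if t.strip()}
        tags.add("Imported")                            # tag applied by the import
        devices.append({"user": row["user"].strip(),
                        "device": row["device"].strip(),
                        "os": row["os"].strip(),
                        "tags": tags})
    return devices, errors


def devices_with_tag(devices, tag):
    """Select devices carrying a tag, as you would filter the Devices tab."""
    return [d["device"] for d in devices if tag in d["tags"]]


def untag(devices, names, tag):
    """Remove a tag from the named devices (the Untag action)."""
    for d in devices:
        if d["device"] in names:
            d["tags"].discard(tag)
    return devices


if __name__ == "__main__":
    devs, errs = parse_device_list(SAMPLE_CSV)
    print("rejected:", errs)
    print("imported:", devices_with_tag(devs, "Imported"))
    print("executives:", devices_with_tag(devs, "executives"))
```

Review the rejected lines after every import rather than silently dropping them; a device that failed to import does not receive the tag-based policies you expect it to.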
Monitor Mobile Devices
One of the problems with allowing mobile device access to your corporate resources is the lack of visibility into the state of the devices and the identifying information that is required in order to track down devices that pose a threat to your network and your applications.
Monitor Mobile Devices
• Use the Dashboard for at-a-glance information about managed devices. The Dashboard tab provides a collection of widgets that display
Monitor Mobile Devices (Continued)
• Monitor the MDM logs for information on device activities, such as check-ins, cloud messages, and broadcast of HIP reports to gateways. The MDM log will also alert you to high severity events such as a device reporting a rooted/jailbroken status. From the Mobile Security Manager web interface, select Monitor > Logs > MDM.
• Monitor the HIP Match logs on the Mobile Security Manager. From the Mobile Security Manager web interface, select Monitor > Logs > HIP Match. Click a column header to choose which columns to display.
• Monitor the HIP Match logs on the GlobalProtect gateway. From the web interface on the firewall hosting the GlobalProtect gateway, select Monitor > Logs > HIP Match.
• Monitor the ACC on the firewall hosting the GlobalProtect gateway. From the web interface on the firewall hosting the GlobalProtect gateway, select ACC and view the HIP Matches section. Or, monitor the ACC on Panorama for an aggregated view of HIP match data across all managed GlobalProtect gateways.
Administer Remote Devices
One of the most powerful features of the GlobalProtect Mobile Security Manager is the ability to administer managed devices, wherever they are in the world, by sending push notifications over the air (OTA). For iOS devices, the Mobile Security Manager sends messages over the Apple Push Notification service (APNs). For Android devices, the Mobile Security Manager sends messages over Google Cloud Messaging (GCM).
Perform an Action on a Remote Device (Continued)
Step 2 Select an action. Click one of the buttons at the bottom of the screen to perform the corresponding action on the selected device(s). For example:
• To send a message to the end users who own the selected device(s), click the message icon, enter the Message Body, and then click OK.
Remove Devices
Although end users can manually unenroll from the GlobalProtect Mobile Security Manager directly from the GlobalProtect app, as an administrator you can also unenroll devices OTA. This is useful in cases where an employee has left the company without unenrolling a personal device from the Mobile Security Manager.
Create Security Policies for Mobile Device Traffic Enforcement
The deployment policies you create on the GlobalProtect Mobile Security Manager provide simplified account provisioning for access to your corporate applications for mobile device users.
Create Security Policy for Managed Devices on the GlobalProtect Gateway (Continued)
Step 2 (Optional) On the Mobile Security Manager, define the tags you want to use for security policy enforcement on the gateway and assign them to managed mobile devices. See Group Devices by Tag for Simplified Device Administration for detailed instructions.
Use Host Information in Policy Enforcement
Although you may have stringent security at your corporate network border, your network is really only as secure as the end devices that are accessing it.
About Host Information
One of the jobs of the GlobalProtect agent is to collect information about the host it is running on. The agent then submits this host information to the GlobalProtect gateway upon successfully connecting. The gateway matches the raw host information submitted by the agent against any HIP objects and HIP profiles you have defined. If it finds a match, it generates an entry in the HIP Match log.
Category: Data Collected
Mobile Devices: Identifying information about the mobile device, including the hostname, operating system, and client version.
Patch Management: Information about any patch management software that is enabled and/or installed on the host and whether there are any missing patches.
Firewall: Information about any client firewalls that are installed and/or enabled on the host.
How Does the Gateway Use the Host Information to Enforce Policy?
While the agent learns what information to collect from the client configuration downloaded from the portal, you define which host attributes you are interested in monitoring and/or using for policy enforcement by creating HIP objects and HIP profiles on the gateway(s):
HIP Objects—Provide the matching criteria to filter out the host information you are
You create a HIP profile that matches if the required corporate antivirus and anti-spyware software packages are not installed. In this case, you might want to create a HIP notification message for users who match the HIP profile telling them that they need to install the software (and, optionally, providing a link to the file share where they can access the installer for the corresponding software).
Configure HIP-Based Policy Enforcement
To enable the use of host information in policy enforcement you must complete the following steps. For more information on the HIP feature, see About Host Information.
Enable HIP Checking
Step 1 Verify proper licensing for HIP checks.
Enable HIP Checking (Continued)
Step 3 (Optional) Exclude categories from collection.
1. On the firewall that is hosting your GlobalProtect portal, select Network > GlobalProtect > Portals.
2. Select your portal configuration to open the GlobalProtect Portal dialog.
3. On the Client Configuration tab, select the Client Configuration from which to exclude categories, or click Add to create a new client configuration.
Step 4 Create the HIP objects to filter the raw host data collected by the agents. The best way to determine what HIP objects you need is to determine how you will use the host information you collect to enforce policy. Keep in mind that the HIP objects themselves are merely building blocks that allow you to create the HIP profiles that are used in your security policies.
Step 5 Create the HIP profiles that you plan to use in your policies. When you create your HIP profiles, you can combine the HIP objects you previously created (as well as other HIP profiles) using Boolean logic, so that when a traffic flow is evaluated against the resulting HIP profile it either matches or does not match.
On the gateway(s) that your GlobalProtect users are connecting to, select Monitor > Logs > HIP Match. This log shows all of the matches the gateway identified when evaluating the raw HIP data reported by the agents against the defined HIP objects and HIP profiles.
Step 9 Create the HIP-enabled security rules on your gateway(s). Add the HIP profiles to your security rules:
1. Select Policies > Security and select the rule to which you want to add a HIP profile.
As a best practice, you should create your security rules and test that they match the expected flows based on the source and destination criteria before
Step 10 Define the notification messages end users will see when a security rule with a HIP profile is enforced.
1. On the firewall that is hosting your GlobalProtect gateway(s), select Network > GlobalProtect > Gateways.
2. Select a previously-defined gateway configuration to open the GlobalProtect Gateway dialog.
Step 11 Verify that your HIP profiles are working as expected. You can monitor what traffic is hitting your HIP-enabled policies using the Traffic log as follows:
1. From the gateway, select Monitor > Logs > Traffic.
2. Filter the log to display only traffic that matches the rule that has the HIP profile you are interested in monitoring attached.
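The Enable HIP Checking procedure above, and the matching Create HIP Objects and HIP Profiles procedure in the Mobile Security Manager chapter, describe the same three-layer model: HIP objects filter the raw host report, HIP profiles combine objects (and other profiles) with Boolean logic into a match/no-match result, and security rules carry HIP profiles and are enforced only when one matches. The following added example, which is not code from the guide or from PAN-OS, models that evaluation over constructed host reports and shows what the HIP Match log and the rule outcome would be for each. The report field names, object criteria, profile names and rule layout are assumptions made for illustration, not the product's schema. One caveat worth keeping in mind when you build rules this way: the host report is self-reported by the agent, so HIP is a compliance signal, not an authentication control.

```python
"""Added example (not from the guide): HIP objects, Boolean HIP profiles and
HIP-enabled security rules evaluated against constructed host reports."""
from dataclasses import dataclass, field

# Constructed raw host reports (field names assumed for illustration).
REPORTS = {
    "laptop-ok": {
        "os": "Windows 10", "antivirus": {"installed": True, "rtp": True},
        "disk_encryption": {"state": "encrypted"}, "missing_patches": 0,
    },
    "laptop-stale": {
        "os": "Windows 10", "antivirus": {"installed": True, "rtp": False},
        "disk_encryption": {"state": "encrypted"}, "missing_patches": 4,
    },
    "phone-rooted": {
        "os": "Android 4.4", "mobile": {"jailbroken": True, "tags": ["byod"]},
    },
}


@dataclass
class HIPObject:
    """Matching criteria: every (dotted path, expected value) must hold."""
    name: str
    criteria: dict

    def matches(self, report):
        for path, expected in self.criteria.items():
            node = report
            for key in path.split("."):
                if not isinstance(node, dict) or key not in node:
                    return False        # attribute not reported: no match
                node = node[key]
            if node != expected:
                return False
        return True


@dataclass
class HIPProfile:
    """Boolean combination of objects and other profiles.

    match_all is ANDed; none_of is negated (NOT). Either may hold objects or
    profiles, which is how a profile can be built from other profiles.
    """
    name: str
    match_all: list = field(default_factory=list)
    none_of: list = field(default_factory=list)

    def matches(self, report):
        return (all(m.matches(report) for m in self.match_all)
                and not any(m.matches(report) for m in self.none_of))


AV_RUNNING = HIPObject("av-running", {"antivirus.installed": True, "antivirus.rtp": True})
ENCRYPTED = HIPObject("disk-encrypted", {"disk_encryption.state": "encrypted"})
PATCHED = HIPObject("fully-patched", {"missing_patches": 0})
JAILBROKEN = HIPObject("jailbroken", {"mobile.jailbroken": True})

COMPLIANT = HIPProfile("compliant", match_all=[AV_RUNNING, ENCRYPTED, PATCHED])
NON_COMPLIANT = HIPProfile("non-compliant", none_of=[COMPLIANT])   # NOT compliant
ROOTED_MOBILE = HIPProfile("rooted-mobile", match_all=[JAILBROKEN])
PROFILES = [COMPLIANT, NON_COMPLIANT, ROOTED_MOBILE]

# Security rules carrying HIP profiles, evaluated top-down, first match wins.
# Source/destination/application criteria are omitted for brevity.
RULES = [
    ("deny", "block-rooted", [ROOTED_MOBILE]),
    ("allow", "internal-apps", [COMPLIANT]),
    ("allow", "remediation-only", [NON_COMPLIANT]),
]


def hip_match_log(report):
    """Names of every profile that matched, as the HIP Match log would record."""
    return [p.name for p in PROFILES if p.matches(report)]


def enforce(report):
    """Return (action, rule name) of the first rule whose HIP profile matches."""
    for action, name, profiles in RULES:
        if any(p.matches(report) for p in profiles):
            return action, name
    return "deny", "default"


if __name__ == "__main__":
    for host, report in REPORTS.items():
        print(host, hip_match_log(report), enforce(report))
```

Note that a missing attribute is treated as a non-match, which is why the rooted phone (which reports no antivirus data at all) falls into the non-compliant profile rather than the compliant one; if you build the negated profile the other way round, a host that reports nothing could be treated as compliant.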
GlobalProtect Quick Configs
The following sections provide step-by-step instructions for configuring some common GlobalProtect deployments:
• Remote Access VPN (Authentication Profile)
• Remote Access VPN (Certificate Profile)
• Remote Access VPN with Two-Factor Authentication
• Always On VPN Configuration
• Remote Access VPN with Pre-Logon
• GlobalProtect Multiple Gateway Configuration
• GlobalProtect for Internal HIP Checking and User-Based Access
• Mixed Internal and External Gateway Confi
Remote Access VPN (Authentication Profile)
In the Figure: GlobalProtect VPN for Remote Access, the GlobalProtect portal and gateway are both configured on ethernet1/2, and this is the physical interface where GlobalProtect clients connect.
Quick Config: VPN Remote Access (Continued)
Step 2 Create a security policy to enable traffic flow between the corp-vpn zone and the l3-trust zone to enable access to your internal resources.
1. Select Policies > Security and then click Add to add a new rule.
Step 5 Create an authentication profile. Attach the server profile to an authentication profile: Device > Authentication Profile.
Step 6 Configure a GlobalProtect Gateway. Select Network > GlobalProtect > Gateways and add the following configuration:
Interface—ethernet1/2
IP Address—199.21.7.42
Server Certificate—GP-server-cert.
Remote Access VPN (Certificate Profile)
When authenticating users with certificate authentication, the client must present a unique client certificate that identifies the end user in order to connect to GlobalProtect.
Quick Config: VPN Remote Access with Client Certificate Authentication (Continued)
Step 2 Create a security policy to enable traffic flow between the corp-vpn zone and the l3-trust zone to enable access to your internal resources.
1. Select Policies > Security and then click Add to add a new rule.
Step 7 Configure the GlobalProtect Portal. Select Network > GlobalProtect > Portals and add the following configuration:
1. Set Up Access to the Portal:
Interface—ethernet1/2
IP Address—199.21.7.42
Server Certificate—GP-server-cert.pem issued by Go Daddy
Certificate Profile—GP-client-cert
Remote Access VPN with Two-Factor Authentication

When you configure a GlobalProtect portal and/or gateway with both an authentication profile and a certificate profile (called two-factor authentication), the end user will be required to successfully authenticate to both before being allowed access.
Quick Config: VPN Remote Access with Two-Factor Authentication

Step 1 • Select Network > Interfaces > Ethernet and configure ethernet1/2 as a Layer 3 Ethernet interface with IP address 199.21.7.42 and assign it to the l3-untrust security zone and the default virtual router. Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.
Quick Config: VPN Remote Access with Two-Factor Authentication (Continued)

Step 5 Create a client certificate profile.
1. Select Device > Certificate Management > Certificate Profile, click Add and enter a profile Name such as GP-client-cert.
Quick Config: VPN Remote Access with Two-Factor Authentication (Continued)

Step 8 Configure a GlobalProtect Gateway. See the topology diagram shown in Figure: GlobalProtect VPN for Remote Access. Select Network > GlobalProtect > Gateways and add the following configuration: Interface—ethernet1/2 IP Address—199.21.7.42 Server Certificate—GP-server-cert.
Always On VPN Configuration

In an “always on” GlobalProtect configuration, the agent connects to the GlobalProtect portal upon user logon to submit user and host information and receive the client configuration. It then automatically establishes the VPN tunnel to the gateway specified in the client configuration delivered by the portal without end user intervention as shown in the following illustration.
Remote Access VPN with Pre-Logon

The GlobalProtect pre-logon connect method is a feature that enables GlobalProtect to authenticate the agent and establish the VPN tunnel to the GlobalProtect gateway using a pre-installed machine certificate before the user has logged in. Because the tunnel is already established, domain scripts can be executed when the user logs in instead of using cached credentials.
This example uses the GlobalProtect topology shown in Figure: GlobalProtect VPN for Remote Access.

Quick Config: Remote Access VPN with Pre-Logon

Step 1 • Select Network > Interfaces > Ethernet and configure ethernet1/2 as a Layer 3 Ethernet interface with IP address 199.21.7.42 and assign it to the l3-untrust security zone and the default virtual router. Use the default virtual router for all interface configurations.
Quick Config: Remote Access VPN with Pre-Logon (Continued)

Step 5 Import the trusted root CA certificate from the CA that issued the machine certificates onto the portal and gateway(s).
1. Download the CA certificate in Base64 format.
2. Import the certificate onto each firewall hosting a portal or gateway as follows:
a. Select Device > Certificate Management > Certificates > Device Certificates and click Import.
Quick Config: Remote Access VPN with Pre-Logon (Continued)

Step 8 Configure the GlobalProtect Portal. Select Network > GlobalProtect > Portals and add the following configuration:
GlobalProtect Multiple Gateway Configuration

In Figure: GlobalProtect Multiple Gateway Topology, a second external gateway has been added to the configuration. Multiple gateways are supported in all of the preceding example configurations. Additional steps include installing a GlobalProtect portal license to enable use of multiple gateways and the configuration of the second firewall as a GlobalProtect gateway.
Quick Config: GlobalProtect Multiple Gateway Configuration

Step 1 Create Interfaces and Zones for GlobalProtect. In this configuration, you must set up interfaces on each firewall hosting a gateway. On the firewall hosting the portal/gateway (gw1):
• Select Network > Interfaces > Ethernet and configure ethernet1/2 as a Layer 3 Ethernet interface with IP address 198.51.100.
Quick Config: GlobalProtect Multiple Gateway Configuration (Continued)

Step 5 Obtain server certificates for the interfaces hosting your GlobalProtect portal and each of your GlobalProtect gateways using the following recommendations:
• (On the firewall hosting the portal or portal/gateway) Import a server certificate from a well-known, third-party CA.
Quick Config: GlobalProtect Multiple Gateway Configuration (Continued)

Step 7 Configure the GlobalProtect Portal. Select Network > GlobalProtect > Portals and add the following configuration:
1. Set Up Access to the Portal: Interface—ethernet1/2 IP Address—198.51.100.42 Server Certificate—GP1-server-cert.pem issued by Go Daddy
GlobalProtect for Internal HIP Checking and User-Based Access

When used in conjunction with User-ID and/or HIP checks, an internal gateway can be used to provide a secure, accurate method of identifying and controlling traffic by user and/or device state, replacing other network access control (NAC) services.
Quick Config: GlobalProtect Internal Gateway Configuration

Step 1 In this configuration, you must set up interfaces on each firewall hosting a portal/gateway. On each firewall hosting a portal/gateway:
1. Select an Ethernet port to host the portal/gateway and then configure a Layer 3 interface with an IP address in the l3-trust security zone (Network > Interfaces > Ethernet).
Quick Config: GlobalProtect Internal Gateway Configuration (Continued)

Step 4 Define how you will authenticate users to the portal and the gateways. You can use any combination of certificate profiles and/or authentication profiles as necessary to ensure the security of your portal and gateways. Portals and individual gateways can also use different authentication schemes.
Quick Config: GlobalProtect Internal Gateway Configuration (Continued)

Step 6 Configure the internal gateways.
Quick Config: GlobalProtect Internal Gateway Configuration (Continued)

Step 9 Create the HIP-enabled and/or user/group-based security rules on your gateway(s). Add the following security rules for this example:
1. Select Policies > Security and click Add.
2. On the Source tab, set the Source Zone to l3-trust.
3. On the User tab, add the HIP profile and user/group to match.
Mixed Internal and External Gateway Configuration

In a GlobalProtect mixed internal and external gateway configuration, you configure separate gateways for VPN access and for access to your sensitive internal resources. With this configuration, agents perform internal host detection to determine if they are on the internal or external network.
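The internal host detection the paragraph above relies on works as a reverse DNS check: the agent is configured with one internal IP address and the hostname that address must resolve to, sends a PTR query for the address, and treats itself as internal only when the answer is the expected name. The following is an added example that models that decision offline; it is not GlobalProtect agent code or anything from this guide. The resolver tables, the address 10.10.20.5, the name gp-ihd.acme.com and the gateway names other than gp.acme.com are constructed for the example.

```python
"""Internal host detection, modelled offline.

Added example for this guide, not code from GlobalProtect or Palo Alto Networks.
The agent is configured with one internal IP address and the hostname that
address must resolve to. It sends a reverse DNS (PTR) query for the address;
only if the answer equals the expected hostname does it treat itself as being
on the internal network. The resolver tables, the address 10.10.20.5 and the
name gp-ihd.acme.com are constructed for the example.
"""
import ipaddress
from typing import Callable, Dict, List, Optional

PtrLookup = Callable[[str], Optional[str]]  # qname -> PTR target, or None if no record


def ptr_name(ip: str) -> str:
    """10.10.20.5 -> '5.20.10.10.in-addr.arpa'; an IPv6 address gives an ip6.arpa name."""
    return ipaddress.ip_address(ip).reverse_pointer


def detect_location(internal_ip: str, expected_host: str, lookup: PtrLookup) -> str:
    """Return 'internal' or 'external'. Every failure path is 'external', so a
    client that cannot reach the corporate resolver still builds the VPN tunnel."""
    try:
        answer = lookup(ptr_name(internal_ip))
    except Exception:  # resolver unreachable, timeout, SERVFAIL ...
        return "external"
    if answer is None:  # NXDOMAIN / no PTR record for the address
        return "external"
    if answer.rstrip(".").lower() == expected_host.rstrip(".").lower():
        return "internal"
    return "external"


def choose_gateways(location: str, internal: List[str], external: List[str]) -> List[str]:
    """Internal clients use the internal gateways (no tunnel); external clients
    use the external gateways delivered by the portal and build the VPN."""
    return internal if location == "internal" else external


def table_resolver(table: Dict[str, str]) -> PtrLookup:
    """Build a resolver from a constructed PTR table (qname -> target)."""
    return lambda qname: table.get(qname)


def unreachable_resolver(qname: str) -> Optional[str]:
    """Models a client with no working resolver at all."""
    raise TimeoutError("resolver unreachable")


INTERNAL_IP, EXPECTED_HOST = "10.10.20.5", "gp-ihd.acme.com"
CORP_DNS = table_resolver({"5.20.10.10.in-addr.arpa": "gp-ihd.acme.com."})
PUBLIC_DNS = table_resolver({})  # coffee-shop resolver: no PTR for a private address
# An attacker who controls the local network's DNS can return the same answer.
ROGUE_DNS = table_resolver({"5.20.10.10.in-addr.arpa": "gp-ihd.acme.com."})

if __name__ == "__main__":
    for label, dns in [("corporate LAN", CORP_DNS), ("public Wi-Fi", PUBLIC_DNS),
                       ("rogue network", ROGUE_DNS), ("no resolver", unreachable_resolver)]:
        loc = detect_location(INTERNAL_IP, EXPECTED_HOST, dns)
        gws = choose_gateways(loc, ["gw-internal.acme.com"], ["gp.acme.com"])
        print(f"{label:14} -> {loc:8} gateways={gws}")
```

The rogue-network case is the caveat a practitioner should keep in mind: the PTR answer is not authenticated, so a network that spoofs it keeps the agent in internal mode and no tunnel is built. Internal gateways must therefore still enforce authentication and HIP checks on their own, and the address used for detection should be one that only the internal resolvers can answer for.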
Quick Config: GlobalProtect Mixed Internal & External Gateway Configuration

Step 1 Create Interfaces and Zones for GlobalProtect. In this configuration, you must set up interfaces on each firewall hosting a gateway. On the firewall hosting the portal/gateway (gp.acme.com):
• Select Network > Interfaces > Ethernet and configure ethernet1/2 as a Layer 3 Ethernet interface with IP address 198.51.100.
Quick Config: GlobalProtect Mixed Internal & External Gateway Configuration (Continued)

Step 2 Purchase and install a GlobalProtect Portal license on the firewall hosting the portal, and GlobalProtect gateway subscriptions on each firewall hosting a gateway (internal and external).
Quick Config: GlobalProtect Mixed Internal & External Gateway Configuration (Continued)

Step 5 Create the HIP profiles you will need to enforce security policy on gateway access. See Use Host Information in Policy Enforcement for more information on HIP matching.
1. Create the HIP objects to filter the raw host data collected by the agents.
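The chain this step starts (HIP objects filter the agent's raw host data, HIP profiles combine the objects, and the security rules of Step 9 in the internal gateway configuration match on a HIP profile and a user or group, alongside the plain corp-vpn to l3-trust rule of Step 2 in the remote access configurations) is easier to reason about as a small model. The following is an added example written for this guide, not PAN-OS code or anything the guide ships; the object and profile names, the finance and engineering groups, and the host attributes are constructed. It also shows a PAN-OS default a practitioner must account for: traffic that matches no explicit rule is allowed within a zone and denied between zones.

```python
"""Model of HIP objects, HIP profiles and HIP/user-based security rules.

Added example for this guide, not code from PAN-OS or Palo Alto Networks.
Object names, profile names, groups and the host attributes the agent reports
are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

HostData = Dict[str, object]

# HIP objects: each filters the raw host data the agent submits into one
# named yes/no check.
HIP_OBJECTS: Dict[str, Callable[[HostData], bool]] = {
    "av-running": lambda h: bool(h.get("antivirus_installed"))
    and bool(h.get("antivirus_realtime")),
    "disk-encrypted": lambda h: h.get("disk_encryption") == "encrypted",
    "managed-os": lambda h: str(h.get("os", "")).startswith(("Windows", "macOS")),
}

# HIP profiles: boolean combinations of HIP objects. A host can match several
# profiles, or none at all.
HIP_PROFILES: Dict[str, Callable[[Dict[str, bool]], bool]] = {
    "compliant": lambda o: o["managed-os"] and o["av-running"] and o["disk-encrypted"],
    "not-compliant": lambda o: o["managed-os"] and not (o["av-running"] and o["disk-encrypted"]),
}


def matched_profiles(host: HostData) -> FrozenSet[str]:
    """Evaluate every HIP object, then return the profiles the host satisfies."""
    objects = {name: check(host) for name, check in HIP_OBJECTS.items()}
    return frozenset(p for p, expr in HIP_PROFILES.items() if expr(objects))


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    action: str                                # "allow" or "deny"
    groups: Optional[FrozenSet[str]] = None    # None = any user
    hip: Optional[FrozenSet[str]] = None       # None = any host; else any listed profile


@dataclass
class Session:
    from_zone: str
    to_zone: str
    user: str
    groups: FrozenSet[str]   # groups User-ID maps the user to
    host: HostData           # HIP report from the agent


def rule_matches(rule: Rule, s: Session) -> bool:
    if (rule.from_zone, rule.to_zone) != (s.from_zone, s.to_zone):
        return False
    if rule.groups is not None and not (rule.groups & s.groups):
        return False
    if rule.hip is not None and not (rule.hip & matched_profiles(s.host)):
        return False
    return True


def evaluate(rules: List[Rule], s: Session) -> Tuple[str, str]:
    """First matching rule wins; otherwise the PAN-OS defaults apply:
    traffic within one zone is allowed, traffic between zones is denied."""
    for rule in rules:
        if rule_matches(rule, s):
            return rule.name, rule.action
    if s.from_zone == s.to_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


RULES: List[Rule] = [
    # Remote access, Step 2: VPN users reach internal resources.
    Rule("vpn-to-trust", "corp-vpn", "l3-trust", "allow"),
    # Internal gateway, Step 9: finance users on compliant hosts only.
    Rule("finance-compliant", "l3-trust", "l3-trust", "allow",
         groups=frozenset({"finance"}), hip=frozenset({"compliant"})),
    # Explicit deny, because the intrazone default would otherwise allow.
    Rule("quarantine-noncompliant", "l3-trust", "l3-trust", "deny",
         hip=frozenset({"not-compliant"})),
]

# Constructed HIP reports.
COMPLIANT_HOST: HostData = {"os": "Windows 10", "antivirus_installed": True,
                            "antivirus_realtime": True, "disk_encryption": "encrypted"}
UNENCRYPTED_HOST: HostData = dict(COMPLIANT_HOST, disk_encryption="none")
LINUX_HOST: HostData = {"os": "Ubuntu 22.04"}  # matches no profile at all

if __name__ == "__main__":
    cases = [
        ("remote user", Session("corp-vpn", "l3-trust", "bob", frozenset({"engineering"}), COMPLIANT_HOST)),
        ("finance, compliant", Session("l3-trust", "l3-trust", "alice", frozenset({"finance"}), COMPLIANT_HOST)),
        ("finance, unencrypted", Session("l3-trust", "l3-trust", "alice", frozenset({"finance"}), UNENCRYPTED_HOST)),
        ("engineering, Linux", Session("l3-trust", "l3-trust", "bob", frozenset({"engineering"}), LINUX_HOST)),
    ]
    for label, s in cases:
        print(f"{label:22} -> {evaluate(RULES, s)}")
```

The last case is the one to watch: a host that matches no HIP profile and a user in no listed group fall through every explicit rule, and because the internal gateway sits in the same l3-trust zone as the resources, the intrazone default allows the traffic. Close that gap with a final explicit deny for l3-trust to l3-trust (or by changing the default intrazone rule's action) rather than relying on the HIP rules alone.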
Quick Config: GlobalProtect Mixed Internal & External Gateway Configuration (Continued)

Step 7 Configure the GlobalProtect Portal. Select Network > GlobalProtect > Portals and add the following configuration: