148 GlobalProtect Administrator’s Guide
Remote Access VPN (Certificate Profile) GlobalProtect Quick Configs
Step 2 Create a security policy to enable traffic flow between the corp-vpn zone and the l3-trust zone, so that remote users can reach your internal resources.
  1. Select Policies > Security and then click Add to add a new rule.
  2. For this example, you would define the rule with the following settings:
     • Name—VPN Access
     • Source Zone—corp-vpn
     • Destination Zone—l3-trust
Step 3 Obtain a server certificate for the interface hosting the GlobalProtect portal and gateway using one of the following methods:
  • (Recommended) Import a server certificate from a well-known, third-party CA.
  • Generate a self-signed server certificate.
Select Device > Certificate Management > Certificates to manage certificates as follows:
  • Obtain a server certificate. Because the portal and gateway are on the same interface, the same server certificate can be used for both components.
  • The CN of the certificate must match the FQDN, gp.acme.com.
  • To enable clients to connect to the portal without receiving certificate errors, use a server certificate from a public CA.
Step 4 Issue client certificates to GlobalProtect users/machines.
  1. Use your enterprise PKI or a public CA to issue a unique client certificate to each GlobalProtect user.
  2. Install the certificates in the personal certificate store on the client systems.
Step 5 Create a client certificate profile.
  1. Select Device > Certificate Management > Certificate Profile, click Add and enter a profile Name such as GP-client-cert.
  2. Select Subject from the Username Field drop-down.
  3. Click Add in the CA Certificates section, select the CA Certificate that issued the client certificates, and click OK twice.
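The following script is an added example for Steps 3 and 5; it is not part of the guide and is not Palo Alto Networks code. It assumes openssl 1.1.1 or later is on the PATH, builds a throwaway test CA, issues a client certificate for a constructed user (jdoe) and a self-signed server certificate for gp.acme.com, and then runs the two checks an administrator wants before cutover: that each client certificate chains to the CA selected in the certificate profile (otherwise the firewall rejects the login), what value the profile's Username Field = Subject setting will extract (the subject CN), and that the server certificate is valid for the FQDN clients connect to. The CA name, organisation, username and file paths are placeholders for the example.

```shell
#!/bin/sh
# Added example, not from the GlobalProtect guide: openssl checks for the
# server certificate (Step 3) and the client certificate profile (Step 5).
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# --- Constructed test PKI (placeholder names, not a real enterprise CA) ---
# Enterprise CA that issues the client certificates.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/O=Example Corp/CN=Example Enterprise CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# Client certificate for the constructed user "jdoe", issued by that CA
# (the kind of certificate Step 4 installs in the user's personal store).
openssl req -new -newkey rsa:2048 -nodes \
    -subj "/O=Example Corp/CN=jdoe" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
openssl x509 -req -days 2 -in "$WORK/client.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/client.pem" >/dev/null 2>&1

# Self-signed server certificate for the portal/gateway interface (Step 3,
# second method). CN and SAN both carry the FQDN named in the guide.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/O=Example Corp/CN=gp.acme.com" \
    -addext "subjectAltName=DNS:gp.acme.com" \
    -keyout "$WORK/server.key" -out "$WORK/server.pem" >/dev/null 2>&1

# Subject CN of a certificate: the value a certificate profile configured
# with Username Field = Subject hands to the firewall as the username.
subject_cn() {   # $1 = certificate file
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Step 5 check: the client certificate must chain to the CA selected in the
# profile's CA Certificates list; a certificate from any other issuer fails.
chains_to_ca() {   # $1 = client certificate, $2 = CA certificate
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Step 3 check: the server certificate must be valid for the FQDN clients
# connect to. -verify_hostname also honours the SAN, which current clients
# require in addition to the CN rule stated in the guide. The certificate is
# passed as its own trust anchor because it is self-signed here.
valid_for_fqdn() {   # $1 = server certificate, $2 = FQDN
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# --- Stand-alone report ---
if chains_to_ca "$WORK/client.pem" "$WORK/ca.pem"; then
    echo "client cert chains to the profile CA; username from Subject: $(subject_cn "$WORK/client.pem")"
else
    echo "client cert was not issued by the profile CA; GlobalProtect would reject it"
fi
if valid_for_fqdn "$WORK/server.pem" gp.acme.com; then
    echo "server cert is valid for gp.acme.com (CN: $(subject_cn "$WORK/server.pem"))"
else
    echo "server cert does not match gp.acme.com; clients will see certificate errors"
fi
```

Point chains_to_ca at a real client certificate and the CA you selected in the profile to reproduce the issuer check the firewall performs; if it fails, the login will fail regardless of the username. For a server certificate from a public CA, replace the -CAfile argument in valid_for_fqdn with the public CA bundle rather than the certificate itself.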
Step 6 Configure a GlobalProtect Gateway.
See the topology diagram shown in Figure: GlobalProtect VPN for Remote Access.
Select Network > GlobalProtect > Gateways and add the following configuration:
  • Interface—ethernet1/2
  • IP Address—199.21.7.42
  • Server Certificate—GP-server-cert.pem issued by Go Daddy
  • Certificate Profile—GP-client-cert
  • Tunnel Interface—tunnel.2
  • IP Pool—10.31.32.3 - 10.31.32.118
Quick Config: VPN Remote Access with Client Certificate Authentication (Continued)