Hardware reference guide

GlobalProtect Administrator’s Guide
GlobalProtect Quick Configs: GlobalProtect Multiple Gateway Configuration
Step 4 Obtain server certificates for the interfaces hosting your GlobalProtect portal and each of your GlobalProtect gateways using the following recommendations:
- (On the firewall hosting the portal or portal/gateway) Import a server certificate from a well-known, third-party CA.
- (On a firewall hosting only a gateway) Generate a self-signed server certificate.

On each firewall hosting a portal/gateway or gateway, select Device > Certificate Management > Certificates to manage certificates as follows:
- Obtain a server certificate for the portal/gw1. Because the portal and the gateway are on the same interface, you must use the same server certificate. The CN of the certificate must match the FQDN, gp1.acme.com. To enable clients to connect to the portal without receiving certificate errors, use a server certificate from a public CA.
- Obtain a server certificate for the interface hosting gw2. Because this interface hosts a gateway only, you can use a self-signed certificate. The CN of the certificate must match the FQDN, gp2.acme.com.

Step 5 Define how you will authenticate users to the portal and the gateways.

You can use any combination of certificate profiles and/or authentication profiles as necessary to ensure the security for your portal and gateways. Portals and individual gateways can also use different authentication schemes. See the following sections for step-by-step instructions:
- Set Up External Authentication (authentication profile)
- Set Up Client Certificate Authentication (certificate profile)
- Set up Two-Factor Authentication (token- or OTP-based)

You will then need to reference the certificate profile and/or authentication profiles you defined in the portal and gateway configurations you define.

Step 6 Configure the gateways.

This example shows the configuration for gp1 and gp2 shown in Figure: GlobalProtect Multiple Gateway Topology. See Configure a GlobalProtect Gateway for step-by-step instructions on creating the gateway configurations.

On the firewall hosting gp1, configure the gateway settings as follows:
Select Network > GlobalProtect > Gateways and add the following configuration:
- Interface: ethernet1/2
- IP Address: 198.51.100.42
- Server Certificate: GP1-server-cert.pem issued by Go Daddy
- Tunnel Interface: tunnel.2
- IP Pool: 10.31.32.3 - 10.31.32.118

On the firewall hosting gp2, configure the gateway settings as follows:
Select Network > GlobalProtect > Gateways and add the following configuration:
- Interface: ethernet1/2
- IP Address: 192.0.2.4
- Server Certificate: self-signed certificate, GP2-server-cert.pem
- Tunnel Interface: tunnel.1
- IP Pool: 10.31.33.3 - 10.31.33.118

Quick Config: GlobalProtect Multiple Gateway Configuration (Continued)
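
The Step 4 certificate rules (the CN matches the FQDN, the portal certificate is not self-signed, and a portal and gateway on one interface share a certificate) can be checked against an inventory built from the Step 6 settings. The Python below is an added example, not part of the guide or of any Palo Alto Networks tooling; the inventory layout, the firewall labels fw1/fw2, the issuer name and the decoded-certificate shape (modelled on what Python's ssl.SSLSocket.getpeercert() returns) are assumptions.

```python
# Added example: audits the three Step 4 certificate rules. All data is constructed.
from collections import defaultdict

def rdn(name, key):
    """First value of `key` in a name shaped like ssl getpeercert() output."""
    return next((v for part in name for k, v in part if k == key), None)

def audit(components, certs):
    """Return a list of findings for the given portal/gateway components."""
    findings, by_interface = [], defaultdict(set)
    for c in components:
        cert = certs[c["cert"]]
        by_interface[(c["firewall"], c["interface"])].add(c["cert"])
        cn = rdn(cert["subject"], "commonName")
        # Rule: the CN of the certificate must match the FQDN.
        if cn is None or cn.lower() != c["fqdn"].lower():
            findings.append(f'{c["name"]}: CN {cn!r} does not match {c["fqdn"]}')
        # Rule: the portal needs a CA-issued certificate. subject == issuer is
        # used as the self-signed test (a heuristic; no signature is verified).
        if c["role"] == "portal" and cert["subject"] == cert["issuer"]:
            findings.append(f'{c["name"]}: portal certificate is self-signed')
    # Rule: a portal and gateway on the same interface use the same certificate.
    for (fw, iface), names in sorted(by_interface.items()):
        if len(names) > 1:
            findings.append(f"{fw}/{iface}: multiple certificates {sorted(names)}")
    return findings

def dn(cn):
    return ((("commonName", cn),),)

# Constructed inventory: issuer name and firewall labels are placeholders.
CERTS = {
    "GP1-server-cert.pem": {"subject": dn("gp1.acme.com"), "issuer": dn("Example Public CA")},
    "GP2-server-cert.pem": {"subject": dn("gp2.acme.com"), "issuer": dn("gp2.acme.com")},
}
GOOD = [
    {"name": "portal", "role": "portal", "firewall": "fw1", "interface": "ethernet1/2",
     "fqdn": "gp1.acme.com", "cert": "GP1-server-cert.pem"},
    {"name": "gw1", "role": "gateway", "firewall": "fw1", "interface": "ethernet1/2",
     "fqdn": "gp1.acme.com", "cert": "GP1-server-cert.pem"},
    {"name": "gw2", "role": "gateway", "firewall": "fw2", "interface": "ethernet1/2",
     "fqdn": "gp2.acme.com", "cert": "GP2-server-cert.pem"},
]
# Misconfigured variant: the portal is pointed at gw2's self-signed certificate.
BAD = [dict(GOOD[0], cert="GP2-server-cert.pem")] + GOOD[1:]

if __name__ == "__main__":
    for label, inventory in (("good", GOOD), ("bad", BAD)):
        print(label, audit(inventory, CERTS) or "no findings")
```

The misconfigured variant trips all three rules at once: CN mismatch, self-signed portal certificate, and two certificates on one interface.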