GlobalProtect Administrator's Guide
GlobalProtect Quick Configs: GlobalProtect for Internal HIP Checking and User-Based Access

Quick Config: GlobalProtect Internal Gateway Configuration
Step 1. Create interfaces and zones for GlobalProtect.

In this configuration, you must set up interfaces on each firewall hosting a portal and/or a gateway. Because this configuration uses internal gateways only, you must configure the portal and the gateways on interfaces on the internal network.

Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.

On each firewall hosting a portal/gateway:
1. Select an Ethernet port to host the portal/gateway and then configure a Layer3 interface with an IP address in the l3-trust security zone (Network > Interfaces > Ethernet).
2. Enable User Identification on the l3-trust zone. User-ID must be enabled on the zone that the gateway interface belongs to; otherwise the user-to-IP mappings the gateway learns from GlobalProtect logins are not available for user-based security policy.
Step 2. Purchase and install a GlobalProtect Portal license on the firewall hosting the portal, and a GlobalProtect Gateway subscription on each firewall hosting an internal gateway. Both are required to enable an internal gateway configuration and to enable HIP checks.

After you purchase the portal license and receive your activation code, install the license on the firewall hosting the portal as follows:
1. Select Device > Licenses.
2. Select Activate feature using authorization code.
3. When prompted, enter the Authorization Code and then click OK.
4. Verify that the license was successfully activated.

Repeat the activation on each firewall hosting an internal gateway, using that firewall's gateway subscription code.

Contact your Palo Alto Networks Sales Engineer or Reseller if you do not have the required licenses. For more information on licensing, see About GlobalProtect Licenses.
Step 3. Obtain server certificates for the GlobalProtect portal and each GlobalProtect gateway.

In order to connect to the portal for the first time, the end clients must trust the root CA certificate used to issue the portal server certificate. You can either use a self-signed certificate on the portal and deploy the root CA certificate to the end clients before the first portal connection, or obtain a server certificate for the portal from a trusted CA. A client that does not trust the issuing root CA cannot validate the portal's certificate and the first connection fails, so a portal certificate from a well-known third-party CA is the simpler option when you cannot pre-stage the root CA on every client.

You can use self-signed certificates on the gateways. "Self-signed" here means a certificate issued by a root CA that you create on the firewall; the clients must trust that root CA as well, since the agent validates the gateway's server certificate before establishing the connection.

The recommended workflow is as follows:
1. On the firewall hosting the portal:
   a. Import a server certificate from a well-known, third-party CA.
   b. Create the root CA certificate for issuing self-signed certificates for the GlobalProtect components.
   c. Generate a self-signed server certificate. Repeat this step for each gateway.
2. On each firewall hosting an internal gateway:
   a. Deploy the self-signed server certificates.