Hardware reference guide

GlobalProtect Administrator’s Guide
Mixed Internal and External Gateway Configuration GlobalProtect Quick Configs
Step 2 Purchase and install a GlobalProtect Portal license on the firewall hosting the portal and gateway subscriptions for each firewall hosting a gateway (internal and external).
After you purchase the portal license and gateway subscriptions and
receive your activation code, install the license on the firewall hosting
the portal and install the gateway subscriptions on the firewalls
hosting your gateways as follows:
1. Select Device > Licenses.
2. Select Activate feature using authorization code.
3. When prompted, enter the Authorization Code and then click OK.
4. Verify that the license and subscriptions were successfully activated.
Contact your Palo Alto Networks Sales Engineer or Reseller if you
do not have the required licenses. For more information on licensing,
see About GlobalProtect Licenses.
Step 3 Obtain server certificates for the GlobalProtect portal and each GlobalProtect gateway.
In order to connect to the portal for the first time, the end clients must trust the root CA certificate used to issue the portal server certificate.
You can use self-signed certificates on the gateways and deploy the root CA certificate to the agents in the client configuration. The best practice is to generate all of the certificates on the firewall hosting the portal and deploy them to the gateways.
The recommended workflow is as follows:
1. On the firewall hosting the portal:
   a. Import a server certificate from a well-known, third-party CA.
   b. Create the root CA certificate for issuing self-signed certificates for the GlobalProtect components.
   c. Generate a self-signed server certificate. Repeat this step for each gateway.
2. On each firewall hosting a gateway:
   a. Deploy the self-signed server certificates.
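The trust relationship in Step 3 can be checked offline before the gateway certificates are deployed. The following is an added example, not taken from the guide or from Palo Alto Networks: it uses OpenSSL as a stand-in for the firewall's certificate generation, and all host names, CA names and helper function names are constructed for illustration.

```shell
#!/bin/sh
# Added example with constructed names and throwaway keys (not PAN-OS output).
# Models the Step 3 trust chain: a root CA issues each gateway's server
# certificate, and an agent accepts a gateway only if it holds that root CA.

make_root_ca() {        # $1 = work dir, $2 = CA common name
    mkdir -p "$1" &&
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext" &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -days 30 \
        -extfile "$1/ca.ext" -out "$1/ca.pem" 2>/dev/null
}

issue_server_cert() {   # $1 = CA work dir, $2 = server DNS name
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$2" > "$1/$2.ext" &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

# Succeeds only if server certificate $2 chains to the root CA file $1.
chains_to() {
    openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1
}

# Pre-deployment check: print every certificate that the root CA deployed
# to the agents would not validate. $1 = root CA file, rest = cert files.
untrusted_certs() {
    ca=$1; shift
    for cert in "$@"; do
        chains_to "$ca" "$cert" || printf '%s\n' "$(basename "$cert")"
    done
}

work=$(mktemp -d)
make_root_ca "$work/gp" "GlobalProtect Root CA (constructed)"
issue_server_cert "$work/gp" gw-internal.example.com
issue_server_cert "$work/gp" gw-external.example.com
# A certificate from a different CA stands in for one generated elsewhere.
make_root_ca "$work/other" "Unrelated CA (constructed)"
issue_server_cert "$work/other" gw-stray.example.com
untrusted_certs "$work/gp/ca.pem" "$work"/gp/gw-*.pem "$work"/other/gw-*.pem
```

Only the certificate issued by the unrelated CA is reported, which is the case an agent holding just the deployed root CA would reject.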
Step 4 Define how you will authenticate users to the portal and the gateways.
You can use any combination of certificate profiles and/or
authentication profiles as necessary to ensure the security of your
portal and gateways. Portals and individual gateways can also use
different authentication schemes. See the following sections for
step-by-step instructions:
Set Up External Authentication (authentication profile)
Set Up Client Certificate Authentication (certificate profile)
Set up Two-Factor Authentication (token- or OTP-based)
You will then need to reference the certificate profiles and/or
authentication profiles you defined in the portal and gateway
configurations you create.
Quick Config: GlobalProtect Mixed Internal & External Gateway Configuration (Continued)