Scenario – Configure GlobalProtect Clientless VPN in Palo Alto

In this example, I've configured two security zones i.e. A test web server is placed in the LAN zone. The IP address of the web server is 192.168.1.10.

Steps to configure Clientless VPN in Palo Alto Firewall

To configure Clientless VPN, you first need to configure Palo Alto GlobalProtect VPN, and after that you need to configure Clientless VPN. If you already know how to configure GlobalProtect VPN, you can skip steps 1 – 9. Also, because in Clientless VPN the Palo Alto firewall acts as a reverse proxy, you can access only web applications/servers.

Step 1: Generating a Self-Signed Certificate

To configure the GlobalProtect VPN, you need a valid root CA certificate. You can generate your own certificate on the Palo Alto firewall, or you can use any certificate signed by a certificate authority (CA). To generate a self-signed certificate, go to Device > Certificate Management > Certificates > Device Certificates > Generate. Now, just fill in the certificate fields as per the reference image. Make sure the Common Name is the same as the IP address of the interface on which you are configuring GlobalProtect.

Step 2: Creating an SSL/TLS Service Profile

Now, you need to create an SSL/TLS service profile that is used for the portal configuration. Go to Device > Certificate Management > SSL/TLS Service Profile > Add. Select the certificate you just created and the minimum and maximum version of TLS.

Step 3: Creating Local Users for GP Clientless VPN

GlobalProtect VPN users need to be authenticated during the VPN connection process. If you are running LDAP in your environment, you can integrate GlobalProtect VPN with your LDAP server. Go to Device > Local User Database > Users and click on Add.

Step 4: Creating an Authentication Profile for Clientless VPN

Now, you need to create an authentication profile for Clientless VPN users. Go to Device > Authentication Profile and click on Add. Access the Advanced tab, and add users to the Allow List. Just follow the steps and create a new authentication profile.

Step 5: Creating a zone for GlobalProtect

As with IPSec VPN, in GlobalProtect VPN you need to create a zone for the tunnel interface. Although you can choose one of the pre-created zones, i.e. LAN, it is always recommended to create a new zone so that you have granular control over the GlobalProtect traffic. To create a security zone, go to Network > Zones > Add. Make sure the Zone Type is Layer 3 and that Enable User Identification is selected.

Step 6: Creating a tunnel interface for Clientless GlobalProtect

As with an IPSec tunnel, you need to create a separate tunnel interface for the GlobalProtect VPN. Go to Network > Interfaces > Tunnel > Add to create a tunnel interface. Also, make sure you assign the same security zone that was created in the previous step. You can attach a management profile to the tunnel interface as per your requirement. However, you do not need to assign an IP address to this interface.

Step 7: Portal Configuration for GlobalProtect Clientless VPN

Now we will start on the actual configuration for GlobalProtect. Access the General tab and provide the name for the GlobalProtect Portal Configuration. Below this, in Network Settings, select the interface on which you want to accept requests from the GlobalProtect client.

Access the Authentication tab, and select the SSL/TLS service profile which you created in Step 2.