NetConnect to GlobalProtect Migration Tech Note PAN-OS 4.1

Revision A, 2011, Palo Alto Networks, Inc.

Contents

Overview
  GlobalProtect Overview
  Licensing
  Upgrade
Understanding the Migrated Configuration
  Portal Configuration
  Gateway Configuration Details
Distributing GlobalProtect Agent
  Points to Consider When Using OTP
Verification
Troubleshooting

Overview

NetConnect SSL-VPN provides remote users with an SSL-based connection to the corporate network. NetConnect users can be authenticated via the local database, RADIUS, LDAP, Active Directory and CAC card. NetConnect fully integrates with App-ID, User-ID and Content-ID, enabling full control and inspection of application activity based on users and groups. NetConnect client support includes Windows 7, Vista, Windows XP and Mac OS X 10.5 and 10.6.

With PAN-OS 4.1, NetConnect SSL-VPN is replaced with GlobalProtect as the remote access solution. This document explains the GlobalProtect configuration for users upgrading from NetConnect. It also covers the necessary migration steps and tips for customers using the NetConnect remote access solution who are upgrading to PAN-OS 4.1.

GlobalProtect Overview

GlobalProtect extends the same next-generation firewall-based policies that are enforced within the physical perimeter to all users, no matter where they are located. In effect, GlobalProtect establishes a logical perimeter that extends policy beyond the physical perimeter. Employees working from home, on the road for business, or logging in from a coffee shop are protected by the logical perimeter in the same manner as if they were working from their office.

GlobalProtect includes three major components:

- GlobalProtect Portal: A Palo Alto Networks firewall that provides centralized control over the GlobalProtect system. The portal maintains the list of all gateways, the certificates used for authentication, and the list of categories for checking the end host.
- GlobalProtect Gateway: One or more interfaces on one or more Palo Alto Networks firewalls that provide security enforcement for traffic from the GlobalProtect Agent. Gateways can be internal (in the LAN) or external, deployed so that they are reachable via the public Internet.
- GlobalProtect Agent: Client software on the laptop that is configured to connect to the GlobalProtect deployment.
Note: A single firewall can function as both the portal and the gateway. This is the recommended path for users migrating from NetConnect who want GlobalProtect as a like-for-like replacement for NetConnect, without any of the added functionality of GlobalProtect.

Licensing

No additional license is required to run GlobalProtect for customers upgrading from NetConnect.

Upgrade

When customers using NetConnect upgrade to PAN-OS version 4.1, NetConnect functionality is automatically migrated to GlobalProtect. End users will have to install the new GlobalProtect Agent; the NetConnect client cannot be used to connect to a GlobalProtect gateway. NetConnect-specific configuration on the firewall is automatically migrated to the GlobalProtect configuration.

The figure below shows a sample topology with the firewall configured to use NetConnect, and then configured to use GlobalProtect after the upgrade. The NetConnect tunnel endpoint IP address is now used as the GlobalProtect portal and gateway IP address.

In this example, the firewall is configured with NetConnect SSL-VPN as follows:

- tunnel.1: Tunnel interface for VPN termination
- Authentication method: RADIUS
- DNS servers: 10.0.0.246 and 10.0.0.247
- IP pool: 172.16.0.1-172.16.1.254
- DNS suffix: mycompany.com
- Access route: 192.168.0.0/16

The screenshots that follow show the NetConnect configuration.

Note: Before upgrading to 4.1:
1. Back up your current configuration.
2. Navigate to Device > GlobalProtect Client, then download and activate the GlobalProtect Client.

Understanding the Migrated Configuration

After upgrading from PAN-OS 4.0 to PAN-OS 4.1, the NetConnect configuration is migrated to the equivalent GlobalProtect configuration.

Note: The SSL-VPN configuration option is not available in PAN-OS 4.1.

You will see the relevant migrated configuration under the GlobalProtect Portal and Gateway sections. The screenshots that follow show the GlobalProtect portal and gateway configuration after upgrading from PAN-OS 4.0 with NetConnect to PAN-OS 4.1.

(Screenshot: GlobalProtect Portal)
(Screenshot: GlobalProtect Gateway)

Portal Configuration

In this section we discuss the portal configuration as it relates to NetConnect.

- Name: System-created identifier for the portal.
- Authentication Profile: The authentication method used for authenticating the remote users. This is migrated from the NetConnect configuration.
- Server Certificate: The certificate used in the NetConnect configuration.
- Portal Address: The NetConnect gateway interface and IP address.

General Configuration: The configuration on the portal controls the behavior of the GlobalProtect agent on end hosts. The On demand option lets end users activate the GlobalProtect agent when they want to connect to the gateway. This is the default setting for a NetConnect to GlobalProtect migration.

Gateway Tab

The external gateway is the IP address of the NetConnect gateway. GlobalProtect agents establish their tunnel to this address.

Agent Tab

- Enabled Advanced View: Allows end users to open the advanced view section of the agent, as shown in the screenshot that follows. Tip: It is recommended to disable Advanced View for agents to prevent users from changing settings.
- User can save password: Allows the user to save the password on the GlobalProtect agent.
- Client Upgrade: End users are prompted to upgrade when a new version of the client is available. This is the default option when upgrading from PAN-OS 4.0 to 4.1. The other option is transparent, which automatically downloads the newer version of the agent when it is available, without prompting the user.

Gateway Configuration Details

This section of the configuration is similar to the NetConnect configuration in PAN-OS 4.0, with the exception of the HIP notification section. The parameters in the General section and Client Configuration are similar to the NetConnect configuration. HIP notification allows firewall administrators to configure notifications that are displayed when users connect to the GlobalProtect gateway.

End User Experience

After the firewall is upgraded to PAN-OS version 4.1, when an end user connects with the NetConnect client, the user is prompted for authentication by the GlobalProtect portal. The screenshot that follows shows the authentication screen.

Once authenticated, the user is prompted to download the GlobalProtect agent MSI file. The user needs to know their operating system before downloading the agent: if they choose the incorrect Windows or Mac version, the install will fail.

Note: Administrator privilege is required to install the GlobalProtect agent for the first time. Subsequent upgrades do not require administrator privilege.

Distributing GlobalProtect Agent

In Active Directory environments, the GlobalProtect agent can also be distributed to end users using AD Group Policy. AD Group Policy allows administrators to automatically modify Windows client computer settings and install software. Refer to the article at http://support.microsoft.com/kb/816102 for more information on how to use Group Policy to automatically distribute applications to client computers or users.

The GlobalProtect agent MSI file can be downloaded using one of two methods:

- Browsing to the address of the portal: https://<hostname or IP address>
- Connecting to the portal using the NetConnect client

Points to Consider When Using OTP

The GlobalProtect agent authenticates to the portal and to the gateway before establishing the connection. This differs from NetConnect, where clients authenticate once, to the NetConnect gateway. When using OTP for authentication, users are therefore prompted to enter the password twice, once each for the portal and the gateway, in order to establish the tunnel.

If you prefer that end users enter the password only once but still use OTP as the authentication method, you can configure the portal to use a different authentication method, such as RADIUS, and have the gateway use OTP. On the GlobalProtect agent, configure the username and password used to authenticate against the portal. Upon the first connection, the agent sends this credential to authenticate against the portal, and then prompts for a new password to connect to the gateway. The configuration snapshots of both the portal and gateway for this scenario follow.

The end user is prompted to authenticate to the gateway after connecting to the portal, as follows.

Verification

Viewing the active flow:

    admin@lab> show global-protect-gateway flow

    total tunnels configured:                                1
    filter - type GlobalProtect-Gateway, state any

    total GlobalProtect-Gateway tunnel shown:                1

    id    name                 local-i/f     local-ip         tunnel-i/f
    -------------------------------------------------------------------------
    2     Corp-NetConnect      ethernet1/1   10.2.133.195     tunnel.1

    admin@lab> show global-protect-gateway flow tunnel-id 2

    tunnel  Corp-NetConnect
            id:                 2
            type:               GlobalProtect-Gateway
            local ip:           10.2.133.195
            inner interface:    tunnel.1
            outer interface:    ethernet1/1
            ssl cert:           Netconnect
            active users:       1

            assigned-ip         remote-ip          encapsulation
            ---------------------------------------------------------------
            172.16.0.1          10.20.0.240        IPSec SPI 448772F2 (context 3)

Viewing the gateway configuration:

    admin@lab> show global-protect-gateway gateway name Corp-NetConnect

    GlobalProtect Name      : Corp-NetConnect
    Tunnel ID               : 2
    tunnel-interface        : tunnel.1
    encap-interface         : ethernet1/1
    inheritance-from        :
    Local Address           : 10.2.133.195
    SSL server port         : 443
    IPSec encap             : yes
    tunnel negotiation      : ssl
    HTTP redirect           : no
    UDP port                : 4501
    Max users               : 0
    IP pool ranges          : 172.16.0.1-172.16.1.254;
    DNS servers             : 4.2.2.2 : 0.0.0.0
    WINS servers            : 0.0.0.0 : 0.0.0.0
    DNS suffix              : mycompany.com
    Access routes           : 192.168.0.0/16;
    VSYS                    : vsys1 (id 1)
    SSL Server Cert         : Netconnect
    Auth Profile            : RADIUS
    Client Cert Profile     :
    Lifetime                : 259200 seconds
    Idle timeout            : 10800 seconds

Viewing the connected users:

    show global-protect-gateway current-user user

Or, from Network > GlobalProtect > Gateway, choose More users info.
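One way to verify a migrated gateway against the pre-upgrade NetConnect settings, as an added example that is not Palo Alto Networks code: it parses the key/value listing of show global-protect-gateway gateway name (the sample is built from the output above) and compares it with the NetConnect values from the example topology earlier in this note. Run against this note's own sample, it flags that the DNS servers (4.2.2.2) no longer match the NetConnect DNS servers 10.0.0.246 and 10.0.0.247, which is exactly the kind of drift to catch before cutting users over.

```python
"""Check a migrated GlobalProtect gateway against the pre-upgrade NetConnect
settings. Added example, not Palo Alto Networks code. Input is the text of
`show global-protect-gateway gateway name <name>` (sample built from this note)."""

SAMPLE_GATEWAY_OUTPUT = """\
GlobalProtect Name      : Corp-NetConnect
tunnel-interface        : tunnel.1
IP pool ranges          : 172.16.0.1-172.16.1.254;
DNS servers             : 4.2.2.2 : 0.0.0.0
DNS suffix              : mycompany.com
Access routes           : 192.168.0.0/16;
Auth Profile            : RADIUS
Client Cert Profile     :
Idle timeout            : 10800 seconds
"""

# NetConnect settings from the pre-upgrade backup (the example topology in
# this note): the values the migrated gateway is expected to carry.
EXPECTED = {
    "tunnel-interface": {"tunnel.1"},
    "Auth Profile": {"RADIUS"},
    "IP pool ranges": {"172.16.0.1-172.16.1.254"},
    "DNS servers": {"10.0.0.246", "10.0.0.247"},
    "DNS suffix": {"mycompany.com"},
    "Access routes": {"192.168.0.0/16"},
}
# Multi-valued fields: pools and routes end in ';', DNS server pairs use ' : '.
LIST_SEPARATORS = {"IP pool ranges": ";", "Access routes": ";", "DNS servers": ":"}
UNSET = {"", "0.0.0.0"}  # placeholders PAN-OS prints for empty slots

def parse_gateway(output):
    """Return {field: set(values)} from the CLI key/value listing."""
    fields = {}
    for line in output.splitlines():
        if ":" not in line:
            continue
        key, _, raw = line.partition(":")  # split on the FIRST colon only
        key = key.strip()
        sep = LIST_SEPARATORS.get(key)
        parts = raw.split(sep) if sep else [raw]
        fields[key] = {p.strip() for p in parts if p.strip() not in UNSET}
    return fields

def check_migration(output, expected=EXPECTED):
    """Return [(field, expected, actual)] for every field that drifted."""
    actual = parse_gateway(output)
    return [(key, sorted(want), sorted(actual.get(key, set())))
            for key, want in expected.items()
            if actual.get(key, set()) != want]

if __name__ == "__main__":
    for key, want, got in check_migration(SAMPLE_GATEWAY_OUTPUT):
        print(f"MISMATCH {key}: expected {want}, gateway has {got}")
```

Paste the real command output in place of the constructed sample and fill EXPECTED from your own configuration backup; an empty result means every checked field survived the migration.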

Troubleshooting

This section lists some basic troubleshooting steps for both the firewall and the agent.

Firewall

Authentication failures:
- Verify that users can authenticate by browsing to the IP address of the portal and authenticating to it.
- View the authentication logs on the firewall in real time using the following command:

      tail follow yes mp-log authd.log

- GlobalProtect-specific logs can be viewed in the firewall system logs by filtering on (subtype eq globalprotect).

Agent

If the agent fails to connect, you can view the debug logs on the agent. The advanced view on the agent must be enabled to see the Troubleshooting tab of the agent. Set the log to PanGPService and the Debug level to debug. You can then see authentication failed messages and connectivity failure messages, as follows.

To collect the tech-support equivalent logs from the agent, select File > Collect Log and click Collect Logs.