ONBOARDING GUIDE: GLOBALPROTECT CLOUD SERVICE FOR REMOTE NETWORKS

GlobalProtect cloud service extends the Palo Alto Networks Next-Generation Security Platform to your remote networks and mobile users. It operationalizes next-generation security for these locations through a cloud-based security infrastructure managed by Palo Alto Networks. You administer GlobalProtect cloud service with Panorama network security management, which lets you create and deploy consistent security policies across your entire organization.

GlobalProtect Cloud Service for Remote Networks

GlobalProtect cloud service for remote networks lets you extend the prevention philosophy of your corporate network to your remote networks, safely enabling commonly used applications and web access. Remote networks are connected to GlobalProtect cloud service through VeloCloud, the VMware NSX SD-WAN fabric, which secures enterprise and cloud applications over internet and hybrid WAN, simplifies deployment and reduces costs. GlobalProtect cloud service takes advantage of the full suite of Next-Generation Security Platform features; AutoFocus contextual threat intelligence and Aperture SaaS security can be deployed to complement it.

For onboarding, an instance of GlobalProtect cloud service for remote networks is set up. Figure 1 shows three locations, two branches and one headquarters, connecting to GlobalProtect cloud service. For simplicity of validation, each branch is given a unique subnet. (Palo Alto Networks does not recommend overlapping IP subnets in general, although they can be configured with certain limitations in functionality.)

Figure 1: Onboarding with GlobalProtect cloud service (diagram: GlobalProtect Cloud Service, Logging Service, Headquarters and branches connected over IPsec/SSL VPN; locations and users are added or removed and policy is managed from Panorama)

Palo Alto Networks Onboarding Guide: GlobalProtect Cloud Service for Remote Networks Datasheet

We first establish the IPsec tunnel from each location to the cloud firewall(s); refer to the last section for IPsec tunnel setup.

The environment has three SD-WAN components:

1. VMware NSX SD-WAN Edge by VeloCloud: The edge device is a zero-touch, enterprise-class appliance that provides secure, optimized connectivity to private, public and hybrid applications, compute and virtualized services. Edges perform deep application recognition, application and packet steering, performance metrics and end-to-end quality of service, in addition to hosting virtual network function services.
2. VMware NSX SD-WAN Gateway by VeloCloud: A distributed network of service gateways deployed at top-tier cloud data centers around the world provides scalability, redundancy and on-demand flexibility. These gateways provide optimized data paths to all applications, branches and data centers, along with the ability to deliver network services from the cloud.
3. VMware NSX SD-WAN Orchestrator by VeloCloud: The orchestrator provides centralized, enterprise-wide installation, configuration and real-time monitoring, in addition to orchestrating data flow through the cloud network. It enables one-click provisioning of virtual services in the branch, the cloud or the enterprise data center.

Onboarding Validation Checklist

Validation Environment

Product Name             Version       Environment/Operating System
VeloCloud Edge           Release 2.3
VeloCloud Gateway        Release 2.3
VeloCloud Orchestrator   Release 2.3

Validation Test Cases                            Status
IPsec tunnel connectivity                        ✓
Branch-to-branch connectivity/communication      ✓
Branch-to-corporate connectivity/communication   ✓
Branch-to-internet connectivity/communication    ✓

✓ = Pass, X = Fail, N/A = Not Applicable

Topology for Test Cases With SD-WAN:

1. Branch to branch: Branch1 -> SD-WAN hub/gateway -> GlobalProtect cloud service (hairpin back) -> SD-WAN hub/gateway -> Branch2 (SD-WAN handles routing)
2. Branch to HQ/DC: Branch1 -> SD-WAN hub/gateway -> GlobalProtect cloud service (hairpin back) -> SD-WAN hub/gateway -> hub (SD-WAN handles routing)
3. Branch to internet: Branch1 -> SD-WAN -> GlobalProtect cloud service -> internet

Passing Criteria:

1. Branch to branch: a host at Branch1 passes traffic to a host at Branch2 and vice versa
2. Branch to HQ/DC: a host at Branch1 passes traffic to a host at HQ/DC and vice versa
3. Branch to internet: a host at a branch reaches the internet
Testing Scenarios

Remote network, SD-WAN integration: on-board two branches with one IPsec tunnel of 300 Mbps to GlobalProtect cloud service. (Diagram: GlobalProtect Cloud Service, Internet, SD-WAN fabric, Headquarters; traffic flows over a single 300 Mbps IPsec tunnel.)

Remote network, scaling with SD-WAN: on-board one branch with 600 Mbps as two 300 Mbps IPsec tunnels to the cloud service. (Diagram: GlobalProtect Cloud Service, Internet, SD-WAN fabric, Headquarters; two 300 Mbps IPsec tunnels.)

Remote network, scaling with SD-WAN: two IPsec tunnels of 300 Mbps each serving five branches of 100 Mbps each. (Diagram: GlobalProtect Cloud Service, Internet, SD-WAN fabric, Headquarters; two 300 Mbps IPsec tunnels.)
Palo Alto Networks GlobalProtect Cloud Service Configuration

GlobalProtect cloud service must be configured with the branch site network details; the IPsec tunnel and Internet Key Exchange (IKE) configuration for protocol negotiation between your remote network location and GlobalProtect cloud service; the remote network configuration; and any other security policies you need. All of this is configured through Panorama. The steps below are only a broad configuration guideline using Panorama, and screens may change over time; refer to the GlobalProtect Cloud Service Getting Started Guide for details. Install the Cloud Services plugin on Panorama before you proceed with configuration.

GlobalProtect Cloud Service Setup

Palo Alto Networks requires that you configure an infrastructure subnet that does not overlap with any of your existing networks. It is used to create the network backbone for communication between your branch office networks and GlobalProtect cloud service. To create it, navigate to Panorama > Cloud Services > Configuration, select Service Setup and click the Settings icon.

Configure Zone Mapping

You must create zone mappings so that GlobalProtect cloud service knows whether to associate a zone with an internal (trust) interface or an external (untrust) interface on the firewalls it instantiates in the cloud. To create a zone mapping:

1. Go to Panorama > Network > Zones.
2. Create your trusted and untrusted zones.
3. Map them under Panorama > Cloud Services > Configuration > Remote Networks > Zone Mapping.
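The two subnet rules in this guide (an infrastructure subnet disjoint from every existing network, and one unique subnet per branch) are easy to violate once a plan has more than a handful of sites, and the result is a tunnel that comes up with unroutable or silently overlapping prefixes. The following Python script is an added example, not code from Palo Alto Networks or VMware: it checks a plan of CIDR prefixes for overlaps and malformed entries, and also emits the proxy-ID pairs (local any, remote = the assigned subnet) that the tunnel section calls for when the far end is a policy-based VPN. The site names and prefixes are constructed for illustration.

```python
"""Subnet-plan check for a GlobalProtect cloud service remote-network rollout.

Added example, not part of the Palo Alto Networks / VeloCloud guide.
Encodes two rules from the guide: the infrastructure subnet must not overlap
any existing network, and each branch gets its own, non-overlapping subnet.
It also emits proxy-ID pairs for a policy-based far end (local any, remote =
the branch's assigned subnet). All prefixes below are constructed samples.
"""
from ipaddress import ip_network
from itertools import combinations

# Constructed sample plan (assumed values, not from the guide); Figure 1 has two branches and one HQ.
INFRA = "172.16.55.0/24"
SITES = {
    "hq": "10.10.0.0/16",
    "branch1": "10.20.1.0/24",
    "branch2": "10.20.2.0/24",
}


def parse_plan(plan):
    """Parse {name: cidr}. Returns (nets, problems); malformed entries are
    reported rather than raised, so one typo does not hide the other findings."""
    nets, problems = {}, []
    for name, cidr in plan.items():
        try:
            nets[name] = ip_network(cidr)  # strict: host bits must be zero
        except ValueError:
            try:
                fixed = ip_network(cidr, strict=False)
                problems.append(f"{name}: {cidr} has host bits set (did you mean {fixed}?)")
            except ValueError:
                problems.append(f"{name}: {cidr} is not a valid prefix")
    return nets, problems


def check_plan(infra_subnet, sites):
    """Return (ok, problems). ok is True only when the infrastructure subnet and
    every site subnet are valid and pairwise disjoint."""
    nets, problems = parse_plan({"infrastructure": infra_subnet, **sites})
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} ({na}) overlaps {b} ({nb})")
    return not problems, problems


def proxy_ids(sites, local="0.0.0.0/0"):
    """Proxy-ID entries for a policy-based VPN peer: one per site, local = any,
    remote = the site's assigned subnet. Run check_plan first; this raises on a
    malformed prefix."""
    return [
        {"name": f"proxy-{name}", "local": local, "remote": str(ip_network(sites[name]))}
        for name in sites
    ]


if __name__ == "__main__":
    ok, problems = check_plan(INFRA, SITES)
    print("plan OK" if ok else "plan has problems:")
    for p in problems:
        print("  -", p)
    for entry in proxy_ids(SITES):
        print(entry)
```

Run the check before committing Service Setup in Panorama; a plan that fails it should be corrected rather than worked around with the limited overlapping-subnet support the guide mentions.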
Onboard VeloCloud Headend as a Branch

To onboard a VeloCloud headend as a branch, you must establish an IPsec tunnel between GlobalProtect cloud service and the headend site. Follow the steps below:

Go to Panorama > Cloud Services > Configuration > Remote Networks and add an IPsec tunnel. To create a new IPsec tunnel, click New IPSec Tunnel, give it a name, and configure the IKE gateway and the IPSec Crypto Profile. The default IPSec Crypto Profile is sufficient for validation; for production, make the IKE and IPsec crypto profiles match the IKE/IPsec template the VeloCloud Orchestrator generates for the site (see the headend steps below), and prefer current algorithms such as AES-256, SHA-256 and DH group 14 or higher over legacy ones such as 3DES, SHA1 and DH group 2. The following figures show a sample configuration for the IKE gateway and IPsec tunnel. IKEv1 and IKEv2 with static or dynamic peers are supported. If the far end is a policy-based VPN only, a proxy-ID must be configured: the local subnet can be any, and the remote subnet is the subnet assigned to the remote network.
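An IKE or IPsec tunnel only comes up if the proposals on both ends intersect, and it comes up weak if the only intersection is a legacy algorithm. The following Python script is an added example, not code from Palo Alto Networks or VMware: it takes the algorithm lists from the Panorama crypto profile and from the IKE/IPsec template the VeloCloud Orchestrator generates (the View IKE/IPSec Template step in the headend procedure below), picks the combination the initiator would select, and flags any legacy algorithm both sides still offer. Algorithm names follow PAN-OS profile naming; the sample proposal lists are constructed and do not reproduce the real default profile or the real VCO template.

```python
"""IKE/IPsec proposal intersection and legacy-algorithm check.

Added example, not from the Palo Alto Networks / VeloCloud guide. Compares the
algorithms offered by the Panorama IKE or IPSec crypto profile with those in the
IKE/IPsec template generated by the VeloCloud Orchestrator. Names follow PAN-OS
profile naming; the sample lists below are constructed, not the real defaults.
"""

# Legacy algorithms a practitioner should remove from both sides before production.
LEGACY = {"des", "3des", "md5", "sha1", "group1", "group2", "group5"}

# Each attribute is negotiated independently: encryption, integrity, DH group (PFS group for IPsec).
ATTRIBUTES = ("encryption", "authentication", "dh_group")

# Constructed sample proposals (assumed values, not the real profile or template).
PANORAMA_PROFILE = {
    "encryption": ["aes-256-cbc", "aes-128-cbc", "3des"],
    "authentication": ["sha256", "sha1"],
    "dh_group": ["group14", "group2"],
}
VCO_TEMPLATE = {
    "encryption": ["aes-128-cbc", "3des"],
    "authentication": ["sha1"],
    "dh_group": ["group2"],
}
HARDENED = {
    "encryption": ["aes-256-cbc"],
    "authentication": ["sha256"],
    "dh_group": ["group14"],
}


def negotiate(local, peer):
    """Return (selected, legacy_common).

    selected: per attribute, the first local choice the peer also offers (the
    initiator's preference order wins), or None if any attribute has no common
    value, meaning the tunnel cannot be negotiated at all.
    legacy_common: every legacy algorithm offered by BOTH sides, even when a
    stronger one was selected, because whichever side initiates (for example
    after a restart) applies its own order; remove those from both profiles
    rather than relying on ordering.
    """
    selected, legacy_common = {}, []
    for attr in ATTRIBUTES:
        offered_by_peer = set(peer.get(attr, []))
        common = [alg for alg in local.get(attr, []) if alg in offered_by_peer]
        selected[attr] = common[0] if common else None
        legacy_common.extend(alg for alg in common if alg in LEGACY)
    if any(v is None for v in selected.values()):
        return None, legacy_common
    return selected, legacy_common


def report(local, peer):
    """Human-readable verdict for a profile/template pair."""
    selected, legacy_common = negotiate(local, peer)
    if selected is None:
        return "NO MATCH: at least one attribute has no algorithm in common"
    if legacy_common:
        verdict = "WEAK (legacy offered by both: " + ", ".join(legacy_common) + ")"
    else:
        verdict = "OK"
    return f"{verdict}; would negotiate {selected}"


if __name__ == "__main__":
    print(report(PANORAMA_PROFILE, VCO_TEMPLATE))
    print(report(HARDENED, HARDENED))
```

Check both the IKE (phase 1) and the IPsec (phase 2) proposal sets this way; a clean phase 1 with a legacy-only phase 2 is still a weak tunnel.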
Commit all your changes to Panorama and push the configuration to GlobalProtect cloud service: click Commit > Commit to Panorama.

VeloCloud SD-WAN components used in the validation:

1. VeloCloud Edge models: Edge 510, Edge 520, Edge 540, Edge 840, Edge 2000, Virtual Edge
2. VeloCloud Gateway
3. VeloCloud Orchestrator

(Diagram: GlobalProtect Cloud reached from the VeloCloud Gateway over an IPsec tunnel; data center with servers; Internet; Branch1 with Client 1 and Branch2 with Client 2 connected over SD-WAN overlay tunnels.)

Steps to configure:

1. Establish connectivity from the VeloCloud Gateway to the Palo Alto Networks GlobalProtect cloud (GPC) service.
   a. Log in to the enterprise customer account on the VeloCloud Orchestrator (VCO).
   b. Navigate to Configure > Network Services. Go to the Non-VeloCloud Sites section and click New to create a new non-VeloCloud site.
   c. Configure a name and select Palo Alto as the type.
   d. Configure the public IP address of the firewall in GlobalProtect cloud service.
   e. Click Next to create the site and generate the IKE/IPsec configuration and pre-shared key for the site. This pre-shared key is the one you enter on the IKE gateway in Panorama; handle it as a secret.
   f. Once the site is created, click Advanced to update the IKE/IPsec configuration, and add the site subnets that need to be protected.
   g. Check Enable Tunnel(s) and then click Save Changes.
   h. You can view the detailed IKE/IPsec configuration needed to configure the Palo Alto Networks firewall by clicking View IKE/IPSec Template in the screenshot shown in step 1.f. The VeloCloud Gateway public IP address can be retrieved from this template.
2. Verify that connectivity between the VeloCloud Gateway and the Palo Alto Networks firewall is established.
   a. Go to Monitor > Network Services.
3. Configure the customer profile to service-chain the non-VeloCloud site into the customer's SD-WAN.
   a. Go to Configure > Profiles > <Profile_Name> and click the Device tab.
   b. Enable the Cloud VPN feature to turn on VPN connectivity from the branch and DC sites.
   c. Check Enable under the Branch to Non-VeloCloud Site section and select the Palo Alto GPC firewall configured in step 1.
4. Click Save Changes. At this stage, the Palo Alto Networks firewall in GPC is service-chained into the customer's VeloCloud SD-WAN.
5. Define application-aware business policies to redirect traffic through GlobalProtect cloud service. The following scenarios are covered:
   a. Branch-to-internet or cloud traffic: configure a business policy that redirects internet traffic through GlobalProtect cloud service.
   b. Branch-to-data-center traffic: configure a business policy that redirects data center traffic through GlobalProtect cloud service.
   c. Branch-to-branch traffic: configure a business policy that redirects branch traffic through GlobalProtect cloud service.

3000 Tannery Way, Santa Clara, CA 95054
Main: +1.408.753.4000   Sales: +1.866.320.4788   Support: +1.866.898.9087
www.paloaltonetworks.com

© 2018 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. velocloudintegration-guide-ds-030218