3. Remote Access VPN configuration with GlobalProtect

  • Published on 25 Oct 2024

Comments • 46

  • @MitchGreen313
    @MitchGreen313 7 years ago +1

    Good stuff Rafis. Stumbled across this by chance whilst working on a GlobalProtect implementation. Turns out it's an old friend!

  • @magdielarelimataburciaga986
    @magdielarelimataburciaga986 7 years ago +1

    Thank you. I had a problem with the GlobalProtect configuration. I only had to change the IP address in the certificate. Excellent video!

  • @leanderjanlargo5690
    @leanderjanlargo5690 6 years ago +1

    Great video! Thanks for uploading!

  • @jatinbjatinp
    @jatinbjatinp 9 years ago +1

    All these videos are really helpful. Thank you very much.

  • @GrahamSmart
    @GrahamSmart 9 years ago +1

    Worked first time. Thanks

  • @txfiber
    @txfiber 6 years ago

    Good video. Gave me enough steps to figure this out in 2018 :D

  • @kashifrana6798
    @kashifrana6798 8 years ago

    Great explanation in a simple way! Just got one question: can we use a different public IP for portal and gateway, other than the interface IP of the firewall?

  • @SC2Wins
    @SC2Wins 9 years ago +1

    Thanks, that is awesome. Very well explained.

  • @dinishdivakaran8413
    @dinishdivakaran8413 5 years ago

    How can I configure LDAP and local DB for authentication using the same gateway and portal? My goal is for local users to be permitted full tunnel and LDAP users to have split tunnel.

  • @TallPaulTech
    @TallPaulTech 8 years ago

    Hi Rafis,
    I'm new to Palo Alto and am starting this config with version 7.1.4.
    Most parts are similar to your instructions, but there are some differences to your video too.
    Do you plan on doing an updated version based on the newer code?

    • @Czhr43jh6hyx
      @Czhr43jh6hyx 8 years ago

      Thank you for the note.
      I'm trying to get a new license for my PA-200. Then I will check what should be updated.

  • @TakeThisLove
    @TakeThisLove 9 years ago

    Hi Rafis,
    When we create a Gateway for remote access users, we should choose the external interface and pick an IP address from the available scope, but in my case this section is empty ('none' parameter). I'm not able to enter an IP address manually either.
    I suppose the problem is that I have Dynamic-DHCP Client on the eth1/1 interface instead of static.
    Are there any workarounds to make it work?
    Thank you again for your incredible work.

    • @Czhr43jh6hyx
      @Czhr43jh6hyx 8 years ago

      +noodzyk
      Correct - leave it blank if you use DHCP.

  • @routeflap4053
    @routeflap4053 8 years ago

    @min 7:04 it should be called client configuration, as the portal will push the configuration to clients (PAN-GPA in case of on-demand or PAN_GPS in pre-logon) regarding their gateways matching User Groups / OS: www.paloaltonetworks.com/documentation/60/globalprotect/global_protect_6-0/globalprotect-quick-configs/remote-access-vpn-with-pre-logon

  • @yammyguy78
    @yammyguy78 8 years ago

    Thank you for the tutorial. I'm hoping you can shed some light on how this would be configured when the interface is set to DHCP. I'm unable to specify an IP address when configuring the GlobalProtect gateway. Is there a workaround for this? Thank you in advance.

    • @Czhr43jh6hyx
      @Czhr43jh6hyx 8 years ago

      Chris Wilson, as I remember, it is possible to configure GlobalProtect with DHCP on the external interface. Specify the external interface as the address and it will be replaced by the actual IP address assigned via DHCP.

    • @magdielarelimataburciaga986
      @magdielarelimataburciaga986 7 years ago

      I have an external interface with DHCP. You can configure the certificate with the current public IP address, and when it changes you only need to change it in the certificate, as well as in the portal's Gateway. That's all.

    • @Czhr43jh6hyx
      @Czhr43jh6hyx 7 years ago

      Magdiel Areli Mata Burciaga
      In the certificate, use the FQDN instead of the IP address. Use DDNS to update the IP address associated with the domain when the IP address changes. In DNS, set the TTL for the firewall FQDN to, let's say, about 15 min. And if you use DHCP for your external IP, how else would you know what IP was assigned in the case of a reconnect?

    • @magdielarelimataburciaga986
      @magdielarelimataburciaga986 7 years ago

      Because I have the ISP's MAC address cloned. The Network tab shows me the new IP address that was assigned when the ISP went down. It's not much trouble to find out what my new IP is.

  • @michellesdiyscienceandart9837
    @michellesdiyscienceandart9837 5 years ago

    Thanks Rafis, first of all. I'm using version 8.1.7 and GP version 5.0.2. I am getting an invalid cert error when trying to connect using the GlobalProtect client. Any tips on this, please?

  • @jasperk6122
    @jasperk6122 8 years ago

    Hi Rafis, I followed your steps and it works fine: GlobalProtect status is Connected and I can actually ping some internal hosts. My problem is that I can't access internal resources like web applications installed on my local servers or my shared files on my local file server. Appreciate your help.

    • @Czhr43jh6hyx
      @Czhr43jh6hyx 8 years ago

      Check security policies. Cheers!

    • @jasperk6122
      @jasperk6122 8 years ago +1

      +Rafis Garipov Actually, I made some changes on my network and forgot to change the default gateway for those resources, and now everything works perfectly. Thanks so much, Rafis.

  • @jfescobar07
    @jfescobar07 8 years ago +1

    Do you have any topology diagram for this configuration? Thanks.

    • @Czhr43jh6hyx
      @Czhr43jh6hyx 8 years ago

      Thank you, I will keep it in mind for the update.

  • @TakeThisLove
    @TakeThisLove 9 years ago

    Hi Rafis,
    Is it possible to make it work if I have a DHCP (reserved lease) address on my external interface?

    • @Czhr43jh6hyx
      @Czhr43jh6hyx 9 years ago

      I have not tried it yet, although the documentation says it is possible: live.paloaltonetworks.com/t5/Configuration-Articles/Using-DHCP-Interface-as-GlobalProtect-IP/ta-p/52358

  • @edcuslee
    @edcuslee 8 years ago

    Hi, wondering whether I can have two local groups served by only one gateway? (e.g. the first group will get IP Pool 1 and the second group will get IP Pool 2)
    Appreciate it a lot.

    • @Czhr43jh6hyx
      @Czhr43jh6hyx 8 years ago

      +edcuslee
      Hi mate - please try to configure separate Agent profiles with different IP Pools.
      Assign the agent profiles based on local user / user group membership.
      Although if you have such requirements, it is not a small installation and I would suggest using an external user database rather than local users/user groups. Scalability!

    • @TharakaGamage
      @TharakaGamage 8 years ago

      I cannot add local users as source user in GP gateway network settings. How do you configure GlobalProtect to grant access to external staff if these employees do not exist in AD?

  • @ele5589
    @ele5589 9 years ago +1

    Hello, I need a licence to make this work, right?
    Does it use IPsec or SSL?
    Great video. Regards

    • @Czhr43jh6hyx
      @Czhr43jh6hyx 9 years ago

      Elena Pereira
      It depends...
      If you have one gateway, it is included in the base license. I recommend looking into the official documents for such questions, though.
      live.paloaltonetworks.com/docs/DOC-4768
      GlobalProtect uses SSL VPN as transport.

  • @mmmm656
    @mmmm656 2 years ago

    Nice video, but there's no network topology nor understanding of actual pool settings

  • @izharhaque8809
    @izharhaque8809 8 years ago

    Hi Rafis,
    I have configured the GP VPN portal and GW on my PA, which is inside a VM,
    and am accessing the PA FW from my local PC by using a bridged network adaptor,
    but I am not able to access the GlobalProtect portal page from my local PC.
    Do I need to build one separate PC inside the VM, or is any network setting required to access the GP portal?
    Thanks in advance

    • @Czhr43jh6hyx
      @Czhr43jh6hyx 8 years ago

      Please check your VMware settings. Also, if you have VMware Workstation on Windows 10, it is a well-known issue.

    • @izharhaque8809
      @izharhaque8809 8 years ago

      Thanks Rafis for your valuable information and time.
      Izhar

  • @antoniodiazmeneses
    @antoniodiazmeneses 7 years ago

    Hello! This tutorial is very useful for me every time I need to deploy GP VPNs.
    Could you update it to the new versions of PAN-OS? (7.1.x)
    Thanks for your help and best regards!

  • @OffYourBackBJJ
    @OffYourBackBJJ 7 years ago

    Can you configure this for 2-factor auth?

    • @Czhr43jh6hyx
      @Czhr43jh6hyx 7 years ago

      SpartanFit! Hi mate, I see no problem with 2FA. As I remember, PA confirmed 2FA support. Please check it with the online documentation.

    • @flymoracer
      @flymoracer 7 years ago

      Fairly easy to use RADIUS to point to an external 2FA service. I've done this with Duo Security and a RADIUS proxy.

  • @ash-js8kp
    @ash-js8kp 6 years ago

    Hello Rafis,
    Your tutorials about Palo Alto were very useful and your explanation was given in a simple way. I started with Palo Alto 5 months ago. I made the configuration of GlobalProtect with a local database. But I want to learn more about GlobalProtect.
    Could you send me your e-mail address?
    Best regards

  • @TheSwapnilmahajan
    @TheSwapnilmahajan 7 years ago

    Cyberoam NetGenie NG11EH, please upload videos

  • @Babək_Xuduyev_Əhməd
    @Babək_Xuduyev_Əhməd 6 years ago

    Thank you, fellow countryman