Palo Alto GlobalProtect VPN Configuration [2024 IMPROVED!!!]

  • Published on 29 Dec 2024

Comments • 74

  • @netsums  10 months ago

    FREE Palo Alto Cheat Sheet in different formats and further FREE resources: netsums.com/resources

  • @bjornm.2183  11 months ago +1

    Good job, Ricardo!

    • @netsums  11 months ago

      Thank you, I hope I could help!

  • @sx91k  1 year ago +2

    Great explanation, thanks!

    • @netsums  1 year ago

      You're welcome, I'm glad you liked it!

  • @seththomas3194  3 months ago +1

    Good tutorial... updated and accurate! Thanks

    • @netsums  3 months ago

      Glad it was helpful, thank you for the feedback.

  • @_prince_isra_9845  9 months ago +1

    Thank you for the video. I learned a lot.

    • @netsums  9 months ago

      Very nice, I'm glad we could help you 😊

  • @zs8850  7 months ago +1

    Great video! Thank you for what you do!

    • @netsums  7 months ago

      No worries, I'm glad you liked the video!

  • @nimolluon3158  10 months ago +1

    Great presentation. It is just my preference that you should not move the screen around, because it is difficult to follow. Again, it is just for me. Good job!

    • @netsums  10 months ago

      Hi. Thank you for the comment and for your feedback! This feedback helps us a lot to improve the video quality. :)

  • @jaydipparmar5653  11 months ago +1

    You explained it very well. Let me test this in the lab.

    • @netsums  11 months ago

      Cool, I'm glad you liked it. Let me know later if it worked in your lab.

    • @jaydipparmar5653  11 months ago

      @@netsums Sure, will do. Also, can you please create one for SSL Forward & SSL Inbound decryption?

    • @netsums  11 months ago

      Here is a video about SSL Forward Proxy: th-cam.com/video/UuKcjfQicNw/w-d-xo.html. I still need to do the one about SSL Inbound, though. I will keep it in mind.

  • @bryanthompson696  11 months ago +2

    Good video, thank you.

    • @netsums  11 months ago

      Glad you enjoyed it!

  • @honno7765  4 months ago

    Amazing video. Thank you! I think, after watching it, I was able to figure out why I am getting connected to the portal but the connection fails at finding the best available gateway. I misconfigured the Agent External part, which is crucial to connect to the gateway.

    • @netsums  4 months ago

      Cool! I'm glad I could help.

  • @sridharbvnl2101  1 year ago +2

    Awesome

    • @netsums  1 year ago

      I'm glad you liked it. 👍

  • @hakimwalugembe9634  8 months ago

    Thanks for the great video. Can you do a video for pass-through IPsec traffic, where the Palo Alto Networks firewall is just an intermediate device between two IPsec peers?

    • @netsums  8 months ago

      What do you mean exactly? Do you mean site-to-site VPN?

  • @JoseMendez-h1y  9 months ago

    Great video, it was very informative. I realize you purchased the certificate from DigiCert, but can you show which certificate type you chose and the step-by-step process to import the certificate? I've seen the self-signed certificate process, but that's not quite the same. Again, great video!!

    • @netsums  9 months ago

      Thank you. We just bought the cheapest one we found, since it was just for our lab.
      I released a video about 2 weeks ago (Inbound SSL Decryption) where I show how you can import a Let's Encrypt certificate to the firewall, if you're interested. As a result, you get a public certificate for free. :-) But for that you need a Linux server. Take a look there and let me know if that's what you were looking for:
      th-cam.com/video/HIt65vK2TXI/w-d-xo.html?feature=shared

  • @Rich-p5o  3 months ago

    Good video...

  • @veerabsc  10 months ago

    Very good 👍. If you could show how the certificates were done for this GP, it would be lovely. Thank you for your hard work.

    • @netsums  10 months ago +1

      Hi. I'm glad you liked the video. Here we bought a certificate for vpn.netsums.com, but there are other videos where we created a Root CA certificate on the firewall and used this CA to sign other certificates we generated locally. Did that answer your question? :-)

  • @konglyhok4343  11 months ago

    Thank you! So can you show us how to configure it with multiple gateways? It would be useful.

    • @netsums  11 months ago

      Hi. I will consider it for an upcoming video. Thank you for the request.

  • @abhirajdeshmukh273  8 months ago

    Thank you for this video. I have a quick question: I have a centralized approach to achieve a hub-and-spoke model in AWS, which allows data flow on only one private interface in Palo Alto, but that is divided into 3 sub-interfaces (ingress, egress and east-west). Could you please guide me on how I should proceed with the configuration of GlobalProtect in that case?

    • @netsums  8 months ago

      Hi. Do any of the sub-interfaces have a public IP? If not, you would have to configure NAT somewhere. If I were you, I think I would configure a loopback address specifically for the portal and gateway configuration and configure the address translation from the public IP to this loopback address. Would that be possible? How does that sound to you?

    • @abhirajdeshmukh273  8 months ago

      @@netsums So none of these sub-interfaces have a public IP; however, I do have a NAT gateway outside of the PA. These sub-interfaces are plugged in through endpoints for traffic inspection.
      Where do I need to configure these loopback addresses, and how should I configure the address translation?

    • @netsums  8 months ago

      You configure the loopback addresses under Network -> Interfaces. I unfortunately cannot help you with the configuration of your gateway NAT on AWS, because it has been a long time since I configured one. It should be a static NAT: all packets addressed to the public IP should be forwarded to the firewall loopback address.
      If it's too complicated, you can also forward to a physical interface. I just think the configuration with the loopback is "cleaner", because you have a dedicated interface for GlobalProtect. Just a personal preference. :-)

  • @reginaldoredondo  11 months ago

    Hello my friend.
    I have a problem in my environment: every time the user logs into the internal environment, GlobalProtect closes the connection and the client cannot access the internal network. It's as if GlobalProtect blocked access.
    How can I resolve this situation? Can you help me?

    • @netsums  11 months ago

      Hi. I am not sure I understood your problem. Do you have GlobalProtect set up with an internal gateway? What does the log from the GlobalProtect client say (under Settings -> Troubleshooting)? I would suggest starting with the event log (I think it's called pan_gp_event.log).

  • @pramodkumargangwar5598  5 months ago

    Hi sir, I am using the Palo Alto VM trial version; there is no license. Can I perform this practical?

    • @netsums  5 months ago

      I'm not sure. Give it a try to see if it accepts the configuration.

  • @Bormanb23  7 months ago

    Hello, with always-on, is there a way to exclude auto-connecting to GP when the user is in the corporate network?

    • @netsums  7 months ago

      Hi. Yes, you're looking for an internal gateway. Take a look at this video: th-cam.com/video/5PvzQ2GoUR0/w-d-xo.html?si=-vB6IKju_5Sz7vXw

    • @Bormanb23  7 months ago

      @@netsums Sorry, that's not what I meant. What I want is for users not to auto-connect to GlobalProtect if they are sitting in the office. I only want them to connect to GlobalProtect when they go home.

    • @netsums  7 months ago

      The only way I know around this problem is to use the internal host detection that I show in this video.

  • @samsal073  5 months ago

    Hi, I was trying Verizon home internet and noticed that whenever I connect my machine to work via GlobalProtect the speed goes really down. Why is that? Is there anything I can do to fix it?

    • @netsums  5 months ago

      Sorry, I don't think I can help you there. Maybe set your MTU to 1350 or something like this? You can configure it in the portal configuration, under App. Otherwise you could take a look at the GlobalProtect client logs; maybe some errors could point you in the right direction.

    • @samsal073  5 months ago

      @@netsums Thanks for the reply. I have seen posts about setting the MTU, but I have no idea how to do that. Can you guide me on where/how I can access the portal config?

    • @netsums  5 months ago

      On the firewall, you go to Network -> GlobalProtect -> Portals. Click on your portal and click on Agent. Click on your agent configuration and select the App tab. There you need to search for MTU (you can use the browser search; it works). If I'm not mistaken, there is only one option with MTU in it.

  • @Tyler-k9b3f  1 year ago

    I wonder how NAT applies to this? The portal URL is typically a public IP? Does this just require a DNS record of the public-facing IP on the firewall?

    • @netsums  1 year ago +1

      If you have a public IP for your portal, you don't need NAT. You said it correctly: it is typically like this, but not a requirement. You can have a private IP for your portal, as I have in my lab, and still make it reachable from the Internet through a NAT device doing destination NAT.

    • @Tyler-k9b3f  1 year ago

      @@netsums Thank you very much for the response. I recently tried configuring a GP VPN on a client's FW where they had an existing GP VPN tunnel but wanted a second one. I was creating the second GP VPN using the public IP that they use for the existing GP VPN. This caused users to be redirected. Do you know off the top of your head why that is? I thought the packet would reach its final destination (the FW) and would get to the code and go to the correct portal and GW(?). Our new plan is to use a spare public IP they have for the new tunnel.

    • @netsums  1 year ago

      I would strongly recommend that you use the second IP for the other portal; I don't think Palo Alto supports two portals sharing the same interface. Why do you need a new portal, anyway? Different authentication methods?

    • @netsums  1 year ago

      When you say new tunnel, do you mean a new GlobalProtect Gateway? If I were you, I would configure a second portal and a second gateway sharing the same public IP. The tunnel interface doesn't need an IP address.

    • @Tyler-k9b3f  1 year ago

      @@netsums Thank you again for your response, sir. The client needs a second GP VPN tunnel because they want to authenticate corporate laptops with a certificate; they have an existing GP VPN tunnel for personal devices.
      I am going to work with the client in about two hours from now to configure it. The plan is to use their second public IP for the new GP VPN tunnel. The only thing I'm unsure of now is how routing and NAT will work with this, but I'm looking into it now and think I can figure it out on the fly, hopefully, when I hop on the call with them to see how their current setup is configured.

  • @RayAlejandroGaviriaAlegria  10 months ago

    Thanks for this video. Is it a similar configuration for Android users?

    • @netsums  10 months ago

      Hi. Yes, it is. Just be careful that for Android you need the GlobalProtect Gateway license.

  • @VortexRiddle  3 months ago

    Can we use a wildcard certificate for multiple gateways?

    • @netsums  3 months ago

      Yes, it should not be a problem.

  • @AbhiGangwar-wv1vj  7 months ago

    Hi, it's an informative video, but my question is how to ping from a GlobalProtect user to an outside server, like one on-premise server installed in India and a second server installed in the US. Site A and Site B are both configured with an IPsec tunnel (site-to-site VPN). In my case the GlobalProtect user is not able to ping the US server. Could you please provide the solution?

    • @netsums  7 months ago

      There are many reasons for the connection not to be working, but I would start with verifying whether the firewall in the US can route the GlobalProtect network. If yes, I would verify whether the encryption domain in the S2S tunnel is encrypting the GlobalProtect traffic going to the US servers. Do you see the traffic arriving in the US or not?
      I am assuming the GlobalProtect user is connecting to a gateway in India.
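      The two checks in the reply above (can the US firewall route the GlobalProtect pool back into the tunnel, and does the tunnel's encryption domain cover that pool) are easy to get wrong because the GlobalProtect pool is not part of either site's LAN. The script below is an added example, not code from the video or from either commenter: it models the US firewall's routing table and proxy IDs in Python and reports which of the two checks fails. Every address, interface name and pool size in it is a constructed lab value. Where the peer is route-based with no proxy IDs configured, only the route check applies.

```python
import ipaddress

# Constructed lab data for this example only; not taken from the video or the
# commenter's network. Private and documentation address ranges throughout.
GP_CLIENT = "10.250.0.5"          # GlobalProtect user connected to the India gateway
US_SERVER = "10.20.5.10"          # on-premise server in the US
US_TUNNEL_IF = "tunnel.1"         # site-to-site tunnel interface on the US firewall

# US firewall routing table as (destination prefix, egress interface or next hop).
# Deliberately has no route for the GlobalProtect pool, as in the scenario above.
US_ROUTES_BROKEN = [
    ("10.20.0.0/16", "ethernet1/2"),   # US LAN
    ("10.10.0.0/16", "tunnel.1"),      # India LAN reachable over the S2S tunnel
    ("0.0.0.0/0", "203.0.113.1"),      # default route towards the ISP
]
# Proxy IDs (encryption domain) on the US side: (local subnet, remote subnet).
US_PROXY_IDS_BROKEN = [
    ("10.20.0.0/16", "10.10.0.0/16"),
]

# The same configuration after adding the GlobalProtect pool to both places.
US_ROUTES_FIXED = US_ROUTES_BROKEN + [("10.250.0.0/24", "tunnel.1")]
US_PROXY_IDS_FIXED = US_PROXY_IDS_BROKEN + [("10.20.0.0/16", "10.250.0.0/24")]


def longest_prefix_match(routes, addr):
    """Return (network, egress) of the most specific route covering addr, or None."""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, egress in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best


def encryption_domain_covers(proxy_ids, local_addr, remote_addr):
    """True if some (local, remote) proxy ID pair matches the flow, i.e. it gets encrypted."""
    local_addr = ipaddress.ip_address(local_addr)
    remote_addr = ipaddress.ip_address(remote_addr)
    return any(
        local_addr in ipaddress.ip_network(local) and remote_addr in ipaddress.ip_network(remote)
        for local, remote in proxy_ids
    )


def diagnose_us_side(routes, proxy_ids, gp_client, us_server, tunnel_if):
    """Return findings explaining why the US firewall would not answer the GP client.

    Check 1, reverse route: replies to the GP client must leave via the S2S tunnel.
    Check 2, encryption domain: a proxy ID must cover US server -> GP client.
    An empty list means both checks passed.
    """
    findings = []
    route = longest_prefix_match(routes, gp_client)
    egress = route[1] if route else "no route"
    if egress != tunnel_if:
        findings.append(f"reverse route: replies to {gp_client} leave via {egress}, not {tunnel_if}")
    if not encryption_domain_covers(proxy_ids, us_server, gp_client):
        findings.append(f"encryption domain: no proxy ID covers {us_server} -> {gp_client}")
    return findings


if __name__ == "__main__":
    for label, routes, proxy_ids in (
        ("broken", US_ROUTES_BROKEN, US_PROXY_IDS_BROKEN),
        ("fixed", US_ROUTES_FIXED, US_PROXY_IDS_FIXED),
    ):
        findings = diagnose_us_side(routes, proxy_ids, GP_CLIENT, US_SERVER, US_TUNNEL_IF)
        print(f"[{label}] " + ("OK" if not findings else "; ".join(findings)))
```

      With the broken data the script reports both a reverse-route problem (the only matching route is the default route towards the ISP) and a missing proxy ID; with the fixed data it reports nothing. The same two checks are worth repeating from the India side for the forward direction, since the pool must be routed into the tunnel and covered by a proxy ID there as well.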

  • @seanbyrne960  8 months ago

    Thank you -- the software will not accept my tunnel interface -- "invalid tunnel reference" in validate commit.

    • @netsums  8 months ago

      Strange. Are you using Panorama for the configuration? If yes, are your gateway and tunnel configurations in different templates?

    • @seanbyrne960  8 months ago

      @@netsums Yes, I am using Panorama for this deployment -- there are two existing GP portals & gateways -- the logs show only one template -- thank you

    • @seanbyrne960  8 months ago

      Does your training course cover Panorama deployments & configuration?

    • @netsums  8 months ago

      Take a look in the template stack to see if everything is there (the gateways, the tunnels and the virtual routers), if you're still having problems.
      And yes, the course I'm building will cover templates and device group deployment. :-)

    • @seanbyrne960  8 months ago

      @@netsums The interfaces, gateways and tunnels are all part of the same template stack.

  • @Alex-un5tl  1 year ago

    Can you make one for IPv6 as well, please?

    • @netsums  1 year ago

      That's a good suggestion! I'll keep this in mind, thanks!
