Tech Note
PAN-OS 4.1
Revision A
Contents
Overview ............................................................................................................................................... 3
GlobalProtect Overview ........................................................................................................................ 3
LICENSING ........................................................................................................................................... 3
UPGRADE ............................................................................................................................................ 3
Understanding the Migrated Configuration ........................................................................................... 5
PORTAL CONFIGURATION .................................................................................................................... 6
GATEWAY CONFIGURATION DETAILS .................................................................................................... 9
Distributing GlobalProtect Agent......................................................................................................... 10
POINTS TO CONSIDER WHEN USING OTP ........................................................................................... 11
Verification.......................................................................................................................................... 12
Troubleshooting .................................................................................................................................. 14
[2]
Overview
NetConnect SSL-VPN provides remote users with an SSL-based connection to the corporate network. NetConnect users can
be authenticated via local DB, RADIUS, LDAP, Active Directory and CAC card. NetConnect fully integrates with App-ID,
User-ID and Content-ID, enabling full control and inspection of application activity, based on users and groups. NetConnect
client support includes Windows 7, Vista, Windows XP and Mac OSX 10.5 and 10.6. With PAN-OS 4.1, NetConnect SSLVPN is replaced with GlobalProtect for remote access solution.
This document provides an understanding of the GlobalProtect configuration for users upgrading from NetConnect. It also
covers the necessary migration steps and tips for customers using NetConnect remote access solution upgrading to PAN-OS
4.1
GlobalProtect Overview
GlobalProtect extends the same next-generation firewall-based policies that are enforced within the physical perimeter to all
users, no matter where they are located. In effect, GlobalProtect establishes a logical perimeter that extends policy beyond
the physical perimeter. Employees working from home, on the road for business, or logging in from a coffee shop will be
protected by the logical perimeter in the same manner that they would be if they were working from their office.
GlobalProtect includes three major components:
GlobalProtect Portal: A Palo Alto Networks firewall that provides centralized control over the GlobalProtect
system. Portal maintains the list of all gateways, certificates used for authentication, and the list of categories for
checking the end host.
GlobalProtect Gateway: One or more interfaces on one or more Palo Alto Networks firewall that provides
security enforcement for traffic from the GlobalProtect Agent. The gateways can be internal i.e. in the LAN or
external where they are deployed to be reachable via the public internet.
GlobalProtect Agent: Client software on the laptop that is configured to connect to the GlobalProtect
deployment.
Note: A single firewall can function both as the portal and gateway. This is recommended path for users migrating
from NetConnect to GlobalProtect as a replacement solution for NetConnect without any added functionality of
GlobalProtect.
Licensing
No additional license is required to run GlobalProtect for customers upgrading from NetConnect.
Upgrade
When customers using NetConnect upgrade to PAN-OS version 4.1, NetConnect functionality will automatically be
migrated to GlobalProtect. The end users will have to install the new GlobalProtect Agent. The NetConnect client cannot be
used to connect to a GlobalProtect gateway. NetConnect specific configurations on the firewall will be automatically
migrated to GlobalProtect configuration.
[3]
The figure below shows a sample topology with the firewall configured to use NetConnect and then configured to use
GlobalProtect after the upgrade. The NetConnect tunnel end point IP address will now be used as the GlobalProtect portal
and gateway IP address.
In this example, the firewall is configured with NetConnect SSL VPN with details shown below
tunnel.1 : Tunnel interface for VPN termination
Authentication method: RADIUS
DNS Server: 10.0.0.246 and 10.0.0.247
IP pool : 172.16.0.1- 172.16.1.254
DNS suffix: mycompany.com
Access route: 192.168.0.0/16
The screen shots that follow shows the NetConnect configuration:
[4]
After upgrading from PAN-OS 4.0 to PAN-OS 4.1, the NetConnect configuration will be migrated to the equivalent
GlobalProtect configuration.
Note: The SSL-VPN configuration option is not available in PAN-OS 4.1.
[5]
You will see the relevant migrated configuration under the GlobalProtect Portal and gateway section. The screen shots that
follow show the GlobalProtect portal and gateway configuration after upgrading from PAN-OS 4.0 with NetConnect to
PAN-OS 4.1.
GlobalProtect Portal
GlobalProtect Gateway
Portal Configuration
In this section we will discuss the portal configuration as it relates to NetConnect.
[6]
General Configuration:
The configuration on the portal controls the behavior of the GlobalProtect agent on end hosts.
The On demand option enables the end users to activate the GlobalProtect agent when they want to connect to the
gateway. This is the default setting for NetConnect to GlobalProtect migration.
Gateway tab
[7]
The external gateway is the IP address of the NetConnect Gateway. GlobalProtect agents establish tunnel to this address
Agent Tab
The Enabled Advanced View option allows the end users to select the advanced view section of the agent as follows:
Tip: It is recommended to disable Advanced View for agents to prevent users from changing settings
User can save password: Allows the user to save password on the GlobalProtect agent.
Client Upgrade: The end users will be prompted for upgrade when a new version of the client is available. This is the default
option when upgrading from PAN OS 4.0 to 4.1. The other option is transparent, which automatically downloads the
newer version of agent when available without prompting the user for upgrade
[8]
After upgrading the firewall to PAN OS version 4.1, when an end user connects with the NetConnect client, the user will be
prompted for authentication by the GlobalProtect portal. The screen shot that follows shows the authentication screen:
[9]
Once authenticated, the user will be prompted to download the GlobalProtect agent msi file. The user will need information
about the operating system before downloading the agent. If they choose the incorrect Windows or Mac version, the install
will fail.
Note: Administrator privilege is required to install the GlobalProtect agent for the first time.
Subsequent upgrades do not require administrator privilege
In Active Directory environments, GlobalProtect agent can also be distributed to end users using AD group policy. AD
Group Policy allows administrators to automatically modify Windows client computer settings and install software. Refer
to the article at http://support.microsoft.com/kb/816102 for more information on how to use Group Policy to automatically
distribute applications to client computers or users.
The GlobalProtect agent msi file can be downloaded using one of the two methods:
[10]
[11]
The end user will be prompted for authenticating to the gateway after connecting to the portal as follows:
Verification
Viewing the active flow
admin@LAB> show global-protect-gateway flow
total tunnels configured:
filter - type GlobalProtect-Gateway, state any
id
name
local-i/f
local-ip
tunnel-i/f
---------------------------------------------------------------------------------------------2
Corp-NetConnect
ethernet1/1
10.2.133.195
tunnel.1
[12]
Corp-NetConnect
id:
type:
local ip:
inner interface:
ssl cert:
active users:
2
GlobalProtect-Gateway
10.2.133.195
tunnel.1
outer interface:
Netconnect
1
ethernet1/1
assigned-ip
remote-ip
encapsulation
----------------------------------------------------------------------------------------------172.16.0.1
10.20.0.240
IPSec SPI 448772F2 (context 3)
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
WINS servers
:
:
DNS suffix
:
Access routes
:
VSYS
:
SSL Server Cert
:
Auth Profile
:
Client Cert Profile :
Lifetime
:
Idle timeout
:
Corp-NetConnect
2
tunnel.1
ethernet1/1
10.2.133.195
443
yes
ssl
no
4501
0
172.16.0.1 - 172.16.1.254;
4.2.2.2
0.0.0.0
0.0.0.0
0.0.0.0
mycompany.com
192.168.0.0/16;
vsys1 (id 1)
Netconnect
RADIUS
259200 seconds
10800 seconds
Or
[13]
Troubleshooting
This section lists some of the basic troubleshooting steps for both the firewall and the agent.
Firewall
Authentication failures
o Verify the users can authenticate by browsing to the IP address of the portal and authenticating to it.
o View the authentication logs on the firewall in real time using the following command- tail follow yes mplog authd.log.
GlobalProtect specific logs can be viewed on the firewall system logs by filtering on (subtype eq globalprotect)
Agent
If the agent fails to connect, you can view the debug logs on the agent. The advanced view on the agent must be enabled to
view the troubleshooting tab of the agent.
Set the log to PanGPService and Debug level to debug. You can see authentication failed messages and connectivity failure
messages as follows:
To collect the tech support equivalent logs from the agent, select File > Collect Log and click on collect logs.
[14]