
NetConnect to GlobalProtect Migration

Tech Note
PAN-OS 4.1

Revision A

2011, Palo Alto Networks, Inc.

Contents
Overview ............................................................................................................................................... 3
GlobalProtect Overview ........................................................................................................................ 3
LICENSING ........................................................................................................................................... 3
UPGRADE ............................................................................................................................................ 3
Understanding the Migrated Configuration ........................................................................................... 5
PORTAL CONFIGURATION .................................................................................................................... 6
GATEWAY CONFIGURATION DETAILS .................................................................................................... 9
Distributing GlobalProtect Agent......................................................................................................... 10
POINTS TO CONSIDER WHEN USING OTP ........................................................................................... 11
Verification.......................................................................................................................................... 12
Troubleshooting .................................................................................................................................. 14


Overview
NetConnect SSL-VPN provides remote users with an SSL-based connection to the corporate network. NetConnect users can
be authenticated via local DB, RADIUS, LDAP, Active Directory and CAC card. NetConnect fully integrates with App-ID,
User-ID and Content-ID, enabling full control and inspection of application activity based on users and groups. NetConnect
client support includes Windows 7, Vista, Windows XP and Mac OS X 10.5 and 10.6. With PAN-OS 4.1, NetConnect SSL-VPN is
replaced by GlobalProtect as the remote access solution.
This document explains the GlobalProtect configuration for users upgrading from NetConnect. It also covers the necessary
migration steps and tips for customers using the NetConnect remote access solution who are upgrading to PAN-OS 4.1.

GlobalProtect Overview
GlobalProtect extends the same next-generation firewall-based policies that are enforced within the physical perimeter to all
users, no matter where they are located. In effect, GlobalProtect establishes a logical perimeter that extends policy beyond
the physical perimeter. Employees working from home, on the road for business, or logging in from a coffee shop will be
protected by the logical perimeter in the same manner that they would be if they were working from their office.
GlobalProtect includes three major components:

GlobalProtect Portal: A Palo Alto Networks firewall that provides centralized control over the GlobalProtect
system. Portal maintains the list of all gateways, certificates used for authentication, and the list of categories for
checking the end host.

GlobalProtect Gateway: One or more interfaces on one or more Palo Alto Networks firewalls that provide
security enforcement for traffic from the GlobalProtect Agent. Gateways can be internal, i.e., on the LAN, or
external, where they are deployed to be reachable via the public internet.

GlobalProtect Agent: Client software on the laptop that is configured to connect to the GlobalProtect
deployment.

Note: A single firewall can function as both the portal and the gateway. This is the recommended path for users migrating
from NetConnect who want GlobalProtect as a like-for-like replacement for NetConnect, without any of the added functionality
of GlobalProtect.

Licensing
No additional license is required to run GlobalProtect for customers upgrading from NetConnect.

Upgrade
When customers using NetConnect upgrade to PAN-OS 4.1, NetConnect functionality is automatically migrated to
GlobalProtect. End users must install the new GlobalProtect Agent; the NetConnect client cannot be used to connect to a
GlobalProtect gateway. NetConnect-specific configuration on the firewall is automatically migrated to the GlobalProtect
configuration.


The figure below shows a sample topology with the firewall configured to use NetConnect and then configured to use
GlobalProtect after the upgrade. The NetConnect tunnel endpoint IP address is now used as the GlobalProtect portal
and gateway IP address.

In this example, the firewall is configured with NetConnect SSL VPN with the following details:
tunnel.1: Tunnel interface for VPN termination
Authentication method: RADIUS
DNS servers: 10.0.0.246 and 10.0.0.247
IP pool: 172.16.0.1 - 172.16.1.254
DNS suffix: mycompany.com
Access route: 192.168.0.0/16
The screen shots that follow show the NetConnect configuration:


Note: Before upgrading to 4.1:

1. Back up your current configuration.
2. Navigate to Device > GlobalProtect Client, and download and activate the GlobalProtect Client.

Understanding the Migrated Configuration

After upgrading from PAN-OS 4.0 to PAN-OS 4.1, the NetConnect configuration will be migrated to the equivalent
GlobalProtect configuration.
Note: The SSL-VPN configuration option is not available in PAN-OS 4.1.


You will see the migrated configuration under the GlobalProtect Portal and Gateway sections. The screen shots that
follow show the GlobalProtect portal and gateway configuration after upgrading from PAN-OS 4.0 with NetConnect to
PAN-OS 4.1.

GlobalProtect Portal

GlobalProtect Gateway

Portal Configuration
In this section we discuss the portal configuration as it relates to NetConnect.

Name: System-created identifier for the portal.

Authentication Profile: The authentication method used to authenticate remote users. This is migrated from the
NetConnect configuration.
Server Certificate: The certificate that was used by NetConnect.
Portal Address: The NetConnect gateway interface and IP address.


General Configuration:

The configuration on the portal controls the behavior of the GlobalProtect agent on end hosts.
The On-demand option lets end users activate the GlobalProtect agent when they want to connect to the
gateway. This is the default setting after the NetConnect to GlobalProtect migration.
Gateway tab


The external gateway is the IP address of the NetConnect gateway. GlobalProtect agents establish their tunnel to this address.
Agent Tab

The Enable Advanced View option allows end users to open the advanced view section of the agent, as follows:

Tip: It is recommended to disable Advanced View for agents to prevent users from changing settings.
User can save password: Allows the user to save the password in the GlobalProtect agent.
Client Upgrade: End users are prompted to upgrade when a new version of the client is available. This is the default
option when upgrading from PAN-OS 4.0 to 4.1. The other option is transparent, which automatically downloads the
newer version of the agent when it is available, without prompting the user to upgrade.


Gateway Configuration Details


This section of the configuration is similar to the NetConnect configuration in PAN-OS 4.0, with the exception of the HIP
notification section. The parameters in the General section and Client Configuration are similar to the NetConnect
configuration. HIP notification allows firewall administrators to configure notifications that are displayed when
users connect to the GlobalProtect gateway.

End User Experience

After upgrading the firewall to PAN-OS 4.1, when an end user connects with the NetConnect client, the user is
prompted for authentication by the GlobalProtect portal. The screen shot that follows shows the authentication screen:


Once authenticated, the user is prompted to download the GlobalProtect agent MSI file. The user needs to know which
operating system they are running before downloading the agent: if they choose the wrong Windows or Mac version, the
install fails.

Note: Administrator privileges are required to install the GlobalProtect agent for the first time.
Subsequent upgrades do not require administrator privileges.

Distributing GlobalProtect Agent

In Active Directory environments, the GlobalProtect agent can also be distributed to end users using AD Group Policy. AD
Group Policy allows administrators to automatically modify Windows client computer settings and install software. Refer
to the article at http://support.microsoft.com/kb/816102 for more information on how to use Group Policy to automatically
distribute applications to client computers or users.
The GlobalProtect agent MSI file can be downloaded using one of two methods:

Browsing to the address of the portal: https://<hostname or IP address>


Connecting to the portal using the NetConnect client

Points to Consider When Using OTP


The GlobalProtect agent authenticates to the portal and then to the gateway before establishing the connection. This differs
from NetConnect, where the client authenticates once to the NetConnect gateway. When using OTP for
authentication, users are therefore prompted to enter the password twice, once each for the portal and the gateway, in order
to establish the tunnel.
If you prefer that end users enter the password only once but still use OTP as the authentication method, you can configure
the portal to use a different authentication method, such as RADIUS, and have the gateway use OTP for authentication. On the
GlobalProtect agent, configure the username and password used to authenticate against the portal. On the first
connection, the agent sends this credential to authenticate against the portal and then prompts for a new password to
connect to the gateway. The configuration snapshots of both the portal and the gateway for this scenario follow:


The end user is prompted to authenticate to the gateway after connecting to the portal, as follows:

Verification
Viewing the active flow
admin@LAB> show global-protect-gateway flow
total tunnels configured:
filter - type GlobalProtect-Gateway, state any

total GlobalProtect-Gateway tunnel shown:

id   name              local-i/f     local-ip        tunnel-i/f
---------------------------------------------------------------
2    Corp-NetConnect   ethernet1/1   10.2.133.195    tunnel.1


admin@LAB> show global-protect-gateway flow tunnel-id 2

tunnel  Corp-NetConnect
        id:                2
        type:              GlobalProtect-Gateway
        local ip:          10.2.133.195
        inner interface:   tunnel.1          outer interface:   ethernet1/1
        ssl cert:          Netconnect
        active users:      1

assigned-ip    remote-ip      encapsulation
-------------------------------------------------------
172.16.0.1     10.20.0.240    IPSec SPI 448772F2 (context 3)

Viewing the Gateway Configuration

admin@LAB> show global-protect-gateway gateway name Corp-NetConnect

GlobalProtect Name  : Corp-NetConnect
Tunnel ID           : 2
tunnel-interface    : tunnel.1
encap-interface     : ethernet1/1
inheritance-from    :
Local Address       : 10.2.133.195
SSL server port     : 443
IPSec encap         : yes
tunnel negotiation  : ssl
HTTP redirect       : no
UDP port            : 4501
Max users           : 0
IP pool ranges      : 172.16.0.1 - 172.16.1.254;
DNS servers         : 4.2.2.2
                    : 0.0.0.0
WINS servers        : 0.0.0.0
                    : 0.0.0.0
DNS suffix          : mycompany.com
Access routes       : 192.168.0.0/16;
VSYS                : vsys1 (id 1)
SSL Server Cert     : Netconnect
Auth Profile        : RADIUS
Client Cert Profile :
Lifetime            : 259200 seconds
Idle timeout        : 10800 seconds
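As an added post-upgrade check (example code, not from this tech note or from Palo Alto Networks), the following Python script parses the "show global-protect-gateway gateway name" output format shown above and compares the migrated gateway against the NetConnect settings listed earlier in this note (tunnel.1, RADIUS, the IP pool, DNS suffix and access route). The sample output embedded in the script is constructed from the values on this page, and the EXPECTED table is assumed to be the pre-upgrade NetConnect configuration.

```python
import re

# Constructed sample: a subset of the "show global-protect-gateway gateway name"
# output for the migrated Corp-NetConnect gateway, using the values in this note.
GATEWAY_OUTPUT = """\
GlobalProtect Name  : Corp-NetConnect
Tunnel ID           : 2
tunnel-interface    : tunnel.1
inheritance-from    :
IP pool ranges      : 172.16.0.1 - 172.16.1.254;
DNS servers         : 4.2.2.2
                    : 0.0.0.0
DNS suffix          : mycompany.com
Access routes       : 192.168.0.0/16;
SSL Server Cert     : Netconnect
Auth Profile        : RADIUS
Client Cert Profile :
"""

# Assumed pre-upgrade NetConnect settings (from this note) the migration must keep.
EXPECTED = {
    "tunnel-interface": ["tunnel.1"],
    "Auth Profile": ["RADIUS"],
    "IP pool ranges": ["172.16.0.1 - 172.16.1.254"],
    "DNS suffix": ["mycompany.com"],
    "Access routes": ["192.168.0.0/16"],
}

def parse_gateway(text):
    """Map 'label : value' lines to {label: [values]}; an empty label continues the
    previous field (second DNS/WINS server), an empty value leaves the field []."""
    fields, last = {}, None
    for line in text.splitlines():
        m = re.match(r"^(.*?)\s*:\s*(.*)$", line)
        if not m:
            continue
        label, value = m.group(1).strip(), m.group(2).strip().rstrip(";")
        if label:
            last = label
            fields[last] = []
        if last is not None and value:
            fields[last].append(value)
    return fields

def check_migration(text, expected=EXPECTED):
    """Return names of expected fields whose migrated value differs from the
    NetConnect setting; an empty list means every checked setting survived."""
    fields = parse_gateway(text)
    return [k for k, v in expected.items() if fields.get(k) != v]
```

Paste the real CLI output into GATEWAY_OUTPUT and a non-empty result from check_migration names the settings to re-check in the Gateway configuration before users are cut over.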

Viewing the connected users


show global-protect-gateway current-user user

Or

From Network > GlobalProtect > Gateway, choose More users info.


Troubleshooting

This section lists some basic troubleshooting steps for both the firewall and the agent.
Firewall
Authentication failures
o Verify that users can authenticate by browsing to the IP address of the portal and authenticating to it.
o View the authentication logs on the firewall in real time using the following command: tail follow yes mplog authd.log
GlobalProtect-specific logs can be viewed in the firewall system logs by filtering on (subtype eq globalprotect).
Agent
If the agent fails to connect, you can view the debug logs on the agent. The advanced view on the agent must be enabled to
view the troubleshooting tab of the agent.
Set the log to PanGPService and the debug level to debug. You can see authentication-failed messages and connectivity-failure
messages as follows:

To collect the equivalent of tech support logs from the agent, select File > Collect Log and click Collect Logs.

