Step-by-Step Guide: Setting Up Global Protect on Palo Alto

Here’s a comprehensive guide to deploy Global Protect (Remote Access VPN) on your Palo Alto firewall.

Prerequisites (Already Configured)

  • IP addresses assigned to interfaces
  • Static route to ISP router (default gateway)
  • Inside interface (e.g., 1/1) with inside zone
  • Outside interface (e.g., 1/3) with outside zone
  • Logging enabled on default intra-zone policies

Step 1: Generate Certificate Authority (CA)

  1. Navigate to Device → Certificate Management → Certificates
  2. Click Generate
  3. Configure the certificate:
    • Certificate Name: global-protect-ca-cert
    • Common Name: global-protect-ca-cert
    • Enable Certificate Authority
  4. Click Generate

Step 2: Generate Portal and Gateway Certificate

  1. In Device → Certificate Management → Certificates
  2. Click Generate
  3. Configure the certificate:
    • Certificate Name: global-protect-portal-and-gateway
    • Common Name: Enter the external IP address of your firewall (e.g., 192.168.1.1); this must be the exact address clients will enter as the portal address, otherwise they will see a certificate name-mismatch warning
    • Signed By: Select the CA certificate you just created
  4. Click Generate

Step 3: Create SSL/TLS Service Profile

  1. Navigate to Device → Certificate Management → SSL/TLS Service Profile
  2. Click Add
  3. Configure:
    • Name: global-protect-ssl-tls-profile
    • Certificate: Select global-protect-portal-and-gateway
  4. Click OK

Step 4: Configure LDAP Server Profile (if using Active Directory)

  1. Go to Device → Server Profiles → LDAP
  2. Click Add
  3. Configure:
    • Profile Name: binary-avenue-ldap-profile
    • Server Name: binary-avenue
    • LDAP Server: Enter IP address (e.g., 192.168.43.3)
    • Port: 389 (default)
    • Type: Select Active Directory
    • Base DN: DC=binary-avenue,DC=com
    • Bind DN: Enter user (e.g., celestio.carval@binary-avenue.com)
    • Bind Password: Enter password
    • Disable Require SSL/TLS Secure Connection (note: with this disabled, the bind credentials and each user’s password travel to the domain controller in cleartext on port 389; keeping it enabled means using port 636 and a domain controller certificate the firewall trusts)
  4. Click OK

Step 5: Create Authentication Profile

  1. Go to Device → Authentication Profile
  2. Click Add
  3. Configure:
    • Name: binary-avenue-authentication-profile
    • Type: LDAP
    • Server Profile: Select the LDAP profile you created
    • In the Advanced tab, add all to the Allow List so that any user returned by the LDAP server may authenticate
  4. Click OK

Step 6: Create Tunnel Interface

  1. Navigate to Network → Interfaces → Tunnel
  2. Click Add
  3. Configure:
    • Interface Name: select a tunnel number (e.g., tunnel.1)
    • Virtual Router: Default
    • Security Zone: Select inside zone (where users will land)
  4. Click OK

Step 7: Enable User Identification on Inside Zone

  1. Go to Network → Zones
  2. Select your inside zone
  3. Enable User Identification
  4. Click OK

Step 8: Configure Global Protect Portal

  1. Navigate to Network → Global Protect → Portals
  2. Click Add
  3. Configure:
    • Portal Name: global-protect-portal
    • Interface: Select outside interface (e.g., 1/3)
    • IP Address Type: IPv4 Only
    • IP Address: Enter outside interface IP
    • SSL/TLS Service Profile: Select the profile you created
  4. Under Authentication:
    • Click Add for Client Authentication
    • Name: global-protect-client-authentication
    • Authentication Profile: Select the authentication profile you created
  5. Under Agent:
    • Add the CA certificate you created
    • Enable Install in Local Root Certificate Store so that clients trust the portal and gateway certificate signed by this CA
  6. Click Add to create an agent:
    • Name: global-protect-agent
    • Click Add under External
    • Name: global-protect-external-gateway
    • Address: Enter gateway IP (e.g., 192.168.1.1)
    • Source Region: Select Any
    • Disable HIP Data collection if you have no GlobalProtect subscription license (HIP checks require it)
  7. Click OK

Step 9: Configure Global Protect Gateway

  1. Navigate to Network → Global Protect → Gateways
  2. Click Add
  3. Configure:
    • Gateway Name: global-protect-gateway
    • Interface: Select outside interface (e.g., 1/3)
    • IP Address: Enter external IP address
    • SSL/TLS Service Profile: Select the profile you created
  4. Under Authentication:
    • Click Add for Client Authentication
    • Name: global-protect-client-authentication
    • Authentication Profile: Select your authentication profile
  5. Under Agent → Tunnel Mode:
    • Enable Tunnel Mode
    • Select the tunnel interface you created
    • Enable IPSec
  6. Under Agent → Client Settings:
    • Click Add
    • Name: global-protect-client-settings
    • IP Pools: Add IP range for clients (e.g., 10.0.0.1-10.0.0.99)
    • Important: Don’t use a subnet already on your firewall
  7. Click OK
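The pool rule in Step 9 (and the first troubleshooting tip below) is easy to get wrong by hand once a firewall has several interfaces and static routes. The following is an added example, not part of the guide or of PAN-OS, that checks a proposed client pool against a constructed list of existing subnets; the interface labels and the branch route are assumptions, and it also accepts pools written in CIDR form, which the guide does not show.

```python
"""Overlap check for a GlobalProtect client IP pool (added example, not from the
guide). The subnet list is constructed for illustration; replace it with the
subnets actually configured on your firewall's interfaces and static routes."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: subnets already present on the firewall. The first two
# reuse the guide's example addresses; the third is an assumed branch route.
EXISTING_SUBNETS: Dict[str, str] = {
    "ethernet1/1 (inside)": "192.168.43.1/24",
    "ethernet1/3 (outside)": "192.168.1.1/24",
    "static route (branch)": "10.10.0.0/16",
}


def pool_to_networks(pool: str) -> List[ipaddress.IPv4Network]:
    """Convert a pool as typed into the gateway's Client Settings, either a
    range ('10.0.0.1-10.0.0.99') or a CIDR ('10.0.0.0/24'), into the smallest
    set of CIDR blocks that covers it exactly."""
    if "-" in pool:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in pool.split("-", 1))
        if last < first:
            raise ValueError(f"pool end {last} precedes start {first}")
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.IPv4Network(pool, strict=False)]


def find_overlaps(pool: str, subnets: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (label, subnet) pairs for every existing subnet the pool touches."""
    pool_nets = pool_to_networks(pool)
    hits = []
    for label, cidr in subnets.items():
        # strict=False drops the host bits of an interface address such as 192.168.43.1/24
        net = ipaddress.IPv4Network(cidr, strict=False)
        if any(net.overlaps(block) for block in pool_nets):
            hits.append((label, str(net)))
    return hits


def pool_is_safe(pool: str, subnets: Dict[str, str] = EXISTING_SUBNETS) -> bool:
    """True when the pool shares no address with any configured subnet."""
    return not find_overlaps(pool, subnets)


if __name__ == "__main__":
    for candidate in ("10.0.0.1-10.0.0.99", "192.168.43.100-192.168.43.199", "10.10.5.0/24"):
        clashes = find_overlaps(candidate, EXISTING_SUBNETS)
        verdict = "OK" if not clashes else "OVERLAPS " + ", ".join(f"{l} {n}" for l, n in clashes)
        print(f"{candidate}: {verdict}")
```

Run it before committing: the guide's example pool 10.0.0.1-10.0.0.99 passes against the sample subnets, while a pool carved out of the inside network or the branch route is reported with the subnet it collides with.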

Step 10: Commit Configuration

  1. Click Commit at the top
  2. Wait for configuration to apply successfully

Step 11: Test the Connection

Access the Portal:

  1. On a remote client, open a web browser
  2. Navigate to: https://[firewall-external-ip]
  3. Accept the certificate warning
  4. Log in with AD credentials

Install Global Protect Client:

  1. Download the appropriate client from the portal (if available)
  2. Install the Global Protect client software

Connect via Global Protect Client:

  1. Open Global Protect application
  2. Enter portal address: [firewall-external-ip]
  3. Accept certificate (optionally install CA cert to trust store)
  4. Enter AD credentials
  5. Connect

Verify Connection:

  1. Check connection status in Global Protect client
  2. Verify assigned IP address
  3. Test connectivity to internal resources (e.g., ping internal server)

Troubleshooting Tips

  • Ensure the IP pool for clients doesn’t overlap with existing subnets
  • Check that logging is enabled to monitor traffic
  • Because the tunnel interface sits in the inside zone, the intrazone-default rule is what allows client traffic to internal resources; verify it has not been overridden by a more specific deny rule
  • Confirm LDAP connectivity if authentication fails
  • Check certificate validity dates
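The certificate warning in Step 11 and the validity-date tip above can both be checked from the admin's workstation instead of by eye. The following is an added example, not from the guide or from Palo Alto: an offline check over a certificate dict in the shape Python's ssl.getpeercert() returns, plus a live helper that connects to the portal and requires the chain to anchor at the CA from Step 1. The sample certificate is constructed, and the script assumes that CA has been exported as a PEM file; the file name and the script name are assumptions.

```python
"""Offline and live checks for the GlobalProtect portal/gateway certificate
(added example, not from the guide). Uses only the standard library. The
sample certificate dict below is constructed in the shape ssl.getpeercert()
returns; the live helper assumes the CA from Step 1 was exported as PEM."""
import socket
import ssl
import sys
import time
from typing import Dict, List


def epoch(cert_time: str) -> int:
    """Parse the 'Jun  1 00:00:00 2024 GMT' timestamps found in getpeercert()."""
    return ssl.cert_time_to_seconds(cert_time)


# Constructed sample mirroring the guide: CN is the firewall's external IP and
# the certificate was signed by global-protect-ca-cert.
SAMPLE_CERT: Dict = {
    "subject": ((("commonName", "192.168.1.1"),),),
    "issuer": ((("commonName", "global-protect-ca-cert"),),),
    "subjectAltName": (("IP Address", "192.168.1.1"),),
    "notBefore": "Jun  1 00:00:00 2024 GMT",
    "notAfter": "Jun  1 00:00:00 2025 GMT",
}


def cert_names(cert: Dict) -> List[str]:
    """Every name a client could match: SAN DNS/IP entries plus the subject CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind in ("DNS", "IP Address")]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return list(dict.fromkeys(names))  # de-duplicate, keep order


def cert_findings(cert: Dict, expected_addr: str, now: float, warn_days: int = 30) -> List[str]:
    """Return the problems a connecting client would hit, or [] when the
    certificate is valid now and carries the address users will type in."""
    findings = []
    not_before, not_after = epoch(cert["notBefore"]), epoch(cert["notAfter"])
    if now < not_before:
        findings.append("not yet valid: check the firewall clock")
    elif now > not_after:
        findings.append("expired: regenerate the portal/gateway certificate")
    elif not_after - now < warn_days * 86400:
        findings.append(f"expires within {warn_days} days")
    names = cert_names(cert)
    if expected_addr not in names:
        findings.append(f"{expected_addr} is not among the certificate names {names}")
    return findings


def fetch_portal_cert(addr: str, cafile: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Open a TLS session to the portal, requiring the chain to anchor at the
    exported CA. Name matching is left to cert_findings because the guide puts
    the IP in the CN, and a CN alone does not satisfy OpenSSL's IP-address check."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((addr, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=addr) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: gp_cert_check.py <portal-ip> <global-protect-ca-cert.pem>
        cert, addr = fetch_portal_cert(sys.argv[1], sys.argv[2]), sys.argv[1]
    else:                    # no arguments: run against the constructed sample
        cert, addr = SAMPLE_CERT, "192.168.1.1"
    problems = cert_findings(cert, addr, time.time())
    print("\n".join(problems) if problems else f"certificate for {addr} looks good")
```

Because the live helper loads only the exported CA as a trust anchor, a successful handshake also confirms that the portal is presenting the certificate from Step 2 rather than the firewall's default self-signed one, which is the usual reason the client keeps showing a warning after the CA has been installed.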
