Pre-Logon: GP connects before the user has entered credentials, to keep the system secured, and updates the user login information when they supply credentials.
User-Logon: Automatically connects when the user logs in.
On Demand: Users connect when they need to, and disconnect when completed.
Three types of app connection methods are supported:
Gateways that are set as ‘manual only’ are not considered when selecting the gateway with the fastest SSL response.
A checkbox is available to manually select a tunnel.
On the external gateway, the connection is made by the fastest response time and priority.
These gateways need to be manually defined.
The internal portal can be configured under the Internal tab.
For example, a config for field users, and another for office users.
Multiple configurations can be done for different groups.
If a gateway presents a certificate that is not issued by the listed CA, the login is rejected.
For certificate logins: A root CA must be specified under the Agent tab.
Authentication Message is an optional entry of up to 50 characters in length, to provide a message such as what kind of credentials to use.
If not using certificates, select ‘none’.
Certificate profiles are used if certificates are used for client validation.
Portal Configuration Authentication profile is used to authenticate users.
This is under Network > GlobalProtect > Portals > Add > Authentication.
Clientless VPNs need the portal page to be accessible.
This does not impact the GP client connections; they can still connect.
Access to the Portal Login page can also be disabled (via browser on 443).
Custom pages can be created and uploaded to the firewall under Device > Response Page.
A Portal must be configured on an L3 interface.
Configuration is done under Network > GlobalProtect > Portals > General.
Manages CA Certificates for client validation of gateways.
Maintains a list of internal and external gateways.
Ability to create and store custom client configurations.
GLOBALPROTECT INTERNAL GATEWAY SOFTWARE
GP Client software only needs to be updated and activated on the portal, not on the gateways.
New versions can be downloaded and activated from this page.
Review the currently installed and activated GlobalProtect client version.
This is done under Device > Authentication Profile.
An existing Server Authentication profile can be used.
Authentication servers are used to authenticate users.
GP users use the client certificate to identify the client.
The portal will include the public server certificate, and the client certificate and key.
A public CA certificate should be used for external users to provide the correct authority and security for the Portal.
Certificate Authority Certificate (Optional).
Can also enforce HIP checks for AV/OS Patching/etc.
Profiles on the gateway can allow only certain LDAP/AD group members.
GLOBALPROTECT INTERNAL GATEWAY CODE
Examples include: allowing Engineering access to the code and bug DBs, while blocking Finance and HR from that resource.
Internal Gateways are useful for enforcing group based policies, or access to restricted or confidential data.
If the IP is not resolvable, then the external gateway is used.
If the IP is able to be resolved to a hostname, then the internal gateway is used.
This should be a hostname that can only be resolved internally.
The portal may provide an IP and DNS to determine if the client is inside or outside the network.
Determining External or Internal Gateways.
If the portal is down, either restore it, or activate a portal at another location.
If Portal is down, no new clients can connect, and no new configuration changes can be sent out to existing users.
If Portal goes down, existing users can log into a cached gateway.
Only one Portal can be configured and active.
The chosen gateway is the one with the fastest response.
Multiple Gateways can be configured for performance and global deployments.
If Portal and Gateway share a single system, only one certificate is needed for the firewall.
In small deployments this can be on the same device.
At least one portal and one gateway are required.
When a Portal is contacted, it can provide an AWS Gateway as an option.
Infrastructure can be extended using AWS VM-series.
When the client is installed, the client will connect to the selected gateway.
If the client is not installed, it will ask to be downloaded and installed.
The client connects to the portal with the best SSL response time.
After auth, the portal sends the configuration and list of GP Gateways.
GP client connects to the portal for authentication.
Internal Gateways apply security policy for access to internal resources.
External gateways provide security enforcement and VPN Access.
Gateways – Provide Security Enforcement for traffic.
Portal – Provides management functions for GP; every client connecting to GP receives configuration information from the portal.