Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
How to configure GlobalProtect VPN using an external Root CA - Knowledge Base - Palo Alto Networks

How to configure GlobalProtect VPN using an external Root CA

121266
Created On 10/11/19 16:09 PM - Last Modified 03/24/20 15:52 PM


Symptom


This document describes the steps to configure GlobalProtect VPN using an External Root CA such as Windows Server 2012 w/ AD Certificate Services running on it.

If a third-party certificate authority is being used (such as GlobalSign, GoDaddy, DigiCert, Symantec, etc.), the same steps below can be followed to deploy GlobalProtect, but instead of each Windows Server step below (such as in step 2 and step 4), use the third-party certificate vendor for each of those steps instead.


Environment


  • Panorama
  • 10.50.1.50
  • Firewall
  • Management interface: 10.50.1.10
  • Untrust interface: 42.11.45.1/24
  • DMZ interface: 172.16.45.1/24
  • Web Server (behind DMZ): 172.16.45.50
  • Windows Server 2012
  • 172.16.45.50
  • Windows 7 PC
  • 192.168.45.10
 
  • Verify the Windows Server 2012 has Active Directory installed and running with groups and users created on it.
  • Configure/verify that DNS is fully working between the following IP Addresses and systems (forward and reverse) (i.e. make sure nslookup works):
  • Windows 7 PC
  • Windows Server 2012 
  • PAN Firewall
  • (i.e. Windows 7 PC must be able to nslookup the Outside interface IP address of the PAN firewall and resolve to the FQDN of the firewall in a browser)


Resolution


  1. Install Certificate Services on Windows Server 2012 (i.e. make Windows Server 2012 the Root CA)
  2. Export the Root CA Certificate from the Windows Server 2012 Root CA
  3. Install the Root CA Certificate on employee Windows/Mac PCs
  4. Import Root CA Certificate into firewall, generate CSR on firewall, get CSR signed by Windows Server 2012 Root CA, and then install that signed certificate on the firewall
  5. Configure GlobalProtect on the Firewall and configure Security Policy rule to allow VPN traffic from Outside to Inside/DMZ
  6. Download/Activate GlobalProtect client software images which the Firewall will serve to the employee Windows/Mac PCs 
  7. Download, install, and connect to the firewall using GlobalProtect VPN client software on employee Windows/Mac PCs
  8. Troubleshooting/Verification/Debugs

Install Certificate Services on Windows Server 2012 (i.e. make Windows Server 2012 the Root CA)
  1. Open Server Manager > click Add roles and Features
add roles and features
  1. Click Role-based and click Next
role based or feature based installation
  1. Select the Windows Server and click Next
add roles and features wizard select destination server
  1. Select Active Directory Certificate Services and click Next
add roles and features wizard server roles
  1. Click Next twice
add roles and features select features
  1. Select Certification Authority Web Enrollment and click Next twice
add roles and features select ad cs role services
  1. Click Next
add roles and features select web server role
  1. Check the Restart the destination server automatically if required checkbox and click Install
Wait for the loading bar to finish - Windows Server 2012 will not reboot.
Warning: this will cause the Windows Server 2012 to reboot (not yet, but it could later in a next step in this document)

 
add roles and features confirm installation selections
  1. Once the loading bar is done above, click Configure Active Directory Certificate Services on the destination server
add roles and features installation progress
  1. Click Next
ad cs configuration credentials
  1. Check Certification Authority and Certification Authority Web Enrollment and click Next twice
ad cs configuration role services
  1. Select Root CA and click Next
ad cs configuration ca type
  1. Select Create a new private key and click Next
ad cs configuration private key
  1. Select SHA256 as the hash algorithm which this Windows Server 2012 Root CA will use to sign certificates (most modern browsers will show warnings for anything below SHA256) - click Next
ad cs configuration private key cryptography
  1. Save this information to a notepad - click Next until the next step (Confirmation screen)
ad cs configuration private key ca name
  1. Click Configure
ad cs configuration confirmation
  1. Launch a web browser and go to http://172.16.45.50/certsrv - type in the Administrator credentials for Windows Server 2012
windows server sign in window
  1. Now the Windows Server 2012 is a Root CA. Now, it can sign CSRs submitted to it - Windows Server 2012 will take the CSR and give back a signed certificate in return (i.e. that certificate will be signed by Windows Server 2012 which is the Root CA)
microsoft ad directory certificate services welcome


Export the Root CA Certificate from the Windows Server 2012 Root CA
In this section, we will use Microsoft Windows Server 2012 as our Root CA for certificates. The Client PC's will trust this Root CA to connect securely to the firewall via the GlobalProtect VPN client software. This will make sure the end users can connect securely to the firewall over the internet and access internal resources from home. Their client PC will trust the connection in their browser and in the GlobalProtect VPN client software.
  1. Click Download a CA certificate, certificate chain, or CRL
microsoft ad directory certificate services welcome download a ca certificate certificate chain or crl highlighted
  1. Click Download CA Certificate
microsoft ad directory certificate services download a ca certificate
  1. Rename it to RootCACert
rename to rootcacert


Install the Root CA Certificate on employee Windows/Mac PCs
  1. Put the RootCACert file on the Windows 7 client PC and double-click to install the certificate:
rootcacert
Note: If deploying GlobalProtect VPN in a large enterprise or if deploying GlobalProtect to many employee PC's/users, the Root CA certificate can be pushed to the employee PCs using Windows Server 2012 Group Policy via this method instead of installing it on each PC individually like we do below:
 
certificate information install certificate
  1. Click Next
certificate import wizard welcome
  1. Select Place all certificates in the following store - click Browse and select the Trusted Root Certification Authorities folder - click Ok and Next and click Finish
certificate import wizard trusted root certification authorities
 
certificate import wizard import was successful
Note: If an Intermediate CA Certificate is also used/needed, the same process above can be performed to import it to the PC, but choose 'Intermediate Certification Authorities' folder instead


Import Root CA certificate on to firewall, generate CSR on firewall, get CSR signed by Windows Server Root CA, and then install that signed certificate on the firewall
  1. Go to http://172.16.45.50/certsrv and click Download a CA Certificate, certificate chain, or CRL
microsoft ad directory certificate services welcome download a ca certificate certificate chain or crl highlighted 2
  1. Select Base 64 > click Download CA Certificate
microsoft ad directory certificate services download a ca certificate base 64
  1. Rename it to RootCACertFW
rename it to rootcacertfw
  1. Go to Panorama or the Firewall and go to Device > Certificate Management > Certificates > click Import
  2. Type a Certificate Name for the Root CA Certificate
  3. Select the RootCACertFW certificate we just downloaded
  4. Select the File Format as Base64 Encoded Certificate (PEM)
  5. Click Ok
import certificate to panorama
 
panorama device certificated

Note: If you have an Intermediate Root CA Certificate, import it here now under the Root CA Certificate

  1. Go to Panorama or the Firewall and go to Device > Certificate Management > Certificates and click Generate
  2. Type the Certificate Name for the certificate as GPPortalGatewayCert (this field will be important later - remember the Certificate Name)
  3. Type the Common Name as the Outside IP Address of the firewall (or whatever DNS name that IP Address nslookup's to if on internet)
  4. Select the Signed By option as 'External Authority (CSR)'
  5. Click Add to add a SAN field (IP) to the certificate - this IP/SAN field must match the firewall's FQDN and must be resolvable by the employee PC's in order to connect to the firewall's portal and gateway via the GlobalProtect VPN client
  6. Click Generate
panorama generate certificate
 
Warning: Most modern browsers as well as the firewall itself require that the firewall's Global Protect Server certificate SAN field must match the FQDN of the firewall in order to connect successfully via VPN and for end users to navigate to the GlobalProtect Portal in their browser successfully. If the SAN field exists at all with at least one entry in the certificate/CSR, then the FQDN being used for portal/gateway for this firewall should always be present in that SAN list. The FQDN of the firewall can be found here:
 
panorama firewall fqdn
 
FQDN: fw1.panlab.com
panorama generate certificate and key pair confirmation
  1. Select the checkbox for the CSR and click Export Certificate - the certificate will download to the PC
panorama device certificate csr export
 
It will be named cert_GPPortalGatewayCert.csr
panorama csr name
  1. Launch a web browser and go to http://172.16.45.50/certsrv
  2. Click Request a Certificate
microsoft ad directory certificate services request a certificate
  1. Click Advanced Certificate Request
microsoft ad directory certificate services request a certificate advanced certificate request
  1. Open cert_GPPortalGatewayCert.csr using Notepad - copy and paste the contents into the field like below:
  2. Select Certificate Template Web Server
  3. Click Submit
microsoft ad directory cert services submit a cert request or renewal request
  1. Select Base 64 encoded
  2. Click Download Certificate
microsoft ad directory certificate services certificate issued and download certificate base 64

This will download the now-signed certificate in the browser - rename it to GPPortalGatewayCert
 
download certificate

Note: When importing this signed cert, it must have the exact same name as the CSR (Certificate Name field) we generated in the Firewall Web UI above i.e. it must be named GPPortalGatewayCert
  1. Open Panorama again and go to Device > Certificate Management > Certificates > checkbox the existing CSR and click Import 
  2. Type the Certificate Name
  3. Click Browse and select GPPortalGatewayCert.cer
  4. Select the File Format as Base64 Encoded Certificate (PEM)
  5. Click Ok
panorama import certificate

At this point, the firewall has a Root CA Certificate RootCACertFW, and the firewall has a Firewall Server Certificate GPPortalGatewayCert which is signed by that Root CA Certificate.
 
This Firewall Server Certificate is the certificate which will be presented to the Client PCs when they connect to the firewall via GlobalProtect. The Client PCs will trust this certificate because the client PC also trusts this Root CA due to the step we did earlier in this document where we installed the Root CA Certificate on the Windows 7 Client PC

panorama successful certificate import listed below the root cert


Configure GlobalProtect on the Firewall and configure Security Policy rule to allow the VPN traffic from Outside to Inside/DMZ
  1. Go to Device > Certificate Management > SSL/TLS Service Profile and create an SSL/TLS Service Profile referencing the signed Firewall Server Certificate GPPortalGatewayCert, which we got signed and imported in the above step:
configure certificate for globalprotect on the firewall
  1. Go to Device > Server Profiles > LDAP > click Add
  2. Type a Profile Name
  3. Under Server List > click Add and type the IP address of the Windows Active Directory (LDAP server) and port 389 for LDAP
  4. Click Ok
configure ldap server profile
  1. Navigate to Device > Authentication Profile > click Add 
  2. Type a Name
  3. Select Type LDAP
  4. Select Server Profile created above panlabDCldapserverprof
  5. Type Login Attribute as sAMAccountName
configure ldap authentication profile authentication tab
  1. Click Advanced tab > click Add and add 'all' or select certain groups if GlobalProtect VPN should restrict access to certain AD/LDAP groups only
configure ldap authentication profile advanced tab
  1. Create a tunnel interface to use for GlobalProtect VPN and give it a tunnel number
  2. Select the Virtual Router
  3. Select a Security Zone - it is recommended to create a separate Security Zone for VPN traffic as it gives more flexibility in creating Security Policy for the VPN traffic
  4. Click Ok
create a tunnel interface
(no IP address needed for this tunnel.2 interface)
  1. Go to Network > GlobalProtect > Portals > click AddGeneral tab
  2. Select which Interface and IP address which is to be the GlobalProtect Portal that the Client PC's will connect to
globalprotect portal configuration general tab
  1. From the Authentication tab
  2. Select the SSL/TLS Service Profile created above
  3. Click Add under Client Authentication
  4. Type a Name
  5. Select the Authentication Profile we made above
  6. Select Yes (User Credentials OR Client Certificate Required)
  7. Click Ok
globalprotect portal configuration authentication tab
 
globalprotect portal configuration authentication tab client authentication
  1. From the Agent tab
  2. Click Add under Agent
  3. Under Authentication tab type a Name
globalprotect portal configuration agent tab authentication
  1. Under External Gateways tab click Add
  2. Type a Name
  3. Enter the FQDN of the Firewall which was put in the certificate's SAN/Host Name field earlier in this document (in GPPortalGatewayCert)
globalprotect portal configuration agent tab external gateway
  1. Under the App tab select Connect Method drop-down and select On-demand (Manual user initiated connection)
globalprotect portal configuration agent tab app tab connection method
  1. Click Ok
  2. Click Add to add RootCACertFW (imported into the Firewall earlier in this document) to the list of Trusted Root CAs for the GlobalProtect Portal
globalprotect portal configuration agent tab add root ca to list of trusted root ca for the globalprotect portal

Note: If you have an Intermediate CA Certificate, add it here below the Root CA Certificate
  1. Click Ok
  2. From Configure GlobalProtect Gateway
  3. Type a Name
globalprotect portal configuration general tab 2
  1. Select an SSL/TLS Service Profile
  2. Under Client Authentication, click Add
globalprotect portal configuration authentication tab
  1. Type a Name
  2. Select the Authentication Profile created earlier in the step above
  3. Select Yes (User Credentials OR Client Certificate Required)
globalprotect portal configuration authentication tab client authentication
  1. Click Ok
  2. Select the Tunnel Interface created for this GlobalProtect configuration earlier in this document
  3. Select the checkbox 'Enable IPSec' - if GlobalProtect fails to connect to the Firewall over IPSec, it will fall back to SSL
globalprotect portal configuration authentication tab client authentication tunnel settings
  1. Under Client Settings tab click Add
59-globalprotect portal configuration authentication tab client authentication client settings
  1. Type a Name
globalprotect portal configuration authentication tab client authentication client settings config selection criteria
  1. Type a pool of IP addresses which will be the IP addresses the GlobalProtect Client PC's will receive as an IP Address on their GlobalProtect VPN adapter on their PC when they connect via the GlobalProtect VPN Agent
globalprotect portal configuration authentication tab client authentication client settings ip pools
Note: Make sure this pool of IP addresses does not overlap/is not already in use anywhere in the organization/company's existing network.
  1. Click Ok

Download/Activate GlobalProtect client software images which the Firewall will serve to the employee Windows/Mac PCs
  1. Go to Panorama/Firewall Web UI and go to Panorama tab > Device Deployment > click GlobalProtect Client
  2. Click Download and click Activate on whichever version of GlobalProtect software the end users will use. This will also be the version which the Firewall gives to the Client PC's if they go to the Portal page of the Firewall and download GlobalProtect for use.
panorama download globalprotect client software images
 
panorama activate globalprotect client software images
 
Example: When the end user clicks Download Windows 64 bit GlobalProtect agent, they will now be downloading the GlobalProtect 5.0.4 installer, which will install version 5.0.4 of GlobalProtect software on their Client PC:
 
globalprotect portal get software page

Once Activate is clicked, the end user can then go https://fw1.panlab.com in their browser and download the version of GlobalProtect which has been currently Activated, or if they already have GlobalProtect installed, and they try to connect via GlobalProtect VPN, the GlobalProtect software on their PC will prompt them to upgrade their version to the one the firewall is offering/has Activated.


Download, install, and connect to the firewall using GlobalProtect VPN client software on employee Windows/Mac PCs
  1. Have the end user go to https://fw1.panlab.com and login using their credentials
Note: Remember, the GlobalProtect software could be pushed out to each PC so that end users can skip this step and just open GlobalProtect on their laptop and Connect
 
globalprotect portal login page
  1. The end user will see a screen like this where they can choose which GlobalProtect software they would like to download and install:
globalprotect portal get software page 2
  1. Click Connect
globalprotect connect
  1. Have the end user type their credentials and click Sign In
globalprotect login
  1. The Client PC is now successfully connected into the corporate network via GlobalProtect VPN:
globalprotect connected confirmation
  1. The Client PC is connected via GlobalProtect VPN to the firewall over the internet, and the Client PC can reach a web server behind the DMZ interface/zone of the firewall successfully now that he is VPN'd:
globalprotect connected cli verification

Troubleshooting/Verification/Debugs
From the Client PC
  1. Make sure the end user's PC can reach the firewall's Outside interface by its FQDN - and that it resolves to the correct IP address
troubleshooting fqdn and resolves to the correct ip address
  1. Open GlobalProtect on the client PC > click the top-right three-bars icon in GlobalProtect > click Settings
troubleshooting globalprotect on client pc general tab
 
troubleshooting globalprotect on client pc connection tab
 
troubleshooting globalprotect on client pc host profile tab

From the GlobalProtect Agent
  1. Go to Settings > Troubleshooting tab > Collect Logs > unzip them and open > PanGPA.log
  2. Logs of the new GlobalProtect 5.0.4 software downloading and installing:
(T1216) 09/16/19 13:26:17:197 Debug( 642): PanClient sent successful with 3088 bytes
(T3192) 09/16/19 13:26:20:519 Debug(  93): Received data from Pan Service
(T3192) 09/16/19 13:26:20:519 Debug( 332): ### Download parameters ###: m_dwLatestDownlaod=1568658367, m_bDownloadStarted=0, bCheckTunnelOK=1, m_bOnDemandRead=0, bUsingCachedPortal=0, lastfaileddownload=0, m_nUpgradeMethod=2
(T3192) 09/16/19 13:26:20:519 Debug( 430): CPanClient::startUpgradeProcess, the download package is h
(T3192) 09/16/19 13:26:20:519 Debug(  25): create thread 0x1d0 with thread ID 2844
(T3192) 09/16/19 13:26:20:519 Info (1238): CSessionPage::URMMsiDownload - update dialog thread started
 
(T2844) 09/16/19 13:28:30:639 Info (1137): CPanDownloadProgress::OnInitDialog - downloadproc thread started
(T1480) 09/16/19 13:28:30:795 Info (1040): Download started.
(T1480) 09/16/19 13:28:30:826 Debug( 433): winhttp SetSecureProtocol, hSession=02f07aa0, bAllProtocol=0, gbFips=0
(T1480) 09/16/19 13:28:30:826 Debug( 433): winhttp SetSecureProtocol, hSession=02f08360, bAllProtocol=0, gbFips=0
(T1480) 09/16/19 13:28:39:484 Info ( 154): DownloadURLToFile: HTTP 200 OK
(T1480) 09/16/19 13:28:39:484 Debug( 369): Content-length: 32768000
(T3192) 09/16/19 13:28:40:311 Debug( 977): Receive inactive message.
(T3192) 09/16/19 13:28:42:433 Debug( 977): Receive inactive message.
(T1480) 09/16/19 13:28:42:464 Info (1087): Download completed. total time = 12 (sec).
(T1480) 09/16/19 13:28:42:464 Info (1089): Update started: from version 5.0.3-29 to version 5.0.4-16.

(T1216) 09/16/19 13:28:52:495 Debug( 563): Send command to Pan Service
(T1216) 09/16/19 13:28:52:495 Debug( 590): Command = <request><type>software-upgrade</type><command-line>C:\Users\jsmith\AppData\Local\Temp\_temp3120.msi</command-line></request>
(T1216) 09/16/19 13:28:52:495 Debug( 642): PanClient sent successful with 144 bytes

 
From the Firewall
  1. Go to Monitor > Logs > System Logs
troubleshooting globalprotect on firewall

admin@PA-VM2(active)> show global-protect-gateway gateway name panlab_Gateway
GlobalProtect Gateway: panlab_Gateway (1 users)
Tunnel Type          : remote user tunnel
Tunnel Name          : panlab_Gateway-N
        VSYS                       : vsys1 (id 1)
        Tunnel ID                  : 3
        Tunnel Interface           : tunnel.2
        Tunnel IPv6 Enabled        : no
        Encap Interface            : ethernet1/4
        vr-id                      : 0
        Inheritance From           :
        Local Address (IPv4)       : 42.11.45.1
        SSL Server Port            : 443
        IPSec Encap                : yes
        Tunnel Negotiation         : ssl
        HTTP Redirect              : no
        UDP Port                   : 4501
        Max Users                  : 0
        Exclude Video Traffic      : no
        Gateway-Level IP Pool Ranges:
        Gateway-Level IP Pool index:     0
        Gateway-Level IPv6 Pool Ranges:
        Gateway-Level IPv6 Pool index:     0
        config name                : panlab_GWClientSettings
        User Groups                :     any;
        OS                         :     any;
        IP Pool Ranges             :     192.168.1.50 - 192.168.1.250(192.168.1.51);
        IP Pool index              :     0
        IPv6 Pool Ranges           :
        IPv6 Pool index            :     0
        No Direct Access To Local Network:     no
        Retrieve Framed IP Address :     no
        Auth Server IP Pool Ranges :
        Auth Server IPv6 Pool Ranges:
        Access Routes              :     0.0.0.0/0
        Exclude Access Routes      :
        DNS Servers                :
        DNS Suffix                 :
        DNS Servers                :
        WINS Servers               :
        SSL Server Cert            : GPPortalGatewayCert
        Client Authentication      :    Auth Name                  : panlab_GwClientAuth
        Auth OS                    : Any
        Auth Profile               : panlabLDAP_authprof
        Allow User Credentials OR Client Cert: yes
        Client Cert Profile        :
        Lifetime                   : 2592000 seconds
        Idle Timeout               : 10800 seconds
        Disconnect On Idle         : 10800 seconds
        Disallow Automatic Restoration: no
        Source IP Check            : no
        Encryption                 : aes-128-cbc
        Authentication             : sha1
 
admin@PA-VM2(active)> show global-protect-gateway current-user gateway panlab_Gateway
admin@PA-VM2(active)> show global-protect-gateway current-user user jsmith

2019-09-15 11:15:49
GlobalProtect Gateway: panlab_Gateway (1 users)
Tunnel Name          : panlab_Gateway-N
        Domain-User Name           : \jsmith
        Computer                   : COMP-WIN7-2
        Primary Username           : jsmith
        Region for Config          : KR
        Source Region              : KR
        Client                     : Microsoft Windows 7 Enterprise Edition Service Pack 1, 64-bit
        VPN Type                   : Device Level VPN
        Mobile ID                  :
        Client OS                  : Windows
        Private IP                 : 192.168.1.50
        Private IPv6               : ::
        Public IP (connected)      : 42.11.45.10
        Public IPv6                : ::
        Client IP                  : 42.11.45.10
        ESP                        : exist
        SSL                        : none
        Login Time                 : Sep.15 11:07:18
        Logout/Expiration          : Oct.15 11:07:18
        TTL                        : 2591489
        Inactivity TTL             : 10302
        Request - Login            : 2019-09-15 11:07:18.254 (1568570838254), 42.11.45.10
        Request - GetConfig        : 2019-09-15 11:07:18.396 (1568570838396), 42.11.45.10
        Request - SSLVPNCONNECT    :  (0), ::
 
admin@PA-VM2(active)> less mp-log rasmgr.log
2019-09-15 11:07:18.208 -0700 req->portal address 0x7fffdc096250
2019-09-15 11:07:18.251 -0700 192.168.1.50 is framed ip? no
2019-09-15 11:07:18.251 -0700 retrieve-framed-ip-address(no);  is-preferred-ip-a-framed-ip(no); retrieve-framed-ip-address-v6(no);  is-preferred-ip-a-framed-ipv6(no);
2019-09-15 11:07:18.252 -0700 req->portal address 0x7fffd8064ca0
2019-09-15 11:07:18.254 -0700 new cookie:  ******
2019-09-15 11:07:18.254 -0700 rasmgr_sslvpn_client_register space panlab_Gateway-N domain  user jsmith computer COMP-WIN7-2 result 0
2019-09-15 11:07:18.396 -0700 client existing address 42.11.45.10/24; preferred ip 192.168.1.50; address-v6 2002::/16,1234:1234:2d0a::1234:1234/128; preferred ipv6 None; client exclude video support yes; gw license no
2019-09-15 11:07:18.397 -0700 Adding info in usr info to haremoteusr info for:jsmith
2019-09-15 11:07:18.397 -0700 Installing GW Tunnel, indicate to keymgr...exclude_video_traffic_enable=0 [0 0]
2019-09-15 11:07:31.066 -0700 Adding info in usr info to haremoteusr info for:jsmith
 
admin@PA-VM2(active)> less appweb-log sslvpn-access.log
42.11.45.1 - - [Sun Sep 15 11:07:18 2019 PDT] "POST /ssl-vpn/prelogin.esp?kerberos-support=yes&tmp=tmp&clientVer=4100&host-id=433474f9-7a92-4f6f-9990-43731e8697fe&clientos=Windows&os-version=Microsoft+Windows+7+Enterprise+Edition+Service+Pack+1%2c+64-bit&ipv6-support=yes HTTP/1.1" 200 968
42.11.45.1 - - [Sun Sep 15 11:07:18 2019 PDT] "POST /ssl-vpn/login.esp HTTP/1.1" 200 2840
42.11.45.1 - - [Sun Sep 15 11:07:18 2019 PDT] "POST /ssl-vpn/getconfig.esp HTTP/1.1" 200 1809
42.11.45.1 - - [Sun Sep 15 11:07:31 2019 PDT] "POST /ssl-vpn/hipreportcheck.esp HTTP/1.1" 200 561
127.0.0.1 - - [Sun Sep 15 11:08:06 2019 PDT] "GET /robots.txt HTTP/1.1" 200 250
 
admin@PA-VM2(active)> show global-protect-gateway flow
total GlobalProtect-Gateway tunnel shown:                     2
id    name                  local-i/f         local-ip                      tunnel-i/f
--    ----                  ---------         --------                      ----------
3     panlab_Gateway-N      ethernet1/4       42.11.45.1                    tunnel.2
 
admin@PA-VM2(active)> show global-protect-gateway flow name panlab_Gateway
2019-09-15 11:18:38
        id:                3
        type:              GlobalProtect-Gateway
        local ip:          42.11.45.1
        inner interface:   tunnel.2         outer interface:  ethernet1/4
        ssl cert:          GPPortalGatewayCert
        active users:      1
assigned-ip                              remote-ip                                MTU   encapsulation
----------------------------------------------------------------------------------------------------------------------
192.168.1.50                             42.11.45.10                              1420  IPSec SPI 4311646B (context 619)
 
admin@PA-VM2(active)> show global-protect-gateway flow tunnel-id 3
tunnel  panlab_Gateway-N
        id:                3
        type:              GlobalProtect-Gateway
        local ip:          42.11.45.1
        inner interface:   tunnel.2         outer interface:  ethernet1/4
        ssl cert:          GPPortalGatewayCert
        active users:      1
assigned-ip                              remote-ip                                MTU   encapsulation
----------------------------------------------------------------------------------------------------------------------
192.168.1.50                             42.11.45.10                              1420  IPSec SPI 4311646B (context 619)

 


Additional Information


To configure GlobalProtect VPN just using self-signed certificates on the firewall (instead of having an internal/external root CA issue the certificates), the document below can be followed: Basic GlobalProtect Configuration with User-logon
 


Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMyG&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language