Basic GlobalProtect Clientless VPN Portal with Web Application
67628
Created On 09/25/20 16:27 PM - Last Modified 07/23/24 12:42 PM
Objective
This article explains how to configure Clientless VPN on PAN-OS Firewall.
Pre-requisites:
Active GlobalProtect License
Configure an Interface for the Clientless VPN Portal
Authentication (Local)
Certificate Authentication for the GlobalProtect Portal
Official PAN configuration:
Clientless VPN
Environment
This example uses the following:
- PA-VM with PAN-OS 9.1.3
- Application Server - CentOS 7 x64
- Web Application - Nginx
- Local Authentication
Procedure
Configuration
- Step 1: Download and install the GlobalProtect Clientless VPN dynamic update
GUI: Device > Dynamic Updates > Check Now > GlobalProtect Clientless VPN >
Download and then activate after the download completes.
- Step 2: Configure the Clientless VPN application
Network > GlobalProtect > Clientless Apps > click Add
- Enter a Name for the entry (This will only be displayed in the firewall)
- Enter the Application Home URL
- In this example, http://10.73.105.181/ links to the default nginx directory /usr/share/nginx/html/
- Enter the Application Description (This will be displayed once you successfully log in to the Clientless VPN Portal)
- Step 3: Configure DNS Proxy
Network > DNS Proxy > click Add
- Enter a Name for the entry (This will only be displayed in the firewall)
- Enter a Primary DNS server
- Enter a Secondary DNS server
- Add the correct interface that the Clientless VPN Portal is assigned to
- Step 4: Configure GlobalProtect Portal for Clientless VPN access
Network > GlobalProtect > Portals > Add
- Configure Network Settings
- Select the correct interface from the Interface drop-down
- Select the correct IP Address from the IPv4 Address drop-down
- Configure Server Authentication and Client Authentication
- For Server Authentication select the correct SSL/TLS Service Profile configured from the Pre-requisites: Configure an Interface for the Clientless VPN Portal
- For Client Authentication select the correct Authentication Profile configured from the Pre-requisites: Local Authentication
- Configure GlobalProtect Portal Clientless VPN (General)
- Click the checkbox to enable Clientless VPN on the Portal
- Select the correct Hostname (FQDN/IP) that is configured for the Portal
- Select the correct Security Zone that was configured for the interface from the Pre-requisites: Configure an Interface for the Clientless VPN Portal
- Select the correct DNS Proxy profile that was configured in Step 3
- Configure Clientless VPN (Applications)
- Select Add on the Applications Tab to show the Applications to User Mapping window
- Enter a Name for the entry (This will only be displayed in the firewall)
- Click the checkbox for Any user to be allowed.
- For this example, we will not include Group-Mapping
- If you require specific User/User Group settings, please configure Group-Mapping
- Add the application(s) from Step 2 that will be available once you successfully log in to the Portal
- (Optional) Configure Clientless VPN (Crypto Settings)
- Change any crypto settings you want to comply with security standards
Additional Information
Verification/Troubleshooting:
Step 1: Access the Clientless VPN Portal and Authenticate. https://IP/ or https://fqdn
Step 2: Click the Application.
Step 3: Verify the application is viewed through the Clientless VPN Portal.
Step 4: Show connected users
- > show global-protect-portal current-user portal GP-Portal filter-user all-users
GlobalProtect Portal : GP-Portal
Vsys-Id : 1
User : user1
Session-id : 6b36Lv0fXV9IdpaxD2IoYVKNhU28Gcqt
Client-IP : 172.16.0.10
Session start time : Wed Sep 9 11:14:02 2020
Inactivity Timeout : 1800
Seconds before inactivity timeout : 1791
Login Lifetime : 10800
Seconds before login lifetime : 10790
Size of cookie cache : 0
Source Region : 172.16.0.0-172.31.255.255
Total number of user sessions: 1
Step 5: Verify the session
- > show session all filter destination 172.16.0.1
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
16853 ssl ACTIVE FLOW *ND 172.16.0.10[64867]/L3-Trust/6 (172.16.0.10[64867])
vsys1 172.16.0.1[443]/L3-Trust (172.16.0.1[20077])
16765 undecided ACTIVE FLOW *ND 172.16.0.10[64868]/L3-Trust/6 (172.16.0.10[64868])
vsys1 172.16.0.1[443]/L3-Trust (172.16.0.1[20077])
- > show session id 16853
Session 16853
 c2s flow:
 source: 172.16.0.10 [L3-Trust]
 dst: 172.16.0.1
 proto: 6
 sport: 64867 dport: 443
 state: ACTIVE type: FLOW
 src user: user1
 dst user: unknown
 s2c flow:
 source: 172.16.0.1 [L3-Trust]
 dst: 172.16.0.10
 proto: 6
 sport: 20077 dport: 64867
 state: ACTIVE type: FLOW
 src user: unknown
 dst user: user1
 start time : Wed Sep 9 11:33:47 2020
 timeout : 120 sec
 time to live : 99 sec
 total byte count(c2s) : 1787
 total byte count(s2c) : 0
 layer7 packet count(c2s) : 7
 layer7 packet count(s2c) : 0
 vsys : vsys1
 application : ssl
 rule : interzone
 service timeout override(index) : False
 session to be logged at end : True
 session in session ager : True
 session updated by HA peer : False
 session proxied : True
 address/port translation : destination
 nat-rule : (vsys1)
 layer7 processing : enabled
 URL filtering enabled : True
 URL category : any
 session via syn-cookies : False
 session terminated on host : True
 session traverses tunnel : False
 session terminate tunnel : False
 captive portal session : False
 ingress interface : ethernet1/2
 egress interface : ethernet1/2
 session QoS rule : N/A (class 4)
 end-reason : unknown
 Proxy Info:
 Proxy Flow Index: 222, Type: offload, Tag: 16853, Dir: cts Stopped
Make sure a security policy is in place to allow the traffic from the user to the Portal, and from the Portal to the application server
Make sure the portal is reachable
- Ping must be allowed on the interface to test connectivity via ping
- The portal must be accessed via 443: https://IP/ or https://fqdn
Make sure authentication is successful
- tail follow yes mp-log authd.log
debug: _get_auth_prof_detail(pan_auth_util.c:1089): non-admin user thru Global Protect "user1" ; auth profile "Local-Auth" ; vsys "vsys1"
debug: _get_authseq_profile(pan_auth_util.c:876): Auth profile/vsys (Local-Auth/vsys1) is NOT auth sequence
debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for Local-Auth-vsys1-mfa
debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1045): MFA is not configured for the auth profile. No mfa server ids for the user "" (prof/vsys: Local-Auth/vsys1)
debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1056): MFA configured, but bypassed for GP user ''. (prof/vsys: Local-Auth/vsys1)
debug: _authenticate_initial(pan_auth_state_engine.c:2562): Keep original username, i.e., whatever end-user typed, "user1" in request->username
debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:628): This is a single vsys platform, group check for allow list is performed on "vsys1"
debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1819): Authenticating user "user1" with <profile: "Local-Auth", vsys: "vsys1">
debug: pan_auth_response_process(pan_auth_state_engine.c:4301): auth status: auth success
debug: pan_auth_response_process(pan_auth_state_engine.c:4322): Authentication success: <profile: "Local-Auth", vsys: "vsys1", username "user1">
authenticated for user 'user1'. auth profile 'Local-Auth', vsys 'vsys1', From: 172.16.0.10.
debug: _log_auth_respone(pan_auth_server.c:268): Sent PAN_AUTH_SUCCESS auth response for user 'user1' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 6870881929005105157)
Client PCAP after clicking application
- The PC forms an SSL connection with the portal.
Firewall PCAP after clicking the application
- The firewall forms a TCP connection with the application server and requests the http page (port 80 not secured, as configured)
Server PCAP after clicking the application
- The application server sends the requested information to the portal, and then the http page is sent to the user device
- 10.73.108.13 is the IP of the public interface.