Basic GlobalProtect Clientless VPN Portal with Web Application

Created On 09/25/20 16:27 PM - Last Modified 11/10/20 01:14 AM


Objective


This article explains how to configure Clientless VPN on PAN-OS Firewall.

Pre-requisites:
  • Active GlobalProtect License
  • Configure an Interface for the Clientless VPN Portal
  • Authentication (Local)
  • Certificate Authentication for the GlobalProtect Portal

Official PAN configuration: Clientless VPN
 


Environment


In this example we will use the following:
  • PA-VM with PAN-OS 9.1.3
  • Application Server: CentOS 7 (64-bit)
  • Web Application: Nginx
  • Local Authentication


 


Procedure


Configuration

Step 1: Download and install the GlobalProtect Clientless VPN dynamic update
GUI: Device > Dynamic Updates > Check Now > GlobalProtect Clientless VPN > Download, then activate it after the download completes.

Step 2: Configure the Clientless VPN application
Network > GlobalProtect > Clientless Apps > click Add
  1. Enter a Name for the entry (this is only displayed in the firewall)
  2. Enter the Application Home URL
  3. In this example, http://10.73.105.181/ points to the default nginx document root /usr/share/nginx/html/
  4. Enter the Application Description (this is displayed once you successfully log in to the Clientless VPN Portal)

Step 3: Configure DNS Proxy
Network > DNS Proxy > click Add
  1. Enter a Name for the entry (this is only displayed in the firewall)
  2. Enter a Primary DNS server
  3. Enter a Secondary DNS server
  4. Add the interface that the Clientless VPN Portal is assigned to

Step 4: Configure GlobalProtect Portal for Clientless VPN access
Network > GlobalProtect > Portals > Add

Configure Network Settings
  • Select the correct interface from the Interface drop-down
  • Select the correct IP Address from the IPv4 Address drop-down

Configure GlobalProtect Portal Clientless VPN (General)
  • Click the checkbox to enable Clientless VPN on the Portal
  • Select the Hostname (FQDN/IP) that is configured for the Portal
  • Select the Security Zone that was configured for the interface in the pre-requisite "Configure an Interface for the Clientless VPN Portal"
  • Select the DNS Proxy profile that was configured in Step 3

Configure Clientless VPN (Applications)
  • Select Add on the Applications tab to open the Applications to User Mapping window
  • Enter a Name for the entry (this is only displayed in the firewall)
  • Click the checkbox for Any user to be allowed
    1. For this example, we do not include Group-Mapping
    2. If you require specific User/User Group settings, configure Group-Mapping
  • Add the application(s) from Step 2 that will be available once you successfully log in to the Portal

(Optional) Configure Clientless VPN (Crypto Settings)
  • Change any crypto settings you need to comply with your security standards


Additional Information


Verification/Troubleshooting:

Step 1: Access the Clientless VPN Portal (https://IP/ or https://fqdn) and authenticate.

Step 2: Click the application.

Step 3: Verify that the application is displayed through the Clientless VPN Portal.

Step 4: Show connected users
  1. > show global-protect-portal current-user portal GP-Portal filter-user all-users
GlobalProtect Portal              : GP-Portal
Vsys-Id                           : 1
User                              : user1
Session-id                        : 6b36Lv0fXV9IdpaxD2IoYVKNhU28Gcqt
Client-IP                         : 172.16.0.10
Session start time                : Wed Sep  9 11:14:02 2020
 
Inactivity Timeout                : 1800
Seconds before inactivity timeout : 1791
Login Lifetime                    : 10800
Seconds before login lifetime     : 10790
Size of cookie cache              : 0
Source Region                     : 172.16.0.0-172.31.255.255
 
 
Total number of user sessions: 1
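As an added example (not part of the article), a small Python helper that parses this CLI output, confirms the expected user is logged in, checks that the footer count matches the number of session blocks, and flags sessions about to hit their inactivity or login-lifetime limit. The sample text is constructed from the output above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of "show global-protect-portal current-user portal GP-Portal
# filter-user all-users" output, using the values shown in this article.
SAMPLE_OUTPUT = """\
GlobalProtect Portal              : GP-Portal
Vsys-Id                           : 1
User                              : user1
Session-id                        : 6b36Lv0fXV9IdpaxD2IoYVKNhU28Gcqt
Client-IP                         : 172.16.0.10
Session start time                : Wed Sep  9 11:14:02 2020

Inactivity Timeout                : 1800
Seconds before inactivity timeout : 1791
Login Lifetime                    : 10800
Seconds before login lifetime     : 10790
Size of cookie cache              : 0
Source Region                     : 172.16.0.0-172.31.255.255

Total number of user sessions: 1
"""
# "Key : value" rows; keys may contain spaces/hyphens, values may contain colons.
_ROW = re.compile(r"^(?P<key>[A-Za-z][A-Za-z0-9 -]*?)\s*:\s*(?P<val>.*)$")

def parse_portal_users(text: str) -> Tuple[List[Dict[str, str]], Optional[int]]:
    """Return one dict per user session plus the total reported in the footer."""
    sessions, total = [], None
    for raw in text.splitlines():
        m = _ROW.match(raw.strip())
        if not m:
            continue
        key, val = m["key"].strip(), m["val"].strip()
        if key == "Total number of user sessions":
            total = int(val)
        elif key == "GlobalProtect Portal":  # first row of each session block
            sessions.append({key: val})
        elif sessions:
            sessions[-1][key] = val
    return sessions, total

def check_sessions(text: str, expect_user: str, warn_secs: int = 300) -> Dict[str, object]:
    """Is expect_user logged in, does the footer count match, and which sessions
    hit their inactivity or login-lifetime limit within warn_secs?"""
    sessions, total = parse_portal_users(text)
    mine = [s for s in sessions if s.get("User") == expect_user]
    expiring = [s["Session-id"] for s in sessions
                if min(int(s["Seconds before inactivity timeout"]),
                       int(s["Seconds before login lifetime"])) <= warn_secs]
    return {"user_present": bool(mine), "count_matches": total == len(sessions),
            "client_ips": [s["Client-IP"] for s in mine], "expiring_soon": expiring}
```

Feed it the real output captured from the CLI to get the same checks against live sessions.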

Step 5: Verify the session
  1. > show session all filter destination 172.16.0.1
--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
16853        ssl            ACTIVE  FLOW *ND   172.16.0.10[64867]/L3-Trust/6  (172.16.0.10[64867])
vsys1                                          172.16.0.1[443]/L3-Trust  (172.16.0.1[20077])
16765        undecided      ACTIVE  FLOW *ND   172.16.0.10[64868]/L3-Trust/6  (172.16.0.10[64868])
vsys1                                          172.16.0.1[443]/L3-Trust  (172.16.0.1[20077])
  2. > show session id 16853
Session           16853
 
        c2s flow:
                source:      172.16.0.10 [L3-Trust]
                dst:         172.16.0.1
                proto:       6
                sport:       64867           dport:      443
                state:       ACTIVE          type:       FLOW
                src user:    user1
                dst user:    unknown
 
        s2c flow:
                source:      172.16.0.1 [L3-Trust]
                dst:         172.16.0.10
                proto:       6
                sport:       20077           dport:      64867
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    user1
 
        start time                           : Wed Sep  9 11:33:47 2020
        timeout                              : 120 sec
        time to live                         : 99 sec
        total byte count(c2s)                : 1787
        total byte count(s2c)                : 0
        layer7 packet count(c2s)             : 7
        layer7 packet count(s2c)             : 0
        vsys                                 : vsys1
        application                          : ssl 
        rule                                 : interzone
        service timeout override(index)      : False
        session to be logged at end          : True
        session in session ager              : True
        session updated by HA peer           : False
        session proxied                      : True
        address/port translation             : destination
        nat-rule                             : (vsys1)
        layer7 processing                    : enabled
        URL filtering enabled                : True
        URL category                         : any
        session via syn-cookies              : False
        session terminated on host           : True
        session traverses tunnel             : False
        session terminate tunnel             : False
        captive portal session               : False
        ingress interface                    : ethernet1/2
        egress interface                     : ethernet1/2
        session QoS rule                     : N/A (class 4)
        end-reason                           : unknown
        Proxy Info:                            
                Proxy Flow
                Index: 222, Type: offload, Tag: 16853, Dir: cts
                Stopped

Make sure a security policy is in place that allows traffic from the user to the Portal, and from the Portal to the application server.

Make sure the portal is reachable. To test connectivity with ping, ping must be allowed on the interface. The portal itself must be accessed over port 443: https://IP/ or https://fqdn

Make sure authentication is successful
  1. > tail follow yes mp-log authd.log
debug: _get_auth_prof_detail(pan_auth_util.c:1089): non-admin user thru Global Protect "user1" ; auth  profile "Local-Auth" ; vsys "vsys1"
debug: _get_authseq_profile(pan_auth_util.c:876): Auth profile/vsys (Local-Auth/vsys1) is NOT auth sequence
debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for Local-Auth-vsys1-mfa
debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1045): MFA is not configured for the auth profile. No mfa server ids for the user "" (prof/vsys: Local-Auth/vsys1)
debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1056): MFA configured, but bypassed for GP user ''. (prof/vsys: Local-Auth/vsys1)
debug: _authenticate_initial(pan_auth_state_engine.c:2562): Keep original username, i.e., whatever end-user typed, "user1" in request->username
debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:628): This is a single vsys platform, group check for allow list is performed on "vsys1"
debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1819): Authenticating user "user1" with <profile: "Local-Auth", vsys: "vsys1">
debug: pan_auth_response_process(pan_auth_state_engine.c:4301): auth status: auth success
debug: pan_auth_response_process(pan_auth_state_engine.c:4322): Authentication success: <profile: "Local-Auth", vsys: "vsys1", username "user1">
authenticated for user 'user1'.   auth profile 'Local-Auth', vsys 'vsys1', From: 172.16.0.10.
debug: _log_auth_respone(pan_auth_server.c:268): Sent PAN_AUTH_SUCCESS auth response for user 'user1' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 6870881929005105157)
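As an added example (not part of the article), a Python parser for these authd.log lines that reconstructs each authentication attempt (user, profile, vsys, source address, PAN_AUTH_* result) and counts failures per source address, which is the first thing to check when portal logins are failing. The sample log is constructed from the excerpt above plus an assumed failed attempt for a second user; the shape of those failure lines and the address 172.16.0.20 are assumptions, not taken from the page.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample of mp-log authd.log lines. The user1 lines follow this
# article's excerpt; the user2 failure (auth failed, the "failed authentication"
# line, PAN_AUTH_FAIL and 172.16.0.20) is an assumed shape, not copied from the page.
SAMPLE_AUTHD_LOG = """\
debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1819): Authenticating user "user1" with <profile: "Local-Auth", vsys: "vsys1">
debug: pan_auth_response_process(pan_auth_state_engine.c:4301): auth status: auth success
authenticated for user 'user1'.   auth profile 'Local-Auth', vsys 'vsys1', From: 172.16.0.10.
debug: _log_auth_respone(pan_auth_server.c:268): Sent PAN_AUTH_SUCCESS auth response for user 'user1' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 6870881929005105157)
debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1819): Authenticating user "user2" with <profile: "Local-Auth", vsys: "vsys1">
debug: pan_auth_response_process(pan_auth_state_engine.c:4301): auth status: auth failed
failed authentication for user 'user2'. Reason: Invalid username/password auth profile 'Local-Auth', vsys 'vsys1', From: 172.16.0.20.
debug: _log_auth_respone(pan_auth_server.c:268): Sent PAN_AUTH_FAIL auth response for user 'user2' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 6870881929005105158)
"""

# One attempt opens with "Authenticating user", may carry a "From:" line with the
# client address, and closes with the PAN_AUTH_* response returned to the portal.
RE_START = re.compile(r'Authenticating user "(?P<user>[^"]+)" with '
                      r'<profile: "(?P<profile>[^"]+)", vsys: "(?P<vsys>[^"]+)">')
RE_FROM = re.compile(r"(?:authenticated|failed authentication) for user "
                     r"'(?P<user>[^']+)'\..*From: (?P<ip>[\d.]+)\.")
RE_RESP = re.compile(r"Sent (?P<status>PAN_AUTH_\w+) auth response for user '(?P<user>[^']+)'")

def _new(user: str) -> Dict[str, Optional[str]]:
    return {"user": user, "profile": None, "vsys": None, "from": None, "status": None}

def parse_authd(text: str) -> List[Dict[str, Optional[str]]]:
    """One record per completed attempt, in log order (correlated by username,
    so two simultaneous attempts for the same user would be merged)."""
    events, pending = [], {}
    for line in text.splitlines():
        if m := RE_START.search(line):
            pending[m["user"]] = dict(_new(m["user"]), profile=m["profile"], vsys=m["vsys"])
        elif m := RE_FROM.search(line):
            pending.setdefault(m["user"], _new(m["user"]))["from"] = m["ip"]
        elif m := RE_RESP.search(line):
            ev = pending.pop(m["user"], _new(m["user"]))
            ev["status"] = m["status"]
            events.append(ev)
    return events

def failures_by_source(events: List[Dict[str, Optional[str]]]) -> Counter:
    """Count non-success responses per client address: repeated failures from one
    address against the portal are the first thing to look for in this log."""
    return Counter(e["from"] or "unknown" for e in events if e["status"] != "PAN_AUTH_SUCCESS")
```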

Client PCAP after clicking the application
  1. The PC forms an SSL connection with the portal.

Firewall PCAP after clicking the application
  1. The firewall forms a TCP connection with the application server and requests the http page over port 80 (cleartext, not secured, as configured in this example).

Server PCAP after clicking the application
  1. The application server sends the requested content to the portal, and the portal then sends the http page to the user device.
  2. 10.73.108.13 is the IP of the public interface.

