NetConnect GlobalProtect Migration

Revision A 2011, Palo Alto Networks, Inc.

NetConnect to GlobalProtect Migration Tech Note PAN-OS 4.1

2011, Palo Alto Networks, Inc. [2]

Contents Overview ............................................................................................................................................... 3

GlobalProtect Overview ........................................................................................................................ 3

LICENSING ........................................................................................................................................... 3 UPGRADE ............................................................................................................................................ 3

Understanding the Migrated Configuration ........................................................................................... 5

PORTAL CONFIGURATION .................................................................................................................... 6 GATEWAY CONFIGURATION DETAILS .................................................................................................... 9

Distributing GlobalProtect Agent ......................................................................................................... 10

POINTS TO CONSIDER WHEN USING OTP ........................................................................................... 11

Verification .......................................................................................................................................... 12

Troubleshooting .................................................................................................................................. 14


Overview NetConnect SSL-VPN provides remote users with an SSL-based connection to the corporate network. NetConnect users can be authenticated via local DB, RADIUS, LDAP, Active Directory and CAC card. NetConnect fully integrates with App-ID, User-ID and Content-ID, enabling full control and inspection of application activity, based on users and groups. NetConnect client support includes Windows 7, Vista, Windows XP and Mac OSX 10.5 and 10.6. With PAN-OS 4.1, NetConnect SSL-VPN is replaced with GlobalProtect for remote access solution. This document provides an understanding of the GlobalProtect configuration for users upgrading from NetConnect. It also covers the necessary migration steps and tips for customers using NetConnect remote access solution upgrading to PAN-OS 4.1

GlobalProtect Overview GlobalProtect extends the same next-generation firewall-based policies that are enforced within the physical perimeter to all users, no matter where they are located. In effect, GlobalProtect establishes a logical perimeter that extends policy beyond the physical perimeter. Employees working from home, on the road for business, or logging in from a coffee shop will be protected by the logical perimeter in the same manner that they would be if they were working from their office.

GlobalProtect includes three major components:

GlobalProtect Portal: A Palo Alto Networks firewall that provides centralized control over the GlobalProtect system. Portal maintains the list of all gateways, certificates used for authentication, and the list of categories for checking the end host.

GlobalProtect Gateway: One or more interfaces on one or more Palo Alto Networks firewall that provides security enforcement for traffic from the GlobalProtect Agent. The gateways can be internal i.e. in the LAN or external where they are deployed to be reachable via the public internet.

GlobalProtect Agent: Client software on the laptop that is configured to connect to the GlobalProtect deployment.

Note: A single firewall can function both as the portal and gateway. This is recommended path for users migrating from NetConnect to GlobalProtect as a replacement solution for NetConnect without any added functionality of GlobalProtect.

Licensing No additional license is required to run GlobalProtect for customers upgrading from NetConnect.

Upgrade When customers using NetConnect upgrade to PAN-OS version 4.1, NetConnect functionality will automatically be migrated to GlobalProtect. The end users will have to install the new GlobalProtect Agent. The NetConnect client cannot be used to connect to a GlobalProtect gateway. NetConnect specific configurations on the firewall will be automatically migrated to GlobalProtect configuration.


The figure below shows a sample topology with the firewall configured to use NetConnect and then configured to use GlobalProtect after the upgrade. The NetConnect tunnel end point IP address will now be used as the GlobalProtect portal and gateway IP address.

In this example, the firewall is configured with NetConnect SSL VPN with details shown below

tunnel.1 : Tunnel interface for VPN termination Authentication method: RADIUS DNS Server: 10.0.0.246 and 10.0.0.247 IP pool : 172.16.0.1- 172.16.1.254 DNS suffix: mycompany.com Access route: 192.168.0.0/16

The screen shots that follow shows the NetConnect configuration:


Note: Before upgrading to 4.1

1. Backup your current configuration 2. Navigate to Device> GlobalProtect Client, and download and activate the GlobalProtect

Client.

Understanding the Migrated Configuration After upgrading from PAN-OS 4.0 to PAN-OS 4.1, the NetConnect configuration will be migrated to the equivalent GlobalProtect configuration. Note: The SSL-VPN configuration option is not available in PAN-OS 4.1.


You will see the relevant migrated configuration under the GlobalProtect Portal and gateway section. The screen shots that follow show the GlobalProtect portal and gateway configuration after upgrading from PAN-OS 4.0 with NetConnect to PAN-OS 4.1.

GlobalProtect Portal

GlobalProtect Gateway

Portal Configuration In this section we will discuss the portal configuration as it relates to NetConnect.

Name: System created identifier for the portal Authentication Profile: The authentication method used for authenticating the remote users. This is migrated from the NetConnect configuration Server Certificate: Certificate used in the NetConnect Portal Address: This is the NetConnect gateway interface and IP address


General Configuration:

The configuration on the portal controls the behavior of the GlobalProtect agent on end hosts. The On demand option enables the end users to activate the GlobalProtect agent when they want to connect to the gateway. This is the default setting for NetConnect to GlobalProtect migration. Gateway tab


The external gateway is the IP address of the NetConnect Gateway. GlobalProtect agents establish tunnel to this address

Agent Tab

The Enabled Advanced View option allows the end users to select the advanced view section of the agent as follows:

Tip: It is recommended to disable Advanced View for agents to prevent users from changing settings User can save password: Allows the user to save password on the GlobalProtect agent. Client Upgrade: The end users will be prompted for upgrade when a new version of the client is available. This is the default option when upgrading from PAN OS 4.0 to 4.1. The other option is transparent, which automatically downloads the newer version of agent when available without prompting the user for upgrade


Gateway Configuration Details This section of the configuration is similar to the NetConnect configuration in PAN OS 4.0 with the exception of the HIP notification section. The parameter in the General section and Client Configuration is similar to the NetConnect configuration. The HIP notification allows firewall administrators to configure notifications that will be displayed when users connect to the GlobalProtect gateway.

End User Experience After upgrading the firewall to PAN OS version 4.1, when an end user connects with the NetConnect client, the user will be prompted for authentication by the GlobalProtect portal. The screen shot that follows shows the authentication screen:


Once authenticated, the user will be prompted to download the GlobalProtect agent msi file. The user will need information about the operating system before downloading the agent. If they choose the incorrect Windows or Mac version, the install will fail.

Note: Administrator privilege is required to install the GlobalProtect agent for the first time. Subsequent upgrades do not require administrator privilege

Distributing GlobalProtect Agent In Active Directory environments, GlobalProtect agent can also be distributed to end users using AD group policy. AD Group Policy allows administrators to automatically modify Windows client computer settings and install software. Refer to the article at http://support.microsoft.com/kb/816102 for more information on how to use Group Policy to automatically distribute applications to client computers or users. The GlobalProtect agent msi file can be downloaded using one of the two methods:

Browsing to the address of the portal https://


Connecting to the portal using the NetConnect client

Points to Consider When Using OTP The GlobalProtect agent will authenticate to the portal and the gateway before establishing the connection. This is different from NetConnect behavior where the clients authenticate once to the NetConnect gateway. When using OTP for authentication, the users will be prompted to enter the password twice, once each for portal and gateway in order to establish the tunnel. If you prefer that the end users input the password only once, but still use OTP as authentication method, you can configure the portal to use different authentication method such as RADIUS and have the gateway use OTP for authentication. On the GlobalProtect agent, configure the username and password used to authenticate against the portal. Upon the first connection, the agent will send this credential to authenticate against the portal, and will then prompt for a new password to connect to the gateway. The configuration snap shot of both the portal and gateway for such scenario follows:


The end user will be prompted for authenticating to the gateway after connecting to the portal as follows:

Verification

Viewing the active flow admin@LAB> show global-protect-gateway flow total tunnels configured: 1 filter - type GlobalProtect-Gateway, state any total GlobalProtect-Gateway tunnel shown: 1 id name local-i/f local-ip tunnel-i/f ----------------------------------------------------------------------------------------------- 2 Corp-NetConnect ethernet1/1 10.2.133.195 tunnel.1


admin@LAB> show global-protect-gateway flow tunnel-id 2 tunnel Corp-NetConnect id: 2 type: GlobalProtect-Gateway local ip: 10.2.133.195 inner interface: tunnel.1 outer interface: ethernet1/1 ssl cert: Netconnect active users: 1 assigned-ip remote-ip encapsulation ----------------------------------------------------------------------------------------------- 172.16.0.1 10.20.0.240 IPSec SPI 448772F2 (context 3)

Viewing the Gateway Configuration

admin@LAB> show global-protect-gateway gateway name Corp-NetConnect GlobalProtect Name : Corp-NetConnect Tunnel ID : 2 tunnel-interface : tunnel.1 encap-interface : ethernet1/1 inheritance-from : Local Address : 10.2.133.195 SSL server port : 443 IPSec encap : yes tunnel negotiation : ssl HTTP redirect : no UDP port : 4501 Max users : 0 IP pool ranges : 172.16.0.1 - 172.16.1.254; DNS servers : 4.2.2.2 : 0.0.0.0 WINS servers : 0.0.0.0 : 0.0.0.0 DNS suffix : mycompany.com Access routes : 192.168.0.0/16; VSYS : vsys1 (id 1) SSL Server Cert : Netconnect Auth Profile : RADIUS Client Cert Profile : Lifetime : 259200 seconds Idle timeout : 10800 seconds

Viewing the connected users show global-protect-gateway current-user user Or From Network>GlobalProtect>Gateway choose More users info


Troubleshooting This section lists some of the basic troubleshooting steps for both the firewall and the agent. Firewall

Authentication failures o Verify the users can authenticate by browsing to the IP address of the portal and authenticating to it. o View the authentication logs on the firewall in real time using the following command- tail follow yes mp-

log authd.log. GlobalProtect specific logs can be viewed on the firewall system logs by filtering on (subtype eq globalprotect)

Agent If the agent fails to connect, you can view the debug logs on the agent. The advanced view on the agent must be enabled to view the troubleshooting tab of the agent. Set the log to PanGPService and Debug level to debug. You can see authentication failed messages and connectivity failure messages as follows:

To collect the tech support equivalent logs from the agent, select File > Collect Log and click on collect logs.

Overview1.1.1.

GlobalProtect OverviewLicensingUpgrade

Understanding the Migrated ConfigurationPortal ConfigurationGateway Configuration DetailsEnd User Experience

Distributing GlobalProtect AgentPoints to Consider When Using OTP

VerificationViewing the active flowViewing the Gateway ConfigurationViewing the connected users

Troubleshooting

NetConnect GlobalProtect Migration

Documents

Transcript of NetConnect GlobalProtect Migration