Summary:

  1. PKI: generate a CSR > have the CA sign it > install both the signed cert and the (3rd-party / internal) root CA cert

  2. Authentication Profile: LDAP server profile > Authentication profile > enable User-ID (already done in my previous lab)

  3. Create a GlobalProtect (VPN) zone and a tunnel interface for the VPN

  4. Gateway / IP Pool and Portal Configuration 

  5. Client Software 

  6. Security Policy (the inbound rule for the portal/gateway, plus rules from the GP/VPN zone to the other zones)

    1. outside to outside: ssl, panos-global-protect, panos-web-interface

    2. VPN zone to the other zones

Details:

  1. PKI - generate a CSR > have the CA sign it > install both the signed cert and the (3rd-party / internal) root CA cert

  • Use Windows Server 2012 as the certificate authority (I used this link for reference)

  • Generate a CSR (certificate signing request) on the Palo and hand the CSR to your internal CA (win2012) to sign. The private key never leaves the firewall; only the CSR does.

  • Install the Windows Server 2012 root CA cert and the signed cert (the one you requested and received back) onto the Palo

- Common name: I just use the outside interface IP. (The GlobalProtect client checks that the portal/gateway address it connects to matches the certificate's CN or SAN, so whatever you put here must be exactly what clients will enter as the portal address.)

- Signed By: an external CA will sign this, so choose "External Authority (CSR)"

- Uncheck "Certificate Authority": that flag marks the certificate as a CA certificate, and this is an end-entity server certificate for the portal/gateway, not a CA

Note that the certificate now shows a pending state: the Palo holds the private key and the CSR but has no signed certificate yet.

  • Export the CSR and submit it to the CA (win 2012 in our case)

Open the CA's web enrollment page, http://10.1.1.111/certsrv, and choose the advanced certificate request option.

Copy and paste the PEM-encoded CSR we exported from the Palo into the request box (for AD CS, the Web Server template is the usual choice, since it carries the Server Authentication EKU):

Download the signed cert (Base64/PEM encoded); I renamed it to "TCF-Signed-Cert.cer"

Now we need to download the root CA cert of the Windows Server 2012 CA (TCF); I renamed it to "TCF-Root-CA-Cert.cer"

Now we need to install both the signed cert (TCF-Signed-Cert.cer) and the Windows Server 2012 root CA cert (TCF-Root-CA-Cert.cer) onto the Palo. If the CA that signed the CSR is an intermediate rather than the root, install every cert in the chain, or the client will not be able to build a trusted path.

Very important: when importing the signed certificate, use the SAME NAME as your original CSR, so the Palo matches it to the pending CSR and its private key!

If everything went well, the former CSR entry now shows "valid" and its issuer is the TCF root CA. Don't forget to commit at this point.

2. Authentication Profile: LDAP server profile > Authentication profile > enable User-ID (already done in my previous lab)

The only modification is to set the "Login Attribute" in the Authentication Profile (for Active Directory this is normally sAMAccountName), so users log in to GlobalProtect with their short AD username.

 

3. Create the GlobalProtect (VPN) zone and tunnel interface. Put the tunnel interface in its own zone rather than the inside zone, so VPN traffic has to pass explicit security policy.

 

 

4. Configure the Gateway, IP Pool and Portal

Portal: the portal hands the client its agent configuration, including the list of gateways, so if you have more than one gateway the client can connect to another one when the current gateway is down

 

  • For server authentication, create a new SSL/TLS Service Profile that uses the newly signed cert (and set the minimum TLS version to 1.2 while you are there)

 

  • For client authentication, use the existing authentication profile from step 2

 

  • Select the tunnel interface from step 3:

 

  • Define an IP Pool (the addresses handed out to connected clients):

 

Note that you also need to define the Access Routes, i.e. which internal subnets the client should send into the tunnel; anything not listed leaves the client's normal interface (split tunnel), so only the subnets you list are reachable through the VPN

 

  • Define a DNS server for GP clients if you have an internal one; I used my AD Windows Server 2012

 

  • Configure the Portal

 

5. Client Software

 

6. Security Policy

6.1 outside to outside: ssl, panos-global-protect, panos-web-interface. The portal and gateway listen on the outside interface, so client traffic from the Internet to the firewall's own outside IP is seen as outside-to-outside. Scope the destination to the portal/gateway IP rather than "any", and note that panos-web-interface is the admin web UI, so it should only be allowed here if the portal login page needs it.

 

6.2 allow the GP/VPN zone to the internal zones (source should be the IP pool from step 4, not "any")

 
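The zone, tunnel interface, TLS profile and the two security rules above, written out in the PAN-OS set-format CLI. This is an added example, not the original lab's configuration: the zone names (outside, inside, GP-VPN), the tunnel interface tunnel.1, the virtual router "default", vsys1, the outside IP 203.0.113.10 and the client pool 192.168.250.0/24 are assumptions; only the certificate name TCF-Signed-Cert and the three application IDs come from the notes. The gateway, IP pool and portal objects themselves are left to the GUI as the notes do. Check the exact syntax against your PAN-OS version before pasting.

```text
# --- Step 3: tunnel interface and its own zone (assumed names) ---
set network interface tunnel units tunnel.1 comment "GlobalProtect client tunnel"
set zone GP-VPN network layer3 tunnel.1
set network virtual-router default interface tunnel.1
set vsys vsys1 import network interface tunnel.1

# --- Step 4: SSL/TLS service profile for the portal and gateway ---
# Uses the CA-signed certificate from step 1 and refuses anything below TLS 1.2
set shared ssl-tls-service-profile GP-TLS-Profile certificate TCF-Signed-Cert
set shared ssl-tls-service-profile GP-TLS-Profile protocol-settings min-version tls1-2
set shared ssl-tls-service-profile GP-TLS-Profile protocol-settings max-version max

# --- Step 6.1: Internet clients reaching the portal/gateway on the outside interface ---
# Destination is the outside IP (assumed 203.0.113.10), not "any"
set rulebase security rules GP-Portal-Gateway-In from outside to outside source any destination 203.0.113.10 application [ ssl panos-global-protect panos-web-interface ] service application-default action allow log-end yes

# --- Step 6.2: connected VPN clients into the inside zone ---
# Source is restricted to the GP IP pool (assumed 192.168.250.0/24)
set rulebase security rules GP-VPN-to-Inside from GP-VPN to inside source 192.168.250.0/24 destination any application any service any action allow log-end yes

commit
```

The inside rule is deliberately "application any"; tighten it to the applications the VPN users actually need once the tunnel is proven to work, and keep logging on both rules so the tests below show up in the traffic log.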

  • Test 1:

 

  • Test 2: