Consistent Policy & Enforcement for All Users
GlobalProtect extends the same next-generation firewall-based policies that are enforced within the physical perimeter to all users, no matter where they are located. In effect, GlobalProtect establishes a logical perimeter that extends policy beyond the physical perimeter. Employees working from home, travelling on business, or logging in from a coffee shop are protected by the logical perimeter in the same way they would be if they were working from the office.
Standardized control of applications, users and content, irrespective of location
GlobalProtect delivers a significant benefit to organizations: a consistent firewall-based security policy for all users, irrespective of location. There is no longer any need to create and manage separate policies for the firewalls and for remote users, and the associated management effort disappears with them. Using GlobalProtect, roaming devices automatically discover the organization's nearest Palo Alto Networks gateway and, upon login, are protected as though they were working locally. The same application enablement, threat prevention and URL filtering policies that are applied to users within the corporate walls are applied to users when they log in remotely. The result is a streamlined security infrastructure that eliminates duplicate security components and yields a more consistent security policy.
Protects the network from out-of-date laptops and PCs
GlobalProtect expands the security policy matching criteria beyond applications, users and content to include the state of the host. Before access to a network resource is granted, host state policies can verify critical elements such as the OS patch level, or that up-to-date virus protection is installed and active on the client computer.
Single Sign-on streamlines login process
For Microsoft Windows users, single sign-on can be enabled to take full advantage of the Windows login process for a seamless user experience. Currently supported operating systems are Windows XP, Vista and Windows 7 (32- and 64-bit).
FAQs - Global Protect
- What is Palo Alto Networks GlobalProtect?
It is a software agent that extends the protection of the corporate perimeter to remote user laptops, applying the same policies and protections to remote users (URL filtering, threat inspection, visibility, etc.) that local users already receive. It does this with three components:
1) Existing corporate PAN firewall(s) acting as gateways.
2) A GlobalProtect portal for management, including host configuration characteristics. The portal handles authentication and, when needed, delivers new agent software to the client.
3) An agent that communicates with the portal, creates an encrypted session to the gateway(s) and builds a Host Information Profile (HIP) of the client device.
New: support for Apple iOS is now available.
- What are the benefits?
Consistent policy and central management for local and remote users alike, which simplifies policy enforcement without additional hardware or additional management systems.
- What platforms does it run on?
The portal management runs on the Palo Alto Networks firewall (with a High Availability option). The user software agents are supported on Microsoft Windows XP, Microsoft Windows Vista, Microsoft Windows 7 and Apple iOS.
- What do I need [to buy]?
PAN firewalls are used as the enforcement appliances. From a licensing perspective, a portal license must be purchased for the unit (or units, for redundancy) providing portal management. GlobalProtect licenses are required on every PAN unit that will act as a gateway (this does not have to be all deployed PANs, only those intended as remote access gateways). Support is purchased for software updates along with technical support.
GP (GlobalProtect) is included in a basic "lite" form that supports a single gateway and portal, without host endpoint enforcement. To enable multiple gateways and/or endpoint enforcement, optional license purchases and subscriptions are required.
- What about split tunneling?
Split tunneling is supported; split tunneling policies are defined via the portal management system. Note that traffic excluded from the tunnel never reaches the gateway and is therefore not inspected or logged by it.
- How does it compare to SSL VPN?
SSL VPN connectivity via the lite version of GP is already included on the PAN base systems to provide remote access for users. The GlobalProtect license option extends this by automatically selecting the closest gateway, keeping remote users connected to the gateways that enforce the policies so that they receive the same policies as local users, and verifying that hosts comply with configuration requirements.
GlobalProtect acts as a transparent SSL VPN regardless of how users connect to the Internet, ensuring those connections remain encrypted. GP uses IPSec by default for its performance benefits, but can fall back to SSL where networks disallow IPSec traffic.
- What kind of host characteristics can be checked via HIP (Host Information Profiles)?
- Operating system and patch level
- Host anti-malware version
- Host firewall version
- Disk encryption
- Data backup products
- Customized host conditions
NOTE: The checks above are enabled via HIP profiles on the portal and require the optional GlobalProtect license(s).
- Are all users placed in the same internal network/zone?
You control the security zone in which users are placed. Users can be placed in the same internal network (typically the Trust zone), or their tunnels can be terminated in a separate secure zone (e.g. RemoteUsers), with security policies tied to usernames and/or applications used to control and restrict access. Threat inspection features (spyware, malware, anti-virus, etc.) apply to this traffic as well.
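As an added illustration, not taken from the original page or from Palo Alto Networks' own documentation, here is the PAN-OS CLI "set" form of the RemoteUsers design described above: the gateway's tunnel interface is placed in its own zone, remote users are allowed only named applications by user group with the predefined threat profiles applied, and everything else from that zone is denied and logged. The zone name RemoteUsers, the interface tunnel.1, the user group remote-staff and the rule names are assumed placeholders, and the syntax should be confirmed against the CLI reference for the PAN-OS version deployed.

```text
configure
set zone RemoteUsers network layer3 tunnel.1
set rulebase security rules remote-users-web from RemoteUsers to Trust source any destination any source-user remote-staff application [ ssl web-browsing ] service application-default action allow profile-setting profiles virus default spyware default vulnerability default
set rulebase security rules remote-users-deny from RemoteUsers to Trust source any destination any source-user any application any service any action deny log-end yes
commit
```

Rules are evaluated top to bottom, so the allow rule must precede the catch-all deny. The deny rule with log-end yes records what remote users attempted that the policy does not permit, which is the visibility the separate zone is meant to provide. The source-user match depends on the gateway's user mapping being populated (see the show user ip-user-mapping commands in the troubleshooting FAQ below), so a session with no mapping falls through to the deny rule rather than being allowed.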
- How/Can I remove GlobalProtect from my computer/laptop?
It can be done, but you need to talk with your PAN administrator and have them check the Palo Alto Networks support site. We will not help IT users remove a corporate control from their desktops except through the official corporate administrators. GP is an excellent tool for enforcing corporate policies and, as such, should not be easy for unauthorized users to disable or remove.
If you would like us to work with the IT department, we are available for Professional Services via a billable engagement.
GlobalProtect Configuration FAQs
- How is GlobalProtect different than the previous SSL NetConnect client?
GlobalProtect enhancements over the previous NetConnect client:
Completely transparent to the user
* With Single Sign-On enabled, the GP client is completely transparent to the user
* Because of its unobtrusive nature, the GP client requires zero user education
* Always-on connection
Single Sign-On (optional)
* Uses Windows logon credentials to authenticate the GP client
* Support for smartcard authentication using MSCAPI (Microsoft Crypto API)
* Windows Vista and Windows 7 (leverages the Microsoft Credential Provider)
* Windows XP (leverages GINA chaining and the "secure attention sequence")
Controlled disabling
* Allows users to disable GP by entering a password
- From an overview perspective, what are the steps required to configure GlobalProtect?
- What are all the steps required to install and configure PAN-OS GP?
- What are the minimum steps required to install and configure PAN-OS GlobalProtect?
- How are iPhones done via PAN-OS GlobalProtect?
1) Configure a GlobalProtect portal and gateway as usual.
2) Edit the GlobalProtect gateway:
- Check "Enable IPSec Tunnel"
- Check "Enable 3rd party VPN support"
- Fill in the group name and group password
3) With this configuration the gateway accepts the group name and group password (a pre-shared key common to every client configured with it) to establish the IPSec connection, followed by XAuth authentication of the individual user. Because the group password is shared by all iOS clients, it identifies the device population rather than a person; the per-user XAuth credentials are what identify the user, so treat the group password as a secret and expect to rotate it if it is exposed.
4) Use the built-in VPN capability in iOS.
- What certificates are needed for GlobalProtect?
- What are common troubleshooting and debug commands for GlobalProtect?
show log system direction equal backward subtype equal globalprotect   (GlobalProtect entries in the system log, newest first)
show global-protect-gateway flow   (all active tunnels on the gateway)
show global-protect-gateway flow tunnel-id <id>   (details of one tunnel)
show global-protect-gateway current-user   (users currently connected to the gateway)
show global-protect-gateway gateway name <gateway-name>   (status of a named gateway)
show user ip-user-mapping all   (all IP-to-user mappings)
show user ip-user-mapping type GP   (only mappings learned from GlobalProtect)
show user ip-user-mapping ip <ip-address>   (mapping for one address)
debug device-server dump hip-profile-database   (HIP profiles as loaded by the device server)
debug device-server dump hip-report computer <computer-name>   (last HIP report received from the named host)
tail follow yes mp-log devsrv.log   (follow the device server log)
tail follow yes mp-log authd.log   (follow the authentication daemon log)
- What GlobalProtect debug commands are available for the GlobalProtect agent?
- What additional resources and documents are available for assistance in configuring GlobalProtect?