FREE Palo Alto Cheat Sheet in different formats and further FREE resources: netsums.com/resources
@netsums
9 months ago
In this tutorial you're going to learn how to configure a remote access VPN on the Palo Alto firewall. Palo Alto has its own VPN client (or app), called GlobalProtect.
@douglaspayne5029
5 months ago
You did an excellent job explaining this topic. Thank you!
@netsums
5 months ago
Thank you also for the nice comment! I'm glad you liked the video. 😊
@jucelinodosreis
6 days ago
Congratulations!
@ErickVivas-s9v
A month ago
You did an excellent job here! Thank you very much, mate!
@netsums
A month ago
Thank you for your reply, I'm glad you liked it!
@mdmasumali2258
9 months ago
Excellent! This video will help a lot of students. Thank you!!!!!
@netsums
9 months ago
Glad it was helpful! Thank you for the comment.
@mohammedqureshi995
A year ago
Thanks for your valuable session; I appreciate your efforts to spread knowledge to real knowledge seekers. Sir, could you create a new video on Palo Alto integrating with Windows RADIUS and Google Authenticator OTP? God bless you.
@netsums
A year ago
Hi Mohammed, thank you for the nice words. My next video will be about Palo Alto and OTP, but integrating with a Linux RADIUS server instead of Windows. I hope it will still be useful for you. :)
@gabintalla1096
6 months ago
Complete video... good work. Thank you...
@netsums
6 months ago
Thank you for the comment, I'm glad you liked it. :-)
@planet-itracunalniskiinzen6074
8 months ago
Great article!
@netsums
8 months ago
Thank you, I'm glad you liked it.
@SaSemairesearch
10 days ago
Perfect!!
@mainetworking
A year ago
Overall it's good, but too fast on the configuration part. Please slow down a little bit so that one can focus on how it is done.
@netsums
A year ago
Thank you for the feedback. I think I didn't speed up as much in the newest videos, but I will pay more attention. :)
@MarcusSoares22
A year ago
Hi bro, thanks and congratulations! I very much appreciate your tutorial in this video; you've won a subscriber! Go ahead and publish more videos. Congratulations again.
@netsums
A year ago
Thank you for your very nice comment! I'm glad you like the videos. :)
@mirabbasquraishi5020
10 months ago
Very nice explanation.
@netsums
10 months ago
Thank you for the comment, I'm glad you liked the video.
@sridharbvnl2101
11 months ago
Very good video.
@netsums
11 months ago
I'm glad you liked the video. :)
@sean-jp1xu
A year ago
Great video. Can you do a video on the basic initial setup of a Palo: internet, DHCP, LAN, etc.?
@netsums
A year ago
Thank you for the reply, I will keep it in mind for the next videos. :)
@shakarchy
A year ago
Thank you for the great video; it helped me to set up a quick remote VPN. One thing I need to know: if you can explain the GP external gateway priority by source location, that would be great.
@netsums
A year ago
Hi. Thank you for the comment, I'm glad you liked the video. :) I will keep your suggestions in mind for the next videos.
@baller15g
A year ago
Cool video, thanks.
@netsums
A year ago
Thank you for your comment, I'm glad you liked the video. :)
@brahimhamdi
2 months ago
Hello, I need to create two pools with different subnets. Is it possible? How do I do it? On the ASA it's possible.
@brandone7273
A year ago
Awesome video, thank you so much!
@netsums
A year ago
You're welcome, I'm glad you liked it! Thank you also for the comment. :)
@rashpal81
3 months ago
Brilliant video. Thanks.
@netsums
3 months ago
Thank you also, I'm glad you liked it!
@TsH18
3 months ago
Great tutorial! Thanks!
@netsums
3 months ago
Hi. Thank you, I'm glad you liked it!
@mohamedabdi2245
9 months ago
Good stuff :)
@netsums
9 months ago
Thank you for the nice comment. :)
@MM_twins23
A year ago
I don't understand where/how you configure the Google authentication. Can you make a quick video for that as well?
@netsums
A year ago
Hi. Google Authenticator has to be configured on your authentication server, in the case of this tutorial on the RADIUS server. I will see if I can make a video about it. Thanks for the feedback. :)
@abdimohamed1554
5 months ago
Hey, this is an amazing step-by-step video. Do you have a document that we can follow?
@netsums
5 months ago
Hi. You could start with this one: knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFbCAK But just search Google and you will find some documentation directly from Palo Alto.
@antonioremualdo3317
A year ago
Hello, great video. At 27:29 you start to show how to configure the client side. I have a VM in Azure; that VM has Windows 10 Multi-session, where several users connect at the same time. I installed GlobalProtect so they can connect, but only the first user who logs in to the machine can connect using GlobalProtect; the next ones can't connect, and the first user loses the connection. What would be the best way to resolve this? Remove GlobalProtect from the machine and configure a gateway or a VPN tunnel, is that a possible solution? Thanks for your time.
@netsums
A year ago
Hi, thank you for the comment. I don't have experience with Windows 10 multi-session, but I think the first thing I would do is to configure GlobalProtect to be always-on. I am not sure if it works with the multi-session OS and if the VPN tunnel would be available to all users. If you need to identify the users on the firewall, you could install a TS-Agent on the Windows 10 machine. I saw somewhere that they should support W10 multi-session. I hope I could help. :-)
@alfiananto5963
A year ago
Hi, sorry, I'm confused about implementing it, specifically which IP address to use on the GP gateway and GP portal. Does it use a public IP, or the IP behind the NAT (referring to your figure)?
@netsums
A year ago
You can choose whether you want to use NAT or not; it depends on your network. I only used NAT because I didn't have any other option in my lab. But many companies have a public IP address attached to the outside interface of their firewalls. The important thing is that the outside interface is reachable through the Internet. I used a DNS name, but you can use an IP address as well. Just be sure your certificate is set up and issued accordingly.
@user-bz7jo9qc9i
8 months ago
A+
@markaiello8862
3 months ago
Hello, thank you for this info. It was a great help. I come from the Cisco ASA firewalls, and we just moved to the PA-1410s. Very different! I do have one question regarding VPNs. With the ASAs I was able to set up groups for all of our vendors, assign them IPs and have them access only the networks they needed. We use RADIUS for all connections. I have the VPN set up like in your video and it's working, but I'm having an issue setting up vendors. I don't know what's the best route to go. Can you point me in the right direction? A GP portal for each vendor? A GP gateway for each? We do not have any extra licenses for GP, just the basic GP license. Thank you in advance, Mark
@netsums
3 months ago
Hi. Thank you for the comment! I would suggest you use only one portal and one gateway for the vendors, if the authentication should be the same (LDAP, SAML, etc.). And in each gateway configuration you have one agent configuration for each vendor, using the user group field (Active Directory groups) to match each vendor to its configuration.
@netsums
3 months ago
There, I knew I had a video regarding this topic: kzitem.info/news/bejne/y2uCyoqNfJiphYI
@markaiello8862
3 months ago
@netsums Thank you for replying. I will work on it and let you know the outcome. Thank you for taking the time to answer me. Much appreciated!
@markaiello8862
3 months ago
@netsums Another question :-} We used RADIUS for AnyConnect for vendor clients and some employees. We have about 100 employees using NetMotion (an automatic VPN connection using LDAP). We want to get rid of NetMotion and use GP for automatically logging the computer and the user into the network. I watched one of your videos using pre-logon for the PC, for updates and such. What would you recommend going forward, RADIUS or LDAP? Also, I sent you a message on your website. Mark Aiello
@billosias6294
5 months ago
I have a question. I use GlobalProtect for my remote work, which is provided by our company; can I use this while I'm traveling internationally?
@netsums
5 months ago
Hi. If your company doesn't explicitly block connections from abroad, you should be able to use it internationally, yes.
@gtaadayinthelife4592
5 months ago
Great video, but did the DNS get covered? I might have missed it in the gateway and portal config, but I couldn't find it.
@netsums
5 months ago
Thank you for the comment. No, I didn't really cover DNS, since I consider the configuration rather straightforward. I configured an A record pointing to my NAT router. What specific questions do you have?
@zerodoc304
5 months ago
Thank you for this video, it is so helpful! Is it possible to do a similar configuration but without the RADIUS server?
@netsums
5 months ago
Thank you, I'm glad it could help you. You can do a similar configuration using SAML, for example, or LDAP, or a local user. We have a video for Azure/SAML, one with MS Active Directory/LDAP, and another one with Okta/SAML. Just search the channel. We don't have one for local authentication, though.
@KamalAhmed-tp1zc
4 months ago
Amazing
@hariprasad-uw2yn
7 months ago
Brother, you are great. Can you release a video on GlobalProtect with 2FA using TOTP with Microsoft Authenticator?
@netsums
7 months ago
Hi, thank you for the nice comment. :) Do you mean this one here, for example? kzitem.info/news/bejne/zKR7z2aKfJahZqg In the video I don't show how to configure MFA, but it can be done easily in Azure.
@paulbranfield7550
10 months ago
Great video, I have a question though. I have IPsec tunnels set up to some cloud services (AWS and OCI, for example). When a user connects to the corp network using GlobalProtect they can access the AWS servers as if they are in the office. However, the OCI servers are only accessible when physically in the office; through GlobalProtect they do not work. Any ideas what I am missing?
@ed_59
10 months ago
Access route, if you're using split tunnel? Is the VPN traffic even hitting the firewall?
@seanbyrne960
4 months ago
Thank you for this video. If there are multiple entries under the GlobalProtect portal, how are the profiles selected? First in queue, or other?
@netsums
4 months ago
Thank you for the comment. Each portal you create has to have a different IP/interface associated with it. But if you mean the agent configurations in the portal configuration, the firewall matches the configurations from top to bottom. I hope I could answer your question. :)
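Added example, not code from the video or from Palo Alto Networks: a Python model of the first-match rule that two replies in this thread rely on, the one recommending one portal with an agent configuration per vendor matched by Active Directory group, and the one above stating that the portal matches its agent configurations from top to bottom. The config, group and user names are invented for the example; the OS criterion is included because the real agent configuration also matches on it, but treat that part as an assumption of this model.

```python
"""First-match model of GlobalProtect portal agent configurations.

Added example, not the video's configuration or Palo Alto code. It models
only the rule stated in the thread: the portal walks its agent configs in
order and applies the first one whose user/user-group (and, assumed here,
OS) criteria match. All names below are made up.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AgentConfig:
    name: str
    match_groups: Optional[set] = None   # None -> matches any user/group
    match_os: Optional[set] = None       # None -> matches any OS
    access_routes: list = field(default_factory=list)


@dataclass
class User:
    name: str
    groups: set
    os: str


def select_agent_config(configs, user):
    """Return the first AgentConfig whose criteria match `user`, else None."""
    for cfg in configs:
        # group criterion: user name or any of the user's groups must be listed
        if cfg.match_groups is not None and not (
            cfg.match_groups & (user.groups | {user.name})
        ):
            continue
        if cfg.match_os is not None and user.os not in cfg.match_os:
            continue
        return cfg
    return None


def shadowed_configs(configs):
    """Names of configs that can never be selected because a catch-all
    entry (no user/group and no OS criterion) sits above them."""
    shadowed, seen_catch_all = [], False
    for cfg in configs:
        if seen_catch_all:
            shadowed.append(cfg.name)
        elif cfg.match_groups is None and cfg.match_os is None:
            seen_catch_all = True
    return shadowed


# Hypothetical portal: one entry per vendor group, then employees, then a
# catch-all at the bottom, which is the order the reply above implies.
CONFIGS = [
    AgentConfig("vendor-acme", {"GP-Vendor-Acme"}, None, ["10.50.1.0/24"]),
    AgentConfig("vendor-globex", {"GP-Vendor-Globex"}, None, ["10.50.2.0/24"]),
    AgentConfig("employees", {"Domain Users"}, None, ["10.0.0.0/8"]),
    AgentConfig("catch-all", None, None, []),
]

if __name__ == "__main__":
    bob = User("bob", {"GP-Vendor-Acme", "Domain Users"}, "Windows")
    print(select_agent_config(CONFIGS, bob).name)          # vendor-acme
    print(shadowed_configs([CONFIGS[3]] + CONFIGS[:3]))    # everything below the catch-all
```

Order is the whole point: a user who is in both GP-Vendor-Acme and Domain Users gets the vendor configuration only because that entry is listed first, and a catch-all entry placed at the top would silently hand every vendor the catch-all settings, which is what `shadowed_configs` flags.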
@seanbyrne960
4 months ago
@netsums Thank you.
@seanbyrne960
4 months ago
@netsums Hello, is there a paid subscription service I can join for tech support/design discussion?
@netsums
4 months ago
We don't offer any service like that. You could join the subreddit r/paloaltonetworks; you can find lots of information there, and it's free. reddit.com
@seanbyrne960
3 months ago
@netsums Hello, I am trying to create a new portal with a new IP address, but the software will not allow me to add the IP address. There are other addresses listed in the drop-down that I can select, but not the new one that has been ordered. What has to happen before the new IP address is recognised? I tried configuring the address on a tunnel.199 but this did not solve the problem.
@user-qu3hc9kt6i
9 months ago
Hello, could you please make a video on setting up and testing Google authentication with two factors? Please wait a moment.
@netsums
9 months ago
I will keep this in mind, thank you for your suggestion.
@richardmallare4504
9 months ago
Can this be done even if the PA-VM is without a license (expired trial version)? I want to test it in a virtual lab environment. Thank you.
@netsums
9 months ago
I'm not sure, but I think it would work. Maybe you won't be able to download the client to the firewall, though, but it shouldn't be a big deal if your test client already has GlobalProtect installed.
@SMARGRID
A year ago
Urgent!! When we connect to the GlobalProtect VPN, by default it selects the local user (logged-in user) in General -> Account -> User; it's not prompting for user ID and password. How can we fix this? Does the admin need to configure this on their server? Please suggest.
@netsums
A year ago
Sorry for the late reply. Can it be that you've chosen to save a cookie on the client's computer? In this case, after the first login GlobalProtect won't ask for the credentials anymore until the cookie expires.
@SMARGRID
A year ago
@netsums Fixed; the issue was due to another VPN being installed. Thank you.
@user-bw1mr6iv3n
2 months ago
Thank you for the great explanation. However, I'm encountering an issue. While all the settings appear to be correct and functional, I've noticed that when I attempt to work from home using my laptop, I'm not prompted to enter the MFA code. It's possible that I may have done so once, perhaps around 6 months ago. As a result, I can access my company's IP address without the need for MFA. Occasionally, I do receive a prompt asking for the MFA code, but if I cancel it, I'm still able to continue working without any interruption. Could you please advise on how I can adjust the settings to ensure that users are always required to enter the MFA code? Otherwise, users should not be able to access the trusted IP range.
@netsums
2 months ago
What kind of authentication are you using? LDAP, RADIUS, SAML...?
@user-bw1mr6iv3n
2 months ago
@netsums SAML
@user-bw1mr6iv3n
2 months ago
Update, please?
@LorDarkGoose
10 months ago
Thanks for the informative video. What if I don't want to use RADIUS?
@netsums
10 months ago
You can use something else, such as LDAP or SAML. Just change the authentication profile on the portal and gateway. I hope I understood your question right. :)
@LorDarkGoose
10 months ago
@netsums Thanks!
@melapi
A year ago
Thanks for the great video. How do we restrict the VPN to domain-joined devices? What are the certs that we need to import to the firewall?
@netsums
A year ago
Hi, sorry for the late reply. If your clients have certificates issued from your internal Microsoft domain controller, you can import the domain root certificate to the firewall. After importing it, you can add it to the field CA Certificates under Device -> Certificate Management -> Certificate Profile. Whenever you link this certificate profile to your portal or gateway, the firewall will verify whether the certificate presented by the client has been signed by the CA added to the certificate profile. I hope I could help.
@pitansimisinuola7448
A year ago
Hi, you will not need the rule you created allowing the GP client to communicate with the portal. By default, untrust to untrust is allowed by the intrazone rule; that is how the client is able to connect to the portal. Also, you can log your rules; all you need to do is click on the green gear, which allows you to override the existing implicit rules.
@netsums
A year ago
Thank you for your feedback. If I have a deny-any rule, I would need the rule to allow the GP client to communicate with the portal or gateway. But if I use an override for the default interzone rule as you suggested, then the rule would be needless, correct.
@AISynthar
A year ago
At 29:32, this is where we're stuck. I'm trying to deploy the client and certs through Intune, but getting the cert into the user store keeps failing. Do you know any other methods?
@netsums
A year ago
Hi. I'm sorry you're getting stuck. I haven't worked with any other mobile device management tool before, so I wouldn't be able to help you there. I have worked with a classical Microsoft AD environment, and the certificates were deployed through Active Directory group policies. But why are the certificates failing? What is the error message?
@micho101
A year ago
Is it possible to reject or deny a connection if the HIP profile is not met? I would like to refuse or disconnect GP if the end user doesn't pass the HIP object associated with the HIP profile.
@netsums
A year ago
As far as I know, the gateway doesn't do much other than send a message back to the client, stating whether it "passed" the HIP test or not. The decision whether the client is allowed access or not is taken in the security profiles. But I guess you already knew that. :-) I don't think it's possible to do what you want.
@hirwalambert8131
A year ago
Hello sir, I want to ask a quick question: is it possible to use GlobalProtect and work outside the country where you are supposed to work from? Like, I am working from home in one country and I want to go to another country to work from there without being noticed by my company. Is that possible? Thank you so much.
@netsums
A year ago
I don't see why it shouldn't work, unless your Palo Alto firewall has a country restriction. You could try to use a VPN service, but I'm not sure if it would work. But I would advise you to be open with your boss; I wouldn't advise you to try to hide from them that you are working from a foreign country.
@MaruTheGreat
9 months ago
I'm connected to the GlobalProtect VPN, but it is killing my internet speeds. I've rebooted my router as well as updated the firmware on it. Are there any fixes?
@netsums
9 months ago
Maybe after connecting to GlobalProtect you're sending all the traffic to your company? Try using the split tunnel function of the GlobalProtect gateway, so that you only send what you need through the VPN tunnel, and the rest gets sent to the internet locally.
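Added example, not the video's configuration and not Palo Alto code: a Python model of the split-tunnel decision behind the reply above (send only corporate prefixes through the tunnel so that Internet traffic stays local) and behind the earlier exchange about an OCI subnet that is reachable from the office but not over GlobalProtect (the "access route" hint). Assumptions of this model: an empty access-route list or 0.0.0.0/0 means full tunnel; overlap between include and exclude routes is resolved in favour of the more specific prefix; every prefix below is invented.

```python
"""Split-tunnel decision model for a GlobalProtect gateway.

Added example, not code from the video or from Palo Alto Networks.
`tunnelled` answers: does the client send this destination into the VPN
tunnel?  `missing_access_routes` answers the earlier question in the
thread: which site-to-site prefixes behind the firewall will GP clients
never reach because no access route covers them.  Assumptions: no access
routes (or 0.0.0.0/0) = full tunnel; include/exclude overlap resolved by
the more specific route.  All prefixes are made up.
"""
import ipaddress


def _best_match(routes, dst):
    """Most specific network in `routes` that contains `dst`, or None."""
    best = None
    for net in routes:
        if dst in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def tunnelled(dst_ip, access_routes=(), exclude_routes=()):
    """True if traffic to dst_ip goes through the VPN tunnel.

    access_routes:  IPv4 prefixes pushed as 'Include' access routes.
    exclude_routes: IPv4 prefixes pushed as 'Exclude' routes.
    An empty access_routes means full tunnel: everything, Internet
    browsing included, is hauled to the company firewall (the slow-
    Internet symptom in the question above).
    """
    dst = ipaddress.ip_address(dst_ip)
    includes = [ipaddress.ip_network(r) for r in access_routes]
    excludes = [ipaddress.ip_network(r) for r in exclude_routes]
    if not includes:
        includes = [ipaddress.ip_network("0.0.0.0/0")]
    inc = _best_match(includes, dst)
    exc = _best_match(excludes, dst)
    if inc is None:
        return False           # not covered: goes out locally
    if exc is None:
        return True
    return inc.prefixlen > exc.prefixlen   # more specific route wins


def missing_access_routes(reachable_prefixes, access_routes):
    """Prefixes reachable through the firewall (e.g. via IPsec to a cloud
    provider) that no access route covers, so GP clients never send them
    to the firewall in the first place."""
    includes = [ipaddress.ip_network(r) for r in access_routes]
    return [
        p for p in reachable_prefixes
        if not any(ipaddress.ip_network(p).subnet_of(i) for i in includes)
    ]


# Hypothetical site: corporate LAN plus two cloud VNets behind IPsec tunnels.
CORP_ROUTES = ["10.0.0.0/8", "172.16.0.0/12"]
CLOUD_PREFIXES = {"aws": "10.10.0.0/16", "oci": "192.168.200.0/24"}

if __name__ == "__main__":
    print(tunnelled("142.250.0.1"))                     # True: full tunnel
    print(tunnelled("142.250.0.1", CORP_ROUTES))        # False: stays local
    print(missing_access_routes(CLOUD_PREFIXES.values(), CORP_ROUTES))
```

Run against the hypothetical site, the OCI prefix shows up as missing while the AWS one does not, which is exactly the symptom reported earlier in the thread: the firewall never sees the OCI-bound packets, so no firewall-side rule or tunnel can fix it until the access route is added.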
@ah.shawky01
10 months ago
Could you please help me? I have an EC2 Windows server; I installed GlobalProtect on it and connected to the server (Palo Alto FW). When I log in to Windows via Remote Desktop the VPN connects successfully; when I close the RDP session the VPN is disconnected.
@netsums
10 months ago
You probably need to configure the pre-logon option in your portal configuration. Search for "Pre-Logon netsums" and you should find a video I made about this topic. You shouldn't configure your firewall exactly as I show in the video, but hopefully it will point you in the right direction. :-) Let me know later if you managed to configure it.
@ah.shawky01
10 months ago
@netsums Thank you for your valuable session ❤️❤️ I will check and feed back.
@ah.shawky01
10 months ago
@netsums I configured the pre-logon as you mentioned but I still have the same issue. I read in the GP log "socket closed exit now"; it happens when I close the RDP.
@netsums
9 months ago
Sorry, I only saw your reply today. If you have pre-logon (always-on) configured on your portal and the certificate is okay, when the user logs out of the RDP session the EC2 server should stay connected through the pre-logon user. What do you see in the GlobalProtect logs (under Monitor)? Take a look also at the GlobalProtect client logs (mainly PanGPS, PanGPA and pan-gp-event-log, I think).
@ah.shawky01
9 months ago
@netsums Yes, I have launched the EC2, and after closing the session the EC2 connected using pre-logon. Note: when I logged in again, it reconnected and IPsec started counting again. Many thanks for your efforts and videos.
@njams.
A year ago
Would the same settings be applicable with a third-party VPN client app, or only with the GP client app?
@netsums
A year ago
Hi. Sorry for the late reply. I cannot confirm that it would work with third-party apps. You would need to test; I only tested this configuration with GlobalProtect. I heard that it is possible to connect to the Palo Alto using the Cisco AnyConnect, for example, but things sometimes don't go as smoothly as with GP, and you probably need to tweak your configuration to make it work as desired.
@francescodangelo5611
A year ago
Hi, I don't understand where/how you configure the Google authentication.
@netsums
A year ago
Hi. The RADIUS server has to be configured to send a challenge back to the firewall after the user gets successfully authenticated with username/password. On the RADIUS server you configure the authenticator, scan the QR code with your smartphone, etc. The whole configuration resides there. For this video I used privacyIDEA (www.privacyidea.org) as the RADIUS server.
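Added example (not privacyIDEA's or Palo Alto's code, and not a real RADIUS wire implementation): a Python model of the challenge exchange described in the reply above, which also answers the earlier question in this thread about where Google Authenticator is configured. Step 1: the firewall sends an Access-Request with username and password; the server checks the password and answers Access-Challenge with a State attribute and a prompt. Step 2: the firewall sends a second Access-Request carrying the one-time code and the same State; the server verifies the TOTP (RFC 6238, HMAC-SHA1, 30-second step, 6 digits, the Google Authenticator defaults) and answers Access-Accept or Access-Reject. The user, password and seed are invented; the RADIUS codes are the standard ones but the messages are plain dictionaries rather than encoded packets.

```python
"""Two-step RADIUS exchange for GlobalProtect OTP, modelled in Python.

Added example, not code from the video, privacyIDEA or Palo Alto.  Messages
are dicts keyed by RADIUS attribute name instead of wire-encoded packets;
the request/challenge/accept sequence is what the reply above describes.
The only cryptography is the RFC 6238 TOTP check.  All credentials are
made up for the example.
"""
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (Google Authenticator's defaults)."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpRadiusServer:
    """In-memory stand-in for the RADIUS server with the OTP plug-in."""

    def __init__(self, users, challenge_ttl=60):
        self.users = users            # name -> (password, totp_seed)
        self.challenge_ttl = challenge_ttl
        self.pending = {}             # State value -> (username, issued_at)

    def handle(self, request: dict, now: int) -> dict:
        if request["code"] != ACCESS_REQUEST:
            return {"code": ACCESS_REJECT}
        user = request.get("User-Name")
        state = request.get("State")
        if state is None:
            # Step 1: password check, then challenge for the one-time code
            rec = self.users.get(user)
            if rec is None or not hmac.compare_digest(rec[0], request.get("User-Password", "")):
                return {"code": ACCESS_REJECT}
            state = secrets.token_hex(8)
            self.pending[state] = (user, now)
            return {"code": ACCESS_CHALLENGE, "State": state,
                    "Reply-Message": "Enter your one-time code"}
        # Step 2: the OTP arrives in User-Password together with the State.
        # pop() makes every State single-use, so a captured reply cannot be replayed.
        pend = self.pending.pop(state, None)
        if pend is None or pend[0] != user or now - pend[1] > self.challenge_ttl:
            return {"code": ACCESS_REJECT}
        seed = self.users[user][1]
        supplied = request.get("User-Password", "")
        for drift in (-1, 0, 1):      # tolerate one step of clock drift
            if hmac.compare_digest(supplied, totp(seed, now + 30 * drift)):
                return {"code": ACCESS_ACCEPT}
        return {"code": ACCESS_REJECT}


def firewall_login(server, user, password, otp_supplier, now):
    """The firewall's side: first request, then answer the challenge.
    otp_supplier(prompt) stands in for the GlobalProtect client showing
    the Reply-Message to the user and returning what they type."""
    first = server.handle({"code": ACCESS_REQUEST, "User-Name": user,
                           "User-Password": password}, now)
    if first["code"] != ACCESS_CHALLENGE:
        return first["code"]
    otp = otp_supplier(first["Reply-Message"])
    second = server.handle({"code": ACCESS_REQUEST, "User-Name": user,
                            "User-Password": otp, "State": first["State"]}, now)
    return second["code"]


if __name__ == "__main__":
    seed = b"12345678901234567890"    # RFC 6238 reference seed, not a real one
    srv = OtpRadiusServer({"alice": ("Winter2024!", seed)})
    now = 1111111109
    print(firewall_login(srv, "alice", "Winter2024!", lambda _: totp(seed, now), now))  # 2
```

Two things the model makes visible that the GUI hides: the firewall never sees the seed, it only relays the code, so the enrolment (QR code, seed storage) lives entirely on the RADIUS side; and the State attribute is what ties the second request to the first, so an authentication profile that does not preserve it, or a load balancer that sends step 2 to a different RADIUS node, breaks the flow with a reject.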
@cris-cis8967
3 months ago
Is there a link to download the file? Without logging in, please.
@netsums
3 months ago
You mean the GlobalProtect client? Officially no, you need to have a support account.
Comments: 111