Now we will start configuring the actual configuration for GlobalProtect. Step 7: Portal Configuration for GlobalProtect Clientless VPN Although, you do not need to assign an IP address to this interface. You can attach a management profile to the tunnel interface as per your requirement. Also, make sure you assign the same security zone which is created in the previous step. Go to Network > Interfaces > Tunnel > Add, to create a tunnel interface. Likewise IPSec tunnel, you need to create a separate tunnel interface for the GlobalProtect VPN. Step 6: Creating a tunnel interface for Clientless GlobalProtect Make sure the Zone Type should be Layer 3 and Enable User Identification. To create Security Zone, go to Network > Zones > Add. LAN, but it is always recommended to create a new zone so that you have granular control over the GlobalProtect traffic. Although you can choose one of the pre-created zones, i.e. Like IPSec VPN, in GlobalProtect VPN, you need to create a zone for the tunnel interface. Step 5: Creating a zone for GlobalProtect Make sure you put your Common name should be the same as the interface IP on which you are configuring the GlobalProtect. Now, just fill the Certificate filed as per the reference Image. To generate a self-sign certificate, Go to Device > Certificate Management > Certificates > Device Certificates > Generate. So, you can generate your own certificate on Palo Alto firewall or you can use any certificate which is signed by any of the CA authority. To configure the GlobalProtect VPN, you must need a valid root CA certificate. Step 1: Generating a Self Sign Certificate Also, as in clientless VPN, Palo Alto firewalls act as a reverse proxy, so you might access only web applications/servers. If you already know to configure GlobalProtect VPN, you can skip 1 – 9 steps. To configure clientless VPN, you first need to configure Palo Alto GlobalProtect VPN, and after you need to configure Clientless VPN. Steps to configure Clientless VPN in Palo Alto Firewall The IP address of the Web server is 192.168.1.10. A test webserver is taken in the LAN zone. In this example, I’ve configured two security zones i.e. Scenario – Configure GlobalProtect Clientless VPN in Palo Alto
Step 13: Verification of GlobalProtect Clientless VPN Configuration and Accessing webservers from GlobalProtect Portal.Step 12: Configuring the GlobalProtect Gateway to support Clientless VPN.Step 11: Configuring the Applications for Clientless VPN in Palo Alto Firewall.Step 10: Configuring DNS Proxy for Internal Web Applications.Step 9: Security policy for GlobalProtect.Step 8: Gateway Configuration for GlobalProtect.Step 7: Portal Configuration for GlobalProtect Clientless VPN.