How to Configure GlobalProtect (Palo Alto Networks)

Configure GlobalProtect SAML Authentication

This document contains instructions for configuring SAML authentication for Palo Alto Networks' GlobalProtect in brokering mode.

Please make sure to configure your identity provider first (instructions link)

Infinipoint Configuration

  1. Create a “Palo Alto GlobalProtect” Application in Infinipoint:

    1. Access → Applications, click “Add” and select “Add from catalog”, then select Palo Alto GlobalProtect

    2. Select your identity provider

    3. Enter Application Name: GlobalProtect

    4. Origin URL: https://[REPLACE-WITH-GP-GATEWAY-IP]:443

      • The GlobalProtect gateway IP can be found in the firewall management UI under:

        1. Network → GlobalProtect → Portals, Select Your Portal

        2. Then select Agent Tab → Select Your Configuration

        3. Then External Tab → Copy the IP Address from the selected Gateway

    5. Click “Download the Metadata XML” and save the file for later

    6. Click “Download Certificate” and save the file for later

    7. Click “Save” to save the application

GlobalProtect Configuration

  1. Create a new “SAML Identity Provider” server profile on the firewall

    1. Device → Server Profiles → SAML Identity Provider

      1. Click “Import”

        1. Profile Name: Infinipoint

        2. Identity Provider Metadata: [Click “Browse” and Select the Metadata XML that we saved from the Infinipoint Console]

        3. Uncheck “Sign SAML Message to IDP”

          • Example “SAML Identity Provider” Configuration:

  2. Create an “Authentication Profile”

    1. Device → Authentication Profile, click “Add”

      1. Name: Infinipoint

      2. Type: SAML

      3. IdP Server Profile: [The SAML Identity Profile we have created]

      4. Certificate Profile: [A certificate profile that contains the Infinipoint IdP certificate we downloaded]

      5. Username attribute: username

        • Example “Authentication Profile”:

  3. Assign the Infinipoint Authentication Profile to the GlobalProtect Portals and Gateways

    1. Network → GlobalProtect → Portals, Select [Your Portal]

      1. In GlobalProtect Portal Configuration → Authentication, add or change the client authentication entry so that its “Authentication Profile” is the Infinipoint profile

        • Example Client Authentication Config:

      2. In GlobalProtect Portal Configuration → Agent, select your agent configuration

        1. Click the “App” tab

        2. Scroll through “App Configurations” and set “Use Default Browser for SAML Authentication” to “Yes”

          1. Example:
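Before importing the metadata XML (step 1) and the certificate (step 2) into the firewall, it is worth confirming that the two downloads belong together: the certificate you put in the Certificate Profile must be the signing certificate advertised in the metadata, or SAML responses will fail validation. The following is an added example, not code from the page or from Palo Alto Networks or Infinipoint; the metadata, entityID and certificate body below are constructed samples, and the base64 is a placeholder rather than a real certificate.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: the base64 is a placeholder, not a real certificate.
SAMPLE_CERT_B64 = "MIIBszCCAV0CFBAzUExBQ0VIT0xERVI="
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\nMIIBszCCAV0CFBAz\n"
              "UExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n")
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.invalid/realms/demo">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {SAMPLE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/realms/demo/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.invalid/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def _strip_ws(text):
    return re.sub(r"\s+", "", text or "")

def parse_idp_metadata(xml_text):
    """Return entityID, SSO endpoints (keyed by binding) and signing certs from IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:  # SP metadata or a wrong download: unusable as an IdP profile
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
            certs.append(_strip_ws(cert))
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}

def pem_to_b64(pem):
    """Strip PEM armour so the DER base64 can be compared with the metadata value."""
    b64 = _strip_ws(re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem))
    base64.b64decode(b64, validate=True)  # raises binascii.Error on a corrupt download
    return b64

def cert_matches_metadata(meta, pem):
    """True when the downloaded certificate is a signing certificate in the metadata."""
    return pem_to_b64(pem) in meta["signing_certs"]
```

Run `cert_matches_metadata(parse_idp_metadata(open("metadata.xml").read()), open("idp.crt").read())` against the real downloads; a `False` result means the certificate does not belong to the IdP profile you are about to create.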

Configure GlobalProtect Continuous Checks with Infinipoint

This document contains instructions for configuring GlobalProtect continuous checks and HIP notification with Infinipoint.

It is recommended to set the firewall HIP check interval to 60 seconds via the firewall CLI with the following commands:

debug global-protect portal interval 60
debug global-protect portal on
configure
commit force

TBD (instructions for setting Infinipoint’s “Compliance Triggers” and GP HIP check and notification)

HTML Template for HIP Notification

<div style="text-align: center;"><br></div>
<div style="text-align: center;"><br></div>
<div style="text-align: center;"><br></div>
<div style="text-align: center;"><strong style="color: #ff0000;"><span style="font-size:5vw;">Attention: Action Required</span></strong></div>
<div style="text-align: center;"><strong style="color: #ff0000;"><span style="font-size: small;"></span></strong></div>
<div style="text-align: center; color: #070808;">
<p class="p1" style="text-align: center; margin: 0px; font-variant-numeric: normal; font-variant-east-asian: normal; font-stretch: normal; line-height: normal; font-family: 'Helvetica Neue'; color: #000000;"><span style="font-size: 3vw;"><br></span></p>
<p class="p1" style="text-align: center; margin: 0px; font-variant-numeric: normal; font-variant-east-asian: normal; font-stretch: normal; line-height: normal; font-family: 'Helvetica Neue'; color: #000000;"><span style="font-size: 3vw;">Your device is non-compliant with our company policy.<br><br></span></p>
<p class="p1" style="text-align: center; margin: 0px; font-variant-numeric: normal; font-variant-east-asian: normal; font-stretch: normal; line-height: normal; font-family: 'Helvetica Neue'; color: #000000;"><span style="font-size: 3vw;">Please click the link below to view and remediate your device:</span></p>
<p class="p1" style="text-align: center; margin: 0px; font-variant-numeric: normal; font-variant-east-asian: normal; font-stretch: normal; line-height: normal; font-family: 'Helvetica Neue'; color: #000000;"><span style="font-size: 3vw;"><br></span></p>
<p class="p1" style="text-align: center; margin: 0px; font-variant-numeric: normal; font-variant-east-asian: normal; font-stretch: normal; line-height: normal; font-family: 'Helvetica Neue'; color: #000000;"><span style="font-size: small;"></span></p>
</div>
<div style="text-align: center; color: #070808;"><a href="https://auth.infinipoint.io/auth/realms/Infinipoint-Demo/device-service"><span style="font-size: 3.5vw;">Infinipoint Self-Service</span></a></div>

The https://auth.infinipoint.io/auth/realms/Infinipoint-Demo/device-service URL must be replaced with your own “Self-service Portal” URL (requires user authentication) or “Device Posture” URL (does not require user authentication).
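A small pre-deployment check for the template, added here as an example and not part of the original page: it swaps in your own URL and then confirms that the demo link is gone and that every link in the notification is served over https. The template string is a constructed, shortened copy of the one above, and the tenant URL used in the usage note is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The placeholder link shipped in the template above; it must not reach production.
DEMO_URL = "https://auth.infinipoint.io/auth/realms/Infinipoint-Demo/device-service"

# Constructed, shortened version of the page's HIP notification template.
TEMPLATE = (
    '<div style="text-align: center;"><strong style="color: #ff0000;">'
    '<span style="font-size:5vw;">Attention: Action Required</span></strong></div>'
    '<div style="text-align: center;"><p>Your device is non-compliant with our company policy.</p>'
    '<p>Please click the link below to view and remediate your device:</p></div>'
    f'<div style="text-align: center;"><a href="{DEMO_URL}">'
    '<span style="font-size: 3.5vw;">Infinipoint Self-Service</span></a></div>'
)

class _LinkCollector(HTMLParser):
    """Collects every href in the template so each link can be checked."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def set_self_service_url(template, url):
    """Replace the demo link with the tenant's Self-service Portal or Device Posture URL."""
    return template.replace(DEMO_URL, url)

def template_problems(template):
    """Return the reasons the template is not ready to deploy (empty list means OK)."""
    collector = _LinkCollector()
    collector.feed(template)
    problems = []
    if not collector.hrefs:
        problems.append("no link for the user to click")
    for href in collector.hrefs:
        if href == DEMO_URL:
            problems.append("demo self-service URL still present")
        if urlsplit(href).scheme != "https":
            problems.append(f"link is not https: {href}")
    return problems
```

For a real deployment call `template_problems(set_self_service_url(open("hip.html").read(), "https://<your-tenant-self-service-url>"))` and only upload the template when the returned list is empty.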