Globalprotect Overview Palo Alto Networks Globalprotect™ Administrator’s Guide Version 7.0

Transcript

GlobalProtect Overview Palo Alto Networks GlobalProtect™ Administrator’s Guide Version 7.0 Copyright © 2007-2015 Palo Alto Networks Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us About this Guide This guide takes you through the configuration and maintenance of your GlobalProtect infrastructure. For additional information, refer to the following resources:  For information on the additional capabilities and for instructions on configuring the features on the firewall, refer to https://www.paloaltonetworks.com/documentation.  For access to the knowledge base, discussion forums, and videos, refer to https://live.paloaltonetworks.com.  For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.  For the most current PAN-OS and GlobalProtect 7.0 release notes, go to https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os-release-notes.html. For the most current GlobalProtect agent release notes, go to the GlobalProtect 7.0 documentation page: https://www.paloaltonetworks.com/documentation/70/globalprotect.html. To provide feedback on the documentation, please write to us at: [email protected]. Palo Alto Networks, Inc. www.paloaltonetworks.com © 2015–2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. Revision Date: January 27, 2016 2 • GlobalProtect 7.0 Administrator’s Guide Copyright © 2007-2015 Palo Alto Networks © Palo Alto Networks, Inc. GlobalProtect Overview Whether checking email from home or updating corporate documents from the airport, the majority of today's employees work outside the physical corporate boundaries. This increased workforce mobility brings increased productivity and flexibility while simultaneously introducing significant security risks. Every time users leave the building with their laptops or mobile devices they are bypassing the corporate firewall and associated policies that are designed to protect both the user and the network. GlobalProtect solves the security challenges introduced by roaming users by extending the same next-generation firewall-based policies that are enforced within the physical perimeter to all users, no matter where they are located. The following sections provide conceptual information about the Palo Alto Networks GlobalProtect offering and describe the components of GlobalProtect and the various deployment scenarios:  About the GlobalProtect Components  What Client OS Versions are Supported with GlobalProtect?  About GlobalProtect Licenses © Palo Alto Networks, Inc. GlobalProtect 7.0 Administrator’s Guide • 5 Copyright © 2007-2015 Palo Alto Networks About the GlobalProtect Components GlobalProtect Overview About the GlobalProtect Components GlobalProtect provides a complete infrastructure for managing your mobile workforce to enable secure access for all your users, regardless of what devices they are using or where they are located. This infrastructure includes the following components:  GlobalProtect Portal  GlobalProtect Gateways  GlobalProtect Client GlobalProtect Portal The GlobalProtect portal provides the management functions for your GlobalProtect infrastructure. Every client system that participates in the GlobalProtect network receives configuration information from the portal, including information about available gateways as well as any client certificates that may be required to connect to the GlobalProtect gateway(s). In addition, the portal controls the behavior and distribution of the GlobalProtect agent software to both Mac and Windows laptops. (On mobile devices, the GlobalProtect app is distributed through the Apple App Store for iOS devices or through Google Play for Android devices.) If you are using the Host Information Profile (HIP) feature, the portal also defines what information to collect from the host, including any custom information you require. You Configure the GlobalProtect Portal on an interface on any Palo Alto Networks next-generation firewall. GlobalProtect Gateways GlobalProtect gateways provide security enforcement for traffic from GlobalProtect agents/apps. Additionally, if the HIP feature is enabled, the gateway generates a HIP report from the raw host data the clients submit and can use this information in policy enforcement.  External gateways—Provide security enforcement and/or virtual private network (VPN) access for your remote users.  Internal gateways—An interface on the internal network configured as a GlobalProtect gateway for applying security policy for access to internal resources. When used in conjunction with User-ID and/or HIP checks, an internal gateway can be used to provide a secure, accurate method of identifying and controlling traffic by user and/or device state. Internal gateways are useful in sensitive environments where authenticated access to critical resources is required. You can configure an internal gateway in either tunnel mode or non-tunnel mode. You Configure GlobalProtect Gateways on an interface on any Palo Alto Networks next-generation firewall. You can run both a gateway and a portal on the same firewall, or you can have multiple, distributed gateways throughout your enterprise. 6 • GlobalProtect 7.0 Administrator’s Guide Copyright © 2007-2015 Palo Alto Networks © Palo Alto Networks, Inc. GlobalProtect Overview About the GlobalProtect Components GlobalProtect Client The GlobalProtect client software runs on end user systems and enables access to your network resources via the GlobalProtect portals and gateways you have deployed. There are two types of GlobalProtect clients:  The GlobalProtect Agent—Runs on Windows and Mac OS systems and is deployed from the GlobalProtect portal. You configure the behavior of the agent—for example, which tabs the users can see, whether or not users can uninstall the agent—in the client configuration(s) you define on the portal. See Define the GlobalProtect Client Configurations, Customize the GlobalProtect Agent, and Deploy the GlobalProtect Agent Software for details.  The GlobalProtect App—Runs on iOS and Android devices. Users must obtain the GlobalProtect app from the Apple App Store (for iOS) or Google Play (for Android). See What Client OS Versions are Supported with GlobalProtect? for more details. The following diagram illustrates how the GlobalProtect portals, gateways, and agents/apps work together to enable secure access for all your users, regardless of what devices they are using or where they are located. © Palo Alto Networks, Inc. GlobalProtect 7.0 Administrator’s Guide • 7 Copyright © 2007-2015 Palo Alto Networks About the GlobalProtect Components GlobalProtect Overview For more information on the GlobalProtect Mobile Security Manager, see the GlobalProtect™ Administrator’s Guide. 8 • GlobalProtect 7.0 Administrator’s Guide Copyright © 2007-2015 Palo Alto Networks © Palo Alto Networks, Inc. GlobalProtect Overview What Client OS Versions are Supported with GlobalProtect? What Client OS Versions are Supported with GlobalProtect? The following table summarizes the supported GlobalProtect desktop, laptop, and mobile device operating systems and the minimum PAN-OS and GlobalProtect agent/app versions required to support each one. Supported Client OS Versions Minimum Agent/App Version Minimum PAN-OS Version Apple Mac OS 10.6 1.1 4.1.0 or later Apple Mac OS 10.7 1.1 Apple Mac OS 10.8 1.1.6 Apple Mac OS 10.9 1.2 Apple Mac OS 10.10 2.1 Apple Mac OS 10.11 2.3.2 Windows XP (32-bit) 1.0 Windows Vista (32-bit and 64-bit) 1.0 Windows 7 (32-bit and 64-bit) 1.0 Windows 8 (32-bit and 64-bit) 1.2 Windows 8.1 (32-bit and 64-bit) 1.2 Windows Surface Pro 1.2 Windows 10 (32-bit and 64-bit) 2.3.1 Apple iOS 6.0 1.3 app Apple iOS 7.0 1.3 app Apple iOS 8.0 2.1 app Apple iOS 9.0 2.3.2 app Google Android 4.0.3 or later 1.3 app 4.1.6 or later Google Android 4.0 2.3.3 app 7.0 or later Google Android 5.0 2.3.3 app 7.0 or later Google Android 6.0 2.3.3 app 7.0 or later Third-party X-Auth IPsec Clients: • iOS built-in IPsec client N/A 5.0 or later N/A 6.1 4.0 or later 4.1.0 or later • Android built-in IPsec client • VPNC on Ubuntu Linux 10.04 and later versions and CentOS 6 and later versions • strongSwan on Ubuntu Linux and CentOS* *For details on enabling strongSwan Ubuntu and CentOS clients to access GlobalProtect VPN, refer to Set Up Authentication for strongSwan Ubuntu and CentOS Clients. Users must obtain the GlobalProtect app from the Apple App Store (for iOS) or Google Play (for Android). For information on how to distribute the GlobalProtect agent, see Deploy the GlobalProtect Agent Software. © Palo Alto Networks, Inc. GlobalProtect 7.0 Administrator’s Guide • 9 Copyright © 2007-2015 Palo Alto Networks About GlobalProtect Licenses GlobalProtect Overview About GlobalProtect Licenses If you simply want to use GlobalProtect to provide a secure, remote access or virtual private network (VPN) solution via single or multiple internal/external gateways, you do not need any GlobalProtect licenses. However, to use some of the more advanced features, such as enabling HIP checks and associated content updates and enabling support for the GlobalProtect mobile app for iOS and Android, you need to purchase an annual gateway subscription. This license must be installed on each firewall running a gateway(s) that performs HIP checks and that supports the GlobalProtect app on mobile devices. In versions earlier than PAN-OS 7.0, a GlobalProtect portal license was required to enable remote access or virtual private network (VPN) solution via single or multiple internal/external gateways. To use these features in PAN-OS 7.0, a portal license is not required, but you must upgrade the GlobalProtect portal to PAN-OS 7.0 (the GlobalProtect gateway can run PAN-OS 7.0 or earlier). Feature Gateway Subscription Single, external gateway (Windows and Mac) Single or multiple internal gateways Multiple external gateways HIP Checks Mobile app for iOS and/or Android See Activate Licenses for information on installing licenses on the firewall. 10 • GlobalProtect 7.0 Administrator’s Guide Copyright © 2007-2015 Palo Alto Networks © Palo Alto Networks, Inc.