Remerciez-le!

Remerciez @Admin pour avoir partagé cet document gratuitement, de la manière la plus simple, en partageant sur les réseaux sociaux.

GlobalProtect™ Administrator’s Guide Version 7.0 2 • GlobalProtect 7.0 Administ

GlobalProtect™ Administrator’s Guide Version 7.0 2 • GlobalProtect 7.0 Administrator’s Guide © Palo Alto Networks, Inc. Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact‐support About this Guide This guide takes you through the configuration and maintenance of your GlobalProtect infrastructure. For additional information, refer to the following resources:  For information on the additional capabilities and for instructions on configuring the features on the firewall, refer to https://www.paloaltonetworks.com/documentation.  For access to the knowledge base, discussion forums, and videos, refer to https://live.paloaltonetworks.com.  For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.  For the most current PAN‐OS 7.0 release notes, go to https://www.paloaltonetworks.com/documentation/70/pan‐os/pan‐os‐release‐notes.html.  For the most current GlobalProtect agent release notes, go to the GlobalProtect 7.0 documentation page: https://www.paloaltonetworks.com/documentation/70/globalprotect.html. To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com. Palo Alto Networks, Inc. www.paloaltonetworks.com © 2007–2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. Revision Date: March 17, 2017 © Palo Alto Networks, Inc. GlobalProtect 7.0 Administrator’s Guide • 3 Table of Contents GlobalProtect Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 About the GlobalProtect Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 GlobalProtect Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 GlobalProtect Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 GlobalProtect Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 What Client OS Versions are Supported with GlobalProtect? . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 About GlobalProtect Licenses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Set Up the GlobalProtect Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11 Create Interfaces and Zones for GlobalProtect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Enable SSL Between GlobalProtect Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 About GlobalProtect Certificate Deployment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 GlobalProtect Certificate Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Deploy Server Certificates to the GlobalProtect Components . . . . . . . . . . . . . . . . . . . . . . . 16 Set Up GlobalProtect User Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 About GlobalProtect User Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Set Up External Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Set Up Client Certificate Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Set Up Two‐Factor Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Set Up Authentication for strongSwan Ubuntu and CentOS Clients . . . . . . . . . . . . . . . . . . 33 Enable Group Mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Configure GlobalProtect Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Prerequisite Tasks for Configuring the GlobalProtect Gateway . . . . . . . . . . . . . . . . . . . . . . 43 Configure a GlobalProtect Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Configure the GlobalProtect Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Prerequisite Tasks for Configuring the GlobalProtect Portal . . . . . . . . . . . . . . . . . . . . . . . . . 49 Set Up Access to the GlobalProtect Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Define the GlobalProtect Client Configurations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . uploads/s1/ globalprotect-admin-guide.pdf