Palo Alto GlobalProtect VPN Configuration Step by Step [2025]
Introduction
This tutorial provides a step-by-step guide on configuring remote access VPN on a Palo Alto Firewall using the GlobalProtect client. You will learn three authentication methods: username/password, username/password with a client certificate, and username/password with Google Authenticator. This guide is beneficial for network administrators seeking to enhance security and manage remote access efficiently.
Step 1: Understand the Main Components of GlobalProtect
Before diving into the configuration, familiarize yourself with the key components of the GlobalProtect environment:
- GlobalProtect Portal: Manages the VPN client connections and settings.
- GlobalProtect Gateway: Handles user authentication and provides access to resources.
- Certificates: Used for secure communication and authentication within the VPN.
Step 2: Verify Licenses and Certificates
Ensure that you have the necessary licenses for GlobalProtect and set up the required certificates:
- Check the GlobalProtect License documentation.
- Generate or import root certificates for secure connections.
Step 3: Configure Firewall Interfaces
Set up the required firewall interfaces for GlobalProtect:
- Access the Palo Alto management interface.
- Navigate to Network > Interfaces.
- Configure the interfaces that will be used for GlobalProtect traffic. Ensure that they are properly connected to your network.
Step 4: Set Up User Authentication Methods
You will configure three different user authentication methods. Follow the steps for each method.
Step 4a: Username and Password
- Go to Device > User Identification > User Identification Settings.
- Enable user identification and configure the authentication profile.
Step 4b: Username/Password with Client Certificate
- Generate a client certificate or import an existing one.
- Configure the GlobalProtect settings to require client certificates for authentication.
Step 4c: Username/Password with Google Authenticator
- Install the Google Authenticator app on the user's mobile device.
- In the Palo Alto interface, navigate to Device > User Identification > User Identification Settings and enable two-factor authentication.
- Configure the authentication profile to include Google Authenticator.
Step 5: Create Objects and Security Rules
Define the necessary objects and security rules to control VPN access:
- Go to Objects > Addresses to create address objects for your VPN users.
- Navigate to Policies > Security to create rules that allow traffic from the GlobalProtect users to the internal resources.
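A check to run against the rules created in this step, as an added example (not part of the original tutorial or of Palo Alto's tooling): it reads a security rulebase in PAN-OS XML form and lists allow rules from the VPN zone that leave fields set to `any`. The zone name `GP-VPN`, the rule names and the address objects are assumptions, and the XML is a constructed sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a PAN-OS security rulebase export.
# Zone, rule and address-object names are assumptions for illustration.
SAMPLE_RULEBASE = """
<security><rules>
  <entry name="gp-to-intranet">
    <from><member>GP-VPN</member></from><to><member>Trust</member></to>
    <source><member>gp-client-pool</member></source>
    <destination><member>intranet-servers</member></destination>
    <application><member>web-browsing</member><member>ssl</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
  </entry>
  <entry name="gp-allow-all">
    <from><member>GP-VPN</member></from><to><member>any</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>any</member></application><service><member>any</member></service>
    <action>allow</action>
  </entry>
  <entry name="lan-out">
    <from><member>Trust</member></from><to><member>Untrust</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>any</member></application><service><member>any</member></service>
    <action>allow</action></entry>
</rules></security>
"""

def members(rule, tag):
    """Return the set of <member> values under one field of a rule."""
    return {m.text for m in rule.findall(f"{tag}/member")}

def broad_vpn_rules(xml_text, vpn_zone):
    """Map each allow rule sourced from vpn_zone to its fields left as 'any'."""
    findings = {}
    for rule in ET.fromstring(xml_text).iter("entry"):
        if rule.findtext("action") != "allow":
            continue  # deny/drop rules and non-rule entries are out of scope
        if not members(rule, "from") & {vpn_zone, "any"}:
            continue  # rule does not apply to traffic arriving from the VPN zone
        wide = [t for t in ("to", "source", "destination", "application", "service")
                if "any" in members(rule, t)]
        if wide:
            findings[rule.get("name")] = wide
    return findings

if __name__ == "__main__":
    for name, fields in broad_vpn_rules(SAMPLE_RULEBASE, "GP-VPN").items():
        print(f"{name}: 'any' in {', '.join(fields)}")
```

Rules it reports are candidates for narrowing to the address objects created under Objects > Addresses and to specific applications.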
Step 6: Configure GlobalProtect Gateway
Set up the GlobalProtect Gateway:
- Go to Network > GlobalProtect > Gateways.
- Add a new gateway and configure the following:
  - Interface
  - Authentication settings
  - Client configuration
Step 7: Configure GlobalProtect Portal
Set up the GlobalProtect Portal:
- Navigate to Network > GlobalProtect > Portals.
- Add a new portal configuration, making sure to specify:
  - The interface it will listen on
  - The authentication profile
  - The client configuration
Step 8: Download and Install GlobalProtect Software
- Download the GlobalProtect client from the GlobalProtect Portal.
- Install the client on the Windows machine that will test the VPN connection.
Step 9: Import Root Certificate into VPN Client
- Open the GlobalProtect client.
- Go to settings and import the root certificate to establish a secure connection.
Step 10: Connect to GlobalProtect Portal
- Launch the GlobalProtect client.
- Enter the portal address and authenticate using the configured method (username/password, certificate, or Google Authenticator).
Step 11: Test Authentication Methods
Verify that each authentication method works:
- Test the username/password method first.
- Then, attempt the username/password with the client certificate.
- Finally, confirm functionality with Google Authenticator.
Conclusion
You have successfully configured the Palo Alto GlobalProtect VPN with three authentication methods. Ensure you test each configuration thoroughly. For further learning, consider exploring advanced features of GlobalProtect or enrolling in online training to deepen your understanding of Palo Alto Firewalls.