PaloAlto | Global Protect - VPN
1. Create Object Address Segment Network. Menu (Object >> Address)
2. Create Zone Internet, LAN, SERVER_PROD, SERVER_UAT dan Global Protect (Network >> Zone)
3. Create Interface Tunnel .102 (Network >> Interface >> Tunnel) tunnel.102
4. Create Sub-Interface di ether3 untuk vlan 10 dan vlan 20. Dan juga set IP address interface di Inside, internet dan Vlan20 dan Vlan20. (Network >> Interface >> Ethernet).
5. Create User (Devide >> Local User Database >> User)
6. Create Certificate (Device >> Certificate Management >> Certifcate)
7. Create Certificate (Device >> Certificate Management >>SSL / TLS Service Profile)
8.Seting Authenctication Profile untuk menentukan user login di Global-Protect. ( Device >> Authentication Profile)
7. Create Certificate (Device >> Certificate Management >>SSL / TLS Service Profile)
8.Seting Authenctication Profile untuk menentukan user login di Global-Protect. ( Device >> Authentication Profile)
10. Setting Portal Global-Protect. (Network >> GlobalProtect >>Portal >> Authentication >> Add
.11. Setting Portal Global-Protect. (Network >> GlobalProtect >>Portal >> Agent >> Add Agent >> Authentication. Dan Add certifcate di bagian TRUSTED ROOT CA.
12. Setting Portal Global-Protect. (Network >> GlobalProtect >>Portal >> Agent >> Add Agent >> Config Selector Criteria. Di Tab ini untuk memasukkan user dan OS.
12.Setting Portal Global-Protect. (Network >> GlobalProtect >>Portal >> Agent >> Add Agent >> External. Di Tab ini untuk memasukkan Gateway External.
13.Setting Portal Global-Protect. (Network >> GlobalProtect >>Portal >> Agent >> Add Agent >> App. Di Tab ini untuk menentukan port, misal 443 atau 10443.
14.Setting Portal Global-Protect. (Device >> GlobalProtect >>Gateways>> Add >> General
15. Setting Portal Global-Protect. (Network >> GlobalProtect >>Gateways>> Add >> Authentication >> Add Client Authentication.
16. Setting Portal Global-Protect. (Network>> GlobalProtect >>Gateways>> Add >> Agent >> Klick Add >> Client Setting >> Config Selection Criteria.
17. Setting Portal Global-Protect. (Network >> GlobalProtect >>Gateways>> Add >> Agent >> Klick Add >> Client Setting >> Authentication Override.
18. Setting Portal Global-Protect. (Network>> GlobalProtect >>Gateways>> Add >> Agent >> Klick Add >> Client Setting >> Authentication Override.
19. Setting Portal Global-Protect. (Device >> GlobalProtect >>Gateways>> Add >> Agent >> Klick Add >> Client Setting >> IP Pools.
.
20. Setting Portal Global-Protect. (Network >> GlobalProtect >>Gateways>> Add >> Agent >> Klick Add >> Client Setting >>Split Tunnel. Dibagian ini adalah masukkan segment network server yang di ijinkan dikases dari remote-site.
21. Setting Portal Global-Protect. (Network>> GlobalProtect >>Gateways>> Add >> Agent >> Klick Add >> Client Setting >>Network Services. Dibagian ini set domain dan IP DNS yang nantinya si client akan menerima IP dan DNS ini di networknya bagian VPN setelh terhubung ke ke GP.
23.Configurasi CiscoSRV
hostname ciscoSRV
!
ip domain name training.lab
!
username admin privilege 15 password 0 123
!
interface Ethernet0/0
ip address 10.87.10.1 255.255.255.0
duplex auto
!
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.87.10.254
!
line vty 0 4
password 123
login local
transport input all
!
crypto key generate rsa
[2048]
!
ciscoSRV#
24. Verifikasi dan Monitoring User.
!
ip domain name training.lab
!
username admin privilege 15 password 0 123
!
interface Ethernet0/0
ip address 10.87.10.1 255.255.255.0
duplex auto
!
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.87.10.254
!
line vty 0 4
password 123
login local
transport input all
!
crypto key generate rsa
[2048]
!
ciscoSRV#
24. Verifikasi dan Monitoring User.
Then...Global Protect di PC-remote
SELESAI....!!!
palo vpn global
=====================================================
Skenarion-2
Jika ingin user yang dipakai login GLobal Protect dari LDAP (AD-Server) maka ada beberapa tambahan konfigurasinya.
Jika ingin user yang dipakai login GLobal Protect dari LDAP (AD-Server) maka ada beberapa tambahan konfigurasinya.
1. Integrasikan LDAP dengan PaloAlto, lihat link berikut ini:
https://imcbatam.blogspot.com/2024/11/paloalto-ldap-server.html
https://imcbatam.blogspot.com/2024/11/paloalto-ldap-server.html
2. Berikut Setingan disisi GlobalProtect
Network>> GlobalProtect >>Gateways>> Add >> Agent >> Klick Add >> Client Setting >> Config Selection Criteria >> User / User Group. Lalu tambahkan group yang berasalal dari AD-Server.
3. Berikut Setingan disisi GlobalProtect
Network>> GlobalProtect >>Gateways>> Add >> Agent >> Klick Add >>Agent >> Client Setting >>Add >> Config Selection Criteria. Lalu tambahkan group yang berasalal dari AD-Server.
4. Aktifkan USer Identification di Zone INSIDE (SERVER_PRODUTION, SERVER_UAT) dimana zone ini akan diakses dari GlobalProtetct.
Network>> GlobalProtect >>Gateways>> Add >> Agent >> Klick Add >> Client Setting >> Config Selection Criteria >> User / User Group. Lalu tambahkan group yang berasalal dari AD-Server.
3. Berikut Setingan disisi GlobalProtect
Network>> GlobalProtect >>Gateways>> Add >> Agent >> Klick Add >>Agent >> Client Setting >>Add >> Config Selection Criteria. Lalu tambahkan group yang berasalal dari AD-Server.
4. Aktifkan USer Identification di Zone INSIDE (SERVER_PRODUTION, SERVER_UAT) dimana zone ini akan diakses dari GlobalProtetct.
5. Firewalll Security
6. Verifikasi:
Done...!!
Posting Komentar untuk "PaloAlto | Global Protect - VPN"