Skip to main content

GlobalProtect

Support level: Community

What is GlobalProtect

GlobalProtect enables you to use Palo Alto Networks next-gen firewalls or Prisma Access to secure your mobile workforce.

Palo Alto Networks GlobalProtect platform is a paid enterprise product.

-- https://docs.paloaltonetworks.com/globalprotect

Preparation

The following placeholders will be used:

  • gp.company is the FQDN of the GlobalProtect portal.
  • authentik.company is the FQDN of the authentik install.
caution

A trusted web certificate is required to be bound to the GlobalProtect Portal. This can be signed by a trusted internal Root Certificate Authority (CA); however, a self signed certificate, a certificate outside of its validity, or a non-standard confirming certificate (such as a lifespan not trusted by modern browsers) will error out on SAML authentication.

authentik configuration

  1. In the Admin interface of authentik, under Providers, create a SAML provider with these settings:
  • ACS URL: https://gp.company:443/SAML20/SP/ACS (Note the absence of the trailing slash, and the inclusion of the web interface port)
  • Issuer: https://authentik.company/application/saml/fgm/sso/binding/redirect/
  • Service Provider Binding: Post
  • You can of course use a custom signing certificate, and adjust durations.

  1. Select the newly created Provider and download the metadata using the tool on the 'Overview' tab.

  2. In the Admin interface of authentik, under Application, create an application with these settings:

  • Launch URL: blank://blank (This setting hides the application, while still granting access)
  • Use the Provider and Slug previously set in the first step.
  1. Set the bindings appropriately to those who will be allowed to authenticate.

GlobalProtect configuration

  1. Navigate to the GlobalProtect configuration device (Firewall or Panorama).

  2. Navigate to 'SAML Identity Provider' on the Device tab and choose the 'import' option.

  • Provide a name for the profile.
  • Import the metadata file downloaded earlier. (This will automatically install the authentik signing certificate to the system upon commit.)
  • Select 'Validate Identity Provider Certificate' if desired.
  1. Navigate to 'Authentication Profile' on the Device tab and add a new profile.
  • Type: SAML
  • IdP Server Profile: The profile just created
  • Certificate for Signing Requests: None (Optionally configure authentik for mutual SAML signature)
  • Certificate Profile: None (Optionally configure profile to validate the authentik signing cert)
  • Username Attribute: username

  1. Chose 'Advanced' within the profile and add 'all'. This will have only authentik control the authorization.

  2. Navigate to the 'GlobalProtect Portal Configuration' and chose the portal for SAML access.

  • Under 'Authentication' select the 'Authentication Profile' to the one just created. Leave all other settings as default.
  • Optionally chose to require client access via separately issued client cert as well. If not using a client cert, select 'Yes (User Credentials OR Client Certificate Required)'.

  1. Make the same exact changes to the 'GlobalProtect Gateway Configuration'.

  2. Commit the changes to the firewall.