You can also set the IPSec Crypto policy to use more secure method here such as AES-256-GCM.Ĭlick OK twice and save / commit all of the settings.A virtual private network (VPN) offers secure connectivity to the SRJC network, but requires that any application you use is already installed on your home computer. The PA will try to negotiate IPSec first, if it cant it will fall back to TLS (SSL). For example if the deployment is for work from home and the user gets disconnected due to home broadband drop out, once reconnected during the cookie window user wont be asked for authentication. This will make it so once the user passes both GlobalProtect and DUO authentication they wont have to re-authenticate during this time period. You will need to select a valid certificate for authentication cookie Encrypt and Decrypt. Tick generate cookie and accept cookie and set the lifetime. Click on the name of your config to open it.Ĭlick on Authentication Override. Set the authentication profile to be the one we just configured in step 4.Ĭontinuing with GlobalProtect Gateway settings:Ĭlick the Agent tab on the left and then click the Client Settings tab. Network > GlobalProtect > Gateways > edit gateway and select Authentication tab. This means users wont have to type the domain name on the Global Protect client login (only the username). Set User Domain to your Active Directory short hand domain name.
![how to use globalprotect how to use globalprotect](https://blog.appsverse.com/content/images/2021/11/globalprotect.png)
Set Server Profile to the previous created RADIUS profile. Essentially the DUO Proxy is a RADIUS server: I am using 1812, however if your sever had Microsoft NPS on it already using 1812, you can use a non standard port for RADIUS such as 1810.Ĭonfigure the PA to point to the DUO Proxy. It is also cool that you can bind the DUO Proxy to any port. Note that the service will not start if there is a misconfiguration in the config file. Once configured, save the file and start the service from services.msc. Substitute your secrets such as ikey / skey and the ip addresses as per above. This is handy for servers that have multiple nics. I also configure the interface IP of the server to bind to. OK so in this example we are pointing the DUO Proxy to the PA firewall interface 192.168.1.254 as the radius authenticator. Service_account_password = secretpassword Once installed you need to configure the proxy by editing the authproxy.cfg file in C:\Program Files (x86)\Duo Security Authentication Proxy\conf\
#HOW TO USE GLOBALPROTECT WINDOWS#
These are used to configure the Duo proxy.Ĭonfigure a local Windows VM on your windows domain. Make a note of your integration and secret keys.
![how to use globalprotect how to use globalprotect](http://wp.12p.no/wp-content/uploads/2020/01/image-23.png)
Select protect an application and Palo Alto SSL VPN. Select Applications menu option in your DUO admin panel tenancy. More information on the deployment methods of DUO can be found here For DUO we are going to use RADIUS deployment method with the DUO Proxy. The Palo Alto deployment method is Global Protect client based IPSec VPN with SSL fallback. You have experience with PAN OS and have setup Palo Alto GlobalProtect. Below I detail the steps to configure DUO with Palo Alto GlobalProtect. During the COVID-19 lockdown I was asked to setup a VPN and secure it with two factor authentication.