GCP and Palo Alto together: Solving for client-to-site VPN

Gauravmadan
Google Cloud - Community
7 min read, Feb 13, 2023

TASK

In many cloud networking deployments we commonly see a third-party firewall (Palo Alto, Check Point, Fortinet, etc.) deployed for specific functions such as IPS/IDS, L7 inspection or URL filtering, or simply to satisfy compliance requirements.

The purpose of this blog is to show how a customer can use that same third-party firewall for client-to-site VPN as well. For this blog I am using a Palo Alto firewall spun up in my project with a Marketplace license.

Understanding the Topology

I have divided the GCP network into 3 VPCs:

  1. Trust VPC: the inside part of my network, not directly exposed to the internet.
  2. Untrust VPC: where my external clients land; it can also be called the 'outside' network.
  3. Mgmt VPC: purely for management purposes, e.g. accessing the Palo Alto GUI.

Spinning up the Palo Alto VM

  1. I used the “interface swap” option, so e1/1 points to the Untrust VPC.
  2. My Untrust and Mgmt ports had external IPs attached; the Trust interface had only an internal private IP address.
  3. Define the VPC firewall rules according to which end users are allowed management access to this Palo Alto VM.

Routing:

At a basic level I want all traffic from the Trust VPC to reach the internet via the firewall. Hence:

  1. I deleted the 0.0.0.0/0 route pointing to the internet gateway in the Trust VPC.
  2. Instead, in the Trust VPC I added a 0.0.0.0/0 route pointing to 192.168.30.3 (the IP of the Palo Alto VM's interface in the Trust VPC). In effect I am saying: send all traffic to the Palo Alto VM and let it make the forwarding decision.
  3. The Untrust VPC kept its regular default route pointing to the internet gateway.
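
An added check for this routing design (example code, not from the original post): it audits the JSON that `gcloud compute routes list --format=json` returns, using the Compute API Route fields destRange, priority, nextHopGateway and nextHopIp, and flags a Trust VPC whose effective default route does not point at the firewall. The VPC names and sample routes are constructed; the firewall IP 192.168.30.3 is the one from the post.

```python
# Added example, not from the original post. Audits the output of
# `gcloud compute routes list --format=json` (Compute API Route fields);
# VPC names and sample routes are constructed, the firewall IP is the post's.
from typing import Optional
DEFAULT_RANGE = "0.0.0.0/0"
INTERNET_GW = "default-internet-gateway"

def vpc_of(route: dict) -> str:
    return route.get("network", "").rsplit("/", 1)[-1]  # network URL -> VPC name

def effective_default_route(routes: list, vpc: str) -> Optional[dict]:
    """The 0.0.0.0/0 route GCP really uses for a VPC: the lowest priority value
    wins, so a forgotten auto-created route at 1000 loses to one at 100."""
    cands = [r for r in routes if vpc_of(r) == vpc and r.get("destRange") == DEFAULT_RANGE]
    return min(cands, key=lambda r: r.get("priority", 1000)) if cands else None

def next_hop_kind(route: dict) -> str:
    """Classify the next hop the way the API reports it."""
    if route.get("nextHopGateway", "").endswith(INTERNET_GW):
        return "internet-gateway"
    if "nextHopIp" in route:
        return "ip:" + route["nextHopIp"]
    return "other"

def audit_egress(routes: list, trust_vpc: str, untrust_vpc: str, fw_ip: str) -> list:
    """Return findings; an empty list means routing matches the design."""
    findings = []
    trust = effective_default_route(routes, trust_vpc)
    if trust is None:
        findings.append(f"{trust_vpc}: no default route, Trust VMs have no egress")
    elif next_hop_kind(trust) != "ip:" + fw_ip:
        findings.append(f"{trust_vpc}: default route '{trust['name']}' bypasses "
                        f"the firewall via {next_hop_kind(trust)}")
    untrust = effective_default_route(routes, untrust_vpc)
    if untrust is None or next_hop_kind(untrust) != "internet-gateway":
        findings.append(f"{untrust_vpc}: default route must use {INTERNET_GW}")
    return findings

# Constructed sample: Trust still carries the auto-created internet route at
# priority 1000, but the 0.0.0.0/0 route to the Palo Alto Trust IP wins at 100.
SAMPLE_ROUTES = [
    {"name": "default-route-trust", "network": ".../networks/trust-vpc", "destRange": "0.0.0.0/0",
     "priority": 1000, "nextHopGateway": ".../gateways/default-internet-gateway"},
    {"name": "to-paloalto", "network": ".../networks/trust-vpc", "destRange": "0.0.0.0/0",
     "priority": 100, "nextHopIp": "192.168.30.3"},
    {"name": "default-route-untrust", "network": ".../networks/untrust-vpc", "destRange": "0.0.0.0/0",
     "priority": 1000, "nextHopGateway": ".../gateways/default-internet-gateway"},
]
```

Running `audit_egress(SAMPLE_ROUTES, "trust-vpc", "untrust-vpc", "192.168.30.3")` against real output is a quick way to confirm that nobody has re-added a lower-numbered internet route that would silently bypass the firewall.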

Palo Alto configuration

Pre-requisite configs: these are not related to the GlobalProtect feature, but are needed for the topology shown above.

  1. Create zones (Trust, Untrust).
  2. Configure the interfaces → assign them to zones → assign them to the virtual router (VR) → set IP addresses.
  3. Ensure that the interface on the Untrust side carries both the public and the private IP address.
  4. Create security policies (Trust → Untrust) and (Untrust → Trust) according to what is allowed per your requirements.
  5. Create a source NAT policy so that VMs on the internal Trust side can reach the internet. Example:

Configuration specific to GlobalProtect

This is the main focus of this blog, so I am breaking the configuration into multiple steps. The snapshots are self-explanatory.

Step 1: Create a certificate

I am creating a certificate whose subject is the external IP of the Untrust interface of the firewall. This is the certificate the GlobalProtect client will use when connected to the server.

Device → Certificate Management → Certificates → Generate

If you have a certificate from a third party, feel free to import it into the Palo Alto firewall. For the purpose of this blog I generated a certificate on the Palo Alto NGFW itself.

Step 2: Create an SSL/TLS profile

Device → Certificate Management → SSL/TLS Service Profile

Reference the certificate created in step 1.

Step 3: Users in the local database

Device → Local User Database → Users

I created a few users here.

Step 4: Create an authentication profile

Device → Authentication Profile → create

Step 5: Create a zone for VPN users

I already had 2 zones, Trust and Untrust. I created a third zone for VPN users.

Step 6: Create a tunnel interface tunnel.1 and add it to the VPN zone. Ensure no IP address is assigned to this tunnel interface.

Step 7: GlobalProtect gateway

In this example we are using a GlobalProtect gateway of type manual. An external gateway resides outside of the corporate network and provides security enforcement and/or virtual private network (VPN) access for your remote users. By default, the GlobalProtect app automatically connects to the Best Available external gateway, based on the priority you assign to the gateway, source region, and the response time.

Step 7 (a)

Step 7 (b): Under Gateway → Authentication, reference the authentication profile created earlier.

Step 7 (c): Under Gateway → Agent → Tunnel Settings, define the tunnel interface and set the tunnel mode to IPsec.

Step 7 (d): Under Gateway → Agent → Client Settings, configure:

  1. Which internal assets the clients are allowed to access
  2. The IP pool used to assign IP addresses to external clients

Step 8: Portal configuration. The GlobalProtect portal provides the management functions for your GlobalProtect infrastructure. Every endpoint that participates in the GlobalProtect network receives configuration information from the portal, including information about available gateways and any client certificates that may be required to connect to the GlobalProtect gateway(s).

  1. Specify the IP address of e1/1
  2. Reference the SSL/TLS profile
  3. In the Authentication tab, reference the authentication profile

Step 9: Your client machine needs a way to download the GlobalProtect client software, possibly a particular version. To enable this, navigate to Device → GlobalProtect Client. Ensure the required version is available and currently installed; otherwise use the “Check Now” option at the bottom of this page and follow the steps to obtain it.

TESTING

  1. On an external PC, attempt to access the URL

https://<public-IP-of-external-interface-Palo-Alto>

If the configuration is correct you should see the GlobalProtect portal page. Log in using one of the users created earlier.

  2. Download the respective version onto your client PC.

  3. Attempt to connect with the GlobalProtect client software, entering the public IP address of the Untrust interface of the Palo Alto VM.

  4. It may prompt you about a certificate.

You may allow the client software to install it on your computer, or you may export the certificate from the Palo Alto VM, bring it to your client PC, and install it in the required certificate store.

  5. Finally you should see the client software connect to the gateway.

     1. Your client machine should get an IP in the range 192.168.100.0/24, as configured in the gateway settings.
     2. On the Palo Alto VM, you can also see the list of connected clients.

Forward-looking designs with GCP and Palo Alto

Readers are encouraged to use the design described in this blog to extend their GCP network. One extended design can be as follows:

  1. Multiple workload projects.
  2. Each project can't have a Palo Alto of its own, so the design assumes you place the Palo Alto in a 'connectivity project' and connect the workload projects behind it (using VPC peering, for example).
  3. Decide your north-south traffic patterns. In the design shown here I am assuming that all north-south traffic needs to go via the firewall.
  4. Hence this firewall acts as the N-S firewall as well as the client-to-site VPN firewall.
  5. In your workload projects, ensure that you don't have a default route pointing to the local internet gateway.
  6. Instead, each workload project must have a default route imported over VPC peering. This ensures that traffic from the workload project goes to the Trust VPC in the common connectivity project and from there takes the regular path out.
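
An added check for the hub-and-spoke variant above (example code, not from the original post): for one workload VPC it verifies that the peering to the connectivity project's Trust VPC is active, that the hub exports and the spoke imports custom routes (VPC peering does not exchange them by default), that the spoke has no local default route to the internet gateway, and that a default route learned over the peering is present. Input mirrors `gcloud compute networks describe --format=json` (peerings[] with state, exportCustomRoutes, importCustomRoutes) and `gcloud compute routes list --format=json` (nextHopPeering, nextHopGateway); all names and sample data are constructed.

```python
# Added example, not from the original post. Checks the hub-and-spoke design:
# input mirrors `gcloud compute networks describe --format=json` (peerings[])
# and `gcloud compute routes list --format=json`; all names/data constructed.
from typing import Optional
DEFAULT_RANGE = "0.0.0.0/0"
INTERNET_GW = "default-internet-gateway"

def vpc_name(url: str) -> str:
    return url.rsplit("/", 1)[-1]  # network URL -> VPC name

def peering_to(network: dict, peer_vpc: str) -> Optional[dict]:
    """This VPC's peering entry whose remote network is peer_vpc, if any."""
    for p in network.get("peerings", []):
        if vpc_name(p.get("network", "")) == peer_vpc:
            return p
    return None

def audit_workload_vpc(workload: dict, hub: dict, routes: list) -> list:
    """Findings for one workload VPC; empty means it follows the design."""
    findings, w, h = [], workload["name"], hub["name"]
    # 1. Peering ACTIVE both ways; hub must export its 0.0.0.0/0 -> firewall
    #    route and the workload must import it (off by default on both sides).
    w2h, h2w = peering_to(workload, h), peering_to(hub, w)
    if not (w2h and h2w and w2h.get("state") == h2w.get("state") == "ACTIVE"):
        findings.append(f"{w}: peering with {h} is not ACTIVE in both directions")
    else:
        if not h2w.get("exportCustomRoutes"):
            findings.append(f"{h}: exportCustomRoutes is off, default route not shared")
        if not w2h.get("importCustomRoutes"):
            findings.append(f"{w}: importCustomRoutes is off, default route not received")
    # 2. No local 0.0.0.0/0 via the internet gateway; a peering-learned one present.
    defaults = [r for r in routes
                if vpc_name(r.get("network", "")) == w and r.get("destRange") == DEFAULT_RANGE]
    if any(r.get("nextHopGateway", "").endswith(INTERNET_GW) for r in defaults):
        findings.append(f"{w}: local default route to {INTERNET_GW} bypasses the firewall")
    if not any("nextHopPeering" in r for r in defaults):
        findings.append(f"{w}: no default route learned over peering")
    return findings

# Constructed sample: one workload VPC correctly peered to the hub Trust VPC.
HUB = {"name": "trust-vpc", "peerings": [{"name": "to-workload-a",
       "network": ".../networks/workload-a", "state": "ACTIVE",
       "exportCustomRoutes": True, "importCustomRoutes": False}]}
WORKLOAD_A = {"name": "workload-a", "peerings": [{"name": "to-hub",
       "network": ".../networks/trust-vpc", "state": "ACTIVE",
       "exportCustomRoutes": False, "importCustomRoutes": True}]}
ROUTES = [
    {"name": "peering-route-default", "network": ".../networks/workload-a",
     "destRange": "0.0.0.0/0", "priority": 100, "nextHopPeering": "to-hub"},
    {"name": "to-paloalto", "network": ".../networks/trust-vpc",
     "destRange": "0.0.0.0/0", "priority": 100, "nextHopIp": "192.168.30.3"},
]
```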

Disclaimer: This is to inform readers that the views, thoughts, and opinions expressed in the text belong solely to the author, and not necessarily to the author’s employer, organization, committee or other group or individual. The design samples taken in this write-up by no means indicate best practices guidelines from any organization.
