Chapter 3. Advanced Networking

3.2 Remote Access VPN

Learning Objectives

  • Configure a tunnel interface
  • Configure a remote access VPN

Prerequisites:

  • Setup Zones
  • Some interface configuration
  • Create a new user
  • Create an auth policy
  • Policy that allows VPN to Inside
  • Policy that allows Outside to VPN
  • Knowledge of previous labs

Scenario: VPNs aren’t just for changing your apparent location, as many advertisements suggest. Their real purpose is to securely access the resources of a remote location, such as your workplace or even your own home, and that is what this lab focuses on. We are going to install the GlobalProtect agent on Kali and then try to reach the Internal server through the VPN connection.

Figure 3.27: Main scenario

Table 3.5: Addressing Table

Device                  Configuration
PaloAlto-1              management: 192.168.0.1/24
                        Ethernet1/1: 10.0.0.1/24
                        Ethernet1/2: DHCP
Internal (WordPress)    eth0: 10.0.0.2/24, GW: 10.0.0.1
KaliLinux2019.3-1       eth0: DHCP
Management              eth0: 192.168.0.2/24

Table 3.6: Zone Configuration

Zone       Interface
Inside     Ethernet1/1
Outside    Ethernet1/2
VPN        Tunnel.1

Create a Tunnel Interface

Under Network > Interfaces, in the Tunnel tab, click Add.

Figure 3.28: Creating a Tunnel

In the new window, set the virtual router to default and the security zone to the VPN zone.

Figure 3.29: Tunnel Interface

Then click OK.

Enable User ACL for a Zone

Under Network > Zone, click the VPN zone.

Figure 3.30: Create a VPN Zone

Tick the Enable user identification box.

Figure 3.31: Enable User Identification under VPN Zone

Then press OK.

Generate Certs

Under Device > Certificate Management > Certificates, click on Generate.

Figure 3.32: Generate a certificate

Configure these settings in the new window:

Table 3.7: Certificate Generation

Parameter                Value
Certificate Name         Cert Name Here
Common Name              The DHCP IP of Ethernet1/2
Certificate Authority    Tick this box

Figure 3.33: Generate a certificate

Then click Generate.

Create an SSL/TLS Service Profile

Under Device > Certificate Management > SSL/TLS Service Profile, click Add.

Figure 3.34: Add SSL/TLS Service Profile

In the new window, add the certificate you generated.

Figure 3.35: Configure SSL/TLS Service Profile

Then click OK.

Create a GlobalProtect Portal

Under Network > GlobalProtect > Portals, click Add.

Figure 3.36: Add a Portal

In the general tab, set the interface to Ethernet1/2.

Figure 3.37: GlobalProtect Portal Configuration

In the Authentication tab, select the SSL/TLS service profile you created in the previous step, then click Add.

Figure 3.38: Adding SSL/TLS Profile

In the new window, change the authentication profile, then press OK.

Figure 3.39: Adding Authentication Profile

In the agent tab, in the agent section, click Add.

Figure 3.40: Adding the agent

In the Internal tab, under Internal Gateways, click Add.

Figure 3.41: Configure Internal Gateway

In this window, set Address to IP, and in the IPv4 box type the IP of Ethernet1/2.

Figure 3.42: Set the IP address for Internal Gateway

Press OK twice to return to the Agent tab. Then, in the Trusted Root CA section, add the certificate you generated and tick the box to install it in the local root certificate store.

Figure 3.43: Add the Root CA certificate

Then press OK.

Create a GlobalProtect Gateway

Under Network > GlobalProtect > Gateways, click Add.

Figure 3.44: Add a Gateway

In the general tab, set the interface to Ethernet1/2.

Figure 3.45: GlobalProtect Gateway Configuration

In the Authentication tab, add your SSL/TLS profile, then click Add.

Figure 3.46: SSL/TLS Service Profile

In the new window, select your authentication profile, then click OK.

Figure 3.47: Authentication Profile

Under the agent tab, in tunnel settings, tick the tunnel mode checkbox and select the tunnel you made.

Figure 3.48: Tunnel Mode and Interface

In client settings, click Add.

Figure 3.49: Client Settings

Make sure the Any checkbox above the OS category is ticked, then press OK.

Figure 3.50: Select Client as Any

In Client IP Pool settings, add the following IP pool range:

172.16.10.1-172.16.10.10

Figure 3.51: IP Pool Configuration

Then press OK. Don’t forget to commit the configuration!

Install the GlobalProtect Client on Kali

Open up a terminal window and run the following commands:

$ curl -L https://bit.ly/32Ljx1y --output GP.deb
$ sudo dpkg -i GP.deb
$ globalprotect connect -p [IP of Palo Alto Ethernet1/2 Here]

When connecting, it will show a validation error. Type y and press Enter.

It will also ask for your username and password. Enter the one you created prior.

Figure 3.52: Installing GlobalProtect on Kali Linux

Test Remote Access VPN

On Kali, after connecting to GlobalProtect, navigate to the IP of the WordPress Server (Internal).

Figure 3.53: Verify your configuration

If everything was correct, it should display the WordPress site!
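As an added check for the test step above (example code, not part of the original lab): given the `ip -4 addr` and `ip route` output of the Kali client after connecting, it confirms that an address from the gateway's pool (172.16.10.1-172.16.10.10) was assigned and that traffic to Internal (10.0.0.2) is routed through that tunnel interface rather than out eth0. The sample outputs are constructed, and the interface name gpd0 is an assumption.

```python
import ipaddress
import re

# Constructed sample output of `ip -4 addr` and `ip route` on the Kali client
# after `globalprotect connect`; the interface name gpd0 is an assumption.
SAMPLE_ADDRS = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    inet 203.0.113.25/24 brd 203.0.113.255 scope global dynamic eth0
5: gpd0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 state UNKNOWN
    inet 172.16.10.1/32 scope global gpd0
"""
SAMPLE_ROUTES = """\
default via 203.0.113.1 dev eth0
10.0.0.0/24 dev gpd0 scope link
172.16.10.0/24 dev gpd0 scope link
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.25
"""

# Client IP pool configured on the GlobalProtect gateway in this lab.
POOL_START = ipaddress.ip_address("172.16.10.1")
POOL_END = ipaddress.ip_address("172.16.10.10")

def tunnel_addresses(addr_text, pool_start=POOL_START, pool_end=POOL_END):
    """Return {ifname: address} for every inet address that falls inside the pool."""
    found = {}
    for m in re.finditer(r"inet (\S+)/\d+ .*?(\S+)$", addr_text, re.M):
        addr, ifname = ipaddress.ip_address(m.group(1)), m.group(2)
        if pool_start <= addr <= pool_end:
            found[ifname] = str(addr)
    return found

def route_device(route_text, target):
    """Return the device of the most specific (longest-prefix) route covering target."""
    target, best = ipaddress.ip_address(target), None
    for fields in (l.split() for l in route_text.splitlines() if l.strip()):
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, fields[fields.index("dev") + 1])
    return best[1] if best else None

def verify_vpn(addr_text, route_text, internal_host="10.0.0.2"):
    """True only if a pool address is up and Internal is reached through that interface."""
    pool_ifaces = tunnel_addresses(addr_text)
    return route_device(route_text, internal_host) in pool_ifaces
```

If verify_vpn returns False while the WordPress page still loads, the request went out eth0 rather than through the tunnel, which usually points at a missing tunnel route or an address outside the configured pool.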

License


Palo Alto Firewall Copyright © 2023 by Hamid Talebi, Xavier Cawley is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.