HTTPS using the outside IP address of the PAN Firewall (203.0.113.20) in order to download the
GlobalProtect (GP) Agent.
Login to the GP Portal using a local user account.
The GP Setup Wizard will appear. Click Next and follow the Setup Wizard for the GP installation.
The GP Agent will appear after installation completes.
To create a Host Information Profile (HIP), go to Objects > GlobalProtect > HIP Objects.
Under General > type a Name (HIP-AV1) > you can optionally type a Description.
Under Antivirus > tick Antivirus to enable > Vendor > click Add.
Select Vendor: ClamWin.
Click OK.
Click OK again.
To create a HIP Profile, go to Objects > GlobalProtect > HIP Profiles.
Type a Name (HIP-PROFILE-1) > click Add Match Criteria > the HIP Objects will appear on the left > select HIP-AV1 created earlier > click OK.
To apply the GlobalProtect HIP, go to Policies > Security > click Rule #2 (Allow-Inside-Out).
Go to User tab > under HIP Profiles > click Add > select the HIP Profile (HIP-PROFILE-1) created earlier > click OK.
To configure a HIP Notification, go to Network > GlobalProtect > Gateways > click gp-ext-gateway.
Under Agent > HIP Notification > click Add.
Under Host Information > select the HIP Profile (HIP-PROFILE-1) created earlier.
Under Match Message > tick Enable > leave the default Show Notification: System Tray Balloon > under Template > type a customized message.
Under Not Match Message > tick Enable > leave the default Show Notification: System Tray Balloon > under Template > type a customized message > click OK.
Click Commit.
On the GP Agent > under Portal > type the PAN Firewall outside IP: 203.0.113.20 > type the Username and Password > click Connect.
A Server Certificate Error message will be displayed. Click Continue.
The HIP Not Match (fail) message will appear.
Disable GP and install ClamWin Antivirus on the client machine.
Re-enable GP and it will automatically tries to re-connect. The Server Certificate Error message will be displayed again. Click Continue.
The HIP Match (success/pass) message will appear.
Notice Status: Connected under Home tab.
Under Details tab, you'll see the Assigned Local IP and Gateway info.
You can find host specific info under Host State tab.
You can use this link to verify GP users. To view GP users, go to Network > GlobalProtect > Gateways > gp-ext-gateway > under Info column > click Remote Users (hyperlink).
Go to Current User to view the active GP users. Notice a red circle mark under Logout column which means the user hasn't logout yet.
Go to Previous User to view the inactive GP users. Notice the timestamp under the Logout At column.
You can also use the CLI command show global-protect-gateway command to view and troubleshoot GP.
The show global-protect-gateway gateway displays GP Gateway specific info.
The show global-protect-gateway statistics displays GP Gateway counters or stats.
The show global-protect-gateway current-user displays active or connected GP user.
The show global-protect-gateway previous-user displays inactive GP users historical stats.
These are some other useful troubleshooting steps for GP.
To verify if there's a hit on the HIP policy, go to Monitor > HIP match > click on the magnifying glass icon to view Log Details.
You can verify successful GP authentication under Monitor > System > under Event: auth-success.
Click
Continue to this website (not recommended).
Login to the GP Portal using a local user account.
Download
the GP Agent according to your machine OS. In this case I Download Windows 64
bit GlobalProtect agent > click Run.
The GP Setup Wizard will appear. Click Next and follow the Setup Wizard for the GP installation.
The GP Agent will appear after installation completes.
To create a Host Information Profile (HIP), go to Objects > GlobalProtect > HIP Objects.
Under General > type a Name (HIP-AV1) > you can optionally type a Description.
Under Antivirus > tick Antivirus to enable > Vendor > click Add.
Select Vendor: ClamWin.
Click OK.
Click OK again.
To create a HIP Profile, go to Objects > GlobalProtect > HIP Profiles.
To apply the GlobalProtect HIP, go to Policies > Security > click Rule #2 (Allow-Inside-Out).
Go to User tab > under HIP Profiles > click Add > select the HIP Profile (HIP-PROFILE-1) created earlier > click OK.
To configure a HIP Notification, go to Network > GlobalProtect > Gateways > click gp-ext-gateway.
Under Agent > HIP Notification > click Add.
Under Host Information > select the HIP Profile (HIP-PROFILE-1) created earlier.
Under Match Message > tick Enable > leave the default Show Notification: System Tray Balloon > under Template > type a customized message.
Under Not Match Message > tick Enable > leave the default Show Notification: System Tray Balloon > under Template > type a customized message > click OK.
Click Commit.
On the GP Agent > under Portal > type the PAN Firewall outside IP: 203.0.113.20 > type the Username and Password > click Connect.
A Server Certificate Error message will be displayed. Click Continue.
The HIP Not Match (fail) message will appear.
Disable GP and install ClamWin Antivirus on the client machine.
Re-enable GP and it will automatically tries to re-connect. The Server Certificate Error message will be displayed again. Click Continue.
The HIP Match (success/pass) message will appear.
Notice Status: Connected under Home tab.
Under Details tab, you'll see the Assigned Local IP and Gateway info.
You can find host specific info under Host State tab.
You can use this link to verify GP users. To view GP users, go to Network > GlobalProtect > Gateways > gp-ext-gateway > under Info column > click Remote Users (hyperlink).
Go to Current User to view the active GP users. Notice a red circle mark under Logout column which means the user hasn't logout yet.
Go to Previous User to view the inactive GP users. Notice the timestamp under the Logout At column.
You can also use the CLI command show global-protect-gateway command to view and troubleshoot GP.
The show global-protect-gateway gateway displays GP Gateway specific info.
The show global-protect-gateway statistics displays GP Gateway counters or stats.
The show global-protect-gateway current-user displays active or connected GP user.
The show global-protect-gateway previous-user displays inactive GP users historical stats.
These are some other useful troubleshooting steps for GP.
To verify if there's a hit on the HIP policy, go to Monitor > HIP match > click on the magnifying glass icon to view Log Details.
No comments:
Post a Comment