Set Up Access to Your Corporate Network

In some cases, you will want to enable the GlobalProtect cloud service to access your data center/HQ network. For example, if your security policy requires user authentication using an on-premise authentication service, such as your Active Directory, you will need to enable the GlobalProtect cloud service to access the corporate location where the service resides (and set up a service account that the service can use to access it). Similarly, if you have corporate resources that your remote networks and mobile users will need to access, you must enable the GlobalProtect cloud service to access the corresponding corporate network. You can set up service connections to up to three sites. Traffic over the service connections does not decrement bandwidth from the bandwidth pool you purchased, and GlobalProtect cloud service does not limit the bandwidth over this connection.
In other cases, you might not need to enable access to your data center/HQ network, but you do want to enable your mobile users to access your remote network locations. In this case, Create a Service Connection to Enable Access between Mobile Users and Remote Networks . Configuring a service connection allows the remote networks and mobile users to connect to each other using the service connection in a hub-and-spoke architecture.
In order for the GlobalProtect cloud service to route users to the resources they need in your data center/HQ networks via the service connection, you must provide the routes to the resources. You can do this in several ways. You can either define a static route to each subnetwork or specific resource that you want your users to be able to access, or configure BGP between your service connection locations and the GlobalProtect cloud service, or use a combination of both methods. If you configure both static routes and enable BGP, the static routes will take precedence. While it might be convenient to use static routes if you have just a few subnetworks or resources you want to allow access to, in a large data center/HQ environment where you have routes that change dynamically, BGP will enable you to scale easier. Dynamic routing also provides redundancy for your service connections. If one service connection tunnel is down, BGP can dynamically route mobile user and remote network traffic over the operational service connection tunnel.
  1. Select PanoramaCloud ServicesConfigurationService Setup.
  2. In the Onboarding section, Add a new service connection to one of your corporate network sites.
  3. Specify a Name for the corporate site.
  4. Select the Region closest to where the site is located.
    GlobalProtect cloud service supports the following AWS regions:
    • Asia Pacific (Mumbai)
    • Asia Pacific (Seoul)
    • Asia Pacific (Singapore)
    • Asia Pacific (Sydney)
    • Asia Pacific (Tokyo)
    • Canada (Montreal)
    • EU (Frankfurt)
    • EU (Ireland)
    • EU (London)
    • South America (Sao Paulo)
    • US East (N. Virginia)
    • US East (Ohio)
    • US West (N. California)
    • US West (Oregon)
    You can also see a list of all the supported regions in the drop-down:
    regions-supported.png
  5. Select or add a new IPSec Tunnel configuration to access the firewall, router, or SD-WAN device at the corporate location:
    • If you have added a template to the Service _Conn_Template_Stack (or modified the predefined Service_Conn_Template) that includes an IPSec Tunnel configuration, select that IPSec Tunnel from the drop-down. Note that the tunnel you are creating for each service connection connects the GlobalProtect cloud service to the IPSec-capable device at each corporate location. The peer addresses in the IKE Gateway configuration must be unique for each tunnel. You can, however, re-use some of the other common configuration elements, such as Crypto profiles.
      The IPSec Tunnel you select from a template must use Auto Key exchange and IPv4 only.
    • To create a new IPSec Tunnel configuration, click New IPSec Tunnel, give it a Name and configure the IKE Gateway , IPSec Crypto Profile , and Tunnel Monitoring settings.
      • If the IPSec-capable device at your HQ or data center location uses policy-based VPN, on the Proxy IDs tab, Add a proxy ID that matches the settings configured on your local IPSec device to ensure that the GlobalProtect cloud service can successfully establish an IPSec tunnel with your local device.
    • Leave Enable Replay Protection selected to detect and neutralize against replay attacks.
    • Select Copy TOS Header to copy the Type of Service (TOS) header from the inner IP header to the outer IP header of the encapsulated packets in order to preserve the original TOS information.
    • To enable tunnel monitoring for the service connection, select Tunnel Monitor.
      • Enter a Destination IP address.
        Specify an IP address at your HQ or data center site to which the GlobalProtect cloud service can send ICMP ping requests for IPSec tunnel monitoring. Make sure that this address is reachable by ICMP from the entire GlobalProtect cloud service infrastructure subnet.  
      • If you use tunnel monitoring with a peer device that uses multiple proxy IDs, specify a Proxy ID or add a New Proxy ID that allows access from the infrastructure subnet to your HQ or data center site.
        The following figure shows a proxy ID with the service infrastructure subnet (172.16.55.0/24 in this example) as the Local IP subnet and the HQ or data center’s subnet (10.1.1.0/24 in this example) as the Remote subnet.
        tunnel-monitor-proxy-id.png
        The following figure shows the Proxy ID you created being applied to the tunnel monitor configuration by specifying it in the Proxy ID field.
      service-connection-tunnel-profile.png
      To find the destination IP address to use for tunnel monitoring from your data center or HQ network to the GlobalProtect cloud service, select PanoramaCloud ServicesStatusNetwork Details, click the Service Infrastructure radio button, and find the Tunnel Monitor IP Address.
  6. Enable routing to the subnetworks or individual IP addresses at the corporate site that your users will need access to.
    The GlobalProtect cloud service uses this information to route requests to the appropriate site. The networks at each site cannot overlap with each other or with IP address pools that you designated for the service infrastructure or for the GlobalProtect cloud service for mobile users IP pools. You can configure Static Routes, BGP, or a combination of both.
    To configure Static Routes:
    1. On the Static Routes tab, click Add and enter the subnetwork address (for example, 172.168.10.0/24) or individual IP address of a resource, such as a DNS server (for example, 10.32.5.1/32) that your remote users will need access to.
    2. Repeat for all subnets or IP addresses that the GlobalProtect cloud service will need access to at this location.
      service-connection-onboarding.png
    To configure BGP:
    1. On the BGP tab, select Enable.
    2. (Optional) To prevent the BGP peer on the cloud firewall from forwarding routes into your data center/HQ network, select Don’t export routes.
      By default, the GlobalProtect cloud service advertises all BGP routing information, including local routes and all prefixes it receives from other service connections, remote networks, and mobile user subnets. Select this check box to prevent the GlobalProtect cloud service from sending any BGP advertisements, but still use the BGP information it receives to learn routes from other BGP neighbors.
      Since the GlobalProtect cloud service does not send BGP advertisements if you select this option, you must configure static routes on the on-premise equipment to establish routes back to the GlobalProtect cloud service.
    3. Enter the Peer AS, which is the autonomous system (AS) to which the firewall virtual router or BGP router at your data center/HQ network belongs.
    4. Enter the IP address assigned as the Router ID of the eBGP router on the data center/HQ network for which you are configuring this service connection as the Peer Address.
    5. (Optional) Enter and confirm a passphrase to authenticate BGP peer communications.
      service-connection-bgp-onboarding.png
  7. If you have a secondary WAN link at this location, select Enable Secondary WAN and then select or configure an IPSec Tunnel the same way you did to set up the primary IPSec tunnel.
    If the primary WAN link goes down, the GlobalProtect cloud service detects the outage and establishes a tunnel to the remote network location over the secondary WAN link. If the primary WAN link becomes active, the link switches back to the primary link.
  8. Commit all your changes to Panorama and push the configuration changes to the GlobalProtect cloud service.
    1. Click CommitCommit to Panorama.
    2. Click CommitPush to Devices and select Edit Selections. Select GlobalProtect cloud serviceGlobalProtect cloud service for service setup then click OK and Push.
      gpcs-commit-service-setup.png
  9. Configure the IPSec tunnel from your IPSec-capable device on your corporate network back to the GlobalProtect cloud service.
    1. To determine the IP address of the tunnel within the GlobalProtect cloud service, select PanoramaCloud ServicesStatusNetwork Details, click the Service Connection radio button, and note the Service IP Address for the site.
      The Service IP Address is the public-facing address that you will need to connect to when you create the tunnel from your IPSec-capable device back to the GlobalProtect cloud service.
      network-details-service-connection-ip-address.png
    2. On your IPSec-capable device at the corporate location, configure an IPSec tunnel that connects to the Service IP Address within the GlobalProtect cloud service and commit the change on that device so that the tunnel can be established.
  10. To verify that the service connection has been successfully set up, select Panorama > Cloud Services > Status > Status and check that the Status is OK.
    gpcs-service-connection-status.png
    If the status is not OK, hover over the Status icon to view any errors.
  11. To see a graphical representation of the service connection along with status details, select Service Connection on the Monitor tab.
    Hover over any of the circled locations for a region to see the number of tunnels and their status.
    verify_service_connection.PNG
  12. (Optional) If you configured BGP, check the BGP status. Select PanoramaCloud ServicesStatusNetwork Details, select Service Connection, and Show BGP Status.
    show-bgp-status.png
    The BGP Status dialog displays. This table provides you with the following information:
    • Peer—Routing information for the BGP peer.
      bgp-status-peer.png
    • RIB In—Routing information that has been received from different peers and is stored in the Routing Information Base (RIB).
      Only the first 256 entries are shown. To view additional entries, enter a subnet or IP address in the Filter field and click Apply Filter to view a subset of the routing entries up to a maximum of 256.
      bgp-status-rib-in.png
    • RIB Out—Routing information that the GlobalProtect cloud service advertises to its peers through BGP update messages. See How BGP Advertises Mobile User IP Address Pools for an example of this table.

Related Documentation