Use Case: VM-Series Firewalls as GlobalProtect Gateways on AWS
Securing mobile users from threats and risky applications is often a complex mix of procuring and setting up the security and IT infrastructure and meeting bandwidth and uptime requirements in multiple locations around the globe, all while staying within your budget.
The VM-Series firewall on AWS melds the security and IT logistics required to consistently and reliably protect devices used by mobile users in regions where you do not have a presence. By deploying the VM-Series firewall in the AWS cloud, you can quickly and easily deploy GlobalProtect™ gateways in any region without the expense or IT logistics that are typically required to set up this infrastructure using your own resources.
To minimize latency, select AWS regions that are closest to your users, deploy the VM-Series firewalls on EC2 instances, and configure the firewalls as GlobalProtect gateways. With this solution, the GlobalProtect gateways in the AWS cloud enforce security policy for internet traffic so there is no need to backhaul that traffic to the corporate network. Additionally, for access to resources on the corporate network, the VM-Series firewalls on AWS leverage the LSVPN functionality to establish IPSec tunnels back to the firewall on the corporate network.
For ease of deployment and centralized management of this distributed infrastructure, use Panorama to configure the GlobalProtect components used in this solution. Optionally, to ensure that mobile devices, such as smartphones and tablets, are safe for use on your network, use a Mobile Device Manager to configure and manage mobile devices.
Components of the GlobalProtect Infrastructure
To block risky applications and protect mobile users from malware, you must set up the GlobalProtect infrastructure, which includes the GlobalProtect portal, the GlobalProtect gateway, and the GlobalProtect app. Additionally, for access to corporate resources, you must set up an IPSec VPN connection between the VM-Series firewalls on AWS and the firewall in the corporate headquarters using LSVPN (a hub-and-spoke VPN deployment).
The GlobalProtect agent/app is installed on each end-user system that is allowed to access corporate applications and resources. The agent first connects to the portal to obtain information on the gateways and then establishes a secure VPN connection to the closest GlobalProtect gateway. The VPN connection between the end-user system and the gateway ensures data privacy.

The GlobalProtect portal provides the management functions for the GlobalProtect infrastructure. Every end-user system receives configuration information from the portal, including information about available gateways as well as any client certificates that may be required to connect to the GlobalProtect gateway(s). In this use case, the GlobalProtect portal is a hardware-based firewall that is deployed in the corporate headquarters.

The GlobalProtect gateway delivers mobile threat prevention and policy enforcement based on applications, users, content, device, and device state. In this use case, the VM-Series firewalls on AWS function as the GlobalProtect gateways. The GlobalProtect gateway scans each user request for malware and other threats, and, if policy allows, sends the request to the internet or to the corporate network over the IPSec tunnel (to the LSVPN gateway). For LSVPN, you must configure the GlobalProtect portal, the GlobalProtect gateway for LSVPN (hub), and the GlobalProtect satellites (spokes).
In this use case, the hardware-based firewall in the corporate office is deployed as the GlobalProtect portal and the LSVPN gateway. The VM-Series firewalls on AWS are configured to function as GlobalProtect satellites. The GlobalProtect satellites and gateway are configured to establish an IPSec tunnel that terminates on the gateway. When a mobile user requests an application or resource that resides on the corporate network, the VM-Series firewall routes the request over the IPSec tunnel.
Deploy GlobalProtect Gateways on AWS
To secure mobile users, in addition to deploying and configuring the GlobalProtect gateways on AWS, you need to set up the other components required for this integrated solution. The following table includes the recommended workflow:
Deploy GlobalProtect on AWS

Step 1. Deploy the VM-Series firewall(s) on AWS. See Deploy the VM-Series Firewall on AWS.

Step 2. Configure the firewall at the corporate headquarters. In this use case, the firewall is configured as the GlobalProtect portal and the LSVPN gateway:
- Configure the GlobalProtect portal.
- Configure the GlobalProtect portal for LSVPN.
- Configure the portal to authenticate LSVPN satellites.
- Configure the GlobalProtect gateway for LSVPN.

Step 3. Set up a template on Panorama for configuring the VM-Series firewalls on AWS as GlobalProtect gateways and LSVPN satellites. To easily manage this distributed deployment, use Panorama to configure the firewalls on AWS. Create template(s) on Panorama, then use the following links to define the configuration in the templates:
- Configure the firewall as a GlobalProtect gateway.
- Prepare the satellite to join the LSVPN.

Step 4. Create device groups on Panorama to define the network access policies and internet access rules and apply them to the firewalls on AWS. See Create device groups.

Step 5. Apply the templates and the device groups to the VM-Series firewalls on AWS, and verify that the firewalls are configured properly.

Step 6. Deploy the GlobalProtect client software. Every end-user system requires the GlobalProtect agent or app to connect to the GlobalProtect gateway. See Deploy the GlobalProtect client software.
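One verification a practitioner would add to the last steps above is a check that the EC2 security group on each gateway's untrust interface exposes only the GlobalProtect listeners. The following is an added example, not code from the original page or from Palo Alto Networks; it assumes the gateway listens on TCP 443 and UDP 4501, evaluates the IpPermissions structure returned by boto3's describe_security_groups(), and runs offline on constructed sample data.

```python
"""Audit an EC2 security group attached to a VM-Series GlobalProtect gateway.

Added example, not part of the original page: it evaluates the IpPermissions
structure that boto3's describe_security_groups() returns, so it runs offline
on constructed sample data. Assumed allowed inbound set: TCP 443 (SSL/TLS)
and UDP 4501 (IPSec) on the gateway's untrust interface; management access
belongs in a separate, source-restricted security group.
"""
from typing import Dict, List, Tuple

# (protocol, from_port, to_port) a GlobalProtect gateway's public-facing
# security group should expose, and nothing else (assumption, see above).
GP_GATEWAY_INGRESS = {("tcp", 443, 443), ("udp", 4501, 4501)}


def audit_gateway_ingress(permissions: List[Dict]) -> Tuple[bool, List[str]]:
    """Return (ok, findings) for a list of IpPermissions entries.

    A finding is raised for any rule that is not an expected GlobalProtect
    listener and for any expected listener that is missing entirely.
    """
    findings: List[str] = []
    seen = set()
    for rule in permissions:
        proto = rule.get("IpProtocol")
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        sources += [g["GroupId"] for g in rule.get("UserIdGroupPairs", [])]
        if proto == "-1":  # all traffic: never acceptable on the untrust side
            findings.append(f"all-protocol rule from {sources}")
            continue
        key = (proto, rule.get("FromPort"), rule.get("ToPort"))
        if key in GP_GATEWAY_INGRESS:
            seen.add(key)
        else:
            findings.append(f"unexpected {proto} {key[1]}-{key[2]} from {sources}")
    for missing in sorted(GP_GATEWAY_INGRESS - seen):
        findings.append(f"missing listener {missing[0]}/{missing[1]}")
    return (not findings), findings


# Constructed sample: the gateway group also leaves SSH open to the world.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "udp", "FromPort": 4501, "ToPort": 4501,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
```

Feed it the IpPermissions list of each gateway's untrust security group; any finding means the group drifted from the expected listener set and should be reviewed before the gateway is published to users.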