
How to Configure SSL VPN on PANOS 4.

PAN administrators have the ability to configure the firewall to provide client-to-site VPN access by configuring the SSL VPN portal. This will provide a means for an end user to authenticate to a web page, automatically download a client [1] and provide a network connection via IPSec or SSL [2]. Administrators will then be able to configure policy for individual users as they would for a normal firewall policy.

To determine beforehand:
- Determine how to authenticate the users. The options, as of PANOS 4.0.0, are Local, RADIUS, LDAP, Kerberos Authentication.
- Determine what the clients' IP pool(s), DNS servers/suffixes and tunneled subnets will be.
- Determine how the firewall will be physically connected and addressed.
- It is important to configure the proper routing in the internal network. Routes will need to be added where the destinations will be the IP pool subnets and the next hops will be the firewall.
- The Palo Alto Networks firewall must be running PANOS 3.0.0 or higher.
- If using a RADIUS server for authentication, the RADIUS server IP/port/password should already be configured on the firewall (Device tab -> Setup screen).

Part 1: Configuring the PAN Firewall

1. To load the current SSL VPN client to the firewall, log in to the firewall's GUI. This client will be used when users first log in to the SSL VPN Portal. Go to the Device tab -> SSL-VPN Client. Click Refresh at the bottom of the screen.

2. After the screen refreshes, click on Download next to the latest version.

A popup window will display the status. Once the download has completed, click OK in the popup.
[1] 4.0.2 support is for Windows 7, Vista, XP 32 and 64 bit, and OS X 10.5 and 10.6 32 and 64 bit.
[2] IPSec transport will be faster, but the client will fall back to SSL if UDP 4501 is blocked somewhere along the path.

PANOS 4.0.2

3. The screen will refresh and now the Download hyperlink will say Activate. Click on Activate.

This client will now be downloaded by users' PCs when they initially connect to the SSL VPN.

4. To generate a self-signed certificate used by the SSL VPN portal, go to the Device tab -> Certificates. At the bottom of the page, click Generate.

5. Enter a Name for the certificate, Common Name, Pass Phrase, Country Code, State, Locality, Organization, Department and Email Addresses in the appropriate fields.


After clicking Generate, the certificate will be generated and installed.

6. You have a choice of using either a RADIUS, LDAP, or Kerberos server to authenticate the remote users, or a local user database. If you are going to use a RADIUS server, skip ahead to step 8. Otherwise, you will now create users in your local database. Go to the Device tab -> Local User Database -> Users and click New. Create a username and password by entering them in the appropriate fields. Click OK when finished. You can create multiple usernames if you desire.


7. (optional) You can add those users to a local group. Go to the Device tab -> Local User Database -> User Groups and click New. Give the group a name and then select the appropriate usernames. Click OK.

8. An Authentication Profile is necessary in order to tie authentication to an SSL VPN Portal. Go to Device tab -> Authentication Profile and click New. Create a name for the profile; enter numbers for the Failed Attempts and Lockout Time. Also select Local DB or RADIUS as appropriate.

9. Click on Edit Allow List. You can either:
a) Select the group(s), click Add User Group and click OK,
or
b) Under Users, enter the username, click Find, click Add User then OK.


In this example, we'll use the group, so the profile will now look like this:

Click OK to close the Authentication Profile screen.

10. Configure a tunnel interface to tell the firewall where the users' tunnels will terminate. You can use the default tunnel interface for the first SSL VPN Portal you configure. Go to the Network tab -> Interfaces and click tunnel.


11. Set the virtual router and zone where you would like the tunnel interface to terminate.

In the example in this document, we put it in the Trust zone so that we don't have to create a policy to allow the VPN users access to internal resources. Best practice: place the tunnel interface in the untrusted zone. By doing this, you can then inspect traffic from SSL clients for threats, and control which applications the SSL clients can send into the corporate network. If you place the tunnel interface in an untrusted zone, make sure to create a policy from untrust to trust that allows traffic to flow.

12. Determine which public interface will be used as the SSL VPN external IP. Go to Network tab -> Interfaces, and make sure that interface does NOT have https enabled in its management profile. [3]

13. Create a new SSL VPN Portal. This associates the certificate, authentication page, authentication profile, tunnel interface, external IP address and the client into one SSL VPN instance. Go to the Network tab -> SSL-VPN and click New.

[3] If the public interface did have https enabled, then any SSL requests to the public IP would bring up a firewall login page, not the SSL VPN login page.


14. On the SSL VPN tab, enter the information as follows:
- Portal name: any name you choose
- Tunnel interface: tunnel
- Max users: (optional) your choice, but pay attention to the limits of the device
- Authentication profile: LocalProfile
- Server certificate: SSLVPNx
- Enable or disable IPSec encapsulation (if this is not selected, users will always use SSL)
- Enable or disable HTTP to HTTPS redirect (if this is not selected, users must use HTTPS to get a login screen)
- Gateway Address: Interface and IP Address are the interface and IP address that users will point their browsers to. This will be your external interface/IP.
- Login lifetime: (optional)
- Inactivity logout: (optional)

Here is an example configuration:

15. Select the Client Configuration tab and enter information as follows:
- Primary DNS: enter an appropriate value for your network
- DNS suffix: (optional)
- IP Pool for the clients: whatever pool you choose. These IP ranges will be entered into the firewall's routing table; any traffic targeted to these IPs will be sent over the tunnel interface. Be careful that these routes do not conflict with other routes on the firewall.
- Split Tunneling-Access Route: Enter the networks that need to be sent over the tunnel. These routes will go into the client's routing table. To have the client machine send everything over the tunnel, enter

Click OK to close the New SSL-VPN Configuration screen.

16. If you put your tunnel interface in the untrusted zone, you must now create a security policy to allow traffic from the untrusted zone to the internal zone. Specify the particular applications you want to allow, and enable threat detection if you so desire.

17. Commit your changes.

18. From the firewall's CLI, run this command: show routing route. Make sure the routes you see there are as you expect. You will see that packets destined for the IP pool will be sent over the tunnel interface back to the clients.
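The route conflict that step 15 warns about, and that step 18 checks for after the commit, can also be checked before choosing a pool. The following is an added example, not part of the original document and not Palo Alto Networks code; the route table, pool values and interface names are constructed, and the classification assumes ordinary longest-prefix-match routing.

```python
import ipaddress

def pool_networks(pool):
    """Expand a pool written as 'first-last' or as CIDR into CIDR networks."""
    if "-" in pool:
        first, last = (ipaddress.ip_address(p.strip()) for p in pool.split("-"))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(pool.strip())]

def classify(pool_net, route):
    """Describe how an existing route relates to one pool network, or None."""
    if not pool_net.overlaps(route):
        return None
    if route.subnet_of(pool_net):
        # Equal or more specific: longest-prefix match prefers the existing
        # route, so some pool addresses would not go out the tunnel interface.
        return "existing route wins"
    # Less specific: the pool route wins, but it removes these addresses
    # from the range the existing route used to cover.
    return "pool carves out of route"

def find_conflicts(pools, existing_routes):
    """Return sorted (pool, destination, interface, kind) tuples."""
    found = set()
    for pool in pools:
        for net in pool_networks(pool):
            for dest, iface in existing_routes:
                route = ipaddress.ip_network(dest)
                if route.prefixlen == 0:
                    continue  # default route overlaps everything; not a conflict
                kind = classify(net, route)
                if kind:
                    found.add((pool, dest, iface, kind))
    return sorted(found)

# Constructed sample data (not taken from the page or from a real device).
EXISTING_ROUTES = [
    ("0.0.0.0/0", "ethernet1/1"),
    ("10.31.0.0/16", "ethernet1/2"),
    ("10.31.32.64/32", "ethernet1/3"),
    ("192.168.50.0/24", "ethernet1/2"),
]
POOLS = ["10.31.32.1-10.31.32.100", "172.16.9.0/24"]

if __name__ == "__main__":
    for pool, dest, iface, kind in find_conflicts(POOLS, EXISTING_ROUTES):
        print(f"{pool}: overlaps {dest} via {iface} ({kind})")
```

With the sample data, the first pool is flagged twice (once against the internal /16 and once against a host route that would take one pool address away from the tunnel), and the second pool is clean.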

Part 2: Establishing a tunnel from the client

19. Open a browser and connect via HTTPS to the Gateway IP address (as configured in Step 14). You will get a certificate error because the portal's certificate is self-signed (Step 4); that is fine, proceed with loading the page. A login screen will appear.

20. Enter the user credentials that you created previously, and click Login.

If you cannot log in, look for errors in the firewall's system log (Monitor tab -> System).

21. If you log in successfully, the screen below will appear.

Click Start to begin the download and installation process.

22. After accepting some Java and certificate warnings, the client should automatically launch. You should see bytes received and sent in the client.



23. You will also see an icon in the System Tray, and a pop-up will appear saying NetConnect is connected. The tiny orange lock on the icon also indicates the tunnel is established.

24. Right click on the NetConnect icon, and select Information.

25. Select Network Configuration, and scroll down to locate the PAN Virtual Ethernet Adapter. Notice that its settings match what you configured.



26. Now that the tunnel is established, ping over the tunnel to an IP address that is in your internal network. It should be successful. If it is not successful, check the routing table on the client machine. Make sure there is a route that sends traffic over the tunnel interface. Perform a traceroute to a server in the corporate network, to try to determine where the issue is.

27. On the firewall, go to Monitor -> Logs -> Traffic to see traffic coming in from that user.

28. On the firewall, go to Monitor -> Logs -> System to view SSL VPN related messages. You can enter subtype eq sslvpn in the Filter field to show only SSL VPN related messages.

29. Log in to the CLI and type show ssl-vpn current-user to see users who have established sessions. This command will show you the client IP, where they connected to and what type of tunnel they established.

You can also see this information in the GUI under Network tab -> SSL VPN -> More Users Info.



30. Type show ssl-vpn flow. This will give you an overview of the total number of tunnels for a given portal.
