Onboard the GlobalProtect Gateway and Configure the Prisma Access Portal

Table of Contents

Filter

Expand All | Collapse All

Prisma Access Docs

Activation & Onboarding
Administration
Version
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Integrations
Incidents & Alerts
Release Notes
Version
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred

Configure the Router Instances

Onboard Branch Offices in Mainland China to Prisma Access

Onboard the GlobalProtect Gateway and Configure the Prisma Access Portal

Where Can I Use This?	What Do I Need?
Prisma Access (Managed by Panorama)	Prisma Access license

To complete the mobile user setup for Prisma Access, you create a GlobalProtect gateway and add that gateway to the Prisma Access portal. You configure the gateway in the VM-series firewall (Router 1) instance in VPC 1 in mainland China. After configuration is complete, mobile users in mainland China connect to the Prisma Access portal, which directs them to the GlobalProtect gateway in mainland China.

To configure the gateway and portal for a mainland China deployment, compete the following steps.

Add a GlobalProtect gateway and give it a name.
1. Select an Interface of ethernet1/1.
2. Add an Authentication method, specifying the Authentication Profile you created when you configured the router instances
3. Configure Tunnel Settings by enabling Tunnel Mode and selecting tunnel.1 as the Tunnel Interface.
4. For the Client IP Pool, select the IP address and subnet that you specified for the tunnel.1 tunnel interface (192.168.200.0/24 in this example).
5. For Network Services, select the primary DNS IP address of the tunnel.1 interface as the Primary DNS IP address.
Add and configure a DNS proxy to provide DNS services to mobile users.
1. Select NetworkDNS Proxy and Add a DNS proxy.
2. Specify the IP address of the Alibaba Cloud DNS server as the Primary server.
3. To configure a different DNS proxy server to resolve internal domains, Add one or more DNS Proxy Rules and specify the Primary IP address of your organization’s DNS server and your organization’s Domain Name.
4. Save and Commit your changes.
5. (Optional) If redundancy is required, add one more VM-series instance as a GlobalProtect gateway and a router instance Router 2 in Alibaba Cloud. You can deploy this second set in the same or different regions and it will operate as an additional GlobalProtect gateway in China.
Configure a Prisma Access portal and configure that portal to use the mainland China gateway.
1. From the Panorama that manages Prisma Access, select NetworkGlobalProtectPortals
  Be sure to select Mobile_User_Template from the Template drop-down.
2. Select GlobalProtect_Portal to edit the Prisma Access portal configuration.
3. Select the Agent tab and select the DEFAULT agent configuration or Add a new one.
4. Select the External tab and Add an on-premise gateway with the name GPCS-CHINA-GW.
5. Specify the following parameters:
  Specify the IP address of the VM-series ENI-Untrust interface.
  Select the Source Region of CN.
  Set the priority to High.
6. Click OK to save your changes.
7. Continue to click OK until the portal configuration window closes.
Commit all your changes to Panorama and push the configuration changes to Prisma Access.
1. Click CommitCommit to Panorama.
2. Click CommitPush to Devices and click Edit Selections.
3. On the Prisma Access tab, make sure that Prisma Access for users is selected and then click OK.
4. Click Push.