Sunday, August 19, 2012

PaloAlto SSL VPN configuration


Enable the SSL VPN client
Device > SSL VPN Client > Activate

Create a certificate
Device > Certificates > Generate

Select the user source for SSL VPN
Device > Authentication (Local DB, RADIUS, LDAP, Kerberos)

SSL VPN network environment settings
Network > Interface
Network > Zones
SSL VPN connections must come from untrust (source) into trust (destination), so two ethernet interfaces must be configured and two zones created.

Configure routing
Network > Virtual Routers
Tick the ethernet interface configured for SSL VPN, plus one tunnel interface.
Configure one route toward untrust: Destination (e.g. IP 0.0.0.0), Interface set to the untrust ethernet, and set the next-hop router IP for that ethernet.
Configure another route toward the subnet the SSL VPN clients need to reach, with Interface set to the trust ethernet.

Finally, configure the SSL VPN
Network > SSL VPN > Add
Server Certificate: select the certificate created earlier. Authentication Profile: select the authentication profile created earlier.
Tunnel Interface: select the tunnel. MAX User must also be set; the highest user count available depends on the server model.
Gateway Address: select the untrust (source) Interface and that ethernet's IP.
Client Configuration: set the Primary DNS Server IP that the SSL VPN client will use for DNS resolution once connected; IP pool is the subnet from which SSL VPN clients obtain their IP address;
Access Router sets the router IP for the subnets SSL VPN users are allowed to reach.

Verify the SSL VPN
https://IP (untrust ethernet IP)

The article above is based on an article of unknown origin found online.




Palo Alto – SSL VPN Configuration

Published on March 18, 2011 by Owen in Palo Alto Networks
A brief guide on creating an SSL portal and obtaining/deploying the SSL VPN client.
Download and Enable the SSL Client
Users will need to have the SSL VPN client installed before they'll be able to access the SSL portal. This client is downloaded on first logon, but for it to be available to the user you'll need to download the installer to the Palo Alto device. This can be accomplished by following the steps below:
1. Navigate to Device > SSL-VPN Client > Refresh – for this step to successfully complete the FW will require Internet access.
2. Choose the appropriate version of the client and select download.
3. Once downloaded the client will need to be activated. Select ‘activate’ to do this.
4. The SSL client installer is ready for deployment from the device.
Create an SSL-VPN Profile
This profile will be assigned to clients included in the specified authentication group(s). Different SSL portals can be created for different user/group(s) if required.
1. Navigate to Network > SSL-VPN > New.
2. Portal name: Enter a portal name.
3. Virtual system: If left blank this will be automatically populated on saving.
4. Tunnel interface: Select or create a tunnel interface that will be used with this profile.
5. Authentication: Select or create an authentication profile.
  • Device > Authentication Profile > New.
  • Name: Enter a meaningful name for the profile.
  • Lockout – failed attempts: If 0 is used the account will never become locked out.
  • Lockout – lockout time: If 0 is used the account lockout time never takes effect.
  • Allow list > Edit allow list: Enter/select the groups/users that should be granted access to the SSL portal.
  • Authentication: Select from the drop-down list the type of authentication that should be used. Methods include Local DB (a user/group will need to be created on the Palo Alto FW), RADIUS or LDAP.
6. Server certificate: A self-signed certificate can be generated, but if this is to be used on the public domain it may be best to purchase a public cert.
7. Enable IPsec encapsulation of client traffic: Check this box.
8. Redirect HTTP traffic to HTTPS login page: Optional.
9. Interface: Select the interface that will be used for incoming VPN connections.
10. IP address: Select the appropriate IP address from the list (as more than one may be bound to the interface).
11. Login lifetime: Enter a max session lifetime.
12. Inactivity logout: Enter an inactivity timeout value.
13. Client Configuration.
  • Primary/Secondary DNS: Primary/Secondary DNS server addresses.
  • Primary/Secondary WINS: Primary/Secondary WINS server addresses.
  • IP Pool – Subnet/Range: Enter an IP address range that can be assigned to remote clients.
  • DNS Suffix: Enter the DNS suffix.
  • Split tunnelling route: If you're allowing clients to use multiple subnets, enter the routes here.
There you have it, your SSL VPN is created.
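An added example, written by this editor and not part of either guide above: a small check that validates the Client Configuration values both guides describe (IP pool, split-tunnel routes, Primary DNS) against the untrust interface and the trust subnets, catching the mistakes that make a freshly created portal connect but not pass traffic. All addresses in it are constructed sample values.

```python
import ipaddress


def check_client_config(ip_pool, untrust_interface, trust_subnets,
                        split_tunnel_routes, primary_dns):
    """Return a list of problems found in an SSL VPN client configuration.

    ip_pool             -- IP Pool handed to remote clients, e.g. "10.200.0.0/24"
    untrust_interface   -- untrust ethernet address, e.g. "203.0.113.10/24"
    trust_subnets       -- subnets reachable behind the trust interface
    split_tunnel_routes -- "Split tunnelling route" entries pushed to clients
    primary_dns         -- Primary DNS server handed to clients
    """
    problems = []
    pool = ipaddress.ip_network(ip_pool, strict=False)
    untrust_net = ipaddress.ip_interface(untrust_interface).network
    trust = [ipaddress.ip_network(s, strict=False) for s in trust_subnets]
    routes = [ipaddress.ip_network(r, strict=False) for r in split_tunnel_routes]
    dns = ipaddress.ip_address(primary_dns)

    # The pool must not collide with the untrust network or any trust subnet,
    # otherwise return traffic for clients is routed out the wrong interface.
    if pool.overlaps(untrust_net):
        problems.append(f"IP pool {pool} overlaps untrust network {untrust_net}")
    for net in trust:
        if pool.overlaps(net):
            problems.append(f"IP pool {pool} overlaps trust subnet {net}")

    # Each split-tunnel route should be a subnet that really sits behind the
    # trust interface; a 0.0.0.0/0 entry silently turns it into a full tunnel.
    for r in routes:
        if r.prefixlen == 0:
            problems.append(f"route {r} sends all client traffic through the tunnel")
        elif not any(r.subnet_of(net) for net in trust):
            problems.append(f"split-tunnel route {r} is not behind the trust interface")

    # With split tunnelling, the pushed DNS server must itself lie inside a pushed
    # route, or clients will resolve names via their local resolver instead.
    if routes and not any(dns in r for r in routes):
        problems.append(f"primary DNS {dns} is not covered by any split-tunnel route")
    return problems


if __name__ == "__main__":
    # Constructed sample: DNS server lives in a subnet that is not pushed to clients.
    for p in check_client_config("10.200.0.0/24", "203.0.113.10/24",
                                 ["192.168.10.0/24", "192.168.20.0/24"],
                                 ["192.168.10.0/24"], "192.168.20.53"):
        print("WARNING:", p)
```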
