A brief guide on creating a SSL portal and obtaining/deploying the SSL VPN client.
Download and Enable the SSL Client
Users will need to have the SSL VPN client installed before they’ll be able to access the SSL portal. This client is downloaded on 1st logon, but for it to be available to the user you’ll need to download the installer to the Palo Alto device. This can be accomplished by following the steps below:
1. Navigate to Device > SSL-VPN Client > Refresh – for this step to successfully complete the FW will require Internet access.
2. Choose the appropriate version of the client and select download.
3. Once downloaded the client will need to be activated. Select ‘activate’ to do this.
4. The SSL client installer is ready for deployment from the device.
Create a SSL-VPN Profile
This profile will be assigned to clients included in the specified authentication group(s). Different SSL portals can be created for different user/group(s) if required.
1. Navigate to Network > SSL-VPN > New.
2. Portal name: Enter a portal name.
3. Virtual system: If left blank this will be automatically populated on saving.
4. Tunnel interface: Select or create a tunnel interface that will be used with this profile.
5. Authentication: Select or create an authentication profile.
- Device > Authentication Profile > New.
- Name: Enter a meaningful name for the profile.
- Lockout – failed attempts: If 0 is used the account will never become locked out.
- Lockout – lockout time: If 0 is used the account lockout time never takes effect.
- Allow list > Edit allow list: Enter/select the groups/users that should be granted access to the SSL portal.
- Authentication: Select from the drop-down list the type of authentication that should be used. Methods include Local DB (a user/group will need to be created on the Palo Alto FW), RADIUS or LDAP.
6. Server certificate: A self-signed certificate can be generated, but if this is to be used on the public domain it may be best to purchase a public cert.
7. Enable IPsec encapsulation of client traffic: Check this box.
8. Redirect HTTP traffic to HTTPS login page: Optional.
9. Interface: Select the interface that will be used for incoming VPN connections.
10. IP address: Select the appropriate IP address from the list (as more than one may be bound to the interface).
11. Login lifetime: Enter a max session lifetime.
12. Inactivity logout: Enter an inactivity timeout value .
13. Client Configuration.
- Primary/Secondary DNS: Primary/Secondary DNS server addresses.
- Primary/Secondary WINS: Primary/Secondary WINS server addresses.
- IP Pool – Subnet/Range: Enter an IP address range that can be assigned to remote clients.
- DNS Suffix: Enter the DNS suffix.
- Split tunnelling route: If you’re allowing clients use multiple subnets, enter the routes here.
There you have it, your SSL VPN is created.