Securing GlobalProtect


Out of the box, you can’t just add a Security Profile to the interface that runs GlobalProtect. Fortunately, there’s a relatively easy way to do it with minimal impact to your existing GlobalProtect setup.

In this post, I will show you step-by-step how to secure GlobalProtect by adding protection with a Vulnerability Protection Profile or a Security Profile Group to an already existing GlobalProtect setup by using a loopback interface.

The Process

I will be using the address 192.168.187.2 for this example.

It should look something like this once completed.

In my setup that is loopback.2

Depending on your settings, you may also need to update the External Gateway address in the GlobalProtect Portal Agent Config. In my case, I am using the external FQDN, so I don’t need to change anything.

In my setup that is loopback.2

The NAT policy rule should look something like this.

I will be using the Security Profile Group I already have called Inbound which includes a vulnerability protection profile.

The Security policy rule should look something like this.

You now have GlobalProtect still listening on 443, but a NAT policy rule sends that traffic to the loopback interface, and a security policy rule applies vulnerability and other protections to the GlobalProtect interface.

If you are protecting against CVE-2024-3400 you may need to make changes to your Vulnerability Protection Profile to include Threat IDs 95187, 95189, and 95191. For more information see the Palo Alto Security Advisory for CVE-2024-3400.
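The same loopback, NAT and security policy setup expressed as PAN-OS CLI set commands, added here as an example and not taken from the post (which uses the web UI). The external interface ethernet1/1, the zone names untrust and gp-loopback, the public IP 203.0.113.10, the virtual router name default and the rule names are assumptions; verify the exact syntax against your PAN-OS version before committing.

```text
# Assumed environment (not from the post): ethernet1/1 in zone "untrust" holds the
# public IP 203.0.113.10; the loopback gets its own zone "gp-loopback".
configure

# 1. Loopback interface that GlobalProtect will actually be served from
set network interface loopback units loopback.2 ip 192.168.187.2/32
set network virtual-router default interface loopback.2
set zone gp-loopback network layer3 loopback.2

# 2. Destination NAT: public IP :443 -> loopback.2.
#    NAT rules match pre-NAT zones, so this is untrust -> untrust.
set rulebase nat rules GP-to-Loopback from untrust to untrust
set rulebase nat rules GP-to-Loopback source any destination 203.0.113.10
set rulebase nat rules GP-to-Loopback service service-https to-interface ethernet1/1
set rulebase nat rules GP-to-Loopback destination-translation translated-address 192.168.187.2

# 3. Security rule carrying the "Inbound" profile group from the post.
#    Security policy is evaluated on the POST-NAT zone but the PRE-NAT address,
#    so the destination zone is gp-loopback while the destination IP stays the
#    public IP, not 192.168.187.2.
set rulebase security rules Allow-GP-Loopback from untrust to gp-loopback
set rulebase security rules Allow-GP-Loopback source any destination 203.0.113.10
set rulebase security rules Allow-GP-Loopback source-user any category any
set rulebase security rules Allow-GP-Loopback application [ panos-global-protect ssl web-browsing ]
set rulebase security rules Allow-GP-Loopback service application-default
set rulebase security rules Allow-GP-Loopback action allow
set rulebase security rules Allow-GP-Loopback profile-setting group Inbound

# 4. Repoint the GlobalProtect portal and gateway to loopback.2 / 192.168.187.2
#    (done in the web UI under Network > GlobalProtect in the post). If the agent
#    config External Gateway entry uses the public IP rather than an FQDN, update it.
commit
exit

# 5. Verify both lookups resolve to the new rules (source IP is a constructed sample).
test nat-policy-match from untrust to untrust source 198.51.100.7 destination 203.0.113.10 destination-port 443 protocol 6 to-interface ethernet1/1
test security-policy-match from untrust to gp-loopback source 198.51.100.7 destination 203.0.113.10 destination-port 443 protocol 6
```

The "Inbound" group's Vulnerability Protection profile must itself cover Threat IDs 95187, 95189 and 95191 for the CVE-2024-3400 signatures to apply; attaching the group to the rule does not change what the profile contains.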

This process can help mitigate CVE-2024-3400. For more information and direction from Palo Alto Networks on the vulnerability, see the Palo Alto Security Advisory for CVE-2024-3400.
