
Palo Alto GlobalProtect

Prerequisites

Refer to the Palo Alto Networks documentation for instructions on how to configure your Palo Alto firewall as a remote-access VPN using GlobalProtect. This guide describes how to configure the connection to the Mideye RADIUS Server.

Mideye Configuration

Add Palo Alto as a RADIUS client

For instructions on how to add Palo Alto as a RADIUS client in the Mideye Server, see the section RADIUS clients in the Reference Guide.

Palo Alto Configuration

This section describes how to create a new Server Profile and apply it to a GlobalProtect Gateway.

Create a new Server Profile

Navigate to Device > Server Profiles > RADIUS. Click Add and assign a suitable name to the Server Profile. Set the Timeout value to 35 seconds and set Retries to 1.

Click Add and define the RADIUS Server. Specify the IP address of the Mideye Server and configure a shared secret. The shared secret must be identical on both the Palo Alto firewall and the Mideye Server.

Add an Authentication Profile

Navigate to Device > Authentication Profile. Click Add and assign a suitable name to the Authentication Profile. Set the Type to RADIUS and select the RADIUS Server Profile created in the previous step. Click Advanced and configure the users or user groups that are permitted to use this Authentication Profile.

Change the Authentication Profile for GlobalProtect

Navigate to Network > GlobalProtect > Gateways. Edit the existing GlobalProtect Gateway and configure it to use the Authentication Profile created for Mideye.

Add Palo Alto VSA Client-Source-IP for Mideye Shield

To use Mideye Shield protection, the Palo Alto firewall must send the connecting VPN client’s public IP address to the Mideye Server. Palo Alto does not use RADIUS Attribute 31 (Calling-Station-ID) for this; instead, it sends the address in the Vendor-Specific Attribute (VSA) Client-Source-IP.

Enter the following command in the Palo Alto operational CLI to include the Client-Source-IP attribute in RADIUS requests sent to the Mideye Server:
set authentication radius-vsa-on client-source-ip
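
To confirm that the firewall now includes the attribute, the RADIUS payload of an Access-Request can be parsed for the VSA. The following is an added example, not part of the Mideye or Palo Alto documentation. It assumes the vendor ID (25461) and attribute number (7) from Palo Alto's published RADIUS dictionary, and the sample packet is constructed for illustration.

```python
import struct

# Assumptions (not on the page): values from Palo Alto's published RADIUS dictionary.
PALO_ALTO_VENDOR_ID = 25461
CLIENT_SOURCE_IP_TYPE = 7
VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific attribute


def iter_tlvs(buf: bytes):
    """Yield (type, value) from a run of type/length/value attributes."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated attribute header")
        a_type, a_len = buf[pos], buf[pos + 1]
        if a_len < 2 or pos + a_len > len(buf):
            raise ValueError("bad attribute length")
        yield a_type, buf[pos + 2:pos + a_len]
        pos += a_len


def client_source_ip(packet: bytes):
    """Return the Client-Source-IP VSA text, or None if it is absent."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    for a_type, value in iter_tlvs(packet[20:length]):
        if a_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != PALO_ALTO_VENDOR_ID:
            continue
        for s_type, s_value in iter_tlvs(value[4:]):
            if s_type == CLIENT_SOURCE_IP_TYPE:
                return s_value.decode("ascii", "replace")
    return None


def sample_request(with_vsa: bool) -> bytes:
    """Constructed Access-Request (code 1, zeroed authenticator) for testing."""
    attrs = bytes([1, 7]) + b"alice"  # User-Name
    if with_vsa:
        ip = b"203.0.113.10"  # documentation-range address
        sub = bytes([CLIENT_SOURCE_IP_TYPE, len(ip) + 2]) + ip
        attrs += bytes([VENDOR_SPECIFIC, len(sub) + 6])
        attrs += struct.pack("!I", PALO_ALTO_VENDOR_ID) + sub
    return struct.pack("!BBH", 1, 1, 20 + len(attrs)) + bytes(16) + attrs
```

Pass client_source_ip() the UDP payload of a request captured on the Mideye Server; a return value of None means the firewall is not sending the VSA and Mideye Shield has no client address to evaluate.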