Palo Alto Global Protect

Prerequisites

Refer to the Palo Alto documentation for how to set up your Palo Alto to act as a remote-access VPN using GlobalProtect. This guide does not explain how to create a new gateway for GlobalProtect.

Add Palo Alto RADIUS client in the Mideye Server

See section RADIUS clients in the reference guide.

Decrease push-delivery failure timeout

In the current version of GlobalProtect, the RADIUS timeout is limited to 25 seconds, even if it is set to a higher value in the Palo Alto administrative interface. To enable manual signatures with Mideye+ when the phone is unreachable, the push delivery failure timeout in Mideye has to be decreased from 17 to 11 seconds.

  1. Open the Configuration tool.
  2. Navigate to RADIUS-server and select the RADIUS server used by the RADIUS client. Click Modify.
  3. Select the App Configuration tab.
  4. Decrease the Delivery failure timeout from 17 seconds to 11 seconds.
  5. Click OK, then Save, followed by Close to restart the services.

Edit delivery failure timeout in App Configuration

Configuration

This section will explain how to add a new server profile and apply it to the GlobalProtect gateway.

Create a new Server profile

Navigate to “Device” and select “Server Profile” followed by “RADIUS”. Click “Add” and give the profile a suitable name. Change the timeout to 35 seconds and decrease retries to 1. (This is the preferred setting, but in the current version of Palo Alto the timeout will still be 25 seconds. See section Decrease push-delivery failure timeout for a fix.)

Add a server profile

Click “Add” and name the RADIUS server. Enter the IP address of the Mideye Server and a shared secret. This shared secret must be identical on both the Palo Alto and the Mideye Server.
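Why the shared secret must match on both sides, shown as an added example (not Mideye or Palo Alto code): it implements the RFC 2865 User-Password hiding and Response Authenticator check, assuming the profile uses PAP. All function names, secrets and the password are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

def _stream(secret, prev):
    return hashlib.md5(secret + prev).digest()

def hide_password(password, secret, request_auth):
    """Client side: RFC 2865 section 5.2 User-Password hiding."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded, out, prev = password.ljust(size, b"\x00"), b"", request_auth
    for i in range(0, size, 16):
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], _stream(secret, prev)))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Server side: reverse the hiding with the server's copy of the secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, _stream(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")

def build_reply(code, ident, request_auth, secret, attrs=b""):
    """Server side: reply whose Response Authenticator covers the secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def reply_is_authentic(reply, request_auth, secret):
    """Client side: recompute the Response Authenticator and compare."""
    length = struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)

def simulate(client_secret, server_secret, password=b"constructed-passw0rd-1"):
    """Return (server recovered the password, client accepts the reply)."""
    request_auth = os.urandom(16)  # Request Authenticator of the Access-Request
    hidden = hide_password(password, client_secret, request_auth)
    recovered_ok = reveal_password(hidden, server_secret, request_auth) == password
    code = 2 if recovered_ok else 3  # Access-Accept or Access-Reject
    reply = build_reply(code, 1, request_auth, server_secret)
    return recovered_ok, reply_is_authentic(reply, request_auth, client_secret)

if __name__ == "__main__":
    print("matching secrets:  ", simulate(b"constructed-secret", b"constructed-secret"))
    print("mismatched secrets:", simulate(b"constructed-secret", b"constructed-secreT"))
```

With a mismatched secret the server recovers a garbled password and the client rejects the reply's authenticator, so a correct login fails on both counts.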

Add Authentication Profile

From Palo Alto, navigate to “Device” and select “Authentication Profile”. Click “Add” and give the profile a suitable name. Choose type “RADIUS” and select the RADIUS profile created above. Click “Advanced” and select which users should be allowed to use the authentication profile.

Create an authentication profile

Change authentication Profile for GlobalProtect

Navigate to “Network” followed by “GlobalProtect”. Click “Gateways” and modify your existing gateway to use the authentication profile for Mideye.

Add the authentication profile to GlobalProtect