Palo Alto GlobalProtect Zero Trust Lab

Solution Overview

GlobalProtect allows creation of precise policies that can restrict or allow access based on business need, whether users are connecting from inside or outside the organization. It provides authoritative user and device identification and enables you to enforce granular access control based on the compliance state of each device and user.

Goals & Objectives

This on-demand lab provides a safe environment to implement, manage and test the Palo Alto GlobalProtect capabilities in a traditional network environment. It is the best starting point for understanding the solution fundamentals and how it can provide value to your organization.

In this lab, you will be both the Palo Alto administrator and a remote client requiring access. The environment is intentionally small and simple to ensure a smoother on-demand experience and to focus on key features. The lab features two "application" environments in separate networks. Each application comprises one Linux server and one Windows server. Access to Application 1 has been pre-configured to demonstrate basic connectivity. As the admin, you will create a simple security policy that lets the remote user gain access to Application 2. The protocols are also kept extremely basic for the sake of efficiency: ICMP, HTTP and SSH.
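The Application 2 access rule described above, expressed as a PAN-OS configure-mode security rule. This is an added example, not configuration shipped with the lab; the zone names (GP-Users, App2-Zone), the address object App2-Servers, the user group and the rule name are assumptions that must be replaced with the lab's own values.

```text
# Assumed names: GP-Users = zone holding GlobalProtect tunnel users,
# App2-Zone = zone of Application 2, App2-Servers = address group for
# its Linux and Windows servers. Only the three lab protocols are allowed,
# matched as App-IDs (ping = ICMP echo, ssh, web-browsing = HTTP), and the
# rule is tied to an authenticated user group rather than to a subnet.
configure
set rulebase security rules Allow-App2-GP from GP-Users to App2-Zone
set rulebase security rules Allow-App2-GP source any
set rulebase security rules Allow-App2-GP source-user "lab\\remote-users"
set rulebase security rules Allow-App2-GP destination App2-Servers
set rulebase security rules Allow-App2-GP application [ ping ssh web-browsing ]
set rulebase security rules Allow-App2-GP service application-default
set rulebase security rules Allow-App2-GP action allow
set rulebase security rules Allow-App2-GP log-end yes
commit
```

Because the rule matches on user identity and specific App-IDs with application-default ports, anything else from the remote user toward Application 2 falls through to the implicit interzone deny, which is the "minimal exploitable footprint" the lab sets out to demonstrate.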

The lab will emphasize the following concepts:

  • Lowering risk by minimizing exploitable footprint.
  • Adopting the principles of Zero Trust architecture:
    • Granting access to enterprise resources based on contextual data including user profile, environment and enterprise.
    • Enforcing policies based on constant evaluation of the client's security posture rather than static rules.
    • Dynamic one-to-one connections: everyone attempting to access a resource must authenticate first.
  • Utilizing the concept of Zero Trust to augment or replace traditional remote access scenarios.
  • Identity-centric access, with highly granular access controls and real-time access changes.

Hardware & Software

This lab is 100 percent virtual and includes the following components:

  1. Single PaloAlto NGFW Appliance functioning as:
    • Portal
    • Gateway
  2. One Windows RDP Remote User
  3. One Windows RDP Management Workstation
  4. Two virtualized application environments, each including:
    • One simulated Linux application accessible through SSH
    • One simulated Windows IIS application over HTTP