Tech Note
PAN-OS 4.1
Prerequisites
• GlobalProtect Gateway
Support for X-Auth was introduced in PAN-OS 4.1 as a feature of GlobalProtect Gateway and
does not require any specific license to be activated.
• Apple iOS
An Apple iOS device running iOS 4.3 or later.
Certificate Creation
To set up certificate-based IKE phase 1 authentication, you need three certificates (a root CA
certificate, a gateway certificate and an identity certificate for the device), created either in the
PAN-OS management UI or by an external certificate authority.
• Gateway Certificate
The certificate for the gateway can be generated on PAN-OS or imported from an external
certificate authority. This section only covers how to generate the certificate locally, signed by a
CA certificate held on the device.
1. To create a certificate locally, navigate to the Certificate page on the Device tab and select
Generate.
2. Enter a unique name for the certificate in the configuration.
3. Enter the gateway’s DNS hostname as the Common Name (CN).
4. Enter the gateway's IP address in the IP Address field. If the firewall sits behind a NAT device,
use the IP address assigned to the firewall's own interface, not the translated public address.
5. Select the certificate authority created in the “Root Certificate Authority“section in the
Signed By drop-down to issue this certificate.
6. Click Generate.
• Identity Certificate
With certificate-based authentication, the client and the gateway authenticate each other.
The iOS device therefore requires a certificate issued by a certificate authority that the gateway
trusts. This certificate can either be issued by an external certificate
• Certificate Profile
In order to validate the client certificate, a Client Certificate Profile needs to be created which
includes the CA certificate used to create the Identity Certificate. Please refer to the
corresponding section on creating Client Certificate Profiles in the Palo Alto Networks
Administrator’s Guide.
1. In the GlobalProtect Gateway configuration (Network > GlobalProtect > Gateways), select the
gateway certificate created in the "Gateway Certificate" section of this document in the
Server Certificate drop-down.
2. In the Client Certificate Profile drop-down, select the certificate profile which includes the
CA certificate used to issue the client certificate in the “Client Certificate” section.
3. Enable “Tunnel Mode” and select “Enable IPSec”.
4. Enable “Enable X-Auth Support” to enable Extended Authentication.
5. Leave the "Group Name" and "Group Password" fields empty so that IKE phase 1 authenticates
with the certificates rather than with a pre-shared group password.
6. Click OK and commit the configuration changes.
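For the external certificate authority path the note allows, the following shell script is an added example (not from the Tech Note and not Palo Alto Networks' code) that builds the same three certificates with OpenSSL: a root CA whose public certificate goes into the Client Certificate Profile, a gateway certificate whose SAN carries the DNS hostname and IP address the Generate dialog asks for, and an identity certificate for the iOS user exported as a password-protected PKCS#12 bundle. The hostname gw.example.com, the address 203.0.113.10, the user name alice, the export password, key sizes, validity periods and file names are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the Tech Note: build the three certificates the
# note describes with OpenSSL, for the "external certificate authority" path.
# Names, key sizes, validity periods and file names below are assumptions.
set -e

# make_pki DIR GATEWAY_FQDN GATEWAY_IP CLIENT_NAME EXPORT_PASSWORD
# Writes root-ca.{key,crt}, gw.{key,crt} and client.{key,crt,p12} into DIR.
make_pki() {
  dir="$1"; fqdn="$2"; ip="$3"; client="$4"; exportpw="$5"
  mkdir -p "$dir"
  # One config file: an empty DN section (subjects come from -subj) and one
  # extension section per certificate role.
  cat > "$dir/ext.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[gw_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn, IP:$ip
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
  # Root CA ("Root Certificate Authority" section): self-signed, CA:TRUE.
  # Its public certificate goes into the PAN-OS Certificate Profile and the device.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Root CA" -config "$dir/ext.cnf" -extensions ca_ext \
    -keyout "$dir/root-ca.key" -out "$dir/root-ca.crt" 2>/dev/null
  # Gateway certificate: CN is the DNS hostname and the SAN carries hostname
  # and IP, matching the Common Name and IP Address fields of the Generate dialog.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$fqdn" \
    -config "$dir/ext.cnf" -keyout "$dir/gw.key" -out "$dir/gw.csr" 2>/dev/null
  openssl x509 -req -in "$dir/gw.csr" -CA "$dir/root-ca.crt" -CAkey "$dir/root-ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$dir/ext.cnf" -extensions gw_ext \
    -out "$dir/gw.crt" 2>/dev/null
  # Identity certificate for the iOS user, issued by the same CA so that the
  # gateway's Certificate Profile can validate it; clientAuth only.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$client" \
    -config "$dir/ext.cnf" -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/root-ca.crt" -CAkey "$dir/root-ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/ext.cnf" -extensions client_ext \
    -out "$dir/client.crt" 2>/dev/null
  # PKCS#12 bundle (private key + certificate + issuing CA) protected by the
  # export password the user will type during the on-device import.
  openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.crt" \
    -certfile "$dir/root-ca.crt" -name "$client" -passout "pass:$exportpw" \
    -out "$dir/client.p12"
  chmod 600 "$dir"/*.key "$dir/client.p12"
}

# verify_chain DIR: both leaf certificates must chain to root-ca.crt.
verify_chain() {
  openssl verify -CAfile "$1/root-ca.crt" "$1/gw.crt" >/dev/null &&
  openssl verify -CAfile "$1/root-ca.crt" "$1/client.crt" >/dev/null
}

# cert_has_san DIR PATTERN: check the gateway SAN, e.g. "DNS:gw.example.com".
cert_has_san() {
  openssl x509 -in "$1/gw.crt" -noout -text |
    grep -A1 'Subject Alternative Name' | grep -q -- "$2"
}

# p12_password_ok DIR PASSWORD: true if the bundle opens with PASSWORD.
p12_password_ok() {
  openssl pkcs12 -in "$1/client.p12" -passin "pass:$2" -nokeys -noout 2>/dev/null
}

# Demo run into a temporary directory (illustrative values).
PKI="$(mktemp -d)/pki"
make_pki "$PKI" gw.example.com 203.0.113.10 alice 'Export-Pass-1'
verify_chain "$PKI" && echo "chain OK: $PKI"
```

Import root-ca.crt on PAN-OS and reference it in the Client Certificate Profile, import gw.crt with gw.key as the gateway certificate, and hand client.p12 to the device. Recent OpenSSL releases encrypt PKCS#12 files with AES and PBKDF2 by default; if an older device refuses the file, re-export with `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1`. Keep root-ca.key off the firewall and off the device: it is only needed to issue further identity certificates.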
1. Compose a new e-mail and attach the Identity Certificate exported in the section above.
2. Send the e-mail to the iOS user. Send the export password through a separate channel, not in
the same e-mail: the PKCS#12 file contains the user's private key, and anyone holding both the
file and the password can extract it.
3. On the device, open the new e-mail and tap the attached identity certificate.
4. Tap Install on the certificate information screen.
5. Tap Install Now when prompted and enter your device passcode.
6. Enter the export password you specified in the previous section and tap Next.
Your VPN profile is now configured and you can enable the VPN connection through the iOS
device Settings.
For more information on distributing profiles, refer to Distributing Configuration Profiles Using
MDM Software.
1. On the GlobalProtect Gateway, navigate to Network > GlobalProtect > Gateways and create a
new Gateway configuration or modify an existing Gateway.
2. From the General tab, enable Tunnel Mode and then select Enable IPSec and Enable X-Auth
Support.
3. Enter a Group Name.
4. Enter and confirm the Group Password.
5. Click OK and then commit the configuration.
1. On the Apple device, open Settings, navigate to General > Network > VPN and select
Add VPN Configuration.
2. Select IPSec as the connection type.
3. Enter a description of the new profile in the Description field.
4. In the Server field, enter the address of the GlobalProtect Gateway.
5. Enter your username in the Account field and your password in the Password field.
6. Enter the group name configured previously in the Group Name field.
7. Enter the group password in the Secret field.
If you create the VPN configuration profile with a pre-shared secret in the iPhone Configuration
Utility, none of the certificate import steps outlined above are needed. Perform the following
steps to create your VPN configuration profile:
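The manual Settings entries above and the profile the iPhone Configuration Utility produces carry the same IPSec settings. As an added example (not from the Tech Note, and neither Apple's nor Palo Alto Networks' code), the following shell script emits such a profile directly, for either the group-password variant (Group Name and Group Password set on the gateway) or the certificate variant (both left empty, identity certificate and root CA bundled into the profile). Payload keys follow Apple's Configuration Profile Reference; the "com.example" identifiers, display names, the gateway gw.example.com, the user alice and the group gp-ios are assumptions.

```shell
#!/bin/sh
# Added example, not from the Tech Note or from Apple: emit the iOS
# configuration profile (.mobileconfig) that carries the same IPSec settings the
# manual Settings steps enter by hand, for mailing to the user or pushing by MDM.
# Payload keys follow Apple's Configuration Profile Reference; identifiers,
# display names and the "com.example" prefix are assumptions.
set -e

# uuid: 128 random bits in UUID layout; every payload needs a distinct PayloadUUID.
uuid() {
  od -An -N16 -tx1 /dev/urandom | tr -d ' \n' |
    sed 's/^\(.\{8\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)\(.\{12\}\)$/\1-\2-\3-\4-\5/' | tr a-f A-F
}

# xml_escape STRING: user-supplied values must not break the plist XML.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# payload_header TYPE DISPLAY_NAME UUID: keys common to every payload dictionary.
payload_header() {
  printf '  <key>PayloadType</key><string>%s</string>\n' "$1"
  printf '  <key>PayloadVersion</key><integer>1</integer>\n'
  printf '  <key>PayloadIdentifier</key><string>com.example.globalprotect.%s</string>\n' "$3"
  printf '  <key>PayloadUUID</key><string>%s</string>\n' "$3"
  printf '  <key>PayloadDisplayName</key><string>%s</string>\n' "$(xml_escape "$2")"
}

# data_element KEY FILE: base64 <data> element holding the bytes of FILE.
data_element() {
  printf '  <key>%s</key><data>%s</data>\n' "$1" "$(base64 < "$2" | tr -d '\n')"
}

# vpn_profile psk  GATEWAY XAUTH_USER GROUP_NAME GROUP_PASSWORD
# vpn_profile cert GATEWAY XAUTH_USER ROOT_CA_DER CLIENT_P12 [P12_PASSWORD]
# psk  = group name and group password in IKE phase 1 (gateway with both set);
# cert = identity certificate in phase 1 (gateway with both left empty).
# X-Auth with the user's name is enabled either way; the device prompts for the password.
vpn_profile() {
  mode="$1"; gateway="$2"; user="$3"
  top=$(uuid); vpn=$(uuid); p12=$(uuid); root=$(uuid)
  printf '<?xml version="1.0" encoding="UTF-8"?>\n'
  printf '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
  printf '<plist version="1.0">\n<dict>\n'
  payload_header Configuration "GlobalProtect VPN" "$top"
  printf '  <key>PayloadContent</key>\n  <array>\n  <dict>\n'
  payload_header com.apple.vpn.managed "GlobalProtect" "$vpn"
  printf '  <key>UserDefinedName</key><string>GlobalProtect</string>\n'
  printf '  <key>VPNType</key><string>IPSec</string>\n'
  printf '  <key>IPSec</key>\n  <dict>\n'
  printf '    <key>RemoteAddress</key><string>%s</string>\n' "$(xml_escape "$gateway")"
  printf '    <key>XAuthEnabled</key><integer>1</integer>\n'
  printf '    <key>XAuthName</key><string>%s</string>\n' "$(xml_escape "$user")"
  case "$mode" in
    psk)
      printf '    <key>AuthenticationMethod</key><string>SharedSecret</string>\n'
      printf '    <key>LocalIdentifier</key><string>%s</string>\n' "$(xml_escape "$4")"
      # SharedSecret is a <data> element: base64 of the raw group password bytes.
      printf '    <key>SharedSecret</key><data>%s</data>\n' "$(printf '%s' "$5" | base64 | tr -d '\n')"
      printf '  </dict>\n  </dict>\n'
      ;;
    cert)
      printf '    <key>AuthenticationMethod</key><string>Certificate</string>\n'
      printf '    <key>PayloadCertificateUUID</key><string>%s</string>\n' "$p12"
      printf '  </dict>\n  </dict>\n'
      # The identity (PKCS#12) and the root CA that issued it ride in the same
      # profile, replacing the separate e-mail import of the certificate.
      printf '  <dict>\n'
      payload_header com.apple.security.pkcs12 "GlobalProtect identity" "$p12"
      data_element PayloadContent "$5"
      # Omit Password so the device prompts for the export password at install time.
      [ -z "${6:-}" ] || printf '  <key>Password</key><string>%s</string>\n' "$(xml_escape "$6")"
      printf '  </dict>\n  <dict>\n'
      payload_header com.apple.security.root "GlobalProtect root CA" "$root"
      data_element PayloadContent "$4"
      printf '  </dict>\n'
      ;;
    *) echo "usage: vpn_profile psk|cert ..." >&2; return 2 ;;
  esac
  printf '  </array>\n</dict>\n</plist>\n'
}

# Demo: the pre-shared-key variant with illustrative values, written to stdout.
vpn_profile psk gw.example.com alice gp-ios 'S3cret!'
```

The group password is stored in the profile in clear (base64 is an encoding, not encryption), and a PKCS#12 payload carries the user's private key, so sign and encrypt the profile for the target device before distribution, or at least leave the Password key out so that the export password travels separately. The root CA payload expects the certificate in DER form (openssl x509 -outform der).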
• MobileIron
• Zenprise
MobileIron
MobileIron reduces the cost, risk and usability challenges associated with mobile device management.
The MobileIron Virtual Smartphone Platform (VSP) combines data-driven smart device management with
real-time wireless cost control and offers many features to control and secure mobile platforms. This
configuration relies on a properly installed VSP instance with the iOS MDM certificate signed and
installed before the VSP is configured to distribute GlobalProtect profiles. It is also assumed that the
iOS devices are already enrolled in MobileIron.
First, create a label in the MobileIron VSP or confirm that a suitable one already exists; this
example uses the existing label "Company-Owned".
Next, the certificates created in the “Root Certificate Authority” and “Identity Certificate” section need
to be exported from PAN-OS and imported into the MobileIron VSP.
3. Apply the certificate to the label by selecting the check box next to the certificate entry that
was just created, then select More Actions > Apply to Label.
10. Save the VPN Profile, then select More Actions > Apply to Label.
11. Select the check box next to Company-Owned and click Apply.
Your VPN profile is now configured in MobileIron and will be automatically distributed to all managed
devices attached to the Company-Owned label. Once deployed, the VPN connection can be enabled
through the iOS device Settings or automatically depending on the VPN on-demand and match settings
in MobileIron.
Zenprise
Zenprise is focused on managing the mobile device lifecycle for enterprise customers. Whether delivered
as an on-premise mobile device management server or as a cloud solution, Zenprise MobileManager lets
you manage the device lifecycle across every major platform: iPhone, iPad, Android, BlackBerry, Symbian
and Windows Mobile. Zenprise offers many features to control and secure mobile platforms. This
configuration relies on a properly installed Device Manager instance with the iOS MDM certificate
signed and installed before the Zenprise Device Manager is configured to distribute GlobalProtect
profiles. It is also assumed that the iOS devices are already enrolled in Zenprise.
First, the certificates created in the “Root Certificate Authority” and “Identity Certificate” section need
to be exported from PAN-OS and imported into the Zenprise Device Manager.
Your VPN profile is now configured in Zenprise and will be automatically distributed to all managed
devices attached to the deployment package that you created. Once deployed, the VPN connection can
be enabled through the iOS device settings or automatically depending on the VPN on-demand and
match settings in Zenprise Device Manager.