
    Palo Alto GlobalProtect: enterprise deployment guide

    TechLeague Editorial · 7 min read

    GlobalProtect is the de facto remote-access solution for Palo Alto shops. A clean enterprise design pays for itself in support tickets avoided.

    Architecture

    • Single portal, multiple gateways (internal + external).
    • External gateways geo-distributed for latency.
    • Internal gateway so on-site users get HIP posture checks without establishing a VPN tunnel.

    Authentication

    • SAML/OIDC against Azure AD/Okta as primary.
    • MFA mandatory; certificate-based for kiosks.
    • User-ID integration for downstream policy.

    HIP profiles

    • AV running, disk encryption, OS patch level.
    • Block or quarantine on non-compliant posture.

    Split tunnel

    • Route only corporate ranges; internet direct.
    • Exclude SaaS (Microsoft 365, Zoom) for performance.
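    Before committing a split-tunnel configuration it is worth checking which path a given destination will take and whether any SaaS exclude quietly carves a hole in a corporate range. The Python below is an added example, not GlobalProtect's own logic or anything from the article; the address ranges are constructed samples, and it assumes the longest-prefix rule when a destination appears in both the include and exclude lists.

```python
import ipaddress
from typing import Iterable

# Constructed sample configuration (not from the article): corporate ranges that
# must traverse the tunnel, and SaaS ranges excluded for performance. The last
# exclude deliberately overlaps a corporate range to show the misconfiguration.
CORP_INCLUDE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.100.0/24"]
SAAS_EXCLUDE = ["52.96.0.0/12", "13.107.6.0/24", "3.7.35.0/25", "10.200.0.0/16"]


def _nets(cidrs: Iterable[str]):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def route_for(dest: str, include=CORP_INCLUDE, exclude=SAAS_EXCLUDE) -> str:
    """Return 'tunnel' or 'direct' for a destination address.

    Assumed rule: when a destination matches both lists, the more specific
    prefix (longest match) wins; with no match at all it goes direct, since
    the guide routes only corporate ranges through the tunnel."""
    ip = ipaddress.ip_address(dest)
    best_len, best = -1, "direct"
    for label, nets in (("tunnel", _nets(include)), ("direct", _nets(exclude))):
        for net in nets:
            if ip.version == net.version and ip in net and net.prefixlen > best_len:
                best_len, best = net.prefixlen, label
    return best


def leaked_corporate_prefixes(include=CORP_INCLUDE, exclude=SAAS_EXCLUDE) -> list:
    """Pre-deployment check: exclude prefixes that sit inside a corporate include.

    Under longest-prefix matching such an exclude sends that slice of corporate
    traffic straight to the internet, outside the tunnel, so it should be
    caught before the configuration ships."""
    inc, exc = _nets(include), _nets(exclude)
    leaked = [
        str(e) for e in exc
        if any(e.version == i.version and e.subnet_of(i) for i in inc)
    ]
    return sorted(leaked)
```

Run the leak check against every proposed change to the exclude list, not just the initial build, since SaaS vendors publish new ranges regularly.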

    Operations

    • Monitor with Cortex Data Lake.
    • Test failover quarterly with regional outages.

    Train segmentation, NAT and policy reasoning at a TechLeague tournament.