GlobalProtect Review and Alternatives

Palo Alto Networks produces system security products, most famously its next-generation firewall (NGFW). This service can reach across the internet to protect remote networks and individual devices, but those internet connections themselves need to be secured, and a network of VPNs provides that security.

A VPN needs software at each end to manage the encryption that provides session security. GlobalProtect is the agent that operates at the remote end of a Palo Alto VPN connection to perform encryption and decryption of traveling packets.

About Palo Alto Networks

Palo Alto Networks is a US company that specializes in cybersecurity products. The business was founded by Nir Zuk, an Israeli cybersecurity specialist, in 2005. The company’s first product was its next-generation firewall. This product took two years to develop and it is still the company’s main product.

The company has since expanded its firewall offerings by making the service available on the internet with the Firewall-as-a-Service (FWaaS) model. The system is able to reach across the internet to centralize the coverage of many sites. This necessitated the development of a secure virtual network service, which is called a software-defined wide area network (SD-WAN). Combining the SD-WAN and the FWaaS creates a secure access service edge (SASE) system.

The Palo Alto NGFW

Nir Zuk is credited with inventing the stateful firewall while working for Check Point Software. A stateful firewall examines the contents of packets, whereas traditional firewalls only look at each packet’s headers individually.

The problem with implementing deep packet inspection at the firewall is that communications over the internet rely on encryption to protect their contents. That encryption is usually managed end-to-end, so the endpoints involved in the connection encrypt and decrypt the data. This means that the firewall is unable to view the contents as they pass through, whether coming in from the internet or going out.

To combat the issue of contents being protected from inspection, Nir Zuk created the idea of SSL offloading, which means that the firewall becomes the endpoint for all connections and manages the encryption and decryption of contents. With the responsibility for encryption shifted to the firewall, all content can be made visible for inspection. Thus, the firewall can perform content filtering and data loss prevention as well as the traditional firewall tasks of blocking intruders and malware.

Palo Alto Prisma

The SD-WAN product of Palo Alto Networks is called Prisma. The combination of the SD-WAN and a firewall for external traffic management outside of the virtual network is called Prisma Access.

An SD-WAN is an overlay network. It unifies the IP address pools of several networks. Another purpose of an SD-WAN is to create address persistence independent of the underlying physical infrastructure of the network. With all applications operating over the SD-WAN, technicians can make changes to the configuration of the network without having to alter the settings of endpoints and their services.

Palo Alto connection security

GlobalProtect is essential to the successful operation of those Palo Alto products that work across the internet. Whether the Palo Alto product is hosted on the client’s site or on the Palo Alto cloud platform, communication with the central server has to be protected because of the Palo Alto strategy of SSL offloading.

As the Palo Alto firewall performs connection security for communicating with locations outside of the business, the unencrypted packets from business endpoints need to be protected in transit to the firewall, which could be on another site or based in the cloud.

GlobalProtect is an agent that manages the VPNs from one site or a remote endpoint. This communicates with the firewall server to establish session security. Once that connection has been made, it can endure for a long time. The same encryption will protect traffic from any endpoints on a network as it travels to the NGFW server.

When the traffic from an endpoint reaches the firewall, inspection takes place, and then the firewall establishes a connection with the intended destination of that traffic and encrypts it. So, GlobalProtect operates within the private network, creating a virtual private network between locations, using the public medium of the internet. Therefore, it does not apply to the encryption work that the firewall performs when communicating with the outside world.

GlobalProtect network address translation

GlobalProtect acts as a remote agent for Palo Alto services. When operating as part of the Prisma system, the GlobalProtect agent also has to interpret network addresses. It is possible to coordinate local IP addresses on each LAN in a multi-site system so that ranges are allocated to different sites, ensuring no overlap and reserving each range for local use. However, that separation does not need to be enforced in an SD-WAN.

The key feature is that IP address management is performed by a central server that overlays addresses over the actual address used on each LAN that is included in the WAN. The system needs to be set up so that the allocated IP address only needs to be unique on the WAN.

The local network may continue with its address allocation scheme for local traffic. The SD-WAN address needs to be applied only to traffic that exits the LAN and travels to another site on the WAN or to the Prisma server to be forwarded to a server outside of the private network. This requires network address translation to manage the dual identities of each device on the LANs that are included in the SD-WAN. This network address translation (NAT) is performed by the GlobalProtect agent.
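The addressing scheme described in this section can be shown in a small simulation. The code below is an added example, not GlobalProtect or Prisma code: a hypothetical central controller hands each site a unique overlay prefix, and a hypothetical edge agent at each site rewrites only the traffic that crosses the WAN, so two sites that both use 192.168.1.0/24 can still exchange packets without ambiguity. The prefix pool, site names and host addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Minimal stand-in for an IP packet: only the fields NAT touches."""
    src: str
    dst: str
    payload: str


class OverlayController:
    """Hypothetical central address authority for the SD-WAN. Each enrolled
    site receives a unique overlay prefix, so a device's overlay address only
    has to be unique on the WAN, not across every LAN's own scheme."""

    def __init__(self, overlay_pool: str, site_prefixlen: int = 24):
        pool = ipaddress.ip_network(overlay_pool)
        self._subnets = pool.subnets(new_prefix=site_prefixlen)
        self.site_prefix: dict[str, ipaddress.IPv4Network] = {}

    def enroll(self, site: str) -> ipaddress.IPv4Network:
        if site not in self.site_prefix:
            self.site_prefix[site] = next(self._subnets)
        return self.site_prefix[site]


class SiteAgent:
    """Hypothetical edge agent at one LAN's gateway (the role the article
    attributes to GlobalProtect). Local traffic keeps the LAN's addressing;
    only packets leaving or entering over the WAN are rewritten."""

    def __init__(self, lan_cidr: str, overlay_prefix: ipaddress.IPv4Network):
        self.lan = ipaddress.ip_network(lan_cidr)
        self.overlay = overlay_prefix
        if self.lan.prefixlen != self.overlay.prefixlen:
            raise ValueError("overlay prefix must match the LAN prefix length")

    def _shift(self, ip: str, src_net, dst_net) -> str:
        # Map an address by its offset within one prefix onto the other prefix.
        addr = ipaddress.ip_address(ip)
        if addr not in src_net:
            raise ValueError(f"{ip} is not in {src_net}")
        offset = int(addr) - int(src_net.network_address)
        return str(ipaddress.ip_address(int(dst_net.network_address) + offset))

    def to_overlay(self, lan_ip: str) -> str:
        return self._shift(lan_ip, self.lan, self.overlay)

    def to_lan(self, overlay_ip: str) -> str:
        return self._shift(overlay_ip, self.overlay, self.lan)

    def egress(self, pkt: Packet) -> Packet:
        # Leaving the LAN: the local source becomes its WAN-unique overlay identity.
        return replace(pkt, src=self.to_overlay(pkt.src))

    def ingress(self, pkt: Packet) -> Packet:
        # Arriving from the WAN: the overlay destination becomes the local address.
        if ipaddress.ip_address(pkt.dst) not in self.overlay:
            raise ValueError(f"{pkt.dst} is not addressed to this site")
        return replace(pkt, dst=self.to_lan(pkt.dst))


def round_trip():
    """Two sites with the same LAN range exchange a request and a reply.
    Returns the packet as seen on the WAN, on LAN B, and the reply on LAN A."""
    ctrl = OverlayController("10.100.0.0/16")          # constructed overlay pool
    site_a = SiteAgent("192.168.1.0/24", ctrl.enroll("site-a"))
    site_b = SiteAgent("192.168.1.0/24", ctrl.enroll("site-b"))

    # Host 192.168.1.10 at A reaches host 192.168.1.10 at B via B's overlay address.
    b_host_overlay = site_b.to_overlay("192.168.1.10")
    on_lan_a = Packet(src="192.168.1.10", dst=b_host_overlay, payload="hello")
    on_wan = site_a.egress(on_lan_a)
    on_lan_b = site_b.ingress(on_wan)

    # B's host replies to the overlay source it saw; the agents reverse the mapping.
    reply_on_lan_b = Packet(src=on_lan_b.dst, dst=on_wan.src, payload="reply")
    reply_on_wan = site_b.egress(reply_on_lan_b)
    reply_on_lan_a = site_a.ingress(reply_on_wan)
    return on_wan, on_lan_b, reply_on_lan_a


if __name__ == "__main__":
    for hop in round_trip():
        print(hop)
```

Running the script shows the request on the WAN as 10.100.0.10 to 10.100.1.10, arriving on LAN B as 10.100.0.10 to 192.168.1.10, and the reply arriving on LAN A as 10.100.1.10 to 192.168.1.10. The two hosts share the address 192.168.1.10 locally, yet neither side ever sees an ambiguous address, which is the property the section describes: uniqueness is required only on the WAN, and the agent at the LAN edge carries the burden of translation.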

GlobalProtect deployment options

GlobalProtect is an agent for Palo Alto services, so it isn’t sold separately. It facilitates the connections between sites in an SD-WAN, in a SASE system, or between remote endpoints and networks and the Palo Alto FWaaS.

If a firewall or a Prisma service covers an entire network, the GlobalProtect software can be installed on that network’s gateway. However, if an individual remote device is being enrolled into the protected network, it needs a GlobalProtect app installed.

The GlobalProtect app for endpoints allows users to turn the connection on and off. This is suitable for use on user-owned devices, such as computers in the homes of telecommuting workers. With this app, the user can turn on the connection and join the network, signifying that the person is now at work. Then, at the end of the working day, the worker logs off, disconnecting from the company network and changing the device’s purpose to private use.

There are GlobalProtect packages for the following systems:

  • Windows
  • macOS
  • Linux
  • iOS
  • Android
  • ChromeOS
  • Windows Mobile

The download and installation of the GlobalProtect app can be managed either on command or on demand. For example, system managers enrolling company-owned endpoints or remote sites into the Palo Alto system will enter the IP addresses of those locations into the service dashboard and perform a guided download from there.

The GlobalProtect service includes a self-service portal Web page. This is a private implementation and not part of the Palo Alto website accessible to the general public. On enrolling a user into the system, the network manager sends that individual an email with a link to the company’s GlobalProtect portal. This page includes a list of available apps. The user selects the app for the relevant operating system, clicks on the appropriate link, and downloads an installer. That installer runs a wizard that makes the app available on the device.

GlobalProtect strengths and weaknesses

GlobalProtect is an element that supports Palo Alto products, and so it is difficult to assess the package in isolation. However, we have identified some strengths and weaknesses with the system.

Pros:

  • Enables remote endpoints to be included in a secure virtual private network
  • Manages addressing issues when including a LAN in a software-defined WAN
  • Offers a portal to enable device owners to enroll in a network
  • Provides session security
  • Enables mobile devices to be included in a corporate network
  • Provides backend security to the Palo Alto FWaaS, which implements SSL offloading

Cons:

  • Not available as a standalone product

Alternatives to Palo Alto GlobalProtect

GlobalProtect is an excellent solution in the modern era of user-owned devices because it allows roaming and telecommuting users to enroll their own devices temporarily into the company network. However, this feature has only recently become of great value due to increased work from home during the Covid pandemic.

The SD-WAN concept and Palo Alto’s signature firewall function of SSL offloading would not be possible without backend security. Providing virtual network security requires a remote client, which is where GlobalProtect comes in.

When looking at alternatives to GlobalProtect, we need to look for other options to the Palo Alto products that require the GlobalProtect service – Palo Alto NGFW, Prisma, and Prisma Access.

Here is our list of the best alternatives to Palo Alto GlobalProtect:

  1. Zscaler Private Access: This service is a cloud platform that acts similarly to an SD-WAN but creates application-centered connection security. The Private Access system can include user-owned devices in a private network with the internet as its underlying infrastructure. The network can also include mobile devices. The mechanism behind this tool is known as Zero Trust Network Access (ZTNA). It is fundamentally the same as a VPN-based SD-WAN, except that it establishes secure sessions to specific application servers rather than between the gateways of separate LANs integrated into a WAN.
  2. Perimeter81 SASE: The SASE package is one of the Perimeter81 packages that compete with those Palo Alto systems that operate with the GlobalProtect service. The SASE is a cloud-based subscription service that provides a unified network for multiple sites, including cloud resources and user-owned devices. Take just the FWaaS or the SD-WAN package if you don’t want the full SASE. Perimeter81 also offers an application-centric ZTNA package.
  3. VMware SASE: VMware is the leading server virtualization provider and now offers a virtual network system that will create a unified network out of your different sites and cloud services, offering you the opportunity to integrate remote workers as well. One tricky feature of this SASE package is that it doesn’t include a firewall; you add in the FWaaS package of your choice from third-party providers. The VMware division also offers an SD-WAN option. These services cooperate with an endpoint or LAN agent that is very similar to the GlobalProtect agent.
  4. Aruba EdgeConnect: This on-premises package lets you build an SD-WAN. The critical feature of this package isn’t its security services but its traffic management features. The central console of the Aruba service gives you a network monitor. The behind-the-scenes transport system offers connection optimization features and traffic prioritization opportunities to speed up the delivery of time-sensitive applications, such as VoIP or video streaming. You host the central server on one of your sites, and then each branch and remote endpoint needs a gateway system, which is available as a physical or a virtual appliance.
  5. FortiGate SD-WAN: This cloud-based service is facilitated by FortiClient, which performs the same function as GlobalProtect. The SD-WAN system manages network addresses to unify sites across the internet and uses VPNs to protect traffic on the virtual network. Fortinet also offers a firewall called FortiGate and a SASE system called FortiSASE. The firewall service can be implemented on a dedicated network device, virtual appliance, or cloud service. Threat detection, a SIEM, and data loss prevention are all available as add-on services to the SD-WAN, the SASE, and the firewall.
  6. Citrix SD-WAN: Like VMware, Citrix is a virtualization provider, and it is branching out into network virtualization with this SD-WAN product. In this system, the equivalent to GlobalProtect is called the Citrix Workspace app. The app allows users to enroll their own devices into the corporate network and choose when to turn that inclusion on. In addition, this package includes performance optimization features for the internet connections that underpin the SD-WAN.