GlobalProtect: Using an alternative port

MGiusti — Thu, 03 Nov 2022 10:42:56 GMT

Good morning.

I require a bit of assistance for deploying GlobalProtect with a twist.

A client of ours wishes to deploy Global Protect but unfortunately, they also have a Web Facing application using SSL on the same ISP interface.

This is unfortunately causing issues since GP also makes use of 443(SSL) and due to the DNAT rule in place for this web app, any traffic originating with application SSL is being natted to the internal web-app server.

I did some research and found implemented the following:
How to Configure GlobalProtect Portal Page to be Accessed on an... - Knowledge Base - Palo Alto Networks

But this did not resolve the SSL issue.

Therefore, it seems that there can only be either a DNAT that will point SSL traffic to the loopback of the global protect or a DNAT that will point SSL traffic to the web-app server.

One alternative is making use of the alternative ISP link but the client does not wish to go down that route for the time being.

I hope I have provided enough information.

Any ideas would be appreciated.
Thanks.

Re: GlobalProtect: Using an alternative port

BPry — Tue, 08 Nov 2022 01:38:20 GMT

@MGiusti,

Your DNAT statement for GlobalProtect wouldn't be using tcp/443 when you change the port of the portal/gateway, it'll be using whatever port you've selected that isn't already being used for your web server. How exactly are you attempting to set up your NAT statements? Sounds like something that you're setting there isn't being done properly.

topic GlobalProtect: Using an alternative port in GlobalProtect Discussions

GlobalProtect: Using an alternative port

Re: GlobalProtect: Using an alternative port