topic Re: Clientless VPN - Application is not accessible in Next-Generation Firewall Discussions

Clientless VPN - Application is not accessible

akilan.r@tutelartechlabs.com.panwpartner — Sun, 12 Feb 2023 08:46:21 GMT

Hello All,

This is my topology I have configured Clientless VPN hosting two application as, paloaltonetworks.com (external-application) and amazon.forest.in (internal hosted application). But i am unable to access the application that hosted inside. In this question have attached my configuration also. other than that there is no sent byte for clientless-VPN traffic also.

External application works but no sent bytes ?

ISSUE NOTE : 1.External Application working but there is no sent bytes

2.Internal Application not accessible

Re: Clientless VPN - Application is not accessible

nikoolayy1 — Tue, 14 Feb 2023 20:24:31 GMT

This sigfnals a routing issue or DNS issue as 0 bites are send. Check if the DNS resolution is working for the Palo Alto as maybe the routing or Service route is wrong (palo alto by default uses the managment):

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/service-routes

Also check the config:

https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-clientless-vpn/configure-clientless-vpn

Finally just check the global counters, tcdump for drops and the security policy:

https://live.paloaltonetworks.com/t5/general-topics/knowledge-sharing-palo-alto-checking-for-drops-rejects-discards/td-p/402102

Also there are a lot of articles for debuging web issues for clientless vpn and try using different browsers:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPizCAG

https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-clientless-vpn/troubleshoot-clientless-vpn

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POjmCAG&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLSiCAO

Re: Clientless VPN - Application is not accessible

nikoolayy1 — Mon, 20 Feb 2023 09:17:28 GMT

Hello, Did you test the DNS resolution and routing are correct ? If so using another browser as your error seems to be seen a lot for chrome browser and then finally doing tcpdump/pcap capture for the rewrite action to see how Palo Alto rewrites the HTTP/HTML content and you can find this from the links I shared and also using Fiddler to see how direct access to application looks like without the Clientless VPN and with it and to compare.

Re: Clientless VPN - Application is not accessible

raghavendra.badiger — Sat, 07 Sep 2024 06:03:48 GMT

I am having different issue, not sure if this is only for me or other users as well. If my issue is faced by everyone then I am not sure how clientless VPN is helpful.

So I will take example of above images:

User logs in to Clientless VPN at https://192.168.29.245 and on portal page, user clicks on Palo Alto tile. This opens a new tab with URL as https://192.168.29.245/https/www.paloaltonetworks.com/ , as shown in above image.

Now the issue is - On the Palo Alto page if I click on any link(for example 'Sign in', then it takes to login page. However on the browser URL appears to be https://signin.palolaltonetworks.com not https://192.168.29.245/https/signin.paloaltonetworks.com .

Former URL is not going via firewall rather it goes directly from user machine to the webpage, how can I ensure any link on the page is prefixed by VPN portal "https://192.168.29.245"?

Support isnt able to solve the problem from past 1 week. I am using stable PAN-OS 11.1.3 and Clientless app version 98-260(latest).

Thanks.

Re: Clientless VPN - Application is not accessible

nikoolayy1 — Wed, 20 Nov 2024 07:42:54 GMT

Support seems right to me as if traffic does not go through the firewall then it can't resolved from the firewall side as it seems that your web app design and DNS is the one that needs some reconfiguration. Nowadays DNS servers can return different IP addresses for DNS requests based on the source IP address/network of the client, so your DNS can return the firewalls IP address (you may need to change the SSL cert in that case on FW to have the CN as the fqdn) or you can direct traffic to the firewall and use static entries option.

How to Configure DNS Proxy on a Palo Alto Networks Firewall - Knowledge Base - Palo Alto Networks

Re: Clientless VPN - Application is not accessible

nikoolayy1 — Wed, 20 Nov 2024 16:31:01 GMT

Maybe also as the User authentication is in SAML or Oauth it can't be rewritten as it is not css, html or javascript, which seems normal to me.

If the auth is SAML/OAUTH SSO you can configure the NGFW to be IsP SAML (if the app is SAML IsP then the the same thing should be done from the firewall) for example as when the user has the SAML assertion then it shouldn't be an issue to log into the backend and there to be no authentication need on the backend.

If this does not work may need to disable the authentication for when the source ip is the firewall as the NGFW can still forward the username to the app in a header https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/user-id/deploy-user-id-in-a-large-scale-network/insert-username-in-http-headers and the NGFW will do authentication for the user https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-clientless-vpn