https://live.paloaltonetworks.com/t5/prisma-access-discussions/global-protect-clients-connection-policies-through-the-ngfw/m-p/531067#M466 <P>Thank you for your advice. However, it looks like the problem is in Authentication.<BR />The GP client logs in and receives a cookie for 24 hours. However, after expiring this cookie, it is unable to re-authenticate.<BR />I'll try enabling SAML portal now and see what happens.</P> Tue, 14 Feb 2023 12:34:23 GMT Vachy 2023-02-14T12:34:23Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/global-protect-clients-connection-policies-through-the-ngfw/m-p/530206#M460 <P>Hi, Comunity,</P> <P>I'd like to ask your advice.<BR />Is there any instruction somewhere on how to do the best set of the rules on Firewall PAN to only allow traffic for global protect clients?<BR />The clients are on a normal network with DHCP. They have DNS from AD server. <BR />I want the client to get to the Internet only via Prisma Access/ This means that the client passes through a firewall that only allows access to&nbsp; Mobile Users Gateways.</P> <P>I have found via API in Panorama/Cloud Plugin GW addresses, Portals and even IP ranges. I gradually prepared the rules. <BR />I still have a problem with this. After setting the rules it works. However, the next day it doesn't.</P> <P>Thank you</P> Tue, 07 Feb 2023 23:40:04 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/global-protect-clients-connection-policies-through-the-ngfw/m-p/530206#M460 Vachy 2023-02-07T23:40:04Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/global-protect-clients-connection-policies-through-the-ngfw/m-p/531043#M464 <P>You can try on the Firewall to create a policy rule that allows only the Globalprotect Application from your source IP addresses/username/ad groups as a workaround.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="nikoolayy1_0-1676366109548.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/47918i2209A17C1CABDBAA/image-size/medium?v=v2&amp;px=400" role="button" title="nikoolayy1_0-1676366109548.png" alt="nikoolayy1_0-1676366109548.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Outside of that better make a server that pulls your Prisma Access endpoint addresses using the API as you already saw and then make an External Dynamic List that the Palo Alto Firewalls can ingest but will be complex. You can alse feed in the firewalls using their API and and modify the address object. As Prisma Access addreses change better pull the data every maybe 10 minutes.</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/external-dynamic-list" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/external-dynamic-list</A></P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-rest-api/work-with-address-objects-rest-api" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-rest-api/work-with-address-objects-rest-api</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>The API to retrive the Prisma Access addresses:</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-rest-api/work-with-address-objects-rest-api" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-rest-api/work-with-address-objects-rest-api</A></P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 14 Feb 2023 09:21:34 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/global-protect-clients-connection-policies-through-the-ngfw/m-p/531043#M464 nikoolayy1 2023-02-14T09:21:34Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/global-protect-clients-connection-policies-through-the-ngfw/m-p/531067#M466 <P>Thank you for your advice. However, it looks like the problem is in Authentication.<BR />The GP client logs in and receives a cookie for 24 hours. However, after expiring this cookie, it is unable to re-authenticate.<BR />I'll try enabling SAML portal now and see what happens.</P> Tue, 14 Feb 2023 12:34:23 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/global-protect-clients-connection-policies-through-the-ngfw/m-p/531067#M466 Vachy 2023-02-14T12:34:23Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/global-protect-clients-connection-policies-through-the-ngfw/m-p/531151#M467 <P>Also check if the cookies are correctly configured as maybe the portal cookie timeout is different of the gateway one:</P> <P>&nbsp;</P> <H1 class="slds-text-heading_large">How to generate cookies on GlobalProtect Portal and use cookies for Gateway Authentication</H1> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boODCAY" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boODCAY</A></P> <P>&nbsp;</P> <H1 class="slds-text-heading_large">GlobalProtect portal and gateway authentication override cookie lifetime does not expire or last for set lifetime</H1> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004NCxCAM&amp;lang=en_US%E2%80%A9" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004NCxCAM&amp;lang=en_US%E2%80%A9</A></P> <P>&nbsp;</P> Tue, 14 Feb 2023 20:04:59 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/global-protect-clients-connection-policies-through-the-ngfw/m-p/531151#M467 nikoolayy1 2023-02-14T20:04:59Z