<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic GlobalProtect Gateway Behind Nginx Issue in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-gateway-behind-nginx-issue/m-p/564407#M114212</link>
    <description>&lt;P&gt;Hello everyone! My environment only has one public IPv4 so I'm trying to make the most of it. We already run a number of web services on port 80/443 behind an Nginx reverse proxy. I'm trying to add GlobalProtect to the mix. I have my portal and gateway running on the same IP. When I forward the ports (80, 443, 4501) the portal seems to work correctly but the gateway just fails. Everything in my FW GP logs says success and my client logs just have a generic "no route" error. Sometimes they connect and can't pass traffic. I've done a bunch of testing and what I've found is that port 443 needs to be forwarded/streamed directly to the FW, otherwise clients fail. Does anyone know why this is or what setting I need to tweak to get the gateway to work behind Nginx?&lt;/P&gt;</description>
    <pubDate>Sat, 04 Nov 2023 22:15:06 GMT</pubDate>
    <dc:creator>MeCJay12</dc:creator>
    <dc:date>2023-11-04T22:15:06Z</dc:date>
    <item>
      <title>GlobalProtect Gateway Behind Nginx Issue</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-gateway-behind-nginx-issue/m-p/564407#M114212</link>
      <description>&lt;P&gt;Hello everyone! My environment only has one public IPv4 so I'm trying to make the most of it. We already run a number of web services on port 80/443 behind an Nginx reverse proxy. I'm trying to add GlobalProtect to the mix. I have my portal and gateway running on the same IP. When I forward the ports (80, 443, 4501) the portal seems to work correctly but the gateway just fails. Everything in my FW GP logs says success and my client logs just have a generic "no route" error. Sometimes they connect and can't pass traffic. I've done a bunch of testing and what I've found is that port 443 needs to be forwarded/streamed directly to the FW, otherwise clients fail. Does anyone know why this is or what setting I need to tweak to get the gateway to work behind Nginx?&lt;/P&gt;</description>
      <pubDate>Sat, 04 Nov 2023 22:15:06 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-gateway-behind-nginx-issue/m-p/564407#M114212</guid>
      <dc:creator>MeCJay12</dc:creator>
      <dc:date>2023-11-04T22:15:06Z</dc:date>
    </item>
    <item>
      <title>Re: GlobalProtect Gateway Behind Nginx Issue</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-gateway-behind-nginx-issue/m-p/564412#M114213</link>
      <description>&lt;P&gt;You don't need to run the GlobalProtect portal and gateway on the WAN interface.&lt;/P&gt;
&lt;P&gt;You can run them on a DMZ interface, for example, and use NAT.&lt;/P&gt;
&lt;P&gt;In this case you can DNAT any port and don't need to use the defaults (portal tcp/443 and gateway udp/4501).&lt;/P&gt;</description>
      <pubDate>Sun, 05 Nov 2023 06:08:01 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-gateway-behind-nginx-issue/m-p/564412#M114213</guid>
      <dc:creator>Raido_Rattameister</dc:creator>
      <dc:date>2023-11-05T06:08:01Z</dc:date>
    </item>
    <item>
      <title>Re: GlobalProtect Gateway Behind Nginx Issue</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-gateway-behind-nginx-issue/m-p/564416#M114214</link>
      <description>&lt;P&gt;Thanks for the reply. This is a good idea to eliminate the reverse proxy (which I'm a fan of). I gave it a try this morning and maybe I have something else going on but it didn't quite work either. I have the portal using 80/443 behind the reverse proxy (which in my testing so far hasn't been an issue) and I have the gateway DNAT'd from 8443 to 443 and 4501 to 4501. I can connect immediately but then the VPN doesn't allow TCP traffic. ICMP and DNS work fine but websites all get err_time_out and this is consistent to external and internal IPs. I can see the traffic coming through in the traffic logs and being allowed without any errors or anything. The logs don't seem to have any errors. Any ideas?&lt;/P&gt;</description>
      <pubDate>Sun, 05 Nov 2023 15:30:21 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-gateway-behind-nginx-issue/m-p/564416#M114214</guid>
      <dc:creator>MeCJay12</dc:creator>
      <dc:date>2023-11-05T15:30:21Z</dc:date>
    </item>
    <item>
      <title>Re: GlobalProtect Gateway Behind Nginx Issue</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-gateway-behind-nginx-issue/m-p/564525#M114232</link>
      <description>&lt;P&gt;Found the second issue. I was testing external user access from a T-Mobile internet connection. Apparently T-Mobile requires lowering the GlobalProtect MTU. For anyone coming across this in the future, I lowered it to 1280 for the time being. I may try raising/tweaking it again later.&lt;/P&gt;</description>
      <pubDate>Mon, 06 Nov 2023 15:25:21 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-gateway-behind-nginx-issue/m-p/564525#M114232</guid>
      <dc:creator>MeCJay12</dc:creator>
      <dc:date>2023-11-06T15:25:21Z</dc:date>
    </item>
  </channel>
</rss>

