topic Re: GlobalProtect expand IP Pool in General Topics

GlobalProtect expand IP Pool

MikeSangray2019 — Thu, 10 Oct 2024 18:43:20 GMT

We have an existing GP setup and it's working, but the IP Pool is set to a range of IPs 192.168.10.10-192.168.10.100 instead of a subnet 192.168.10.0/24.

I want to either expand the range or change it to a subnet.

I tested this by expanding the range to 192.168.10.5-192.168.10.150, but clients that got an address in the newly expanded range e.g. 192.168.10.125 were having trouble with network traffic like connecting to internal DNS.

I looked at traffic logs, etc., but nothing stood out as the issue.

Are there other places in the config I need to change the range or commands I need to run?

Policies already allow by zone. Routing is already configured to use the /24 subnet.
I did see traffic being allowed, but maybe replies weren't being routed correctly back to the expanded range?

Maybe a routing table issue?

Re: GlobalProtect expand IP Pool

Claw4609 — Thu, 10 Oct 2024 19:41:38 GMT

Hello,

That should be the only spot where you should have to specify the IP range It sounds like it possible you may now have a return route on an upstream device (or maybe you have multiple VRs and they dont have a route between each other for the ne network. I would next look at doing a packet catpure on the Palo to see if you are getting return traffic at all. If you are and its being dropped I would then check the global counters to see why its being dropped. How to check global counters for a specific source and destinat... - Knowledge Base - Palo Alto Networks

Re: GlobalProtect expand IP Pool

Brandon_Wertz — Fri, 11 Oct 2024 13:34:28 GMT

@MikeSangray2019 wrote:

We have an existing GP setup and it's working, but the IP Pool is set to a range of IPs 192.168.10.10-192.168.10.100 instead of a subnet 192.168.10.0/24.

I want to either expand the range or change it to a subnet.

I tested this by expanding the range to 192.168.10.5-192.168.10.150, but clients that got an address in the newly expanded range e.g. 192.168.10.125 were having trouble with network traffic like connecting to internal DNS.

I looked at traffic logs, etc., but nothing stood out as the issue.

Are there other places in the config I need to change the range or commands I need to run?

Policies already allow by zone. Routing is already configured to use the /24 subnet.
I did see traffic being allowed, but maybe replies weren't being routed correctly back to the expanded range?

Maybe a routing table issue?

Sounds like it could be a routing issue. What type of routing are you doing, static or dynamic? After you changed your GP IP pool did you update your routing for the previous IP pool to include the new network space? You would potentially need to update the route in multiple areas on the firewall or even outside the FW if you're using static routing.

Re: GlobalProtect expand IP Pool

MikeSangray2019 — Thu, 24 Oct 2024 15:14:23 GMT

I found the issue. We had legacy config that included other GP Gateways and IP Pools. One of the pools had an overlapping IP range, so any client that received an IP from the new gateway in the overlapping portion of the range would still connect and get an IP, but traffic wouldn't flow. Removed the old gateway config and it's working fine now.