topic Re: 7.1.2 Unable to reach GlobalProtect portal in General Topics

7.1.2 Unable to reach GlobalProtect portal

digitaltrance — Tue, 24 Jan 2017 21:46:24 GMT

Hey guys,

I am trying to get the GlobalProtect piece of the FW to work, I followed word for word from the 7.1 admin guide and still no luck. When I go to monitor I see the source coming from the external-untrust zone (which is correct), but the to zone shows (internal - trust). If I am reading this doc correctly, the VPN should terminate on the tunnel interface it makes you create right?

Page 157 -

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/framemaker/71/globalprotect/globalprotect-admin-guide.pdf

Any ideas?

Regards

Re: 7.1.2 Unable to reach GlobalProtect portal

bmorris1 — Wed, 25 Jan 2017 09:45:27 GMT

Hi Digitaltrance,

If you're trying to web browse to your global protect portal you would ideally host this on your external interface or on a loopback interface. The tunnel interface would be for when you are connecting to the GP VPN and establishing a tunnel rather than web browsing to the portal.

To establish the connection you will need to first allow the external client to access the portal to authenticate then also allow the gateway authentication.

As your log shows external to internal hitting the default interzone deny, rather than say external to external intrazone default allow then it looks like you may be accidentally NATing your traffic destined to your portal to your internal zone? Or you have set up your GP portal for an interface in your internal zone rather than an external zone? As you don't have a policy to allow that I can see in your screenshots.

Check the detailed log view (spyglass on the left of the log) and you can see if your traffic is being NATed incorrectly in the destination panel.

hope this helps,

Ben

Re: 7.1.2 Unable to reach GlobalProtect portal

BPry — Wed, 25 Jan 2017 13:36:00 GMT

I think @bmorris1 pretty much nailed the first things to look at and you'll likely find an error with where you have the tunnel as far as the security zone goes or something weird with your NAT policy. I would look at the tunnels security zone first, and then look at the NAT as I think it's actually more likely that you actually set your tunnel interface to your internal zone.

One thing that I might recommend is actually making a GlobalProtect zone. It makes creating access policies and the like a little bit easier if you are looking to lock down your VPN users access, and it helps keep it really simple as far as access rules go.

Re: 7.1.2 Unable to reach GlobalProtect portal

digitaltrance — Wed, 25 Jan 2017 13:52:55 GMT

It was a bad NAT policy guys, thanks so much for the help. It is working now.

Now i just need to figure out how to get the routing correct to get to the internet, I can only access internal devices over the VPN atm.

Re: 7.1.2 Unable to reach GlobalProtect portal

jdelio — Wed, 15 Feb 2017 20:16:15 GMT

@digitaltrance, If everything else is working, you need to take a look at your access route for GlobalProtect.

Check inside of the WebGUI > Network > GlobalProtect > Click configuration for a gateway > Agent tab > click on a config profile > Network Settings - Access route on the right hand side.

This is where the GP client will get its "access route" in order to know where to go.

If you only give it access to your internal network, then that is all it has access to.

If you want it to route all of its traffic over GP, then you can use a 0.0.0.0/0 network. But please be aware, that this can cause local access issues for the GP client.

I hope this helps.