topic Re: Clientless VPN in General Topics

Clientless VPN

Tician — Tue, 15 Aug 2017 12:30:09 GMT

Hi All,

can someone provide configuration example for Clientless VPN access through GP portal...
I was already used configuration steps explained on this page, but seem that it not helped in my case. I'm able to authenticate and open portal landing page with published app, but there is no response of it. I'm pretty sure that all steps of configuration is by the book, but I'm not sure about step 10 where have to create security rules... With my opinion it is a bit grayed and confused, how exactly policies has to be created.
If someone have this operational, it could be very appriciated to share configuration with us...

P.S. I used troubleshooting procedure provided here and after generated logs and pcap's, only strange I can find is:

Cannot de-NAT v4 packet, no port match

== 2017-08-15 10:49:11.393 +0200 ==
Packet received at ingress stage, tag 262143, type ORDERED
Packet info: len 91 port 16 interface 256 vsys 1
wqe index 229186 packet 0x0x800000041da465c2, HA: 0
Packet decoded dump:
L2: 00:1b:17:4c:8f:10->00:70:76:69:66:00, type 0x0800
IP: 89.x.x.x (portal public IP)->10.x.x.x(dns internal) , protocol 17
version 4, ihl 5, tos 0x00, len 73,
id 44114, frag_off 0x4000, ttl 64, checksum 63738(0xf8fa)
UDP: sport 54788, dport 53,

It looks like that portal ask internal dns (DNS proxy) for resolution of published url app, but has this "de-NAT port not match" issue. Seem that packet flow after establishing initial vpn connection to portal, enforce NAT policy stage....

PANOS 8.0.4

Re: Clientless VPN

Retired Member — Wed, 25 Oct 2017 13:02:28 GMT

Have you tasted that on PAN-OS 8.0.5?

Re: Clientless VPN

Tician — Wed, 25 Oct 2017 14:22:22 GMT

no, but I'll try this days and post results...

Re: Clientless VPN

ice-quake — Fri, 02 Mar 2018 19:32:46 GMT

I agree. Step 10 is confusing. I want to create a seperate zone for clientless VPN, but what interface do I assign it to? Doesn't seem possible to use a tunnel interface. Do I not assign the zone to an interface?

If I use the untrust/outside zone then the policy doesn't really make sense. Do I allow access from the "internet" to my internal resources? How about DNS proxy? The documentation around this piece is poor at best.

Re: Clientless VPN

junior_r — Thu, 06 Sep 2018 02:42:59 GMT

did you guys get what you where looking for?

Re: Clientless VPN

junior_r — Thu, 06 Sep 2018 02:44:42 GMT

@Tician did you get this working?