<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Having GlobalProtect Users Access Webserver NAT Address Instead of Internal Address in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/having-globalprotect-users-access-webserver-nat-address-instead/m-p/204026#M60050</link>
    <description>&lt;P&gt;I'm very very new to Palo Alto.&amp;nbsp; For the few weeks that I've been using it, I've been very impressed with its ease of use and functionality.&amp;nbsp; I have a question when it comes to GlobalProtect.&amp;nbsp; We have a webserver that we want to exclude from the GlobalProtect VPN tunnel.&amp;nbsp; Let's say the site is test.testcompany.com.&amp;nbsp; In the Client settings, in GlobalProtect, I see that you can exclude addresses from going through the tunnel. Since this website is part of a round robin, is there a way to exclude by FQDN instead of by IP?&amp;nbsp; From the looks of it, you can't.&amp;nbsp; The second question I have is, let's say that the internal IP address for test.testcompany.com is 10.10.10.10.&amp;nbsp; If I want GlobalProtect users to route to this server's public address, let's say 30.30.30.30, instead of 10.10.10.10, is there a way to do this through the Palo Alto?&amp;nbsp; I've tried researching, but haven't come up with anything concrete.&amp;nbsp; Appreciate your help!&lt;/P&gt;</description>
    <pubDate>Wed, 07 Mar 2018 07:17:50 GMT</pubDate>
    <dc:creator>szannikos</dc:creator>
    <dc:date>2018-03-07T07:17:50Z</dc:date>
    <item>
      <title>Having GlobalProtect Users Access Webserver NAT Address Instead of Internal Address</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/having-globalprotect-users-access-webserver-nat-address-instead/m-p/204026#M60050</link>
      <description>&lt;P&gt;I'm very very new to Palo Alto.&amp;nbsp; For the few weeks that I've been using it, I've been very impressed with its ease of use and functionality.&amp;nbsp; I have a question when it comes to GlobalProtect.&amp;nbsp; We have a webserver that we want to exclude from the GlobalProtect VPN tunnel.&amp;nbsp; Let's say the site is test.testcompany.com.&amp;nbsp; In the Client settings, in GlobalProtect, I see that you can exclude addresses from going through the tunnel. Since this website is part of a round robin, is there a way to exclude by FQDN instead of by IP?&amp;nbsp; From the looks of it, you can't.&amp;nbsp; The second question I have is, let's say that the internal IP address for test.testcompany.com is 10.10.10.10.&amp;nbsp; If I want GlobalProtect users to route to this server's public address, let's say 30.30.30.30, instead of 10.10.10.10, is there a way to do this through the Palo Alto?&amp;nbsp; I've tried researching, but haven't come up with anything concrete.&amp;nbsp; Appreciate your help!&lt;/P&gt;</description>
      <pubDate>Wed, 07 Mar 2018 07:17:50 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/having-globalprotect-users-access-webserver-nat-address-instead/m-p/204026#M60050</guid>
      <dc:creator>szannikos</dc:creator>
      <dc:date>2018-03-07T07:17:50Z</dc:date>
    </item>
    <item>
      <title>Re: Having GlobalProtect Users Access Webserver NAT Address Instead of Internal Address</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/having-globalprotect-users-access-webserver-nat-address-instead/m-p/204085#M60061</link>
      <description>&lt;P&gt;Split tunneling manipulates the routing table, so there's no possibility to do this based on FQDN.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If you have an internal DNS server, you can have it serve up different DNS entries based on the source of the query. Alternatively, you can set up a DNS proxy and have your GP clients use this as their DNS server. You can set the external IP as the DNS record for your site.&lt;/P&gt;</description>
      <pubDate>Wed, 07 Mar 2018 14:50:47 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/having-globalprotect-users-access-webserver-nat-address-instead/m-p/204085#M60061</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2018-03-07T14:50:47Z</dc:date>
    </item>
    <item>
      <title>Re: Having GlobalProtect Users Access Webserver NAT Address Instead of Internal Address</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/having-globalprotect-users-access-webserver-nat-address-instead/m-p/204086#M60062</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/78776"&gt;@szannikos&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;So first things first, let's look at the webserver exclusion.&amp;nbsp;&lt;/P&gt;&lt;P&gt;1) If you followed best practices and the GlobalProtect terminates on its own security zone, then you would simply create a security policy that says that anything from the zone 'GP', or whatever you named it, cannot access the webserver. Alternatively, if you have a rule allowing all traffic, simply add the IP that you don't want them visiting to the 'destination' field and then utilize the 'Negate' option. This will continue to allow all traffic unless the IP is listed in the destination field.&amp;nbsp;&lt;/P&gt;&lt;P&gt;2) If you didn't terminate GlobalProtect in its own zone, you'll need to add the IP into the 'Excludes' Split Tunnel configuration on the GP Gateway Client Settings. Since you can't take advantage of FQDN, you'll need to include all of the IPs of the servers participating in the round-robin configuration.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Your second question gets a little more complicated. What you'd need to do is actually set up a destination NAT. Essentially stating that if something comes from the GlobalProtect zone with the GP IP range to 10.10.10.10, the translated packet is going to be set up as a destination address translation to 30.30.30.30 to a translated port of 443.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Edit:&lt;/P&gt;&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608"&gt;@reaper&lt;/a&gt;'s suggestion is by far easier to configure &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 07 Mar 2018 14:56:02 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/having-globalprotect-users-access-webserver-nat-address-instead/m-p/204086#M60062</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2018-03-07T14:56:02Z</dc:date>
    </item>
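Both replies above rest on the same practical point: a GlobalProtect split-tunnel exclude is installed as a route, so a round-robin name can only be excluded by listing every address it can resolve to, and the list silently stops covering the site when the round robin changes. The script below is an added example, not code from this thread or from Palo Alto Networks. It checks an exclude list against the set of addresses a name has been seen to resolve to, reports which answers would still enter the tunnel, and collapses the answers into the fewest prefixes to paste into the gateway's exclude list. The hostname test.testcompany.com, the four 30.30.30.x answers and the one-entry exclude list are constructed sample data; in practice you would gather the answers by resolving the name repeatedly or from whoever owns the zone.

```python
"""
Added example (not from the thread): verify that a GlobalProtect
split-tunnel exclude list covers every address a round-robin FQDN can
resolve to, and aggregate those addresses into a minimal exclude list.

Offline: the name, its A records and the current excludes are
constructed below instead of being looked up in DNS.
"""
import ipaddress
from typing import Iterable, List

# Constructed sample data: a round-robin name with four public answers,
# and an exclude list that only contains the first of them.
FQDN = "test.testcompany.com"
ROUND_ROBIN_ANSWERS = ["30.30.30.30", "30.30.30.31", "30.30.30.32", "30.30.30.40"]
CURRENT_EXCLUDES = ["30.30.30.30/32"]


def is_excluded(ip: str, excludes: Iterable[str]) -> bool:
    """True if ip falls inside any exclude prefix, i.e. it bypasses the tunnel.

    The decision is a plain prefix match on the destination address,
    which is all a route-based split tunnel can do; the name never
    enters into it.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in excludes)


def still_tunneled(answers: Iterable[str], excludes: Iterable[str]) -> List[str]:
    """Answers for the FQDN that would still be sent through the tunnel."""
    leaking = [a for a in answers if not is_excluded(a, excludes)]
    return sorted(leaking, key=lambda a: int(ipaddress.ip_address(a)))


def minimal_exclude_list(answers: Iterable[str]) -> List[str]:
    """Collapse the observed answers into the fewest covering prefixes.

    Adjacent host routes are merged (30.30.30.30 and .31 become a /31),
    but no address outside the observed answers is excluded.
    """
    host_routes = [ipaddress.ip_network(a + "/32") for a in answers]
    return [str(n) for n in ipaddress.collapse_addresses(host_routes)]


if __name__ == "__main__":
    leaking = still_tunneled(ROUND_ROBIN_ANSWERS, CURRENT_EXCLUDES)
    print(f"{FQDN}: {len(leaking)} of {len(ROUND_ROBIN_ANSWERS)} answers still tunneled: {leaking}")
    print("exclude list covering all observed answers:", minimal_exclude_list(ROUND_ROBIN_ANSWERS))
```

Running it with the sample data shows three of the four answers still entering the tunnel with the one-entry exclude list, and a three-prefix list that covers all of them. The check has to be repeated whenever the round robin changes, which is the upkeep that the DNS-based approach in the first reply (hand GP clients an answer of 30.30.30.30 directly) avoids.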
  </channel>
</rss>

