topic Re: loopback for globalprotect VPN in General Topics

loopback for globalprotect VPN

jdprovine — Tue, 15 May 2018 19:42:15 GMT

What is the advantage of using a loopback interface for a global protect VPN?

Re: loopback for globalprotect VPN

reaper — Tue, 15 May 2018 20:42:17 GMT

-It allows you to pick a different IP than the one that's attached to the physical interface (no need to fuss with subnetting etc)

-It also provides a layer of protection, since you're able to create a security policy for <untrust to untrust, destination IP of the loopback>, that will actually protect against a few potential exploits (some zero-day web-targetted exploits could theoretically go unblocked by a threat prevention profile if the GP gateway is on the physical interface as it could hit before the profile is triggered)

-it provides more clarity in 'topology', as the GP is running on it's own interface+ip

if you really really need it, it could run on

a different zone and
a different internal IP range and go through NAT

although I would not recommend this, as it makes the deployment far more complex, but there could be a need to do so

Re: loopback for globalprotect VPN

jdprovine — Wed, 16 May 2018 13:17:01 GMT

@reaper

I assume it allows you to add more virtual interfaces to one physical interface. I had read something that wa using a physical outside interface for their VPN. I guess thats okay if you only have one VPN and can spare a whole interface.

Thanks reaper you helped me decide that for me created the new VPN on a loopback make more sense than assigning a whole interface to the outside to it

Re: loopback for globalprotect VPN

fjwcash — Wed, 23 May 2018 20:16:42 GMT

On a GP Gateway box, using a loopback interface with a private IP address also let's you share a single public IP and just forward ports through as needed.

We have this setup on one of our GP Gateway firewalls as there are 3 separate Gateways configured. They all share the same public IP, but have separate private IPs on loopback interfaces. There are NAT Policies in place to forward specific destination ports to each of the private IPs (using the standard GP port).

Then, in the GP Portal, we have it configured to send different users to different gateways, and have the port listed in the config there.

Re: loopback for globalprotect VPN

M.Alam277086 — Tue, 28 May 2024 21:48:31 GMT

can someone provide a real KB link to configure GP with loopback interface?

Re: loopback for globalprotect VPN

reaper — Wed, 29 May 2024 09:02:55 GMT

LMGTFY: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKPCA0

Re: loopback for globalprotect VPN

Raido_Rattameister — Wed, 29 May 2024 14:18:39 GMT

Although you can use loopback for GlobalProtect I suggest not to.

If you have multiple ISPs and need to DNAT different WAN IPs to single GlobalProtect portal/gateway IP then use DMZ interface.

Limitation of loopback interface is that you can't apply QoS to it.