topic Re: GlobalProtect Access Route for a public website? in General Topics

GlobalProtect Access Route for a public website?

OMatlock — Wed, 27 Jun 2018 11:53:51 GMT

Hi folks,

We are using a PA 3020 PANOS 7.1.14.

We have entered all public IP addresses for Okta in our Global Protect Gateway Client Access route settings.

Our intention is for Okta to only see client IP requests come from our one corporate public IP (instead of the client's ISP).

We want split tunnelling except for when accessing <name>.okta.com.

We have our internal DNS server IP added for the GlobalProtect clients to use (forwarding configured to public DNS).

However, when connected to GlobalProtect <name>.okta.com will not resolve, "this site can't be reached", times out.

I've confirmed with a ping -a that the public IP it resolves to is in the list for access routes.

I've also tried adding adding an internal DNS zone for <name>.okta.com, but has not helped.

Wondering if anyone has any tips?

Re: GlobalProtect Access Route for a public website?

JoeAndreini — Wed, 27 Jun 2018 12:16:56 GMT

Are you positive there is a nat rule for this outbound traffic?

Scurity policy to allow it?

Do you see this traffic in the logs?

Re: GlobalProtect Access Route for a public website?

OMatlock — Wed, 27 Jun 2018 14:05:39 GMT

Yea, I think your are right, thank you. We do not have a security rule in place from VPN zone to Untrust zone. I assume because it was not necessary.

I just tried it, but still not working. I believe I need to add all the IPs in there, since I am now getting a page not found error (instead of time out).

Traffic to the Okta public IP is not even registering the traffic log at the moment, have not packet captured yet.

Not sure if the internal DNS zone I created for <name>.okta.com is needed or not, will try to find out.

Still testing, will update.

Re: GlobalProtect Access Route for a public website?

OtakarKlier — Wed, 27 Jun 2018 15:04:54 GMT

Hello,

Just another though might be to not decypt the traffic to Okta, if you are decrypticing traffic.

Regards,

Re: GlobalProtect Access Route for a public website?

BPry — Wed, 27 Jun 2018 15:19:47 GMT

@OMatlock,

Just to ensure that you are actually getting all of the logs you might want to override the interzone default policy to log the traffic, as if you don't have a security policy allow it the denied traffic won't be logged by default.

Re: GlobalProtect Access Route for a public website?

OMatlock — Wed, 27 Jun 2018 21:54:59 GMT

You were right. I did not think to go add the VPN zone to the security rule to Untrust and Dynamic IP and Port NAT rule.

Resolved. Thanks again!