topic Re: Global Protect, use custom port for portal, followed the tutorial on paloaltonetwork in General Topics

Global Protect, use custom port for portal, followed the tutorial on paloaltonetwork

Jborgeaud — Fri, 21 Sep 2018 19:10:52 GMT

Hi,

I followed the tutorial : How to Configure GlobalProtect Portal Page to be Accessed on any Port but it's not working.

When I connect using browser I get an error. I see in monitor that the port is accessed and I see the rules for the nat as well, but in the application it's written "incomplete". How can I debug it further ?

Thanks for help.

Jon

Re: Global Protect, use custom port for portal, followed the tutorial on paloaltonetwork

OtakarKlier — Fri, 21 Sep 2018 19:26:40 GMT

HEllo,

I would start by looking at the logs to see if/where the traffic is getting blocked. My guess is that its probably a typo somewhere and its causing a block?

Regards,

Re: Global Protect, use custom port for portal, followed the tutorial on paloaltonetwork

Jborgeaud — Sat, 22 Sep 2018 16:22:15 GMT

There is no typo.

Here is the screenshot of the monitor:

Re: Global Protect, use custom port for portal, followed the tutorial on paloaltonetwork

Jborgeaud — Sat, 22 Sep 2018 16:28:58 GMT

pics of loopback:

screen of nat:

security rules:

We see that all rules has count, means they are triggered...

And inside the monitr they are no block, I even override intra/interzone to show inside the logs.

Re: Global Protect, use custom port for portal, followed the tutorial on paloaltonetwork

BPry — Sat, 22 Sep 2018 19:12:13 GMT

@Jborgeaud,

I would take a look at your routing with that NAT statement in place. Your logs don't seem to show it due to where you cut them off, but are you showing any received traffic at all or just sent?

Re: Global Protect, use custom port for portal, followed the tutorial on paloaltonetwork

Jborgeaud — Sat, 22 Sep 2018 19:19:47 GMT

Sorry but I didnt understand what you mean.
there is no routing, only default route 0.0.0.0/0 on the next hope, and if I remove loopback, nat and loopback ip on the portal/ge, the portal is working from outside using port 443.

Re: Global Protect, use custom port for portal, followed the tutorial on paloaltonetwork

Jborgeaud — Tue, 25 Sep 2018 19:44:43 GMT

Just to add some new information.

After applying the NAT rules, I see on the other router ARP message like this: Broadcast ARP Gratuitous request for 172.16.0.254 ( duplicate use of 172.16.0.254 detected).

172.16.0.254 == my second router IP and the configured nextHop on the palo.

The network diagram is the following:

palo with ip internal 192.168.200.1 and ip external 172.16.0.200 connected to a router with ip 172.16.0.254.

I'm wondering why adding the nat rules make this message appears.

After doing packet capture on the palo, I can see in the DROP pcap, SYN from 172.16.0.144 (ip where i connect to the portal on port 30043) on port 443, on RECV pcap, I can see SYN on port 30043 from ip 172.16.0.144.

Question is why traffic is dropped on 443 ? I have rules like in the tutorial for it.