topic Re: GlobalProtect - To which ethernet interface? WAN Facing? in General Topics

GlobalProtect - To which ethernet interface? WAN Facing?

catrock — Wed, 17 Oct 2018 14:46:04 GMT

Greetings,

I am setting up GP on a small home office PA220 . I have a single E 1/1 Untrusted L3 interface that is internet facing.

My logic tells me this interface should have the GP configured on it. However, the documentation and video turtorials don't specifically outline that the GP needs to be on an internet facing interface.

I have followed the configurations to a 'T' with my GP interface being Untrusted L3 E 1/8. This E 1/8 interface has no physical ethernet cable connected to it, nor does it actually bind with anything other than the tunnel.1

My question is: Have I configure the GP properly and it should work by visiting my external IP address from an outside location? I wouldn't think so - but....

If GP should actually be assigned to to the internet facing IP (E 1/1) - How would I go about doing so as it is already assigned?

Thanks PA-LC for all your help 🙂

Re: GlobalProtect - To which ethernet interface? WAN Facing?

LukeBullimore — Wed, 17 Oct 2018 15:20:38 GMT

Hey @catrock

It really depends on what GlobalProtect setup you want, there are multiple.

1. If you want remote access to your home office, where you would be connecting from externally (internet cafe etc) then both the GlobalProtect portal and gateway should reside on your Outside interface.

2. If you want GlobalProtect as an extra layer of security where you would be connecting to it from inside the network, you would configure a GlobalProtect gateway to terminate on your internal interface.

Edit:

"Have I configure the GP properly and it should work by visiting my external IP address from an outside location? I wouldn't think so - but...."

Correct. Once the GlobalProtect portal and gateway are configured against your outside interface, visiting the IP address (recommended to use an FQDN) will present you with the portal login page.

"If GP should actually be assigned to to the internet facing IP (E 1/1) - How would I go about doing so as it is already assigned?"

When you select the interface for the globalprotect portal/gateway terminates on, by default the "IPv4 Address" dropdown will be set to "None" but selecting the dropdown will allow you to chose the IPs that are set on that interface.

Hope this answers your question, there's some useful docs on this too:

https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/globalprotect-gateways/globalprotect-gateway-concepts/types-of-gateways

The below article covers scenario one. step 6 discusses configuring the gateway on the untrust interface.

https://www.paloaltonetworks.com/documentation/71/globalprotect/globalprotect-admin-guide/globalprotect-quick-configs/remote-access-vpn-authentication-profile

The below article covers scenario two

https://www.paloaltonetworks.com/documentation/71/globalprotect/globalprotect-admin-guide/globalprotect-quick-configs/globalprotect-multiple-gateway-configuration

Cheers,

Luke.

Re: GlobalProtect - To which ethernet interface? WAN Facing?

OtakarKlier — Wed, 17 Oct 2018 15:52:30 GMT

Hello,

Do you have a policy that allows that traffic to the IP? I always put a DENY ALL polic at the bottom of my policy list and have it log so I know if things are getting blocked.

Regards,

Re: GlobalProtect - To which ethernet interface? WAN Facing?

catrock — Wed, 17 Oct 2018 19:30:55 GMT

@LukeBullimore

Thanks much for the response.

Option 1 - is what I am after.

I do have a dynamic IP frm my ISP. This map to a host nmane using a DynDns agent running inside my lan/network. *Looks like there's no DynDnS agent option to run directly on the PA220?

In my reading on NAT'g- I do see where I will want to assign the external facing interface the FQDN as well. I have used the FQDN in my GP certificate as well.

Re: GlobalProtect - To which ethernet interface? WAN Facing?

LukeBullimore — Wed, 17 Oct 2018 16:44:54 GMT

Hey @catrock

You're correct that PAN doesn't support DynDNS - but that shouldn't be required. Things that would be needed:

A port forward on your ISP router to forward all tcp/443 requests to your PAN FW IP.

Regarding NAT - you'll want to make sure that the inbound traffic to your GP portal isn't hitting your outbound NAT rule, it may be required to make a "No-NAT" rule to say if you're coming from external going to the IP of your untrust interface then do not nat it.

Do you see the logs of your attempts in the traffic logs?

You may have to override the default intrazone and interzone-default rules and enable logging at session end.

Thanks,

Luke.

Re: GlobalProtect - To which ethernet interface? WAN Facing?

catrock — Wed, 17 Oct 2018 17:00:35 GMT

Greetings @OtakarKlier,

The default DENY is in place at the bottom - yes.

Re: GlobalProtect - To which ethernet interface? WAN Facing?

catrock — Wed, 17 Oct 2018 23:34:16 GMT

@LukeBullimore

I was able to get the login GP screen.

Gateway and Portal interface have been changed to the E1/1 Untrusted interface.

As my E/1/ inteface is DHCP the IP setting was left at none vs. an IP for the GP interace.

Now - working through authentication (AD/LDAP).

Thanks again.