topic How to...(VPN globalprotect) in General Topics

How to...(VPN globalprotect)

PedroPablo — Mon, 13 May 2019 09:40:21 GMT

Hello guys,

I'm trying to do something and i'm not really sure if it's possible. Let's get into...

I have an url that is for example: "www.myweb.com". Our partner is hosting that web and with his firewall is just allowing us the access through our IP WAN.

Everything works fine, we can access, but the problem comes when we tried to do it through our VPN (globalprotect). Our clients going through the VPN are not having the same IP WAN so our partner firewall is blocking it and obviously they cannot allow all traffic.

I'm just trying to think in a solution but my mind is blocked. Any suggestions?

Thank you!

Re: How to...(VPN globalprotect)

Chacko42 — Mon, 13 May 2019 10:04:08 GMT

Hi @PedroPablo,

you can define a policy based routing rule to route traffic through another firewall interface for that specific address.

In addition to that, you will need another Hide-NAT rule to use the other public IP for that session.

If the other public IP is not managed by the VPN-Palo Alto, you need to route that traffic (with PBF) to the other gateway.

Best Regards

Chacko

Re: How to...(VPN globalprotect)

PedroPablo — Tue, 14 May 2019 09:07:19 GMT

Hi @Chacko42,

I defined a pbf rule to route the traffic for the object "globalprotect clients" to one of my interfaces (the one that my partner allowed in his firewall). Also i defined a nat rule doing the same but when i connect the globalprotect client is not routing the traffic where i want. It routes the traffic through my carrier o wherever i'm connected to.

I don't know if this is what you meant, if not, i think i didn't understand really well you solution.

Thank you for your support though.

Kind Regards

Re: How to...(VPN globalprotect)

Chacko42 — Tue, 14 May 2019 09:12:12 GMT

@PedroPablo: okay, I don't know your network setup, but maybe you can upload a small network topology with your network, interfaces, ip's and routes - then we can try to help you with the routing issue

Re: How to...(VPN globalprotect)

PedroPablo — Tue, 14 May 2019 10:18:15 GMT

Hi @Chacko42

I made a little quick diagram to help:

So, what i did is:

- I defined a nat rule where the source is the object GlobalProtect Clients ( 10.10.10.0/24) and the source translation (dynamic ip and port) the interface wan ( eth1/1 - 222.11.22.11)

- I also defined a pbf rule where the source is the object GlobalProtect Clients (10.10.10.0/24) and the next hop is the GW of the IP pool where 222.11.22.11 is included.

My problem is that people connected through GlobalProtect client is using the wan that the carrier is giving them so they cannot access to the website i want due to the security rule that my partner company defined only allowing traffic from my interface WAN 222.11.22.11.

I was thinking in the globalprotect configuration, in the split tunnel conf, include the IP of my partner server where the website is hosted but that won't work due to the dynamic Ips.

I've tried to explain myself the best i can sorry if something does not make sense to you.

Kind Regards.

Re: How to...(VPN globalprotect)

Chacko42 — Tue, 14 May 2019 12:59:13 GMT

@PedroPablo: okay, which ip routes do the GP clients receive?

External GW > Agent > Client Settings > Split Tunnel

Re: How to...(VPN globalprotect)

PedroPablo — Thu, 16 May 2019 09:07:47 GMT

I have define some routes of some branch offices that i need my GP clients to access to. I was thinking to define routes to access the servers where the website is hosted at but with dynamic IPs is not gonna work. 😞

Re: How to...(VPN globalprotect)

Chacko42 — Thu, 16 May 2019 09:09:46 GMT

@PedroPablo: in this case, you can use a domain-based route - just create an entry <target-website-fqdn>:443

Re: How to...(VPN globalprotect)

PedroPablo — Thu, 16 May 2019 09:20:23 GMT

Hi @Chacko42

First of all, thank you for your help.

I tried that before, but i can't include the address object with the target-website-fqdn.

It's like the fw just let me include objects with IP addresses because when i'm going to include the object with the fqnd i can't see it

Re: How to...(VPN globalprotect)

Chacko42 — Thu, 16 May 2019 09:24:40 GMT

@PedroPablo: in the client-settings where you configure the ip-routes. There is a second tab with domain and application.

There you can say sample.com with port 443 will be routed through the tunnel. that doen't work?

Re: How to...(VPN globalprotect)

PedroPablo — Thu, 16 May 2019 09:41:20 GMT

In the client settings (GP settings?). Where i define the IP routes is here:

I don't follow you, sorry.

Re: How to...(VPN globalprotect)

Chacko42 — Thu, 16 May 2019 09:48:06 GMT

@PedroPablo: right:

Obviously, your view is different - which PAN-OS are you using? Which GP-Client Version?

Re: How to...(VPN globalprotect)

PedroPablo — Thu, 16 May 2019 09:53:18 GMT

Ohh okay, sorry. I was so confused.

PAN-OS: 8.0.12

GP: 4.1.0

I guess i need to upgrade the GP version, don't i? 😕

Re: How to...(VPN globalprotect)

Chacko42 — Thu, 16 May 2019 11:02:51 GMT

@PedroPablo: okay, that seems to be the issue.

If your environment is fine with it, you can go to 8.1.7 and got that domain-based split-tunnel feature.

GP is the current version 4.1.11/12 - there are a few fixes, that may help you.

Re: How to...(VPN globalprotect)

PedroPablo — Thu, 16 May 2019 11:46:00 GMT

Okay , thank you so much for your help @Chacko42

Then for sure i have to go with a recent version. I'll keep you updated to see if this will solve my problem.

And also for everyone with a similar situation.

Kind Regards.

Re: How to...(VPN globalprotect)

PedroPablo — Mon, 20 May 2019 10:29:06 GMT

Hi @Chacko42

I just wanted to update the issue. The domain-based split-tunnel feature it worked like a charm!

Thank you so much for your help! Hope you have a great day.

Kind Regards