topic Re: GlobalProtect VPN - Management Access in General Topics

GlobalProtect VPN - Management Access

HyderB — Mon, 11 Nov 2019 13:53:36 GMT

Hi,

Does anyone know a way to get access to the panos web management interface over a globalprotect VPN? We are using three interfaces on our firewall;

1 - Management Interface

2 - Trust

3 - Untrust

Global Protect is setup on the trust - and I have a rule in the Security Policy to allow access from my device to anything - however I can't get to the interface - should this be something that should just work? I can't see any logging saying anything is denied after I have made a change?

Setup management access also on the trust interface for testing and I still get the same results.

Is it not meant to be managed this way?

Thanks
Stephen

Re: GlobalProtect VPN - Management Access

BatD — Mon, 11 Nov 2019 14:13:35 GMT

@HyderB Once a GP user has authenticated and is given IP address, then he becomes as any other network user. It is just a matter routing of security policies.

This may not be your case, but something that often goes wrong, is people not realisging that the routing of data plane interface (in your case trust and untrust) and the control plane management interface are independent of each other. Your users need to be routed correctly to you mgmt interface (if this is where you are connected to) and you mgmt interface needs to have correct routing back to the subnet of your users.

Re: GlobalProtect VPN - Management Access

HyderB — Tue, 12 Nov 2019 11:07:50 GMT

Thanks BatD

Thats something I haven't had a look at yet - I will get into the nitty gritty and see where the routing thinks this is going to be sent out. Using this in AWS currently and had to add some static routes previously so would make sense.

Thanks

Stephen