topic Re: GloablProtect in General Topics

GloablProtect

Ralvarado10 — Tue, 12 Nov 2019 01:28:10 GMT

Hello Community,

I am new to palo alto. we have deployed some firewalls in our company. I am trying to configure globlalprotect on the branch offices to add more gateways. I have an extra internet connection at one location and wanted to know if its possible to configure global protect on one of the interfaces.

the firewall is currently behind a cisco router an connect to our switch. ut i wanted to configure on interface with the the extra internet provider and configure GP. I configured the interface with the public IP and a PBF rule since I already have a default route configured. But is not responding to ping to that interface. is this possible ?

Re: GloablProtect

S.Cantwell — Tue, 12 Nov 2019 07:11:42 GMT

Yes, it is possible to do what you are attempting to do.

If you are not getting pings to work, then you would need to look at your logs to see IF you FW sees the pings coming inbound from the extra ISP network (or similar).

You would also want to confirm that you have a interface mgmt profile enabled on the 2nd FW public interface, that allows ping.

What other questions can we answer for you?

Re: GloablProtect

rmfalconer — Tue, 12 Nov 2019 17:02:26 GMT

Another option would be to create a separate virtual router for the other ISP connection and keep the GP traffic on that. That way you can manage routing separately and not worry about PBF.

Re: GloablProtect

Ralvarado10 — Wed, 13 Nov 2019 00:01:16 GMT

Hello Steve,

Yes I have the ping profile configured for that ISP.

if you see that 1/1 connecting to the router is not a public ip. I am sending the default router with static routes and NAT is not configured since the router is doing it.

Re: GloablProtect

S.Cantwell — Wed, 13 Nov 2019 05:32:02 GMT

@Ralvarado10 you have me a little confused.

I see that ethernet1/1 is your primary ISP, with a private IP.

You have connected your DSL to your ethernet 1/5, with a public IP

You stated you could not ping the portal (at least that was my understanding), and you responded that you had the ping enabled on ethernet1/1... but your portal is on ethernet1/5. I do see that your portal has a ping-only profile.

What do your traffic logs show, when you try to ping the portal's IP from the DSL ISP.

Thanks.

Re: GloablProtect

Ralvarado10 — Tue, 19 Nov 2019 22:58:11 GMT

Hello,

I ended up creating a VR for this ISP and now I am able to connect now. i configured GP.

the only issue that I am having now is that I cannot access the internal network.

any ideas ?

your help is appreciated.

thank you.

Re: GloablProtect

rmfalconer — Tue, 19 Nov 2019 23:13:14 GMT

If you use a separate VR, then you'll need another interface in that new VR connected to your L3 switch for access to the networks it manages.

The L3 switch will also need a static route for the GP client network pointing to the new VR internal interface.

Re: GloablProtect

BPry — Wed, 20 Nov 2019 02:56:35 GMT

@Ralvarado10,

What @rmfalconer mentioned is one way of doing things, however not what I would do in your case as you are wasting ports. When you configure a route you will use the option "Next VR" under your next hop setting and you can pass the traffic to your primary VR without needing to dedicate a port simply to route the traffic.

Re: GloablProtect

Ralvarado10 — Mon, 25 Nov 2019 22:06:48 GMT

Thank you all for all the help I got from you.

I created a separate VR for the second ISP as recommended. I also try both solution to configure another interface and connect it to the core, as well as the one where you point the static route to the other "VR". both worked but as mention by BPry to reduce the ports I used the option of the Next VR and worked perfect .

thank you all again for helping me with this.