topic Re: Assign gateway to PanGP interface in General Topics

Assign gateway to PanGP interface

BigPalo — Wed, 27 May 2020 08:15:23 GMT

Hi,

We have issues with a service using GP. To solve it we add the IP Palo GP tunnel in the PanGP adapter gateway in local machine. Why this is happening? is there any way to configure this pangp gateway from palo alto when user connects in GP?

Re: Assign gateway to PanGP interface

Mick.Ball — Wed, 27 May 2020 14:12:28 GMT

No the default gateway is not configurable...

you probably had issues with NLA.

what IP did you add to the gateway option. was it on the same network as youre GP client receives or was it a locally connected gateway.

Re: Assign gateway to PanGP interface

BigPalo — Wed, 27 May 2020 14:17:51 GMT

The IP we added for panGP gateway was the PAlo ALTO IP tunnel interface for GP

Re: Assign gateway to PanGP interface

BigPalo — Fri, 29 May 2020 10:42:07 GMT

what you mean with NLA?

The point is that if we add the gateway the issue are solved....weird...

Re: Assign gateway to PanGP interface

Mick_Ball — Fri, 29 May 2020 17:25:21 GMT

What happens if you use the ip address of your local router...?

Re: Assign gateway to PanGP interface

BPry — Fri, 29 May 2020 18:12:45 GMT

@BigPalo,

NLA is a Windows function. Essentially Windows by default will create a few firewall entries when you connect to any network to allow certain traffic, but since the GP tunnel doesn't have a gateway address these routes are never added. This effects primarily Microsofts Store access and UWP applications primarily from my experience, but it can technically effect other applications as well.

A really simple fix is to apply the following in Group Policy, which will essentially tell Microsoft to allow the traffic and you don't have to do any scripting to get the gateway assigned to the GlobalProtect interface every time a client connects.

* Computer Configuration > Policies > Administrative Templates > Network > Network Isolation

- Private Network ranges for apps: Enable policy and specify your GlobalProtect IP ranges under Private Subnets.

- subnet definitions are authoritative: Enable the policy so that the above works properly.

With both these changes pushed out the NLA issue goes away. I would try this fix first before you attempt to actually programmatically assign the GP interface a gateway address whenever someone connects to GlobalProtect and just let those settings manage themselves as long as this takes care of your issues.