topic Untrust interface we have created Global protect gateway in General Topics

Untrust interface we have created Global protect gateway

bit_byte — Sun, 19 Jul 2020 08:11:46 GMT

we have separated GP portal and GP gateway interface.

Untrust interface we have created Global protect gateway and we allowed ping on the interface but when we are typing untrust interface IP address on our browser eg https://112.20.20.1 . We are getting the above message 502 bad gateway.

Qustion :we have only allowed ping on GP gateway interface ...why https or https port open here ??

Is that normal?

Re: Untrust interface we have created Global protect gateway

Remo — Sun, 19 Jul 2020 22:49:56 GMT

Hi @bit_byte

Did you check the monitor tab of you see this connection in your logs?

In addition, what PAN-OS version do you have installed?

Re: Untrust interface we have created Global protect gateway

MP18 — Mon, 20 Jul 2020 02:56:09 GMT

@bit_byte

As the GP Gateway Interface and your Interface connected to ISP belongs to same untrust zone thats the reason you are able to access the GP on port 443.

It is Intrazone traffic which is allowed by default.

Please check your Traffic logs as next step as mentioned by the Remo.

Regards

Re: Untrust interface we have created Global protect gateway

bit_byte — Mon, 20 Jul 2020 05:47:00 GMT

GP gateway zone:VPN_zone
outside inteface:Untrust_zone

Both are different zone

Yes traffic is hitting intrazone

249916 ssl DISCARD FLOW *ND 84.210.70.110[54375]/Untrust/6 (84.210.70.110
92[54375])
vsys1 112.20.20.1 [443]/Untrust (112.20.20.1 [2
0077])
124853 ssl DISCARD FLOW *ND 84.210.70.110[54379]/Untrust/6 (84.210.70.110
92[54379])
vsys1 112.20.20.1 [443]/Untrust (112.20.20.1 [2

OS version:9.0.8

untrust interface we have applied management profile and we have only allowed ping but why it is listening to HTTP or https traffic.

@Remo

Thanks for your reply.

Re: Untrust interface we have created Global protect gateway

Remo — Mon, 20 Jul 2020 06:34:04 GMT

thats why I don't like these defaul firewallrules ... I always overwrite them with a dedicated deny all rules which I configure above these default rules.

@bit_byte Global Protect portal/gateway access cannot be enabled/allowed by a management profile. As the name implies, this management profile mainly is for management services. So if you enable https in a management profile you would enable the firewall management interface and not something related to global protect. Globalprotect access you need to configure in the security policy.