Use Anyconnect to connect to Palo Alto gateway

BigPalo — Fri, 06 Nov 2020 10:40:25 GMT

Hi,

We would like to know if its possible to configure Palo Alto GP gateway in order to permit connect using Cisco anyconnect client?

what it would be the config to do that?

Re: Use Anyconnect to connect to Palo Alto gateway

S.Cantwell — Fri, 06 Nov 2020 13:49:20 GMT

Yes it is possible to do this.

Do you have a Global Protect gateway license installed on FW?

I have found this may help (not completely fix any issues)

There is documentation on PANW website on how to get to the gateway config.

https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-gateways/configure-a-globalprotect-gateway

Take note at task 4 ( If you Enable X-Auth Support). You will see that it asks for a Group Name and a password, just like the Cisco AnyConnect needs a Group name and password.

Now, my personal experience is this... I can get the AnyConnect to create the tunnel to the FW, so it know it works.

BUT!!!! The AnyConnect software (and NOT the PANW) puts the default gateway of the AnyConnect to the next virtual IP (from your webpool). Example. You config a virtual/web pool address of.. 10.99.99.0/24), so that any user (GP or AnyConnect) will get from the pool.

A GP user creates his tunnel, and gets IP 10.99.99.4/24 (just some random IP) The GP software does NOT need/have a default gateway to route traffic across the PANW tunnel.,

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : PANGP Virtual Ethernet Adapter
Physical Address. . . . . . . . . : 02-50-41-00-00-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.99.99.4(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 0.0.0.0

But!!!!

The AnyConnect would get 10.99.99.5 (for example) and the default gateway would be the next IP.

IPv4 Address. . . . . . . . . . . : 10.99.99.5(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 10.99.99.6

But if 10.99.99.6 has not been assigned yet... then the tunnel (which is established correctly, according to the standards) will still not function because (for whatever reason... AnyConnect pulls 2 IPs)

So, until you contact Cisco and understand how/why their client does this... I fear that your traffic will not pass correctly.

Again, I have tested this in the past, but I am not a Cisco focused person, so who knows why this happens, but it's not a PANW issue to resolve (IMHO)

Thanks

topic Use Anyconnect to connect to Palo Alto gateway in General Topics

Use Anyconnect to connect to Palo Alto gateway

Re: Use Anyconnect to connect to Palo Alto gateway