Deploying GlobalProtect with an Internal IP Behind an Edge Internet Device



GlobalProtect must be set up on a firewall with an internal IP address sitting behind an edge Internet device:




Internal Network > PAN ( > ( Internet Router ( ISP


Setup instructions:

  1. In the above setup, the Edge Internet Router ( is performing NAT to the PAN's untrust interface ( This could also be accomplished via DynDNS in some home/small office environments, where the Internet Router is assigned a dynamic IP address by the ISP and the DynDNS hostname always resolves to the latest dynamic public address received by the Internet router.

    For example, ->resolves to or to the latest Dynamic public address received by the Internet router.

  2. In such an implementation, the GlobalProtect Portal and GlobalProtect Gateway would be set up on the PAN untrust interface with IP address, as shown in the screen shots below:

  3. However, the Client Configuration section under the Portal needs to have the public IP addresses/FQDNs of the edge device, as illustrated in the screen shot below. This list of gateways gets pushed to the client PC, which will then try to connect and tunnel to them.
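
A pre-deployment check for step 3, as an added example that is not part of the original article: it flags external gateway entries that are private addresses, or the firewall's own untrust IP, instead of the edge device's public address or FQDN. The addresses, hostnames and function names are constructed for illustration, and the gateway list is assumed to have been copied by hand from the portal's Client Configuration.

```python
import ipaddress
import socket

# Ranges Internet clients cannot route to (RFC 1918, CGNAT, loopback, link-local).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]

def dns_lookup(name):
    """Default resolver: IPv4 addresses the name currently resolves to."""
    try:
        infos = socket.getaddrinfo(name, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def check_gateway(entry, untrust_ip, resolve=dns_lookup):
    """Return the problems found for one gateway entry (empty list means OK)."""
    try:
        addrs = [ipaddress.ip_address(entry)]
    except ValueError:  # not an IP literal, so treat it as an FQDN
        addrs = [ipaddress.ip_address(a) for a in resolve(entry)]
        if not addrs:
            return [f"{entry}: does not resolve"]
    problems = []
    for addr in addrs:
        if addr == ipaddress.ip_address(untrust_ip):
            problems.append(f"{entry}: {addr} is the firewall's internal untrust IP")
        elif any(addr in net for net in NON_ROUTABLE):
            problems.append(f"{entry}: {addr} is not reachable from the Internet")
    return problems

def audit(gateways, untrust_ip, resolve=dns_lookup):
    """Map each gateway entry pushed to clients to its list of problems."""
    return {gw: check_gateway(gw, untrust_ip, resolve) for gw in gateways}

# Constructed sample values (private and documentation ranges, not from the article).
SAMPLE_UNTRUST_IP = "192.168.1.2"
SAMPLE_DNS = {"vpn.example.net": ["203.0.113.10"], "fw.example.net": ["192.168.1.2"]}
SAMPLE_GATEWAYS = ["203.0.113.10", "vpn.example.net", "192.168.1.2",
                   "fw.example.net", "10.9.9.9", "gone.example.net"]

def sample_resolve(name):
    """Offline stand-in for DNS, backed by the constructed table above."""
    return SAMPLE_DNS.get(name, [])

if __name__ == "__main__":
    for gw, probs in audit(SAMPLE_GATEWAYS, SAMPLE_UNTRUST_IP, sample_resolve).items():
        print(gw, "OK" if not probs else probs)
```

For a DynDNS hostname, run the check from outside the network with the default resolver, since an internal DNS view may return the private address.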


owner: achitwadg



I've configured as stated but the GP client stays on connecting.

In the logs, I see network discover is not successful. Is this related to the certificate?

Also, should the certificate be signed by a CA?


Is there a NAT in place somewhere? My public IP for the portal gw doesn't respond.