How to Configure GlobalProtect Portal Page to be Accessed on any Port


Although it is not possible to change the port GlobalProtect uses, it is possible to use another port with help from a loopback IP address and security rules.

 

Here is how to do that:

  1. Create a loopback interface.
  2. Make sure the untrust interface can ping the loopback.
  3. Assign the loopback as the portal address and the gateway address.
  4. In the GlobalProtect Portal > Agent > External tab, set the external gateway to the address with the port (10.30.6.56:7000 for example).
  5. Create a Destination NAT rule with service 7000 to 10.30.6.56 (untrust interface) translating to 10.10.10.1 (loopback) on service 443.
  6. Create a security policy with the destination address as the untrust interface and services as 7000 and 443.
  7. With this configuration, you will be able to access the GlobalProtect portal page on https://10.30.6.56:7000, which will translate to https://10.10.10.1. Download and install the GlobalProtect client software.
  8. Use the credentials in the username and password fields. In the portal field, enter the IP as 10.30.6.56:7000.
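The steps above are shown in the original article as GUI screenshots. As an added example that is not part of the article, the same loopback, NAT rule and security policy expressed as PAN-OS CLI set commands. The addresses and ports follow the article (10.30.6.56 untrust interface, 10.10.10.1 loopback, public port 7000); the interface, zone, profile, service and rule names and the virtual router name are assumptions, the portal and gateway local address (step 3) and the external gateway entry (step 4) are still set in the GUI as the article describes, and the exact syntax should be checked against the PAN-OS version in use.

```panos
# Added example, not the article's own configuration. Names are assumptions.
configure

# Step 1: loopback that will host the portal and gateway. The management
# profile allows ping so that step 2 (ping from the untrust interface) works.
set network profiles interface-management-profile allow-ping ping yes
set network interface loopback units loopback.1 ip 10.10.10.1/32
set network interface loopback units loopback.1 interface-management-profile allow-ping
set network virtual-router default interface loopback.1
# Assumption: the loopback sits in the same zone as the untrust interface, so
# the security rule below (matched on the post-NAT zone) also covers it.
set zone untrust network layer3 loopback.1

# Step 5: service object for the public port and the destination NAT
# 10.30.6.56:7000 -> 10.10.10.1:443
set service tcp-7000 protocol tcp port 7000
set rulebase nat rules GP-Portal-7000 from untrust to untrust source any destination 10.30.6.56 service tcp-7000 destination-translation translated-address 10.10.10.1 translated-port 443

# Step 6: security policy. PAN-OS matches the pre-NAT destination address,
# so the rule names the untrust IP, not the loopback, for ports 7000 and 443.
set rulebase security rules Allow-GP-Portal from untrust to untrust source any destination 10.30.6.56 application any service [ tcp-7000 service-https ] action allow

commit
```

After the commit, step 7 applies: a browser opened to https://10.30.6.56:7000 is translated to the loopback on 443. If the portal page does not load, the first things to confirm are that the loopback is in the zone the security rule expects and that the NAT rule's pre-NAT zone matches the zone of the untrust interface.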

 

 

owner: mvenkatesan

Comments

Great article, thanks a lot! We used it to make the GP portal accessible over two different Internet connections (ISP1 + ISP2).

I would like to post a little annex to this document. I configured Palo following this doc and the result was this: I was able to connect to the portal and download the GP client, but the remote user was not able to connect using the GP client. To solve this problem one thing was recommended by Palo support (Dileep Kumar Reputi): the external gateways in the client configuration of the GP portal must be set to <public-ip:port>

This solved the problem for Win7 PCs, but I now have problems with installing the GP client on Win XP. I get some kind of application error.

works like a charm!

@agrgic: I tried the same configuration on a Windows XP host and it worked fine. You may open a case for the same with support to troubleshoot this issue further.

My public IP address is obtained via DHCP. I tried to use the same steps but it doesn't work. Has anyone tried this using a DHCP-addressed public interface?

Ok, I'm totally baffled!!! Like I said in my previous post, I've tested this configuration with my public IP address coming from DHCP. However, when I tested NATting to the loopback interface just for accessing the PAN web GUI for management, it works perfectly. It's only when I tie the loopback interface to the GP Portal & Gateway that it doesn't pull anything up. Can someone please explain this phenomenon??

Hi,

This method doesn't work on PAN-OS version 5.0.4...

Do you know how to configure it on the latest PAN-OS? With port 7000 for example?


I was attempting to set up a loopback in 5.0.4 for GlobalProtect as well, and when I'm setting the External Gateway in the Client Configuration of the Portal, it is telling me that <publicip:7000> is invalid. Thoughts?

Same problem for me

I opened a case for that.

That was working on 5.0.2, but on 5.0.3 and 5.0.4 there is a bug. They will fix it.

Unfortunately for me, I'm preparing to roll out the firewall for production, and need to have this working soon (being able to use 443 for Exchange OWA, so loopback on the GlobalProtect). I've mentioned it in a case today as well; hopefully there's some progress, or a different way to do it.

It was suggested to me, and makes sense, that if you have to use another (2nd) public IP for the loopback, then to just use the loopback address for the portal and gateway and you don't need to specify the port, since you will be able to use the 1st public IP on port 443 for Exchange OWA or whatever application.

panos wrote:

I opened a case for that.

That was working on 5.0.2, but on 5.0.3 and 5.0.4 there is a bug. They will fix it.

Same error with 5.0.5

works on 5.0.7

Great article man, I just want to use the public interface for HTTPS management and GlobalProtect.

Is this procedure supposed to work for external GWs? The screenshots show no tunnel mode, so it is not external.

@SagiBarOr, this article is about accessing the Portal Page, not the gateway. When the Portal Page is accessed, it is not a VPN connection; it needs to be logged into first in order to know what Gateway to connect to.

 

Also, Tunnel Mode just ensures that IPSEC is used, as SSL will be used if IPSEC is unavailable.