How to Configure a GlobalProtect Client to Get the Same IP Address


Overview

This document describes how to configure reserved IPs for GlobalProtect.

 

Symptom

Currently, there is no way to reserve a specific IP address for a GlobalProtect user who connects to the gateway.

 

Workaround

The following workarounds can be used to address this limitation:

  1. Use the registry to give the client a preferred IP address
    • From the WebGUI, go to Network > Gateways
    • Click Add > Client Configuration > Network Settings
    • The GlobalProtect user will be offered the first IP address defined in the pool of IP addresses.
      In the following scenario, the IP address "10.200.200.101" is being used:
      [Screenshot omitted: Screen Shot 2014-12-31 at 3.01.38 PM.png]

      From the CLI:
      Use the following command to determine if the user got the address as expected:
      > show global-protect-gateway current-user

      GlobalProtect Gateway: GP-GW-2 (1 users)
      Tunnel Name          : GP-GW-2-N
      Domain-User Name          : al\emea
      Computer                  : ILIJA_WIN7_DMZ
      Client                    : Microsoft Windows 7 Enterprise Edition Service Pack 1, 32-bit
      Mobile ID                :
      Private IP                : 10.200.200.101
      Public IP                : 10.193.83.98
      ESP                      : exist
      SSL                      : none
      Login Time                : Dec.31 14:57:36
      Logout/Expiration        : Jan.30 14:57:36
      TTL                      : 2591981
      Inactivity TTL            : 10796

      The next time the client connects, it notifies the gateway that it has a preferred IP address; if that address is free, it is assigned to the client again.

      If the IP pool is large enough that the preferred IP is always available, the user should, in theory, always get the same IP. The preference is configured by editing the registry on the client's machine, as shown below:
      Under HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanGPS\PreferredIP, add the desired IP:
      [Screenshot omitted: Screen Shot 2014-12-31 at 2.50.44 PM.png]
      Modify the preferred IP address to an address at the high end of the pool (in this case 10.200.200.150):
      [Screenshot omitted: Screen Shot 2014-12-31 at 2.51.19 PM.png]
      In this case, the pool contains 50 IP addresses and no more than 50 users are expected to connect concurrently, so the last IP will always be free on the gateway and can be used by this client.

      The user connects and should see the following:
      > show global-protect-gateway current-user

      GlobalProtect Gateway: GP-GW-2 (1 users)
      Tunnel Name          : GP-GW-2-N
      Domain-User Name          : al\emea
      Computer                  : ILIJA_WIN7_DMZ
      Client                    : Microsoft Windows 7 Enterprise Edition Service Pack 1, 32-bit
      Mobile ID                :
      Private IP                : 10.200.200.150
      Public IP                : 10.193.83.98
      ESP                      : exist
      SSL                      : none
      Login Time                : Dec.31 15:00:15
      Logout/Expiration        : Jan.30 15:00:15
      TTL                      : 2591981
      Inactivity TTL            : 10798

  2. Create an extra Gateway for that particular user by defining the source user in the GlobalProtect configuration and assigning a dedicated pool to that gateway. The user will get the first IP address from the pool, as no one else shares that pool.
    • Note: The smallest pool that can be defined is a /30; it is not possible to add a subnet with a /32 mask. This capability exists for the more common use case of giving specific user groups different configurations and network settings, so it does not scale to dozens of individual IPs, but for one user it should work fine.
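To verify workaround 1 on more than one user at a time, the following added Python example (not part of the original article and not a PAN-OS tool) parses the record layout of "show global-protect-gateway current-user" shown above, reports whether each user received the address reserved for them, and computes the high-end pool address the article picks for PreferredIP. The sample output, user names and pool values are constructed.

```python
import ipaddress
import re

# Constructed sample of "show global-protect-gateway current-user" output, modelled on
# the record layout shown in this article (two users, not a real capture).
SAMPLE_OUTPUT = """\
GlobalProtect Gateway: GP-GW-2 (2 users)
Tunnel Name          : GP-GW-2-N
Domain-User Name          : al\\emea
Private IP                : 10.200.200.150
Login Time                : Dec.31 15:00:15

Tunnel Name          : GP-GW-2-N
Domain-User Name          : al\\user2
Private IP                : 10.200.200.101
Login Time                : Dec.31 15:02:10
"""

FIELD = re.compile(r"^\s*([A-Za-z/ -]+?)\s*:\s*(.*)$")  # "Field Name : value"

def parse_current_users(text):
    """Split the CLI output into one dict per connected user, keyed by field name."""
    users, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m or line.startswith("GlobalProtect Gateway"):
            continue  # blank lines and the gateway header carry no per-user field
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Tunnel Name" and current:  # each user record starts at Tunnel Name
            users.append(current)
            current = {}
        current[key] = value
    if current:
        users.append(current)
    return users

def preferred_ip_for_pool(pool_start, size):
    """Highest address of a pool of `size` addresses starting at pool_start; the article
    sets PreferredIP to this high-end address so it stays free unless the pool is full."""
    return str(ipaddress.ip_address(pool_start) + size - 1)

def check_assignments(text, expected):
    """Map each user in `expected` (user -> reserved IP) to True if the gateway actually
    assigned that Private IP; users absent from the output are omitted."""
    result = {}
    for user in parse_current_users(text):
        name = user.get("Domain-User Name")
        if name in expected:
            result[name] = user.get("Private IP") == expected[name]
    return result
```

A False entry means the reservation was not honoured (for example because the preferred address was already in use), which is exactly the case the static source NAT fallback below is meant to cover.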

 

If, in the above example, the user still gets different IP addresses from the pool, define a static source NAT between the SSLVPN zone and the Trust zone so that traffic from the VPN user is seen from a single IP address on the Trust side.

 

Note: These workarounds are intended for limited use; for proper functionality, a feature request must be submitted.

 

owner: ialeksov

Comments

I've been using the extra gateway approach but with an IP range (i.e. 10.0.0.10-10.0.0.10); this avoids the restriction of not being able to configure a /32 netmask. It's been working OK but it's not scalable; a good solution if you have a couple of users that need this.

In Pan OS 7.x you can use Retrieve Framed-IP-Address attribute from authentication server.

This setting is located under Global Protect Gateway > Client Configuration > Network Settings.

I have used this feature, which ties back to Active Directory. Once you define the static IP for the AD user on the AD side, when logging in via Global Protect you will get the same GP IP address every time.

Currently works great running PanOS 7.0.5-h2.