GlobalProtect


L1 Bithead

Hello Community,

I am new to Palo Alto. We have deployed some firewalls in our company. I am trying to configure GlobalProtect on the branch offices to add more gateways. I have an extra internet connection at one location and wanted to know if it's possible to configure GlobalProtect on one of the interfaces.

The firewall is currently behind a Cisco router and connects to our switch, but I wanted to configure an interface with the extra internet provider and configure GP. I configured the interface with the public IP and a PBF rule since I already have a default route configured. But it is not responding to ping on that interface. Is this possible?

[Attachment: Globalprotect.PNG]

8 Replies

Cyber Elite

Yes, it is possible to do what you are attempting to do.

If you are not getting pings to work, then you would need to look at your logs to see if your FW sees the pings coming inbound from the extra ISP network (or similar).

You would also want to confirm that you have an interface mgmt profile enabled on the 2nd FW public interface that allows ping.

What other questions can we answer for you?

Help the community: Like helpful comments and mark solutions

L5 Sessionator

Another option would be to create a separate virtual router for the other ISP connection and keep the GP traffic on that. That way you can manage routing separately and not worry about PBF. 

Hello Steve,

Yes, I have the ping profile configured for that ISP.

If you see, ethernet1/1 connecting to the router does not have a public IP. I am sending the default route with static routes, and NAT is not configured since the router is doing it.

[Attachment: clipboard_image_0.png]

@Ralvarado10, you have me a little confused.

I see that ethernet1/1 is your primary ISP, with a private IP.

You have connected your DSL to your ethernet1/5, with a public IP.

You stated you could not ping the portal (at least that was my understanding), and you responded that you had ping enabled on ethernet1/1... but your portal is on ethernet1/5. I do see that your portal has a ping-only profile.

What do your traffic logs show when you try to ping the portal's IP from the DSL ISP?

Thanks.

 

Help the community: Like helpful comments and mark solutions

Hello,

I ended up creating a VR for this ISP and now I am able to connect. I configured GP.

The only issue that I am having now is that I cannot access the internal network.

Any ideas?

Your help is appreciated.

Thank you.

If you use a separate VR, then you'll need another interface in that new VR connected to your L3 switch for access to the networks it manages.

The L3 switch will also need a static route for the GP client network pointing to the new VR internal interface. 

@Ralvarado10,

What @rmfalconer mentioned is one way of doing things, however not what I would do in your case as you are wasting ports. When you configure a route you will use the option "Next VR" under your next hop setting and you can pass the traffic to your primary VR without needing to dedicate a port simply to route the traffic. 
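The two designs above (a second VR with a dedicated interface to the core switch, or a second VR that hands internal traffic to the primary VR with a "Next VR" next hop) are easier to compare written out. The following PAN-OS `set`-format configuration is an added example, not from any post in this thread; interface names, VR names and addresses are constructed (ethernet1/5 with 203.0.113.10/29 as the DSL side, tunnel.1 as the GP tunnel, 10.10.0.0/16 as the internal range, 192.0.2.0/24 as the GP client pool), and the command syntax is written from memory of the `set` CLI, so compare it with `show config running` on your own PAN-OS version before committing.

```text
# Added example (not from the thread). Constructed names/addresses:
#   ethernet1/1  primary ISP, private IP behind the Cisco router, in VR "default"
#   ethernet1/5  second ISP (DSL), public IP 203.0.113.10/29, ISP gateway 203.0.113.9
#   tunnel.1     GlobalProtect tunnel interface
#   10.10.0.0/16 internal networks behind the core switch
#   192.0.2.0/24 GlobalProtect client IP pool

# 1. Management profile on the internet-facing interface: ping only.
#    Do not enable HTTPS/SSH here; the GP portal/gateway are separate services.
set network profiles interface-management-profile ping-only ping yes
set network interface ethernet ethernet1/5 layer3 ip 203.0.113.10/29
set network interface ethernet ethernet1/5 layer3 interface-management-profile ping-only

# 2. Second virtual router owning the DSL interface and the GP tunnel interface,
#    with its own default route toward the DSL provider (no PBF needed).
set network virtual-router VR-ISP2 interface [ ethernet1/5 tunnel.1 ]
set network virtual-router VR-ISP2 routing-table ip static-route default destination 0.0.0.0/0 nexthop ip-address 203.0.113.9 interface ethernet1/5

# 3. "Next VR" option: reach internal networks through the primary VR
#    instead of burning a second physical port to the core switch.
set network virtual-router VR-ISP2 routing-table ip static-route to-internal destination 10.10.0.0/16 nexthop next-vr default

# 4. Return path: the primary VR must send the GP client pool back into VR-ISP2,
#    otherwise replies from the internal network never reach the tunnel.
set network virtual-router default routing-table ip static-route to-gp-clients destination 192.0.2.0/24 nexthop next-vr VR-ISP2

# 5. Verify both directions after commit (operational commands, assumed syntax):
#    each lookup should resolve to a next-vr entry, not to the default route.
test routing fib-lookup virtual-router VR-ISP2 ip 10.10.20.5
test routing fib-lookup virtual-router default ip 192.0.2.20
```

Step 3 is what makes a second core-facing port unnecessary; if you do use the dedicated-interface design from the earlier reply instead, replace step 3 with a static route out of that interface and, as that reply notes, add a route for the client pool on the L3 switch pointing at it. Either way, a security policy allowing the GP client zone to the internal zone is still required; a missing return route (step 4) and a missing policy both show up as "can connect to GP but cannot reach the internal network", so check the traffic logs for the client pool source before changing routing again.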

L1 Bithead

Thank you all for all the help I got from you.

I created a separate VR for the second ISP as recommended. I also tried both solutions: configuring another interface and connecting it to the core, as well as the one where you point the static route to the other "VR". Both worked, but as mentioned by @BPry, to reduce the ports I used the option of the Next VR and it worked perfectly.

Thank you all again for helping me with this.

  • 2 accepted solutions
  • 4200 Views
  • 8 replies
  • 0 Likes