Global Protect external IP address - Best practice?

Reply
L0 Member

Global Protect external IP address - Best practice?

Hello, 

 

We are a moderately-sized customer without an assigned sales or engineering resource due to account transitions.

 

We are in the process of moving to a new ISP and it has been suggested by internal resources, for other reasons, to utilize the same IP for the Global Protect Gateway as is already assigned as the outside IP on the public interface.   In the past, and at all other locations, we have used a separate, dedicated IP address for the GP gateway.

 

What is the best practice?   What risks do we undertake by placing the GP GW on the same IP as the public interface to the ISP?   We already do not allow outside management access via HTTP or SSH via the public IP on this particular firewall, so that would not be a consideration.

 

Thanks.

 

 

L7 Applicator

Re: Global Protect external IP address - Best practice?

Hello,

We always use DNS records for the client connection so that the backend IP doesnt matter as much. However you will need to modify the SSL cert to match the IP's and DNS names so you wont get errors. 

 

If you are using IP's, I would suggest transitioning to a DNS based approach and obtaining a certificate that has both DNS and IP addresses so that when the transition occurs, only a DNS change and the PAN IP address changes and nothing on the client side should change.

 

Hope that makes sense.

L0 Member

Re: Global Protect external IP address - Best practice?

Hi there and thanks for replying.

 

I should have stated that we already use DNS for the portal address, and not the IP address itself.  

 

I guess I am really looking for any gotchas about having the outside interface and the GP GW using the same IP on the Firewall itself.

L7 Applicator

Re: Global Protect external IP address - Best practice?

Hello,

Besides the SSL certificate, there shouldnt be any issues that I can think of. I have used the PAN IP for GP in the past without any issues.

 

Regards,

Re: Global Protect external IP address - Best practice?

Hi @Cindy-Resiter,

 

For configuration simplicity I would suggest to use the firewall public IP for the GlobalProtect. The reason for that is you need to select an interface on which you want to enable the GP. So the firewall will allow you to set an IP address that is already assigned to it, and the simpliest configuration would be to just select publicaly faced interface.

 

Technically speaking I am not even sure that you can use different IP for the GP in all cases:

- If your fiirewall is assigned with 1.1.1.1/29 and you ISP gives you (route to your FW) 2.2.2.2. You can configure the 2.2.2.2 as a loopback and use it for the GP

- But if your firewall is assigned with 1.1.1.1/29 and you try to use 1.1.1.2 for GP, I don't believe FW will allow you that. If you try to configure loopback with 1.1.1.2/32 it should overlap with your public interface and commit should fail.

 

So my personal prefferable way to configure GlobalProtect is always use the firewall IP - simple, standard, always work, without interfering other services

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!