GlobalProtect Initial configuration

L1 Bithead

GlobalProtect Initial configuration

How are people configuring their PAN for clients to grab the initial GP configuration?

Currently, the laptops are being imaged with Windows 10 and automatically connect to our internal network via certificate-based authentication. GP is set to automatically attempt to connect to our outside interface. Once that is done, it grabs the configuration. Next time the users are on site, it detects that the laptop is internal and does not create the tunnel.

Is there a way to configure the PAN so that the laptops can grab the initial configuration?

L7 Applicator

Re: GlobalProtect Initial configuration

@meischc,

Are you running your own internal DNS servers? Split DNS would really be your solution for something like this. 

L6 Presenter

Re: GlobalProtect Initial configuration

@meischc, Hi.

I'm not sure what you mean, seems a bit confusing...

If your users (after they have connected outside) are able to detect an internal host, then your external portal address must be visible from your LAN; otherwise you would get a portal address error.

I say this because I have always assumed that GP needs to connect to the portal prior to internal detection, regardless of how many times they have connected externally; otherwise, if you made any changes to the app settings, users would not get them until they connected from outside.

Anyhow... not sure what is different between your setup and mine. It may be that you need to add the reg setting "always on" in your build, or perhaps use Group Policy to force this reg setting when they first log on.

L1 Bithead

Re: GlobalProtect Initial configuration

Sorry, let me elaborate. After they grab the correct GP Portal configuration hitting the outside interface, everything is working as designed.

The problem that I am trying to solve is getting that GP portal configuration onto the laptops prior to hitting the outside interface. Right now, we have a WiFi hotspot that the desktop folks are using to simulate being on the outside connection.

Is there a way to configure an internal gateway or NoNAT so that users can hit the outside interface to grab the portal configuration without having to leave the internal network?

How are you accomplishing this? Or do you just wait for your users to connect from home/outside?

L6 Presenter

Re: GlobalProtect Initial configuration

Thanks for the clarification...

OK, I understand now what you are describing, but I cannot understand why it is not working already...

On any laptop on your network, what happens when you browse to https://your-portal-address?

Can you get to the page? With certificates it should log in and display the GP downloads.

Let's start there and progress... else I get confused.

L6 Presenter

Re: GlobalProtect Initial configuration

Sorry, I have just realised that it may be working for me because our GP portal is on a different firewall, so we go out of our main firewall to connect to our VPN firewall...

Not sure if NAT will suffice... you may be better off adding a second portal to your config and making it available on your internal interface.

Then, as @BPry stated, use your internal DNS to resolve to the internal portal.

Sorry for the confusion.

L6 Presenter

Re: GlobalProtect Initial configuration

Or simply add a NAT rule at the top of the NAT policies:

Source = trust, Destination Address = "Your-portal-ip-address", Source Translation = None

I think what is happening is that your current traffic is being NAT'd to your external address, so the Palo will see your external address trying to talk to your external address; this will cause its nose to start bleeding... and it will see this as a LAN attack, so add the NAT rule...
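The no-NAT rule above (the "NoNAT" option asked about earlier in the thread), written out as PAN-OS CLI `set` commands so it can be entered in configuration mode. This is an added example, not configuration posted in the thread; it assumes zone names `trust` and `untrust`, a placeholder portal address 203.0.113.10 (replace with the real outside-interface IP), hypothetical object and rule names, and that the rule must precede an existing general outbound source-NAT rule. Lines starting with `#` are explanatory notes, not CLI input.

```text
# Address object for the public portal IP (203.0.113.10 is a placeholder)
set address GP-Portal-Public ip-netmask 203.0.113.10/32

# No-NAT rule: LAN hosts reaching the public portal IP keep their real
# source address, so the firewall no longer sees external-IP -> external-IP
# (the self-talking symptom described above). No source-translation stanza
# is configured, which is what "Source Translation = None" means.
set rulebase nat rules NoNAT-GP-Portal from trust to untrust source any destination GP-Portal-Public service any
set rulebase nat rules NoNAT-GP-Portal description "Keep original source for GP portal bootstrap from LAN"

# NAT policy is evaluated top-down, first match wins, so this rule must sit
# above the general outbound source-NAT rule or it never matches.
move rulebase nat rules NoNAT-GP-Portal top

# Only needed if trust -> untrust is not already permitted to the portal;
# scoped to the portal address and the GlobalProtect/HTTPS applications only.
set rulebase security rules Allow-GP-Portal-From-LAN from trust to untrust source any destination GP-Portal-Public application [ panos-global-protect ssl web-browsing ] service application-default action allow

commit
```

After the commit, `test nat-policy-match from trust to untrust source <lan-client-ip> destination 203.0.113.10 protocol 6 destination-port 443` from operational mode should report the NoNAT-GP-Portal rule as the match; if it still reports the outbound source-NAT rule, the new rule is not positioned above it.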

L6 Presenter

Re: GlobalProtect Initial configuration

Also... could you confirm that currently, when users connect to the LAN after connecting externally, they do get the little house icon?

L1 Bithead

Re: GlobalProtect Initial configuration

Yep! They do.
