GlobalProtect setup frustration

L3 Networker

Re: GlobalProtect setup frustration

@BPry Ok, next problem.  I can get connected to the Gateway and into my network with an IP from the pool range.  But I can't get to the Internet while connected to the VPN.  I think it's because the PANGP Virtual Adapter has an IP and DNS settings, but no default gateway listed.  I can't seem to figure out where to add that???

L6 Presenter

Re: GlobalProtect setup frustration

@Shawverr, PanGP does not have or require a default gateway. Default gateways are only required for last-resort unknown networks; the system knows all routes are via the VPN, so no gateway is required.

Is your tunnel interface associated with a virtual router? Also... from VPN zone to external or untrusted zone will be classed as an intrazone and not an interzone, so you may require a security policy to allow interwebby stuff.

For diagnostics, add a deny-all policy at the end of your policies and log session start. Then enter your PanGP address in the traffic filter to see if it’s not being allowed in other policies.

L7 Applicator

Re: GlobalProtect setup frustration

@Shawverr ,

Just because it catches a lot of people, ensure that you actually have security policies and a NAT policy allowing the GlobalProtect traffic outbound through your untrust interface. Nine times out of ten, that's the issue when people can't browse when connected to GlobalProtect.

L3 Networker

Re: GlobalProtect setup frustration

@BPry @MickBall That was it guys!  Thanks again!  On to HIPS!!!

L3 Networker

Re: GlobalProtect setup frustration

HIP Object > Custom Checks > Process List > What the heck do I got to put in there to make it work?

L6 Presenter

Re: GlobalProtect setup frustration

I have not used the process option, but I would assume it would be the name of any process you have running locally (or not). Have you tried it?

L3 Networker

Re: GlobalProtect setup frustration

@MickBall Hey!  Yes, I've tried C:\windows\AppName\Name.exe as well as just Name.exe - no dice.

L7 Applicator

Re: GlobalProtect setup frustration

@Shawverr,

Just to verify, you do actually have a GlobalProtect subscription, correct?

L3 Networker

Re: GlobalProtect setup frustration

@BPry Yup!

L3 Networker

Re: GlobalProtect setup frustration

I figured it out. Just in case anyone else needs it, you have to set up a Custom Check in three places: the HIP object, the Portal and the Gateway.

  1. Create the HIP Object
    1. Objects > GlobalProtect > HIP Objects > Add > Custom Checks > ProcessName.exe
  2. Create Portal Config
    1. Network > GlobalProtect > (click on your portal name) > Agent Tab > (open your agent config) > HIP Data Collection Tab > Custom Checks > Process List > Add > ProcessName.exe
  3. Network > GlobalProtect > (click on your Gateway name) > Agent Tab > HIP Notification Tab