Having GlobalProtect Users Access Webserver NAT Address Instead of Internal Address

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Having GlobalProtect Users Access Webserver NAT Address Instead of Internal Address

L1 Bithead

I'm very very new to Palo Alto.  For the few weeks that I've been using it, I've been very impressed with its ease of use, and functionality.  I have a question when it comes to GlobalProtect.  We have a webserver that we want to exclude from the GlobalProtect VPN tunnel.  Let's say the site is test.testcompany.com.  In the Client settings, in GlobalProtect, I see that you can exclude addresses from going through the tunnel. Since this website is part of a round robin, is there a way to exclude by FQDN instead of by IP?  From the looks of it, you can't.  The second question I have is let's say that the internal IP address for test.testcompany.com is 10.10.10.10.  If I want GlobalProtect users to route to this servers public address, let's say 30.30.30.30, instead of 10.10.10.10, is there a way to do this through the Palo Alto?  I've tried researching, but haven't come up with anything concrete.  Appreciate your help!

2 REPLIES 2

Cyber Elite
Cyber Elite

split tunneling manipulates the routing table, so there's no possibility to do this based on FQDN

 

if you have an internal DNS server you can have it serve up different dns entries based on the source of the query. alternatively you can set up a dns proxy and have your GP clients use this as their dns server. You can set the external ip as the dns record for your site

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Cyber Elite
Cyber Elite

@szannikos,

SO first things first lets look at the webserver exlusion. 

1) If you followed best practices and the GlobalProtect terminates on it's own security zone, then you would simply create a security policy that says that anything from the zone 'GP' or whatever you named it, cannot access the webserver. Alternatively if you have a rule allowing all traffic simply add the IP that you don't want them visiting to the 'destination' field and then utilize the 'Negate' option. This will continue to allow all traffic unless the IP is listed in the destination field. 

2) If you didn't terminate GlobalProtect in it's own zone you'll need to add the IP into the 'Excludes' Split Tunnel configuration on the GP Gateway Client Settings. Since you can't take advantage of FQDN you'll need to include all of the IPs of the servers particiapting in the round-robin configuration. 

 

Your second question gets a little more complicated. What you'd need to do is actually setup a destination NAT. Essentially stating that if something comes from the GlobalProtect zone with the GP IP range to 10.10.10.10, the translated packet is going to be setup as a destination address translation to 30.30.30.30 to a translated port of 443. 

 

Edit:

@reaper's suggestion is by far easier to configure 🙂 

  • 1591 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!