7.1.2 Unable to reach GlobalProtect portal

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

7.1.2 Unable to reach GlobalProtect portal

L1 Bithead

Hey guys,

 

I am trying to get the GlobalProtect piece of the FW to work, I followed word for word from the 7.1 admin guide and still no luck.  When I go to monitor I see the source coming from the external-untrust zone (which is correct), but the to zone shows (internal - trust). If I am reading this doc correctly, the VPN should terminate on the tunnel interface it makes you create right?

 

Page 157 -

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/framemaker/71/globalprotect/global...

 

Any ideas?

 

Regards

 

Capture1.PNGCapture2.PNG

2 accepted solutions

Accepted Solutions

L4 Transporter

Hi Digitaltrance,

 

If you're trying to web browse to your global protect portal you would ideally host this on your external interface or on a loopback interface. The tunnel interface would be for when you are connecting to the GP VPN and establishing a tunnel rather than web browsing to the portal.

 

To establish the connection you will need to first allow the external client to access the portal to authenticate then also allow the gateway authentication. 

 

As your log shows external to internal hitting the default interzone deny, rather than say external to external intrazone default allow then it looks like you may be accidentally NATing your traffic destined to your portal to your internal zone? Or you have set up your GP portal for an interface in your internal zone rather than an external zone? As you don't have a policy to allow that I can see in your screenshots.

 

Check the detailed log view (spyglass on the left of the log) and you can see if your traffic is being NATed incorrectly in the destination panel.

 

hope this helps,

Ben

View solution in original post

Cyber Elite
Cyber Elite

I think @bmorris1 pretty much nailed the first things to look at and you'll likely find an error with where you have the tunnel as far as the security zone goes or something weird with your NAT policy. I would look at the tunnels security zone first, and then look at the NAT as I think it's actually more likely that you actually set your tunnel interface to your internal zone. 

 

One thing that I might recommend is actually making a GlobalProtect zone. It makes creating access policies and the like a little bit easier if you are looking to lock down your VPN users access, and it helps keep it really simple as far as access rules go. 

View solution in original post

4 REPLIES 4

L4 Transporter

Hi Digitaltrance,

 

If you're trying to web browse to your global protect portal you would ideally host this on your external interface or on a loopback interface. The tunnel interface would be for when you are connecting to the GP VPN and establishing a tunnel rather than web browsing to the portal.

 

To establish the connection you will need to first allow the external client to access the portal to authenticate then also allow the gateway authentication. 

 

As your log shows external to internal hitting the default interzone deny, rather than say external to external intrazone default allow then it looks like you may be accidentally NATing your traffic destined to your portal to your internal zone? Or you have set up your GP portal for an interface in your internal zone rather than an external zone? As you don't have a policy to allow that I can see in your screenshots.

 

Check the detailed log view (spyglass on the left of the log) and you can see if your traffic is being NATed incorrectly in the destination panel.

 

hope this helps,

Ben

Cyber Elite
Cyber Elite

I think @bmorris1 pretty much nailed the first things to look at and you'll likely find an error with where you have the tunnel as far as the security zone goes or something weird with your NAT policy. I would look at the tunnels security zone first, and then look at the NAT as I think it's actually more likely that you actually set your tunnel interface to your internal zone. 

 

One thing that I might recommend is actually making a GlobalProtect zone. It makes creating access policies and the like a little bit easier if you are looking to lock down your VPN users access, and it helps keep it really simple as far as access rules go. 

It was a bad NAT policy guys, thanks so much for the help. It is working now.

 

Now i just need to figure out how to get the routing correct to get to the internet, I can only access internal devices over the VPN atm.

@digitaltrance, If everything else is working, you need to take a look at your access route for GlobalProtect.

Check inside of the WebGUI > Network > GlobalProtect > Click configuration for a gateway > Agent tab > click on a config profile > Network Settings - Access route on the right hand side. 

This is where the GP client will get its "access route" in order to know where to go. 

 

If you only give it access to your internal network, then that is all it has access to. 

If you want it to route all of its traffic over GP, then you can use a 0.0.0.0/0 network. But please be aware, that this can cause local access issues for the GP client.

 

I hope this helps.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!
  • 2 accepted solutions
  • 4788 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!