Assign gateway to PanGP interface

L4 Transporter

Hi,

We have issues with a service using GP. To solve it we added the IP of the Palo GP tunnel as the gateway of the PanGP adapter on the local machine. Why is this happening? Is there any way to configure this PanGP gateway from Palo Alto when the user connects with GP?


Accepted Solutions
Cyber Elite

@jesuscano,

NLA is a Windows function. Essentially Windows by default will create a few firewall entries when you connect to any network to allow certain traffic, but since the GP tunnel doesn't have a gateway address these routes are never added. This affects primarily Microsoft Store access and UWP applications, from my experience, but it can technically affect other applications as well.

A really simple fix is to apply the following in Group Policy, which will essentially tell Microsoft to allow the traffic and you don't have to do any scripting to get the gateway assigned to the GlobalProtect interface every time a client connects. 

* Computer Configuration > Policies > Administrative Templates > Network > Network Isolation

- Private network ranges for apps: Enable the policy and specify your GlobalProtect IP ranges under Private Subnets.

- Subnet definitions are authoritative: Enable the policy so that the above works properly.

With both these changes pushed out, the NLA issue goes away. I would try this fix first before you attempt to actually programmatically assign the GP interface a gateway address whenever someone connects to GlobalProtect, and just let those settings manage themselves as long as this takes care of your issues.

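A way to verify both halves of this fix on a Windows client, as an added example and not code from the thread or from Palo Alto Networks: it shows the PanGP adapter's IPv4 configuration (the missing default gateway, and the network profile Windows derived from it) and then reads back the two Network Isolation policy settings named above. The adapter name pattern, the sample GP subnet, and the registry value names `DomainSubnets` and `DomainSubnetsAuthoritative` under the `NetworkIsolation` policy key are assumptions; check them against your environment and the ADMX before relying on the output.

```powershell
# Added verification script (not from the thread). Assumes the GlobalProtect adapter
# name/description starts with "PANGP" and that the Group Policy settings
# "Private network ranges for apps" and "Subnet definitions are authoritative"
# land in the registry path and value names below (assumption; verify via ADMX).
$AdapterPattern = 'PANGP*'
$GpSubnets      = @('10.10.0.0/16')   # constructed sample; use your real GP IP pool(s)
$PolicyKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation'

# 1. Show the GP adapter's IP configuration. The absent default gateway is what
#    makes Windows classify the tunnel differently from a normal LAN connection.
$adapter = Get-NetAdapter |
    Where-Object { $_.Name -like $AdapterPattern -or $_.InterfaceDescription -like $AdapterPattern } |
    Select-Object -First 1
if (-not $adapter) {
    Write-Warning "No adapter matching '$AdapterPattern' found (is GlobalProtect connected?)"
    return
}

$ipcfg   = Get-NetIPConfiguration -InterfaceIndex $adapter.ifIndex
$profile = Get-NetConnectionProfile -InterfaceIndex $adapter.ifIndex -ErrorAction SilentlyContinue
[pscustomobject]@{
    Interface   = $adapter.Name
    IPv4Address = ($ipcfg.IPv4Address.IPAddress -join ', ')
    IPv4Gateway = if ($ipcfg.IPv4DefaultGateway) { $ipcfg.IPv4DefaultGateway.NextHop } else { '<none>' }
    Profile     = if ($profile) { $profile.NetworkCategory } else { '<unknown>' }
} | Format-List

# 2. Check whether the two Group Policy settings from the accepted answer are applied.
$pol = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
$subnets = @()
if ($pol -and $pol.DomainSubnets) {
    # The policy stores the ranges as one delimited string; split on common separators.
    $subnets = $pol.DomainSubnets -split '[,;\s]+' | Where-Object { $_ }
}
$authoritative = [bool]($pol -and $pol.DomainSubnetsAuthoritative)

foreach ($s in $GpSubnets) {
    if ($subnets -contains $s) { "OK   : $s is listed in 'Private network ranges for apps'" }
    else                       { "MISS : $s is NOT listed in 'Private network ranges for apps'" }
}
if ($authoritative) { "OK   : 'Subnet definitions are authoritative' is enabled" }
else                { "MISS : 'Subnet definitions are authoritative' is NOT enabled" }
```

Run it in an elevated PowerShell session on a client while GlobalProtect is connected, before and after a `gpupdate /force`, to confirm the policy actually reached the machine rather than assuming it did from the GPO console.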


All Replies
L0 Member

No, the default gateway is not configurable...

You probably had issues with NLA.

What IP did you add to the gateway option? Was it on the same network as your GP client receives, or was it a locally connected gateway?

L4 Transporter

The IP we added for the PanGP gateway was the Palo Alto IP of the tunnel interface for GP.

L4 Transporter

What do you mean by NLA?

The point is that if we add the gateway the issues are solved... weird...

L7 Applicator

What happens if you use the IP address of your local router...?
