Assign gateway to PanGP interface


L4 Transporter

Hi,

 

We have issues with a service using GP. To solve it we add the IP of the Palo GP tunnel as the gateway of the PanGP adapter on the local machine. Why is this happening? Is there any way to configure this PanGP gateway from Palo Alto when the user connects in GP?


Accepted Solutions

@BigPalo,

NLA is a Windows function. Essentially Windows by default will create a few firewall entries when you connect to any network to allow certain traffic, but since the GP tunnel doesn't have a gateway address these routes are never added. This primarily affects Microsoft Store access and UWP applications from my experience, but it can technically affect other applications as well.

A really simple fix is to apply the following in Group Policy, which will essentially tell Microsoft to allow the traffic and you don't have to do any scripting to get the gateway assigned to the GlobalProtect interface every time a client connects. 

 

* Computer Configuration > Policies > Administrative Templates > Network > Network Isolation
  - Private Network ranges for apps: Enable policy and specify your GlobalProtect IP ranges under Private Subnets.
  - Subnet definitions are authoritative: Enable the policy so that the above works properly.

 

With both these changes pushed out the NLA issue goes away. I would try this fix first before you attempt to actually programmatically assign the GP interface a gateway address whenever someone connects to GlobalProtect and just let those settings manage themselves as long as this takes care of your issues. 
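A client-side check for the two Network Isolation policies named in the answer above, as an added example that is not part of the original post. It assumes the policies land under the `NetworkIsolation` policy key as the values `DomainSubnets` (comma-separated) and `DSubnetsAuthoritive`, that the GlobalProtect adapter's description starts with `PANGP`, and that the subnets are written as IPv4 CIDR; confirm those names against your own template and client before relying on the result.

```powershell
# Added example (not from the thread). Assumptions are marked inline.
function Test-IPv4InCidr {
    param([string]$Address, [string]$Cidr)
    $net, $len = $Cidr.Trim() -split '/', 2
    if ($len -notmatch '^\d{1,2}$' -or [int]$len -gt 32) { return $false }
    $ip = $null; $base = $null
    if (-not [ipaddress]::TryParse($Address, [ref]$ip)) { return $false }
    if (-not [ipaddress]::TryParse($net, [ref]$base))   { return $false }
    if ($ip.AddressFamily -ne 'InterNetwork' -or
        $base.AddressFamily -ne 'InterNetwork')         { return $false }
    # Convert both addresses to big-endian integers and compare the network part.
    $a = $ip.GetAddressBytes();   [array]::Reverse($a)
    $b = $base.GetAddressBytes(); [array]::Reverse($b)
    $hostSize = [math]::Pow(2, 32 - [int]$len)
    $aNet = [math]::Floor([BitConverter]::ToUInt32($a, 0) / $hostSize)
    $bNet = [math]::Floor([BitConverter]::ToUInt32($b, 0) / $hostSize)
    return ($aNet -eq $bNet)
}

# Assumption: registry location and value names written by the Network Isolation policies.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation'
$pol = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
$subnets = @("$($pol.DomainSubnets)" -split ',' | Where-Object { $_.Trim() })
$authoritative = ($pol.DSubnetsAuthoritive -eq 1)

# Assumption: the GlobalProtect virtual adapter's description starts with "PANGP".
$gp = @(Get-NetAdapter -InterfaceDescription 'PANGP*' -ErrorAction SilentlyContinue |
        Where-Object Status -eq 'Up')
$addrs = @($gp | ForEach-Object {
        Get-NetIPAddress -InterfaceIndex $_.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue
    } | ForEach-Object IPAddress)

foreach ($addr in $addrs) {
    $hit = $subnets | Where-Object { Test-IPv4InCidr $addr $_ } | Select-Object -First 1
    [pscustomobject]@{
        TunnelAddress        = $addr
        MatchingSubnet       = $hit
        SubnetsAuthoritative = $authoritative
        PolicyLooksApplied   = ([bool]$hit -and $authoritative)
    }
}
if (-not $addrs) { Write-Warning 'No connected GlobalProtect adapter found (is the tunnel up?).' }
```

Run it on a client while the tunnel is connected; an empty `MatchingSubnet` means the address pool handed out by GlobalProtect is not covered by the ranges in the policy.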


5 Replies

L0 Member

No, the default gateway is not configurable...

You probably had issues with NLA.

What IP did you add to the gateway option? Was it on the same network as your GP client receives, or was it a locally connected gateway?

The IP we added for the PanGP gateway was the Palo Alto IP of the tunnel interface for GP.

What do you mean by NLA?

The point is that if we add the gateway the issues are solved... weird...

 

 

What happens if you use the ip address of your local router...?
