05-27-2020 01:12 AM - edited 05-27-2020 01:15 AM
Hi,
We have issues with a service using GP. To solve it, we add the IP of the Palo GP tunnel as the PanGP adapter gateway on the local machine. Why is this happening? Is there any way to configure this PanGP gateway from Palo Alto when the user connects to GP?
05-27-2020 07:12 AM
No, the default gateway is not configurable...
You probably had issues with NLA.
What IP did you add to the gateway option? Was it on the same network as your GP client receives, or was it a locally connected gateway?
05-27-2020 07:17 AM
The IP we added for the PanGP gateway was the Palo Alto tunnel interface IP for GP.
05-29-2020 03:42 AM
What do you mean by NLA?
The point is that if we add the gateway, the issues are solved... weird...
05-29-2020 10:23 AM - edited 05-29-2020 10:25 AM
What happens if you use the IP address of your local router...?
05-29-2020 11:12 AM
NLA is a Windows function. Essentially, Windows by default will create a few firewall entries when you connect to any network to allow certain traffic, but since the GP tunnel doesn't have a gateway address these routes are never added. This affects primarily Microsoft Store access and UWP applications from my experience, but it can technically affect other applications as well.
A really simple fix is to apply the following in Group Policy, which will essentially tell Microsoft to allow the traffic, and you don't have to do any scripting to get the gateway assigned to the GlobalProtect interface every time a client connects.
* Computer Configuration > Policies > Administrative Templates > Network > Network Isolation
- Private network ranges for apps: Enable the policy and specify your GlobalProtect IP ranges under Private Subnets.
- Subnet definitions are authoritative: Enable the policy so that the above works properly.
With both these changes pushed out, the NLA issue goes away. I would try this fix first before you attempt to actually programmatically assign the GP interface a gateway address whenever someone connects to GlobalProtect, and just let those settings manage themselves as long as this takes care of your issues.
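The two Network Isolation policies above, as an added example that is not code from the original posts or from Palo Alto Networks. It writes the policies as local registry values (handy on one test machine before rolling them out by GPO) and then checks that the address GlobalProtect handed to the PANGP adapter actually falls inside the configured private subnets, and that the adapter indeed has no default gateway, which is the condition the reply describes. The registry value names (DomainSubnets and the DWORD DSubnetsAuthoritive, misspelling included) are how I recall the NetworkIsolation ADMX storing these settings and should be verified against the ADMX in your environment; the 10.100.0.0/16 client pool and the "*PANGP*" adapter alias are constructed assumptions.

```powershell
# Added example: Network Isolation policy for a GlobalProtect client pool.
# Not code from the thread or from Palo Alto Networks.
# Run elevated for the Set- function; the Test- function works unprivileged.
#
# Assumptions (verify against NetworkIsolation.admx):
#   - "Private network ranges for apps"      -> REG_SZ  DomainSubnets
#   - "Subnet definitions are authoritative" -> DWORD   DSubnetsAuthoritive (sic)
#   - GlobalProtect IP pool 10.100.0.0/16 and adapter alias "*PANGP*" are made up.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation'
$GpSubnets = @('10.100.0.0/16')   # assumed GlobalProtect client pool(s)
$GpAdapter = '*PANGP*'            # assumed InterfaceAlias pattern

function Set-GpNetworkIsolationPolicy {
    param([string[]]$Subnets)
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # Several ranges go into one comma-separated policy string.
    New-ItemProperty -Path $PolicyKey -Name 'DomainSubnets' -PropertyType String `
        -Value ($Subnets -join ',') -Force | Out-Null
    # Without "authoritative", Windows still merges in its own guess of the
    # private network, which on the gateway-less tunnel comes up empty.
    New-ItemProperty -Path $PolicyKey -Name 'DSubnetsAuthoritive' -PropertyType DWord `
        -Value 1 -Force | Out-Null
}

function ConvertTo-UInt32 {
    # IPv4 address -> host-order 32-bit integer for mask arithmetic.
    param([System.Net.IPAddress]$Address)
    $bytes = $Address.GetAddressBytes()
    [Array]::Reverse($bytes)
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InCidr {
    param([string]$Ip, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $prefix = [int]$prefix
    # 0xFFFFFFFF is Int64 in PowerShell; mask back down to 32 bits after shifting.
    $mask = [uint32]((0xFFFFFFFF -shl (32 - $prefix)) -band 0xFFFFFFFF)
    $ipBits  = ConvertTo-UInt32 ([System.Net.IPAddress]::Parse($Ip))
    $netBits = ConvertTo-UInt32 ([System.Net.IPAddress]::Parse($network))
    return (($ipBits -band $mask) -eq ($netBits -band $mask))
}

function Test-GpAddressCovered {
    # One row per IPv4 address on the GlobalProtect adapter: is it inside a
    # policy subnet, and does the adapter have a default route (the thread
    # says it normally does not, which is what trips NLA).
    param([string[]]$Subnets)
    $addrs = Get-NetIPAddress -AddressFamily IPv4 |
             Where-Object InterfaceAlias -like $GpAdapter
    foreach ($addr in $addrs) {
        $covered = $Subnets | Where-Object { Test-IPv4InCidr -Ip $addr.IPAddress -Cidr $_ }
        $gw = Get-NetRoute -InterfaceIndex $addr.InterfaceIndex `
                  -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Interface       = $addr.InterfaceAlias
            Address         = $addr.IPAddress
            CoveredByPolicy = [bool]$covered
            HasDefaultGw    = [bool]$gw
        }
    }
}

Set-GpNetworkIsolationPolicy -Subnets $GpSubnets
Test-GpAddressCovered -Subnets $GpSubnets | Format-Table -AutoSize
```

If a row shows CoveredByPolicy as False, the pool you put in the policy does not match what the GlobalProtect gateway is actually assigning, and the policy will not help; fix the subnet list rather than falling back to scripting a gateway onto the adapter.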