11-11-2019 05:28 PM
Hello Community,
I am new to Palo Alto. We have deployed some firewalls in our company. I am trying to configure GlobalProtect on the branch offices to add more gateways. I have an extra internet connection at one location and wanted to know if it's possible to configure GlobalProtect on one of the interfaces.
The firewall is currently behind a Cisco router and connects to our switch, but I wanted to configure one interface with the extra internet provider and configure GP. I configured the interface with the public IP and a PBF rule since I already have a default route configured, but it is not responding to pings to that interface. Is this possible?
11-11-2019 11:11 PM
Yes, it is possible to do what you are attempting to do.
If you are not getting pings to work, then you would need to look at your logs to see IF your FW sees the pings coming inbound from the extra ISP network (or similar).
You would also want to confirm that you have an interface mgmt profile enabled on the 2nd FW public interface that allows ping.
What other questions can we answer for you?
11-12-2019 09:02 AM
Another option would be to create a separate virtual router for the other ISP connection and keep the GP traffic on that. That way you can manage routing separately and not worry about PBF.
11-12-2019 04:01 PM
Hello Steve,
Yes I have the ping profile configured for that ISP.
If you see, 1/1 connecting to the router is not a public IP. I am sending the default router with static routes, and NAT is not configured since the router is doing it.
11-12-2019 09:32 PM
@Ralvarado10 you have me a little confused.
I see that ethernet1/1 is your primary ISP, with a private IP.
You have connected your DSL to your ethernet1/5, with a public IP.
You stated you could not ping the portal (at least that was my understanding), and you responded that you had ping enabled on ethernet1/1... but your portal is on ethernet1/5. I do see that your portal has a ping-only profile.
What do your traffic logs show when you try to ping the portal's IP from the DSL ISP?
Thanks.
11-19-2019 02:58 PM
Hello,
I ended up creating a VR for this ISP and now I am able to connect. I configured GP.
The only issue that I am having now is that I cannot access the internal network.
Any ideas?
Your help is appreciated.
Thank you.
11-19-2019 03:13 PM
If you use a separate VR, then you'll need another interface in that new VR connected to your L3 switch for access to the networks it manages.
The L3 switch will also need a static route for the GP client network pointing to the new VR internal interface.
11-19-2019 06:56 PM
What @rmfalconer mentioned is one way of doing things, however not what I would do in your case as you are wasting ports. When you configure a route you will use the option "Next VR" under your next hop setting and you can pass the traffic to your primary VR without needing to dedicate a port simply to route the traffic.
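The design the thread converges on (a separate virtual router for the second ISP, a "Next VR" static route instead of a dedicated port back to the core, and a ping-only management profile on the public interface) written out as PAN-OS CLI set commands. This is an added example, not configuration posted by anyone in the thread. ethernet1/1 (primary ISP, primary VR "default") and ethernet1/5 (DSL, public IP) come from the thread; the VR name ISP2-VR, the zone names, the ISP gateway 203.0.113.1, the GP client pool 10.99.0.0/24 and the internal prefix 10.0.0.0/8 are placeholders to be replaced with your own values.

```text
# Added example, not from the thread. Placeholders: ISP2-VR, zone names, 203.0.113.x (ISP2,
# TEST-NET-3), 10.99.0.0/24 (GP client pool), 10.0.0.0/8 (internal networks).
configure

# 1. Management profile for the public-facing interface: ping only. The GP portal/gateway is
#    served by the GlobalProtect service itself, so HTTPS/SSH management stays off this interface.
set network profiles interface-management-profile ping-only ping yes

# 2. Second ISP interface with its public IP, its own zone, and its own virtual router.
set network interface ethernet ethernet1/5 layer3 ip 203.0.113.10/30
set network interface ethernet ethernet1/5 layer3 interface-management-profile ping-only
set zone ISP2-untrust network layer3 ethernet1/5
set network virtual-router ISP2-VR interface ethernet1/5

# 3. GP gateway tunnel interface lives in the same VR (it also needs a zone and a security
#    policy allowing GP-clients -> internal, which routing alone does not provide).
set network interface tunnel units tunnel.1
set zone GP-clients network layer3 tunnel.1
set network virtual-router ISP2-VR interface tunnel.1

# 4. Default route for ISP2-VR points at the second ISP, so replies to inbound pings and GP
#    connections leave the way they came in, with no PBF needed.
set network virtual-router ISP2-VR routing-table ip static-route ISP2-default destination 0.0.0.0/0 interface ethernet1/5 nexthop ip-address 203.0.113.1

# 5. Internal networks are reached by handing traffic to the primary VR ("Next VR"),
#    instead of burning a second port to the core switch.
set network virtual-router ISP2-VR routing-table ip static-route to-internal destination 10.0.0.0/8 nexthop next-vr default

# 6. Return path: the primary VR must send the GP client pool back into ISP2-VR.
set network virtual-router default routing-table ip static-route to-gp-clients destination 10.99.0.0/24 nexthop next-vr ISP2-VR

commit
```

The two next-vr routes (steps 5 and 6) are what make the "cannot access the internal network" symptom go away without an extra interface: the first carries client traffic toward the core, the second carries replies back. Because the core switch still sees the firewall's ethernet1/1 address as the next hop for 10.99.0.0/24, it needs no extra static route in this variant. Keep the management profile on ethernet1/5 to ping only; the portal and gateway listen on the interface regardless of that profile.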
11-25-2019 02:06 PM
Thank you all for all the help I got from you.
I created a separate VR for the second ISP as recommended. I also tried both solutions: configuring another interface and connecting it to the core, as well as the one where you point the static route to the other "VR". Both worked, but as mentioned by BPry, to reduce the ports I used the Next VR option and it worked perfectly.
Thank you all again for helping me with this.