Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
10-07-2020 03:54 AM - edited 10-07-2020 03:57 AM
Hey team hope someone can help me. I am pretty new to Palo and I am trying to setup Global Protect PreLogon in our corporate environment. I have managed to get it all working in the lab (awesome) now doing that in the live environment is different ball game...
Issue is that I am getting asymmetric routing, our default route goes out via another interface and to a legacy firewall, and I can see that the GP's wan interface is sending traffic using the default route. Not sure how I can force traffic received from GP's WAN interface. Below is my setup
IP's are different to live these are just sample IPs
WAN 1 - IP 192.168.50.1/30 (has sub IPs as well, 1 of which is used for GP wan 192.168.10.1)
WAN 2 - IP 192.168.100.1/30 (this goes to our legacy watchguard firwall) also default route is set to this next hop is 192.168.100.2/30
The Portal and Gateway uses Loopback address 10.10.10.253
Both WAN and Loopback are in the Internet Zone
Tunnel is Global Protect Zone
Destianation NAT any source zone , Internet destination Zone , to 192.168.10.1 Destination Address, Service (Port6000) Destination Translation address 10.10.10.253 port 443
Security Policy
Inbound - any source to Internet Zone Detination with address 10.10.10.253 and 192.168.10.1 Global Protect applications Allow
Outbound - Global Protect Zone any address to Corporate LAN, Internet default application allow
Both loopback and tunnel has been added to the default router
Now how do I say any traffic from 192.168.10.1 going outbound goes via 192.168.50.1 and NOT via default route ?
I tried setting up a policy based forwarding but there doesn't seem to be any traffic that is going to it.
the Policy is
From interface WAN1 Address 192.168.50.1 and 10.10.10.253 , negate the internal LANs , forward traffic to WAN1 Interface 192.168.100.2.
10-07-2020 12:32 PM
Hello,
Have you setup an internal gateway for globalprotect? That way it doesnt have to go 'outside' to connect?
Couple links that may help:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClH1CAK
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClfXCAS
Regards,
10-07-2020 12:57 PM
Hi,
To achieve what you want. You will need to create policy based forwarding for outgoing traffic and enable “symmetric Routing”. The back traffic the will be recognized automatically.
10-09-2020 05:23 AM
Hey Abdul,
I have already setup a policy based forwarding or tried to which goes something like
Source Internet Zone with IP (WAN Subnet IP) , Negate Destination (Local subnets) forward to next hop of WAN 1
but no traffic seem to be using that policy
02-06-2024 08:18 AM
Did you find an answer to this problem? I'm having the same issue, created PBF rules but the traffic does not seem to hit it.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
