We are a moderately-sized customer without an assigned sales or engineering resource due to account transitions.
We are in the process of moving to a new ISP and it has been suggested by internal resources, for other reasons, to utilize the same IP for the Global Protect Gateway as is already assigned as the outside IP on the public interface. In the past, and at all other locations, we have used a separate, dedicated IP address for the GP gateway.
What is the best practice? What risks do we undertake by placing the GP GW on the same IP as the public interface to the ISP? We already do not allow outside management access via HTTP or SSH via the public IP on this particular firewall, so that would not be a consideration.
We always use DNS records for the client connection so that the backend IP doesn't matter as much. However, you will need to modify the SSL cert to match the IPs and DNS names so you won't get errors.
If you are using IPs, I would suggest transitioning to a DNS-based approach and obtaining a certificate that has both DNS and IP addresses, so that when the transition occurs, only the DNS record and the PAN IP address change and nothing on the client side should change.
Hope that makes sense.
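The certificate point above is easy to get wrong during an ISP transition: a client that connects by IP literal is validated only against "IP Address" SAN entries, not against a "DNS" entry that happens to contain an IP. The following is an added example (not code from the original thread or from Palo Alto Networks) that checks whether a certificate's Subject Alternative Names cover every name and address clients will use before and after the cutover. The SAN list and the hostnames/addresses are constructed for illustration; the SAN tuple shape mirrors what Python's ssl.SSLSocket.getpeercert() returns under "subjectAltName".

```python
import ipaddress
from typing import Iterable, List, Tuple

# (type, value) pairs in the shape ssl.getpeercert()["subjectAltName"] uses.
SanList = Iterable[Tuple[str, str]]


def san_covers(san: SanList, connect_target: str) -> bool:
    """Return True if the SAN list covers the name or IP a client connects to.

    An IP literal is matched only against "IP Address" entries (RFC 6125 /
    RFC 5280 semantics); an IP written into a "DNS" entry does not count,
    which is the usual cause of "certificate does not match" warnings.
    """
    try:
        target_ip = ipaddress.ip_address(connect_target)
    except ValueError:
        target_ip = None  # plain DNS name

    for kind, value in san:
        if target_ip is not None:
            if kind != "IP Address":
                continue
            try:
                if ipaddress.ip_address(value) == target_ip:
                    return True
            except ValueError:
                continue  # malformed IP SAN; ignore it
        elif kind == "DNS" and value.lower() == connect_target.lower():
            return True
    return False


def missing_sans(san: SanList, targets: Iterable[str]) -> List[str]:
    """List every name/address in `targets` the certificate does not cover.

    Run this with the old and new portal/gateway names and addresses before
    the ISP change; an empty list means clients will not see cert errors.
    """
    san = list(san)
    return [t for t in targets if not san_covers(san, t)]


# Constructed SAN list (not a real certificate). 203.0.113.0/24 is
# documentation address space, and example.com is a reserved name.
EXAMPLE_SAN = (
    ("DNS", "vpn.example.com"),
    ("DNS", "gp.example.com"),
    ("IP Address", "203.0.113.10"),
)

# Constructed cutover plan: old name, new name, old IP, new IP.
CUTOVER_TARGETS = ["vpn.example.com", "gp.example.com", "203.0.113.10", "203.0.113.11"]

if __name__ == "__main__":
    gaps = missing_sans(EXAMPLE_SAN, CUTOVER_TARGETS)
    print("not covered by certificate:", gaps)  # new IP 203.0.113.11 is missing
```

The check is intentionally strict: a wildcard DNS SAN or an IP placed in a DNS entry is not treated as a match, so the output tells you exactly which entries to add when re-issuing the certificate for the transition.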
Hi there and thanks for replying.
I should have stated that we already use DNS for the portal address, and not the IP address itself.
I guess I am really looking for any gotchas about having the outside interface and the GP GW using the same IP on the Firewall itself.
Besides the SSL certificate, there shouldn't be any issues that I can think of. I have used the PAN IP for GP in the past without any issues.
For configuration simplicity I would suggest using the firewall public IP for GlobalProtect. The reason for that is you need to select an interface on which you want to enable GP. So the firewall will allow you to set an IP address that is already assigned to it, and the simplest configuration would be to just select the publicly facing interface.
Technically speaking, I am not even sure that you can use a different IP for GP in all cases:
- If your firewall is assigned 188.8.131.52/29 and your ISP gives you (routes to your FW) 184.108.40.206, you can configure 220.127.116.11 as a loopback and use it for GP.
- But if your firewall is assigned 18.104.22.168/29 and you try to use 22.214.171.124 for GP, I don't believe the FW will allow that. If you try to configure a loopback with 126.96.36.199/32, it should overlap with your public interface and the commit should fail.
So my personal preferred way to configure GlobalProtect is to always use the firewall IP: simple, standard, always works, without interfering with other services.
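The two cases in the answer above (a routed address outside the interface's subnet that can live on a loopback, versus an address inside the interface's subnet whose /32 loopback would overlap it) reduce to a subnet-overlap check. The following is an added example (not code from the original thread or from Palo Alto Networks) that classifies a candidate GlobalProtect gateway address against the public interface's CIDR before anyone touches the firewall config. The CIDRs are constructed from RFC 5737 documentation space; the "commit should fail on overlap" behaviour is the poster's claim, which this script only flags rather than verifies against a device.

```python
import ipaddress

# Constructed example: the firewall's public interface address and the
# extra address the ISP routes to the firewall.
PUBLIC_INTERFACE_CIDR = "198.51.100.2/29"   # interface lives in 198.51.100.0/29
ROUTED_EXTRA_IP = "203.0.113.9"             # ISP routes this to the firewall


def loopback_overlaps_interface(interface_cidr: str, loopback_cidr: str) -> bool:
    """True if a loopback network overlaps the public interface's network.

    A /32 loopback taken from inside the interface's subnet overlaps it; an
    address the ISP routes to you from a different block does not.
    """
    iface_net = ipaddress.ip_interface(interface_cidr).network
    lo_net = ipaddress.ip_interface(loopback_cidr).network
    return iface_net.overlaps(lo_net)


def plan_gateway_address(interface_cidr: str, candidate_ip: str) -> str:
    """Classify a candidate GP gateway address relative to the public interface.

    Returns one of:
      "interface" - candidate is the interface's own address: bind GP to it
                    (the simple, standard choice described in the thread).
      "loopback"  - candidate is outside the interface subnet: a /32 loopback
                    with that address is the supported way to host it.
      "conflict"  - candidate is inside the interface subnet but is not the
                    interface address: a /32 loopback would overlap the
                    interface, the case the poster says fails at commit.
    """
    iface = ipaddress.ip_interface(interface_cidr)
    cand = ipaddress.ip_address(candidate_ip)
    if cand.version != iface.ip.version:
        raise ValueError("candidate and interface address families differ")
    if cand == iface.ip:
        return "interface"
    if loopback_overlaps_interface(interface_cidr, f"{cand}/{cand.max_prefixlen}"):
        return "conflict"
    return "loopback"


if __name__ == "__main__":
    for candidate in (ipaddress.ip_interface(PUBLIC_INTERFACE_CIDR).ip.exploded,
                      ROUTED_EXTRA_IP, "198.51.100.3"):
        print(f"{candidate:>16} -> {plan_gateway_address(PUBLIC_INTERFACE_CIDR, candidate)}")
```

Feeding the script the existing interface CIDR and each address under discussion gives a quick answer to the "can I use a separate IP here" question for both the current and the new ISP allocation, before the change window.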