Global Protect Routing

L4 Transporter

I just recently set up GP and I'm in the testing phase. My tests are failing. The very first time I connected I could ping out to the internet, I could ping devices via IP address inside our network (behind the firewall), and I could ping via hostname. After I connected a second time I can't ping anything except the internet. I have fiddled with the client routes, PBF, and NAT and security policies.

I should mention that I am testing from behind the firewall. I have the same results from outside the network. We have a LAN setup that we use for testing. So, traffic is essentially leaving the network and coming back in. Our GP Gateway is built to an interface we have configured for our BGP setup, on the untrust zone. The same zone our IPs live on. All of our tunnel interfaces live on the trust zone.

L4 Transporter

Mario,

My guess, if you are connected to GP, is a policy or routing issue. A few things to look at are the sessions in the session browser, to see if the PAN is even creating a session for the ping packet and, if so, what interface the packet is being forwarded to. Also, from the session browser you should be able to see if the packet will have NAT correctly applied (if it needs to).

Dominic

L4 Transporter

Thanks for your response. The session browser shows there is a session created for the ping packets. The session shows that traffic is being forwarded to my primary ISP interface. NAT is being correctly applied for outbound traffic. I've attached a screenshot of the session.

I think it might be a routing issue but I can't pinpoint where. GlobalProtect is set up to hit a public IP address we are advertising via BGP. This interface is configured in the untrust zone. Do I need to set up security policies for this when building a VPN tunnel? Shouldn't the tunnel creation on either side allow the traffic to pass through without additional security policies?

My assumption is that the VPN tunnel would terminate at the tunnel interface I created during the configuration of GP, which is on the trust network. Trust to trust is allowed on the firewall.

Is my understanding flawed?

L4 Transporter

I just thought I would post an update. I worked with Palo Alto support on this issue for several hours. The issue seemed to stem from the fact that the tunnel interface used for GP was in our trust zone. This created all kinds of NAT, security policy, and routing issues. To keep it simple we just created a new zone for Global Protect, with new security policies, PBF, static routes, etc., and it all started working.
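
The fix described in the last post, sketched as PAN-OS CLI (an added example, not the poster's or Palo Alto support's actual configuration). The zone name `GP-VPN`, interface `tunnel.10`, virtual router `default`, client pool `10.99.0.0/24` and internal addresses are constructed placeholders; `trust` is the zone named in the thread.

```text
# Lines starting with "#" are annotations, not CLI input.
# All names and addresses below are constructed placeholders.

# --- configuration mode ---
# Dedicated tunnel interface and zone for GlobalProtect clients,
# instead of placing the tunnel interface in the trust zone
set network interface tunnel units tunnel.10 comment "GlobalProtect gateway"
set network virtual-router default interface tunnel.10
set zone GP-VPN network layer3 tunnel.10

# Explicit interzone rule: VPN client pool to internal hosts, logged,
# so VPN traffic no longer rides on the trust-to-trust allowance
set rulebase security rules GP-to-Trust from GP-VPN
set rulebase security rules GP-to-Trust to trust
set rulebase security rules GP-to-Trust source 10.99.0.0/24
set rulebase security rules GP-to-Trust destination 10.1.0.0/16
set rulebase security rules GP-to-Trust application any
set rulebase security rules GP-to-Trust service application-default
set rulebase security rules GP-to-Trust action allow
set rulebase security rules GP-to-Trust log-end yes

# --- operational mode, after commit ---
# Which rule matches a ping (protocol 1) from a client to an internal host?
test security-policy-match from GP-VPN to trust source 10.99.0.10 destination 10.1.1.20 protocol 1
# Which egress interface does the route lookup pick for that host?
test routing fib-lookup virtual-router default ip 10.1.1.20
# Inspect the live sessions for the client address
show session all filter source 10.99.0.10
```

The GlobalProtect gateway's tunnel settings also have to reference the new tunnel interface. Any PBF or NAT rules that select on zone need reviewing, because VPN traffic now arrives from `GP-VPN` rather than `trust`.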
