Global Protect Setup


I have attached pictures of my current Global Protect setup. Now we have had a request to allow iPads and Android tablets onto the VPN. Can I have multiple profiles? One for our Domain laptops and one for tablets? I see from the documentation that the tablets will need a Root Certificate from the PAN. If I create a Root Certificate for the tablet profile, will it cause problems for the Domain laptop profile, where I do not need a Root Certificate from the PAN?

Thank You

1 accepted solution

Accepted Solutions

We have 3 different GP configurations on the same firewall. You just need an additional IP address for each portal/gateway combination. For example, we have one GP portal/GW for pre-logon clients that authenticate to IP address 1, next we have another GP portal/GW configuration with IP address 2 that only allows clients HTTP access to a particular inside/DMZ resource, and finally a test GP portal/GW setup that uses IP address 3.

You can then apply specific configuration to each of the portal/GW nodes.

So yes you can. You just need an additional IP address for each of your portal/GW configurations.

Rod

Hi,

I am not sure if you got a chance to look at the following doc or not.

https://live.paloaltonetworks.com/docs/DOC-2016

The document shows GlobalProtect-Config-Apple-iOS.

Hopefully this helps

Thank you

Numan

Thanks...I have read those documents. I understand the setup, but I am worried about breaking the setup I already have. That's why I am wondering if it is possible to have 2 different configurations on the same PAN...1 for tablets that need a Root CA Certificate and 1 for Domain laptops that do not need a Root CA certificate.

Great...thanks Rod, that's what I needed to know

Hi,

Yes, that can be done. You can have multiple GlobalProtect configurations. The thing to keep in mind is that you will need a different IP address for portal and gateway.

Hopefully that helps.

Thank you

Numan

Curious about multiple IP addresses, and where they get applied. I have a /30 link space on my untrust interface (with functioning gateway/portal for Windows machines & specific HIP), so I can't add more there, but I do have plenty of routable IPs in my DMZ that I could use. Possible to create multiple gateways/portals off the DMZ interface using unique IP addresses there? Any tips would be appreciated.

Regards,

Brad
