Global Protect Setup


I have attached pictures of my current Global Protect setup. Now we have had a request to allow iPads and Android tablets onto the VPN. Can I have multiple profiles? One for our Domain laptops and one for tablets? I see from the documentation that the tablets will need a Root Certificate from the PAN. If I create a Root Certificate for the tablet profile, will it cause problems for the Domain laptop profile, where I do not need a Root Certificate from the PAN?

Thank You


Accepted Solutions
L3 Networker

Re: Global Protect Setup

We have 3 different GP configurations on the same firewall. You just need an additional IP address for each portal/gateway combination. For example, we have one GP portal/GW for pre-logon clients that authenticate to IP address 1, next we have another GP portal/GW configuration with IP address 2 that only allows clients HTTP access to a particular inside/DMZ resource, and finally a test GP portal/GW setup that uses IP address 3.

You can then apply specific configuration to each of the portal/GW nodes.

So yes, you can. You just need an additional IP address for each of your portal/GW configurations.

Rod



All Replies
L5 Sessionator

Re: Global Protect Setup

Hi,

I am not sure if you got a chance to look at the following doc or not.

https://live.paloaltonetworks.com/docs/DOC-2016

The document shows GlobalProtect-Config-Apple-iOS.

Hopefully this helps

Thank you

Numan


Re: Global Protect Setup

Thanks...I have read those documents. I understand the setup, but I am worried about breaking the setup I already have. That's why I am wondering if it is possible to have 2 different configurations on the same PAN...1 for tablets that need a Root CA Certificate and 1 for Domain laptops that do not need a Root CA certificate.


Re: Global Protect Setup

Great...thanks Rod, that's what I needed to know

L5 Sessionator

Re: Global Protect Setup

Hi,

Yes, that can be done. You can have multiple GlobalProtect configurations. The thing to keep in mind is that you will need a different IP address for portal and gateway.

Hopefully that helps.

Thank you

Numan

L1 Bithead

Re: Global Protect Setup

Curious about multiple IP addresses, and where they get applied. I have a /30 link space on my untrust interface (with functioning gateway/portal for Windows machines & specific HIP), so I can't add more there, but I do have plenty of routable IPs in my DMZ that I could use. Possible to create multiple gateways/portals off the DMZ interface using unique IP addresses there? Any tips would be appreciated.

Regards,

Brad
