This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Global Protect, use custom port for portal, followed the tutorial on paloaltonetwork

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Global Protect, use custom port for portal, followed the tutorial on paloaltonetwork

Jborgeaud
L1 Bithead

‎09-21-2018 12:10 PM

Hi,

 

I followed the tutorial : How to Configure GlobalProtect Portal Page to be Accessed on any Port but it's not working.

When I connect using browser I get an error. I see in monitor that the port is accessed and I see the rules for the nat as well, but in the application it's written "incomplete". How can I debug it further ?

Thanks for help.

Jon

0 Likes Likes
6 REPLIES 6

OtakarKlier
Cyber Elite
Cyber Elite

‎09-21-2018 12:26 PM

HEllo,

I would start by looking at the logs to see if/where the traffic is getting blocked. My guess is that its probably a typo somewhere and its causing a block?

 

Regards,

0 Likes Likes

Jborgeaud
L1 Bithead
In response to OtakarKlier

‎09-22-2018 09:22 AM

There is no typo.

Here is the screenshot of the monitor:2018-09-22-18-19-12.png

0 Likes Likes

Jborgeaud
L1 Bithead
In response to OtakarKlier

‎09-22-2018 09:28 AM

pics of loopback:

2018-09-22-18-23-29.png

screen of nat:

2018-09-22-18-25-20.png

security rules:

2018-09-22-18-26-25.png

We see that all rules has count, means they are triggered...

And inside the monitr they are no block, I even override intra/interzone to show inside the logs.

 

 

 

 

 

0 Likes Likes

BPry
Cyber Elite
Cyber Elite
In response to Jborgeaud

‎09-22-2018 12:12 PM

@Jborgeaud,

I would take a look at your routing with that NAT statement in place. Your logs don't seem to show it due to where you cut them off, but are you showing any received traffic at all or just sent? 

0 Likes Likes

Jborgeaud
L1 Bithead
In response to BPry

‎09-22-2018 12:19 PM

Sorry but I didnt understand what you mean.
there is no routing, only default route 0.0.0.0/0 on the next hope, and if I remove loopback, nat and loopback ip on the portal/ge, the portal is working from outside using port 443.
0 Likes Likes

Jborgeaud
L1 Bithead
In response to Jborgeaud

‎09-25-2018 11:50 AM - edited ‎09-25-2018 12:44 PM

Just to add some new information.

After applying the NAT rules, I see on the other router ARP message like this: Broadcast ARP Gratuitous  request for 172.16.0.254 ( duplicate use of 172.16.0.254 detected).

 

172.16.0.254 == my second router IP and the configured nextHop on the palo.

 

The network diagram is the following:

 

palo with ip internal 192.168.200.1 and ip external 172.16.0.200 connected to a router with ip 172.16.0.254.

I'm wondering why adding the nat rules make this message appears.

 

After doing packet capture on the palo, I can see in the DROP pcap, SYN from 172.16.0.144 (ip where i connect to the portal on port 30043) on port 443, on RECV pcap, I can see SYN on port 30043 from ip 172.16.0.144.

Question is why traffic is dropped on 443 ? I have rules like in the tutorial for it.

0 Likes Likes
  • 3555 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks