Global protect - Windows issues


L4 Transporter

Hi,

We are having an issue with GlobalProtect and several features of Windows (Office store, images Word...).

We realised that if we configure the default gateway by hand in the PanGP interface, it's working fine. Why is this happening?

Is there any way to automatically add a default gateway in the PanGP interface?

For Windows store we found this link:

https://support.microsoft.com/en-us/help/4537233/microsoft-store-not-open-after-domain-joined-comput...

5 REPLIES

L4 Transporter

Do you have security policies allowing the Internet traffic from the zone your GP tunnel is in to get to the Internet?  Do you see any blocks in the monitoring tab?

If the security policy isn't the issue, and you are trying to exclude traffic from the tunnel and go straight to the internet, adjusting the default gateway isn't the best way to go.  GP generally (at least the ways I've used it), operates in tunnel mode, and clients get an IP address with a 255.255.255.255 subnet mask, and the interface doesn't have a default gateway.  The split tunnel section of your gateway configuration determines what goes down the tunnel, and what doesn't. If you're wanting to exclude certain traffic, you can specify it in the split tunnel exclude section, or alternatively only include certain internal subnets in the split tunnel include section.

Hi,

I mean that we have a GP. Some clients (192.168.1.20-192.168.1.50 range) had connectivity issues downloading the System Center (AV). So we went to the PanGP adapter and we don't see any gateway for the PanGP adapter. So we tried to add this GP gateway (192.168.1.1), and it worked.

So is there any way to assign a gateway for the PanGP interface from the PA config? Why doesn't PanGP have a gateway?

Is 192.168.1.20-192.168.1.50 your client pool for GP?  I don't know your topology.  What device is 192.168.1.1?  The GP interface doesn't have a gateway because of how it works as a tunnel interface.  When you put routes in the split tunnel include section of the gateway config (Network > GlobalProtect > Gateways > Your Gateway > Client Settings > Your Client Config > Split Tunnel), these routes get installed in the Windows route table by GP with the GP adapter as the on-link interface.  Anything in the Exclude section does not get tunneled.  You should be able to verify the routes on a Windows machine by running this command in the command prompt:

route print

192.168.1.1 is the IP for the tunnel GP.

Network -> Interfaces -> tunnel.1 (192.168.1.1)

If we add in PanGP adapter the gateway the ip_tunnel is working fine

Why? Is there any way to configure the gateway for the PanGP adapter from the FW?

I have never configured IP addresses on my GlobalProtect tunnel interfaces.  When you specify routes in the Split Tunnel Include section, these will get installed in your computer's route table as "on-link" routes pointing to the IP that your GP interface gets from the pool.  It looks something like this:

[Image: OwenFuller_0-1591130057528.png]

In this case, I'm tunneling everything (0.0.0.0/0), and my GP interface IP address is 172.X.X.X
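An added example, not part of any post in this thread: a small Python parser for the IPv4 "Active Routes" rows of `route print` that reports whether a destination leaves through the GlobalProtect adapter or the local gateway, which is the check that shows what a split tunnel config actually sends past the firewall. The sample table and all addresses in it are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of the IPv4 "Active Routes" rows from `route print`.
# Assumptions: 192.168.0.10 is the physical NIC, 172.16.5.20 is a made-up
# GP pool address, and 10.0.0.0/8 is the only split tunnel include route.
SAMPLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.10     25
         10.0.0.0        255.0.0.0          On-link      172.16.5.20      1
      172.16.5.20  255.255.255.255          On-link      172.16.5.20    257
      192.168.0.0    255.255.255.0          On-link     192.168.0.10    281
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
ROW = re.compile(rf"^\s*{IP}\s+{IP}\s+(\S+)\s+{IP}\s+(\d+)\s*$")

def parse_routes(text):
    """Return a list of (network, gateway, interface_ip, metric) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or IPv6 line
        dest, mask, gateway, iface, metric = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, ipaddress.ip_address(iface), int(metric)))
    return routes

def select_route(routes, destination):
    """Pick the route Windows would use: longest prefix, then lowest metric."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))

def is_tunneled(routes, destination, gp_ip):
    """True when the selected route leaves through the GP adapter address."""
    best = select_route(routes, destination)
    return best is not None and best[2] == ipaddress.ip_address(gp_ip)

if __name__ == "__main__":
    table = parse_routes(SAMPLE)
    for dst in ("10.1.2.3", "8.8.8.8", "192.168.0.55"):
        path = "tunnel" if is_tunneled(table, dst, "172.16.5.20") else "local"
        print(f"{dst:15} -> {path}")
```
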
