Global protect with DHCP client on WAN interface

L4 Transporter

I have a PA-200 which is configured with DHCP-client on the WAN interface.

When configuring Global Protect, I'm not able to configure the gateway address. When I choose the WAN interface as the gateway address interface, I'm not able to choose the IP address currently on that interface (because of the DHCP client setting, I guess). The same applies to the Global Protect Portal configuration. I cannot set the Portal Address. (see attached picture)

Is there any way around this, or is it impossible to set up a Global Protect gateway and portal on a DHCP client interface?

I have dyn-dns running. Is it possible to somehow set the portal and gateway address to a FQDN?


Accepted Solutions
Community Team Member

Re: Global protect with DHCP client on WAN interface

I am sorry for the inconvenience, this is actually a UI issue, bug #33914.

The workaround is that you can actually set this from CLI with the following command:

set network tunnel global-protect-gateway <name> local-address interface e1/1

Version 4.1.2 documents this issue. Please see the release notes here:

https://support.paloaltonetworks.com/index.php?option=com_pan&task=view_releasenotes&vn=4.1.2&ut=sw&...

Will this be resolved in 4.1.3? I hope so, but cannot answer that until that version is released and that bug # is shown as a resolved issue.

Kind Regards

Stay Secure,
Joe
End of line



All Replies
Not applicable

Re: Global protect with DHCP client on WAN interface

Hey Joe,

Is there a command line for the "GP portal" part as well? The interface and IP have to be defined there as well.

Mike

L4 Transporter

Re: Global protect with DHCP client on WAN interface

I think the command for setting the GP portal address to the interface address is the following:

set global-protect global-protect-portal "portal name" portal-config local-address interface ethernet1/X

Not applicable

Re: Global protect with DHCP client on WAN interface

Thanks, I will try it!

Not applicable

Re: Global protect with DHCP client on WAN interface

Works like a charm!

L0 Member

Re: Global protect with DHCP client on WAN interface

Hmm, interesting. I'm having the exact same problem running version 7.01, so the bug fixing seems to be a bit off for this one (3 years or so). Can you elaborate a bit on the command line stuff, as I'm not so savvy in that area?

Best regards

/Micke

L4 Transporter

Re: Global protect with DHCP client on WAN interface

Hi,

I have not had any problem with this in 7.0. I just choose the WAN interface, which is configured with DHCP client, as my Portal and Gateway interface. The IP address is just set to "none" in the web UI. Have you tried just doing that?

Looking at the config in the CLI, I see the same thing with the command "show global-protect global-protect-portal <Portal-name>" in configure mode. Local-address is just the interface (no IP address).

If I run "show global-protect-gateway gateway" in operation mode in the CLI, I do see the IP address I get from DHCP under local address, as expected.

- Tor

L1 Bithead

Re: Global protect with DHCP client on WAN interface

This is how mine is set up, and it has worked fine since 5.x. Select the WAN interface and leave the address set to none.

L0 Member

Re: Global protect with DHCP client on WAN interface

Managed to solve my problem. It had nothing to do with the DHCP on the external interface :-). It turned out to be a policy problem. I had to add an ESP service to the policy for tunneling to work. For some reason the denied traffic was not logged, and the only thing I could see was the 443 session initiating the VPN and just a failure on the client. I think there is probably some stuff that should be added to the 7.0 Global Protect set-up guide, for example what policy you should set for the external - external traffic for initiation of the tunnel.

Best regards

/Micke
