Global protect with DHCP client on WAN interface


L4 Transporter

I have a PA-200 which is configured with DHCP-client on the WAN interface.

When configuring Global Protect, I'm not able to configure the gateway address. When I choose the WAN interface as the gateway address interface, I'm not able to choose the IP address currently on that interface (because of the DHCP client setting, I guess). The same applies to the Global Protect Portal configuration. I cannot set the Portal Address. (see attached picture)

Is there any way around this, or is it impossible to set up a Global Protect gateway and portal on a DHCP client interface?

I have dyn-dns running. Is it possible to somehow set the portal and gateway address to a FQDN?

Accepted Solutions

L7 Applicator

I am sorry for the inconvenience, this is actually a UI issue, bug #33914.

The workaround is that you can actually set this from CLI with the following command:

set network tunnel global-protect-gateway <name> local-address interface e1/1

Version 4.1.2 documents this issue. Please see the release notes here:

https://support.paloaltonetworks.com/index.php?option=com_pan&task=view_releasenotes&vn=4.1.2&ut=sw&...

Will this be resolved in 4.1.3? I hope so, but cannot answer that until that version is released and that bug # is shown as a resolved issue.

Kind Regards

LIVEcommunity team member
Stay Secure,
Joe

10 Replies


Hey Joe,

Is there a command line for the "GP portal" part as well? There has to be the interface and IP defined as well.

Mike

I think the command for setting the GP portal address to the interface address is the following:

set global-protect global-protect-portal "portal name" portal-config local-address interface ethernet1/X

Thanks, I will try it!

Works like a charm!

Hmm, interesting. I'm having the exact same problem running version 7.01, so the bugfixing seems to be a bit off for this one (3 years or so). Can you elaborate a bit on the command line stuff, as I'm not so savvy in that area?

Best regards

/Micke

Hi,

I have not had any problem with this in 7.0. I just choose the WAN interface, which is configured with DHCP client, as my Portal and Gateway interface. IP address is just set to "none" in the web UI. Have you tried just doing that?

Looking at the config in the CLI, I see the same thing with the command "show global-protect global-protect-portal <Portal-name>" in configure mode. Local-address is just the interface (no IP address).

If I run "show global-protect-gateway gateway" in operation mode in the CLI, I do see the IP address I get from DHCP under local address, as expected.

- Tor

This is how mine is set up, and it has worked fine since 5.x. Select the WAN interface and leave the address set to none.

Managed to solve my problem. Had nothing to do with the DHCP on the external interface:-). It turned out to be a policy problem. I had to add an ESP service to the policy for tunneling to work. For some reason the denied traffic was not logged and the only thing I could see was the 443 session initiating the VPN and just failure on the client. I think there is probably some stuff that should be added to the 7.0 Global Protect set-up guide, for example what policy you should set for the external - external traffic for initiation of the tunnel.

Best regards

/Micke

L1 Bithead

Can somebody help me with this?

I tried to configure the IP address manually from the CLI, but I got an error message:
Server error : portal-config -> local-address -> ip '<my ip address>' is not a valid reference
portal-config -> local-address -> ip is invalid
