GlobalProtect Access Route for a public website?


L4 Transporter

Hi folks,

We are using a PA 3020 on PAN-OS 7.1.14.

We have entered all public IP addresses for Okta in our GlobalProtect Gateway Client Access Route settings.

Our intention is for Okta to only see client IP requests come from our one corporate public IP (instead of the client's ISP).

We want split tunnelling except for when accessing <name>.okta.com.

We have our internal DNS server IP added for the GlobalProtect clients to use (forwarding configured to public DNS).

However, when connected to GlobalProtect, <name>.okta.com will not resolve: "this site can't be reached", times out.

I've confirmed with a ping -a that the public IP it resolves to is in the list for access routes.

I've also tried adding an internal DNS zone for <name>.okta.com, but that has not helped.

Wondering if anyone has any tips?

Accepted Solution

L4 Transporter

Are you positive there is a NAT rule for this outbound traffic?

Security policy to allow it?

Do you see this traffic in the logs?


Yeah, I think you are right, thank you.  We do not have a security rule in place from VPN zone to Untrust zone.  I assume because it was not necessary.

I just tried it, but still not working.  I believe I need to add all the IPs in there, since I am now getting a page not found error (instead of a time out).

Traffic to the Okta public IP is not even registering in the traffic log at the moment, have not packet captured yet.

Not sure if the internal DNS zone I created for <name>.okta.com is needed or not, will try to find out.

Still testing, will update.

Hello,

Just another thought might be to not decrypt the traffic to Okta, if you are decrypting traffic.

Regards,

@OMatlock,

Just to ensure that you are actually getting all of the logs, you might want to override the interzone-default policy to log the traffic, as if you don't have a security policy allowing it, the denied traffic won't be logged by default.
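Putting the accepted answer and the logging tip together, here is an added example (not from the thread or from Palo Alto) of the three PAN-OS pieces this thread ends up needing, in CLI set-command form: the VPN and Untrust zone names are the thread's; the rule names, the address group, interface ethernet1/1 and the 203.0.113.0/24 range are placeholders; and the command syntax is written from memory of PAN-OS 7.x, so check it against the version in use.

```text
# Address object and group for Okta's public ranges (placeholder range; use Okta's published list)
set address okta-pub-1 ip-netmask 203.0.113.0/24
set address-group Okta-Public-IPs static [ okta-pub-1 ]

# 1. Security policy: GlobalProtect clients (VPN zone) out to the Internet (Untrust zone).
#    Without a rule like this, the traffic hits interzone-default and is dropped without a log entry.
set rulebase security rules GP-to-Okta from VPN to Untrust source any destination Okta-Public-IPs application [ ssl web-browsing ] service application-default action allow log-end yes

# 2. Source NAT so Okta sees the corporate public IP instead of the client's ISP address.
set rulebase nat rules GP-Outbound-NAT from VPN to Untrust source any destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# 3. Log the implicit interzone deny so drops caused by a missing policy show up in the traffic log.
set rulebase default-security-rules rules interzone-default log-end yes
```

The # lines are annotations for the reader, not CLI input; enter the set commands in configure mode and commit, then confirm the session appears in the traffic log with the expected NAT source address.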

You were right.  I did not think to add the VPN zone to the security rule to Untrust and the Dynamic IP and Port NAT rule.

Resolved.  Thanks again!
