Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

GlobalProtect Access Route for a public website?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GlobalProtect Access Route for a public website?

L4 Transporter

Hi folks,

 

We are using a PA 3020 PANOS 7.1.14.

 

We have entered all public IP addresses for Okta in our Global Protect Gateway Client Access route settings.

Our intention is for Okta to only see client IP requests come from our one corporate public IP (instead of the client's ISP).

We want split tunnelling except for when accessing <name>.okta.com.

We have our internal DNS server IP added for the GlobalProtect clients to use (forwarding configured to public DNS).

 

However, when connected to GlobalProtect <name>.okta.com will not resolve, "this site can't be reached", times out.

I've confirmed with a ping -a that the public IP it resolves to is in the list for access routes.

I've also tried adding adding an internal DNS zone for <name>.okta.com, but has not helped.

 

Wondering if anyone has any tips?

1 accepted solution

Accepted Solutions

L4 Transporter

Are you positive there is a nat rule for this outbound traffic?

Scurity policy to allow it?

Do you see this traffic in the logs?

View solution in original post

5 REPLIES 5

L4 Transporter

Are you positive there is a nat rule for this outbound traffic?

Scurity policy to allow it?

Do you see this traffic in the logs?

Yea, I think your are right, thank you.  We do not have a security rule in place from VPN zone to Untrust zone.  I assume because it was not necessary.

I just tried it, but still not working.  I believe I need to add all the IPs in there, since I am now getting a page not found error (instead of time out).

 

Traffic to the Okta public IP is not even registering the traffic log at the moment, have not packet captured yet.

 

Not sure if the internal DNS zone I created for <name>.okta.com is needed or not, will try to find out.

 

Still testing, will update.

Hello,

Just another though might be to not decypt the traffic to Okta, if you are decrypticing traffic.

 

Regards,

@OMatlock,

Just to ensure that you are actually getting all of the logs you might want to override the interzone default policy to log the traffic, as if you don't have a security policy allow it the denied traffic won't be logged by default. 

You were right.  I did not think to go add the VPN zone to the security rule to Untrust and Dynamic IP and Port NAT rule.

Resolved.  Thanks again!

  • 1 accepted solution
  • 4062 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!