GlobalProtect Gateway Behind Nginx Issue

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GlobalProtect Gateway Behind Nginx Issue

L1 Bithead

Hello everyone! My environment only has one public IPv4 so I'm trying to make the most of it. We already run a number of web services on port 80/443 behind an Nginx reverse proxy. I'm trying to add GlobalProtect to the mix. I have my portal and gateway running on the same IP. When I forward the ports (80, 443, 4501) the portal seems to work correctly but the gateway just fails. Everything in my FW GP logs says success and my client logs just have a generic "no route" error. Sometimes they connect and can't pass traffic. I've done. Bunch of testing and what I've found is that port 443 needs to be forwarded/streamed directly to the FW otherwise clients fail. Does anyone know why this is or what setting I need to tweak to get the gateway to work behind Nginx?

2 accepted solutions

Accepted Solutions

Cyber Elite
Cyber Elite

You don't need to run GlobalProtect portal and gateway on WAN interface.

You can run them on DMZ interface for example and use NAT.

In this case you can DNAT any port and don't need to use defaults (portal tcp/443 and gateway udp/4501).

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

L1 Bithead

Found the second issue. I was testing external user access from a T-Moblie internet connection. Apparently T-Mobile requires lowering the GlobalProtect MTU. For anyone coming across this in the future, I lowered it to 1280 for the time being. I may try raising/tweaking it again later.

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

You don't need to run GlobalProtect portal and gateway on WAN interface.

You can run them on DMZ interface for example and use NAT.

In this case you can DNAT any port and don't need to use defaults (portal tcp/443 and gateway udp/4501).

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Thanks for the reply. This is a good idea to eliminate the reverse proxy (which I'm a fan of). I gave it a try this morning and maybe I have something else going on but it didn't quite work either. I have the portal using 80/443 behind the reverse proxy (which in my testing so far hasn't been an issue) and I have the gateway DNAT'd from 8443 to 443 and 4501 to 4501. I can connect immedeatly but then the VPN doesn't allow TCP traffic. ICMP and DNS work fine but websites all get err_time_out and this is consistant to external and internal IPs. I can see the traffic coming through in the traffic logs and being allowed without any errors or anything. The logs don't seem to have any errors. Any ideas?

L1 Bithead

Found the second issue. I was testing external user access from a T-Moblie internet connection. Apparently T-Mobile requires lowering the GlobalProtect MTU. For anyone coming across this in the future, I lowered it to 1280 for the time being. I may try raising/tweaking it again later.

  • 2 accepted solutions
  • 1775 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!