GlobalProtect Gateway on Different IP address

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

GlobalProtect Gateway on Different IP address

L2 Linker

Let's say we  have an external facing interface  Ethernet1/3  with  Ip address of 1.1.1.14/28.   The upstream isp router is 1.1.1.1 all other addresses (1.1.1.2-1.1.1.14) are routed to the Palo Alto and in use for various web services, etc..

Per the documentation I can find it looks like you have to set the Global Protect gateway IP address to the address you have set on the interface.   Is there a way to use one of the other addresses in the range we have assigned?  e.g.  1.1.1.10

mdl: PA-2050

Pan-OS 6.0.4

1 accepted solution

Accepted Solutions

Hello Travisj,

You can create a loopback IP with that address and NAT that IP address so that the request actually goes to PAN GP on the interface IP 1.1.1.1/32. You can also NAT it using a port, you may refer to this document for the steps:

Can GlobalProtect Portal Page be Configured to be Accessed on any Port?

Regards,

Dileep

View solution in original post

4 REPLIES 4

L5 Sessionator

travisj

You can configure that IP address as /32 i.e. 1.1.1.10/32 on that interface and then should be able to use it for GP.

You can also terminate the gateway on loopback,, configure any IP address on loopback and NAT 1.1.1.10 to that IP address.

Hope it helps !

L6 Presenter

Hi Travisj,

Global Protect has to be configured on specific interface and its IP address.

Hence you can not terminate GP on Untrust interface with 1.1.1.10/32.

As above suggested only way is to create loopback interface with 1.1.1.10/32, put it in untrust interface[depends on requirement]. And terminate GP on it.

Regards,

Hardik Shah

Hello Travisj,

You can create a loopback IP with that address and NAT that IP address so that the request actually goes to PAN GP on the interface IP 1.1.1.1/32. You can also NAT it using a port, you may refer to this document for the steps:

Can GlobalProtect Portal Page be Configured to be Accessed on any Port?

Regards,

Dileep

L2 Linker

thanks.  dreputi that's exactly what I needed, the issue I was facing was that I already had something on 443 of the interfaces IP address.  I didn't even consider nat'ing different port to a loopback deal.

  • 1 accepted solution
  • 5087 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!