01-23-2019 11:28 AM
How are people configuring their PAN for clients to grab the initial GP configuration?
Currently, the laptops are being imaged with Windows 10 and automatically connect to our internal network via certificate based authentication. GP is set to automatically attempt to connect to our outside interface. Once that is done, it grabs the configuration. Next time the users are on site, it detects that the laptop is internal and does not create the tunnel.
Is there a way to configure the PAN so that the laptops can grab the initial configuration?
01-23-2019 05:15 PM
Are you running your own internal DNS servers? Split DNS would really be your solution for something like this.
01-24-2019 12:55 AM
@meischc, Hi.
I'm not sure what you mean, seems a bit confusing...
If your users (after they have connected outside) are able to detect internal hosts, then your external portal address must be visible from your LAN; otherwise you would get a portal address error.
I say this because I have always assumed that GP needs to connect to the portal prior to internal detection, regardless of how many times they have connected externally; otherwise, if you made any changes to the app settings, users would not get them until they connected from outside.
Anyhow... not sure what is different between your setup and mine. It may be that you need to add the "always on" registry setting in your build, or perhaps use group policy to force this registry setting when they first log on.
01-24-2019 08:39 AM
Sorry, let me elaborate. After they grab the correct GP Portal configuration hitting the outside interface, everything is working as designed.
The problem that I am trying to solve, is getting that GP portal configuration on the laptops, prior to hitting the outside interface. Right now, we have a WiFi hotspot that the desktop folks are using to simulate being on the outside connection.
Is there a way to configure an internal gateway or NoNAT so that users can hit the outside interface to grab the portal configuration without having to leave the internal network?
How are you accomplishing this? Or do you just wait for your users to connect from home/outside?
01-24-2019 09:06 AM
Thanks for the clarification....
OK, I understand now what you are describing, but I cannot understand why it is not working already...
On any laptop on your network, what happens when you browse to https://your-portal-address?
Can you get to the page? With certificates it should log in and display the GP downloads.
Let's start there and progress... else I get confused.
01-24-2019 09:40 AM
Sorry, I have just realised that it may be working for me because our GP portal is on a different firewall, so we go out of our main firewall to connect to our VPN firewall...
Not sure if NAT will suffice... you may be better off adding a second portal to your config and making it available on your internal interface.
Then, as @BPry stated, use your internal DNS to resolve to the internal portal.
Sorry for the confusion.
01-24-2019 10:02 AM - edited 01-24-2019 10:36 AM
or simply add a NAT rule at the top of the NAT policies
source= trust , Destination Address="Your-portal-ip-address" Source Translation= None
I think what is happening is that your current traffic is being NAT'd to your external address, so the Palo will see your external address trying to talk to your external address. This will cause its nose to start bleeding... and it will see this as a LAN attack, so add the NAT rule...
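To make the two suggestions above concrete (a no-NAT exemption for LAN clients reaching the portal's public IP, plus resolving the portal name internally), here is an added PAN-OS CLI configuration fragment. It is not from the original thread or from Palo Alto's documentation; the command syntax is written from memory and should be checked against your running PAN-OS version, the portal address 203.0.113.10 and the zone names trust/untrust are placeholders, and the rule and object names are made up for the example.

```text
# Added example (not from the thread). Placeholders: 203.0.113.10 = public IP
# the GlobalProtect portal listens on; trust = LAN zone; untrust = outside zone.
configure

# Address object for the portal's public IP so both rules reference one value.
set address GP-Portal-Public ip-netmask 203.0.113.10/32

# No-NAT rule: LAN clients talking to the portal's public IP must NOT be
# source-translated. The destination zone is untrust because the public IP is
# routed out the outside interface; the rule carries no source-translation or
# destination-translation stanza, so it is a pure exemption.
set rulebase nat rules No-NAT-to-GP-Portal from trust to untrust source any destination GP-Portal-Public service any

# The exemption must be evaluated before the general outbound source-NAT rule,
# otherwise the general rule still matches first (NAT rules are first-match).
move rulebase nat rules No-NAT-to-GP-Portal top

# Security rule allowing only the portal/gateway traffic from the LAN to the
# portal IP; application-default keeps it to the expected TCP/443 ports.
set rulebase security rules Allow-LAN-to-GP-Portal from trust to untrust source any destination GP-Portal-Public application [ ssl web-browsing panos-global-protect ] service application-default action allow

commit
```

After the commit, the check is the one asked for in the thread: from an imaged laptop on the LAN, browse to https://your-portal-address and confirm the portal page loads and the client downloads the configuration. In Monitor > Traffic, filter on the portal IP as destination; a session from a LAN host should show no source translation and should match Allow-LAN-to-GP-Portal rather than the general outbound rule. If the portal name must instead resolve to an internal portal (the second-portal option), the internal DNS servers, not a NAT rule, carry that change, and the same browse-to-portal check applies.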
01-24-2019 10:44 AM
Also.... could you confirm that currently, when users connect to the LAN after connecting externally, they do get the little house icon?