GlobalProtect Initial configuration


GlobalProtect Initial configuration

L1 Bithead

How are people configuring their PAN for clients to grab the initial GP configuration?

 

Currently, the laptops are being imaged with Windows 10 and automatically connect to our internal network via certificate based authentication. GP is set to automatically attempt to connect to our outside interface. Once that is done, it grabs the configuration. Next time the users are on site, it detects that the laptop is internal and does not create the tunnel. 

 

Is there a way to configure the PAN so that the laptops can grab the initial configuration?

1 accepted solution

Accepted Solutions

or simply add a NAT rule at the top of the NAT policies

 

source= trust , Destination Address="Your-portal-ip-address"  Source Translation= None

 

I think what is happening is that your current traffic is being NAT'd to your external address, so the Palo will see your external address trying to talk to your external address; this will cause its nose to start bleeding... and it will see this as a LAND attack, so add the NAT rule...
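The reasoning in the accepted answer depends on two things: NAT rules are evaluated top-down with the first match winning, and once the outbound source-NAT rule fires, the firewall's own external address ends up as both source and destination of the session. The following Python model is an added example, not code from the thread or from Palo Alto Networks; it simulates that first-match evaluation for an internal client talking to the portal's public address, with and without the exemption rule, and with the exemption placed at the bottom where it is shadowed. Every address, zone name and rule name is constructed (RFC 5737 / RFC 1918 ranges), and the zone lookup is a deliberately simple stand-in for the route-based zone determination a real firewall performs.

```python
"""Toy model of top-down, first-match NAT rulebase evaluation.

Added example, not from the LIVEcommunity thread or from Palo Alto Networks.
Shows why a "Source Translation = None" rule for traffic to the GlobalProtect
portal's public IP must sit ABOVE the general outbound source-NAT rule.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addresses: the untrust interface doubles as the GP portal address
# and as the address used for outbound source NAT (PAT), as in the thread.
PORTAL_PUBLIC_IP = ip_address("203.0.113.10")
INTERNAL_NET = ip_network("10.0.0.0/8")
CLIENT = ip_address("10.10.5.23")   # a laptop on the internal LAN


def zone_for(addr: IPv4Address) -> str:
    """Simplified zone lookup: a real firewall derives the destination zone
    from the route to the ORIGINAL destination; here anything outside 10/8
    is reached via the untrust interface."""
    return "trust" if addr in INTERNAL_NET else "untrust"


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    source: str                                # CIDR or "any"
    destination: str                           # CIDR or "any"
    source_translation: Optional[IPv4Address]  # None == "Source Translation = None"

    @staticmethod
    def _addr_match(spec: str, addr: IPv4Address) -> bool:
        return spec == "any" or addr in ip_network(spec, strict=False)

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return (self.from_zone == zone_for(src)
                and self.to_zone == zone_for(dst)
                and self._addr_match(self.source, src)
                and self._addr_match(self.destination, dst))


def evaluate_nat(rulebase: List[NatRule], src: IPv4Address,
                 dst: IPv4Address) -> Tuple[Optional[str], IPv4Address]:
    """Walk the rulebase top-down; the first matching rule wins.
    Returns (matched rule name or None, source address after translation)."""
    for rule in rulebase:
        if rule.matches(src, dst):
            if rule.source_translation is not None:
                return rule.name, rule.source_translation
            return rule.name, src
    return None, src


def looks_self_addressed(translated_src: IPv4Address, dst: IPv4Address) -> bool:
    """The failure mode described in the thread: after hairpin source NAT the
    firewall's external address appears to be talking to itself, the same
    src == dst pattern a LAND attack produces."""
    return translated_src == dst


# The general outbound rule every site has: trust -> untrust, PAT to the interface IP.
OUTBOUND_PAT = NatRule("outbound-pat", "trust", "untrust", "any", "any", PORTAL_PUBLIC_IP)
# The exemption from the accepted answer: same zones, destination = portal IP, no translation.
NO_NAT_TO_PORTAL = NatRule("no-nat-gp-portal", "trust", "untrust", "any",
                           f"{PORTAL_PUBLIC_IP}/32", None)

BEFORE = [OUTBOUND_PAT]                        # original rulebase
FIXED = [NO_NAT_TO_PORTAL, OUTBOUND_PAT]       # exemption at the top, as advised
SHADOWED = [OUTBOUND_PAT, NO_NAT_TO_PORTAL]    # same rule at the bottom: never reached


def check(rulebase: List[NatRule]) -> Tuple[Optional[str], str, bool]:
    """Evaluate the client -> portal flow and report which rule hit,
    the post-NAT source, and whether the result is self-addressed."""
    name, tsrc = evaluate_nat(rulebase, CLIENT, PORTAL_PUBLIC_IP)
    return name, str(tsrc), looks_self_addressed(tsrc, PORTAL_PUBLIC_IP)


if __name__ == "__main__":
    for label, rb in (("before", BEFORE), ("fixed", FIXED), ("shadowed", SHADOWED)):
        print(f"{label:9s} -> {check(rb)}")
```

The "shadowed" case is the one to keep in mind when applying the answer on a live rulebase: an exemption rule that is added but left below the general source-NAT rule matches nothing, because the broader rule above it already claimed the session.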


Cyber Elite

@meischc,

Are you running your own internal DNS servers? Split DNS would really be your solution for something like this. 

L7 Applicator

@meischc, Hi.

I'm not sure what you mean, seems a bit confusing...

 

If your users (after they have connected outside) are able to detect internal hosts, then your external portal address must be visible from your LAN; otherwise you would get a portal address error.

 

I say this because I have always assumed that GP needs to connect to the portal prior to internal detection, regardless of how many times they have connected externally, otherwise if you made any changes to the app settings then users would not get this until they connected from outside.

 

Anyhow... not sure what is different between your setup and mine; it may be that you need to add the reg setting "always on" in your build, or perhaps use group policy to force this reg setting when they first log on.

Sorry, let me elaborate. After they grab the correct GP Portal configuration by hitting the outside interface, everything is working as designed.

 

The problem that I am trying to solve is getting that GP portal configuration onto the laptops prior to hitting the outside interface. Right now, we have a WiFi hotspot that the desktop folks are using to simulate being on the outside connection.

 

Is there a way to configure an internal gateway or NoNAT so that users can hit the outside interface to grab the portal configuration without having to leave the internal network?

 

How are you accomplishing this? Or do you just wait for your users to connect from home/outside?

Thanks for the clarification....

 

OK, I understand now what you are describing, but I cannot understand why it is not working already...

 

On any laptop on your network, what happens when you browse to https://your-portal-address?

 

Can you get to the page? With certificates it should log in and display the GP downloads.

 

Let's start there and progress... else I get confused.

Sorry, I have just realised that it may be working for me because our GP portal is on a different firewall, so we go out of our main firewall to connect to our VPN firewall...

 

Not sure if NAT will suffice... you may be better off adding a second portal to your config and making it available on your internal interface.

 

Then, as @BPry stated, use your internal DNS to resolve to the internal portal.

 

 

Sorry for the confusion.

 

Also.... could you confirm that currently, when users connect to the LAN after connecting externally, they do get the little house icon?

Yep! They do.
