GlobalProtect - Multiple Gateways on One IP Address

BTG-charlie · ‎02-22-2017

Good day,

Our PA-500 is currently on PANOS 7.0.5-h2. We want to configure GlobalProtect - Multiple Gateways using the same IP Address. Is this possible?

We tried to follow the instructions here: http://dsg0.com/t/palo-alto-networks-globalprotect-with-multiple-gateways-on-one-ip-address/122 but we are getting an error that the GlobalProtect client cannot connect to XX.XX.XX.XX:1111 or XX.XX.XX.XX:2222 or XX.XX.XX.XX:3333.

Any help would be great. Thanks!

BTG-charlie

BTG-charlie · ‎03-01-2017

Hi BrianRa,

Are you using an HA-pair PA-500 firewall? What additional licenses did you procure to make this feature work?

Your worries actually detract from the actual concern of this forum posting query. I simply removed mentioning about usage of Windows security groups on the said 4 remote-access VPN connection profiles. This can be done at a later stage once the actual problem which is multiple gateway config on 1 IP Address has been resolved.

As of now, regardless of how many security groups I make, this is still not working. If you can share some config 'workarounds' that you have made to make this work, then that would be helpful.

BrianRa · ‎03-02-2017

,

Sorry, no we are using HA-pair PA-3000 firewalls. We do have the "GlobalProtect Portal" license. But from what I understand that should not be required for this to work (PAN techs clarify??). That should be more related to MDM, HIP checks, etc. I may be wrong because we wanted those features out of the gate so I have not configured the PA OS without that license.

I was told that configuring multiple Portals/Gateways on one IP was not possible. That is why we used the Agent profiles within the same Portal/Gateway.

What you are trying to do (if I understand correctly) should be possible with one Portal/Gateway and multiple Agents.

Network -> GlobalProtect -> Portals -> <Portal_Profile> -> Agent -> <an agent for each type of user>

Network -> GlobalProtect -> Gateways -> <Gateway_Profile> -> Agent -> Client Settings -> <matching config and name for each Portal agent>

Once those have been created (under the gateways you will set different IP ranges for each) you will build Policies that allow traffic from those IP ranges to your other Zones/Interfaces.

First create the Policy Based Forwarding rules.

VPN IPs to DMZ,External,Trusted,etc

Then create the Security rules.

VPN Group1/IP Range/Security Group/Users to Trusted/IP Range/Zone using Applications/Services.

Trusted/IP Ranges/Zone to VPN Group1/IP Range using Applications/Services.

These are just examples of rules but it is the general concept.

Brian

BPry · ‎03-03-2017

@BTG-charlie,

Correct me if I'm wrong but what you are essentially looking to do is create different 'connection profiles' like you would on the ASA? Unfortunately @BrianRa is correct, the proper way to accomplish this is to setup multiple different agent configurations, and unfortunately I don't believe that you're going to be able to use the agent configurations if you want all users to get the option to switch between them.

SecurityCentral · ‎04-26-2022

BrianRa,

Are you using different External Gateway Addresses (FQDN) for each of the Portal Agent profiles, or are they all using the same one? Just wondering if it would be necessary or even helpful in this scenario. We are looking at deploying a similar type of configuration that you have described.

thanks,

OtakarKlier · ‎04-27-2022

Hello,

With regards to split-tunnel. I recommend only Full tunnels. Its the only way to make sure the PAN is scanning all traffic to/from VPN clients and is a finding on pretty much all compliance models.

Regards,

GlobalProtect - Multiple Gateways on One IP Address

GlobalProtect - Multiple Gateways on One IP Address

Show your appreciation!