GlobalProtect Portal has a problem with DHCP Ext interface

Reply
Highlighted
L4 Transporter

GlobalProtect Portal has a problem with DHCP Ext interface

I'm hoping that someone from PAN Support or Development can answer this question.  I have been fighting with this for weeks now and have narrow the problem down to the GP Portal service.

Scenario

I have a PA-200 in my lab with two Layer3 interfaces defined.  The Internal L3 interface has a Static IP for the local network, while the other L3 interface gets it's IP Dynamically from the Comcast ISP.  I configured my GlobalProtect Portal & External Gateway to use the L3 interface that is dynamically addressed.  From the Public side, users can access the Portal and Gateway just fine.  From the local network, users cannot access the Portal or Gateway, even though I have configured my Source-NAT to not NAT traffic sourced from the LAN destined for the Public IP address.  Now, here's where it gets weird.  I have other computers on my local network that have Public DNS names, so I've created U-Turn NATs to access these devices.  Everything works great!  I even took away the GP Portal & Gateway from the Public IP interface and tried NATting traffic for the Portal & Gateway to Loopback addresses.  Same problem, even worst.  Not even users from the Public side can connect to the Portal & Gateway while the Public IP is dynamically assigned.  When I make the Public interface a Static IP address everything, including the GP Portal & Gateway NATted to the loopback works great.

There seems to be an issue with the GP Portal & Gateway service when trying to connect if the IPs are dynamically assigned on the interface they are bound to or being NATted from.

Can someone in PAN Support or Development please shed some light on this issue?

Thanks,

Jeff

Highlighted
L6 Presenter

Re: GlobalProtect Portal has a problem with DHCP Ext interface

Just to clearify regarding your user from local network, that is not to reach users on the public network but rather setup a VPN (or whatever) towards the portal-ip just like the public users?

If its the later - what about if your local users connect to the internal L3 ip instead?

You should be able to deal with this by the help of the dns.

If the user is externally then your external authoritive dns-server will reply to "vpn.example.com" with the external ip. But when they are on the inside your internal authoritive dns-servers (or if you have the same hardware for both cases then use views in your dnsserver) will reply to "vpn.example.com" with the internal ip.

Highlighted
L4 Transporter

Re: GlobalProtect Portal has a problem with DHCP Ext interface

Hi,

Thanks for the suggestion.  However, this is a workaround and not a solution to a problem with the PAN OS.  I really would like to find out why I have a problem with a DHCP addressed interface and not a Statically addressed interface.

Thx

Jeff

Highlighted
L6 Presenter

Re: GlobalProtect Portal has a problem with DHCP Ext interface

I dont know if its the case you are facing but a solution for a similar question was to remove the ip address you specify in the portal configuration (in the PA box).

Highlighted
L4 Transporter

Re: GlobalProtect Portal has a problem with DHCP Ext interface

I'm not sure what you mean.  When you configure the Portal interface to be a L3 interface that's dynamically addressed the IP address is already set to None.  Could you please elaborate?

Highlighted
L6 Presenter

Re: GlobalProtect Portal has a problem with DHCP Ext interface

Sorry for the confusion... I was most likely thinking of the stuff you already have done (the same stuff as described in )

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!