10-17-2018 07:43 AM - edited 10-17-2018 07:46 AM
Greetings,
I am setting up GP on a small home office PA220 . I have a single E 1/1 Untrusted L3 interface that is internet facing.
My logic tells me this interface should have the GP configured on it. However, the documentation and video turtorials don't specifically outline that the GP needs to be on an internet facing interface.
I have followed the configurations to a 'T' with my GP interface being Untrusted L3 E 1/8. This E 1/8 interface has no physical ethernet cable connected to it, nor does it actually bind with anything other than the tunnel.1
My question is: Have I configure the GP properly and it should work by visiting my external IP address from an outside location? I wouldn't think so - but....
If GP should actually be assigned to to the internet facing IP (E 1/1) - How would I go about doing so as it is already assigned?
Thanks PA-LC for all your help 🙂
10-17-2018 08:17 AM - edited 10-17-2018 08:20 AM
Hey @catrock
It really depends on what GlobalProtect setup you want, there are multiple.
1. If you want remote access to your home office, where you would be connecting from externally (internet cafe etc) then both the GlobalProtect portal and gateway should reside on your Outside interface.
2. If you want GlobalProtect as an extra layer of security where you would be connecting to it from inside the network, you would configure a GlobalProtect gateway to terminate on your internal interface.
Edit:
"Have I configure the GP properly and it should work by visiting my external IP address from an outside location? I wouldn't think so - but...."
Correct. Once the GlobalProtect portal and gateway are configured against your outside interface, visiting the IP address (recommended to use an FQDN) will present you with the portal login page.
"If GP should actually be assigned to to the internet facing IP (E 1/1) - How would I go about doing so as it is already assigned?"
When you select the interface for the globalprotect portal/gateway terminates on, by default the "IPv4 Address" dropdown will be set to "None" but selecting the dropdown will allow you to chose the IPs that are set on that interface.
Hope this answers your question, there's some useful docs on this too:
The below article covers scenario one. step 6 discusses configuring the gateway on the untrust interface.
The below article covers scenario two
Cheers,
Luke.
10-17-2018 08:17 AM - edited 10-17-2018 08:20 AM
Hey @catrock
It really depends on what GlobalProtect setup you want, there are multiple.
1. If you want remote access to your home office, where you would be connecting from externally (internet cafe etc) then both the GlobalProtect portal and gateway should reside on your Outside interface.
2. If you want GlobalProtect as an extra layer of security where you would be connecting to it from inside the network, you would configure a GlobalProtect gateway to terminate on your internal interface.
Edit:
"Have I configure the GP properly and it should work by visiting my external IP address from an outside location? I wouldn't think so - but...."
Correct. Once the GlobalProtect portal and gateway are configured against your outside interface, visiting the IP address (recommended to use an FQDN) will present you with the portal login page.
"If GP should actually be assigned to to the internet facing IP (E 1/1) - How would I go about doing so as it is already assigned?"
When you select the interface for the globalprotect portal/gateway terminates on, by default the "IPv4 Address" dropdown will be set to "None" but selecting the dropdown will allow you to chose the IPs that are set on that interface.
Hope this answers your question, there's some useful docs on this too:
The below article covers scenario one. step 6 discusses configuring the gateway on the untrust interface.
The below article covers scenario two
Cheers,
Luke.
10-17-2018 08:52 AM
Hello,
Do you have a policy that allows that traffic to the IP? I always put a DENY ALL polic at the bottom of my policy list and have it log so I know if things are getting blocked.
Regards,
10-17-2018 09:31 AM - edited 10-17-2018 12:30 PM
Thanks much for the response.
Option 1 - is what I am after.
I do have a dynamic IP frm my ISP. This map to a host nmane using a DynDns agent running inside my lan/network. *Looks like there's no DynDnS agent option to run directly on the PA220?
In my reading on NAT'g- I do see where I will want to assign the external facing interface the FQDN as well. I have used the FQDN in my GP certificate as well.
10-17-2018 09:44 AM
Hey @catrock
You're correct that PAN doesn't support DynDNS - but that shouldn't be required. Things that would be needed:
A port forward on your ISP router to forward all tcp/443 requests to your PAN FW IP.
Regarding NAT - you'll want to make sure that the inbound traffic to your GP portal isn't hitting your outbound NAT rule, it may be required to make a "No-NAT" rule to say if you're coming from external going to the IP of your untrust interface then do not nat it.
Do you see the logs of your attempts in the traffic logs?
You may have to override the default intrazone and interzone-default rules and enable logging at session end.
Thanks,
Luke.
10-17-2018 04:34 PM
I was able to get the login GP screen.
Gateway and Portal interface have been changed to the E1/1 Untrusted interface.
As my E/1/ inteface is DHCP the IP setting was left at none vs. an IP for the GP interace.
Now - working through authentication (AD/LDAP).
Thanks again.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
