GlobalProtect - To which ethernet interface? WAN Facing?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

GlobalProtect - To which ethernet interface? WAN Facing?

L2 Linker

Greetings,

I am setting up GP on a small home office PA220 .  I have a single E 1/1 Untrusted L3 interface that is internet facing.

My logic tells me this interface should have the GP configured on it.  However, the documentation and video turtorials don't specifically outline that the GP needs to be on an internet facing interface.

 

I have followed the configurations to a 'T' with my GP interface being Untrusted L3 E 1/8.  This E 1/8 interface has no physical ethernet cable connected to it, nor does it actually bind with anything other than the tunnel.1

 

My question is:  Have I configure the GP properly and it should work by visiting my external IP address from an outside location?  I wouldn't think so - but....

 

If GP should actually be assigned to to the internet facing IP (E 1/1) - How would I go about doing so as it is already assigned?

 

Thanks PA-LC for all your help 🙂

 

1 accepted solution

Accepted Solutions

L5 Sessionator

Hey @catrock

 

It really depends on what GlobalProtect setup you want, there are multiple.

 

1. If you want remote access to your home office, where you would be connecting from externally (internet cafe etc) then both the GlobalProtect portal and gateway should reside on your Outside interface.

 

2. If you want GlobalProtect as an extra layer of security where you would be connecting to it from inside the network, you would configure a GlobalProtect gateway to terminate on your internal interface.


Edit:

 

"Have I configure the GP properly and it should work by visiting my external IP address from an outside location?  I wouldn't think so - but...."

 

Correct. Once the GlobalProtect portal and gateway are configured against your outside interface, visiting the IP address (recommended to use an FQDN) will present you with the portal login page.

 

"If GP should actually be assigned to to the internet facing IP (E 1/1) - How would I go about doing so as it is already assigned?"

 

When you select the interface for the globalprotect portal/gateway terminates on, by default the "IPv4 Address" dropdown will be set to "None" but selecting the dropdown will allow you to chose the IPs that are set on that interface.

 

Hope this answers your question, there's some useful docs on this too:

 

https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/globalprot...

 

The below article covers scenario one. step 6 discusses configuring the gateway on the untrust interface.

 

https://www.paloaltonetworks.com/documentation/71/globalprotect/globalprotect-admin-guide/globalprot...

 

The below article covers scenario two

 

https://www.paloaltonetworks.com/documentation/71/globalprotect/globalprotect-admin-guide/globalprot...

 

Cheers,

Luke.

View solution in original post

6 REPLIES 6

L5 Sessionator

Hey @catrock

 

It really depends on what GlobalProtect setup you want, there are multiple.

 

1. If you want remote access to your home office, where you would be connecting from externally (internet cafe etc) then both the GlobalProtect portal and gateway should reside on your Outside interface.

 

2. If you want GlobalProtect as an extra layer of security where you would be connecting to it from inside the network, you would configure a GlobalProtect gateway to terminate on your internal interface.


Edit:

 

"Have I configure the GP properly and it should work by visiting my external IP address from an outside location?  I wouldn't think so - but...."

 

Correct. Once the GlobalProtect portal and gateway are configured against your outside interface, visiting the IP address (recommended to use an FQDN) will present you with the portal login page.

 

"If GP should actually be assigned to to the internet facing IP (E 1/1) - How would I go about doing so as it is already assigned?"

 

When you select the interface for the globalprotect portal/gateway terminates on, by default the "IPv4 Address" dropdown will be set to "None" but selecting the dropdown will allow you to chose the IPs that are set on that interface.

 

Hope this answers your question, there's some useful docs on this too:

 

https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/globalprot...

 

The below article covers scenario one. step 6 discusses configuring the gateway on the untrust interface.

 

https://www.paloaltonetworks.com/documentation/71/globalprotect/globalprotect-admin-guide/globalprot...

 

The below article covers scenario two

 

https://www.paloaltonetworks.com/documentation/71/globalprotect/globalprotect-admin-guide/globalprot...

 

Cheers,

Luke.

Hello,

Do you have a policy that allows that traffic to the IP? I always put a DENY ALL polic at the bottom of my policy list and have it log so I know if things are getting blocked.

 

Regards,

@LukeBullimore

 

Thanks much for the response.

Option 1 - is what I am after.

 

I do have a dynamic IP frm my ISP.  This map to a host nmane using a DynDns agent running inside my lan/network.  *Looks like there's no DynDnS agent option to run directly on the PA220?

 

In my reading on NAT'g- I do see where I will want to  assign the external facing interface the FQDN as well.  I have used the FQDN in my GP certificate as well.

 

 

 

 

Hey @catrock

 

You're correct that PAN doesn't support DynDNS - but that shouldn't be required. Things that would be needed:

 

A port forward on your ISP router to forward all tcp/443 requests to your PAN FW IP.

 

Regarding NAT - you'll want to make sure that the inbound traffic to your GP portal isn't hitting your outbound NAT rule, it may be required to make a "No-NAT" rule to say if you're coming from external going to the IP of your untrust interface then do not nat it.

 

Do you see the logs of your attempts in the traffic logs?

 

You may have to override the default intrazone and interzone-default rules and enable logging at session end.

 

Thanks,

Luke.

Greetings @OtakarKlier,

The default DENY is in place at the bottom - yes.

 

@LukeBullimore

I was able to get the login GP screen.

Gateway and Portal interface have been changed to the E1/1 Untrusted interface.

As my E/1/ inteface is DHCP the IP setting was left at none vs. an IP for the GP interace.

Now - working through authentication (AD/LDAP).

 

 

Thanks again.

 

  • 1 accepted solution
  • 5142 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!