GlobalProtect VPN - Management Access


L0 Member

Hi,

Does anyone know a way to get access to the PAN-OS web management interface over a GlobalProtect VPN? We are using three interfaces on our firewall:

1 - Management Interface

2 - Trust

3 - Untrust

GlobalProtect is set up on the trust interface, and I have a rule in the Security Policy to allow access from my device to anything; however, I can't get to the interface. Should this be something that just works? I can't see any logging saying anything is denied after I have made a change.

I also set up management access on the trust interface for testing and I still get the same results.

Is it not meant to be managed this way?

Thanks
Stephen

2 REPLIES

L4 Transporter

@HyderB  Once a GP user has authenticated and is given an IP address, he becomes like any other network user. It is just a matter of routing and security policies.

This may not be your case, but something that often goes wrong is people not realising that the routing of the data plane interfaces (in your case trust and untrust) and the control plane management interface are independent of each other. Your users need to be routed correctly to your mgmt interface (if this is where you are connected to) and your mgmt interface needs to have correct routing back to the subnet of your users.
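To illustrate the point above about the two independent routing tables, here is an added Python example (not from this thread or from Palo Alto Networks) that does a longest-prefix lookup in a constructed data-plane table and a constructed MGT table and flags a return path that falls through to the MGT default gateway; all addresses, prefixes and next hops are made up.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed example (not from the thread): a GlobalProtect client, the MGT
# interface address, and two independent routing tables, mirroring the point
# that PAN-OS data plane (trust/untrust) and management plane routes are separate.
GP_CLIENT = "10.99.0.20"   # constructed: an address from the GP client pool
MGT_IP = "10.10.0.5"       # constructed: the MGT interface address

# Data plane (trust VR): reaches the GP pool via the tunnel and the MGT subnet
# via an AWS router, so the forward path from a GP client works.
DATA_PLANE_ROUTES = {
    "10.99.0.0/24": "tunnel.1",
    "10.10.0.0/24": "10.20.0.1",
    "0.0.0.0/0": "203.0.113.1",
}

# MGT before the fix: only its connected subnet and a default gateway, so the
# reply to 10.99.0.x leaves via the default gateway and never reaches the tunnel.
# After the fix: a static route for the GP pool toward the router that fronts
# the firewall's data plane (gateway address constructed).
MGT_ROUTES_BEFORE = {"10.10.0.0/24": "connected", "0.0.0.0/0": "10.10.0.1"}
MGT_ROUTES_AFTER = {**MGT_ROUTES_BEFORE, "10.99.0.0/24": "10.10.0.254"}


def lookup(routes: Dict[str, str], dst: str) -> Tuple[str, str]:
    """Longest-prefix match over a {prefix: next_hop} table."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, nexthop in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return str(best[0]), best[1]


def return_path_ok(mgt_routes: Dict[str, str], client_ip: str) -> bool:
    """True when MGT has a specific (non-default) route back to the client."""
    prefix, _ = lookup(mgt_routes, client_ip)
    return prefix != "0.0.0.0/0"


if __name__ == "__main__":
    # The forward path is fine either way; only the return path changes.
    print("forward:", lookup(DATA_PLANE_ROUTES, MGT_IP))
    print("return before fix:", return_path_ok(MGT_ROUTES_BEFORE, GP_CLIENT))
    print("return after fix: ", return_path_ok(MGT_ROUTES_AFTER, GP_CLIENT))
```

Nothing is denied in the traffic log in the "before" case because the firewall never drops the packet; the reply simply leaves MGT toward the wrong gateway.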

Thanks BatD

That's something I haven't had a look at yet - I will get into the nitty gritty and see where the routing thinks this is going to be sent out. Using this in AWS currently and had to add some static routes previously, so that would make sense.

Thanks

Stephen
