11-11-2019 05:53 AM
Hi,
Does anyone know a way to get access to the PAN-OS web management interface over a GlobalProtect VPN? We are using three interfaces on our firewall:
1 - Management Interface
2 - Trust
3 - Untrust
GlobalProtect is set up on the trust - and I have a rule in the Security Policy to allow access from my device to anything - however I can't get to the interface - should this be something that should just work? I can't see any logging saying anything is denied after I have made a change?
Set up management access also on the trust interface for testing and I still get the same results.
Is it not meant to be managed this way?
Thanks
Stephen
11-11-2019 06:13 AM
@HyderB Once a GP user has authenticated and is given an IP address, then he becomes like any other network user. It is just a matter routing of security policies.
This may not be your case, but something that often goes wrong is people not realising that the routing of the data plane interfaces (in your case trust and untrust) and the control plane management interface are independent of each other. Your users need to be routed correctly to your mgmt interface (if this is where you are connected to) and your mgmt interface needs to have correct routing back to the subnet of your users.
11-12-2019 03:07 AM
Thanks BatD
That's something I haven't had a look at yet - I will get into the nitty gritty and see where the routing thinks this is going to be sent out. Using this in AWS currently and had to add some static routes previously so would make sense.
Thanks
Stephen
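
The routing point raised in the reply above (forward and return paths are decided by separate tables), as an added example that is not part of the original thread. It traces both directions hop by hop over a toy topology; every node name, address and route below is a constructed assumption, not taken from the poster's firewall or from PAN-OS.

```python
import ipaddress

def next_hop(table, dst):
    """Longest-prefix match over (prefix, hop) pairs; None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in table
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def trace(tables, start, dst, max_hops=8):
    """Follow routes node by node; returns (path, outcome)."""
    path, node = [start], start
    for _ in range(max_hops):
        hop = next_hop(tables[node], dst)
        if hop is None:
            return path, "no route"
        if hop == "deliver":          # destination is on-link for this node
            return path, "delivered"
        path.append(hop)
        node = hop
    return path, "loop"

def sample_tables():
    """Constructed topology: GP pool 10.99.0.0/24, management subnet 10.0.0.0/24."""
    return {
        # Data plane: terminates the VPN tunnel and knows the management subnet.
        "fw-dataplane": [("10.99.0.0/24", "deliver"), ("10.0.0.0/24", "subnet-router")],
        # Management plane: its own table, with only a default gateway.
        "fw-mgmt": [("10.0.0.0/24", "deliver"), ("0.0.0.0/0", "subnet-router")],
        # Upstream router (hypothetical): has never heard of the GP pool.
        "subnet-router": [("10.0.0.0/24", "deliver")],
    }

def add_return_route(tables):
    """Static route for the GP pool pointing back at the data plane."""
    tables["subnet-router"].append(("10.99.0.0/24", "fw-dataplane"))
    return tables

if __name__ == "__main__":
    client, mgmt = "10.99.0.25", "10.0.0.10"   # constructed addresses
    t = sample_tables()
    print("forward:", trace(t, "fw-dataplane", mgmt))
    print("return :", trace(t, "fw-mgmt", client))
    print("return after static route:", trace(add_return_route(t), "fw-mgmt", client))
```

In this model the forward path succeeds and nothing is denied by policy, yet the session never completes because the reply from the management side has no route back to the client pool.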