02-22-2021 06:15 PM
We have deployed a PA-VM into AWS running 10.0.4 and are currently trying to configure Global Protect to secure our developer connections to our AWS environment. We have a Global Protect Gateway deployed and are able to establish a VPN connection. The issue we have is with the IP Pool assignment.
Each IP in the pool which is distributed to a GP Client needs to be added to the private interface as a secondary IP address, whilst this is fine for one or two connections, there is a limit in AWS of 10 secondary IP addresses, when we exceed 10 clients connecting the traffic from, for example a web server, cannot route back to the appliance correctly to be returned to the GP Client.
I have reviewed numerous documents around the configuration and setup of PA-VM in AWS and none of the Global Protect documentation seems to address cloud deployments, it all references on-premise. There are detailed steps on GP in AWS which properly addresses this problem.
Is there any best practice or previous solutions for deploying Global Protect in AWS on how to handle this IP Pool routing issues and AWS private IP limitation?
02-24-2021 06:37 PM - edited 02-24-2021 06:47 PM
Thank you for your response.
'Better way is to create route for the GP pool to point back to the FW.'
This option does not work, in AWS you cannot create routes which are more specific than the local default and the default route is the VPC size so a /16. As such you cannot route to the interface.
I have asked my client to check with their PA SEs. I am closing this thread now.
02-23-2021 12:17 AM
"Each IP in the pool which is distributed to a GP Client needs to be added to the private interface as a secondary IP address,"
Wait what? Apologies I haven't seen PAN FW in AWS, so I could be wrong, but this sound insanly wrong...
It sound you are appling some kind of workaround for simple routing issue. When you assing IP pool to GP, each user will be allocated an IP address from it. So when GP user wants to reach anything behind the FW - the network behind it needs to know how to route back to the IP range used for the GP (to route the return traffic). Putting the IP address as secondary IP on the firewall will force the firewall to responde to traffic destine to that IP, but this is not the proper way to do it. Better way is to create route for the GP pool to point back to the FW. I haven't work with AWS, so I am not sure how exactly you can do that, but this is basic routing, so it doesn't make much difference between AWS and on-prem.
02-24-2021 06:37 PM - edited 02-24-2021 06:47 PM
Thank you for your response.
'Better way is to create route for the GP pool to point back to the FW.'
This option does not work, in AWS you cannot create routes which are more specific than the local default and the default route is the VPC size so a /16. As such you cannot route to the interface.
I have asked my client to check with their PA SEs. I am closing this thread now.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
