loopback for globalprotect VPN

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

loopback for globalprotect VPN

L4 Transporter

What is the advantage of using a loopback interface for a global protect VPN?

6 REPLIES 6

Cyber Elite
Cyber Elite

Hi @jdprovine

-It allows you to pick a different IP than the one that's attached to the physical interface (no need to fuss with subnetting etc)

-It also provides a layer of protection, since you're able to create a security policy for <untrust to untrust, destination IP of the loopback>, that will actually protect against a few potential exploits (some zero-day web-targetted exploits could theoretically go unblocked by a threat prevention profile if the GP gateway is on the physical interface as it could hit before the profile is triggered)

-it provides more clarity in 'topology', as the GP is running on it's own interface+ip

 

if you really really need it, it could run on

  • a different zone and
  • a different internal IP range and go through NAT

although I would not recommend this, as it makes the deployment far more complex, but there could be a need to do so

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper

I assume it allows you to add more virtual interfaces to one physical interface. I had read something that wa using a physical outside interface for their VPN. I guess thats okay if you only have one VPN and can spare a whole interface. 

Thanks reaper you helped me decide that for me created the new VPN on a loopback make more sense than assigning a whole interface to the outside to it

On a GP Gateway box, using a loopback interface with a private IP address also let's you share a single public IP and just forward ports through as needed.

 

We have this setup on one of our GP Gateway firewalls as there are 3 separate Gateways configured.  They all share the same public IP, but have separate private IPs on loopback interfaces.  There are NAT Policies in place to forward specific destination ports to each of the private IPs (using the standard GP port).

 

Then, in the GP Portal, we have it configured to send different users to different gateways, and have the port listed in the config there.

L1 Bithead

 can someone provide a real KB link to configure GP with loopback interface?

LMGTFY: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKPCA0

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Cyber Elite
Cyber Elite

Although you can use loopback for GlobalProtect I suggest not to.

If you have multiple ISPs and need to DNAT different WAN IPs to single GlobalProtect portal/gateway IP then use DMZ interface.

 

Limitation of loopback interface is that you can't apply QoS to it.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
  • 5016 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!