05-15-2018 01:42 PM
Hi @jdprovine
-It allows you to pick a different IP than the one that's attached to the physical interface (no need to fuss with subnetting, etc.)
-It also provides a layer of protection, since you're able to create a security policy for <untrust to untrust, destination IP of the loopback>, that will actually protect against a few potential exploits (some zero-day web-targeted exploits could theoretically go unblocked by a threat prevention profile if the GP gateway is on the physical interface, as it could hit before the profile is triggered)
-It provides more clarity in 'topology', as the GP is running on its own interface+IP
if you really really need it, it could run on
although I would not recommend this, as it makes the deployment far more complex, but there could be a need to do so
05-16-2018 06:17 AM
I assume it allows you to add more virtual interfaces to one physical interface. I had read something that was using a physical outside interface for their VPN. I guess that's okay if you only have one VPN and can spare a whole interface.
Thanks reaper, you helped me decide that, for me, creating the new VPN on a loopback makes more sense than assigning a whole outside interface to it.
05-23-2018 01:16 PM
On a GP Gateway box, using a loopback interface with a private IP address also lets you share a single public IP and just forward ports through as needed.
We have this setup on one of our GP Gateway firewalls as there are 3 separate Gateways configured. They all share the same public IP, but have separate private IPs on loopback interfaces. There are NAT Policies in place to forward specific destination ports to each of the private IPs (using the standard GP port).
Then, in the GP Portal, we have it configured to send different users to different gateways, and have the port listed in the config there.
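The shared-public-IP layout in the post above (one public IP, several gateways on private loopback IPs, per-port DNAT, and a portal that sends each user group to its gateway host:port), as an added example that is not part of the original post and not a Palo Alto tool: a small Python plan checker that derives the NAT and security rule tuples the design needs and flags the mistakes that quietly break it (a public port forwarded twice, a portal entry advertising a port nothing forwards, a gateway no group is ever sent to). All names, zones, IPs and ports are assumptions (RFC 5737 and RFC 1918 space). It encodes the PAN-OS convention that security policy is matched on the pre-NAT destination address and port but the post-NAT zone, so with DNAT in front of a gateway the security rule's destination is the public IP and public port, not the loopback IP.

```python
"""Plan checker for GlobalProtect gateways on loopback units behind one
shared public IP with per-port DNAT. Added illustration; not a Palo Alto
tool and not the poster's configuration. All values are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface
from typing import Dict, List


@dataclass(frozen=True)
class Gateway:
    name: str
    loopback: str            # private IP on its own loopback unit, must be a /32
    public_port: int         # TCP port clients hit on the shared public IP
    listen_port: int = 443   # standard GP port the gateway itself listens on


@dataclass
class Plan:
    public_ip: str                  # one public IP shared by every gateway
    untrust_zone: str               # zone of the WAN interface (pre-NAT side)
    gateways: List[Gateway]
    loopback_zone: str = ""         # zone of the loopback units; "" = same as untrust
    portal: Dict[str, str] = field(default_factory=dict)  # user group -> "host:port"

    def lb_zone(self) -> str:
        return self.loopback_zone or self.untrust_zone


def nat_rules(plan: Plan) -> List[dict]:
    """One DNAT rule per gateway: public_ip:public_port -> loopback_ip:listen_port.
    NAT rules match on pre-NAT zones, so both zones are the untrust zone."""
    return [{
        "name": f"dnat-{gw.name}",
        "from": plan.untrust_zone, "to": plan.untrust_zone,
        "dst": plan.public_ip, "dst_port": gw.public_port,
        "translated_addr": str(ip_interface(gw.loopback).ip),
        "translated_port": gw.listen_port,
    } for gw in plan.gateways]


def security_rules(plan: Plan) -> List[dict]:
    """One security rule per gateway. Security policy is matched on the
    pre-NAT address and port but the post-NAT zone: destination is the
    public IP and public port, 'to' is the zone the loopback lives in."""
    return [{
        "name": f"allow-{gw.name}",
        "from": plan.untrust_zone, "to": plan.lb_zone(),
        "dst": plan.public_ip, "dst_port": gw.public_port,
        "action": "allow",
    } for gw in plan.gateways]


def check_plan(plan: Plan) -> List[str]:
    """Return findings; an empty list means the plan is internally consistent."""
    problems: List[str] = []
    ip_address(plan.public_ip)  # raises on a malformed public IP
    lb_owner: Dict[str, str] = {}
    port_owner: Dict[int, str] = {}
    for gw in plan.gateways:
        iface = ip_interface(gw.loopback)
        if iface.network.prefixlen != iface.max_prefixlen:
            problems.append(f"{gw.name}: loopback {gw.loopback} must be a host (/32) address")
        if not iface.ip.is_private:
            problems.append(f"{gw.name}: loopback {iface.ip} is not private; the public IP is shared via NAT")
        lb = str(iface.ip)
        if lb in lb_owner:
            problems.append(f"{gw.name}: loopback {lb} already used by {lb_owner[lb]}")
        lb_owner.setdefault(lb, gw.name)
        if gw.public_port in port_owner:
            problems.append(f"{gw.name}: public port {gw.public_port} already forwarded to {port_owner[gw.public_port]}")
        port_owner.setdefault(gw.public_port, gw.name)

    # Every portal entry must point at the shared public IP and a forwarded port.
    advertised: Dict[str, List[str]] = {}
    for group, target in plan.portal.items():
        host, _, port_text = target.rpartition(":")
        port = int(port_text) if port_text.isdigit() else -1
        if host != plan.public_ip:
            problems.append(f"portal entry for {group} advertises {host!r}, not the shared public IP")
        if port not in port_owner:
            problems.append(f"portal entry for {group} advertises port {port_text}, which no NAT rule forwards")
        else:
            advertised.setdefault(port_owner[port], []).append(group)
    for gw in plan.gateways:
        if gw.name not in advertised:
            problems.append(f"{gw.name}: no portal entry sends any user group to it")
    return problems


# Constructed sample plans (assumed names, IPs and ports).
GOOD = Plan(
    public_ip="203.0.113.10", untrust_zone="untrust",
    gateways=[Gateway("gw-staff", "10.255.0.1/32", 4443),
              Gateway("gw-contractors", "10.255.0.2/32", 4444),
              Gateway("gw-admins", "10.255.0.3/32", 4445)],
    portal={"staff": "203.0.113.10:4443",
            "contractors": "203.0.113.10:4444",
            "admins": "203.0.113.10:4445"},
)
# Same layout with two mistakes: a reused public port, and a portal entry
# advertising a port that nothing forwards.
BAD = Plan(
    public_ip="203.0.113.10", untrust_zone="untrust",
    gateways=[Gateway("gw-staff", "10.255.0.1/32", 4443),
              Gateway("gw-contractors", "10.255.0.2/32", 4443),
              Gateway("gw-admins", "10.255.0.3/32", 4445)],
    portal={"staff": "203.0.113.10:4443",
            "contractors": "203.0.113.10:4444",
            "admins": "203.0.113.10:4445"},
)

if __name__ == "__main__":
    for plan in (GOOD, BAD):
        print(f"{plan.public_ip}: {check_plan(plan) or ['ok']}")
```

Running it prints no findings for the first plan and three for the second: the reused port, the portal entry for contractors pointing at an unforwarded port, and gw-contractors left with no users routed to it. The rule tuples from nat_rules and security_rules are what you would then transcribe into the NAT and security rulebases.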
05-28-2024 02:48 PM
can someone provide a real KB link to configure GP with loopback interface?
05-29-2024 02:02 AM
LMGTFY: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKPCA0
05-29-2024 07:18 AM
Although you can use loopback for GlobalProtect I suggest not to.
If you have multiple ISPs and need to DNAT different WAN IPs to single GlobalProtect portal/gateway IP then use DMZ interface.
Limitation of loopback interface is that you can't apply QoS to it.