PA-200 with DHCP assigned Internet IP and GlobalProtect using self signed certs


Hello everyone, I am trying to find a how-to or config guide on how to configure a PA-200 that has 2 interfaces configured, eth1/1 and eth1/2, running PAN-OS v5.0.8. I downloaded and activated the 1.2.7 GP client on the PA-200.

eth1/1 is in the untrust zone and set up with an IP using DHCP from the ISP.

eth1/2 is in the trust zone and set up with 192.168.1.1/24.

I would like to set up GP on this device with self-signed certs for the CA root and the cert to use for GP. The eth1/1 interface (internet) is set up with DDNS, so the FQDN is resolvable to the DHCP-assigned IP from outside.

I tried to follow the typical "how to setup gp" docs from the PA KB site, checked out some videos on the PA support site, and saw some other docs about GP and dual ISP etc., but I can't find a comprehensive doc that explains what I am trying to do. Any help would be appreciated. Thank you,

6 REPLIES

L6 Presenter

Just configure the GlobalProtect Gateway; that would be easier. Let me know if you need any help with that.

L6 Presenter

There is no issue with a DHCP address on the WAN interface - GP is supported with that ...

You can use a self-signed cert in the Gateway/Portal; make sure you keep the CN name as the FQDN.

The GP configuration is like a wizard; if you miss any detail, the commit will fail with an error.

So just configure the GP-Gateway without the GP-Portal?

L5 Sessionator

Hi,

For me, there is no issue with a GP config based on Portal + gateway on an L3 interface in DHCP client mode.

Please follow the "Quick start Guide Global Protect V2".

Hope this helps.

Regards

L4 Transporter

Hello,

This setup should be no different from a regular GP gateway and Portal configuration, even with the gateway L3 interface in DHCP mode. What issue do you see when you configure this?

Refer:

https://live.paloaltonetworks.com/docs/DOC-2904

https://live.paloaltonetworks.com/docs/DOC-2020

Thanks,

Aditi

VinceM, I cannot find this Quick start Guide Global Protect V2 on the PA Support site. I found one, but it's in Japanese.

apasupulati, I read this document https://live.paloaltonetworks.com/docs/DOC-2904 and it's got some good info, yet not complete info. I also read https://live.paloaltonetworks.com/docs/DOC-2020 and it's also a good doc, but most of its screenshots are for 4.x and the document is still missing complete instructions.

The issue I have is that I have followed all these documents and, to my knowledge, configured everything the way it should be, yet when I try to access the external IP of my firewall I don't get the portal page, and port 443 on the external interface is not responding to any port checks.

I see documents that say you have to enable an https mgmt profile on the external interface. I also see docs that say you need routing to be configured between the tunnel.1 interface and trust. I also see docs about giving the tunnel.1 doc an IP address, and there are different docs about a server cert or a server cert with a CA on the PA box. So my problem is that there are documents all over the place, each with different info from the others. I am just trying to find out if there is a single doc or something that walks you through from head to tail on configuring GP on a small scale for user VPN access only. On top of all that, a how-to on split tunnel VPN would be a good help. Thank you
