Palo Alto global Protect setup issue

L1 Bithead

Hi All,

I'm currently trying to set up an SSL VPN using the GlobalProtect client on a Palo Alto FW.

I have:-

- issued a self-signed root CA and CA to the Palo

- set up VPN tunnel

- created VPN zone

- set up an authentication profile using RADIUS and directed it to our NPS server, which currently has a policy to allow access to an AD group "VPN Users", which I am the only member of.

- set up portal access

- created a virtual gateway

- applied policy to allow users contacting the Palo from the outside to connect to the portal

- I have also set up policy to allow VPN users to access certain routes.

I am not able to access the portal. I type https://gateway-address and it sends me to the IIS7 page.

I'm not too sure where I've gone wrong or how to locate any errors etc. to resolve this issue.

Any advice will be much appreciated.

Thanks


Accepted Solutions
L4 Transporter

Do you mean you are setting up GlobalProtect on a Palo Alto firewall, and when you try to access the page https://<ip-address-of-portal> you get an IIS7 page?

The firewall will not return an IIS7 page. Maybe you have port forwarding configured which is forwarding your connection to a Windows Server.

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-GlobalProtect/ta-p/5835...

Please make sure that your connection is terminating on the firewall.

You can check your session on the CLI:

show session all filter source <ip of your client>  (use public IP if accessing from outside)

See if there is any NAT happening here.

View solution in original post
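A client-side complement to the check in the accepted answer, added here as an example and not part of the original thread: it compares the certificate presented on port 443 with the SHA-256 fingerprint of the certificate installed on the firewall and looks for IIS markers in the reply. The function names, the command-line arguments and the sample response are assumptions constructed for illustration.

```python
import hashlib
import socket
import ssl
import sys

# Constructed sample: the kind of reply an IIS 7.5 default site sends.
SAMPLE_IIS = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              b"Server: Microsoft-IIS/7.5\r\nX-Powered-By: ASP.NET\r\n\r\n"
              b"<html><head><title>IIS7</title></head><body></body></html>")

def iis_indicators(raw: bytes) -> list:
    """Return the reasons a raw HTTP response looks like it came from IIS."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    found = []
    if headers.get(b"server", b"").lower().startswith(b"microsoft-iis"):
        found.append("Server header: " + headers[b"server"].decode("latin-1"))
    if b"asp.net" in headers.get(b"x-powered-by", b"").lower():
        found.append("X-Powered-By: ASP.NET")
    if b"<title>iis7</title>" in body.lower():
        found.append("IIS7 default page title")
    return found

def cert_matches(presented_der: bytes, expected_sha256: str) -> bool:
    """Compare the presented leaf certificate with the one installed on the firewall."""
    want = expected_sha256.replace(":", "").lower()
    return hashlib.sha256(presented_der).hexdigest() == want

def probe(host: str, port: int = 443, timeout: float = 5.0):
    """Fetch the leaf certificate (DER) and the raw reply to GET / from host:port."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # self-signed portal cert: identity is checked
    ctx.verify_mode = ssl.CERT_NONE   # by fingerprint below, not by chain validation
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            tls.sendall(b"GET / HTTP/1.1\r\nHost: " + host.encode()
                        + b"\r\nConnection: close\r\n\r\n")
            chunks = []
            while (data := tls.recv(4096)):
                chunks.append(data)
    return der, b"".join(chunks)

if __name__ == "__main__":   # usage: script.py <portal address> <expected sha256>
    der, raw = probe(sys.argv[1])
    print("certificate matches firewall:", cert_matches(der, sys.argv[2]))
    print("IIS indicators:", iis_indicators(raw) or "none")
```

A fingerprint mismatch together with IIS markers means the TLS session is ending on another host, which is when the session and NAT checks on the firewall become the next step.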


All Replies
L4 Transporter

I suspect there is some Destination NAT causing this.

Please check the session details either from the Traffic logs or via 'show session all filter source <User's public IP> destination <Portal's public IP>'


Regards,

Anurag

================================================================
ACE 7.0, 8.0, PCNSE 7
L1 Bithead

Turns out the SSL CA we were using was redirecting us to another server.
