Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Palo Alto global Protect setup issue

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Palo Alto global Protect setup issue

L1 Bithead

Hi All,

I'm currently trying to set up an SSL VPN using the global protect client on a Palo Alto FW.

I have:-

- issue a self signed root CA and CA to the palo

- set up VPN tunnel

- created VPN zone

- setup an authentication profile using RADIUS and directed it to our NPS server which currently policy to allow access to an AD group "VPN Users"which i am the only member of.

- setup portal access

- created a virtual gateway

- applied policy to allow users contacting the palo from the outside to connect to the portal

- I have also setup policy to allow VPN users to access certain routes.

I am not able to access the portal, I type https://gateway-address and it sends me to the IIS7 page.

I'm not to sure where I've gone wrong or how to locate any errors etc to resolve this issue.

any advise will be much appreciated.

Thanks

1 accepted solution

Accepted Solutions

L4 Transporter

Do you mean you are setting up GlobalProtect on Palo Alto Firewall, and when you try to access the page: https://<ip-address-of-portal> you get a IIS7 Page?

 

Firewall will not return a IIS7 page. Maybe you have a port forwarding configured which is forwarding your connection to a Windows Server.

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-GlobalProtect/ta-p/5835...

 

Please make sure that your connection is terminating on the firewall.

 

You can check your session on CLI:

 

show session all filter source <ip of your client>  (use public IP if accessing from outside)

 

See if there is any NAT happening here.

View solution in original post

3 REPLIES 3

L4 Transporter

Do you mean you are setting up GlobalProtect on Palo Alto Firewall, and when you try to access the page: https://<ip-address-of-portal> you get a IIS7 Page?

 

Firewall will not return a IIS7 page. Maybe you have a port forwarding configured which is forwarding your connection to a Windows Server.

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-GlobalProtect/ta-p/5835...

 

Please make sure that your connection is terminating on the firewall.

 

You can check your session on CLI:

 

show session all filter source <ip of your client>  (use public IP if accessing from outside)

 

See if there is any NAT happening here.

L4 Transporter

I suspect there is some Destination NAT is causing this.

 

Please check the session details either from the Traffic logs or via 'show session all filter source <User's public IP> destination <Portal's public IP>

 

Regards,

Anurag

================================================================
ACE 7.0, 8.0, PCNSE 7

L1 Bithead

Turns out the SSL CA we were using was redirecting us to another server.

  • 1 accepted solution
  • 3554 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!