Question about Global Protect and ip pools

L4 Transporter

Hi

 

Can anyone explain the difference between the IP pools

a) Global protect / gateways  ... external gateway / agent / Client ip pool

vs

b) Global protect / gateways  ... external gateway / agent / client setting / ip pool

 

so for

a) I can't reference an object .. that's annoying

b) I get the pool is just for that setup, I do like having 1 pool of the gateway.

Currently I have an object defined which is a range which is attached to b), but I am thinking of moving to a) so that I can have different configs but just 1 IP pool

What's the use case for these different setups?


Accepted Solutions
Cyber Elite

Hi @Alex_Samad 

 

There are two options so that you can either specify a general IP pool for the GP gateway or specific IP pools for example for different OS, user(groups) and/or source IPs/regions.

As long as a general IP pool is configured the IP pool option in the client setting is greyed out.

@MickBall what version are you running? According to the documentation it is already possible as described by @Alex_Samad since PAN-OS 8.0. Right now I had only a PAN-OS 9.0 firewall in my homelab.



All Replies
L7 Applicator

@Alex_Samad, Hi.

 

I can reference a) Global protect / gateways  ... external gateway / agent / Client ip pool

 

/Network/GlobalProtect/Gateways/Agent/Client settings/Configs/IP pools

 

But I cannot find b) Global protect / gateways  ... external gateway / agent / client setting / ip pool

 

 

 

 

L4 Transporter

click network on top tab

global / protect 

  gateways

 

<select an external gateway>

 

Select agent on the left

 

across the top you should have 

Client IP Pool  <<< This is A

Client setting 

 

 

Select client setting

you have a table of configs

<select a config>

across the top is ip pools << This is B

 

 

 

L7 Applicator

@Alex_Samad, I can't find "A"

What version are you running?

 


 

 


L4 Transporter

Hi

 

@MickBall sorry I didn't originally see the SS, wasn't using the web interface.

I'm on 8.1.5

@vsys_remo so which is the preferred?

 

I do like at the gateway level not the config level

 

Cyber Elite


@Alex_Samad wrote:

@vsys_remo so which is the preferred?


I don't know. I personally prefer the general IP pool as I have multiple gateways for different use cases - so I don't need specific client settings based on the possible attributes.

L7 Applicator

yes can see it now, lab was 8.08...  

 

L2 Linker

Is there a limit on how many GP IP Pools we can configure on PA-5250s on PAN-OS 9.0? I am looking for 50 IP Pool subnets. Is that possible?
