Split tunnel greyed out

Reply
Highlighted
L4 Transporter

Split tunnel greyed out

Hello,

 

We are using PANOS 8.1.7 and GP 4.1.8.

 

We have multi Vsys and one of our VSYS administrator account cannot access GP protect agent split tunnel setup.

 

It is greyed out.


Is this an account limit or something wrong?

 

Screenshot.jpg


Accepted Solutions
Highlighted
L4 Transporter

Re: Split tunnel greyed out

Hi @vsys_remo 

 

PA TAC assisted us to confirm that this is an expected behaviour.

 

++ As superuser admin, configured global protect portal and gateway.
++ Also created another vsysadmin.
++ Logged in as the vsysadmin, and was unable to modify Gateway config, specifically anything related to network was grayed out.
++ According to documents:
vsysadmin—Has access to specific virtual systems on the firewall to create and manage specific aspects of virtual systems.
A vsysadmin doesn’t have access to network interfaces, VLANs, virtual wires, virtual routers, IPSec tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles.
Person with vsysadmin permission can commit configurations for only the virtual systems assigned to them.
++ As such, any GP config related to above will just be read-only for the vsys admin. This is expected behavior.
++ Reference: https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/virtual-systems/virtual-systems-overview/a...

 

 

View solution in original post


All Replies
Highlighted
Cyber Elite

Re: Split tunnel greyed out

Hi @FarzanaMustafa 

 

Is "Tunnel Mode" enabled on this GP Gateways Agent settings tab?

Highlighted
L4 Transporter

Re: Split tunnel greyed out

Hi @vsys_remo 

 

YES.

Highlighted
Cyber Elite

Re: Split tunnel greyed out

Hmn ... does your vsys administrator have the permission to change this? Do you have other administrators with thw same permission where this is possible to change?

Highlighted
L4 Transporter

Re: Split tunnel greyed out

Hi @vsys_remo 

 

PA TAC assisted us to confirm that this is an expected behaviour.

 

++ As superuser admin, configured global protect portal and gateway.
++ Also created another vsysadmin.
++ Logged in as the vsysadmin, and was unable to modify Gateway config, specifically anything related to network was grayed out.
++ According to documents:
vsysadmin—Has access to specific virtual systems on the firewall to create and manage specific aspects of virtual systems.
A vsysadmin doesn’t have access to network interfaces, VLANs, virtual wires, virtual routers, IPSec tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles.
Person with vsysadmin permission can commit configurations for only the virtual systems assigned to them.
++ As such, any GP config related to above will just be read-only for the vsys admin. This is expected behavior.
++ Reference: https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/virtual-systems/virtual-systems-overview/a...

 

 

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!