Unable to reach GP Portal while on internal network

L3 Networker


Hi All,

 

I was working with a site that has a PA firewall with a GP Portal and Gateway. Some time ago, I had an issue where my users couldn't upgrade their GlobalProtect version while in the office. I was able to resolve this issue by creating a No NAT rule where the source was internal and the destination was the IP of the portal. That works as expected.

 

I'm now working with another site that has a GP Portal/Gateway on the firewall. I created the same No NAT rule, but these users are still not able to upgrade internally; they are not prompted. They are not even able to hit the web portal. The difference in this site is they are using a dual ISP setup. This is set up using PBF. e1/1 is the primary ISP, so there is the typical PBF rule for external traffic to forward out e1/1. I'm not sure if the issue is related to PBF. Has anyone come across this issue?

L4 Transporter

Hi,

 

Please make sure that the users have an exception in the PBF rule, so they will be led to the public interface with the GP portal.

Otherwise they will be forced to the wrong public interface.

 

Regards

Chacko

L3 Networker

@Chacko42 

 

Not sure I'm clear on what you mean? The GP Portal is the IP of the e1/1 interface. The PBF rule states that if you go from source internal to external, forward to e1/1.

 

I tried creating a no PBF rule for the specific GP IP, but then that made things worse.

L4 Transporter

Is there a security policy allowing ssl and panos-global-protect from your inside zone to the zone/address of the portal?

L3 Networker

I was able to resolve this by excluding the GP portal from the PBF rule and then creating a static route on the VR.
