07-19-2020 01:11 AM
We have separate GP portal and GP gateway interfaces.
On the untrust interface we have created a GlobalProtect gateway and allowed ping on the interface, but when we type the untrust interface IP address into our browser, e.g. https://112.20.20.1, we get the above message: 502 Bad Gateway.
Question: we have only allowed ping on the GP gateway interface, so why is the HTTP or HTTPS port open here?
Is that normal?
07-19-2020 03:49 PM
Hi @bit_byte
Did you check the Monitor tab to see if this connection appears in your logs?
In addition, what PAN-OS version do you have installed?
07-19-2020 07:56 PM
As the GP gateway interface and your interface connected to the ISP belong to the same untrust zone, that is the reason you are able to access GP on port 443.
It is intrazone traffic, which is allowed by default.
Please check your traffic logs as the next step, as mentioned by Remo.
Regards
07-19-2020 10:47 PM
GP gateway zone: VPN_zone
Outside interface: Untrust_zone
Both are different zones.
Yes, traffic is hitting intrazone:
249916 ssl DISCARD FLOW *ND 84.210.70.110[54375]/Untrust/6 (84.210.70.110
92[54375])
vsys1 112.20.20.1 [443]/Untrust (112.20.20.1 [2
0077])
124853 ssl DISCARD FLOW *ND 84.210.70.110[54379]/Untrust/6 (84.210.70.110
92[54379])
vsys1 112.20.20.1 [443]/Untrust (112.20.20.1 [2
OS version: 9.0.8
On the untrust interface we have applied a management profile and only allowed ping, but why is it listening for HTTP or HTTPS traffic?
Thanks for your reply.
07-19-2020 11:34 PM
That's why I don't like these default firewall rules... I always overwrite them with a dedicated deny-all rule which I configure above these default rules.
@bit_byte GlobalProtect portal/gateway access cannot be enabled/allowed by a management profile. As the name implies, this management profile is mainly for management services. So if you enable HTTPS in a management profile, you would enable the firewall management interface and not something related to GlobalProtect. GlobalProtect access needs to be configured in the security policy.
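As an added example (not from this thread or from Palo Alto Networks), the Python model below reproduces the policy logic behind the two replies above: rules are matched top-down, and a flow that matches nothing falls through to intrazone-default (allow) or interzone-default (deny), so traffic from the Untrust zone to a gateway interface in the same zone is allowed unless an explicit deny sits above the defaults. Interface-management profiles are left out deliberately, since they govern management services like ping and the admin web UI rather than the GlobalProtect listener on tcp/443. The zone names, interface names and rule names are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed zone assignment for this example; the gateway IP sits on the
# Untrust interface, as the poster's log (dst .../Untrust) suggests.
INTERFACE_ZONE = {"ethernet1/1": "Untrust", "tunnel.1": "VPN_zone"}

@dataclass
class Rule:
    name: str
    from_zone: str                 # zone name or "any"
    to_zone: str                   # zone name or "any"
    dport: Optional[int]           # None means any destination port
    action: str                    # "allow" or "deny"
    rule_type: str = "universal"   # "universal", "intrazone" or "interzone"

    def matches(self, src_zone: str, dst_zone: str, dport: int) -> bool:
        same_zone = src_zone == dst_zone
        return (self.from_zone in ("any", src_zone)
                and self.to_zone in ("any", dst_zone)
                and (self.dport is None or self.dport == dport)
                and (self.rule_type != "intrazone" or same_zone)
                and (self.rule_type != "interzone" or not same_zone))

def evaluate(rules: List[Rule], src_zone: str, dst_zone: str,
             dport: int) -> Tuple[str, str]:
    """Return (rule name, action), the pair a traffic-log entry would show."""
    for rule in rules:                 # top-down, first match wins
        if rule.matches(src_zone, dst_zone, dport):
            return rule.name, rule.action
    if src_zone == dst_zone:           # built-in defaults are evaluated last
        return "intrazone-default", "allow"
    return "interzone-default", "deny"

# Scenario 1: no explicit rules and the gateway on the Untrust interface:
# the flow is allowed purely by intrazone-default, as the poster observed.
def scenario_defaults_only() -> Tuple[str, str]:
    return evaluate([], "Untrust", INTERFACE_ZONE["ethernet1/1"], 443)

# Scenario 2: an explicit deny-all placed above the defaults, as the reply
# recommends, with one narrow allow for the gateway in front of it.
HARDENED = [
    Rule("allow-gp-gateway", "Untrust", "Untrust", 443, "allow"),
    Rule("deny-all-catchall", "any", "any", None, "deny"),
]

def scenario_hardened(dport: int) -> Tuple[str, str]:
    return evaluate(HARDENED, "Untrust", INTERFACE_ZONE["ethernet1/1"], dport)
```

With the hardened rulebase, tcp/443 to the gateway still matches the narrow allow, while anything else (for example tcp/80) is caught by the deny-all before intrazone-default can permit it.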