Untrust interface we have created Global protect gateway

L2 Linker


we have separated GP portal and GP gateway interface.

On the untrust interface we have created a GlobalProtect gateway and we allowed ping on the interface, but when we type the untrust interface IP address in our browser, e.g. https://112.20.20.1, we get the above message: 502 Bad Gateway.

Question: we have only allowed ping on the GP gateway interface ... why is the HTTP or HTTPS port open here?

Is that normal?

Accepted Solutions
Cyber Elite

That's why I don't like these default firewall rules ... I always overwrite them with a dedicated deny-all rule which I configure above these default rules.

@bit_byte GlobalProtect portal/gateway access cannot be enabled/allowed by a management profile. As the name implies, this management profile is mainly for management services. So if you enable HTTPS in a management profile you would enable the firewall management interface, not something related to GlobalProtect. GlobalProtect access needs to be configured in the security policy.


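The accepted answer's two points (the predefined intrazone-default rule lets same-zone traffic reach the gateway on 443, and a dedicated deny placed above the predefined rules closes it) can be checked against a small model of first-match policy evaluation. This is an added example, not code from the thread or from Palo Alto Networks; the zone names Untrust and VPN_zone and the rule names are assumptions, and the model ignores applications, addresses and the order of real PAN-OS tie-breaks.

```python
# Added example (not from the thread): minimal model of PAN-OS first-match
# security policy evaluation. Zone and rule names are assumptions.
from dataclasses import dataclass, field

ANY = "any"

@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    action: str                                  # "allow" or "deny"
    services: set = field(default_factory=lambda: {ANY})  # e.g. {"tcp/443"}

# PAN-OS appends these after every admin-defined rule: same-zone traffic is
# allowed and cross-zone traffic denied, unless an earlier rule matched first.
PREDEFINED = [
    Rule("intrazone-default", ANY, ANY, "allow"),
    Rule("interzone-default", ANY, ANY, "deny"),
]

def matches(rule, src_zone, dst_zone, service):
    # The predefined rules apply only to same-zone / cross-zone traffic respectively.
    if rule.name == "intrazone-default" and src_zone != dst_zone:
        return False
    if rule.name == "interzone-default" and src_zone == dst_zone:
        return False
    zone_ok = rule.from_zone in (ANY, src_zone) and rule.to_zone in (ANY, dst_zone)
    svc_ok = ANY in rule.services or service in rule.services
    return zone_ok and svc_ok

def evaluate(rulebase, src_zone, dst_zone, service):
    """Return (rule name, action) of the first matching rule, top to bottom."""
    for rule in list(rulebase) + PREDEFINED:
        if matches(rule, src_zone, dst_zone, service):
            return rule.name, rule.action
    return "no-match", "deny"

# Thread scenario: gateway interface 112.20.20.1 and the ISP-facing interface share
# the Untrust zone with no admin rule, so an internet browser hits intrazone-default.
# The accepted answer's fix: a dedicated deny placed above the predefined rules.
DENY_UNTRUST_INTRAZONE = Rule("deny-untrust-intrazone", "Untrust", "Untrust", "deny")
# With the gateway in its own zone (VPN_zone) nothing gets through until an explicit allow exists.
ALLOW_GP_GATEWAY = Rule("allow-gp-gateway", "Untrust", "VPN_zone", "allow", {"tcp/443"})

if __name__ == "__main__":
    print(evaluate([], "Untrust", "Untrust", "tcp/443"))                        # intrazone-default, allow
    print(evaluate([DENY_UNTRUST_INTRAZONE], "Untrust", "Untrust", "tcp/443"))  # deny
    print(evaluate([], "Untrust", "VPN_zone", "tcp/443"))                       # interzone-default, deny
    print(evaluate([ALLOW_GP_GATEWAY], "Untrust", "VPN_zone", "tcp/443"))       # allow
```

Any explicit allow that the gateway genuinely needs must sit above the deny, since the first matching rule wins.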

All Replies
Cyber Elite

Hi @bit_byte

Did you check the monitor tab to see if this connection appears in your logs?

In addition, what PAN-OS version do you have installed?

Cyber Elite

@bit_byte

As the GP gateway interface and your interface connected to the ISP belong to the same untrust zone, that's the reason you are able to access the GP on port 443.

It is intrazone traffic, which is allowed by default.

Please check your Traffic logs as the next step, as mentioned by Remo.


Regards

MP
L2 Linker

GP gateway zone: VPN_zone
Outside interface: Untrust_zone

Both are different zones.

Yes, traffic is hitting intrazone.

249916 ssl DISCARD FLOW *ND 84.210.70.110[54375]/Untrust/6 (84.210.70.110
92[54375])
vsys1 112.20.20.1 [443]/Untrust (112.20.20.1 [2
0077])
124853 ssl DISCARD FLOW *ND 84.210.70.110[54379]/Untrust/6 (84.210.70.110
92[54379])
vsys1 112.20.20.1 [443]/Untrust (112.20.20.1 [2


OS version: 9.0.8

On the untrust interface we have applied a management profile and have only allowed ping, but why is it listening for HTTP or HTTPS traffic?

@vsys_remo

Thanks for your reply.
