Untrust interface we have created Global protect gateway


L2 Linker


We have separated the GP portal and GP gateway interfaces.

On the untrust interface we have created a GlobalProtect gateway and we allowed ping on the interface, but when we type the untrust interface IP address in our browser, e.g. https://112.20.20.1, we are getting the above message: 502 Bad Gateway.

Question: we have only allowed ping on the GP gateway interface... why is the HTTP or HTTPS port open here?

Is that normal?

Accepted Solutions

That's why I don't like these default firewall rules... I always overwrite them with dedicated deny-all rules which I configure above these default rules.


@bit_byte GlobalProtect portal/gateway access cannot be enabled/allowed by a management profile. As the name implies, this management profile is mainly for management services. So if you enable HTTPS in a management profile you would enable the firewall management interface and not something related to GlobalProtect. GlobalProtect access needs to be configured in the security policy.


4 Replies

L7 Applicator

Hi @bit_byte 

Did you check the Monitor tab to see if this connection shows up in your logs?

In addition, what PAN-OS version do you have installed?

Cyber Elite

@bit_byte 


As the GP gateway interface and your interface connected to the ISP belong to the same untrust zone, that's the reason you are able to access GP on port 443.


It is intrazone traffic, which is allowed by default.

Please check your Traffic logs as the next step, as mentioned by Remo.


Regards

MP

Help the community: Like helpful comments and mark solutions.
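The behaviour described in the accepted solution and in MP's reply above, as an added example that is not part of the thread: a small Python model of top-down PAN-OS security policy evaluation, with the predefined intrazone-default (allow) and interzone-default (deny) rules sitting at the bottom of the rulebase, and an interface management profile that is only consulted for the firewall's own management services. The zone names, rule names and the `panos-global-protect` application entry are assumptions chosen to mirror the thread; the gateway IP 112.20.20.1 and client IP 84.210.70.110 are the ones quoted in it. The model goes slightly beyond the thread by also covering bit_byte's follow-up case (gateway in a different zone) and the accepted solution's deny-all rule placed above the defaults.

```python
# Added example (not from the thread): minimal model of how a PAN-OS
# security rulebase decides a flow, top-down, with the two predefined
# default rules at the bottom. Zone/rule names are assumptions.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List


@dataclass
class Flow:
    src_ip: str
    src_zone: str
    dst_ip: str
    dst_zone: str
    app: str        # App-ID, e.g. "ssl", "ping", "panos-global-protect"
    dport: int


@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    from_zones: List[str] = field(default_factory=lambda: ["any"])
    to_zones: List[str] = field(default_factory=lambda: ["any"])
    dst_nets: List[str] = field(default_factory=lambda: ["any"])
    apps: List[str] = field(default_factory=lambda: ["any"])
    rule_type: str = "universal"                  # universal | intrazone | interzone

    def matches(self, f: Flow) -> bool:
        if self.rule_type == "intrazone" and f.src_zone != f.dst_zone:
            return False
        if self.rule_type == "interzone" and f.src_zone == f.dst_zone:
            return False
        if "any" not in self.from_zones and f.src_zone not in self.from_zones:
            return False
        if "any" not in self.to_zones and f.dst_zone not in self.to_zones:
            return False
        if "any" not in self.dst_nets and not any(
                ip_address(f.dst_ip) in ip_network(n) for n in self.dst_nets):
            return False
        if "any" not in self.apps and f.app not in self.apps:
            return False
        return True


# Predefined rules at the bottom of every rulebase: same-zone traffic is
# allowed, cross-zone traffic is denied, unless a rule above says otherwise.
DEFAULT_RULES = [
    Rule("intrazone-default", "allow", rule_type="intrazone"),
    Rule("interzone-default", "deny", rule_type="interzone"),
]


def evaluate(flow: Flow, rules: List[Rule]) -> str:
    """Return 'action (rule-name)' for the first rule that matches, top-down."""
    for rule in list(rules) + DEFAULT_RULES:
        if rule.matches(flow):
            return f"{rule.action} ({rule.name})"
    return "deny (no match)"  # unreachable: the default rules cover every flow


# Interface management profile on the untrust interface (ping only, as in the
# thread). It governs only the firewall's own management services; a GP
# gateway listener is not one of them, so it is never consulted for GP flows.
UNTRUST_MGMT_PROFILE = {"ping"}


def mgmt_service_reachable(service: str) -> bool:
    return service in UNTRUST_MGMT_PROFILE


GATEWAY_IP = "112.20.20.1"    # from the thread
CLIENT_IP = "84.210.70.110"   # from the session output in the thread


def case_same_zone_defaults_only() -> str:
    """MP's explanation: gateway and ISP-facing interface both in Untrust."""
    return evaluate(Flow(CLIENT_IP, "Untrust", GATEWAY_IP, "Untrust", "ssl", 443), [])


def case_different_zone_defaults_only() -> str:
    """bit_byte's follow-up: gateway in VPN_zone, client arriving from Untrust."""
    return evaluate(Flow(CLIENT_IP, "Untrust", GATEWAY_IP, "VPN_zone", "ssl", 443), [])


# Accepted solution: explicit rules, with a deny-all above the defaults so
# nothing silently falls through to intrazone-default.
HARDENED_RULEBASE = [
    Rule("allow-gp-gateway", "allow", from_zones=["Untrust"], to_zones=["Untrust"],
         dst_nets=[f"{GATEWAY_IP}/32"], apps=["ssl", "panos-global-protect"]),
    Rule("deny-all", "deny"),
]


def case_hardened(app: str) -> str:
    return evaluate(Flow(CLIENT_IP, "Untrust", GATEWAY_IP, "Untrust", app, 443),
                    HARDENED_RULEBASE)


if __name__ == "__main__":
    print("defaults, same zone:     ", case_same_zone_defaults_only())
    print("defaults, different zone:", case_different_zone_defaults_only())
    print("hardened, ssl:           ", case_hardened("ssl"))
    print("hardened, web-browsing:  ", case_hardened("web-browsing"))
    print("mgmt profile allows https:", mgmt_service_reachable("https"))
```

With only the default rules, the same-zone flow to the gateway on 443 is allowed by intrazone-default regardless of what the management profile permits, which is exactly the situation MP describes; with the gateway in a separate zone, interzone-default denies it. The hardened rulebase makes the GP exposure explicit and lets the deny-all rule catch everything else before the defaults are reached.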

GP gateway zone: VPN_zone
Outside interface: Untrust_zone

Both are different zones.

Yes, traffic is hitting intrazone.

249916 ssl DISCARD FLOW *ND 84.210.70.110[54375]/Untrust/6 (84.210.70.110
92[54375])
vsys1 112.20.20.1 [443]/Untrust (112.20.20.1 [20077])
124853 ssl DISCARD FLOW *ND 84.210.70.110[54379]/Untrust/6 (84.210.70.110
92[54379])
vsys1 112.20.20.1 [443]/Untrust (112.20.20.1 [2

OS version: 9.0.8


On the untrust interface we have applied a management profile and we have only allowed ping, but why is it listening for HTTP or HTTPS traffic?

@Remo 

Thanks for your reply.


  • 1 accepted solution
  • 4635 Views
  • 4 replies
  • 0 Likes