01-16-2020 03:50 PM
I have just started my journey into the PA world and have spent several days configuring GlobalProtect features.
I successfully configured the portal as an internal point of connection for the GlobalProtect client.
The idea is to provide User-ID information to the firewall without a VPN connection.
As a result, my GP client tells me that "you are connected to internal network", but on the PA device I don't see user<->IP information. User-ID based rules don't work. No information from "show user ip-user-mapping all."
1. Are there any additional steps required to enable User-ID features? I enabled it only at the security zone level.
2. Would it be possible to have one portal but two gateways (ext, int) for internal (User-ID provisioning only) and external (SSL VPN) deployments? Or are two portals, external / internal, required?
Thanks in advance!
01-16-2020 04:30 PM
Do you mean the interface where the portal is hosted?
Thanks for the reply!
01-16-2020 05:14 PM
That's correct. Say, for example, you're using the interface ethernet1/2 for the internal gateway and you have that assigned to the default 'trust' zone; you'll need to ensure that you have User-ID enabled for that zone.
01-17-2020 03:58 AM
So I believe you're looking for how to authenticate logged-in users whether they're outside or inside. I've spent 2 days on how to do it; the documentation does not describe it clearly. You need to have 2 gateways for this: one external and one internal. The internal gateway can be your firewall's inside interface IP address. The main trick is here:
this IP must be resolvable to the internal hostname you specified in the portal config in both directions: in forward internal DNS resolution, and also in reverse DNS resolution.
In my example I have the inside L3 interface with the IP 192.168.1.1. In my internal DNS there is an A record pa-int.ovel.ru pointing to this IP, and ALSO there is a reverse zone arpa.1.168.192 that resolves .1 to pa-int.ovel.ru.
The gateway config is here:
And then the portal config is here:
And after that your GlobalProtect should be able to get your user authenticated straight away.
And yes, it's very important: all of this works in "Always-On" mode only!!! At least in my case.
Hope this helps.
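The answer above hinges on one precondition: the internal gateway's IP must resolve to the portal's configured internal hostname both forward (A record) and in reverse (PTR record), since the GlobalProtect app's internal host detection does a reverse lookup of that IP to decide it is on the inside network. The script below is an added example, not from this thread or from Palo Alto Networks; it checks both directions with the operating system's resolver and reports which half is missing. The hostname and IP are the values from the post above; the `forward` and `reverse` parameters exist so the check can be exercised against stub resolvers as well as the real DNS.

```python
"""Verify forward and reverse DNS consistency for a GlobalProtect
internal host detection pair (hostname, IP). Added example; the default
resolvers use the host's own DNS configuration."""
import socket
from typing import Callable, Dict, List

# Sample values taken from the post above (internal gateway interface and
# the A record that points at it).
INTERNAL_HOSTNAME = "pa-int.ovel.ru"
INTERNAL_IP = "192.168.1.1"


def _norm(name: str) -> str:
    """Compare DNS names case-insensitively and without a trailing dot."""
    return name.rstrip(".").lower()


def forward_lookup(hostname: str) -> List[str]:
    """A-record lookup via the system resolver; returns IPv4 addresses."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def reverse_lookup(ip: str) -> List[str]:
    """PTR lookup via the system resolver; canonical name plus aliases."""
    name, aliases, _addrs = socket.gethostbyaddr(ip)
    return [name] + list(aliases)


def check_internal_host_detection(
    hostname: str,
    ip: str,
    forward: Callable[[str], List[str]] = forward_lookup,
    reverse: Callable[[str], List[str]] = reverse_lookup,
) -> Dict[str, object]:
    """Return a report saying whether hostname -> ip and ip -> hostname
    both hold. 'ok' is True only when both directions agree."""
    report: Dict[str, object] = {
        "forward": [], "reverse": [], "errors": [],
        "forward_ok": False, "reverse_ok": False, "ok": False,
    }
    try:
        addrs = forward(hostname)
        report["forward"] = addrs
        report["forward_ok"] = ip in addrs
    except OSError as exc:  # gaierror / herror are OSError subclasses
        report["errors"].append(f"forward lookup of {hostname} failed: {exc}")
    try:
        names = reverse(ip)
        report["reverse"] = names
        report["reverse_ok"] = _norm(hostname) in {_norm(n) for n in names}
    except OSError as exc:
        report["errors"].append(f"reverse lookup of {ip} failed: {exc}")
    report["ok"] = bool(report["forward_ok"] and report["reverse_ok"])
    return report


if __name__ == "__main__":
    result = check_internal_host_detection(INTERNAL_HOSTNAME, INTERNAL_IP)
    print(f"forward {INTERNAL_HOSTNAME} -> {result['forward']} "
          f"({'ok' if result['forward_ok'] else 'MISSING A record'})")
    print(f"reverse {INTERNAL_IP} -> {result['reverse']} "
          f"({'ok' if result['reverse_ok'] else 'MISSING PTR record'})")
    for err in result["errors"]:
        print("error:", err)
    print("internal host detection preconditions met:", result["ok"])
```

Run it from a machine that uses the same internal DNS servers the GlobalProtect clients use; a forward hit with a reverse miss is the usual reason the app falls back to the external gateway even though the portal is reachable.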