This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

User-id with internal portal

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

User-id with internal portal

eronko
L1 Bithead

‎01-16-2020 03:50 PM

Hello community,

I have just started my journey to PA world and spend several days configuring global protect features.

I successfully configured portal for as internal point of connection for Global protect client.

Idea is to provide User-id information to firewall without VPN connection.

 

As result my GP client tells me that "you are connected to internal network" but under PA device I don't see user<->ip information. User-id based rules don't work. no information from "show user ip-user-mapping all."

1. Are there any additional steps required to enable User-id features. I enable it only at security zone level.

2. Would it be possible to have one portal but two gateways (ext, int) for internal (user-id provisioning only )  and external (vpnssl)  deployments. Or there are two portals external / internal are required ?

 

Thanks in advice !

1 person had this problem.
0 Likes Likes
7 REPLIES 7

BPry
Cyber Elite
Cyber Elite

‎01-16-2020 04:08 PM

@eronko,

1) Did you remember to enable user-id on the GlobalProtect interface? 

2) You can use the same gateway for Internal/External connections without issue. 

0 Likes Likes

eronko
L1 Bithead
In response to BPry

‎01-16-2020 04:30 PM

Do you mean interface where portal is hosted ! 

Thanks for reply ! 

0 Likes Likes

BPry
Cyber Elite
Cyber Elite
In response to eronko

‎01-16-2020 05:14 PM

That's correct. Say for example I'm using the interface ethernet1/2 for the internal gateway and you have that assigned to the default 'trust' zone, you'll need to ensure that you have user ID enabled for the zone. 

ovel
L2 Linker

‎01-17-2020 03:58 AM

So I believe you're looking for how to authenticate logged in users whether they're outside or inside. I've spent 2 ways on how to do it, the documentation is not describing it clearly. You need to have 2 gateways for this, one external, and one internal one. The internal gateway can be your firewall interface inside IP address, the main trick is here:

this IP must be resolvable into your internal hostname you specified in the portal config in both ways: in the direct internal DNS resolution, and also reversed DNS resolution.

 

In my example I have the inside L3 interface with the IP 192.168.1.1. In my internal DNS there is an A record pa-int.ovel.ru pointing to this IP, and ALSO there is reversed zone arpa.1.168.192 that resolves .1 into pa-int.ovel.ru.

 

The gateway config is here:

ovel_0-1579261895182.png

Authentrication

ovel_1-1579261964067.png

 

And then the portal config is here:

 

ovel_2-1579262016067.png

Internal Gateway:

 

ovel_3-1579262062838.png

And after that your GlobalProtect should be able to get your user authenticated straight away.

 

ovel_4-1579262198522.png

 

And yes, it's very important: All this is working in "Always-On" mode only!!! At least in my case.

Hope this helps.

 

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks