- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
08-09-2024 05:27 PM
Hi Everyone,
We have a working GP setup and our users connect to the VPN without issues. However, when trying to access the firewall via its management IP while connected to the GP, we cannot reach the firewall. Other network resources specified in the access routes are reachable. Here are the troubleshooting steps I conducted:
1. Ping, SSH, Access through HTTPS the MGMT IP of Firewall: Fail
2. I made sure that the Interface MGMT Settings have the remote user's IP is included in the permitted IP address. (HTTPS, SSH, PING also ticked)
3. I made sure that the Firewall's Mgmt IP is included in the Split Tunnel - Access Route configuration in the GP Configurations (As well as in the Security Policy in Destination Addr.)
4. I checked the logs, specifying the source addr and destination addr, it says "allow" but it shows Application Incomplete when accessing the GUI of Firewall.
5. I made sure that there is a route from the remote user to the IP Addr of the Firewall by using "route print"
6. I also tried disabling the local windows defender firewall of the remote user, disabling the IPv6 of the PANGP Network Adapter, and tried manually installing different versions of GP App. Result: Fail
Are there any missing steps that I haven't tried yet?
08-13-2024 06:40 PM
Verify the routing between the your management interface subnet and the Vpn subnet. Even though the mgmt interface is part of the firewall it won't act as data interface.
If the application shows as incomplete there is no tcp handshake between the source and destination.
Run the tcpdump in the mgmt interface and try to access to verify the traffic is reaching to the respective interface. Refer below kb for packet capture on mgmt interface.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleECAS
08-14-2024 06:57 PM
Thanks for your response,
The issue is now solved. Turns out that we had to adjust our pbf policies.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!