Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
07-29-2021 11:13 AM
All,
I am working on a PA-220 LAB, in preparation for a PA 820 rollout. I have setup and configured my Global protect VPN. When it comes to DHCP, I know I can't use my DHCP servers but have to rely on DHCP from the firewall. That is OK. My question is this:
For my VPN users, If I create a DHCP scope in Network>GatewayS>MyGateway>Agent>Client Settings>Configs>IP Pools>IP Pool, and the DHCP addresses are not sub set of an existing Ethernet Interface\sub-interface, will I have to create a layer 3 sub interface so the VPN traffic is routed correctly? IE; all Interfaces\sub interfaces are 10.0.x.x and I want VPN addresses to be 192.168.x.x. Will I need to create a layer 3 interface for the 192.168.x.x so traffic flows correctly?
I am sure this is simple but I want to make sure I do it correctly in the building\testing stage
07-30-2021 02:30 AM
Hi @RussMc
Yes you will need a L3 interface and a zone if you want to land the tunnel in a isolated zone.
08-17-2021 01:00 PM
You will need to add a security policy allowing traffic from the GP tunnel zone to your lan interface zone.
07-30-2021 02:30 AM
Hi @RussMc
Yes you will need a L3 interface and a zone if you want to land the tunnel in a isolated zone.
07-30-2021 07:41 AM
Thank you. I will add it and test this weekend.
08-17-2021 10:47 AM
Ok, I added the L3 interface and added the VLAN to my switches and committed all changes. I can connect to VPN by computer but not by an app on my iPhone (I do have the correct licensing for the GP app). The error I get is " The network connection is unreachable or the gateway is unresponsive.
Also, when I have a laptop successfully connected to the VPN, I can't seem to get to any VLAN's on my network. I do have the VLAN's identified in the split tunnel. I tried adding the VLA's individually as well as specifying 0.0.0.0/0 to no avail.
Any thoughts or suggestions?
08-17-2021 01:00 PM
You will need to add a security policy allowing traffic from the GP tunnel zone to your lan interface zone.
08-18-2021 12:26 AM
Absolutely as @Mick_Ball says, you need to treat the Global protect environment as you would any other so
Using the 0.0.0.0/0 route will tunnel everything back to the Gateway so you may want to just use the subnets that you require.
08-18-2021 07:36 AM
For testing purposes, I have the tunnel added to my untrusted (Internet) zone and set on my gateway configuration. In the past, this has worked just fine with all applicable VLAN's added to the split tunnel.
08-18-2021 08:48 AM
Are the vlans you mentioned external or internal
08-19-2021 06:11 AM
OK, I have the VPN client working now on the client PC's & MAC's. I forwent adding the tunnel to my untrusted (Internet) zone and went with Mick's suggestion. I created a new zone, configured the tunnel, and added a security policy and access to the VLAN's works just fine. The only issue I have is our iPhones will not connect to the VPN. I still get the following error:
Gateway <My Gateway>: The network connection is unreachable or the gateway is unresponsive. Check the network connection and reconnect.
Could this be caused by the self signed certificate I am using for testing (I will have a real, valid cert in production)? If this is the case, I guess I am looking for validation since I ran out of time until this weekend to do more testing. I found this article:
https://medium.com/collaborne-engineering/self-signed-certificates-in-ios-apps-ff489bf8b96e
Thoughts on if will resolve the issue?
08-19-2021 01:22 PM
Do you have the required gateway subscription for mobile devices?
ios works differently from windoze with cert stuff... i only have trusted certs so cannot test but when i use ip address for portal i get ...
the network is unreachable or the portal is unresponsive....
not sure why you get the gateway error....
anyhows... try the fix yo have as you will need to trust your ssigned cert...
laters...
08-20-2021 08:24 AM
I have the required licensing for mobile devices.
From Safari, Chrome, and Firefox, from an iPhone, I can hit the VPN gateway (by IP) and login just fine. Once I do, I see the links to download the appropriate client, though you can't on an idevice... This means all but the App is working fine.
I have the cert loaded and trusted in my device and will test this weekend and report back on Monday. Thank you for all the help and advice.
08-23-2021 08:06 AM
The testing over the weekend was successful. Creating a L3 interface for the VPN traffic, then creating a zone\rules for the traffic to flow and then, installing the cert and trusting it on the iDevice worked perfectly. I was then able to navigate where my rules permitted. I will be obtaining a true, trusted cert for the production rollout. Thanks and Kudos to @Mick_Ball & @laurence64 for all the help.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
