12-04-2024 01:50 PM
I was presented with an interesting question. If the inside interface of a Firewall hosting an external GlobalProtect Gateway is down, will the Palo allow users to still connect to that Gateway?
My testing has indicated, yes, users will connect but be dead in the water because the firewall has nowhere to send the on-prem traffic.
If this is correct, then is there any method that would allow us to down the outside interface, GP Tunnel interface, or another method that would prevent users from connecting to a gateway that has a downed inside interface.
12-10-2024 03:41 AM
interesting take 🙂
here's a couple of ideas:
1. set the authentication method for your users to an internal server (behind the internal interface) so authentication becomes impossible if that interface goes down
2. set your default route up with path monitoring, and target something internal.
3. actually attach the globalprotect gateway to the internal interface and use NAT to redirect traffic inbound
12-10-2024 06:22 AM
Thanks for the reply and all are good ideas.
1. I think the issue here is that the portal still sends users to a gateway that goes nowhere. The Gateway is not checking to see if it can authenticate prior to accepting users as I understand.
2. The trick here is that you seemingly cannot pull a route from monitoring that is not pinging from that interface. We were unable to get the outside interface with the 0.0.0.0 route to ping inside successfully, unless we missed something.
3. Interesting thought I will maybe have to lab it up to see if that works.