Get a defined target IP Adress and Subnet via GlobalProtect (PA-460)

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Get a defined target IP Adress and Subnet via GlobalProtect (PA-460)

L1 Bithead


I have a target system that I need to access via WebUI. The system is reachable via its IP address with a /24 ( subnet. Furthermore the system expects a client IP address of, any other IP address will be rejected. The target system is a "proprietary blackbox", which means these settings cannot be changed.


Any locally connected client can reach the target system via the above mentioned IP settings.



My objective is to reach this system now via a GlobalProtect VPN connection, so I set the DHCP IP pool of the gateway configuration to the target systems network ( .



Bild (3).png

I wasn't able reach the target system, yet.

I'm facing different issues, here:


  • I set the IP pool to for the needed subnet mask. However, if I look into the network settings, I have a subnet of configured for the virtual adapter. Shouldn't this be the expected subnet?

Bild (2).png


  •  How can I force my client to use the address? I couldn't come up with an idea, yet. If I set the DHCP range to for instance as I need the /24 subnet which is not possible to configure when defining a range like this.


Thanks a lot in advance for your help


Community Team Member

Hi @SaArlt ,


With the option "Retrieve Framed-IP-Address attribute from authentication server" you can assign a fixed IP address to GP users with AD (LDAP) Authentication.


Check if the following article can help you:

How to Assign a Fixed IP address to GlobalProtect Users with Active Directory (LDAP) Authentication ... 


Hope this helps,


LIVEcommunity team member, CISSP
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

L1 Bithead

Hi @kiwi ,

thanks a lot for your answer. I'm not using an AD but local users I configured in the local user database in this setup, so I'm afraid that "Retrieve Framed-IP-Address attribute from authentication server" might not help fixing my issue.


Meanwhile I found this method to be able to receive a static IP address with my client pc which seems to work:


My ethernet configuration still shows me I have a subnet mask of configured and I still cannot reach the target machine. From my understanding a matching subnet mask of both communicating machines is obligatory so they're able to find themselves via ARP broadcasting.

Screenshot 2024-03-14 163711.png

So how's it possible to configure a matching subnet mask of


Thanks a lot.




L1 Bithead

Any ideas here?

Any help would be highly appreciated.


Thanks a lot.


Kind Regards,


Cyber Elite
Cyber Elite

this is a remote user VPN connection, you will not get a /24 subnetmask as you're behind a VPN tunnel and this is your local IP (assigning a /24 would make that a locally connected network)

Furthermore you shouldn't share the same subnet on a physical interface and the GP pool as that will inevitably introduce routing issues (these are 2 different 'networks')


that said, if the proprietary blackbox needs to be reached from a system in it's own subnet, I propose you set up NAT that masks GP users behind the dataplane interface IP of the interface connecting to the black box



GP IP pool

dataplane interface

NAT rule from to source NAT


that should fiox your issue

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 4 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!