05-18-2023 07:48 PM
I have a PA-440 running 10.2.3-h4. I have a working external GlobalProtect gateway and created an internal gateway. I have enabled "Internal Host Detection" and added the internal gateway information to the config of the portal. After trying to connect, the main GlobalProtect screen shows "Not Connected" with "Select the portal to connect and secure access to your applications and the internet."; however, the "Settings" screen shows "Connected - Internal". I do not see any user information in the firewall for this client connection; however, the GlobalProtect logs show successful authentication. Any idea why this would be happening?
05-19-2023 12:53 AM
Hi @jwalls ,
The logs you have provided show that the client is connecting and authenticating to the portal, but there are no logs from the internal gateway. You should see successful authentication from the internal gateway if the connection is successful.
Have you checked if traffic is allowed? Traffic from the GP client to the GP portal/gateway also passes through the policy. In general the default intra-zone rule would allow this (inside user to inside interface), but I would suggest you first confirm that the FW is allowing the traffic to the internal gateway.
- Check traffic logs filtering by the internal gateway IP
From the client screenshots it looks like the internal host detection is working fine, but to confirm you can check GP logs.
- Check the logs "PanGPS.log" and "pan_gp_events.log". Here are some resources that might help you:
https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g000000ClUk
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaLCAS
Last episode of PANCast by @jarena can also help you - https://live.paloaltonetworks.com/t5/pancast/pancast-episode-17-globalprotect-connections-and-troubl...
05-23-2023 01:22 PM
Thanks! I dug into those logs a little deeper and saw: P1370-T31867 05/23/2023 14:34:24:869 Error(3312): Received DNS reverse lookup response error -65554
My reverse DNS was not working properly for my internal gateway. Once I corrected that, it is working perfectly!
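A small check for the cause found above, added here as example code that is not from the thread or from Palo Alto Networks: it parses PanGPS.log lines in the layout of the quoted entry to flag reverse-lookup errors, and repeats the PTR lookup that internal host detection relies on. The gateway IP, the hostname, the extra log lines beyond the quoted one and the resolver hook are assumptions.

```python
import re
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Layout of the PanGPS.log entry quoted in the thread:
# "P1370-T31867 05/23/2023 14:34:24:869 Error(3312): Received DNS reverse lookup response error -65554"
LOG_LINE = re.compile(
    r"^(?P<thread>P\d+-T\d+)\s+"
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3})\s+"
    r"(?P<level>\w+)\((?P<code>\d+)\):\s+(?P<msg>.*)$"
)

# Constructed sample: the quoted error plus two made-up neighbouring lines.
SAMPLE_LOG = """\
P1370-T31867 05/23/2023 14:34:24:868 Info(1001): Internal host detection: resolving 10.0.0.1
P1370-T31867 05/23/2023 14:34:24:869 Error(3312): Received DNS reverse lookup response error -65554
P1370-T31867 05/23/2023 14:34:24:870 Info(1002): Host detection result: external
"""


@dataclass
class LogEntry:
    thread: str
    ts: str
    level: str
    code: int
    msg: str


def parse_pangps_lines(lines: Iterable[str]) -> List[LogEntry]:
    """Parse PanGPS.log lines; lines that do not match the layout are skipped."""
    out = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            out.append(LogEntry(m["thread"], m["ts"], m["level"], int(m["code"]), m["msg"]))
    return out


def reverse_lookup_errors(entries: Iterable[LogEntry]) -> List[LogEntry]:
    """Entries showing that the client's reverse DNS lookup for host detection failed."""
    return [e for e in entries if e.level == "Error" and "DNS reverse lookup" in e.msg]


def check_internal_host_detection(ip: str, expected_hostname: str,
                                  resolver: Callable = socket.gethostbyaddr) -> Optional[str]:
    """Do the PTR lookup the client does; return None if it matches, else the reason it fails."""
    try:
        name, _aliases, _addrs = resolver(ip)
    except OSError as exc:  # NXDOMAIN, timeout, no PTR zone: the failure seen in the thread
        return f"reverse lookup of {ip} failed: {exc}"
    if name.rstrip(".").lower() != expected_hostname.rstrip(".").lower():
        return f"PTR for {ip} is {name!r}, expected {expected_hostname!r}"
    return None
```

Run `check_internal_host_detection("<gateway-ip>", "<gateway-hostname>")` from a client on the inside network; a non-None result means the client will fall back to the external gateway just as the log above shows.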