Is it possible to host a Global Protect Portal and Gateway on the same outside interface as IPSEC VPNS


L0 Member

I'm trying to set up a GlobalProtect gateway on an interface that already has a couple of IPSec VPN tunnels on it, but I am unable to browse to the page to download the client. After some checking I realized that I'm not even able to ping this interface from inside the network or from the public IP of the other PA. If I ping out, then I am getting replies. I'm confident in the configuration itself because I have an identical setup on a firewall (PA460, 10.2.3 btw) located elsewhere.


5 REPLIES

Cyber Elite

Yes, GlobalProtect and IPSec work fine on the same interface.

Portal works on tcp/443.

Gateway works on udp/4501 (fallback to tcp/443 if udp is not accessible).

IPSec works on udp/500 and udp/4500.

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Cyber Elite

Do you see connection attempts in the traffic log?

Do firewall policies permit this traffic?

For testing you can open tcp/443 and udp/4501.

If it works, then adjust the rule to permit only the applications ipsec, panos-global-protect and ssl on application-default service.

You can also add web-browsing if you want the portal to have http to https redirection.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
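The test rule and the tightened rule described above, written out as PAN-OS set-format CLI. This is an added example, not the poster's own configuration: the zone name untrust, the address object GP-PORTAL-IP with the constructed value 203.0.113.10, the client address 198.51.100.5, and the rule and service names are assumptions, and the lines beginning with # are annotations rather than CLI input.

```text
# Address object for the outside interface IP (constructed example value)
set address GP-PORTAL-IP ip-netmask 203.0.113.10/32

# Step 1: temporary test rule that opens only tcp/443 (portal) and udp/4501 (gateway).
# Traffic to the firewall's own outside interface is intrazone, hence untrust to untrust.
set service svc-gp-portal protocol tcp port 443
set service svc-gp-gateway protocol udp port 4501
set rulebase security rules GP-Test from untrust to untrust source any destination GP-PORTAL-IP application any service [ svc-gp-portal svc-gp-gateway ] action allow
commit

# Step 2: once the client reaches the portal, replace the port-based rule with an
# App-ID rule on application-default so only the expected applications can match.
delete rulebase security rules GP-Test
set rulebase security rules GP-and-IPSec from untrust to untrust source any destination GP-PORTAL-IP application [ ipsec panos-global-protect ssl ] service application-default action allow
# Optional: only if the portal should redirect http to https
set rulebase security rules GP-and-IPSec application web-browsing
commit

# Step 3 (operational mode): confirm which rule a portal connection would hit,
# then look for the client's sessions if the traffic log shows no attempts.
test security-policy-match from untrust to untrust source 198.51.100.5 destination 203.0.113.10 protocol 6 destination-port 443
show session all filter destination 203.0.113.10 destination-port 443
```

If the policy-match test returns the expected rule but no session ever appears, the packets are not reaching the interface, which points at routing or upstream filtering rather than at the security policy.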

The agent will try to connect with IPSec and, if it fails, it will fall back to SSL.

SSL can be configured as the default protocol as well.

A "Virtual Wire-capable interface" can't host the portal. Only a Layer3 interface can.

GlobalProtect portal runs on tcp/443.

GlobalProtect gateway runs on udp/4501 - configurable.

 

It is not a good idea to run GlobalProtect on a loopback interface because this limits QoS (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPh3CAG&lang=en_US%E2%80%A...).

It is better to run GlobalProtect on a DMZ interface and use NAT if a different port is needed.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L0 Member

While, like everyone said, IPSec tunnels and the GP portal can be on the same interface, there is an interesting asymmetric problem that I ran into: when you are yourself coming in over that IPSec tunnel to connect to the GP portal. What happens is, in order to reach the external interface IP you go over the internet, since you are not going to advertise the same IP as the one you use to establish the IPSec connection, but your return traffic is likely over the tunnel, which is a different zone than the incoming traffic. I ran into this problem; pings and TCP sessions do not seem to work. A potential solution is moving the GP portal to another interface, so that if you come in over an IPSec tunnel, the IP address used to get to the GP portal is different than the one used to establish that tunnel.

Can you share a simple diagram of how your traffic flows?

GP and IPSec work fine on the same interface.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011