Is it possible to host a Global Protect Portal and Gateway on the same outside interface as IPSEC VPNS

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Is it possible to host a Global Protect Portal and Gateway on the same outside interface as IPSEC VPNS

L0 Member

I'm trying to set up a global protect gateway on an interface that already has a couple IPSEC VPN tunnels on it. But I am unable to browse to the page to download the client. After some checking I realized that I'm not even able to ping this interface from inside the network or from the public IP of the other PA. If I ping out, then I am getting replies. I'm confident in the configuration itself because I have an identical setup on firewall (PA460, 10.2.3 btw) located elsewhere. 

 

I'm not sure this is the right forum for solving my overall issue, but if what I am trying to accomplish isn't possible then I can save some time. 

 

 

 

 

3 REPLIES 3

L7 Applicator

Yes GlobalProtect and IPSec work fine on same interface.

Portal works on tcp/443

Gateway works on udp/4501 (failback to tcp/443 if udp is not accessible)

IPSec works on udp/500 and udp/4500

 

Enterprise Architect, Security @ Cloud Carib Ltd
ACE, PCNSE, PCNSI

L7 Applicator

Do you see connection attempts in traffic log?

Firewall policies permit this traffic?

For testing you can open tcp/443 and udp/4501

If it works then adjust rule to permit only applications ipsec, panos-global-protect, ssl on application-default service.

You can also add web-browsing if you want portal to have http to https redirection.

Enterprise Architect, Security @ Cloud Carib Ltd
ACE, PCNSE, PCNSI

Agent will try to connect with IPSec and if it fails it will fall back to SSL.

SSL can be configured as default protocol as well.

"Virtual Wire-capable interface" can't host portal. Only Layer3 interface can.

GlobalProtect portal runs on tcp/443.

GlobalProtect gateway runs on udp/4501 - configurable.

 

It is not good idea to run GlobalProtect on loopback interface because this limits QoS (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPh3CAG&lang=en_US%E2%80%A...).

Better to run GlobalProtect on DMZ interface and use NAT if different port is needed.

Enterprise Architect, Security @ Cloud Carib Ltd
ACE, PCNSE, PCNSI
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!