01-19-2023 07:07 AM
I'm trying to set up a GlobalProtect gateway on an interface that already has a couple of IPSec VPN tunnels on it. But I am unable to browse to the page to download the client. After some checking I realized that I'm not even able to ping this interface from inside the network or from the public IP of the other PA. If I ping out, then I am getting replies. I'm confident in the configuration itself because I have an identical setup on a firewall (PA-460, 10.2.3 btw) located elsewhere.
I'm not sure this is the right forum for solving my overall issue, but if what I am trying to accomplish isn't possible then I can save some time.
01-19-2023 07:26 AM
Yes, GlobalProtect and IPSec work fine on the same interface.
Portal works on tcp/443
Gateway works on udp/4501 (fallback to tcp/443 if udp is not accessible)
IPSec works on udp/500 and udp/4500
01-19-2023 07:31 AM
Do you see connection attempts in the traffic log?
Do the firewall policies permit this traffic?
For testing you can open tcp/443 and udp/4501.
If it works, then adjust the rule to permit only the applications ipsec, panos-global-protect, and ssl on the application-default service.
You can also add web-browsing if you want the portal to have HTTP to HTTPS redirection.
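As an added example (not from any poster in this thread), the broad test rule described above beside the tightened rule, written in PAN-OS set-format CLI for configure mode. The zone name untrust, the interface address 203.0.113.10, the service and rule names are placeholders, and the # lines are annotations, not CLI input.

```panos
# --- Step 1: temporary test rule, deliberately broad (ports only) ---
# Custom services for the portal (tcp/443) and the gateway (udp/4501).
set service svc-gp-test-tcp443 protocol tcp port 443
set service svc-gp-test-udp4501 protocol udp port 4501
# Inbound GlobalProtect terminates on the untrust interface, so the rule
# is untrust -> untrust (intrazone) toward the interface IP (placeholder).
set rulebase security rules GP-Test from untrust to untrust source any destination 203.0.113.10 application any service [ svc-gp-test-tcp443 svc-gp-test-udp4501 ] action allow
commit

# --- Step 2: once the client connects, replace it with the tightened rule ---
# Only the applications the reply names, on their default ports:
#   ipsec                -> GlobalProtect IPSec transport (udp/4501) and site-to-site tunnels
#   panos-global-protect -> portal/gateway control traffic
#   ssl                  -> SSL fallback on tcp/443
#   web-browsing         -> optional, only for the http -> https redirect
set rulebase security rules GP-Inbound from untrust to untrust source any destination 203.0.113.10 application [ ipsec panos-global-protect ssl web-browsing ] service application-default action allow
delete rulebase security rules GP-Test
commit
```

If the test rule never shows hits in the traffic log, the problem is upstream of policy (routing, NAT, or an interface management profile), which matches the symptom of not being able to ping the interface at all.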
01-22-2023 08:54 PM
The agent will try to connect with IPSec, and if it fails it will fall back to SSL.
SSL can be configured as the default protocol as well.
A "Virtual Wire-capable interface" can't host the portal. Only a Layer 3 interface can.
The GlobalProtect portal runs on tcp/443.
The GlobalProtect gateway runs on udp/4501 - configurable.
It is not a good idea to run GlobalProtect on a loopback interface because this limits QoS (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPh3CAG&lang=en_US%E2%80%A...).
Better to run GlobalProtect on a DMZ interface and use NAT if a different port is needed.
09-27-2023 09:26 PM
While, like everyone said, IPSec tunnels and the GP portal can be on the same interface, there is an interesting asymmetric problem that I ran into. If you are yourself coming in over that IPSec tunnel to connect to the GP portal, what happens is: in order to reach the external interface IP you go over the internet, since you are not going to advertise the same IP as the one you use to establish the IPSec connection, but your return traffic is likely over the tunnel, which is a different zone than the incoming traffic. I ran into this problem; pings and TCP sessions do not seem to work. A potential solution is moving the GP portal to another interface, so that if you come in over an IPSec tunnel, the IP address used to get to the GP portal is different than the one used to establish that tunnel.
09-28-2023 06:34 AM
Can you share a simple diagram of how your traffic flows?
GP and IPSec work fine on the same interface.