I'm trying to set up a global protect gateway on an interface that already has a couple IPSEC VPN tunnels on it. But I am unable to browse to the page to download the client. After some checking I realized that I'm not even able to ping this interface from inside the network or from the public IP of the other PA. If I ping out, then I am getting replies. I'm confident in the configuration itself because I have an identical setup on firewall (PA460, 10.2.3 btw) located elsewhere.
I'm not sure this is the right forum for solving my overall issue, but if what I am trying to accomplish isn't possible then I can save some time.
Do you see connection attempts in traffic log?
Firewall policies permit this traffic?
For testing you can open tcp/443 and udp/4501
If it works then adjust rule to permit only applications ipsec, panos-global-protect, ssl on application-default service.
You can also add web-browsing if you want portal to have http to https redirection.
Agent will try to connect with IPSec and if it fails it will fall back to SSL.
SSL can be configured as default protocol as well.
"Virtual Wire-capable interface" can't host portal. Only Layer3 interface can.
GlobalProtect portal runs on tcp/443.
GlobalProtect gateway runs on udp/4501 - configurable.
It is not good idea to run GlobalProtect on loopback interface because this limits QoS (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPh3CAG&lang=en_US%E2%80%A...).
Better to run GlobalProtect on DMZ interface and use NAT if different port is needed.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!