Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

PenTest GlobalProtect Subnet

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PenTest GlobalProtect Subnet

L2 Linker

Hello,

 

Our Palo GP is setup inside Azure - and it is working and serving its purpose. GP can reach everything, but not the other way around.

 

We can't ping GP Clients, we can't RDP to them, any traffic destined to GP Subnet has literally no logs at all.

 

Looking for some expert advice. Thanks in advance.

 

15 REPLIES 15

Cyber Elite
Cyber Elite

Traffic log in 10.29.2.4 firewall shows pen tester traffic going to tunnel.1 towards GlobalProtect client?

If yes and you don't get any replies it means Windows firewall is dropping incoming traffic.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Cyber Elite
Cyber Elite

Traffic log in 10.29.2.4 firewall shows pen tester traffic going to tunnel.1 towards GlobalProtect client?

If yes and you don't get any replies it means Windows firewall of the GlobalProtect client is dropping incoming traffic.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Cyber Elite
Cyber Elite

Hello @popoymaster ,

 

Do you have a security rule allowing traffic to your GP zone?

 

If you do not see logs, it may be because you have not enabled logging on your interzone-default rule which drops all traffic not matched by any rules.  Click on the interzone-default rule; click Override; select Log at Session End; and click Ok.  Commit.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

This actually works! Traffic is dropped by the interzone-default rule.

Ok, so we have 2 palo alto firewalls;

1. On-prem with site-to-site tunnel to azure native vpn gateway
2. The other one is dedicated for GP.

Now, GP palo can reach the GP clients, thanks to you i allow interzone comms.

Problem now is, our on prem palo can reach all the interfaces Eth1 Untrust, Eth2 Trust of the GP FW but not the GP subnets. And this time, no logs at all.

 

Additionally, GP clients can reach the on-prem palo and subnets inside it.

 

753161C0-0B58-4469-A21D-770DC8C3E448.jpeg

Cyber Elite
Cyber Elite

Hi @popoymaster ,

 

  1. Do you have a route on the on-prem NGFW to the GP subnet that points to the tunnel?
  2. Do you have a rule on the on-prem NGFW that allows traffic to the GP subnet?
  3. Do you have a rule on the Azure NGFW that allows traffic to GP for S2S VPN?
  4. What do the traffic logs show on the on-prem and Azure NGFWs for the pings that fail?

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Do you have a route on the on-prem NGFW to the GP subnet that points to the tunnel?
- YES! Azure NGFW's management and GP subnets are pointing to tunnel.
[cid:image001.png@01D992EA.9FD5C5D0]

Do you have a rule on the on-prem NGFW that allows traffic to the GP subnet?
- YES! Bi-directional.

Do you have a rule on the Azure NGFW that allows traffic to GP for S2S VPN?
- On-prem NGFW tunnels with Azure Native VPN Gateway. I enabled the intra and interzone loggs - this should capture anything not matched right?

What do the traffic logs show on the on-prem and Azure NGFWs for the pings that fail?
- I can see the traffic going out of On-prem NGFW but not arriving at Azure NGFW. Ping test to interfaces logged and worked but not to the GP Subnet.
[cid:image002.png@01D992EA.9FD5C5D0]

Azure NGFW only sees traffic going to the interfaces, but not destined to GP subnet.
[cid:image003.png@01D992EA.9FD5C5D0]

 

Do you have a route on the on-prem NGFW to the GP subnet that points to the tunnel?

- YES! Azure NGFW’s management and GP subnets are pointing to tunnel.

popoymaster_0-1685461049236.png

 

 

Do you have a rule on the on-prem NGFW that allows traffic to the GP subnet?

 - YES! Bi-directional.

 

Do you have a rule on the Azure NGFW that allows traffic to GP for S2S VPN?

- On-prem NGFW tunnels with Azure Native VPN Gateway. I enabled the intra and interzone loggs – this should capture anything not matched right?

 

What do the traffic logs show on the on-prem and Azure NGFWs for the pings that fail?

 - I can see the traffic going out of On-prem NGFW but not arriving at Azure NGFW. Ping test to interfaces logged and worked but not to the GP Subnet.

popoymaster_1-1685461049263.png

 

 

Azure NGFW only sees traffic going to the interfaces, but not destined to GP subnet.

popoymaster_2-1685461049282.png

 

PING from Azure NGFW works but not from the Onprem NGFW.

popoymaster_0-1685461687706.png

 

Hi Tom,

 

Do you have a route on the on-prem NGFW to the GP subnet that points to the tunnel?

- YES! Azure NGFW’s management and GP subnets are pointing to tunnel.

popoymaster_0-1685461793684.png

 

 

Do you have a rule on the on-prem NGFW that allows traffic to the GP subnet?

 - YES! Bi-directional.

 

Do you have a rule on the Azure NGFW that allows traffic to GP for S2S VPN?

- On-prem NGFW tunnels with Azure Native VPN Gateway. I enabled the intra and interzone loggs – this should capture anything not matched right?

 

What do the traffic logs show on the on-prem and Azure NGFWs for the pings that fail?

 - I can see the traffic going out of On-prem NGFW but not arriving at Azure NGFW. Ping test to interfaces logged and worked but not to the GP Subnet.

popoymaster_1-1685461793717.png

 

 

Azure NGFW only sees traffic going to the interfaces, but not destined to GP subnet.

popoymaster_2-1685461793752.png

 

Hi Tom,

 

Do you have a route on the on-prem NGFW to the GP subnet that points to the tunnel?

- YES! Azure NGFW’s management and GP subnets are pointing to tunnel.

popoymaster_0-1685461865605.png

 

 

Do you have a rule on the on-prem NGFW that allows traffic to the GP subnet?

 - YES! Bi-directional.

 

Do you have a rule on the Azure NGFW that allows traffic to GP for S2S VPN?

- On-prem NGFW tunnels with Azure Native VPN Gateway. I enabled the intra and interzone loggs – this should capture anything not matched right?

 

What do the traffic logs show on the on-prem and Azure NGFWs for the pings that fail?

 - I can see the traffic going out of On-prem NGFW but not arriving at Azure NGFW. Ping test to interfaces logged and worked but not to the GP Subnet.

popoymaster_1-1685461865637.png

 

 

Azure NGFW only sees traffic going to the interfaces, but not destined to GP subnet.

popoymaster_2-1685461865686.png

 

L2 Linker

Do you have a route on the on-prem NGFW to the GP subnet that points to the tunnel?

- YES! Azure NGFW’s management and GP subnets are pointing to tunnel.

popoymaster_3-1685462038760.png

 

 

Do you have a rule on the on-prem NGFW that allows traffic to the GP subnet?

 - YES! Bi-directional.

 

Do you have a rule on the Azure NGFW that allows traffic to GP for S2S VPN?

- On-prem NGFW tunnels with Azure Native VPN Gateway. I enabled the intra and interzone loggs – this should capture anything not matched right?

 

What do the traffic logs show on the on-prem and Azure NGFWs for the pings that fail?

 - I can see the traffic going out of On-prem NGFW but not arriving at Azure NGFW. Ping test to interfaces logged and worked but not to the GP Subnet.

popoymaster_4-1685462038786.png

 

 

Azure NGFW only sees traffic going to the interfaces, but not destined to GP subnet.

popoymaster_5-1685462038808.png

 

L2 Linker

Do you have a route on the on-prem NGFW to the GP subnet that points to the tunnel?

- YES! Azure NGFW’s management and GP subnets are pointing to tunnel.

popoymaster_0-1685462115164.png

 

L2 Linker

Do you have a rule on the on-prem NGFW that allows traffic to the GP subnet?

 - YES! Bi-directional.

L2 Linker

Do you have a rule on the Azure NGFW that allows traffic to GP for S2S VPN?

- On-prem NGFW tunnels with Azure Native VPN Gateway. I enabled the intra and interzone loggs – this should capture anything not matched right?

  • 4185 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!