Global Protect Clients connection Policies through the NGFW

L0 Member

Hi, Community,

I'd like to ask your advice.
Is there any instruction somewhere on how to build the best set of rules on a PAN firewall to only allow traffic for GlobalProtect clients?
The clients are on a normal network with DHCP. They get DNS from the AD server.
I want the client to get to the Internet only via Prisma Access. This means that the client passes through a firewall that only allows access to the Mobile Users gateways.

I have found the GW addresses, portals and even IP ranges via the API in Panorama/Cloud Plugin. I gradually prepared the rules.
I still have a problem with this. After setting the rules it works. However, the next day it doesn't.

Thank you

3 REPLIES

L6 Presenter

You can try on the firewall to create a policy rule that allows only the GlobalProtect application from your source IP addresses/usernames/AD groups as a workaround.

Outside of that, better make a server that pulls your Prisma Access endpoint addresses using the API, as you already saw, and then make an External Dynamic List that the Palo Alto firewalls can ingest, but it will be complex. You can also feed the firewalls using their API and modify the address object. As Prisma Access addresses change, better pull the data every maybe 10 minutes.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/use-an-external-dynamic-list-in-po...

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-rest-a...

The API to retrieve the Prisma Access addresses:

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-rest-a...

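As an added example (not from this thread and not Palo Alto Networks code), a small Python sketch of the EDL-building step described in the reply above: it parses a constructed API reply, keeps only entries that actually parse as IP addresses, writes them in the one-entry-per-line format a PAN-OS IP-type EDL expects, and reports what changed since the previous pull so the admin can log it. The JSON layout (`status`, `result[].addresses`) is an assumption and should be checked against the real Prisma Access API response.

```python
import ipaddress
import json

# Constructed sample reply. The schema (status / result[].zone / result[].addresses)
# is an assumption for this example, not taken from the thread or the vendor docs.
SAMPLE_RESPONSE = json.dumps({
    "status": "success",
    "result": [
        {"zone": "us-east-1", "addresses": ["203.0.113.10", "203.0.113.11"]},
        {"zone": "eu-west-2", "addresses": ["198.51.100.7", "203.0.113.10", "not-an-ip"]},
    ],
})


def extract_gateway_addresses(raw_json):
    """Return a sorted, de-duplicated list of valid IP addresses from the API reply.

    Anything that does not parse as an address is dropped instead of being written
    into the EDL, so a malformed or unexpected response cannot widen the allow rule.
    """
    data = json.loads(raw_json)
    if data.get("status") != "success":
        raise ValueError("API call did not succeed: %r" % data.get("status"))
    addrs = set()
    for entry in data.get("result", []):
        for candidate in entry.get("addresses", []):
            try:
                addrs.add(ipaddress.ip_address(candidate))
            except ValueError:
                continue  # skip junk rather than fail the whole list
    # Sort IPv4 before IPv6, then numerically; mixed-version objects are not comparable.
    return [str(a) for a in sorted(addrs, key=lambda a: (a.version, int(a)))]


def render_edl(addresses):
    """One address per line, newline-terminated: the plain IP list format PAN-OS EDLs read."""
    return "".join(a + "\n" for a in addresses)


def diff_edl(previous, current):
    """Return (added, removed) so each refresh can be logged and reviewed."""
    prev, cur = set(previous), set(current)
    return cur - prev, prev - cur


if __name__ == "__main__":
    current = extract_gateway_addresses(SAMPLE_RESPONSE)
    added, removed = diff_edl(["198.51.100.7", "192.0.2.1"], current)
    print(render_edl(current), end="")
    print("added:", sorted(added), "removed:", sorted(removed))
```

In production the list would be written to a file served over HTTPS to the firewalls and the `diff_edl` output sent to your logging pipeline on each 10-minute pull.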

Thank you for your advice. However, it looks like the problem is in authentication.
The GP client logs in and receives a cookie for 24 hours. However, after this cookie expires, it is unable to re-authenticate.
I'll try enabling the SAML portal now and see what happens.

Also check whether the cookies are correctly configured, as maybe the portal cookie timeout is different from the gateway one:

How to generate cookies on GlobalProtect Portal and use cookies for Gateway Authentication

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boODCAY

GlobalProtect portal and gateway authentication override cookie lifetime does not expire or last for set lifetime

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004NCxCAM&lang=en_US%E2%80%A...


  • 1384 Views
  • 3 replies
  • 0 Likes