I'd like to ask your advice.
Is there any instruction somewhere on how to do the best set of rules on a PAN firewall to only allow traffic for GlobalProtect clients?
The clients are on a normal network with DHCP. They have DNS from AD server.
I want the client to get to the Internet only via Prisma Access. This means that the client passes through a firewall that only allows access to Mobile Users Gateways.
I have found via API in Panorama/Cloud Plugin GW addresses, Portals and even IP ranges. I gradually prepared the rules.
I still have a problem with this. After setting the rules it works. However, the next day it doesn't.
You can try on the Firewall to create a policy rule that allows only the GlobalProtect Application from your source IP addresses/username/AD groups as a workaround.
Outside of that, better make a server that pulls your Prisma Access endpoint addresses using the API as you already saw and then make an External Dynamic List that the Palo Alto Firewalls can ingest, but it will be complex. You can also feed the firewalls using their API and modify the address object. As Prisma Access addresses change, better pull the data every maybe 10 minutes.
The API to retrieve the Prisma Access addresses:
Also check if the cookies are correctly configured as maybe the portal cookie timeout is different of the gateway one:
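One way to automate the EDL approach from the reply above (pull the address list on a schedule, publish it as a file the firewalls fetch), as an added example that is not code from this thread. It assumes the documented getPrismaAccessIP/v2 endpoint with its header-api-key header and the zone/addresses response layout shown in the constructed sample; the firewall-side EDL object and refresh interval are configured separately.

```python
import ipaddress
import json
import urllib.request

# Documented Prisma Access "get addresses" endpoint (assumed current).
PRISMA_IP_API = "https://api.prod.datapath.prismaaccess.com/getPrismaAccessIP/v2"

def fetch_prisma_addresses(api_key: str, timeout: int = 30) -> dict:
    """POST to the address API with the tenant's key; return the parsed JSON."""
    body = json.dumps({"serviceType": "all", "addrType": "all", "location": "all"})
    req = urllib.request.Request(
        PRISMA_IP_API, data=body.encode(), method="POST",
        headers={"header-api-key": api_key, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

def build_edl(api_response: dict, zone_filter=None) -> list[str]:
    """Return sorted, de-duplicated IP/CIDR lines for a PAN-OS IP-type EDL."""
    if api_response.get("status") != "success":
        raise ValueError(f"Prisma Access API call failed: {api_response!r}")
    nets = set()
    for zone in api_response.get("result", []):  # assumed layout: zone + addresses
        if zone_filter and zone.get("zone") not in zone_filter:
            continue
        for addr in zone.get("addresses", []):
            try:
                nets.add(ipaddress.ip_network(addr, strict=False))
            except ValueError:
                continue  # skip malformed values rather than writing them to the list
    # IPv4 before IPv6, then numeric order, so successive runs diff cleanly
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]

def write_edl(lines: list[str], path: str) -> None:
    """One entry per line; lines starting with '#' are comments in PAN-OS EDLs."""
    with open(path, "w") as fh:
        fh.write("# Prisma Access addresses, regenerated on a schedule\n")
        fh.write("\n".join(lines) + "\n")

# Constructed sample in the API's documented response shape (placeholder values).
SAMPLE_RESPONSE = {"status": "success", "result": [
    {"zone": "us-east-1", "addresses": ["203.0.113.10", "203.0.113.10", "198.51.100.0/24"]},
    {"zone": "eu-central-1", "addresses": ["2001:db8::5", "not-an-ip"]},
]}

if __name__ == "__main__":  # run from cron every ~10 min and serve the file over HTTPS
    write_edl(build_edl(SAMPLE_RESPONSE), "prisma_edl.txt")
```

Replace SAMPLE_RESPONSE with fetch_prisma_addresses(api_key) in the scheduled job; keeping the file on an HTTPS server the firewalls trust is what lets the EDL refresh without commits.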