02-07-2023 03:40 PM
I'd like to ask your advice.
Is there any instruction somewhere on how to do the best set of rules on a PAN firewall to only allow traffic for GlobalProtect clients?
The clients are on a normal network with DHCP. They get DNS from the AD server.
I want the clients to get to the Internet only via Prisma Access. This means that the client passes through a firewall that only allows access to the Mobile Users gateways.
I have found via API in Panorama/Cloud Plugin GW addresses, Portals and even IP ranges. I gradually prepared the rules.
I still have a problem with this. After setting the rules it works. However, the next day it doesn't.
02-14-2023 01:19 AM - edited 02-14-2023 01:21 AM
You can try on the firewall to create a policy rule that allows only the GlobalProtect application from your source IP addresses/usernames/AD groups as a workaround.
Outside of that, better make a server that pulls your Prisma Access endpoint addresses using the API as you already saw, and then make an External Dynamic List that the Palo Alto firewalls can ingest, but it will be complex. You can also feed the firewalls using their API and modify the address object. As Prisma Access addresses change, better pull the data every maybe 10 minutes.
The API to retrieve the Prisma Access addresses:
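As an added example (not from the reply above or from Palo Alto Networks), the processing step between the API pull and the EDL: parse the JSON the address API returns, keep only valid IPs/CIDRs, and render one entry per line as a PAN-OS IP External Dynamic List, with a diff helper so each scheduled pull can log what changed. The response structure (a "result" list of zones with an "addresses" list) and the sample addresses are assumptions constructed for the example.

```python
import ipaddress
import json

# Constructed sample modelled on an address-list API response; the
# structure ("status", "result" -> zones -> "addresses") is an assumption.
# In production this string would be the body returned by the live API.
SAMPLE_RESPONSE = json.dumps({
    "status": "success",
    "result": [
        {"zone": "us-east-1", "addresses": ["203.0.113.10", "203.0.113.11"]},
        {"zone": "eu-west-1", "addresses": ["198.51.100.0/24", "203.0.113.10"]},
        {"zone": "ap-south-1", "addresses": ["not-an-ip"]},
    ],
})


def extract_addresses(raw_json: str) -> list[str]:
    """Return a sorted, de-duplicated list of IPs/CIDRs from the API payload.
    Entries that are not valid addresses or networks are skipped so one bad
    record cannot produce an EDL the firewall rejects."""
    data = json.loads(raw_json)
    if data.get("status") != "success":
        raise ValueError(f"API call did not succeed: {data}")
    nets = set()
    for zone in data.get("result", []):
        for addr in zone.get("addresses", []):
            try:
                nets.add(ipaddress.ip_network(addr, strict=False))
            except ValueError:
                continue  # skip malformed entries
    # Stable ordering (by IP version, then address) keeps successive pulls
    # comparable; single hosts are written without a /32 or /128 suffix.
    ordered = sorted(nets, key=lambda n: (n.version, n))
    return [str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
            for n in ordered]


def render_edl(addresses: list[str]) -> str:
    """One entry per line: the text format a PAN-OS IP EDL source is fetched in."""
    return "\n".join(addresses) + "\n"


def diff_lists(old: list[str], new: list[str]) -> tuple[list[str], list[str]]:
    """Return (added, removed) between two pulls so the change can be logged."""
    old_set, new_set = set(old), set(new)
    return sorted(new_set - old_set), sorted(old_set - new_set)


if __name__ == "__main__":
    addrs = extract_addresses(SAMPLE_RESPONSE)
    print(render_edl(addrs), end="")
    print(diff_lists(["203.0.113.10"], addrs))
```

The rendered text is what you would publish on the web server the firewall's EDL object points at, refreshed on the same schedule as the API pull.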
02-14-2023 04:34 AM
Thank you for your advice. However, it looks like the problem is in Authentication.
The GP client logs in and receives a cookie for 24 hours. However, after expiring this cookie, it is unable to re-authenticate.
I'll try enabling SAML portal now and see what happens.
02-14-2023 12:04 PM
Also check if the cookies are correctly configured, as maybe the portal cookie timeout is different from the gateway one: