This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About Mlhras0
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About Mlhras0
05-05-2023
2Posts
0Likes
0Solutions
May 05, 2023Last Visited
User
Activity
User
Profile
Latest posts by Mlhras0
| Subject | Views | Posted |
|---|---|---|
| 767 | 03-15-2023 08:38 AM | |
| 995 | 03-15-2023 08:20 AM |
User Badges
Community Statistics
| Member Since | 09-30-2022 10:55 AM |
| Date Last Visited | 05-05-2023 12:02 AM |
| Posts | 2 |
03-15-2023
08:38 AM
I dont have much experience with global protect and cleint VPNs on the Palo Alto. I have had similar problems with Anyconnect and an ASA.
For the users that you are having issues connecting to, what is the subnet of their local network? Does it overlap with one of the networks that should be tunneled through global protect? If there is an overlap, your server will know how to get to the user device, but the user device will then try to respond on the local network. When you change the prefered ip, the user device then sends traffic over the vpn. Once you do this, does the user device loose access to other devices on thier local network. In a command prompt on the user device you can run "route print" to show you what routes are on the computer and the gateway for each route.
I have seen this happen with users that connect directly to a comcast router. They get a 10.0.0.0/24 address. We used to use 10.0.0.0/16 for devices on our network. They would have issues getting to those first 254 addresses.
Matt
... View more
03-15-2023
08:20 AM
We have several Palo alto firewalls in production now. We currently have client vpn going to Cisco ASAs. We are looking to move the VPN to the Palo Alto. I have been able to get a single vpn profile working. Before we can move to the Palo Alto, i need to figure out how to get the Global protect vpn working similar to the ASA anyconnect vpns. On the ASA we have two profiles that allow our users to connect. A user can connect to either profile. Users can only connect to one of the profiles if they are using a domain joined computer. this check is done with Azure Saml login. A user can log in at https://ourrouter/vpn1 or https://ourrouter/vpn2. If the user has a domain joined computer they will be allowed to log in to vpn1 and they will have full access to our network. If the users chooses to log in to vpn2 or does not have a domain joined computer, once they log in, the computer has only RDP and DNS access to devices on our network. We also have a vendor vpn at https://ourrouter/vendor. We have a couple of AD groups for the vendors. If an acccount is a member of vendor1 group, they get allowed access to a couple of devices based on ACL. if the vendor is in vendor2group they get another ACL. we can add more vendor groups and add an acl for each of those groups. How would we go about creating a similar configuration on the Palo Alto?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-05-2023
12:02 AM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks