Sure. Here are some screenshots from my gateway configuration if that helps. Don't forget you will need rules to allow traffic between zones, and you will also need an internal route pointing to the Palo Alto firewall for whatever IP pool you assign that will issue IPs to the phones. For the interface, I have a public IP assigned to the loopback interface, but you could also use your gateway interface, whatever is easier. I have a block of IPs I use outside of the main gateway interface, which is why I am using loopback.

For the authentication page, you can select an existing SSL/TLS Service Profile or create one. For client authentication, you will want to set the OS type to X-Auth as shown here. The next screenshot shows the Client Authentication settings.

For the GlobalProtect Agent tab, you'll select a tunnel interface, enable IPSec, enable X-Auth support and set the Group Name parameters as shown. This is what will need to match in the Avaya configuration I detailed in my post above.

Next, click on the Client Settings tab and set up the IP Pool you will assign to the phones. You'll also need to split-tunnel your internal routes for the Avaya phone system and other user VoIP subnets. I'm not 100% sure these settings are required unless you are doing FQDN for the Avaya system. Our Telecom team has everything going to host IPs, so we really don't use any DNS on the phones. I just included them for reference.

That's really all there is to it. I set up a completely separate GP gateway just for the phones, and I have all of my regular VPN users connecting on a different gateway, but I also have a pool of public IPs to pull from, whereas that may not be an option.