GlobalProtect Cloud Service: Egress IP Control

Created On 09/25/18 15:19 PM - Last Modified 06/13/23 14:14 PM


Resolution


From cloud service to enterprise apps (SaaS or Public Cloud)

 

In the new GlobalProtect Cloud Service (GPCS) plugin 1.1.0, customers can now fetch the public egress IP addresses assigned to their ‘Global Protect Cloud Portals and Gateways’ and ‘Remote Networks’ instances using an API key that can be generated on Panorama.

 

They don’t have to rely on the Technical Assistance Center (TAC) to give them the public IP address. They can simply run a curl command with the API key generated from Panorama > Cloud Services > Configuration > Service Setup > Service Operations.

 

Customer Use Case

 

To prevent users from bypassing security and directly accessing applications hosted on public cloud or SaaS apps, customers deploy IP-based restrictions. Because the cloud service dynamically spins instances up and down as demand shifts, egress IPs change frequently. Without a way to learn the current egress IPs, customers would have to allow access from 'any' IP in order to use the cloud service, and that is a security risk they should not take.

 

Procedure to fetch Egress IPs from the GPCS Cloud Infrastructure:

-------------------------------------------------------------------------------

  1. Log in to the Panorama web UI and navigate to Panorama > Cloud Services > Configuration > Service Setup > Service Operations.

  2. Click on ‘Generate API key’.

  3. Copy the command from the ‘Usage Example’ and use it without needing to edit it.

     [The result/output of the curl command is not pasted here because it contains public IP addresses for the cloud environment used in this example.]

 

Note:

 

1. This output will not list ‘Service Connection’ IP addresses, as you can see them in the ‘Network Details’ tab on Panorama > Cloud Services > Status.

 

2. This API Key is valid until a new key is generated through 'Generate New API Key'. Once the new key is generated, the old key is unusable.

 

[user@Machine ~]# curl -k -H header-api-key:ixbi8pnrr3__ho3O8ez8E98ANGXhkvtux1zu8pGGE8Em6lTnvMTZ "https://api.gpcloudservice.com/getAddrList/latest?fwType=$fwType&addrType=$addrType"
{"message":"Unauthorized"}
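
The following is an added example, not code from the original article or from Palo Alto Networks. It turns a response from the endpoint above into an add/remove plan for the IP-based restrictions described under Customer Use Case, and stops when the service returns the Unauthorized message shown above. The article does not show the response layout, so the sample body, the function names and the layout-independent IPv4 extraction are assumptions.

```python
import ipaddress
import json
import re
import urllib.error
import urllib.request

API_URL = "https://api.gpcloudservice.com/getAddrList/latest"  # endpoint from the article
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Constructed sample body (documentation addresses); the real schema is not in the article.
SAMPLE_BODY = '{"addresses": ["198.51.100.10", "203.0.113.7"]}'

class KeyRejected(Exception):
    """The service answered {"message":"Unauthorized"}."""

def fetch(api_key, fw_type, addr_type):
    """GET the address list; fw_type/addr_type are the $fwType/$addrType values."""
    req = urllib.request.Request(f"{API_URL}?fwType={fw_type}&addrType={addr_type}",
                                 headers={"header-api-key": api_key})
    try:  # certificate verification stays on (urllib default)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.read().decode()  # an error status may still carry the JSON message

def extract_ips(body):
    """Return every valid IPv4 address in the body, whatever the JSON layout is."""
    doc = json.loads(body)  # raises ValueError on a non-JSON (e.g. proxy error) page
    if isinstance(doc, dict) and doc.get("message") == "Unauthorized":
        raise KeyRejected("API key rejected; generate a new key in Panorama")
    found = set()
    for candidate in IPV4_RE.findall(body):
        try:
            found.add(ipaddress.IPv4Address(candidate))
        except ValueError:
            continue  # dotted number that is not an address, e.g. 999.1.1.1
    return found

def plan_update(body, current_allowlist):
    """Return (to_add, to_remove) for the SaaS/public-cloud IP allow list."""
    fetched = extract_ips(body)
    if not fetched:
        raise ValueError("no addresses in response; refusing to empty the allow list")
    current = {ipaddress.IPv4Address(a) for a in current_allowlist}
    return sorted(fetched - current), sorted(current - fetched)

if __name__ == "__main__":
    to_add, to_remove = plan_update(SAMPLE_BODY, ["198.51.100.10", "192.0.2.44"])
    print("add:", [str(a) for a in to_add], "remove:", [str(a) for a in to_remove])
```

Refusing to act on an empty or rejected response keeps a failed fetch from silently wiping the allow list on the application side.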

 

For more information about GlobalProtect Cloud Service, please refer to our product page.

 


