How to Configure GlobalProtect Portal Page to be Accessed on any Port

Created On 09/25/18 17:30 PM - Last Modified 10/10/23 20:22 PM


Environment


  • PAN-OS 7.1, 8.0, 9.0
  • Palo Alto Firewall.
  • GlobalProtect Configured.


Resolution


Although it is not possible to change the port GlobalProtect uses, it is possible to use another port with help from a loopback IP address and security rules.

 

Steps:

  1. Create a loopback interface.
  2. Make sure the untrust interface can ping the loopback.
  3. Assign the loopback as the portal address and the gateway address.
  4. In the GlobalProtect Portal > Agent > External tab, set the external gateway address to the untrust interface IP with the new port (10.30.6.56:7000 for example).
  5. Create a Destination NAT rule that matches service 7000 destined to 10.30.6.56 (untrust interface) and translates it to 10.10.10.1 (loopback) on service 443.
  6. Create a security policy with the destination address as the untrust interface and services as 7000 and 443.
  7. With this configuration, you will be able to access the GlobalProtect portal page on https://10.30.6.56:7000, which will translate to https://10.10.10.1.
  8. Download and install the GlobalProtect client software.
  9. Use the credentials in the username & password fields. In the portal field, use the IP as 10.30.6.56:7000.
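
The loopback, Destination NAT and security-policy steps above, written as PAN-OS set-format CLI. This is an added example, not part of the original article. The object and rule names, the zone of the loopback (untrust), the virtual router (default) and the /32 mask are assumptions; the portal and gateway settings are left to the web interface. Lines starting with # are annotations, not commands.

```panos
configure

# Loopback that will host the portal and gateway (address from the article).
# Assumption: unit name loopback.1, /32 mask, virtual router "default", zone "untrust".
set network interface loopback units loopback.1 ip 10.10.10.1/32
set network virtual-router default interface loopback.1
set zone untrust network layer3 loopback.1

# Assumption: a management profile named allow-ping, so the loopback answers ping.
set network profiles interface-management-profile allow-ping ping yes
set network interface loopback units loopback.1 interface-management-profile allow-ping

# Service object for the external port (name tcp-7000 is an assumption).
set service tcp-7000 protocol tcp port 7000

# Destination NAT: 10.30.6.56:7000 (untrust interface) -> 10.10.10.1:443 (loopback).
set rulebase nat rules GP-Portal-7000 from untrust to untrust source any destination 10.30.6.56 service tcp-7000 destination-translation translated-address 10.10.10.1 translated-port 443

# Security policy: destination is the untrust interface address, services 7000 and 443.
# service-https is the predefined TCP/443 service object.
set rulebase security rules Allow-GP-7000 from untrust to untrust source any destination 10.30.6.56 application any service [ tcp-7000 service-https ] action allow

commit
```

If the loopback is placed in a different zone, the `to` zone in the security rule must be that zone, because the rule is evaluated against the pre-NAT destination address and the post-NAT zone.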

 
