Palo Alto Networks Knowledgebase: Deploying GlobalProtect with an Internal IP Behind an Edge Internet Device


Created On 02/07/19 23:49 PM - Last Updated 02/07/19 23:49 PM

Issue

GlobalProtect must be set up on a firewall whose untrust interface has a private (internal) IP address and sits behind an edge Internet device that performs NAT.

Resolution

Topology:

Internal Network > PAN (192.168.10.2/24) > (192.168.10.1/24) Internet Router (2.2.2.2/24) --- (2.2.2.1/24) ISP

Setup instructions:

  1. In the above setup, the edge Internet router (public address 2.2.2.2, LAN address 192.168.10.1) performs destination NAT (port forwarding) from its public address to the PAN's untrust interface, 192.168.10.2. The router must forward TCP 443 (portal and gateway SSL) and UDP 4501 (IPSec tunnel) to 192.168.10.2; if UDP 4501 is not forwarded, clients can still connect but fall back to an SSL tunnel. In home/small-office environments where the ISP assigns the router a dynamic public address, the same result can be achieved with a DynDNS name that always resolves to the router's current public address.

    For example, homexyz.dyndns.com resolves to 2.2.2.2, or to whatever public address the router most recently received from the ISP.

  2. In such an implementation, the GlobalProtect Portal and GlobalProtect Gateway are configured on the PAN untrust interface with its private IP address, 192.168.10.2, as shown in the screenshots below:
    [Screenshot: 4-28-16-gp1.png]
    [Screenshot: 4-28-16-gp2.png]

  3. However, the Client Configuration section under the Portal (the external gateway list) must contain the public IP address or FQDN of the edge device, not 192.168.10.2, as illustrated in the portal screenshot. This list of gateways is pushed to the client, which then tries to connect and tunnel to them, so a private address here is unreachable from the Internet. Where the router has a dynamic address, use the DynDNS name rather than the current IP. The portal address given to users and the certificate presented by the portal and gateway should likewise use the public FQDN, so that the name the client connects to matches the certificate.
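The following is an added example (not part of the original article or of any Palo Alto Networks code) that encodes the three steps above as a pre-commit sanity check: it derives the port forwards the edge router needs, and it rejects a portal gateway list that contains the firewall's private untrust address instead of the router's public IP or DynDNS name. The `Deployment` structure, its field names and the certificate-SAN check are assumptions made for the example; the port numbers TCP 443 and UDP 4501 are GlobalProtect's standard ports and are not stated in the article.

```python
"""Sanity-check a GlobalProtect-behind-NAT deployment.

Added example, not from the article. Assumed topology (from the article):
the firewall's untrust interface holds a private address (192.168.10.2) and
the edge router owns the public address (2.2.2.2) or a DynDNS name that
resolves to it. Field names, the Deployment class and the SAN check are
assumptions made for this example.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Loose RFC 1035-style host name: labels of letters/digits/hyphens, dotted, ending in a TLD.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


@dataclass
class Deployment:
    untrust_ip: str                                   # firewall untrust interface, e.g. 192.168.10.2
    public_address: str                               # router public IP or DynDNS FQDN
    client_gateways: List[str] = field(default_factory=list)  # entries the portal pushes to clients
    cert_sans: List[str] = field(default_factory=list)        # SANs on the portal/gateway certificate (assumed)


def classify(entry: str) -> str:
    """Return 'private-ip', 'public-ip', 'fqdn' or 'invalid' for a gateway entry."""
    try:
        ip = ipaddress.ip_address(entry)
    except ValueError:
        return "fqdn" if FQDN_RE.match(entry) else "invalid"
    return "private-ip" if ip.is_private else "public-ip"


def forwarding_rules(dep: Deployment) -> List[Tuple[str, int, str, int]]:
    """Port forwards the edge router needs: (proto, public port, internal host, internal port).

    TCP 443 carries the portal/gateway SSL sessions, UDP 4501 the IPSec tunnel
    (standard GlobalProtect ports, not taken from the article).
    """
    return [
        ("tcp", 443, dep.untrust_ip, 443),
        ("udp", 4501, dep.untrust_ip, 4501),
    ]


def check(dep: Deployment) -> List[str]:
    """Return a list of problems; an empty list means the config follows the article's rules."""
    problems = []
    if classify(dep.untrust_ip) != "private-ip":
        problems.append(f"untrust interface {dep.untrust_ip} is not a private address; "
                        "this check assumes the NAT topology from the article")
    if not dep.client_gateways:
        problems.append("portal client config pushes no gateways")
    public_is_dynamic_name = classify(dep.public_address) == "fqdn"
    for gw in dep.client_gateways:
        kind = classify(gw)
        if kind == "private-ip":
            # The classic mistake: copying the untrust IP into the client gateway list.
            problems.append(f"gateway entry {gw} is private; remote clients cannot reach it, "
                            f"use {dep.public_address}")
        elif kind == "invalid":
            problems.append(f"gateway entry {gw!r} is neither an IP address nor an FQDN")
        elif kind == "public-ip" and public_is_dynamic_name:
            # A literal IP breaks as soon as the ISP hands the router a new dynamic address.
            problems.append(f"gateway entry {gw} is a literal public IP but the router uses the "
                            f"dynamic name {dep.public_address}; use the name instead")
        # Exact-match SAN check (no wildcard handling); the client validates the server
        # certificate against the name or IP it connects to.
        if dep.cert_sans and gw not in dep.cert_sans:
            problems.append(f"gateway entry {gw} is not covered by certificate SANs {dep.cert_sans}")
    return problems


if __name__ == "__main__":
    # Constructed inputs mirroring the article's topology.
    wrong = Deployment("192.168.10.2", "2.2.2.2", ["192.168.10.2"])
    right = Deployment("192.168.10.2", "homexyz.dyndns.com",
                       ["homexyz.dyndns.com"], ["homexyz.dyndns.com"])
    for name, dep in (("wrong", wrong), ("right", right)):
        print(name, forwarding_rules(dep), check(dep) or "OK")
```

Run it as-is to see the private-address entry rejected and the DynDNS-based configuration accepted; drop `cert_sans` if you do not want the certificate check.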

owner: achitwadg



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHyCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
