Palo Alto Networks Knowledgebase: GlobalProtect setup when the Palo Alto Networks firewall is not the edge device

GlobalProtect setup when the Palo Alto Networks firewall is not the edge device

Created On 02/07/19 23:49 PM - Last Updated 02/07/19 23:49 PM
GlobalProtect Prisma Access
Resolution

This document walks you through the steps required to set up GlobalProtect on a firewall that is not the edge device. It also assumes that you are not performing NAT on the firewall.


The public IP address of the edge router in this example is 67.133.166.12

The outside interface IP address of the firewall in this example is 10.66.24.53


To set up GlobalProtect, follow these steps:

  1. Port-forward any traffic that arrives at the public IP of the edge router (67.133.166.12) to the outside interface IP address of the Palo Alto Networks firewall (10.66.24.53).
  2. On the firewall, create a GlobalProtect server certificate and set the CN to the public IP address of the edge router (67.133.166.12).
  3. The certificate CN must be the public IP of the router because that is the address users connect to; otherwise the client will see a certificate CN mismatch.
  4. Configure the GlobalProtect Portal on the outside interface of the Palo Alto Networks firewall. In the Portal's client configuration, where you specify the External/Internal Gateways, the gateway must be the public IP address of the edge router (67.133.166.12).
    You must configure the gateway in the client config as the public IP address of the edge router (67.133.166.12) because the Portal pushes this config to the client, and the client then tries to connect to the gateway specified in this setting. If the gateway specified here is the firewall address (10.66.24.53), the client will not know how to reach 10.66.24.53 and it will be stuck in the connecting state.
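The following is an added example (not from the article or from Palo Alto Networks) that checks the two points steps 2 to 4 depend on: the gateway address the Portal pushes must be routable from the internet, and the server certificate's CN/SAN must match that address. It uses the addresses from this article; the fetch_portal_cert() helper assumes you have the CA (or self-signed) certificate file that issued the GlobalProtect server certificate.

```python
import ipaddress
import socket
import ssl

EDGE_PUBLIC_IP = "67.133.166.12"     # edge router public IP (from the article): what clients dial
FIREWALL_OUTSIDE_IP = "10.66.24.53"  # firewall outside interface: port-forward target only

def gateway_reachable_from_internet(gateway_addr: str) -> bool:
    """The gateway the Portal pushes must be routable from the client; RFC1918 is not."""
    try:
        return ipaddress.ip_address(gateway_addr).is_global
    except ValueError:
        return True  # hostname rather than IP; assume it resolves publicly

def cert_matches_address(cert: dict, addr: str) -> bool:
    """Match a getpeercert()-style dict against the address clients connect to:
    an 'IP Address' or 'DNS' SAN, or the subject commonName as a fallback."""
    sans = cert.get("subjectAltName", ())
    if any(v == addr for kind, v in sans if kind in ("IP Address", "DNS")):
        return True
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return addr in cns

def check_setup(gateway_addr: str, cert: dict) -> list:
    """Return the misconfigurations the article warns about (empty list means OK)."""
    findings = []
    if not gateway_reachable_from_internet(gateway_addr):
        findings.append(f"gateway {gateway_addr} not reachable from the internet: "
                        "clients will sit in the connecting state")
    if not cert_matches_address(cert, gateway_addr):
        findings.append(f"certificate CN/SAN does not match {gateway_addr}: "
                        "clients will report a certificate mismatch")
    return findings

def fetch_portal_cert(addr: str, ca_file: str, port: int = 443) -> dict:
    """Connect as a client would and return the presented certificate. ca_file (assumed) is
    the CA or self-signed cert that issued the GP server cert; hostname checking is off so
    check_setup reports a mismatch instead of this call raising."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    with socket.create_connection((addr, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=addr) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    # Constructed certificate dict standing in for a live fetch_portal_cert() result
    sample_cert = {"subject": ((("commonName", EDGE_PUBLIC_IP),),),
                   "subjectAltName": (("IP Address", EDGE_PUBLIC_IP),)}
    print(check_setup(EDGE_PUBLIC_IP, sample_cert))       # []
    print(check_setup(FIREWALL_OUTSIDE_IP, sample_cert))  # two findings
```

Replace sample_cert with fetch_portal_cert(EDGE_PUBLIC_IP, "gp-ca.pem") to test the certificate actually presented through the port-forward.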


The Gateway configuration on the firewall is the same as in any normal scenario.


You should now be connected to GlobalProtect. 


