Palo Alto Networks Knowledgebase: GlobalProtect setup when the Palo Alto Networks firewall is not the edge device
Created On 02/07/19 23:49 PM - Last Updated 02/07/19 23:49 PM
This document walks you through the steps to set up GlobalProtect on a firewall that is not the edge device. It also assumes that the firewall is not performing NAT.
In this example, the public IP address of the edge router is 220.127.116.11.
The outside interface of the firewall is 10.66.24.53.
To set up GlobalProtect, follow these steps:
1. On the edge router, port-forward any traffic arriving at its public IP address (18.104.22.168) to the outside interface IP address of the Palo Alto Networks firewall (10.66.24.53).
2. On the firewall, create a GlobalProtect server certificate and set its CN to the public IP address of the edge router (22.214.171.124). The CN must be the router's public IP because that is the address users connect to; any other value produces a certificate CN mismatch on the client.
3. Configure the GlobalProtect Portal on the outside interface of the Palo Alto Networks firewall. In the Portal's client configuration, where you specify the External/Internal Gateways, set the gateway to the public IP address of the edge router (126.96.36.199). The gateway in the client configuration must be the router's public IP (188.8.131.52) because the Portal pushes this configuration to the client, and the client then tries to connect to whatever gateway address it was given. If the gateway is set to the firewall's own address (10.66.24.53), the client has no route to 10.66.24.53 and stays stuck in the Connecting state.
4. The Gateway configuration on the firewall itself is the same as in any normal scenario.
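The following pre-flight check is an added example, not Palo Alto Networks code. It encodes the two things the steps above say must line up when the firewall sits behind an edge router: the server certificate must name the address users actually connect to (the router's public IP), and the gateway address the Portal pushes must be that same public IP rather than the firewall's interface address, which Internet clients cannot route to. The function names, the finding messages, and the certificate dictionary layout (the shape returned by Python's `ssl.SSLSocket.getpeercert()`) are assumptions of this example; the sample values are the ones used in the article.

```python
"""Pre-flight consistency check for GlobalProtect behind an edge router.

Added example (hypothetical helper names); not part of the article or of
PAN-OS.  Checks a planned deployment against the two pitfalls the article
describes: certificate CN/SAN mismatch and an unroutable gateway address.
"""
import ipaddress


def cert_names(peercert: dict) -> set:
    """Collect the subject CN plus subjectAltName IP/DNS entries from a
    getpeercert()-style dict, e.g.
    {'subject': ((('commonName', '1.2.3.4'),),),
     'subjectAltName': (('IP Address', '1.2.3.4'),)}"""
    names = set()
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value)
    for kind, value in peercert.get("subjectAltName", ()):
        if kind in ("IP Address", "DNS"):
            names.add(value)
    return names


def cert_matches_address(peercert: dict, address: str) -> bool:
    """True if the certificate names the address the client connects to."""
    return address in cert_names(peercert)


def check_plan(edge_public_ip: str, firewall_outside_ip: str,
               peercert: dict, client_config_gateway: str) -> list:
    """Return a list of findings (empty list means the plan is consistent)."""
    findings = []
    public = ipaddress.ip_address(edge_public_ip)
    firewall = ipaddress.ip_address(firewall_outside_ip)
    gateway = ipaddress.ip_address(client_config_gateway)

    # Step 2: the certificate must carry the address users connect to.
    if not cert_matches_address(peercert, edge_public_ip):
        findings.append(
            f"certificate does not name {edge_public_ip}; "
            "clients will report a CN mismatch")

    # Step 3: the gateway pushed by the Portal must be reachable from the
    # Internet, i.e. the router's public IP, not the firewall interface.
    if gateway == firewall:
        findings.append(
            f"client config gateway {client_config_gateway} is the firewall "
            "interface; Internet clients cannot route to it and will stay "
            "in Connecting state")
    elif gateway.is_private:
        findings.append(
            f"client config gateway {client_config_gateway} is a private "
            "address and is not reachable from the Internet")
    elif gateway != public:
        findings.append(
            f"client config gateway {client_config_gateway} differs from "
            f"the edge router public IP {edge_public_ip}")
    return findings


# Constructed sample: the article's addresses and a certificate whose CN
# is the edge router's public IP, as step 2 requires.
SAMPLE_CERT = {
    "subject": ((("commonName", "220.127.116.11"),),),
    "subjectAltName": (("IP Address", "220.127.116.11"),),
}

if __name__ == "__main__":
    ok = check_plan("220.127.116.11", "10.66.24.53", SAMPLE_CERT, "220.127.116.11")
    bad = check_plan("220.127.116.11", "10.66.24.53", SAMPLE_CERT, "10.66.24.53")
    print("consistent plan findings:", ok)
    print("gateway set to firewall IP findings:", bad)
```

Run it before committing the Portal configuration; an empty findings list for the planned values means the certificate and the pushed gateway both point at the address clients will actually reach.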