How to Configure Global Protect Gateway on Loopback Interface with iPhone Access

How to Configure Global Protect Gateway on Loopback Interface with iPhone Access

Created On 09/25/18 17:50 PM - Last Modified 05/05/20 23:33 PM


In addition to using a non-https Global Protect Portal, you can access an associated Gateway on a configured loopback interface. If you only have one public-facing IP address, and you wish to host SSL-based applications, such as OWA on that IP, the following information provides the configuration steps for doing so.


Please follow Knowledge Base article How to Configure GlobalProtect Portal Page to be Accessed on any Port with one caveat. You'll need to create a second loopback interface in addition to the first loopback interface used for the Portal.


  • Pan-OS
  • GlobalProtect


Create additional loopback interface

Make sure the untrust interface can ping the loopback.

> ping source host 10.1.1.

    PING ( from : 56(84) bytes of data.

    64 bytes from icmp_seq=1 ttl=64 time=0.126 ms

    64 bytes from icmp_seq=2 ttl=64 time=0.068 ms


    User-added image

Assign loopback interface as the Portal address

User-added image

Assign loopback.2 interface as the Gateway address

User-added image


Create the following services and add them to a service group.

These services will be natted to our Gateway loopback interface. In this example, services were created destined for ports 500 (ike/ciscovpn), 4501 (ipsec-esp-udp).

The two custom services are added in addition to the predefined service-https to the gateway service group profile.


Create the services


Add the services to a service group object


Create the security policies as needed.

As noted in the prior KB article,  a rule is needed for the Portal page to redirect that traffic on a non-ssl standard port to our first loopback interface.

Here GP portal is accessed on port 7000 instead of port 443. Below this rule, another rule is created to the gateway allowing ike, ipsec, panos-global-protect, ssl and web-browsing respectively.




Create the NAT policy which will forward traffic to the second loopback (loopback.2) interface.

In this example, the gateway service group is utilized and used to forward traffic to, the loopback.2 interface previously configured.




Configure iPhone/iPad on the Gateway.

Enable 'X-Auth Support' on the gateway and create a Group Name and the Group Password respectively. This will be utilized when configuring the VPN profile on the mobile devices.


User-added image


Create the VPN Profile on the iPhone/iPad using the shared secret configured in the previous step. The password in the profile will need to match with the authentication method chosen (ie ldap, kerberos,localdb, etc).



Additional Information

Confirm access via your Global Protect client as well as your mobile device.


> show global-protect-gateway current-user


        GlobalProtect Name : gp-gateway (2 users)

        Domain User Name      Computer        Client          Private IP      Public IP      ESP    SSL    Login Time      Logout/Expiration TTL     Inactivity TTL

        ------ ---------      ---------      ----------      ---------      ---    ---    ----------      ----------------- ---      ----------- ---

              \renato          PAN01347        Windows 7 (Version 6.1 Build 7601 Service Pack 1)    exist  none    Oct.02 06:04:01 Nov.01 06:04:01  2589926  9641

              \renato    iPhone OS:6.0    exist  none    Oct.02 06:38:33 Oct.02 07:39:33  3657     10798



owner: rkalugdan

  • Print
  • Copy Link

Choose Language