This document describes how to configure GlobalProtect when you need full tunnel in some cases and split tunnel in others.
The GlobalProtect Resource List provides additional information on configuring and troubleshooting GlobalProtect.
In this example, we use the following interfaces:
ETH1 WAN : 88.88.88.88/32
ETH2 LAN : 192.168.0.1/24
Loopback : 1.1.1.1/32
VR: default
Two tunnel interfaces, both with the default VR and the LAN zone selected
(You can create a different zone for each tunnel interface; you then have to write security rules for those zones, and a NAT rule for the one used in full tunnel.)
1- Create a certificate
2- Create an Authentication Profile. (Here we use Local.)
3- Create Local Groups for Split and Full Tunnel
4- Create users in these groups.
5- Create a loopback interface
6- Configure the GlobalProtect Portal (you will only have one portal)
7- We need two different client configurations, one for split and one for full.
In each config, choose the matching user group that we created. Also, one gateway should have a port. Here we used 444, but you can use any port except 443.
8- Create two separate GlobalProtect Gateways, one on the WAN interface and one on the loopback interface. Each has a different IP pool.
9- Now we have to create NAT and security rules
Now, when you connect to the GlobalProtect Portal IP 88.88.88.88 using the client software, each group will have different access:
test1 user --------- Full Tunnel
test2 user --------- Split Tunnel
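
A consistency check for the plan above, as an added example that is not part of the original article: it models the two client configurations and verifies that the gateways are distinguishable, the IP pools do not overlap each other or the LAN, and every user lands in exactly one tunnel mode. The group names, the pool ranges, and the assignment of port 444 to the loopback gateway are assumptions made for illustration.

```python
import ipaddress

# From the article: portal/WAN 88.88.88.88, loopback 1.1.1.1, LAN 192.168.0.1/24, port 444.
# Assumed for illustration: group names, pool ranges, which gateway serves which mode.
LAN = ipaddress.ip_network("192.168.0.0/24")
GROUPS = {"gp-full": {"test1"}, "gp-split": {"test2"}}
CLIENT_CONFIGS = [
    {"name": "full", "group": "gp-full", "mode": "full",
     "gateway": ("88.88.88.88", 443), "bound_to": "ETH1", "pool": "10.10.1.0/24"},
    {"name": "split", "group": "gp-split", "mode": "split",
     "gateway": ("88.88.88.88", 444), "bound_to": "loopback", "pool": "10.10.2.0/24"},
]

def resolve(user, groups=GROUPS, configs=CLIENT_CONFIGS):
    """Return every client config whose user group contains the user."""
    return [c for c in configs if user in groups.get(c["group"], set())]

def check_plan(groups=GROUPS, configs=CLIENT_CONFIGS, lan=LAN):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    # Both gateways are reached through the same public IP, so the port must differ.
    endpoints = [c["gateway"] for c in configs]
    if len(set(endpoints)) != len(endpoints):
        problems.append("gateways share an address:port pair")
    # Each gateway needs its own pool, and no pool may collide with the LAN.
    pools = [(c["name"], ipaddress.ip_network(c["pool"])) for c in configs]
    for i, (name_a, net_a) in enumerate(pools):
        if net_a.overlaps(lan):
            problems.append(f"pool '{name_a}' overlaps the LAN")
        for name_b, net_b in pools[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"pools '{name_a}' and '{name_b}' overlap")
    # A user in both groups (or in none) has an ambiguous tunnel mode.
    for user in sorted(set().union(*groups.values())):
        names = [c["name"] for c in resolve(user, groups, configs)]
        if len(names) != 1:
            problems.append(f"user '{user}' matches {names or 'no config'}")
    return problems

if __name__ == "__main__":
    print(check_plan() or "plan is consistent")
    for u in ("test1", "test2"):
        c = resolve(u)[0]
        print(u, "->", c["mode"], "tunnel via", "%s:%d" % c["gateway"])
```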