Palo Alto Networks Knowledgebase: Using Global Protect with one gateway and both split & full tunnel

Created On 02/07/19 23:57 PM - Last Updated 02/07/19 23:57 PM
Resolution

 

This document describes how to configure GlobalProtect when you sometimes need full-tunnel and sometimes split-tunnel usage.

 

If you need more detail while configuring GlobalProtect, see the tech note:

GlobalProtect Configuration Tech Note

 

In this example the interfaces are addressed as follows:

 

ETH1 WAN : 88.88.88.88/32

ETH2 LAN :  192.168.0.1/24

Loopback : 1.1.1.1/32

VR: default

Two tunnel interfaces, each with the default VR and the LAN zone selected.
(You can create a different zone for each tunnel interface; you then have to write security rules for them, and a NAT rule for the one used for full tunnel.)

 

1- Create a certificate


2- Create an Authentication Profile. (Here we use Local.)

3- Create Local Groups for Split and Full Tunnel


4- Create users in these groups.


5- Create a loopback interface


6- Configure the GlobalProtect Portal. (You will only have one portal.)

7- We need two different client configurations, one for split tunnel and one for full tunnel.

In each configuration, choose the matching user group that we created. Also, one gateway must be given a port. Here we used 444, but you can use any port except 443.

 


 

8- Create two separate GlobalProtect Gateways, one on the WAN interface and one on the loopback interface. Each has a different IP pool.

 


 

9- Now create the NAT and security rules.

Now, when you connect to the GlobalProtect Portal at IP 88.88.88.88 using the client software, each group will have different access:

 

test1 user --------- Full Tunnel

test2 user --------- Split Tunnel
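
The constraints from steps 7 to 9 (distinct IP pools, a gateway port other than 443, a NAT rule for the full-tunnel side) can be checked against a written-down plan before it is entered on the firewall. The following is an added example, not part of the original article or any Palo Alto Networks tooling; the pool ranges, access routes, gateway names and the choice of which gateway is full tunnel are assumptions, and only port 444 comes from the article.

```python
import ipaddress
from itertools import combinations

# Constructed plan. Pool ranges, access routes, gateway names and which
# gateway is full vs split are assumptions; port 444 is from the article.
PLAN = [
    {"name": "gw-wan", "port": 443, "pool": "10.10.1.0/24",
     "access_routes": ["0.0.0.0/0"], "has_nat_rule": True},
    {"name": "gw-loopback", "port": 444, "pool": "10.10.2.0/24",
     "access_routes": ["192.168.0.0/24"], "has_nat_rule": False},
]

def tunnel_mode(gw):
    """Full tunnel if no access routes are set or a default route is pushed."""
    nets = [ipaddress.ip_network(r) for r in gw["access_routes"]]
    return "full" if not nets or any(n.prefixlen == 0 for n in nets) else "split"

def check_plan(plan):
    """Return a list of findings that break the article's constraints."""
    findings = []
    for a, b in combinations(plan, 2):
        # Distinct pools let security rules tell full and split users apart.
        if ipaddress.ip_network(a["pool"]).overlaps(ipaddress.ip_network(b["pool"])):
            findings.append(f"{a['name']} and {b['name']}: IP pools overlap")
        # Step 7: the second gateway needs a port other than the one in use.
        if a["port"] == b["port"]:
            findings.append(f"{a['name']} and {b['name']}: same port {a['port']}")
    modes = {gw["name"]: tunnel_mode(gw) for gw in plan}
    if sorted(modes.values()) != ["full", "split"]:
        findings.append(f"expected one full and one split gateway, got {modes}")
    for gw in plan:
        # Full-tunnel clients send Internet traffic through the firewall.
        if modes[gw["name"]] == "full" and not gw["has_nat_rule"]:
            findings.append(f"{gw['name']}: full tunnel without a NAT rule")
    return findings

if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan is consistent"]:
        print(line)
```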


