Which IP is Used for User-IP Mapping when Internal GlobalProtect is Configured and Multiple NIC Cards are Enabled?
Symptom
When Internal GlobalProtect is configured, no tunnel is created. By design, GlobalProtect reports only one client IP when sending a HIP report to a non-tunnel gateway. This means the user mapping will map only one IP when multiple NICs are enabled at the same time, and that will be the IP through which traffic reaches the gateway. The GlobalProtect client looks at the available route metric values and always selects the route with the lowest metric for sending GlobalProtect client events to the GlobalProtect gateway.
Environment
- PAN-OS
- GlobalProtect
Resolution
For example, a PC client has two NIC cards:
- Physical NIC with IP 192.168.0.21
- WiFi with IP 192.168.0.19
In the following example, the user is connected to the Internal GlobalProtect gateway through WiFi (IP=192.168.0.19):
The default route in the PC route table is as follows:
C:\Users\test>route print
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.2 192.168.0.19 25
The GlobalProtect users listing on the firewall shows that the user is connected with 192.168.0.19 and the user-IP mapping for the user "test" also shows 192.168.0.19:
> show global-protect-gateway current-user
GlobalProtect Gateway: GP_ext (0 users)
Tunnel Name : GP_ext-N
GlobalProtect Gateway: GP_gateway (1 users)
Tunnel Name : GP_gateway
Domain-User Name : :test
Computer : EVERYDAYLAPTOP
Client :
Private IP : 0.0.0.0
Public IP : 192.168.0.19
ESP : none
SSL : none
Login Time : Sep.17 21:28:41
Logout/Expiration : Oct.17 21:28:41
TTL : 2591896
Inactivity TTL : 10696
> show user ip-user-mapping all
IP Vsys From User IdleTimeout(s) MaxTimeout(s)
------------- ------ ------- ------------------------- -------------- -------------
192.168.0.19 vsys1 GP test 10692 10692
Total: 1 users
The following messages will be seen in sslvpn-access.log:
> tail follow yes webserver-log sslvpn-access.log
192.168.0.19 - - [Tue Sep 17 21:37:56 2013 PDT] "POST /ssl-vpn/login.esp HTTP/1.1" 200 2036
192.168.0.19 - - [Tue Sep 17 21:37:56 2013 PDT] "POST /ssl-vpn/hipreportcheck.esp HTTP/1.1" 200 552
192.168.0.19 - - [Tue Sep 17 21:37:56 2013 PDT] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 519
However, if the user connects through the second NIC with a physical cable, the following messages are seen in sslvpn-access.log:
> tail follow yes webserver-log sslvpn-access.log
192.168.0.21 - - [Tue Sep 17 21:36:40 2013 PDT] "POST /ssl-vpn/logout.esp? HTTP/1.1" 200 603
192.168.0.21 - - [Tue Sep 17 21:36:40 2013 PDT] "POST /ssl-vpn/prelogin.esp HTTP/1.1" 200 642
192.168.0.21 - - [Tue Sep 17 21:36:40 2013 PDT] "POST /ssl-vpn/login.esp HTTP/1.1" 200 2036
192.168.0.21 - - [Tue Sep 17 21:36:41 2013 PDT] "POST /ssl-vpn/hipreportcheck.esp HTTP/1.1" 200 551
The above output shows a logout event, followed by a login event sent from 192.168.0.21. This is because the default route with the lowest metric in the PC route table now goes out through 192.168.0.21:
C:\Users\test>route print
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.2 192.168.0.19 25
0.0.0.0 0.0.0.0 192.168.0.2 192.168.0.21 10
Immediately, the GlobalProtect mapping of current users on the firewall shows the user's IP as 192.168.0.21:
> show global-protect-gateway current-user
GlobalProtect Gateway: GP_ext (0 users)
Tunnel Name : GP_ext-N
GlobalProtect Gateway: GP_gateway (1 users)
Tunnel Name : GP_gateway
Domain-User Name : :test
Computer : EVERYDAYLAPTOP
Client :
Private IP : 0.0.0.0
Public IP : 192.168.0.21
ESP : none
SSL : none
Login Time : Sep.17 21:38:41
Logout/Expiration : Oct.17 21:38:41
TTL : 2591896
Inactivity TTL : 10696
The user-IP mapping for the user "test" also shows 192.168.0.21:
> show user ip-user-mapping all
IP Vsys From User IdleTimeout(s) MaxTimeout(s)
------------ -------- ------- -------------------- -------------- -------------
192.168.0.21 vsys1 GP test 10592 10592
Total: 1 users
If the WiFi adapter is now disabled or disconnected, sslvpn-access.log will show that the logout event is still sent from IP 192.168.0.21, because that interface still holds the lowest-metric route in the route table. This also triggers the mapping and the current GlobalProtect user entry to be updated; in this case the values remain unchanged and the output is the same:
> tail follow yes webserver-log sslvpn-access.log
192.168.0.21 - - [Tue Sep 17 21:38:37 2013 PDT] "POST /ssl-vpn/logout.esp? HTTP/1.1" 200 603
192.168.0.21 - - [Tue Sep 17 21:38:40 2013 PDT] "POST /ssl-vpn/prelogin.esp HTTP/1.1" 200 642
192.168.0.21 - - [Tue Sep 17 21:38:41 2013 PDT] "POST /ssl-vpn/login.esp HTTP/1.1" 200 2036
192.168.0.21 - - [Tue Sep 17 21:38:41 2013 PDT] "POST /ssl-vpn/hipreportcheck.esp HTTP/1.1" 200 551
C:\Users\test>route print
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.2 192.168.0.21 10
> show global-protect-gateway current-user
GlobalProtect Gateway: GP_ext (0 users)
Tunnel Name : GP_ext-N
GlobalProtect Gateway: GP_gateway (1 users)
Tunnel Name : GP_gateway
Domain-User Name : :test
Computer : EVERYDAYLAPTOP
Client :
Private IP : 0.0.0.0
Public IP : 192.168.0.21
ESP : none
SSL : none
Login Time : Sep.17 21:58:41
Logout/Expiration : Oct.17 21:58:41
TTL : 2591896
Inactivity TTL : 10696
> show user ip-user-mapping all
IP Vsys From User IdleTimeout(s) MaxTimeout(s)
------------ ------ ------ ------------------- -------------- -------------
192.168.0.21 vsys1 GP test 10392 10392
Total: 1 users
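To reproduce the selection rule walked through above, here is an added Python example (not from this article or from Palo Alto Networks) that picks the default route with the lowest metric from `route print` output, which is the interface IP the client will report and User-ID will map, and flags the source-IP change between successive login.esp requests in sslvpn-access.log that signals the mapping moving to the other NIC. The route table and log lines are constructed from the values in this article.

```python
import re

# Constructed `route print` excerpt with the two default routes from the
# article's two-NIC scenario (not a live capture).
ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.2    192.168.0.19      25
          0.0.0.0          0.0.0.0      192.168.0.2    192.168.0.21      10
"""

# Constructed sslvpn-access.log excerpt: login over WiFi, then the client
# re-logs in over the wired NIC once that route has the lower metric.
ACCESS_LOG = """\
192.168.0.19 - - [Tue Sep 17 21:35:56 2013 PDT] "POST /ssl-vpn/login.esp HTTP/1.1" 200 2036
192.168.0.19 - - [Tue Sep 17 21:35:56 2013 PDT] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 519
192.168.0.21 - - [Tue Sep 17 21:36:40 2013 PDT] "POST /ssl-vpn/logout.esp? HTTP/1.1" 200 603
192.168.0.21 - - [Tue Sep 17 21:36:40 2013 PDT] "POST /ssl-vpn/login.esp HTTP/1.1" 200 2036
"""

def default_routes(route_print):
    """Return [(interface_ip, metric), ...] for every 0.0.0.0/0 route."""
    routes = []
    for line in route_print.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "0.0.0.0" and f[1] == "0.0.0.0":
            routes.append((f[3], int(f[4])))
    return routes

def expected_mapping_ip(route_print):
    """Interface IP the client reports to a non-tunnel gateway: the default
    route with the lowest metric (first listed wins a tie); None if none."""
    routes = default_routes(route_print)
    return min(routes, key=lambda r: r[1])[0] if routes else None

LOG_RE = re.compile(r'^(\S+) - - \[[^\]]+\] "POST /ssl-vpn/(\w+)\.esp\?? HTTP/1\.1" (\d{3})')

def login_source_changes(log_text):
    """List (old_ip, new_ip) for each successful login.esp whose client IP
    differs from the previous login: the sign that the mapping moved NICs."""
    changes, last = [], None
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group(2) != "login" or m.group(3) != "200":
            continue
        ip = m.group(1)
        if last is not None and ip != last:
            changes.append((last, ip))
        last = ip
    return changes
```

Feed `expected_mapping_ip` the real `route print` output from a client and compare it with `show user ip-user-mapping all` on the firewall to confirm which NIC the mapping is following.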
Additional Information
Also see the following docs on configuration of GlobalProtect:
- How to Configure Internal GlobalProtect Only
- How to Configure GlobalProtect
- GlobalProtect Configuration Tech Note
owner: mbutt