No Route on the Palo Alto Networks Firewall to Reach GlobalProtect Clients

No Route on the Palo Alto Networks Firewall to Reach GlobalProtect Clients

15020
Created On 09/26/18 13:51 PM - Last Modified 02/07/19 23:47 PM


Resolution

Details

Users cannot assign their preferred IP on GlobalProtect clients for their devices, and so it is mandatory for configuring a IP Pool on the Palo Alto Networks firewall. After user authentication, the firewall will assign an IP from its configured pool for the offered and available IPs. The firewall should automatically create a route through the configured tunnel interface.This auto generated route is used as a reverse route for replying to the connected GlobalProtect clients.

The firewall will generate a route for the offered/available IPs, only if tunnel interface is assigned on a virtual-router. The virtual-router should be chosen as per the traffic flow.

Bind VR to the tunnel interface (this tunnel should be the same configured on the GlobalProtect gateway):

Go to Network > GlobalProtect > Gateways > Client Configuration, below is the Tunnel Interface on the gateway:

gateway tunnel.PNGtunnel bind.PNG

Shown below is the User Authentication and IP Assignment:

ipoffered.PNG            ippool.PNG

Shown below, see routes for offered IP 55.55.55.55/32 through tunnel.55 and another route for 55.55.55.56/32 for the available IP on pool.

Route auto generation in default-VR:

route for tunnel.55.PNG

Note: Even though it is an auto generated route, the firewall will flag it as active-static.

owner: skumarasam



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CluKCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language