How is the address assignment managed on the GlobalProtect Gateway?
Created On 03/25/20 07:01 AM - Last Modified 03/26/21 17:38 PM
Question
How is the address assignment managed on the GlobalProtect Gateway?
Environment
- PAN-OS
- GlobalProtect Gateway
Answer
The GP gateway assigns IP addresses to GP users according to the following points:
Pools
As long as the first pool still has free addresses, addresses are assigned from this pool. If the first pool is exhausted, the gateway looks into the next one (and so on).
For more information, please check the KB article - GlobalProtect: IP Address Assignment When Having More Than One IP Pool
IP assignment
The IP address assigned is random within the pool in use. It is possible to have a "preferred" IP address; please check the KB article - How to Set a Preferred IP Address for GlobalProtect VPN Users
Reserved Addresses in a pool
When the pool is written in network prefix format (e.g. 192.168.1.0/24), the 2^n-2 rule is applied to the pool to determine the number of usable addresses. For instance, a /24 pool contains 254 usable addresses (2^8 - 2 = 254).
There is no need to exclude the network and broadcast IP addresses; this is done automatically.
When the pool is written as a network range (e.g. 192.168.1.1-192.168.1.10), the rule does not apply and all the addresses in the range are usable.
Lease of IP address
There is no lease for the IP addresses. Once a user is disconnected, their IP address can be reassigned to the next user.
Retrieve Framed-IP-Address attribute from authentication server option
This option allows the gateway to assign the IP address received from the external authentication server (RADIUS). For an example of implementation, please check the KB article - How to Assign a Fixed IP address to GlobalProtect Users with Active Directory (LDAP) Authentication using the Framed-IP-Address attribute.
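The pool, reserved-address and lease rules above can be checked against a planned pool list with a small model. This is an added example, not PAN-OS code; the names usable_addresses and GatewayModel are hypothetical, and rejecting /31 and /32 pools is an assumption because the article does not cover them.

```python
import ipaddress
import random

def usable_addresses(pool):
    """Return the assignable addresses for one pool definition (hypothetical helper)."""
    if "-" in pool:
        # Range format: every address in the range is usable.
        first, last = (ipaddress.IPv4Address(p.strip()) for p in pool.split("-"))
        if last < first:
            raise ValueError(f"range end precedes start: {pool}")
        return [ipaddress.IPv4Address(i) for i in range(int(first), int(last) + 1)]
    net = ipaddress.IPv4Network(pool, strict=True)
    if net.prefixlen > 30:
        # Assumption: the article does not say how /31 and /32 pools are treated.
        raise ValueError(f"prefix too long for the 2^n-2 rule: {pool}")
    # Prefix format: network and broadcast addresses are excluded (2^n - 2).
    return list(net.hosts())

class GatewayModel:
    """Toy model of the assignment rules described in the article."""

    def __init__(self, pools, rng=None):
        self.pools = [usable_addresses(p) for p in pools]  # order matters
        self.in_use = {}                                   # address -> user
        self.rng = rng or random.Random()

    def capacity(self):
        return sum(len(p) for p in self.pools)

    def connect(self, user):
        # The first pool that still has a free address is used.
        for idx, pool in enumerate(self.pools):
            free = [a for a in pool if a not in self.in_use]
            if free:
                addr = self.rng.choice(free)  # random within the pool in use
                self.in_use[addr] = user
                return idx, addr
        return None                           # every pool is exhausted

    def disconnect(self, addr):
        # No lease: the address is free for the next user immediately.
        self.in_use.pop(addr, None)

if __name__ == "__main__":
    gw = GatewayModel(["192.168.1.0/24", "192.168.2.1-192.168.2.10"])  # constructed pools
    print(gw.capacity())  # 254 + 10
```

Because a freed address can go straight to another user, the model also shows why gateway logs need the timestamp and username, not only the IP address, to attribute activity.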
Additional Information
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/authentication-types/radius.html