How to change or override (from Panorama) the GlobalProtect gateway interface from CLI
5617
Created On 04/15/21 19:52 PM - Last Modified 08/01/25 20:35 PM
Objective
This article provides the correct CLI commands to be used when configuring GP gateway interface and/or IP address.
Environment
- Palo Alto Networks firewall
- PAN-OS 8.1 and above.
- GlobalProtect gateway configured or pushed from a template stack in Panorama.
Procedure
To change the interface associated with the GP gateway, the following CLI commands can be used. In The example below, GP gateway is already configured on Ethernet1/1.
- Use the following CLI commands to change the GP gateway interface correctly:
Firewall CLI to change the local GP gateway interface:
> configure
#set network tunnel global-protect-gateway GP-Gateway-N local-address interface ethernet1/3 ip ipv4 192.168.20.1/24
Panorama CLI to change the same:
> configure
#set template <template-name> config network tunnel global-protect-gateway GP-Gateway-N local-address interface ethernet1/3 ip ipv4 192.168.20.1/24
Note: Notice the "-N" which is automatically appended to the gateway name "GP-Gateway". This indicates the network settings of the GP gateway where the interface binding actually takes place. With the above command, changes will be accurately reflected in the web UI.
- If a specific use case requires the user to override a Panorama pushed GP gateway locally on the firewall CLI, use the following commands:
> configure
# override global-protect global-protect-gateway GP-Gateway
# override network tunnel global-protect-gateway GP-Gateway-N
# set network tunnel global-protect-gateway GP-Gateway-N local-address interface ethernet1/3 ip ipv4 192.168.20.1/24
Note: Both the override commands have to be issued first before changing the interface using the 3rd command.
Making the same change from web UI is straightforward because there is no separate override button for the network tunnel settings. A single override button in the GP settings and subsequent change of the interface will automatically override the network tunnel settings.
Additional Information
- Customers previously assumed the following command would accomplish the same task as the steps mentioned above, however, the change will not take effect and it will not reflect in the web UI:
> configure
# set global-protect global-protect-gateway GP-Gateway local-address interface ethernet1/3 ip ipv4 192.168.20.1/24
- This behavior is because the interface binding of the GP gateway actually happens under the network > tunnel > global-protect-gateway hierarchy instead of the global-protect > global-protect-gateway hierarchy.
- These two config hierarchies can be distinguished when viewing from CLI using the # show command or the XML version of the config when exported. From the web UI, it is not very apparent because everything is configured under Network > GlobalProtect > Gateways.
- At least for the interface binding, it is indicated by the heading "Network Settings".