Palo Alto GlobalProtect VPN Configuration [2024 IMPROVED!!!]

You're welcome, I'm glad you liked it!

No worries, I'm glad you liked the video!

Very nice, I'm glad we could help you 😊

Hi. Thank you for the comment and for your feedback! These feedbacks help us a lot to improve the video quality. :)

Cool! I'm glad I could help.

Thank you, I hope I could help!

Cool, I'm glad you liked it. Let me know later if it worked in your lab

@@netsums Sure, will do. also can you please create one for SSL forward & SSL Inbound decryption.?

Here a video about SSL Forward Proxy: ua-cam.com/video/UuKcjfQicNw/v-deo.html. I still need to do the one about SSL Inbound, though. I will keep it in mind.

I'm glad you liked it. 👍

Glad you enjoyed it!

What do you mean exactly? Do you mean site to site VPN?

Thank you. We just bought the cheapest one we found, since it was just for our lab.
I released a video about 2 weeks ago (Inbound SSL Decryption) where I show how you can import a Let's Encrypt certificate to the firewall, if you're interested. As a result, you get a public certificate for free. :-) But for that you need a Linux server. Take a look there and let me know if that's what you were looking for:
ua-cam.com/video/HIt65vK2TXI/v-deo.htmlfeature=shared

Hi. I'm glad you liked the video. Here we bought a certificate for vpn.netsums.com, but there are other videos that we created a Root-CA certificate on the firewall (CA), and used this CA to sign other certificates we generated locally. Could I answer your question? :-)

Hi. I will consider it for an upcoming video. Thank you for the request.

Hi. Do any of the sub interfaces have a public IP? If not, you would have to configure NAT somewhere. If I were you, I think I would configure a loopback address specially for the portal and gateway configuration and configure the address translation from the public IP to this loopback address. Would it be possible? How does it sound for you?

@@netsums so neither of these sub interfaces have public IP, however I do have NAT gateway outside of PA. These sub interfaces are plugged in through endpoints for traffic inspection.
Where do I need to configure these loopback addresses and how should I configure the address translation?

You configure the loopback addresses under network -> interfaces. I unfortunately cannot help you with the configuration of your gateway NAT on AWS, because it has been a long time I configured one. It should be a static NAT, all packets addressed to the public IP should be forwarded to THE firewall loopback address.
If it's too complicated, you can also forward to a physical interface. I just think the configuration with the loopback is "cleaner", because you have a dedicated interface for GlobalProtect. Just a personal preference. :-)

Sorry, I don't think I can help you there. Maybe set your MTU to 1350 or something like this? You can configure it in the portal configuration, under App. Otherwise you could take a look at the GlobalProtect client logs, maybe some errors could point you to the right direction.

@@netsums thanks for the reply. I have seen post about setting the MTU but I have no idea how to do that. Can you guide me where\how I can access the portal config?

On the firewall, you go to network -> GlobalProtect -> portals. Click on your portal and click on Agent. Click on your agent configuration and select the tab App. There you need to search for MTU (you can use the browser search, it works), if I'm not mistaken, there is only one option with MTU in it.

There are many reasons for the connection not to be working. But I would start with verifying if the firewall in US can route the global protect network. If yes, I would verify if the encryption domain in the s2s tunnel is encrypting the global protect traffic going to the US servers. Do you see the traffic arriving in US or not?
I am assuming the global protect user is connecting to a gateway in India.

Hi. I am not sure I understood your problem. Do you have GlobalProtect setup with internal gateway? What does the log from the GlobalProtect client say (under settings -> troubleshooting)? I would suggest to start with the event log (I think it's called pan_gp_event.log).

Hi. Yes, it is. Just be careful that for android you need the GlobalProtect Gateway license.

Hi. Yes, you're looking for internal gateway. Take a look at this video: ua-cam.com/video/5PvzQ2GoUR0/v-deo.htmlsi=-vB6IKju_5Sz7vXw

@@netsums sorry that not what I meant what I want is for users not to auto connect to global protect if they are sitting in the office I only want them to order. Connect to Global protect when they go home.

The only way I know around this problem is to use the internal host detection that I show in this video.

Strange. Are you using Panorama for the configuration? If yes, are your gateway and tunnel configurations in different templates?

@@netsums yes I am using Panorama for this deployment -- there are two existing GP Portals & Gateways -- the logs show only one template --thank you

does your training course cover Panorama deployments & configuration ?

Take a look in the template stack to see if everything is there, the gateways, the tunnels and the virtual routers, if you're still having problems.
And yes, the course I'm building will cover templates and device groups deployment. :-)

@@netsums the interfaces , gateways and tunnels are all part of the same template stack

If you have a public IP for your portal, you don't need NAT. You said it correctly, it is typically like this, but not a requirement. You can have a private IP for your portal, as I have in my lab, and still make it reachable from the Internet through a NAT device doing destination NAT.

@@netsumsthank you very much for the response. I recently tried configuring a gp vpn on a client's FW in which they had an existing gp vpn tunnel but wanted a second...i was creating the second GP VPN using their public IP that they use for the existing GP VPN. This caused users to redirect. Do you know off the top of your head by chance why that is? I thought the packet would reach its final destination (the FW) and would get to the code and go to the correct Portal and GW(?). Our new plan is to use a spare public IP they have for the new tunnel.

I would strongly recommend you to use the second IP for the other portal, I don't think Palo Alto supports two portals sharing the same interface. Why do you need a new portal, anyway? Different authentication methods?

When you say new tunnel, do you mean new GlobalProtect Gateway? If I were you, I would configure second portal and second gateway sharing the same public IP. The tunnel interface doesn't need an IP address.

@@netsums thank you again for your response sir. The client needs a second GP VPN Tunnel because they want to authenticate with corp laptops with certificate, they have an existing GP VPN tunnel for personal devices.
I am going to work with the client in about two hours from now to configure it up. The plan is to use their second public IP for the new GP VPN Tunnel. Only thing I'm unsure of now is how routing and NAT will work with this but I'm looking into it now and think I can figure it out on the fly, hopefully, when I hop on the call with them to see how their current is configured.

That's a good suggestion! I'll keep this in mind, thanks!

I'm not sure. Give it a try to see if it accepts the configuration.