Global Protect Gateway IP Question

I’ve got a question about the IP of the default gateway when connected to Global Protect. I am getting 0.0.0.0 as the default gateway and 255.255.255.255 as the subnet mask and wanted to see if that was normal?

Under Network → GlobalProtect → Gateways → Gateway Name → Agent → Client Settings → Configs → IP Pools, I’ve got an IP Pool for VPN Users that pulls from Addresses under Objects, and it is set as IP Netmask of 10.10.253.0/24.

We were troubleshooting a VPN issue and the user had 10.10.253.1 as an IP, and .1 is usually the gateway for everything here, but I can’t find a gateway set anywhere for Global Protect users. When I connected I got the 0.0.0.0 and wanted to make sure that was all correct.

Thanks for any help.

There’s no default GW concept with GP. The IP you’re getting is fine.

Under the Split Tunnel tab, have you included any prefixes that need to route across the tunnel? That is how you define what needs to come across it. If you want all traffic to come over the tunnel then add 0.0.0.0/0 in the Include section.

Make sure you refresh client settings on the GP client after making any changes on the firewall.

I put the .1 of the GP subnet on the tunnel interface. It is not required but it gives you a pingable IP within the same zone so you can at least tell if you are getting to the firewall. It also gives you a first hop in traceroutes which I find useful for troubleshooting.

No, we don’t have anything listed in the include, only the exclude. I’ve gathered all the Office 365 IPs and put them in a group, mainly because we don’t want Teams going through the VPN and causing issues for meetings and calls.

I am on Teams calls all day long with it all going through the tunnel out the firewall at our datacenter without issues.

Why not try to just add prefixes in the include section rather than exclude. You also definitely need something in Include if you want traffic to come across the tunnel.

If you add your private ranges to Include, that should be enough. All internet traffic will break out locally on the client.

I guess I am not sure what you mean by prefixes?

Everything seems to be coming across just fine, and this is the first time we have heard of this problem (mapped drive not connecting). In trying to figure out why the one user couldn’t get to the file server, we noticed the IP of the gateway. We do have all the IPs of the internal networks we can add to the include section though.

Yeah a prefix is nothing but an IP subnet. Like 10.10.253.0/24 is a prefix.

So if all user and server IPs fall under 10.10.0.0/16, just add this prefix to the include section and it will all come through the tunnel. This will include all local Teams traffic too.

Ah, got it, thanks.

But with the exclude of the 365 IPs that traffic will still use the local/home internet connection and not go over the VPN correct?

Yeah it will. It’s just simpler to use positive enforcement by only including your private ranges to Include.

Everything else will break out locally. You can test that with a traceroute, or you can see the route table in the GP client under Troubleshooting.

Sounds good. Appreciate the help.

If you leave include BLANK it will include all traffic. Ignore the fool that is telling you to do so. Excluding the teams IPs only excludes those, everything else gets included automatically.
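The thread argues about two ways to build the split-tunnel policy: leave Include blank and carve out the Office 365 group with Exclude, or put only the private ranges in Include so everything else breaks out locally. The script below is an added example, not code from the thread or from Palo Alto Networks; it models the client's routing decision so you can check which destinations would cross the tunnel before pushing a change. It takes from the thread that a blank Include means all traffic is tunneled, and it assumes (not stated in the thread) that when a destination matches both an Include and an Exclude entry the more specific prefix wins, with Exclude winning an exact tie. The Office 365 range is stood in for by the documentation prefix 203.0.113.0/24, and 198.51.100.5 is a constructed "random internet host"; the 10.10.0.0/16 and 10.10.253.0/24 values are the ones the thread uses.

```python
"""Model of how GlobalProtect Include/Exclude split-tunnel lists decide
whether a destination is routed through the tunnel.

Assumptions (not from the thread): overlapping entries are resolved by
longest-prefix match, and an Exclude entry wins over an Include entry of
the same length. A blank Include list is treated as 0.0.0.0/0, which is
what the thread says happens.
"""
from ipaddress import ip_address, ip_network

ALL_TRAFFIC = ip_network("0.0.0.0/0")


def split_tunnel_routes(include, exclude):
    """Build the effective route list: (network, via_tunnel) pairs sorted so
    that the most specific prefix is checked first. Blank Include -> tunnel all.
    On equal prefix length an Exclude entry sorts before an Include entry
    (assumption, see module docstring)."""
    incl = [ip_network(p) for p in include] or [ALL_TRAFFIC]
    excl = [ip_network(p) for p in exclude]
    routes = [(net, True) for net in incl] + [(net, False) for net in excl]
    return sorted(routes, key=lambda r: (r[0].prefixlen, not r[1]), reverse=True)


def via_tunnel(dst, include, exclude):
    """True if packets to dst cross the VPN tunnel, False if they break out
    on the client's local internet connection."""
    addr = ip_address(dst)
    for net, tunneled in split_tunnel_routes(include, exclude):
        if addr in net:
            return tunneled
    return False  # no Include entry covers it: local breakout


def policy_report(include, exclude, destinations):
    """Map each destination to 'tunnel' or 'local' under the given lists."""
    return {
        dst: ("tunnel" if via_tunnel(dst, include, exclude) else "local")
        for dst in destinations
    }


# Constructed stand-in for the Office 365 address group from the thread.
O365_STANDIN = ["203.0.113.0/24"]

# Destinations to probe: an internal file server in the 10.10.0.0/16 space,
# a GP client address from the 10.10.253.0/24 pool, an "O365" host, and a
# constructed unrelated internet host.
PROBES = ["10.10.1.5", "10.10.253.1", "203.0.113.10", "198.51.100.5"]

# Option A, the original poster's setup: Include blank, Exclude = O365 group.
OPTION_A = policy_report([], O365_STANDIN, PROBES)

# Option B, positive enforcement: Include = private range only, Exclude empty.
OPTION_B = policy_report(["10.10.0.0/16"], [], PROBES)

if __name__ == "__main__":
    for name, report in (("A: blank Include + Exclude O365", OPTION_A),
                         ("B: Include 10.10.0.0/16 only", OPTION_B)):
        print(name)
        for dst, path in report.items():
            print(f"  {dst:<15} -> {path}")
```

Running it shows the difference the last two posts are arguing about: under option A the unrelated internet host is tunneled (blank Include means everything except the excluded group comes across), while under option B it breaks out locally and only 10.10.0.0/16 is tunneled. Compare the output against the route table in the GP client's Troubleshooting tab after refreshing client settings, since that table is what the client actually installed.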