Scenario:
Palo hosting GlobalProtect is behind another device that is NATing the public IP to the outside IP of the palo which has a private IP. We are able to get to the public IP ok and get the portal, download the client etc. Of note, we are using a private IP on the outside interface on the inside palo which is the portal and gateway IP for the globalprotect config.
When connecting to the public IP with the client we see authentication for the portal but the gateway times out.
No NAT policies on the inside palo at all.
Private self generated cert on the inside palo.
I’ve tried a loopback on the gateway interface, removing the split tunnel. Nothing works and nothing good in logs.
Anyone else have to work through a scenario like this?
Thanks
What ports are you allowing through the device doing NAT? You need TCP-443 and UDP-4501
Does it need IPSEC? I thought it would fail over to 443 if IPSEC wasn't available.
We had the udp/4501 added to the upstream device and still no dice. I’m pretty sure it has to do with certificates at this point but with the two devices being involved that confuses things.
It can’t be a certificate issue if you are forwarding 443 through and not decrypting the traffic on the NAT device. This is easy to prove by going to the portal address in your browser.
There’s not a lot to check here besides the obvious stuff.
- Are you allowing TCP 443 and UDP 4501? Even if not the latter, unless you disabled it, GlobalProtect would fall back to SSL when connecting to the gateway.
- Do you have a rule from untrust any to the untrust IP used by the portal and gateway for the above ports? (You're better off using the built-in apps for this instead of ports.)

With all that, see what happens; check the traffic logs to see if anything is denied or not showing something expected. Also, check the GlobalProtect logs.
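The two checks above (are TCP/443 and UDP/4501 reaching the portal/gateway address, and is anything being denied in the traffic log?) can be scripted against an exported traffic log. The block below is an added example, not code from the thread or from Palo Alto Networks; it assumes a simplified CSV export with the column order given in `FIELDS` (a real PAN-OS traffic log export has many more columns, so map the indexes to your export first), and the gateway IP `10.1.1.2`, the rule names and the log lines are all constructed for the example. It distinguishes the three outcomes a practitioner cares about: the port is allowed on the firewall, it is hit but denied (typically by the default interzone rule), or no session ever appears (the upstream NAT device is not forwarding it).

```python
"""Triage GlobalProtect reachability from exported PAN-OS traffic-log lines.

Added example for the thread above, not vendor code. The column layout below
is an assumption made for this example; adjust FIELDS to your own export.
"""
import csv
import io
from collections import defaultdict

# Ports GlobalProtect needs reachable on the portal/gateway address:
# TCP/443 for the portal and the SSL gateway tunnel, UDP/4501 for IPsec.
REQUIRED = {("tcp", 443), ("udp", 4501)}

# Assumed column order of the exported log (constructed for this example).
FIELDS = ["receive_time", "src", "dst", "proto", "dport", "app", "rule", "action"]

# Constructed sample: a healthy TCP/443 session, a UDP/4501 session dropped by
# the default interzone rule, and an unrelated SSH attempt as noise.
SAMPLE_LOG = """\
2024/01/01 10:00:01,203.0.113.5,10.1.1.2,tcp,443,panos-global-protect,Allow-GP,allow
2024/01/01 10:00:02,203.0.113.5,10.1.1.2,udp,4501,ipsec-esp-udp,interzone-default,deny
2024/01/01 10:00:03,203.0.113.9,10.1.1.2,tcp,22,ssh,interzone-default,deny
"""


def parse_log(text):
    """Parse CSV text into a list of dicts keyed by FIELDS; dport becomes int."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        rec["dport"] = int(rec["dport"])
        rows.append(rec)
    return rows


def triage(rows, gw_ip):
    """Return {(proto, port): status} for every port GlobalProtect needs at gw_ip.

    status is "allowed" (at least one allowed session), "denied" (sessions seen
    but every one was denied, e.g. by the default interzone rule), or "missing"
    (no session at all, i.e. the packets never reached this firewall and the
    upstream NAT device is the place to look).
    """
    seen = defaultdict(set)
    for r in rows:
        if r["dst"] != gw_ip:
            continue
        seen[(r["proto"], r["dport"])].add(r["action"])

    status = {}
    for key in sorted(REQUIRED):
        actions = seen.get(key, set())
        if "allow" in actions:
            status[key] = "allowed"
        elif actions:
            status[key] = "denied"
        else:
            status[key] = "missing"
    return status


def verdict(status):
    """Summarise: IPsec tunnel available, SSL fallback only, or broken."""
    tcp, udp = status[("tcp", 443)], status[("udp", 4501)]
    if tcp != "allowed":
        return f"broken: tcp/443 is {tcp}; portal and SSL gateway unreachable"
    if udp == "allowed":
        return "ok: IPsec tunnel on udp/4501 available"
    return f"ssl-fallback: udp/4501 is {udp}; gateway will use SSL unless IPsec is required"


if __name__ == "__main__":
    status = triage(parse_log(SAMPLE_LOG), "10.1.1.2")
    for (proto, port), st in status.items():
        print(f"{proto}/{port}: {st}")
    print(verdict(status))
```

Run it against an export filtered to the gateway address; a "missing" result for both ports while the portal page still loads in a browser points at the upstream device rather than the firewall policy, and "ssl-fallback" is the expected state when only TCP/443 is forwarded, since the client drops to SSL when UDP/4501 is unavailable.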
The situation you’re describing is how every single Palo in AWS/Azure/GCP works.