great presentation, it is just my preference that should not move the screen around because it is difficult to follow. Again it is just for me. good job!
Here a video about SSL Forward Proxy: th-cam.com/video/UuKcjfQicNw/w-d-xo.html. I still need to do the one about SSL Inbound, though. I will keep it in mind.
Amazing video. Thank you! I think, after watching it I was able to figure out why I am getting connected to portal but the connection fails at finding the best available gateway. I misconfigured the Agent External part which is crucial to connect to the gateway
Thanks for the great video, Can you do video for pass-through IPSec traffic, where the Palo Alto Networks firewall is just an intermediate device between two IPSec peers,
Great video, it was very informative. I realize you purchased the certificate from Digicert, but can you show which certificate type you chose and the step by step process to import the certificate? I've seen the self signed certificate process, but that's not quite the same. Again, great video!!
Thank you. We just bought the cheapest one we found, since it was just for our lab. I released a video about 2 weeks ago (Inbound SSL Decryption) where I show how you can import a Let's Encrypt certificate to the firewall, if you're interested. As a result, you get a public certificate for free. :-) But for that you need a Linux server. Take a look there and let me know if that's what you were looking for: th-cam.com/video/HIt65vK2TXI/w-d-xo.htmlfeature=shared
Hi. I'm glad you liked the video. Here we bought a certificate for vpn.netsums.com, but there are other videos that we created a Root-CA certificate on the firewall (CA), and used this CA to sign other certificates we generated locally. Could I answer your question? :-)
Thank you for this video, I have a quick question, since I have centralized approach to achieve Hub and spoke model in AWS, which allows data flow on only one private interface in Palo Alto but those are divided into 3 sub interfaces(ingress, egress and east - west). Could you please guide in that case how should I proceed the configurations of Global Protect?
Hi. Do any of the sub interfaces have a public IP? If not, you would have to configure NAT somewhere. If I were you, I think I would configure a loopback address specially for the portal and gateway configuration and configure the address translation from the public IP to this loopback address. Would it be possible? How does it sound for you?
@@netsums so neither of these sub interfaces have public IP, however I do have NAT gateway outside of PA. These sub interfaces are plugged in through endpoints for traffic inspection. Where do I need to configure these loopback addresses and how should I configure the address translation?
You configure the loopback addresses under network -> interfaces. I unfortunately cannot help you with the configuration of your gateway NAT on AWS, because it has been a long time I configured one. It should be a static NAT, all packets addressed to the public IP should be forwarded to THE firewall loopback address. If it's too complicated, you can also forward to a physical interface. I just think the configuration with the loopback is "cleaner", because you have a dedicated interface for GlobalProtect. Just a personal preference. :-)
hello my friend. I have a problem in my environment that, every time the user logs into the internal environment, global protect closes the connection and the client cannot access the internal network. It's as if global protect blocked access. How can I resolve this situation? can you help me?
Hi. I am not sure I understood your problem. Do you have GlobalProtect setup with internal gateway? What does the log from the GlobalProtect client say (under settings -> troubleshooting)? I would suggest to start with the event log (I think it's called pan_gp_event.log).
@@netsums sorry that not what I meant what I want is for users not to auto connect to global protect if they are sitting in the office I only want them to order. Connect to Global protect when they go home.
Hi , I was trying Verizon home internet and noticed whenever i connect my machine to work via global protec the speed goes really down. Why is that? Is there anything I can do to fix?
Sorry, I don't think I can help you there. Maybe set your MTU to 1350 or something like this? You can configure it in the portal configuration, under App. Otherwise you could take a look at the GlobalProtect client logs, maybe some errors could point you to the right direction.
@@netsums thanks for the reply. I have seen post about setting the MTU but I have no idea how to do that. Can you guide me where\how I can access the portal config?
On the firewall, you go to network -> GlobalProtect -> portals. Click on your portal and click on Agent. Click on your agent configuration and select the tab App. There you need to search for MTU (you can use the browser search, it works), if I'm not mistaken, there is only one option with MTU in it.
If you have a public IP for your portal, you don't need NAT. You said it correctly, it is typically like this, but not a requirement. You can have a private IP for your portal, as I have in my lab, and still make it reachable from the Internet through a NAT device doing destination NAT.
@@netsumsthank you very much for the response. I recently tried configuring a gp vpn on a client's FW in which they had an existing gp vpn tunnel but wanted a second...i was creating the second GP VPN using their public IP that they use for the existing GP VPN. This caused users to redirect. Do you know off the top of your head by chance why that is? I thought the packet would reach its final destination (the FW) and would get to the code and go to the correct Portal and GW(?). Our new plan is to use a spare public IP they have for the new tunnel.
I would strongly recommend you to use the second IP for the other portal, I don't think Palo Alto supports two portals sharing the same interface. Why do you need a new portal, anyway? Different authentication methods?
When you say new tunnel, do you mean new GlobalProtect Gateway? If I were you, I would configure second portal and second gateway sharing the same public IP. The tunnel interface doesn't need an IP address.
@@netsums thank you again for your response sir. The client needs a second GP VPN Tunnel because they want to authenticate with corp laptops with certificate, they have an existing GP VPN tunnel for personal devices. I am going to work with the client in about two hours from now to configure it up. The plan is to use their second public IP for the new GP VPN Tunnel. Only thing I'm unsure of now is how routing and NAT will work with this but I'm looking into it now and think I can figure it out on the fly, hopefully, when I hop on the call with them to see how their current is configured.
Hi, it's a informative video, but my question is how to ping global protect user to outside server. like 1 on premise server installed in India and second server install in US. site A and Site B both side configured ip sec tunnel (site to site VPN), in my case global protect user not able to ping US server. could you please provide the solution.
There are many reasons for the connection not to be working. But I would start with verifying if the firewall in US can route the global protect network. If yes, I would verify if the encryption domain in the s2s tunnel is encrypting the global protect traffic going to the US servers. Do you see the traffic arriving in US or not? I am assuming the global protect user is connecting to a gateway in India.
Take a look in the template stack to see if everything is there, the gateways, the tunnels and the virtual routers, if you're still having problems. And yes, the course I'm building will cover templates and device groups deployment. :-)
FREE Palo Alto Cheat Sheet in different formats and further FREE resources: netsums.com/resources
Good Job, Ricardo!
Thank you, I hope I could help!
Great explanation, thanks!
You're welcome, I'm glad you liked it!
Good Tutorial...updated and accurate! Thanks
Glad it was helpful, thank you for the feedback.
Thank you for video. I learned a lot.
Very nice, I'm glad we could help you 😊
Great video! Thank you for what you do!
No worries, I'm glad you liked the video!
great presentation, it is just my preference that should not move the screen around because it is difficult to follow. Again it is just for me. good job!
Hi. Thank you for the comment and for your feedback! These feedbacks help us a lot to improve the video quality. :)
you explained very well. let me test this in lab
Cool, I'm glad you liked it. Let me know later if it worked in your lab
@@netsums Sure, will do. also can you please create one for SSL forward & SSL Inbound decryption.?
Here a video about SSL Forward Proxy: th-cam.com/video/UuKcjfQicNw/w-d-xo.html. I still need to do the one about SSL Inbound, though. I will keep it in mind.
good video thank you
Glad you enjoyed it!
Amazing video. Thank you! I think, after watching it I was able to figure out why I am getting connected to portal but the connection fails at finding the best available gateway. I misconfigured the Agent External part which is crucial to connect to the gateway
Cool! I'm glad I could help.
awesome
I'm glad you liked it. 👍
Thanks for the great video, Can you do video for pass-through IPSec traffic, where the Palo Alto Networks firewall is just an intermediate device between two IPSec peers,
What do you mean exactly? Do you mean site to site VPN?
Great video, it was very informative. I realize you purchased the certificate from Digicert, but can you show which certificate type you chose and the step by step process to import the certificate? I've seen the self signed certificate process, but that's not quite the same. Again, great video!!
Thank you. We just bought the cheapest one we found, since it was just for our lab.
I released a video about 2 weeks ago (Inbound SSL Decryption) where I show how you can import a Let's Encrypt certificate to the firewall, if you're interested. As a result, you get a public certificate for free. :-) But for that you need a Linux server. Take a look there and let me know if that's what you were looking for:
th-cam.com/video/HIt65vK2TXI/w-d-xo.htmlfeature=shared
Good Video...
Very good 👍, if you could show how certificates has done for this GP, would be lovely. Thank you for your hard work
Hi. I'm glad you liked the video. Here we bought a certificate for vpn.netsums.com, but there are other videos that we created a Root-CA certificate on the firewall (CA), and used this CA to sign other certificates we generated locally. Could I answer your question? :-)
Thanks you! So can you show us how to configured with multiple gateway? It would be useful.
Hi. I will consider it for an upcoming video. Thank you for the request.
Thank you for this video, I have a quick question, since I have centralized approach to achieve Hub and spoke model in AWS, which allows data flow on only one private interface in Palo Alto but those are divided into 3 sub interfaces(ingress, egress and east - west). Could you please guide in that case how should I proceed the configurations of Global Protect?
Hi. Do any of the sub interfaces have a public IP? If not, you would have to configure NAT somewhere. If I were you, I think I would configure a loopback address specially for the portal and gateway configuration and configure the address translation from the public IP to this loopback address. Would it be possible? How does it sound for you?
@@netsums so neither of these sub interfaces have public IP, however I do have NAT gateway outside of PA. These sub interfaces are plugged in through endpoints for traffic inspection.
Where do I need to configure these loopback addresses and how should I configure the address translation?
You configure the loopback addresses under network -> interfaces. I unfortunately cannot help you with the configuration of your gateway NAT on AWS, because it has been a long time I configured one. It should be a static NAT, all packets addressed to the public IP should be forwarded to THE firewall loopback address.
If it's too complicated, you can also forward to a physical interface. I just think the configuration with the loopback is "cleaner", because you have a dedicated interface for GlobalProtect. Just a personal preference. :-)
hello my friend.
I have a problem in my environment that, every time the user logs into the internal environment, global protect closes the connection and the client cannot access the internal network. It's as if global protect blocked access.
How can I resolve this situation? can you help me?
Hi. I am not sure I understood your problem. Do you have GlobalProtect setup with internal gateway? What does the log from the GlobalProtect client say (under settings -> troubleshooting)? I would suggest to start with the event log (I think it's called pan_gp_event.log).
hi sir I am using Palo Alto VM trail version there is no license, can I perform this practical?
I'm not sure. Give it a try to see if it accepts the configuration.
Hello, with always on, is there a way to exclude auto connecting to GP when user is in the corporate network?
Hi. Yes, you're looking for internal gateway. Take a look at this video: th-cam.com/video/5PvzQ2GoUR0/w-d-xo.htmlsi=-vB6IKju_5Sz7vXw
@@netsums sorry that not what I meant what I want is for users not to auto connect to global protect if they are sitting in the office I only want them to order. Connect to Global protect when they go home.
The only way I know around this problem is to use the internal host detection that I show in this video.
Hi , I was trying Verizon home internet and noticed whenever i connect my machine to work via global protec the speed goes really down. Why is that? Is there anything I can do to fix?
Sorry, I don't think I can help you there. Maybe set your MTU to 1350 or something like this? You can configure it in the portal configuration, under App. Otherwise you could take a look at the GlobalProtect client logs, maybe some errors could point you to the right direction.
@@netsums thanks for the reply. I have seen post about setting the MTU but I have no idea how to do that. Can you guide me where\how I can access the portal config?
On the firewall, you go to network -> GlobalProtect -> portals. Click on your portal and click on Agent. Click on your agent configuration and select the tab App. There you need to search for MTU (you can use the browser search, it works), if I'm not mistaken, there is only one option with MTU in it.
I wonder how NAT applies to this? the portal URL is typically public IP? this just requires DNS record of the public facing IP on the firewall?
If you have a public IP for your portal, you don't need NAT. You said it correctly, it is typically like this, but not a requirement. You can have a private IP for your portal, as I have in my lab, and still make it reachable from the Internet through a NAT device doing destination NAT.
@@netsumsthank you very much for the response. I recently tried configuring a gp vpn on a client's FW in which they had an existing gp vpn tunnel but wanted a second...i was creating the second GP VPN using their public IP that they use for the existing GP VPN. This caused users to redirect. Do you know off the top of your head by chance why that is? I thought the packet would reach its final destination (the FW) and would get to the code and go to the correct Portal and GW(?). Our new plan is to use a spare public IP they have for the new tunnel.
I would strongly recommend you to use the second IP for the other portal, I don't think Palo Alto supports two portals sharing the same interface. Why do you need a new portal, anyway? Different authentication methods?
When you say new tunnel, do you mean new GlobalProtect Gateway? If I were you, I would configure second portal and second gateway sharing the same public IP. The tunnel interface doesn't need an IP address.
@@netsums thank you again for your response sir. The client needs a second GP VPN Tunnel because they want to authenticate with corp laptops with certificate, they have an existing GP VPN tunnel for personal devices.
I am going to work with the client in about two hours from now to configure it up. The plan is to use their second public IP for the new GP VPN Tunnel. Only thing I'm unsure of now is how routing and NAT will work with this but I'm looking into it now and think I can figure it out on the fly, hopefully, when I hop on the call with them to see how their current is configured.
tks for this video, its similar configuration for android user ?
Hi. Yes, it is. Just be careful that for android you need the GlobalProtect Gateway license.
Can we use wildcard certificate for multiple gateway ?
Yes, it should not be a problem.
Hi, it's a informative video, but my question is how to ping global protect user to outside server. like 1 on premise server installed in India and second server install in US. site A and Site B both side configured ip sec tunnel (site to site VPN), in my case global protect user not able to ping US server. could you please provide the solution.
There are many reasons for the connection not to be working. But I would start with verifying if the firewall in US can route the global protect network. If yes, I would verify if the encryption domain in the s2s tunnel is encrypting the global protect traffic going to the US servers. Do you see the traffic arriving in US or not?
I am assuming the global protect user is connecting to a gateway in India.
thank you -- the software will not accept my tunnel interface -- "invalid tunnel reference" in validate commit
Strange. Are you using Panorama for the configuration? If yes, are your gateway and tunnel configurations in different templates?
@@netsums yes I am using Panorama for this deployment -- there are two existing GP Portals & Gateways -- the logs show only one template --thank you
does your training course cover Panorama deployments & configuration ?
Take a look in the template stack to see if everything is there, the gateways, the tunnels and the virtual routers, if you're still having problems.
And yes, the course I'm building will cover templates and device groups deployment. :-)
@@netsums the interfaces , gateways and tunnels are all part of the same template stack
can you make one for ipv6 as well please?
That's a good suggestion! I'll keep this in mind, thanks!
Thomas Matthew Rodriguez Eric Lewis Sandra
Jones Sharon Davis Daniel Young George