- Documentation Home
- Palo Alto Networks
- Live Community
- Knowledge Base
- GlobalProtect
- GlobalProtect Portals
Set Up Access to the GlobalProtect Portal
Globalprotect docs.
- 10.1 & Later
- Create the interfaces (and zones) for the firewall where you plan to configure the portal.
- Set up the portal server certificate, gateway server certificate, SSL/TLS service profiles , and, optionally, any client certificates to deploy to end users to enable SSL/TLS connections for the GlobalProtect™ services.
- Define the optional authentication profiles and certificate profiles that the portal can use to authenticate GlobalProtect users.
- Configure a GlobalProtect Gateway and understand Gateway Priority in a Multiple Gateway Configuration .
- Select Network GlobalProtect Portals , and then Add a portal.
- Enter a Name for the portal. The gateway name cannot contain spaces and must be unique for each virtual system.
- ( Optional ) Select the virtual system to which this portal belongs from the Location field.
- Select General .
- In the Network Settings area, select an Interface .
- The IP address type can be IPv4 Only , IPv6 Only , or IPv4 and IPv6. Use IPv4 and IPv6 if your network supports dual stack configurations, where IPv4 and IPv6 run at the same time.
- The IP address must be compatible with the IP address type. For example, 172.16.1.0 for IPv4 addresses or 21DA:D3:0::2F3b for IPv6 addresses. For dual stack configurations, enter both an IPv4 and IPv6 address.
- Select an SSL/TLS Service Profile .
- To set the Portal Login Page for user access to the portal, select the factory-default login page, Import a custom login page, or Disable access to the login page.
- To set the App Help Page to provide assistance to users with the GlobalProtect app, select the factory-default help page, Import a custom help page, or select None to remove the Help option from the Settings menu of the GlobalProtect status panel.
- Select Authentication .
- To secure communication between the portal and the GlobalProtect app, select the SSL/TLS Service Profile that you configured for the portal.
- To authenticate users through a local user database or an external authentication service, such as LDAP, Kerberos, TACACS+, SAML, or RADIUS (including OTP), Define the GlobalProtect Client Authentication Configurations .
- If you want to require users to authenticate to the portal using both user credentials AND a client certificate, both a Certificate Profile and Authentication Profile are required.
- If you want to allow users to authenticate to the portal using either user credentials OR a client certificate, and you select an Authentication Profile for user authentication, the Certificate Profile is optional.
- If you want to allow users to authenticate to the portal using either user credentials OR a client certificate, and you do not select an Authentication Profile for user authentication, the Certificate Profile is required.
- If you do not configure any Authentication Profile that matches a specific OS, the Certificate Profile is required.
- Select Portal Data Collection .
- If you want the GlobalProtect app to collect machine certificates from connecting endpoints, select the Certificate Profile that specifies the machines certificates that you want to collect.
- To collect registry data from Windows endpoints, select Windows and then Add the Registry Key and corresponding Registry Value .
- To collect plist data from macOS endpoints, select Mac and then Add the Plist key and corresponding Key value.
- Click OK to save the settings.
- Commit the changes.
Recommended For You
© 2024 Palo Alto Networks, Inc. All rights reserved.
Configuration Changes Required on GlobalProtect with an Upstream NAT Device
Environment.
- Palo Alto Firewalls.
- PAN-OS 7.1 and above.
- GlobalProtect.
- NAT configured on Upstream device.
Example scenario:
PAN Eth1/3 192.168.1.1 (Private IP) with a Static NAT on the upstream device of 1.1.1.1 (Public IP)
The following steps applies the IP addresses from the example scenario described above.
- Generate Portal and Gateway server certificates with the Common Name configured for the Public IP address: FQDN that resolve to 1.1.1.1 or IP address of 1.1.1.1 as Common Name.
- To setup the GlobalProtect Portal go to GUI: Network > GlobalProtect > Portal > Portal Configuration and use the untrust interface Eth1/3 and Private IP address assigned to interface.
- Configure Client Configuration Gateway IP address to the Public IP address
Other users also viewed:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKHCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
- Get Started News & Events Events Ignite Conference News Welcome Guide LIVEcommunity Support Info FAQ
- Discussions Network Security Next-Generation Firewall Discussions VM-Series in the Public Cloud VM-Series in the Private Cloud CN-Series Discussions AIOps for NGFW Discussions Panorama Discussions GlobalProtect Discussions Strata Logging Service Discussions Cloud NGFW Discussions Cloud Delivered Security Services Threat & Vulnerability Discussions Endpoint (Traps) Discussions Enterprise Data Loss Prevention Discussions Next-Generation CASB Discussions IoT Security Discussions Secure Access Service Edge Prisma Access Discussions Prisma Access Insights Discussions Prisma Access for MSPs and Distributed Enterprises Discussions Prisma Access Cloud Management Discussions Prisma SD-WAN Discussions Prisma SD-WAN CloudBlades Discussions Prisma SD-WAN AIOps Discussions Autonomous DEM Discussions Cloud Native Application Protection Prisma Cloud Discussions Cloud Identity Engine Discussions Security Operations Cortex XDR Discussions Cortex XSOAR Discussions Cortex Xpanse Discussions Cortex XSIAM Discussions General Topics Custom Signatures VirusTotal
- Blogs Community Blogs Engineering Blogs
- Products Network Security GlobalProtect Next-Generation Firewall Cloud NGFW for AWS Cloud NGFW for Azure AIOps for NGFW Strata Cloud Manager Strata Logging Service Getting Started With VM-series Private Cloud Oracle Cloud Infrastructure Alibaba Cloud AWS GCP Azure CN-Series Panorama Threat Prevention Services SSL Decryption App-ID Content-ID User-ID 5G Cloud Delivered Security Services Next-Generation CASB IoT Security Enterprise Data Loss Prevention Secure Access Service Edge Prisma Access Prisma Access Insights Autonomous Digital Experience Management Prisma Access Cloud Management Prisma Access for MSPs and Distributed Enterprises Prisma SD-WAN Prisma SD-WAN CloudBlades Prisma SD-WAN AIOps Cloud Native Application Protection Prisma Cloud Cloud Identity Engine Security Operations Cortex XDR Cortex XSOAR Cortex Xpanse Cortex XSIAM Hub
- Tools Integration Resources App for QRadar Cloud Integration Expedition HTTP Log Forwarding Maltego for AutoFocus
- Education Services Certification Instructor-Led Training Digital Learning Education Services Help Center Education Services Upcoming Events Education Services Articles
- Member Recognition Spotlight News Member Spotlights Member Testimonials Cyber Elite Program
- Podcasts PANCast™ PANCast™ Episodes PANCast™: Episode Ideas Submission Threat Vector
Unlock your full community experience!
- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
LDAP is not sending framedIPAddress for GlobalProtect Static Assignment
- LIVEcommunity
- Discussions
- General Topics
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
04-25-2018 01:39 PM
10-22-2018 03:42 AM - edited 10-22-2018 03:43 AM
10-22-2018 06:10 AM
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
- GlobalProtect client cant access internal resources in GlobalProtect Discussions 08-19-2022
- Assign Fixed IP Address to Global Protect Users with ldap+radius in GlobalProtect Discussions 02-15-2022
- Is it possible to share which Globalprotect VPN address was assigned to which user/real client ip address to other systems? in GlobalProtect Discussions 08-20-2021
- Error message "Assign Private IP address failed" with GlobalProtect 5.0 app. in General Topics 02-19-2019
- DMZ network redesign in General Topics 07-01-2018
- About Palo Alto Networks
- Privacy Policy
- Terms of Use
- Community Blogs
- Community Help
- Knowledge Base
IMAGES
VIDEO
COMMENTS
Configure the Framed-IP-Attribute on the AD Server for the User :- Open the properties of the User on Active Directory Server. Go to "Dial-in" tab. Check "Assign Static IP Addresses" and click on "Static IP Addresses" button. Check "Assign a static IPv4 address:" and enter the fixed IP address which needs to be assigned to that GlobalProtect user.
As for a static assignment there is actually two ways to do this: Registry reserved-ipv4 reserved-ipv6 options. Framed-IP-Address Attribute. Personally, I would recommend going the Framed-IP-Address method if you are looking for static IP assignments. It's easier to maintain and you don't need to be monkeying around with the registry on every ...
You must configure the following interfaces and zones for your GlobalProtect infrastructure: GlobalProtect portal. —Requires a Layer 3 or loopback interface for the GlobalProtect apps' connection. If the portal and gateway are on the same firewall, they can use the same interface. The portal must be in a zone that is accessible from outside ...
The DHCP IP address pool you configure on the GlobalProtect gateway should match the IP pool in the DHCP server. If you configure DHCP IP addresses incorrectly on the GlobalProtect gateway, the traffic will not flow as expected.
Check "Assign Static IP Addresses" and button on "Static IP Addresses" button. Check "Assign a static IPv4 address:" plus enter the established IP address which needs to be assigned to the GlobalProtect user. Additional Information. The corresponding decimal value the the IP address configured can be noticed among the "Attribute Editor" tab of ...
A few of our end users have mentioned they cannot get a static IP to stick using the registry hack and I haven't found any other way to configure it. It's relatively painless if you have a Microsoft Server / LDAP. On the individual accounts, you can add the IP you want, and then in the GP settings click the 'Retrieve Framed-IP'. Would say ...
The only way to really do this that I'm aware of would be to assign different gateway client configs per user, with that ip per config. This would not work with shared ip pool, and doesn't really scale well. Why not use userid in your policy for access to resources, with a deny after, and allow the gw ips as a whole to access to resource?
It grabs the next available IP from pool-1 and offers it to the client; The GlobalProtect client reads the IP, but it overlaps with the address on its physical NIC, so it declines the IP address; The firewall receives the decline and moves its memory pointer to pool-2. The firewall offers the client a new IP from pool-2; A third client comes in.
For example, if an authentication cookie was originally issued to an endpoint with a public source IP address of 201.109.11.10, and the subnet mask of the network IP address range is set to /24, the authentication cookie is subsequently valid on endpoints with public source IP addresses within the 201.109.11./24 network IP address range.
I have an IP pool - 192.168.1./24. User A, UserB, User C. Authentication profile is (Active directory) When user A will connect through the external gateway for this user IP address should be assigned - 192.168.1.10. When user B will connect through the external gateway for this user IP address should be assigned - 192.168.1.50.
The portal address is the address where outside GlobalProtect clients connect. In most cases, this is the outside interface's IP address. The gateway address is usually the same outside IP address. GlobalProtect Connect Methods: On-demand: Requires manually connecting when access to the VPN is required.
Configure the GlobalProtect portal as follows: Before you begin to configure the portal, make sure you: Create the interfaces (and zones) for the firewall where you plan to configure the portal. Set up the portal server certificate, gateway server certificate, SSL/TLS service profiles, and, optionally, any client certificates to deploy to end ...
Hello, For Cisco ASA, I can configure fixed IP address for SSL VPN user by using LDAP attribute "msRADIUSFrameIPAddress IETF-Radius-Framed-IP-Address ".(SSL VPN is authenticated by AD window 2008). Now, I'm using PAN and I don't know how to configure assigning static IP address for GloblaProtect client.
The portal will send the GW IP address that the client will connect to and it will need to be the NAT Public IP address, which is this example: 1.1.1.1. To configure the GlobalProtect Gateway go to GUI: Network > GlobalProtect > Gateway > Add and use the untrust interface Eth1/3 and Private IP address assigned to interface.
We are trying to configure static IP assignment in globalprotect and have selected the "Retrieve framed ip address" option on the client gateway. I've also selected "Static IP Assignment" under the Dial-In tab in AD for the users and given them IPs that fall in the pool for static assignment, however my clients are not receiving their static ...