Firewall GlobalProtect Portal and Gateway

Configuring the portal and gateway was a bit tricky, mainly because I found the mix of two different authentications in the same configuration confusing. One portal and one gateway can handle the configuration. There's no need to create one for pre-logon and one for SAML, which was my first bet.

The agent configurations contain some important bits: the "Authentication" and "Config Selection Criteria" tabs contain standard config. The App page contains some important changes: by default, the value is -1.

An internet-facing interface in an untrusted zone and a tunnel interface in the GP zone. In Azure, I've configured the interfaces like so, and add the 10.0.0.5 as a secondary address on the VM NIC in Azure.

For a non-Azure deployment, and if using a shared gateway, it's a little different. With a shared gateway, creating public-facing interfaces in different zones is possible like this, as long as it's a physical interface. If I don't have a physical interface, I can use a loopback with a public address for VPN termination (both GP and S2S). But I can't use the same zone logic as with physical interfaces like this: internal packet processing requires a logical interface to be in the same zone as the public interface in the shared gateway.

Routing to the client IP addresses is automatically added. The firewall will add as small chunks of the subnet as possible, based on used IP addresses. A static route can be added to cover the entire scope and redistributed to BGP, if having a lot of small scopes in the route tables is not desirable.

Adding a second gateway is dependent.
Regardless of whether it's in Azure or on-prem, the setup is the same for the first gateway. The pre-logon certificate profile doesn't have anything to do with SAML. However, it still has to be specified like this. Could just use the same for both, really.
Requires Azure AD and some other server stuff that someone else will configure. Other than that it is quite simple and the integration is A+. Mainly I just care about the "Single sign-on" tab. When adding a new firewall/gateway, the URL has to be added in here: the URL to add is the gateway address making the authentication request. Following the Azure documentation, just download the Federation Metadata XML file.