11-01-2024 07:08 AM
Hello,
I have been implementing our Palo Alto GlobalProtect VPN and we have been having trouble accessing internal resources after setting security policies. I had an amateur question that I would appreciate any input on.
When setting up the agent connection, a unique IP address is created and assigned within the firewall to the GP client. The client has set policies that allow traffic into the intrazone from the outside interface on the firewall. Do I still need to build a VLAN interface for this unique IP within my 9200 core and assign it to the trunk ports? I am not sure how the traffic is able to traverse our network to our internal servers without the internal network knowing about the unique IP range, which currently exists solely in the firewall.
11-01-2024 07:14 AM
Usually the firewall performs NAT translation and has a route towards the internal network.
It is not a good idea to have the client VPN on the same segment as the internal network.
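To make the answer above concrete, here is an added Python simulation (not from this thread, and not Palo Alto or Cisco code) of the forward and return path for a GlobalProtect client reaching an internal server; all addresses are constructed. It goes slightly beyond the answer by also showing the alternative of a static route on the core that sends the pool back to the firewall, so the core's routing table is the thing that decides whether replies make it home.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for illustration only (not from the thread).
GP_POOL = ip_network("10.200.0.0/24")   # tunnel pool, known only to the firewall
FW_INSIDE = ip_address("192.168.1.1")   # firewall interface facing the core
SERVER = ip_address("192.168.10.20")    # internal server on a core VLAN
CLIENT = ip_address("10.200.0.5")       # address the firewall handed the GP client

# Core routing table: only its own VLANs, no idea where 10.200.0.0/24 lives.
CORE_BASE = {"192.168.1.0/24": "connected", "192.168.10.0/24": "connected"}


def lookup(routes, dst):
    """Longest-prefix match over a {prefix: next_hop} table; None if no route."""
    best = None
    for prefix, next_hop in routes.items():
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def session_ok(core_routes, source_nat):
    """Simulate client -> server and the server's reply.
    Returns (forward_ok, return_ok)."""
    # Firewall side: it knows both the pool (tunnel) and the internal network.
    fw_routes = {str(GP_POOL): "tunnel", "192.168.0.0/16": "core"}
    forward_ok = lookup(fw_routes, SERVER) == "core"
    # With source NAT the server sees the firewall's inside address instead.
    src_on_wire = FW_INSIDE if source_nat else CLIENT
    # The server replies to whatever source it saw; the core needs a path for it.
    reply_next_hop = lookup(core_routes, src_on_wire)
    return_ok = reply_next_hop in ("connected", "firewall")
    return forward_ok, return_ok


def scenarios():
    """Three designs: untranslated pool with no core route, source NAT, static route."""
    core_with_route = {**CORE_BASE, str(GP_POOL): "firewall"}
    return {
        "no_nat_no_route": session_ok(CORE_BASE, source_nat=False),   # (True, False)
        "source_nat": session_ok(CORE_BASE, source_nat=True),         # (True, True)
        "static_route": session_ok(core_with_route, source_nat=False),  # (True, True)
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:16s} forward={result[0]} return={result[1]}")
```

Either option keeps the pool off the core's VLANs; a VLAN interface for the pool on the 9200 is not required.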
11-01-2024 10:03 AM - edited 11-01-2024 10:04 AM
Thank you for your reply, I really appreciate it.
This absolutely makes sense. To reiterate in my own words, the firewall NAT translation policy will translate the source address to something the network is familiar with, rather than allowing the traffic through directly, which is a huge security risk.
11-01-2024 10:09 AM
You got it