SSL VPN on a Palo Alto with DHCP WAN address

October 25, 2014 at 11:01 pm 7 comments

The below was written relative to version 6.0.5-h3.

I have a PA-200 hooked up to a cable modem, getting a DHCP address for the WAN.  I’ve been trying to get GlobalProtect configured so that I can VPN into this network from the outside.  Unfortunately, I couldn’t find a document walking me through how to do this.  I experimented, taking clues from multiple documents, and then kept at it until I got it working.  First, I got IPsec working from an iPhone.  Now that I’ve got the SSL VPN also working from a Windows 7 machine, I wanted to write up what I did, so I can do it again if needed.  I also thought that writing it up would help my understanding of how the GlobalProtect Portal and Gateway work together.  As with all things computers, this method is probably not the only way to do this, but it works.

Much of the official Palo Alto documentation works off of the assumption that you have a static IP.  To get around that, you need a machine on your internal network running a dynamic DNS client.  If you aren’t familiar with that, a dynamic DNS service keeps a domain name pointing at the same device even though the device’s IP address changes.  Before you do anything else, get that working, so that pinging your public DNS name always returns your current WAN address.  Below, you’ll create an Address object in the Palo Alto that points to your public DNS name.  The PA periodically resolves that name (every 30 minutes, I believe) and if the answer changes, all the rules and other objects using that IP are updated to match.
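The precondition above (the public name must already track the WAN address before the firewall’s FQDN object can do anything useful) is easy to check from a script. The following is an added example, not from the original post: the resolver and the WAN-address lookup are passed in as callables so it runs offline; in real use you would pass `socket.gethostbyname` and a function that asks the firewall or a “what is my IP” service for the current public address. The name `vpn.example.test` and the `203.0.113.x` addresses are constructed placeholders.

```python
"""Verify that the dynamic DNS name tracks the current WAN address.

Added example, not from the original post. The resolver and the WAN-address
lookup are callables so the check runs offline in tests; in real use pass
socket.gethostbyname and a function that returns the current public address.
vpn.example.test and the 203.0.113.x addresses below are constructed.
"""
import socket
import time
from typing import Callable, Dict, Tuple


def check_ddns(name: str,
               current_wan_ip: Callable[[], str],
               resolve: Callable[[str], str] = socket.gethostbyname) -> Dict[str, object]:
    """Compare the public DNS answer for `name` with the WAN IP actually in use.

    Returns a small report; `ok` is True only when the two agree, which is the
    precondition for the FQDN address object in the firewall to be useful.
    """
    try:
        resolved = resolve(name)
    except OSError as exc:  # NXDOMAIN, timeout, no resolver reachable
        return {"name": name, "resolved": None, "wan": None,
                "ok": False, "reason": f"lookup failed: {exc}"}
    wan = current_wan_ip()
    if resolved == wan:
        return {"name": name, "resolved": resolved, "wan": wan,
                "ok": True, "reason": "record is current"}
    return {"name": name, "resolved": resolved, "wan": wan, "ok": False,
            "reason": "stale record: DDNS client not updating, or old TTL not expired"}


def wait_for_ddns(name: str,
                  current_wan_ip: Callable[[], str],
                  resolve: Callable[[str], str] = socket.gethostbyname,
                  attempts: int = 3,
                  interval: float = 0.0) -> Tuple[Dict[str, object], int]:
    """Re-check up to `attempts` times (sleeping `interval` seconds between
    tries), stopping at the first success. Returns (last report, tries used)."""
    report = check_ddns(name, current_wan_ip, resolve)
    tries = 1
    while not report["ok"] and tries < attempts:
        time.sleep(interval)
        report = check_ddns(name, current_wan_ip, resolve)
        tries += 1
    return report, tries


if __name__ == "__main__":
    # Offline demonstration with a constructed DNS table standing in for the
    # public resolver; the first answer is stale, the second is current.
    answers = iter(["203.0.113.10", "203.0.113.20"])
    report, tries = wait_for_ddns("vpn.example.test",
                                  lambda: "203.0.113.20",
                                  lambda _name: next(answers))
    print(tries, report)  # 2 {'name': 'vpn.example.test', ..., 'ok': True, ...}
```

Run it once with the real resolver before configuring anything on the firewall; if `ok` is False the FQDN object in step 5 will point at the wrong address and every NAT rule built on it will miss.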

Also, before continuing, go to Device > GlobalProtect Client and download the latest one, then activate it.

1. Create Loopback Interfaces:  You need two interfaces, one for the portal (192.168.99.1) and one for the gateway (192.168.99.2).  Make sure you have HTTPS available in the management profile of these.  They should be in your main Virtual Router, untrusted zone.  You can use any unused private IPs you want here, but I’ll be referring to the ones listed above later in this document.

2. Create a tunnel interface, using the next available number (like tunnel.1).  Use the same Virtual Router as above, but place this in the trusted zone.  Alternatively, you could create a new zone and place it there, but then you’d need to add a security policy to allow traffic from people VPN’ed in to specific internal resources.

3. On Objects > Services, add services for UDP 500 (ike), UDP 4501 (esp), TCP 7000 (for GP Portal) and TCP 7001 (for GP Gateway).  You can use whatever ports you want for the last two, just keep them straight.

4. On Objects > Service Groups, add an IPsec group which includes your UDP 500, UDP 4501, and HTTPS ports.  I called mine SSL-VPN-Gateway.

5. On Objects > Addresses, add a new object named after your dynamic DNS name, of type FQDN, with the dynamic name as the address.  Periodically, the PA will re-resolve the name to find your current public IP, and all the rules that reference this object will follow it.

6. On Device > Certificates, generate a new cert, making it a Certificate Authority.  The Subject name should be your dynamic DNS name.  After generating the cert, edit it and check the Trusted CA Root checkbox.  The names here should reflect the real dynamic DNS name you have.

7. On Policies > NAT, add a new NAT rule for access to your portal.  The source AND destination zone should be untrusted, destination interface should be your external interface, destination address should be your dynamic DNS object.  Destination service, port 7000.  On the Translated tab, you want Destination, then put the IP address of your portal loopback address, and port 443.  This will translate external requests for port 7000 to the internal loopback on port 443.  See the screenshot at step 13.

8. On Policies > Security, add a new security policy for access to your portal.  Source and Dest zones are untrusted.  Services are port 7000 and HTTPS.  Not 100% sure you need both.  See the screenshot at step 14.

9.  On Device > Authentication Profile, add a new one.  For simplicity’s sake, I used Local authentication (in the dropdown under the allow list window).  My profile is “Local-Auth”.  If you have an AD server, or some other LDAP source, you’ll probably want to get that configured here once everything else is working.  If you use a Local Auth profile, be sure to go to Device > Users and add a user.

10.  On Network > Portals, add your portal.  On the Portal Configuration section, set your interface as your portal loopback.  Set the IP Address (in my case, 192.168.99.1), and select the cert you just made for Server Certificate.  Select your Authentication Profile.


On the Client Configuration tab, add your cert under Trusted Root CA, then add a new Client Config.

On the Client Config General tab, give it a name, uncheck single sign on (unless you have a domain and are using your domain auth), set the Connect Method to on-demand.

On the Gateways tab, add an external gateway.  Name it the same as your dynamic DNS name.  In the address field, enter your dynamic DNS name again, followed by :7001.

11.  On Network > Gateways, add your Gateway.  On the General tab, name it, put it on the 2nd loopback, set the IP address (192.168.99.2 in my case), and select your new cert for the Server Certificate.  Select your Authentication Profile.

Go to Client Config.  On the Tunnel Settings tab, check the Tunnel Mode checkbox, select your tunnel interface, check Enable IPSec and Enable X-Auth Support, and fill in a group name and group password.  This is needed for iOS IPSec clients.

On the Network Settings tab, configure it as you wish.  In my case, my inheritance source is my WAN interface, also for DNS.  Add an IP Pool with an unused subnet.  For Access Route, you may want to think about it a bit.  You could put 0.0.0.0/0 here, which would route ALL of your end-user traffic through the VPN, or you could use specific routes here.  So, you could use 10.0.0.0/8, etc. if you wanted to only have certain traffic go across the tunnel.

12.  On Policies > NAT, add a new policy for your Gateway.  This is for IPsec specifically.  Set it the same as #7 above, except the service should be your IPsec service group, and your destination address is your Gateway loopback (192.168.99.2 in my case).  See the screenshot on step 13.

13. On Policies > NAT, add a new policy for Windows and Mac clients.  Set it the same as above, except for port 7001, with the translated destination address being your gateway loopback (again 192.168.99.2 for me), and your destination port as 443.

14.  On Policies > Security, add a new rule for Gateway access.  This should be for untrusted as both source and destination, service ports 7001 and your IPsec group.

15.  COMMIT.
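Steps 3 through 14 amount to three destination-NAT rules and two security rules that all hang off the FQDN address object. The block below is an added example, plain Python written for this write-up (not PAN-OS configuration and not code from the post), that models exactly that: the service objects and group, the FQDN object with its periodic refresh, the NAT rules for ports 7000, 7001 and the IPsec group, and the security rules. It also shows the failure mode the FQDN object exists to handle: after the cable-modem lease changes, inbound connections to the new WAN address miss every rule until the object re-resolves. The resolver is injected so it runs offline; `vpn.example.test` and the `203.0.113.x` addresses are constructed. Zones are left out because every rule in the post is untrusted to untrusted.

```python
"""Model of the inbound NAT and security rules built in steps 3 to 14.

Added example: plain Python, not PAN-OS configuration and not code from the
original post. Rule contents mirror the post (ports 7000/7001, loopbacks
192.168.99.1 and 192.168.99.2, UDP 500, UDP 4501, TCP 443). The resolver is
injected so this runs offline; the name vpn.example.test and the WAN
addresses 203.0.113.10 / 203.0.113.20 are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

Service = Tuple[str, int]  # (protocol, destination port)

# Objects > Services (step 3) and Objects > Service Groups (step 4)
SERVICES: Dict[str, Service] = {
    "ike": ("udp", 500),
    "esp": ("udp", 4501),
    "gp-portal": ("tcp", 7000),
    "gp-gateway": ("tcp", 7001),
    "service-https": ("tcp", 443),
}
SERVICE_GROUPS: Dict[str, List[str]] = {
    "SSL-VPN-Gateway": ["ike", "esp", "service-https"],
}


def expand(names: List[str]) -> Set[Service]:
    """Resolve service and service-group names to (proto, port) pairs."""
    return {SERVICES[s] for n in names for s in SERVICE_GROUPS.get(n, [n])}


@dataclass
class FqdnAddress:
    """Objects > Addresses entry of type FQDN (step 5). The firewall re-resolves
    it on a timer; until the next refresh, rules keep matching the old IP."""
    fqdn: str
    resolve: Callable[[str], str]
    ip: Optional[str] = None

    def refresh(self) -> str:
        self.ip = self.resolve(self.fqdn)
        return self.ip


@dataclass
class NatRule:
    """Destination NAT: traffic to the WAN address on the listed services is
    sent to a loopback, optionally on a different port."""
    name: str
    services: List[str]
    dst: FqdnAddress
    translated_ip: str
    translated_port: Optional[int] = None  # None keeps the original port

    def matches(self, proto: str, dst_ip: str, dport: int) -> bool:
        return dst_ip == self.dst.ip and (proto, dport) in expand(self.services)


def build_policy(ddns: FqdnAddress):
    nat = [
        NatRule("GP-Portal", ["gp-portal"], ddns, "192.168.99.1", 443),          # step 7
        NatRule("GP-Gateway-IPsec", ["SSL-VPN-Gateway"], ddns, "192.168.99.2"),  # step 12
        NatRule("GP-Gateway-SSL", ["gp-gateway"], ddns, "192.168.99.2", 443),    # step 13
    ]
    # Security rules (steps 8 and 14). PAN-OS evaluates security policy on the
    # pre-NAT destination port, which is why the post lists 7000/7001 here.
    security = {
        "GP-Portal-Allow": expand(["gp-portal", "service-https"]),
        "GP-Gateway-Allow": expand(["gp-gateway", "SSL-VPN-Gateway"]),
    }
    return nat, security


def inbound(nat, security, proto: str, dst_ip: str, dport: int):
    """First matching NAT rule wins. Returns (rule, loopback ip, loopback port)
    or None when nothing matches or the security policy does not allow it."""
    for rule in nat:
        if rule.matches(proto, dst_ip, dport):
            if not any((proto, dport) in svcs for svcs in security.values()):
                return None
            return rule.name, rule.translated_ip, rule.translated_port or dport
    return None


if __name__ == "__main__":
    table = {"vpn.example.test": "203.0.113.10"}   # constructed DDNS answer
    ddns = FqdnAddress("vpn.example.test", table.__getitem__)
    ddns.refresh()
    nat, sec = build_policy(ddns)
    print(inbound(nat, sec, "tcp", "203.0.113.10", 7000))  # portal -> .1:443
    table["vpn.example.test"] = "203.0.113.20"              # cable modem lease changed
    print(inbound(nat, sec, "tcp", "203.0.113.20", 7000))  # None until refresh
    ddns.refresh()
    print(inbound(nat, sec, "tcp", "203.0.113.20", 7000))  # matches again
```

Two things the model makes visible: NAT rule order matters (TCP 443 to the WAN address is caught by the IPsec-group rule, so the separate 7000/7001 rules are what keep the portal and gateway apart), and the window between a lease change and the next FQDN refresh is a plain outage for inbound VPN, not a security hole, because unmatched traffic simply has no rule.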

To connect with an iOS device, make sure you aren’t on your local Wi-Fi, go to Settings > General > VPN, and Add a Configuration.  Select IPSec at the top.  Enter your Dynamic DNS name as the server (with no port numbers), set your username and password, and set the group name and Secret.

To connect with a Mac / Windows machine, connect to a different public network segment (friend’s wifi, Starbucks, whatever), then in your browser, visit http://yourdynamic.dns:7000/.  You should be able to log in from there. Next, download and install the client (from the resulting page, after you logged in).  When you start the client, configure it to talk to the same address as above (:7000).

Good luck and happy VPN’ing!


Entry filed under: Networking.


7 Comments

  • 1. allothernamestaken  |  November 28, 2014 at 4:19 am

    Thank you very much for putting this guide together. Very useful!

  • 2. gubi (@callmegubi)  |  January 4, 2016 at 7:18 am

    This is really helpful.
    Question: does the loopback IP need to be on the same segment as that of the external interface?

  • 3. gubi (@callmegubi)  |  January 4, 2016 at 7:19 am

    This is really helpful!
    Question:
    Does the loopback IP need to be on the same segment as that of the external interface?

    Thanks

    • 4. ptaylor  |  January 4, 2016 at 10:49 pm

      Not 100% sure what you mean by segment. It needs to be in the same security zone, but not on the same subnet.

  • 5. Madan Sudhindra  |  June 29, 2016 at 1:35 pm

    Hi,

    Do the loopback interfaces need to be on the same IP subnet as the internal interface ? Also, have you tried configuring this on the new v 7.1.x firmware versions ? If so, can you please post the steps ?

    Thanks in advance,
    Madan

    • 6. ptaylor  |  July 20, 2016 at 6:35 pm

      I honestly don’t remember. It’s been so long since I did this, and I’m not using it that way anymore.. Sorry.

    • 7. Frank James Wilson  |  November 3, 2016 at 8:00 am

      There is no difference on 7.1.x, the guide will work just fine with any 7.1.x. Tested and confirmed.

