GlobalProtect remote-access VPN to enable Internet users to reach internal server
Information on Setup
Inside interface: ethernet1/1 → 192.168.10.10/24 (Inside_Zone)
Outside interface: ethernet1/2 → 125.16.14.22/24 (Outside_Zone)
Next hop / ISP router: 125.16.14.23
Tunnel interface: tunnel.1 → gateway 172.16.10.1/24, client pool 172.16.100.0/24
Server: 192.168.10.45 (gateway must be 192.168.10.10)
Step 1: Prechecks & Backups
Log in to the Palo Alto web UI at https://<firewall-ip>.
Screenshot: login page.
Click Device → Setup → Operations → Save named configuration snapshot.
Snapshot name: pre-GP-backup-<date>
Click OK. Capture screenshot of the confirmation.
Step 2: Create Security Zones
Click sequence:
Network → Zones → Add
Name: Inside_Zone
Type: Layer3 → OK (or Add then OK)
Repeat: Add Outside_Zone (Layer3) and VPN_Zone (Layer3)
Screenshot: capture the Network → Zones list showing the three zones.
Step 3: Configure Layer3 Interfaces (ethernet1/1 and ethernet1/2)
Click sequence (Ethernet1/1 - Inside):
Network → Interfaces → Ethernet → Click ethernet1/1 (row)
Tab: Config (some PAN-OS versions label this General/Config)
Interface Type: Layer3
Virtual Router: default (or your VR)
Security Zone: select Inside_Zone
IPv4: click IPv4 then Add → IP Address: 192.168.10.10/24
Click OK (or Save) on the interface editor
Screenshot: capture the interface page showing Interface Type, IP, Zone.
Click sequence (Ethernet1/2 - Outside):
Network → Interfaces → Ethernet → Click ethernet1/2
Interface Type: Layer3
Virtual Router: default
Security Zone: select Outside_Zone
IPv4: Add → IP Address: 125.16.14.22/24
Click OK / Save
Screenshot: capture the ethernet1/2 page with the external IP and zone.
Step 4: Create Tunnel Interface for GlobalProtect
Click sequence:
Network → Interfaces → Tunnel → Add
Name: tunnel.1
Virtual Router: default
Security Zone: VPN_Zone
IPv4: click IPv4 and Add → IP Address: 172.16.10.1/24 (this is the firewall side of the tunnel)
Click OK / Save
Screenshot: full tunnel interface pane showing name, VR, zone, IP
Step 5: Static Default Route
Click sequence:
Network → Virtual Routers → Click default (or your VR) → Tab Static Routes → Add
Name: default-out
Destination: 0.0.0.0/0
Next Hop: IP Address → IP Address: 125.16.14.23
Click OK / Save
Screenshot: static route entry list with default route visible.
Step 6: Address Objects (server)
Click sequence:
Objects → Addresses → Add
Name: Server1
Type: IP Netmask
IP Netmask: 192.168.10.45/32
Optionally Tag or Add to Address Group
Click OK
Screenshot: Address list showing Server1
Step 7: Certificate — generate for testing (self-signed)
Click sequence:
Device → Certificate Management → Certificates → Generate
Certificate Name: GP-selfsigned-1
Common Name: 125.16.14.22 (or your public FQDN if you have one)
Key Type/Size: RSA / 2048
Signed By: Local (this generates self-signed)
Usage: check SSL/TLS Service Profile if required
Click OK / Generate
Screenshot: certificate list showing GP-selfsigned-1 with CN 125.16.14.22
Note: for production use a CA-signed cert bound to your public FQDN.
Step 8: Local User + Authentication Profile (quick test login)
Create local user:
Device → Local Users → Add
Username: vpnuser
Password: YourStrongPassword123! (type twice)
(Optionally add to Groups)
Click OK
Screenshot: local users list showing vpnuser.
Create Authentication Profile (Local DB):
Device → Authentication Profile → Add
Name: Local-Auth
Type: Local Database
Login Attribute: leave defaults
Click OK
Screenshot: auth profile list showing Local-Auth.
Step 9: GlobalProtect Portal (exact clicks + fields)
Click sequence:
Network → GlobalProtect → Portals → Add
Name: GP-Portal
General tab
Interface: choose ethernet1/2
IP Address: choose 125.16.14.22 (or select the interface management IP; many PAN-OS versions show a combined Interface + IP dropdown)
Server Certificate: select GP-selfsigned-1
Authentication tab
Authentication Profile: choose Local-Auth (or Add → select)
Agent (important — this tells clients how to get tunnel settings)
Click Agent → Add (or Add Agent Config)
Agent Name: GP-Agent-Default
Under Client Configuration click Add (creates a client config block)
Client Config Name: Default-Client (auto)
Click the Client Settings row → Add
Client Settings Name: GP-Client-Settings
OS: leave All (or select Windows/Mac if you want per-OS)
Tunnel Settings (tab inside Client Settings):
Enable Tunnel Mode: check / toggle Tunnel Mode (or select Tunnel Mode)
Tunnel Interface: select tunnel.1
Client Address Pool: enter 172.16.100.0/24 (or choose pool config field)
Split Tunnel (tab inside Client Settings): click Split Tunnel → Add → Include: 10.10.10.0/24 (or use Exclude semantics if you want full-tunnel)
Click OK to save Client Settings
Back in Client Configuration, ensure Client Settings is attached to the agent
Click OK to save Agent
Back to Portal, click OK to save Portal config
Screenshot: capture the Portal > Agent > Client Settings page showing Tunnel Interface=tunnel.1, Client Address Pool=172.16.100.0/24 and Split Tunnel include 10.10.10.0/24.
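Before committing the portal agent settings, it is worth sanity-checking the address plan from Steps 4, 6 and 9 against each other: the client pool must not overlap the inside LAN, the server must sit behind ethernet1/1, and with an Include-mode split tunnel the client only routes the listed destinations through the tunnel, so the server's subnet has to be in that list. The following Python check is an added example written for this page, not a Palo Alto tool; the constants are the values listed in the setup section and are constructed inputs, not anything read from the firewall. Run with the values exactly as given on this page, it reports that the include route does not cover the server, which is the first thing to look at if a connected client cannot reach 192.168.10.45.

```python
import ipaddress

# Values as listed in this page's setup section (constructed inputs, not read from the firewall).
TUNNEL_IF_IP = "172.16.10.1/24"        # firewall side of tunnel.1 (Step 4)
CLIENT_POOL = "172.16.100.0/24"        # Client Address Pool on portal agent and gateway (Step 9)
SPLIT_INCLUDE = ["10.10.10.0/24"]      # Split Tunnel -> Include routes on the portal agent (Step 9)
INSIDE_IF_IP = "192.168.10.10/24"      # ethernet1/1, also the server's default gateway (Step 3)
SERVER_IP = "192.168.10.45"            # Server1 (Step 6)


def check_address_plan(tunnel_if_ip, client_pool, split_include, inside_if_ip, server_ip):
    """Return a list of problem strings; an empty list means the plan is consistent."""
    problems = []
    pool = ipaddress.ip_network(client_pool)
    inside = ipaddress.ip_interface(inside_if_ip).network
    inside_gw = ipaddress.ip_interface(inside_if_ip).ip
    server = ipaddress.ip_address(server_ip)
    includes = [ipaddress.ip_network(r) for r in split_include]

    # The client pool must be a distinct subnet: if it overlapped the inside LAN the server
    # would ARP for client addresses locally instead of sending replies to its gateway.
    if pool.overlaps(inside):
        problems.append(f"client pool {pool} overlaps inside network {inside}")

    # The server's default gateway is ethernet1/1, so the server must be on that subnet.
    if server not in inside:
        problems.append(f"server {server} is not on {inside}; gateway {inside_gw} would be unreachable")

    # Include-mode split tunnel: the client sends ONLY the listed destinations through the
    # tunnel, so the server's subnet must be covered (or use Exclude semantics for full tunnel).
    if includes and not any(server in n for n in includes):
        problems.append(f"server {server} is not covered by split-tunnel include routes {split_include}")

    return problems


if __name__ == "__main__":
    found = check_address_plan(TUNNEL_IF_IP, CLIENT_POOL, SPLIT_INCLUDE, INSIDE_IF_IP, SERVER_IP)
    for p in found:
        print("PROBLEM:", p)
    if not found:
        print("address plan is consistent")
```

Swap the include list for the server's own subnet (or use the Exclude form of split tunnel) and the check returns no findings; an overlapping pool is reported separately so that a single run shows every plan error at once.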
Step 10: GlobalProtect Gateway (exact clicks + fields)
Click sequence:
Network → GlobalProtect → Gateways → Add
Name: GP-Gateway
General tab
Interface: choose ethernet1/2
IP Address: choose 125.16.14.22
Server Certificate: GP-selfsigned-1
Authentication / Client Authentication
Client Authentication: choose Local-Auth (the Authentication Profile created earlier)
If the UI shows an Authentication Profile dropdown, select Local-Auth
Tunnel Settings
Tunnel Interface: select tunnel.1
Client Address Pool: 172.16.100.0/24 (same pool as portal)
Client Configuration (optional here)
Add a client config if you need per-gateway settings; otherwise the Portal Agent settings propagate the common config to the client.
Click OK to save Gateway
Screenshot: Gateway General page showing interface, IP, server cert, Tunnel Interface=tunnel.1 and Client Address Pool.
Step 11: Security Policy — allow VPN → Internal (exact clicks)
Click sequence:
Policies → Security → Add
Name: Allow_VPN_to_Inside (place this near the top of the rulebase)
Source tab:
Source Zone: VPN_Zone
Source Address: any (or create an Address object for 172.16.100.0/24 and select it)
Destination tab:
Destination Zone: Inside_Zone
Destination Address: select Server1 (192.168.10.45/32)
Application: any (for testing) — later lock down to required apps (RDP, HTTP)
Action: Allow
Click OK
Screenshot: the rule editor showing Source Zone=VPN_Zone, Destination Zone=Inside_Zone, Destination Address=Server1.
Important: ensure the rule is above any explicit Deny rules
Step 12: Check NAT Rules (ensure VPN→Inside is not SNATed)
Click sequence:
Policies → NAT → Review rules top-to-bottom
If you have an existing wide Source NAT that matches any -> any, create an exemption rule above it:
Add new NAT rule at top
Name: NAT-exempt-VPN-to-Inside
Original Packet / Source Zone: VPN_Zone
Original Packet / Destination Zone: Inside_Zone
Original Packet / Source Address: 172.16.100.0/24 (you can create an Address object for the pool)
Original Packet / Destination Address: 10.10.10.0/24 (or Server1)
Translated Packet: choose Original (no source translation) or leave blank depending on the UI
Click OK
Screenshot: NAT rule showing the exemption on top.
Note: the PAN UI may not have an explicit "No NAT" toggle; the idea is to ensure no Source NAT rule will match the VPN->Inside flow. If in doubt, place a specific NAT rule that does not perform source translation and put it above any generic source NAT.
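Both Step 11 ("ensure the rule is above any explicit Deny rules") and Step 12 (the exemption must sit above the generic source NAT) depend on the same property: PAN-OS evaluates each rulebase top to bottom and the first rule whose zones and addresses match wins, so a more specific rule placed below a wide one is never reached. The evaluator below is an added example written for this page, not PAN-OS code; the rulebases are constructed from the names and addresses used in Steps 11 and 12, and the flow's zones are supplied directly (on the firewall the ingress and egress zones come from the interface and the route lookup, which this model does not reproduce). It shows the VPN client flow landing on the intended rules in the correct order and on the deny and SNAT rules when the order is reversed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One row of a PAN-OS-style rulebase, reduced to the fields this check needs.
    Zones and addresses are "any", an exact zone name, or a CIDR. For security rules the
    action is "allow"/"deny"; for NAT rules it is "snat" or "no-nat" (this label is ours)."""
    name: str
    from_zone: str
    to_zone: str
    src: str
    dst: str
    action: str


def _zone_matches(rule_zone, zone):
    return rule_zone == "any" or rule_zone == zone


def _addr_matches(rule_addr, ip):
    return rule_addr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(rule_addr)


def first_match(rules, from_zone, to_zone, src_ip, dst_ip):
    """Top-to-bottom, first-match evaluation: the first rule whose zones and addresses all
    match wins and nothing below it is consulted. Returns the Rule, or None if nothing matched."""
    for r in rules:
        if (_zone_matches(r.from_zone, from_zone) and _zone_matches(r.to_zone, to_zone)
                and _addr_matches(r.src, src_ip) and _addr_matches(r.dst, dst_ip)):
            return r
    return None


# Constructed flow: a GlobalProtect client from the pool reaching Server1.
VPN_FLOW = dict(from_zone="VPN_Zone", to_zone="Inside_Zone",
                src_ip="172.16.100.25", dst_ip="192.168.10.45")

# Security rulebase (Step 11): the allow rule must be above the explicit deny.
ALLOW_VPN = Rule("Allow_VPN_to_Inside", "VPN_Zone", "Inside_Zone", "any", "192.168.10.45/32", "allow")
DENY_ALL = Rule("Deny_All", "any", "any", "any", "any", "deny")
SECURITY_OK = [ALLOW_VPN, DENY_ALL]
SECURITY_BAD = [DENY_ALL, ALLOW_VPN]     # the deny shadows the allow rule

# NAT rulebase (Step 12): the no-translation exemption must be above the wide source NAT.
NAT_EXEMPT = Rule("NAT-exempt-VPN-to-Inside", "VPN_Zone", "Inside_Zone",
                  "172.16.100.0/24", "192.168.10.45/32", "no-nat")
GENERIC_SNAT = Rule("Generic-SNAT", "any", "any", "any", "any", "snat")
NAT_OK = [NAT_EXEMPT, GENERIC_SNAT]
NAT_BAD = [GENERIC_SNAT, NAT_EXEMPT]     # the wide SNAT matches first; the exemption is never reached


def evaluate(security_rules, nat_rules, flow):
    """Return (security rule name, security action, NAT rule name, NAT action) for a flow.
    No security match means the interzone default (deny); no NAT match means no translation."""
    sec = first_match(security_rules, **flow)
    nat = first_match(nat_rules, **flow)
    return (sec.name if sec else None, sec.action if sec else "deny",
            nat.name if nat else None, nat.action if nat else "no-nat")


if __name__ == "__main__":
    for label, sec, nat in (("correct order", SECURITY_OK, NAT_OK),
                            ("wrong order", SECURITY_BAD, NAT_BAD)):
        print(label, evaluate(sec, nat, VPN_FLOW))
```

The same evaluator explains why the page suggests narrowing the security rule later: with Destination Address limited to Server1, a client probing any other inside host falls through to the deny rule rather than being allowed by an over-broad match.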
Step 13: Commit changes
Click sequence:
Top right → Commit → Confirm → Wait for the commit to complete
Screenshot: commit progress dialog and final success message.
Step 14: Verify & Test (GUI + client)
A) Verify from the firewall GUI
Network → GlobalProtect → Portals → open GP-Portal → click Monitor, or check Monitor → GlobalProtect to see logins
Network → GlobalProtect → Gateways → click GP-Gateway → there may be a Current Sessions or View link to show active clients
Monitor → Traffic → Filter: Source = VPN client IP (e.g., 172.16.100.x) and Destination = 192.168.10.45 to confirm traffic is allowed and shows which rule matched
Screenshot: traffic log line showing allow and rule name Allow_VPN_to_Inside.
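The traffic-log check in Step 14A can be automated against an exported log so that every pool-to-server flow is confirmed, not just the one line in the screenshot. The script below is an added example written for this page, not a Palo Alto tool. The sample rows are constructed in a simplified CSV layout that keeps only the columns the check reads, under the field names PAN-OS uses (receive_time, from, to, src, dst, natsrc, app, action, rule); a real traffic log export has many more columns, so map the header accordingly before feeding it a real file. A flow passes only if it was allowed by Allow_VPN_to_Inside and natsrc is empty, which is the log-side evidence that the Step 12 NAT exemption is actually matching.

```python
import csv
import io
import ipaddress

# Constructed sample log rows (simplified layout, field names as in PAN-OS traffic logs).
SAMPLE_LOG = """\
receive_time,from,to,src,dst,natsrc,app,action,rule
2024/01/01 10:00:01,VPN_Zone,Inside_Zone,172.16.100.25,192.168.10.45,,ms-rdp,allow,Allow_VPN_to_Inside
2024/01/01 10:00:02,VPN_Zone,Inside_Zone,172.16.100.25,192.168.10.45,,web-browsing,allow,Allow_VPN_to_Inside
2024/01/01 10:00:03,VPN_Zone,Inside_Zone,172.16.100.26,192.168.10.45,125.16.14.22,ssl,allow,Allow_VPN_to_Inside
2024/01/01 10:00:04,VPN_Zone,Inside_Zone,172.16.100.27,192.168.10.45,,ping,deny,interzone-default
2024/01/01 10:00:05,Inside_Zone,Outside_Zone,192.168.10.45,8.8.8.8,125.16.14.22,dns,allow,Outbound
"""


def verify_vpn_flows(csv_text, client_pool, server_ip, expected_rule):
    """Scan traffic-log rows for client-pool -> server flows and return (ok_count, findings).
    A flow is fine only if it was allowed by expected_rule and was not source-translated."""
    pool = ipaddress.ip_network(client_pool)
    ok = 0
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if ipaddress.ip_address(row["src"]) not in pool or row["dst"] != server_ip:
            continue  # not a VPN-client-to-server flow; outbound traffic etc. is ignored
        tag = f"{row['receive_time']} {row['src']}->{row['dst']} {row['app']}"
        if row["action"] != "allow":
            findings.append(f"{tag}: {row['action']} by rule {row['rule']} "
                            f"(expected allow by {expected_rule})")
        elif row["rule"] != expected_rule:
            findings.append(f"{tag}: allowed by {row['rule']} instead of {expected_rule}")
        elif row["natsrc"]:
            # natsrc set on a VPN->Inside flow means a source NAT rule matched it (Step 12 exemption missing
            # or ordered below the generic SNAT).
            findings.append(f"{tag}: source translated to {row['natsrc']}; a source NAT rule matched the VPN flow")
        else:
            ok += 1
    return ok, findings


if __name__ == "__main__":
    count, problems = verify_vpn_flows(SAMPLE_LOG, "172.16.100.0/24", "192.168.10.45", "Allow_VPN_to_Inside")
    print(f"{count} flow(s) allowed by the expected rule without source NAT")
    for p in problems:
        print("CHECK:", p)
```

In the sample, the two RDP and web flows pass, the ssl flow is flagged because it was source-translated to the outside address, and the ping flow is flagged because it hit the interzone default deny instead of Allow_VPN_to_Inside; the outbound DNS row is skipped because it is not a pool-to-server flow.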
B) Client tests
From an external laptop (on a different network / internet):
Install the GlobalProtect client (Windows) from the Palo Alto site, or download it from the Portal at https://125.16.14.22 if the Portal allows downloads
In the GlobalProtect client Portal field enter: 125.16.14.22 → Connect