Name: #paloaltofirewalltraining | Day 47 | How to Configure Global Protect Portal and Gateway
Uploaded: 2026-02-06 21:40:56
Duration: 22 min 55 s

Question 1

How do I configure GlobalProtect Portal and Gateway on separate Palo Alto firewalls?

Accepted Answer

In this video I configure the Portal on one firewall and the Gateway on another firewall, both reachable from the internet. The client connects to the Portal first, and the Portal provides the Gateway information so the client can build the VPN tunnel with the Gateway. This is the common industry scenario, and it helps a lot when you troubleshoot traffic flow.

Question 2

What is the traffic flow when Portal and Gateway are separate in GlobalProtect?

Accepted Answer

The first connection is always to the Portal, because the client needs configuration and gateway details. After that, the client starts communicating to the Gateway IP and establishes the GlobalProtect/IPSec VPN tunnel there. In my capture you can see the initial portal communication and then the next stream going to the gateway.

Question 3

Do I need a certificate on the GlobalProtect Portal if I am using username/password authentication?

Accepted Answer

Yes, you still need a certificate/TLS profile for the Portal because the client connects over SSL to download and communicate securely. In my lab I generate a certificate using the Portal IP address since I don’t have an FQDN. Then on the client side I install it into trusted so I don’t get certificate warnings.

Question 4

Can I use local user authentication for GlobalProtect Portal and Gateway?

Accepted Answer

Yes, in this topology I use local database authentication to keep it simple. I create a local user (test) and an authentication profile pointing to local database. On the gateway I also switch from LDAP to local authentication so both sides match for the lab.

Question 5

Why does GlobalProtect show a different gateway IP after I connect to the portal?

Accepted Answer

Because the portal is only the first touch point—once it gives the gateway address, the actual VPN tunnel is built with the gateway. In my client settings you can see I entered the portal IP, but the connected gateway becomes a different IP. That confirms portal redirection is working correctly.

Question 6

How do I troubleshoot GlobalProtect portal-to-gateway redirection issues?

Accepted Answer

First I validate the flow: client should reach portal, then it should start sessions to the gateway. In the video I use packet capture and follow TCP streams to confirm that sequence. If you want deeper troubleshooting with debug logs, I mentioned I can make a separate video focused only on debug and log-based analysis.

Question 7

Which interface and zone should I use for the GlobalProtect Portal in a simple lab?

Accepted Answer

In my lab I use the outside interface as Layer3 and put it into the outside zone, and I take IP via DHCP. That keeps the setup straightforward when you just want to learn the concept. After that, the portal is bound to that interface/IP for client connectivity.

#paloaltofirewalltraining | Day 47 | How to Configure Global Protect Portal and Gateway

🛍️ Products Mentioned (2)

Paloaltonetworks Product

For Palo Alto Documentation

About This Video

Frequently Asked Questions

🎬 More from Bikash's Tech