What zone should Global Protect loopback interfaces be in?

As per this guide: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGKCA0, our previous admin has the loopback interface for GP in the same Untrust zone as the WAN interface.

Unfortunately because the packets stay in the same zone, there is no security rule to drop undesired connection attempts, say from outside our desired region.

I could add a drop rule, but in my mind, a better solution would be to add a new zone for the loopback interface, or move it to an existing Trust zone, then update the allow rule with our desired region.

The tunnel interface is in its own zone already; should I move the loopback interface there?

Are VPNs considered trusted or untrusted?

Thanks all.

It depends on the scenario. You can absolutely drop packets within the zone. It’s called an intrazone rule. Or you specify the same zone for source and destination.
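To make the intrazone point concrete, here is an added example (not from anyone in this thread) that models PAN-OS first-match policy evaluation with its implicit intrazone-default (allow) and interzone-default (deny) rules, and compares the three designs discussed: loopback in Untrust with no explicit rule, loopback in Untrust with explicit Untrust-to-Untrust rules, and loopback in its own zone. Zone names, rule names and region codes are constructed for illustration.

```python
# Added example: a first-match model of PAN-OS security policy evaluation.
# It is not the thread's own configuration; zones, rules and regions are constructed.
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    action: str                                        # "allow" or "deny"
    source_regions: set = field(default_factory=set)   # empty set = any source

def matches(rule, src_zone, dst_zone, src_region):
    """True when the rule's zones and (optional) source-region list match."""
    if rule.from_zone not in (src_zone, "any") or rule.to_zone not in (dst_zone, "any"):
        return False
    return not rule.source_regions or src_region in rule.source_regions

def evaluate(rules, src_zone, dst_zone, src_region):
    """First explicit match wins; otherwise the implicit PAN-OS defaults apply:
    intrazone-default allows, interzone-default denies."""
    for r in rules:
        if matches(r, src_zone, dst_zone, src_region):
            return r.name, r.action
    if src_zone == dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"

# Design 1 (as found): GP loopback sits in Untrust; only an unrelated inbound rule exists.
DESIGN_SAME_ZONE = [Rule("Allow-Web-In", "Untrust", "DMZ", "allow")]

# Design 2: still the same zone, but explicit Untrust->Untrust rules restrict the
# portal to the desired region and drop everything else before intrazone-default.
DESIGN_INTRAZONE_RULES = [
    Rule("GP-Allow-Region", "Untrust", "Untrust", "allow", {"US", "CA"}),
    Rule("GP-Drop-Other", "Untrust", "Untrust", "deny"),
]

# Design 3: loopback moved to its own zone; one allow rule is enough because
# interzone-default denies the rest without an explicit drop rule.
DESIGN_OWN_ZONE = [Rule("GP-Allow-Region", "Untrust", "GP-Portal", "allow", {"US", "CA"})]

def portal_reachable(rules, portal_zone, src_region):
    """Would a connection from Untrust to the portal's zone be allowed?"""
    return evaluate(rules, "Untrust", portal_zone, src_region)[1] == "allow"

if __name__ == "__main__":
    for label, rules, zone in (("same zone, no rule", DESIGN_SAME_ZONE, "Untrust"),
                               ("same zone, intrazone rules", DESIGN_INTRAZONE_RULES, "Untrust"),
                               ("own zone", DESIGN_OWN_ZONE, "GP-Portal")):
        print(label, {r: evaluate(rules, "Untrust", zone, r) for r in ("US", "BR")})
```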

The interface that the GlobalProtect portal/gateway runs on should be in the DMZ.
The tunnel interface that is used in the gateway config should be in its own GlobalProtect zone.

Also, don’t use a loopback but a real interface to run GlobalProtect on.

don’t use a loopback but a real interface to run GlobalProtect on

The interface that the GlobalProtect portal/gateway runs on should be in the DMZ

We are in the situation where we need port 443 for something else, so we need to put Global Protect on a different port, hence the loopback interface. That aside, is there a technical reason why it’s preferable to slave a vpn to a wan interface?

You can configure GlobalProtect to run on a physical DMZ interface. This allows you to keep NAT.
If you run GlobalProtect on a loopback and are asked to throttle user bandwidth in the future, then you can’t, because Palo doesn’t support QoS on loopback.