Hardware reference guide
GlobalProtect Administrator’s Guide
Configure GlobalProtect Gateways Set Up the GlobalProtect Infrastructure
Step 5 (Tunnel Mode only) Configure the network settings to assign to the clients’ virtual network adapter when an agent establishes a tunnel with the gateway.
Network settings are not required in internal gateway configurations in non-tunnel mode, because in this case agents use the network settings assigned to the physical network adapter.
1. On the GlobalProtect Gateway dialog, select Client Configuration > Network Settings.
2. Specify the network configuration settings for the clients in one of the following ways:
• You can manually assign the DNS server(s) and suffix, and WINS servers by completing the corresponding fields.
• If the firewall has an interface that is configured as a DHCP client, you can set the Inheritance Source to that interface and the GlobalProtect agent will be assigned the same settings received by the DHCP client.
3. To specify the IP Pool to use to assign client IP addresses, click Add and then specify the IP address range to use. As a best practice, use a different range of IP addresses from those assigned to clients that are physically connected to your LAN to ensure proper routing back to the gateway.
4. To define which destination subnets to route through the tunnel, click Add in the Access Route area and then enter the routes as follows:
• To route all client traffic through GlobalProtect (full-tunneling), enter 0.0.0.0/0 as the access route. You will then need to use security policy to define what zones the client can access (including untrust zones). The benefit of this configuration is that you have visibility into all client traffic and you can ensure that clients are secured according to your policy even when they are not physically connected to the LAN. Note that in this configuration traffic destined for the local subnet goes through the physical adapter, rather than being tunneled to the gateway.
• To route only some traffic—likely traffic destined for your LAN—through GlobalProtect (split-tunneling), specify the destination subnets that must be tunneled. In this case, traffic that is not destined for a specified access route will be routed through the client’s physical adapter rather than through the virtual adapter (the tunnel).
The firewall supports up to 100 access routes.
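The following is an added example, not part of the guide and not Palo Alto Networks code: a pre-deployment check of a planned IP pool and access-route list against the guidance in steps 3 and 4, plus a model of which adapter carries a given destination. The function names and all addresses are constructed for illustration, and applying the local-subnet exception in split-tunnel mode as well is an assumption.

```python
import ipaddress

MAX_ACCESS_ROUTES = 100  # limit stated in the guide

def parse_pool(text):
    """Accept CIDR ('10.31.32.0/24') or a dash range ('10.31.32.3-10.31.32.118')."""
    if "-" in text:
        first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-"))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(text, strict=False)]

def tunnel_mode(access_routes):
    """'full' when 0.0.0.0/0 is an access route, otherwise 'split'."""
    default = ipaddress.ip_network("0.0.0.0/0")
    return "full" if any(ipaddress.ip_network(r) == default for r in access_routes) else "split"

def audit_plan(ip_pools, lan_subnets, access_routes):
    """Return findings for a planned tunnel-mode network configuration."""
    findings = []
    lans = [ipaddress.ip_network(s) for s in lan_subnets]
    for pool in ip_pools:
        nets = parse_pool(pool)
        for lan in lans:
            # Step 3: the pool should not share addresses with physically connected clients
            if any(n.overlaps(lan) for n in nets):
                findings.append(f"IP pool {pool} overlaps LAN subnet {lan}")
    if len(access_routes) > MAX_ACCESS_ROUTES:
        findings.append(f"{len(access_routes)} access routes exceeds the limit of {MAX_ACCESS_ROUTES}")
    return findings

def egress_path(dest, access_routes, client_local_subnet):
    """Adapter that carries traffic to dest: 'tunnel' (visible to the gateway) or 'physical'."""
    addr = ipaddress.ip_address(dest)
    # The guide states this exception for full tunneling; using it for split mode is an assumption.
    if addr in ipaddress.ip_network(client_local_subnet):
        return "physical"
    if any(addr in ipaddress.ip_network(r) for r in access_routes):
        return "tunnel"
    return "physical"

if __name__ == "__main__":
    # Constructed sample plan: split tunnel for 10.0.0.0/8, pool carved out of the office LAN
    routes = ["10.0.0.0/8"]
    print(tunnel_mode(routes), audit_plan(["192.168.1.50-192.168.1.99"], ["192.168.1.0/24"], routes))
    for dest in ("10.1.2.3", "203.0.113.10"):
        print(dest, "->", egress_path(dest, routes, "192.168.0.0/24"))
```

A destination reported as "physical" never reaches the gateway, so security policy and logging on the firewall do not apply to it.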
Configure the Gateway (Continued)