GlobalProtect Users and Internal Resources

Created On 09/25/18 19:36 PM - Last Modified 02/08/19 00:02 AM


Resolution


Sometimes, even when the configuration is correct, GlobalProtect users are unable to access internal resources. This can happen because the subnet assigned to GlobalProtect is also used somewhere else in the network, or because there is a routing issue.

 

Global Protect.PNG

 

A workaround is to put the tunnel interface used in the GlobalProtect configuration in a different zone (GP-VPN) and apply source NAT to the desired traffic. Make sure you have a security policy that allows the traffic.
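The cause described above can be checked offline before applying the workaround. This Python script is an added example, not part of the original article: it runs a longest-prefix match for every GlobalProtect pool address against a DMZ-side routing table and reports the ranges whose replies would not return to the firewall. The pool, firewall address and routes are constructed sample values.

```python
import ipaddress

# Constructed sample values (assumptions, not from the article): the
# GlobalProtect IP pool, the firewall's DMZ-side address, and the routing
# table of a router or server in the DMZ as (prefix, next hop) pairs.
GP_POOL = ipaddress.ip_network("10.10.50.0/24")
FIREWALL_IP = "172.16.1.1"
ROUTES = [
    ("0.0.0.0/0", "172.16.1.1"),           # default route via the firewall
    ("10.10.0.0/16", "172.16.1.254"),      # internal summary via a core router
    ("10.10.50.128/25", "172.16.1.253"),   # half of the pool reused elsewhere
]


def return_path_problems(pool, routes, firewall_ip):
    """Map (winning prefix, next hop) -> (first, last, count) of the pool
    addresses whose reply traffic would NOT be sent back to the firewall."""
    table = [(ipaddress.ip_network(prefix), hop) for prefix, hop in routes]
    bad = {}
    for addr in pool:
        matches = [(net, hop) for net, hop in table if addr in net]
        if not matches:
            bad.setdefault(("no route", None), []).append(addr)
            continue
        # Longest-prefix match: the most specific route decides the next hop.
        net, hop = max(matches, key=lambda m: m[0].prefixlen)
        if hop != firewall_ip:
            bad.setdefault((str(net), hop), []).append(addr)
    return {key: (str(a[0]), str(a[-1]), len(a)) for key, a in bad.items()}


def report(title, problems):
    print(title)
    for (prefix, hop), (first, last, count) in problems.items():
        print(f"  {first}-{last} ({count} addresses) follows {prefix} via {hop}")


if __name__ == "__main__":
    report("As configured:", return_path_problems(GP_POOL, ROUTES, FIREWALL_IP))
    # A static route for the pool fixes a pure routing gap, but not the part
    # of the pool that is in use elsewhere; that remaining overlap is the
    # case the source NAT workaround addresses.
    fixed = ROUTES + [(str(GP_POOL), FIREWALL_IP)]
    report("With a pool route via the firewall:",
           return_path_problems(GP_POOL, fixed, FIREWALL_IP))
```

With source NAT in place, servers reply to the translated address instead of a pool address, so the overlapping route no longer affects the return path.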

 

The topology is as follows:

 

GlobalProtect users are in the GP-VPN zone, servers are in the DMZ-L3 zone, and internal hosts are in the Trust-L3 zone.

 

GP3.PNG

 

If you are trying to access resources in the DMZ-L3 zone, configure a source NAT from GP-VPN to DMZ-L3.

 

GP4.PNG

 

Security policy:

GP5.PNG


