GlobalProtect Users and Internal Resources

Created On 09/25/18 19:36 PM - Last Updated 02/08/19 00:02 AM


Resolution

Sometimes, even when the configuration is correct, GlobalProtect users are unable to access internal resources. This can happen because the subnet assigned to GlobalProtect is also used elsewhere in the network, or because there is a routing issue.
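One way to check for the first cause, a GlobalProtect pool subnet that is also routed somewhere else, is to compare the pool against a device's route table. This is an added example, not part of the original article; the pool `10.10.50.0/24`, the interface names and the sample routes are constructed assumptions.

```python
import ipaddress

def find_pool_conflicts(gp_pool, routes, expected_egress):
    """List routes on one device that steer GlobalProtect pool traffic wrongly.

    routes: (prefix, egress_interface) pairs from that device's route table.
    expected_egress: interface that should carry pool traffic on this device
    (the tunnel interface on the firewall itself).
    """
    pool = ipaddress.ip_network(gp_pool)
    parsed = [(ipaddress.ip_network(p), e) for p, e in routes]
    parsed = [(n, e) for n, e in parsed if n.version == pool.version]

    # Longest correct route that covers the whole pool (-1 if there is none).
    best_ok = max((n.prefixlen for n, e in parsed
                   if e == expected_egress and pool.subnet_of(n)), default=-1)

    conflicts = []
    for net, egress in parsed:
        if egress == expected_egress or not net.overlaps(pool):
            continue
        if net == pool:
            kind = "duplicate"          # same subnet defined elsewhere
        elif net.subnet_of(pool):
            kind = "more-specific"      # steals part of the pool
        elif net.prefixlen >= best_ok:
            kind = "covering"           # not beaten by a correct route
        else:
            continue                    # a correct, longer route wins
        conflicts.append((str(net), egress, kind))
    return conflicts

# Constructed sample data: pool, interface names and routes are assumptions.
SAMPLE_ROUTES = [
    ("0.0.0.0/0", "ethernet1/1"),
    ("10.10.50.0/24", "tunnel.1"),
    ("10.10.50.128/25", "ethernet1/3"),
    ("10.10.0.0/16", "ethernet1/2"),
    ("192.168.10.0/24", "ethernet1/2"),
]

if __name__ == "__main__":
    for conflict in find_pool_conflicts("10.10.50.0/24", SAMPLE_ROUTES, "tunnel.1"):
        print(conflict)
```

Run it against the route table of each device on the path; on an internal router, pass the firewall-facing interface as `expected_egress`.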

 

[Image: Global Protect.PNG]

A workaround is to place the tunnel interface used in the GlobalProtect configuration in a different zone (GP-VPN) and apply source NAT to the desired traffic. Make sure a security policy allows the traffic.

 

The topology is as follows:

GlobalProtect users are in the GP-VPN zone, servers are in the DMZ-L3 zone, and internal hosts are in the Trust-L3 zone.

 

[Image: GP3.PNG]

If you are trying to access the resources in the DMZ-L3 zone, do a source NAT from GP-VPN to DMZ-L3.

 

[Image: GP4.PNG]

Security policy:

[Image: GP5.PNG]


