Palo Alto Networks Knowledgebase: GlobalProtect Pre-Logon Issue with Bluecoat User Agent

Created On 02/08/19 00:04 AM - Last Updated 02/08/19 00:05 AM


After deploying GlobalProtect with pre-logon enabled, clients running the Bluecoat User Agent (bcua) experience intermittent connectivity issues. A continuous ping from the client to internal resources shows successful replies, but after 40 - 50 seconds the pings begin to time out. The connection is re-established after a few minutes, and the behavior then repeats.


The bcua creates a tunnel to Symantec Web Security Service (WSS), which means GP traffic is also tunneled. This causes the intermittent connectivity.


This can be verified by running a packet capture on the client machine.


A few other ways to verify this is the case:

  • Check the client's public IP address; you can do this with a Google search for "whats my ip address"
  • Verify whether this IP address is from the client's ISP or whether it belongs to Symantec. I used arin[dot]net to verify. If you get a Symantec IP address, that would be an indication that a tunnel has been created to Symantec.
  • On the firewall, run the following commands as shown in the screenshot:




Symantec is aware of this issue and has provided a workaround in this link

Once the changes have been made, verify the IP seen by the firewall. This should be a non-Symantec IP, and connectivity should now be stable.
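
The ownership check from the verification list, and the same check repeated after the workaround, can be scripted against ARIN's RDAP service (rdap.arin.net). This is an added example, not part of the original article: the sample records are constructed, and the vendor keyword list and all function names are assumptions.

```python
import json
import urllib.request

RDAP_URL = "https://rdap.arin.net/registry/ip/{ip}"  # ARIN's public RDAP endpoint

# Assumption: substrings that identify the proxy vendor in registration data.
VENDOR_KEYWORDS = ("symantec", "blue coat", "bluecoat")

def _sample(net_name, org):
    """Build a constructed RDAP reply trimmed to the fields read below."""
    vcard = ["vcard", [["version", {}, "text", "4.0"], ["fn", {}, "text", org]]]
    return {"name": net_name,
            "entities": [{"roles": ["registrant"], "vcardArray": vcard}]}

# Constructed samples, not real registrations.
SAMPLE_PROXIED = _sample("EXAMPLE-WSS", "Symantec Corporation")
SAMPLE_DIRECT = _sample("EXAMPLE-ISP-POOL", "Example Broadband Inc.")

def fetch_rdap(ip, timeout=10):
    """Fetch the registration record covering ip (requires Internet access)."""
    with urllib.request.urlopen(RDAP_URL.format(ip=ip), timeout=timeout) as resp:
        return json.load(resp)

def registrant_names(rdap):
    """Return the network name plus every entity's jCard 'fn' value."""
    names = [rdap.get("name", "")]
    pending = list(rdap.get("entities", []))
    while pending:
        entity = pending.pop()
        pending.extend(entity.get("entities", []))  # contacts nest under orgs
        for prop in entity.get("vcardArray", ["vcard", []])[1]:
            if prop[0] == "fn":
                names.append(prop[3])
    return [n for n in names if n]

def egress_is_proxied(rdap, keywords=VENDOR_KEYWORDS):
    """True when the address the Internet sees is registered to the proxy vendor."""
    haystack = " ".join(registrant_names(rdap)).lower()
    return any(k in haystack for k in keywords)

if __name__ == "__main__":
    for label, record in (("proxied", SAMPLE_PROXIED), ("direct", SAMPLE_DIRECT)):
        print(label, registrant_names(record), egress_is_proxied(record))
    # Live check: egress_is_proxied(fetch_rdap("<client public IP>"))
```

A `True` result for the client's public IP matches the tunneled state described above; after the workaround the same address lookup should return `False`.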


