The GlobalProtect Client is connected, but the user cannot reach internal servers once the Microsoft Outlook client is launched. Pings to internal servers fail while the GlobalProtect Client remains connected.
Cause
The Outlook client username may differ from the GlobalProtect username. In this scenario, the IP-user mapping for the client's IP address changes when Outlook is launched. If the security rules configured on the Palo Alto Networks device only allow GlobalProtect usernames/groups, the change in the username/group mapping causes the traffic to hit the "deny all" rule instead.
Steps to verify the issue:
1. Verify the connection with the GlobalProtect Client on the firewall:
   > show global-protect-gateway current-user
2. Perform continuous pings to any internal server from the GlobalProtect Client.
3. Verify the mapping source for the GlobalProtect user on the firewall, using the IP address of the GlobalProtect Client from Step 1:
   > show user ip-user-mapping all | match <ip address>
4. Launch the Outlook client. The continuous pings now time out.
5. Verify that the mapping source is now AD and that the IP-user mapping has changed:
   > show user ip-user-mapping all | match <ip address of GlobalProtect Client>
Resolution
Add a security rule on the Palo Alto Networks firewall that allows the Outlook client usernames/groups, that is, the identity reported by the AD-sourced mapping in Step 5.
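The following added example models the verification steps and the resolution above; it is not Palo Alto Networks code and does not talk to a firewall. It parses two constructed snapshots of `show user ip-user-mapping all` output (the column layout, IP address, usernames, and rule names are assumptions), evaluates a simplified user-based security policy against the mapped identity before and after Outlook is launched, and shows that adding a rule for the AD-reported username restores access. It also includes a small diff helper that flags IPs whose mapped user changed between snapshots, which is the check to run when pings start failing while the GP tunnel stays up.

```python
"""Model of a GP-to-AD identity change breaking a user-based security policy.

Added example, not Palo Alto Networks code. The CLI output below is constructed
and the policy matching is a simplification of real firewall behaviour.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Mapping:
    ip: str
    source: str  # mapping source column, e.g. "GP" or "AD"
    user: str


@dataclass(frozen=True)
class Rule:
    name: str
    source_users: Tuple[str, ...]  # empty tuple means "any"
    action: str


# Constructed snapshots in the shape of 'show user ip-user-mapping all' output.
BEFORE_OUTLOOK = """\
IP              Vsys   From    User                 IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------- -------------- -------------
10.10.10.5      vsys1  GP      corp\\gp.user1       2589           2589
"""
AFTER_OUTLOOK = """\
IP              Vsys   From    User                 IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------- -------------- -------------
10.10.10.5      vsys1  AD      corp\\ad.user1       2700           2700
"""

# Constructed policies. The original one only knows the GP identity; the
# resolved one adds a rule for the identity that the AD mapping reports.
ORIGINAL_POLICY = (
    Rule("allow-gp-users", ("corp\\gp.user1",), "allow"),
    Rule("deny-all", (), "deny"),
)
RESOLVED_POLICY = (
    Rule("allow-gp-users", ("corp\\gp.user1",), "allow"),
    Rule("allow-outlook-users", ("corp\\ad.user1",), "allow"),
    Rule("deny-all", (), "deny"),
)


def parse_ip_user_mapping(output: str) -> Dict[str, Mapping]:
    """Parse the table into {ip: Mapping}; header and separator lines are skipped."""
    mappings: Dict[str, Mapping] = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "IP" or parts[0].startswith("-"):
            continue
        ip, _vsys, source, user = parts[:4]
        mappings[ip] = Mapping(ip=ip, source=source, user=user)
    return mappings


def evaluate(ip: str, mappings: Dict[str, Mapping], rules: Tuple[Rule, ...]) -> str:
    """Return the name of the first rule matching the user currently mapped to ip.
    An unmapped IP only matches rules whose source-user criterion is 'any'."""
    m: Optional[Mapping] = mappings.get(ip)
    user = m.user.lower() if m else None
    for r in rules:
        if not r.source_users or (user is not None and user in r.source_users):
            return r.name
    raise AssertionError("policy has no final catch-all rule")


def changed_identities(before: Dict[str, Mapping], after: Dict[str, Mapping]) -> List[tuple]:
    """List IPs whose mapped user changed between snapshots, with the source transition."""
    changes = []
    for ip, new in after.items():
        old = before.get(ip)
        if old and old.user.lower() != new.user.lower():
            changes.append((ip, old.user, new.user, f"{old.source} -> {new.source}"))
    return changes


def walkthrough() -> dict:
    """Run the scenario from the article: GP mapping, Outlook launch, then the fix."""
    gp_ip = "10.10.10.5"  # constructed client address from the snapshots above
    before = parse_ip_user_mapping(BEFORE_OUTLOOK)
    after = parse_ip_user_mapping(AFTER_OUTLOOK)
    return {
        "before_outlook": evaluate(gp_ip, before, ORIGINAL_POLICY),
        "after_outlook": evaluate(gp_ip, after, ORIGINAL_POLICY),
        "after_fix": evaluate(gp_ip, after, RESOLVED_POLICY),
        "identity_changes": changed_identities(before, after),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

Running the walkthrough shows the GP identity hitting `allow-gp-users`, the same IP falling through to `deny-all` once the mapping flips to the AD username, and the added `allow-outlook-users` rule matching after the fix. Real deployments should key the added rule on a group rather than individual usernames, as the resolution above allows.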