No Route on the Palo Alto Networks Firewall to Reach GlobalProtect Clients

Created On 09/26/18 13:51 PM - Last Modified 06/02/23 19:26 PM



Users cannot assign their preferred IP on GlobalProtect clients for their devices, so configuring an IP pool on the Palo Alto Networks firewall is mandatory. After user authentication, the firewall assigns an IP from its configured pool of offered and available IPs. The firewall should automatically create a route through the configured tunnel interface. This auto-generated route is used as a reverse route for replying to the connected GlobalProtect clients.


The firewall generates a route for the offered/available IPs only if the tunnel interface is assigned to a virtual router. Choose the virtual router according to the traffic flow.

Bind the VR to the tunnel interface (this must be the same tunnel that is configured on the GlobalProtect gateway):


Go to Network > GlobalProtect > Gateways > Client Configuration. Shown below is the Tunnel Interface on the gateway:

[Screenshots: gateway tunnel.PNG, tunnel bind.PNG]


Shown below is the User Authentication and IP Assignment:

[Screenshots: ipoffered.PNG, ippool.PNG]


Shown below are the routes: one for the offered IP through tunnel.55 and another for the available IPs in the pool.

Route auto generation in default-VR:

[Screenshot: route for tunnel.55.PNG]


Note: Even though it is an auto-generated route, the firewall flags it as active-static.
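One way to check this condition offline, as an added example (not Palo Alto Networks code): the script runs a longest-prefix match over a route listing and reports pool addresses whose reply traffic would not leave through the tunnel interface. The route-table text, its column layout, the pool 172.16.55.0/24 and all function names are constructed assumptions; only tunnel.55 comes from the article.

```python
import ipaddress

# Constructed sample; the column layout is an assumption:
# destination, nexthop, metric, flags..., interface
BOUND = """\
0.0.0.0/0        203.0.113.1  10  A S  ethernet1/1
10.1.1.0/24      10.1.1.1     0   A C  ethernet1/2
172.16.55.10/32  0.0.0.0      10  A S  tunnel.55
172.16.55.0/24   0.0.0.0      10  A S  tunnel.55
"""
# Same table when the tunnel interface is not in the virtual router (constructed).
UNBOUND = "\n".join(l for l in BOUND.splitlines() if "tunnel.55" not in l)


def parse_routes(text):
    """Return (network, flags, interface) for each route row."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or "/" not in tok[0]:
            continue  # skip headers, blank lines and rows without an interface
        routes.append((ipaddress.ip_network(tok[0]), set(tok[3:-1]), tok[-1]))
    return routes


def egress_for(ip, routes):
    """Longest-prefix match over active (A) routes; interface name or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, flags, ifname in routes:
        if "A" in flags and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, ifname)
    return best[1] if best else None


def check_pool(pool, tunnel_if, routes):
    """Pool addresses whose reverse route does not use tunnel_if."""
    hosts = ipaddress.ip_network(pool).hosts()
    return [str(ip) for ip in hosts if egress_for(str(ip), routes) != tunnel_if]


if __name__ == "__main__":
    for name, table in (("bound", BOUND), ("unbound", UNBOUND)):
        bad = check_pool("172.16.55.0/24", "tunnel.55", parse_routes(table))
        print(f"{name}: {len(bad)} pool addresses not routed via tunnel.55")
```

In the unbound case the pool addresses fall through to the default route, so replies to GlobalProtect clients would leave through ethernet1/1 instead of the tunnel.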


owner: skumarasam
