Wrong Source IP from GlobalProtect User in Traffic Logs
Sometimes in the traffic logs, traffic from a Windows GlobalProtect user will have the source address of the clients LAN / WAN IP rather than their GlobalProtect assigned IP address.
The GlobalProtect client cannot force a particular source IP address to be used when Windows, or an application (such as one that uses licensing based on IP address) specifies a specific IP address to be used as a source address. In these situations, the routes installed in Windows by GlobalProtect will be used, and the traffic will be sent over the GlobalProtect connection and therefore be seen by the Palo Alto Networks firewall.
Typically, as GlobalProtect clients connect from a Private IP, this traffic will be dropped as there will be no route back or the policy on the firewall will block it as it does not match the IP range used for the GlobalProtect zone.