Wrong Source IP from GlobalProtect User in Traffic Logs
Resolution
Symptom
Sometimes in the traffic logs, traffic from a Windows GlobalProtect user shows the client's LAN/WAN IP address as the source address rather than the IP address assigned by GlobalProtect.
Cause
The GlobalProtect client cannot force a particular source IP address to be used when Windows, or an application (such as one whose licensing is based on IP address), specifies a particular IP address to be used as the source address. In these situations, the routes installed in Windows by GlobalProtect are still used, so the traffic is sent over the GlobalProtect connection and is therefore seen by the Palo Alto Networks firewall.
Typically, because GlobalProtect clients connect from a private IP address, this traffic will be dropped: either there is no route back, or the policy on the firewall blocks it because the source does not match the IP range used for the GlobalProtect zone.
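One way to pick these entries out of exported traffic logs, as an added example that is not part of the original article: flag sessions that arrived from the GlobalProtect zone with a source address outside the GlobalProtect address pool. The pool 10.99.0.0/24, the zone name gp-vpn and the CSV column names are assumptions made for illustration, and the log rows are constructed.

```python
import csv
import io
import ipaddress
from collections import Counter

# Assumption: address pool handed out to GlobalProtect clients (constructed value).
GP_POOL = ipaddress.ip_network("10.99.0.0/24")
# Assumption: name of the zone bound to the GlobalProtect tunnel interface.
GP_ZONE = "gp-vpn"

# Constructed sample rows in a simplified, hypothetical CSV export
# (column names are illustrative, not the firewall's own log schema).
SAMPLE_LOG = """\
time,src,dst,from_zone,action
2024-01-10 09:00:01,10.99.0.15,10.1.1.20,gp-vpn,allow
2024-01-10 09:00:04,192.168.1.23,10.1.1.50,gp-vpn,deny
2024-01-10 09:00:09,10.99.0.16,10.1.1.20,gp-vpn,allow
2024-01-10 09:00:12,172.16.5.8,10.1.1.50,gp-vpn,deny
2024-01-10 09:00:13,192.168.1.23,10.1.1.51,gp-vpn,deny
2024-01-10 09:00:15,10.2.0.7,10.1.1.20,trust,allow
"""


def find_wrong_source(log_text, pool=GP_POOL, zone=GP_ZONE):
    """Return rows that entered through the GlobalProtect zone with a source
    address outside the GlobalProtect pool (the symptom described above)."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["from_zone"] != zone:
            continue  # not traffic that arrived over the tunnel
        try:
            src = ipaddress.ip_address(row["src"])
        except ValueError:
            continue  # skip rows with a malformed source field
        if src not in pool:
            hits.append(row)
    return hits


def count_by_source(hits):
    """Count flagged sessions per source address to spot the affected clients."""
    return Counter(row["src"] for row in hits)


if __name__ == "__main__":
    flagged = find_wrong_source(SAMPLE_LOG)
    for src, n in count_by_source(flagged).most_common():
        print(f"{src}: {n} session(s) from the GlobalProtect zone outside {GP_POOL}")
```

Grouping by source address shows which client-side addresses keep appearing, which helps trace the entries back to the application that is binding to the physical adapter's address.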
owner: mcooke