GlobalProtect users with app status "Connected You are on the internal corporate network." lose access to internal/external resources after some time

Created On 08/10/22 09:55 AM - Last Modified 01/31/25 22:19 PM


Symptom


  • GlobalProtect users connected to an internal gateway are unable to access internal/external resources after some time, even though the connection status in the GlobalProtect app still shows "Connected You are on the internal corporate network.".
  • The issue occurs in environments that use user-based security policy and obtain the user-to-IP mapping from GlobalProtect.
  • Example of the working state, in which the user is able to reach internal/external resources:

    Screenshot 2022-08-10 at 16.46.30.png

    • On the firewall GUI under Monitor > Traffic, "user1" matches the allow rule shown in the previous screenshot.

    Screenshot 2022-08-10 at 16.49.25.png

    • The CLI output below shows that the user-to-IP mapping was learned from GlobalProtect ("show user ip-user-mapping all" lists the source of each mapping in the From column; GP indicates GlobalProtect).

    Screenshot 2022-08-10 at 16.38.45.png

    • After roughly 120 minutes (7200 seconds), that is, around the time the gateway Login Lifetime expires, the user-to-IP mapping is no longer present on the firewall.

    Screenshot 2022-08-10 at 16.45.13.png

    • The client machine can no longer reach the resources because the user-to-IP mapping has been removed.

    Screenshot 2022-08-10 at 16.41.20.png

    • As a result, the allow rule is no longer matched: without a mapping the source user is unknown, so the traffic does not match a rule that requires that user.

    Screenshot 2022-08-10 at 16.43.36.png



Environment


  • Palo Alto Firewalls
  • Supported PAN-OS versions
  • GlobalProtect (GP) App
  • GlobalProtect users connected to internal gateway
  • Internal Host Detection (IHD)
  • User-based policies


Cause


  • The user-to-IP mapping is removed when the internal gateway Login Lifetime expires, even though the periodic HIP checks (hourly by default) keep refreshing the mapping in the meantime.
  • GP users temporarily lose access to internal/external resources because their traffic no longer matches the user-based security policy rule once the mapping is gone.
  • The GP app keeps showing "Connected You are on the internal corporate network." as long as Internal Host Detection (IHD) succeeds; IHD (a reverse DNS lookup of the configured internal host) does not depend on the mapping still existing on the firewall.


Resolution


  1. Increase the Login Lifetime value so that it covers the user's business hours, then commit. The user-to-IP mapping then remains present throughout the working day until the user logs out or a fresh login occurs.

  GUI: Network > GlobalProtect > Gateways > [gateway-name] > Agent > Connection Settings

  Screenshot 2022-08-10 at 16.56.22.png

  2. Perform "Refresh Connection" from the GP app to re-establish the gateway connection. This recreates the user-to-IP mapping, and the user's traffic matches the user-based security policies again.

  Screenshot 2022-08-10 at 16.57.35.png
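The check below is an added example written for this article, not code from Palo Alto Networks or part of the GlobalProtect product. It parses the output of the firewall command "show user ip-user-mapping all" (the column layout and the sample rows are assumptions constructed for the example, not captured output), lists the GlobalProtect-learned mappings whose MaxTimeout will run out before the end of the working day, and checks whether a candidate Login Lifetime covers the shift. The clock times and lifetimes are constructed values.

```python
"""Check which GlobalProtect-learned user-to-IP mappings will age out before the end of the
working day, so the gateway Login Lifetime can be sized to cover business hours.

Added example, not code from the Palo Alto Networks article. It assumes the column layout of
the PAN-OS CLI command "show user ip-user-mapping all" (IP, Vsys, From, User, IdleTimeout(s),
MaxTimeout(s)); the sample output and the times below are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample of "show user ip-user-mapping all" output (layout assumed, not captured).
# "From" is the mapping source: GP = learned from the GlobalProtect gateway login.
SAMPLE_OUTPUT = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.10.1.21      vsys1  GP      corp\\user1                      1500           1500
10.10.1.22      vsys1  GP      corp\\user2                      30600          30600
10.10.2.5       vsys1  AD      corp\\svc-backup                 2700           2700
Total: 3 users
"""

# Constructed scenario: it is 09:00 and the working day ends at 17:00 (an 8-hour shift).
NOW = datetime(2022, 8, 10, 9, 0)
END_OF_DAY = datetime(2022, 8, 10, 17, 0)

# One mapping row: IPv4, vsys, source, user, idle timeout and max timeout (both in seconds).
ROW_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<vsys>\S+)\s+(?P<source>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<idle>\d+)\s+(?P<max>\d+)\s*$"
)


def parse_mappings(text):
    """Parse mapping rows into dicts; the header, separator and 'Total:' lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({
                "ip": m["ip"], "vsys": m["vsys"], "source": m["source"], "user": m["user"],
                "idle_s": int(m["idle"]), "max_s": int(m["max"]),
            })
    return rows


def expiring_gp_mappings(rows, now=NOW, end_of_day=END_OF_DAY):
    """Return (user, ip, expires_at) for GP mappings whose MaxTimeout runs out before end_of_day.

    These users would still see "Connected You are on the internal corporate network." (IHD keeps
    succeeding) but would stop matching user-based policy once the mapping is gone.
    """
    at_risk = []
    for row in rows:
        if row["source"] != "GP":
            continue  # mappings from other sources (e.g. the AD agent) have their own timers
        expires_at = now + timedelta(seconds=row["max_s"])
        if expires_at < end_of_day:
            at_risk.append((row["user"], row["ip"], expires_at))
    return at_risk


def login_lifetime_covers_shift(lifetime_s, shift_start=NOW, shift_end=END_OF_DAY):
    """True when a gateway Login Lifetime (in seconds) is at least as long as the working shift."""
    return lifetime_s >= (shift_end - shift_start).total_seconds()


if __name__ == "__main__":
    rows = parse_mappings(SAMPLE_OUTPUT)
    for user, ip, expires_at in expiring_gp_mappings(rows):
        print(f"{user} ({ip}): mapping expires at {expires_at:%H:%M}, before end of day")
    for lifetime_min in (120, 480):
        ok = login_lifetime_covers_shift(lifetime_min * 60)
        print(f"Login Lifetime of {lifetime_min} min covers the shift: {ok}")
```

To use it against a real firewall, replace SAMPLE_OUTPUT with the text of "show user ip-user-mapping all" from the CLI and set NOW/END_OF_DAY to the current time and the end of the local working day; the MaxTimeout column is what the Login Lifetime ultimately bounds for GP-learned mappings, so any GP row it reports is a user who will hit the symptom described above before the day is over.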



Additional Information


Another cause of the same behavior: GlobalProtect Client Shows "Connected You are on the internal corporate network" but There is no IP Address-to-Username Mapping of the User



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000Cr8rCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail