Gateway Client-Settings Profiles not applied correctly with Source IP as a Config Selection Criteria when internally located user tries to connect manually to an external gateway

Created On 08/14/24 09:56 AM - Last Modified 10/20/25 20:29 PM


Symptom


> GP identifies the user as being on the internal network.
> The user is trying to connect to an external gateway.
> Client-Settings profiles that use the Config Selection Criteria (CSC) "Source IP" are not assigned correctly when the user is trying to connect to an external gateway.


Environment


Prisma Access
Strata NGFW
GlobalProtect


Cause


> When the user is trying to connect to a gateway, GP sends two pieces of information to the gateway:

1- Whether the user is located internally or externally.

2- The local IP (Private IP).

> If the gateway's Client-Settings are configured with the Config Selection Criteria "Source IP", the gateway will check whether the user is internal or external.

If Internal:

> The gateway will use the user's Local IP (Private IP) to assign the Client-Settings profile.

If External:

> The gateway will use the user's public IP to assign the client-settings profile.


Resolution


> If the user is internal, create the Client-Settings profile based on the internal IP/subnet, if possible, instead of the public IP.
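
The selection logic from the Cause section and the fix from the Resolution, modeled as an added Python example (not Palo Alto Networks code). The profile names, subnets and addresses are constructed, and top-down first-match evaluation is an assumption the article does not state.

```python
import ipaddress

# Constructed sample profiles: (name, list of Source IP criteria in CIDR form).
# Before the fix, the office profile is keyed on the office's public NAT range.
PROFILES_BEFORE = [
    ("office-by-public-ip", ["203.0.113.0/24"]),
    ("default", ["0.0.0.0/0"]),
]
# After the fix, a profile keyed on the internal subnet is added.
PROFILES_AFTER = [
    ("office-by-internal-subnet", ["10.20.0.0/16"]),
    ("office-by-public-ip", ["203.0.113.0/24"]),
    ("default", ["0.0.0.0/0"]),
]


def effective_source_ip(is_internal, local_ip, public_ip):
    """IP the gateway compares against the Source IP criteria.

    Internal users are matched on the local (private) IP that GP reports,
    external users on their public IP, as the Cause section describes.
    """
    return ipaddress.ip_address(local_ip if is_internal else public_ip)


def select_profile(profiles, is_internal, local_ip, public_ip):
    """Return the name of the first matching profile, or None.

    Assumption: profiles are evaluated top-down and the first match wins.
    """
    ip = effective_source_ip(is_internal, local_ip, public_ip)
    for name, cidrs in profiles:
        if any(ip in ipaddress.ip_network(cidr) for cidr in cidrs):
            return name
    return None


if __name__ == "__main__":
    # Constructed client: office laptop, private 10.20.5.7, NATed to 203.0.113.10.
    client = {"local_ip": "10.20.5.7", "public_ip": "203.0.113.10"}
    # Symptom: detected as internal, so the public-IP profile is skipped.
    print(select_profile(PROFILES_BEFORE, True, **client))
    # Same addresses, but detected as external: public-IP profile matches.
    print(select_profile(PROFILES_BEFORE, False, **client))
    # Resolution: a profile keyed on the internal subnet matches.
    print(select_profile(PROFILES_AFTER, True, **client))
```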
