Application web pages are not loading properly when accessed through Clientless VPN.

• New implementation of Clientless VPN.
• All the applications that are published in the Clientless VPN are partially loading.
• Network Address Translation (NAT) is used to provide access to the Clientless VPN portal.

User <==> Internet <==> NAT device <==> PA FW (VPN Portal)

• From the client side browser access, the application web page rewrite was happening to the private IP address of the firewall interface.

• Palo Alto Firewall
• PAN-OS 9.1, 10.1, 10.2
• GlobalProtect Clientless VPN

• In the Clientless VPN configuration, the Hostname field should be the IP address or FQDN for the GlobalProtect portal that hosts the web applications landing page.
• The GlobalProtect Clientless VPN rewrites application URLs with this hostname.
• If the Network Address Translation (NAT) is used to provide access to the Clientless VPN portal, then the IP address or FQDN must match (or resolve to) the NAT IP address for the GlobalProtect portal (the public IP address).
• Clientless VPN was misconfigured to use private IP address as the Hostname that caused the issue.

1. Go to GUI: Network > GlobalProtect  > Portals > (portal-config) > Clientless VPN
2. In the General Tab, change the Hostname to the public IP address or FQDN that the NAT device is using. The same IP/FQDN will be used by the user to connect to the portal.
3. Commit the configuration.