Region based config selection criteria fails for Internal GlobalProtect users during External gateway selection

Created On 07/27/22 14:05 PM - Last Modified 04/11/25 20:06 PM


Symptom


Internal GlobalProtect users are unable to connect to an External gateway when the Gateway Client Settings profile has a source address/region restriction.



Environment




Cause


If the user was connected to an Internal gateway (office), the source region is ignored during gateway selection, whatever it is, because the user is internal:

(P11396-T11348)Debug(6265): 04/09/21 18:30:50:472 HipReportThread: network type is internal network.
...
(P11396-T8596)Info ( 502): 04/09/21 18:46:59:495 msgtype = manual-gateway
(P11396-T8596)Debug(3964): 04/09/21 18:46:59:499 ProcessManualSetGateway Hong Kong
...
P11396-T8596)Debug(3663): 04/09/21 18:47:04:464 Pre-login response is <?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Success</status>
.....
<saml-default-browser>yes</saml-default-browser><connected-ip>X.X.X.X</connected-ip><region>SG</region>
</prelogin-response>
(P11396-T8596)Debug(3715): 04/09/21 18:47:04:464 REGION-PRIO, internal network, ignore any region code now
...
(P11396-T8596)Error( 835): 04/09/21 18:47:05:056 Failed to set client config
(P11396-T8596)Debug(6849): 04/09/21 18:47:05:056 --Set state to Connection failed



Resolution


  1. This is expected behavior.
  2. The source address is determined as follows:
    1. When the client is internal, the local IP address sent by the client is evaluated.
    2. When the client is external, the client's public IP address is evaluated to determine the source region, followed by the gateway config lookup.
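
Added example, not part of the original article and not Palo Alto Networks code: a Python triage check that scans a GlobalProtect client log for the three markers shown under Cause (internal network, region code ignored, client config failure) and reports whether a failed connection matches this expected behavior. The function name, result keys and `matches_article` flag are assumptions made for illustration; the sample log is the article's own excerpt.

```python
import re

# Log excerpt copied from the Cause section of the article (IP already redacted there).
SAMPLE_LOG = """\
(P11396-T11348)Debug(6265): 04/09/21 18:30:50:472 HipReportThread: network type is internal network.
(P11396-T8596)Info ( 502): 04/09/21 18:46:59:495 msgtype = manual-gateway
(P11396-T8596)Debug(3964): 04/09/21 18:46:59:499 ProcessManualSetGateway Hong Kong
<saml-default-browser>yes</saml-default-browser><connected-ip>X.X.X.X</connected-ip><region>SG</region>
(P11396-T8596)Debug(3715): 04/09/21 18:47:04:464 REGION-PRIO, internal network, ignore any region code now
(P11396-T8596)Error( 835): 04/09/21 18:47:05:056 Failed to set client config
(P11396-T8596)Debug(6849): 04/09/21 18:47:05:056 --Set state to Connection failed
"""

# Markers taken verbatim from the log lines above.
PATTERNS = {
    "internal": re.compile(r"network type is internal network"),
    "gateway": re.compile(r"ProcessManualSetGateway\s+(.+?)\s*$"),
    "region": re.compile(r"<region>([^<]*)</region>"),
    "region_ignored": re.compile(r"REGION-PRIO, internal network, ignore any region code"),
    "config_failed": re.compile(r"Failed to set client config"),
}


def diagnose(log_text):
    """Return the markers found in the log and whether they match the article's case."""
    found = {"internal": False, "gateway": None, "region": None,
             "region_ignored": False, "config_failed": False}
    for line in log_text.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            # Patterns with a capture group store the value; the rest are flags.
            found[key] = m.group(1) if rx.groups else True
    # The article's symptom: internal client, region code discarded,
    # then the gateway client config lookup fails.
    found["matches_article"] = (found["internal"] and found["region_ignored"]
                                and found["config_failed"])
    return found


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A log that shows `Failed to set client config` without the `REGION-PRIO` line does not match this article and needs a different investigation.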

