GlobalProtect Enforcement Bypass URLs are getting Blocked in Enforcement Policy when using Edge as default browser.

Created On 01/28/26 02:59 AM - Last Modified 04/01/26 21:52 PM


Symptom


  • The GlobalProtect app is configured with the enforcer for network access enabled.
  • The configuration also lists the required FQDNs to exempt from the enforcer, including the IdP URLs (for example, cloud-auth.in.apps.paloaltonetworks.com).
  • Microsoft Edge is the system default browser, and use of the default browser for SAML is enabled.
  • Occasionally, when the GlobalProtect app attempts to connect, the connection to the authentication URL itself is blocked.
  • Restarting the PC or the GlobalProtect service usually fixes the issue.

Internet access blocked 

 

 



Environment


  • GlobalProtect App on Windows (Any version)
  • Prisma Access with GlobalProtect
  • Strata NGFW with GlobalProtect


Cause


  • The GlobalProtect app monitors system DNS requests to identify the IP addresses of domains and match them against the enforcer exception list.
  • In this case, Edge uses the operating system DNS but initiates traffic from its own cache, so no DNS query is sent via the OS.
  • As a result, the GlobalProtect app does not see the current IP address for the bypassed domain and continues to block it.


Resolution


  1. Disable Edge's built-in DNS client by making a registry change.
    HKLM\SOFTWARE\Policies\Microsoft\Edge
    
    Value Name: BuiltInDnsClientEnabled
    Value Type: REG_DWORD
    Value: 0
  2. Clear the browser cache once, restart the browser, and then attempt to reproduce the issue.
  3. Because the browser now sends DNS queries via the operating system, the GlobalProtect app should be able to intercept them and dynamically allow the bypassed domains.
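
The registry change from step 1 can be audited and applied with a script such as the one below. This is an added example, not part of the original article or Palo Alto Networks tooling; the function names `Get-EdgeBuiltInDnsState` and `Disable-EdgeBuiltInDns` are hypothetical, and it assumes an elevated PowerShell session.

```powershell
# Added example: audit and enforce the Edge policy value from step 1.
# Requires an elevated session because the value lives under HKLM.
$EdgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$ValueName     = 'BuiltInDnsClientEnabled'

function Get-EdgeBuiltInDnsState {
    # Returns 'NotConfigured', 'Disabled' (value 0) or 'Enabled' (any other value).
    $prop = Get-ItemProperty -Path $EdgePolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'NotConfigured' }
    if ($prop.$ValueName -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-EdgeBuiltInDns {
    # Supports -WhatIf so the change can be previewed before it is written.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path -Path $EdgePolicyKey)) {
        if ($PSCmdlet.ShouldProcess($EdgePolicyKey, 'Create policy key')) {
            New-Item -Path $EdgePolicyKey -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess("$EdgePolicyKey\$ValueName", 'Set REG_DWORD to 0')) {
        # -Force overwrites an existing value of the same name.
        New-ItemProperty -Path $EdgePolicyKey -Name $ValueName `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# Record the state before and after so the run can be logged per machine.
$before = Get-EdgeBuiltInDnsState
if ($before -ne 'Disabled') { Disable-EdgeBuiltInDns }
$after = Get-EdgeBuiltInDnsState
Write-Output "BuiltInDnsClientEnabled: before=$before after=$after"

# Step 2 calls for a browser restart; report whether Edge is still running.
$edge = Get-Process -Name msedge -ErrorAction SilentlyContinue
if ($edge) {
    Write-Output "Edge is running ($(@($edge).Count) processes); restart it to apply the change."
}
```

Running `Disable-EdgeBuiltInDns -WhatIf` previews the registry write without making it.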


Additional Information


  • The system administrator can push the registry change to all Windows machines using a Group Policy.
  • GlobalProtect is working as expected here.

