Why GlobalProtect users cannot access the internal resources

Created On 09/25/18 19:36 PM - Last Modified 02/05/24 14:37 PM


Symptom


GlobalProtect is connected but users cannot access the internal resources.

Cause


Sometimes, even if the configuration is correct and GlobalProtect is connected, users cannot access internal resources. This happens when the subnet assigned to GlobalProtect clients is already in use elsewhere in the network, or when there is a routing issue.

[Figure: Global Protect.PNG]


Resolution


Change the GlobalProtect IP Pool to a subnet that is not already in use.
To work around the problem, you can also put the GlobalProtect tunnel interface in a different zone (GP-VPN) and configure a source NAT for the desired traffic. Make sure you have a security policy that allows the traffic.
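A quick way to test a candidate IP Pool against the subnets already routed in the network, as an added example that is not part of this article (the subnets and zone names are constructed; any overlap means clients would collide with an existing network):

```python
# Added example, not from the Palo Alto Networks article: check whether a
# proposed GlobalProtect IP Pool overlaps any subnet already in use.
import ipaddress
from typing import Iterable, List, Optional

# Constructed sample inventory of in-use subnets (hypothetical values).
IN_USE_SUBNETS = [
    "10.10.0.0/24",     # Trust-L3 internal hosts (hypothetical)
    "10.20.0.0/24",     # DMZ-L3 servers (hypothetical)
    "192.168.50.0/24",  # another routed segment (hypothetical)
]


def find_pool_conflicts(pool: str, in_use: Iterable[str]) -> List[str]:
    """Return the in-use subnets that overlap the proposed GlobalProtect pool.

    An empty list means the pool is safe to assign. Any entry is the
    condition the article describes: the tunnel comes up, but return
    traffic is routed to the existing subnet instead of the VPN clients.
    """
    pool_net = ipaddress.ip_network(pool, strict=False)
    conflicts = []
    for cidr in in_use:
        net = ipaddress.ip_network(cidr, strict=False)
        # Only compare within the same address family (v4 vs v6).
        if net.version == pool_net.version and net.overlaps(pool_net):
            conflicts.append(str(net))
    return conflicts


def pick_free_pool(candidates: Iterable[str], in_use: Iterable[str]) -> Optional[str]:
    """Return the first candidate pool with no overlap, or None if all collide."""
    in_use = list(in_use)
    for candidate in candidates:
        if not find_pool_conflicts(candidate, in_use):
            return candidate
    return None


if __name__ == "__main__":
    for pool in ("10.10.0.0/24", "10.0.0.0/8", "172.16.99.0/24"):
        print(pool, "conflicts with", find_pool_conflicts(pool, IN_USE_SUBNETS) or "nothing")
```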
 

Following is the topology:

GlobalProtect users are in the GP-VPN zone, servers are in the DMZ-L3 zone, and internal hosts are in the Trust-L3 zone.

[Figure: GP3.PNG]

 

If you want to access the resources in the DMZ-L3 zone, configure a source NAT from GP-VPN to DMZ-L3.

[Figure: GP4.PNG]

 

Security policy:

[Figure: GP5.PNG]



https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000ClaB&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkCSArticleDetail