Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
Why GlobalProtect users cannot access the internal resources - Knowledge Base - Palo Alto Networks

Why GlobalProtect users cannot access the internal resources

36716
Created On 09/25/18 19:36 PM - Last Modified 02/05/24 14:37 PM


Symptom


GlobalProtect is connected but users cannot access the internal resources.

Cause


Sometimes even if the configuration is correct and GlobalProtect is connected, users are not able to access the internal resources. This situation may occur when the subnet assigned to GlobalProtect client is already in use somewhere in the network, or when there is a routing issue.

Global Protect.PNG

Resolution


Change the GlobalProtect IP Pool with a subnet which is not already in use.
To workaround the problem you can also put the GloblaProtect tunnel interface in a different zone (GP-VPN) and configure a source NAT for the desired traffic. Make sure you have a security policy to allow the traffic.
 

Following is the topology:

GlobalProtect users are in GP-VPN zone, Servers are in DMZ-L3 zone and internal host are in Trust-L3 zone.

GP3.PNG

 

If you want to access the resources in the DMZ-L3 zone, configure a source NAT from GP-VPN to DMZ-L3

GP4.PNG

 

Security policy:

GP5.PNG
Other users also viewed:
How to download GlobalProtect from the Customer Support Portal
Download and Install the GlobalProtect App for Windows
Resource List: GlobalProtect Configuring and Troubleshooting
PAN-OS Software Updates
Where to find the current preferred software versions? (PAN-OS, GlobalProtect, User-ID Agent, Plugins)
Results 1-5 of 239,292
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000ClaB&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkCSArticleDetail

Choose Language