Global Protect Enforcer Exception List
Created On 12/02/19 22:47 PM - Last Modified 03/14/25 23:40 PM
Symptom
- The GlobalProtect App configuration has an option called "Enforce GlobalProtect Connection for Network Access".
- When this option is enabled, the user's access to network resources is restricted whenever GlobalProtect is unable to connect.
- This can cause a problem: essential local services that the endpoint needs before a tunnel exists, such as obtaining a DHCP address, are blocked by the enforcer.
Environment
- PAN-OS 8.1 or later (for GlobalProtect Portal)
- GlobalProtect Client version 5.1 or later
- "Enforce GlobalProtect Connection for Network Access" enabled.
Resolution
App & Threat version 8196-5685 added a new option to the GlobalProtect App Configuration: "Allow traffic to specified hosts/networks when Enforce GlobalProtect Connection for Network Access is enabled and GlobalProtect Connection is not established". This option lets the admin add exceptions to the enforcer, for example so the DHCP server stays reachable and the client can obtain an IP address.
- A single address in the exception list can be entered without a subnet mask (e.g. 192.168.223.1).
- Multiple addresses must each be entered with a mask, separated by commas (e.g. 192.168.223.1/32,10.0.0.1/32).
- Once the GlobalProtect client connects to the gateway, the exception list no longer applies.
- These options only work with GlobalProtect client 5.1 or later.
- These options can be enabled in the GUI under Network > GlobalProtect > Portals > Agent > (agent name) > App.
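As an added example (not Palo Alto Networks code), the Python lint below checks a candidate exception-list value against the entry rules above before it is pasted into the App settings. It assumes IPv4 entries as in the article's examples; the "wider than /24" warning is this example's own policy for keeping the pre-connection hole small, not a product rule.

```python
"""Lint a GlobalProtect enforcer exception-list value.

Rules taken from the article: a single entry may omit the mask; multiple
entries are comma-separated and must each carry a mask. The broad-prefix
warning is an assumption of this example, not a GlobalProtect rule.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumption for this lint only: flag anything wider than /24 as broad.
BROAD_PREFIX = 24


@dataclass
class CheckResult:
    ok: bool
    entries: list = field(default_factory=list)   # normalised "a.b.c.d/n" strings
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def check_exception_list(value: str) -> CheckResult:
    result = CheckResult(ok=True)
    parts = [p.strip() for p in value.split(",")]
    if any(p == "" for p in parts):
        result.errors.append("empty entry (stray or trailing comma)")
    parts = [p for p in parts if p]
    multiple = len(parts) > 1
    for part in parts:
        # Multiple entries must each carry a mask; a lone entry may omit it.
        if multiple and "/" not in part:
            result.errors.append(f"{part}: mask required when more than one entry is listed")
            continue
        try:
            if "/" in part:
                # strict=True rejects e.g. 10.0.0.1/24 (host bits set), which is ambiguous.
                net = ipaddress.IPv4Network(part, strict=True)
            else:
                net = ipaddress.IPv4Network(f"{ipaddress.IPv4Address(part)}/32")
        except ValueError as exc:
            result.errors.append(f"{part}: {exc}")
            continue
        if net.prefixlen < BROAD_PREFIX:
            result.warnings.append(f"{net}: wider than /{BROAD_PREFIX}; keep pre-connection exceptions minimal")
        result.entries.append(str(net))
    result.ok = not result.errors
    return result


if __name__ == "__main__":
    for sample in ("192.168.223.1", "192.168.223.1/32,10.0.0.1/32", "192.168.223.1,10.0.0.1"):
        r = check_exception_list(sample)
        print(sample, "->", "OK" if r.ok else "INVALID", r.entries, r.errors, r.warnings)
```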