topic Re: GlobalProtect blocking access internet using browser in GlobalProtect Discussions

GlobalProtect blocking access internet using browser

binn698 — Mon, 04 Nov 2024 16:21:06 GMT

My company uses GlobalProtect VPN and I have a problem that needs help connecting Globalprotect on MacOS.

On the company device, it requires a GlobalProtect VPN connection to access company systems, allowed applications. But on MacOS, every time the employee takes the device out of the office and uses a wifi network other than internal wifi, all websites accessed by browser cannot be accessed, it reports an error: This site can't be reached. However, all applications installed on the device still connect normally such as: Teams, Outlook, Lark,...etc. I ping and nslookup the website, the IP has a signal but cannot access. I have tried many ways such as: setting the router's fixed DNS, Google DNS, AWS DNS, using the command sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder to clear DNS cache on MacOS, disable connect and reconnect, refresh VPN connection and uninstall GlobalProtect then reinstall but all failed.

The only way is to wait for the device for about 1-2 hours and it will automatically access the websites again.

The same thing happens when an employee successfully accesses the website using an external wifi and the next day reconnects to the internal wifi but still cannot access the website using the browser.

Re: GlobalProtect blocking access internet using browser

Raido_Rattameister — Mon, 04 Nov 2024 16:30:59 GMT

You manage Palo firewall in the company?

Do devices inside the network establish IPSec tunnel or have Internal Host Detection enabled?

Does GlobalProtect connect while using external wifi?

Do website names resolve to IP while using external wifi?

Re: GlobalProtect blocking access internet using browser

binn698 — Mon, 04 Nov 2024 16:40:11 GMT

You manage Palo firewall in the company?
- Yes I can access and check, basic configuration on the firewall, but I don't fully understand how it works.
Do devices inside the network establish IPSec tunnel or have Internal Host Detection enabled?
- Sorry I don't know where to check it from. Can you give me more information so I can check it.
Does GlobalProtect connect while using external wifi?
- GlobalProtect must always be connected to be able to access the internet from the company device. If the connection fails or is connected, the internet cannot be accessed.
Do website names resolve to IP while using external wifi?
- Yes. I use nslookup from the website to resolve to IP with external websites as well as internal websites.

Re: GlobalProtect blocking access internet using browser

Raido_Rattameister — Mon, 04 Nov 2024 19:09:11 GMT

Try to access Internet from outside the company.

Then check Palo logs (Monitor > Traffic).

Do you see sessions from Mac GlobalProtect IP towards Internet?

Is action allow?

Is source nat applied (you can check session details if you click on a mag glass on left side of traffic log).

Re: GlobalProtect blocking access internet using browser

binn698 — Tue, 05 Nov 2024 02:22:30 GMT

When using the internet outside the company and GlobalProtect VPN connected, I saw traffic from the device going to the internet such as: ms-team, ms-outlook-web,... and many other applications installed on the device. I was sure that those traffics were allowed, I also created a separate rule allow any any any to test but still had to wait 1,2 hours later for the device to be able to access the internet using the browser.
One thing I saw was that at that time, the traffic log called back to my company's DNS server a lot, more than the traffic going out to the internet. All of them were allowed.

This only happens on MacOS devices, my company has over 400 Windows devices and GlobalProtect works fine. About 20 MacOS devices for the dev team have the same problem.