topic Re: GP communication between remote users in GlobalProtect Discussions

GP communication between remote users

Andrew.Vernon — Fri, 17 Apr 2020 15:42:45 GMT

One of our help desk analysts working remotely asked why he was unable to use remote administration tools to assist end users also connected to the GP gateway. I'm not able to find a definitive answer in the docs and KB, but I expect this is by design. Can anybody confirm this, and is there a mitigation besides providing support staff with a virtual desktop on the inside LAN for administrative tasks?

Re: GP communication between remote users

JoergSchuetter — Fri, 17 Apr 2020 16:05:59 GMT

Hello @Andrew.Vernon

If you permit the access on the firewall security policy, then it's possible to facilitate a connection between two GP clients.

Check your firewall logs for blocked traffic.

Re: GP communication between remote users

Andrew.Vernon — Fri, 17 Apr 2020 19:06:07 GMT

That traffic isn't even making it far enough to have security rules applied. We have our VPN subnets in their own zone and no intrazone traffic is being logged.

But, looking at the routing table, I only see a /32 for my own GP IP address. Subnets in my split-tunnel address group appear with the agent virtual IP as the next hop. That suggests that I may need to add the client address block to the split-tunnel.