https://live.paloaltonetworks.com/t5/general-topics/global-protect-client-to-access-ipsec-peer-networks/m-p/528883#M109200 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/270265">@amar</a>,</P> <P>This is easily accomplished when everything is actually in place and setup properly. A common thing I see people forget is the routing on the branch office side of things. You'll need a route on the BO so it actually knows it needs to send the GlobalProtect IPs back to the HO. What you're likely running into is the BO doesn't know where to send the GlobalProtect traffic once it's been received.&nbsp;</P> Fri, 27 Jan 2023 14:44:23 GMT BPry 2023-01-27T14:44:23Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-client-to-access-ipsec-peer-networks/m-p/528833#M109181 <P>Hello - my query is that "Is it possible for Global protect client users of HO to access the resources located at branch office over IPSEC tunnel?</P> <P>&nbsp;</P> <P>We have 3 branch locations configured Site to site IPSEC tunnels.</P> <P>&nbsp;</P> <P>Since I created a access rule in HO for the same but no success.</P> <P>&nbsp;</P> <P>Please suggest&nbsp;</P> Fri, 27 Jan 2023 07:49:37 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-client-to-access-ipsec-peer-networks/m-p/528833#M109181 amar 2023-01-27T07:49:37Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-client-to-access-ipsec-peer-networks/m-p/528883#M109200 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/270265">@amar</a>,</P> <P>This is easily accomplished when everything is actually in place and setup properly. A common thing I see people forget is the routing on the branch office side of things. You'll need a route on the BO so it actually knows it needs to send the GlobalProtect IPs back to the HO. What you're likely running into is the BO doesn't know where to send the GlobalProtect traffic once it's been received.&nbsp;</P> Fri, 27 Jan 2023 14:44:23 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-client-to-access-ipsec-peer-networks/m-p/528883#M109200 BPry 2023-01-27T14:44:23Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-client-to-access-ipsec-peer-networks/m-p/529017#M109223 <P>Thank you so much</P> <P>I am sorry I forgot to mention the BO sites are CheckPoint devices and it supports policy-based VPN only. The GlobalProtect IP is configured in the VPN Policies as HO networks and is also allowed in Access rules bidirectionally.</P> Sat, 28 Jan 2023 11:11:00 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-client-to-access-ipsec-peer-networks/m-p/529017#M109223 amar 2023-01-28T11:11:00Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-client-to-access-ipsec-peer-networks/m-p/529307#M109271 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/270265">@amar</a>,</P> <P>It's been a long time since I've worked with Checkpoint in any real capacity (currently I'm more migrating people's configurations from CheckPoint to PAN), but I'd be verifying that the return traffic is actually hitting your HO firewall from the BO. If you aren't seeing the return traffic it's dying on the vine and you'll need to address the BO routing, but if it's making it back to the HO you have some other issue happening with routing or policy that you'll need to address on the HO side of things.</P> <P>So to start with I guess, are you seeing the return traffic make it back from the BO to the HO?&nbsp;</P> Tue, 31 Jan 2023 14:48:13 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-client-to-access-ipsec-peer-networks/m-p/529307#M109271 BPry 2023-01-31T14:48:13Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-client-to-access-ipsec-peer-networks/m-p/529418#M109295 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;</P> <P>Yes, GlobalProtect IP object was missing at BO access policy. Just added and it worked.</P> <P>Thank you so much.</P> Wed, 01 Feb 2023 06:55:01 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-client-to-access-ipsec-peer-networks/m-p/529418#M109295 amar 2023-02-01T06:55:01Z