topic Global Protect Not able to access external application in General Topics

Global Protect Not able to access external application

paul-b — Tue, 15 Aug 2023 14:45:12 GMT

Hi, I have a web application hosted by OCI, from on Prem I and my users can access the application without any problems. However when connecting to our PA setup through global protect we cant access the application.

We have a very similar setup for some AWS hosted web applications and these work without any issues.

Any ideas as I am stumped by this one. I am fairly new to PA so please be gentle with your replys!! Thanks

Re: Global Protect Not able to access external application

JayGolf — Wed, 16 Aug 2023 07:16:43 GMT

Hi @paul-b ,

Welcome to LiveCommunity! Thanks for reaching out.

How are you currently routing your GP traffic? Is all traffic being routed through GP or are you using a split tunnel for external connections?

If you are routing all traffic through GP, do you currently have security policies in place to allow traffic from your GP zone to Untrust zone with the required Apps/Services? If so, in the monitor tab, what do the traffic logs look like? Are you able to see the GP IPs as the source and external APP in OCI as the destination?

Re: Global Protect Not able to access external application

BPry — Wed, 16 Aug 2023 13:29:09 GMT

@paul-b,

I'm gonna echo a lot of what @JayGolf already mentioned and add one of my own.

Check how you're routing traffic through GlobalProtect. If you aren't routing everything through the tunnel, you may be sending you're hosted application traffic out locally which could be causing access issues for your hosted application.
Check that your security policy is actually allowing the traffic for GlobalProtect users. Remember that denied traffic isn't logged by default, so you may have to temporarily enable interzone-default logging.
Check to see how you're NAT'ing traffic from GlobalProtect and if you're potentially using a different public IP than what you use for users working on-prem. If the hosted application is heavily restricted (or you have a static NAT statement to force on-prem from a single IP that you haven't included GlobalProtect in) you would be getting access issues.
Check to see if it's an MTU issue. If everything else checks out, the one thing that has to be different is the max MTU size. The tunnel has an overhead and by default the tunnel-mtu is going to be set to 1400.

Re: Global Protect Not able to access external application

paul-b — Fri, 29 Sep 2023 15:10:41 GMT

I use Global Protect for home workers to connect to th ecorp network.

Now, I have a tunnel setup for AWS, which all works fine, from within the office and when using global protect from home.

However the OCI connection only works from within the office, as soon as i try from global protect it does not respond.

So there is something in the way that the AWS ipsec tunnel is working than the OCI tunnel is working. I cant see any difference but clearly I am missing something could it be routing or policy, I am completely stumped.