topic Re: GlobalProtect DNS server ignores the access routes in General Topics

GlobalProtect DNS server ignores the access routes

mr.linus — Mon, 15 Sep 2014 07:41:52 GMT

Hey all,

Just another PaloAlto funkiness I found out today...

When you configure a DNS server under the gateway configuration for GlobalProtect a route will automatically be added to route traffic to this DNS-ip through the tunnel: REGARDLESS of what you fill in in the access routes.

Ex: DNS server: 10.0.0.1 and access route: 192.168.0.0/16

When connected with GlobalProtect your Windows route table will be

192.168.0.0/16 -> GlobalProtect tunnel

10.0.0.1 -> GlobalProtect tunnel (although this ip is NOT in the access route range)

Just something to think about when you are maybe running into routing issues like I was.

Re: GlobalProtect DNS server ignores the access routes

pulukas — Mon, 15 Sep 2014 10:01:44 GMT

Thanks for the note.

I guess this make sense since you would need a route to use the DNS server. So we would be adding a subnet for this route for the clients during the setup process.

But I'm with you, I like to have independent control of where the routes are installed on the network.

Re: GlobalProtect DNS server ignores the access routes

reaper — Mon, 15 Sep 2014 10:31:23 GMT

when we add the x.x.x.x/32 access route for the DNS server we also ensure this DNS server will always be reachable for clients, even if they are located in a network that overlaps the access route and possibly have a local resource with an identical IP (/32 has priority over all bigger subnets), or the access routes inadvertently don't cover the DNS' IP