https://live.paloaltonetworks.com/t5/general-topics/globalprotect-issue-with-enforcer-network-access/m-p/413192#M92935 <P>Hello,</P><P>&nbsp;</P><P>We enabled a week ago the feature enforce network access on our environment.</P><P>We are using internal host resolution to detect if user is inside or outside corporate network.</P><P>In a random way, we're experiencing issue with users worldwide. We have a dns server at each location</P><P>&nbsp;</P><P>This issue seems to be present only when the user is connected from inside (wifi and wired)</P><P>&nbsp;</P><P>Let me give you a quick overview :</P><P>&nbsp;</P><P>User is connected to wifi or wired.&nbsp;</P><P>The client is not detecting as "internal" the network and then it enforces network policy to prevent access if your vpn is not mounted.</P><P>We cannot establish vpn from inside network to external gateway (by design and it would not acceptable)</P><P>At this time, even if the client is connected to inside, all flow are blocked (due to enforcement, I see it in pangps log) because the tunnel is not established and client not detecting network as internal.</P><P>&nbsp;</P><P>The client has an ip, can successfuly resolve the ptr record that we use in internal check detection but for unknown reason, the issue is still there.</P><P>&nbsp;</P><P>Any clue would be appreciated.</P><P>&nbsp;</P><P>&nbsp;</P><P>Yoann&nbsp;</P><P>&nbsp;</P> Tue, 15 Jun 2021 08:55:20 GMT Yoann-Wolf 2021-06-15T08:55:20Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-issue-with-enforcer-network-access/m-p/413192#M92935 <P>Hello,</P><P>&nbsp;</P><P>We enabled a week ago the feature enforce network access on our environment.</P><P>We are using internal host resolution to detect if user is inside or outside corporate network.</P><P>In a random way, we're experiencing issue with users worldwide. We have a dns server at each location</P><P>&nbsp;</P><P>This issue seems to be present only when the user is connected from inside (wifi and wired)</P><P>&nbsp;</P><P>Let me give you a quick overview :</P><P>&nbsp;</P><P>User is connected to wifi or wired.&nbsp;</P><P>The client is not detecting as "internal" the network and then it enforces network policy to prevent access if your vpn is not mounted.</P><P>We cannot establish vpn from inside network to external gateway (by design and it would not acceptable)</P><P>At this time, even if the client is connected to inside, all flow are blocked (due to enforcement, I see it in pangps log) because the tunnel is not established and client not detecting network as internal.</P><P>&nbsp;</P><P>The client has an ip, can successfuly resolve the ptr record that we use in internal check detection but for unknown reason, the issue is still there.</P><P>&nbsp;</P><P>Any clue would be appreciated.</P><P>&nbsp;</P><P>&nbsp;</P><P>Yoann&nbsp;</P><P>&nbsp;</P> Tue, 15 Jun 2021 08:55:20 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-issue-with-enforcer-network-access/m-p/413192#M92935 Yoann-Wolf 2021-06-15T08:55:20Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-issue-with-enforcer-network-access/m-p/413423#M92961 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/180197">@Yoann-Wolf</a>,</P> <P>Assuming that you aren't using On-Demand as your connection method correct?</P> <P>&nbsp;</P> <P>The first few things that I would look at is if the reverse DNS lookup is succeeding in the PanGPS logs, whether the internal host detection hostname matches&nbsp;<EM>exactly&nbsp;</EM>what has been configured, and if ICMP is allowed to that host.&nbsp;</P> Tue, 15 Jun 2021 21:26:50 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-issue-with-enforcer-network-access/m-p/413423#M92961 BPry 2021-06-15T21:26:50Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-issue-with-enforcer-network-access/m-p/414133#M93053 <P>Hello,</P><P>&nbsp;</P><P>Thank for your reply.</P><P>The fqdn/ip configured is exactly the same as what we've configured centrally.</P><P>This is not a global issue as not all users are impacted. It's happening at any time, I haven't find the trigger yet but keep analyzing at this time.&nbsp;</P><P>May I ask you why the icmp fact is important ? I thought the process was only relying on dns resolution.</P><P>&nbsp;</P><P>Note : We're running GP 5.1.5.20</P><P>Yoann</P> Fri, 18 Jun 2021 11:48:56 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-issue-with-enforcer-network-access/m-p/414133#M93053 Yoann-Wolf 2021-06-18T11:48:56Z