Issues connecting to GlobalProtect Cloud Gateways if 'Prisma Access' name is changed
Resolution
Information
On Panorama WebGUI the 'Mobile_User_Template' > GlobalProtect > GlobalProtect Portal Configuration > Agent > External Gateway > Name, the default name of 'Prisma Access' should not to be changed, as it needs to use that name in order for the GlobalProtect (GP) Cloud Users to connect to the Cloud Gateways.
Issue
The entry Name is editable and changing it to any other name will Prevent Cloud users to connect to GlobalProtect Cloud Gateways.
If it is changed, you will see the following errors in the GP Client logs installed in the end user machines.
PanGPS.log:
P4030-T12295 Aug 08 13:01:22:447847 Debug(4618): getaddrinfo of gpcloudservice.com failed with error 8(Exec format error) P4030-T12295 Aug 08 13:01:22:447914 Debug(3983): Set network discover in progress P4030-T12295 Aug 08 13:01:22:447947 Debug(4039): NetworkDiscoverThread: network type is external. P4030-T12295 Aug 08 13:01:22:447977 Debug(4108): NetworkDiscoverThread: Discover external network. P4030-T12295 Aug 08 13:01:22:448075 Debug( 502): Discover external gateway: gateway count is 1, cutoff time is 5 P4030-T12295 Aug 08 13:01:22:448111 Error(2457): Failed to convert remote host gpcloudservice.com of gateway gpcloudservice.com. P4030-T12295 Aug 08 13:01:22:448141 Debug( 523): Failed to get client ip for gateway gpcloudservice.com. P4030-T12295 Aug 08 13:01:22:448170 Debug( 529): Already tried with ipv4 P4030-T12295 Aug 08 13:01:22:448199 Error(4148): NetworkDiscoverThread: failed to discover external network. P4030-T12295 Aug 08 13:01:22:448231 Debug(5085): --Set state to Disconnected
PanGPA.log:
2018-08-08 13:01:22.504 GlobalProtect[4026:2359426] Debug: (GPAppDelegate.m:142) Resp: <?xml version="1.0" encoding="UTF-8"?> <response> <type>status</type> <status>Disconnected</status> <protocol/> <portal-config-version>4100</portal-config-version> <error>Cannot connect to GlobalProtect. There appears to be a problem with your Internet connection or the GlobalProtect network. If the issue is persistent, contact your IT help desk.</error> <product-version>4.1.1-14</product-version> <product-code/> <portal-status>Connected</portal-status> <user-name>pan.support</user-name> <username-type>regular</username-type> <state>Disconnected</state> <check-version>no</check-version> <portal>gpcs-portal.gpcloudservice.com</portal> <mdm-is-enabled>no</mdm-is-enabled> <mdm-jailbroken>no</mdm-jailbroken> <udid>e89117167400d51c67f63ab0eab7ce458d4be197</udid> <gateway-list name="gateway-list" type="external"> <entry> <gateway>gpcloudservice.com</gateway> <tunnel>no</tunnel> <description>gpcloud</description> <allow-tunnel>no</allow-tunnel> <passwd-expire-days/> <priority>1</priority> <internal>no</internal> <authenticated>no</authenticated> </entry> </gateway-list> <mobile-network-type>2</mobile-network-type>
From the errors, the user connects to the cloud portal but fails to receive the Cloud Gateway address FQDN. It receives the gateway address as 'gpcloudservice.com' which is not resolvable to an actual Cloud Gateway.
Resolution
To fix this, revert the External Gateway name back to the 'default' name i. e 'Prisma Access' on the Panorama WebGUI under 'Mobile_User_Template' > GlobalProtect > GlobalProtect Portal Configuration > Agent > External Gateway > Name
Commit the Config on Panorama and push the changes to the GlobalProtect cloud service for mobile users to resolve this issue.