Global Protect Not able to access external application

L0 Member

Hi, I have a web application hosted by OCI. From on-prem, I and my users can access the application without any problems. However, when connecting to our PA setup through Global Protect, we can't access the application.

 

We have a very similar setup for some AWS hosted web applications and these work without any issues.

 

Any ideas? I am stumped by this one. I am fairly new to PA, so please be gentle with your replies!! Thanks

3 REPLIES

Community Team Member

Hi @paul-b ,

 

Welcome to LiveCommunity! Thanks for reaching out.

 

How are you currently routing your GP traffic? Is all traffic being routed through GP or are you using a split tunnel for external connections? 

 

If you are routing all traffic through GP, do you currently have security policies in place to allow traffic from your GP zone to Untrust zone with the required Apps/Services? If so, in the monitor tab, what do the traffic logs look like? Are you able to see the GP IPs as the source and external APP in OCI as the destination?

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Cyber Elite

@paul-b,

I'm gonna echo a lot of what @JayGolf already mentioned and add one of my own. 

  • Check how you're routing traffic through GlobalProtect. If you aren't routing everything through the tunnel, you may be sending your hosted application traffic out locally, which could be causing access issues for your hosted application.
  • Check that your security policy is actually allowing the traffic for GlobalProtect users. Remember that denied traffic isn't logged by default, so you may have to temporarily enable interzone-default logging.
  • Check to see how you're NAT'ing traffic from GlobalProtect and if you're potentially using a different public IP than what you use for users working on-prem. If the hosted application is heavily restricted (or you have a static NAT statement to force on-prem from a single IP that you haven't included GlobalProtect in) you would be getting access issues.
  • Check to see if it's an MTU issue. If everything else checks out, the one thing that has to be different is the max MTU size. The tunnel has an overhead and by default the tunnel-mtu is going to be set to 1400. 
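
One way to work through that checklist against a traffic-log export, as an added example that is not from this thread or from Palo Alto Networks: the script below reads a constructed, simplified CSV (the column names `src_zone`, `dst_zone`, `src`, `dst`, `dport`, `nat_src`, `action`, `rule` are assumptions for the example, not the real export layout) and reports, in the order above, whether GP flows to the app reach the firewall at all, whether they are denied and by which rule, and whether the GP egress NAT IP differs from the on-prem one, falling back to an MTU check when policy and NAT look consistent. The IP addresses are constructed documentation-range values.

```python
"""Work through the GlobalProtect checklist against a traffic-log export.

Order follows the replies: routing first (does the GP flow reach the firewall
at all?), then security policy (denied, and by which rule?), then NAT (does the
GP egress IP differ from the on-prem one?), and MTU last.
"""
import csv
import io

# Constructed sample export. A real PAN-OS traffic-log CSV has many more
# columns; these eight column names are assumptions made for this example.
# 203.0.113.40 stands in for the OCI-hosted app, 198.51.100.x for public NAT IPs.
SAMPLE_LOG = """\
src_zone,dst_zone,src,dst,dport,nat_src,action,rule
GP-Users,Untrust,10.200.0.15,203.0.113.40,443,198.51.100.7,deny,interzone-default
GP-Users,Untrust,10.200.0.16,203.0.113.40,443,198.51.100.7,deny,interzone-default
Trust,Untrust,10.10.5.22,203.0.113.40,443,198.51.100.2,allow,Allow-OCI-Web
GP-Users,Untrust,10.200.0.15,198.51.100.200,443,198.51.100.7,allow,Allow-AWS-Web
"""


def parse_log(text):
    """Return the export as a list of dicts, one per log row."""
    return list(csv.DictReader(io.StringIO(text)))


def tunnel_mss(tunnel_mtu=1400, ipv6=False):
    """Largest TCP payload that fits inside the tunnel MTU.

    IPv4 header (20) + TCP header (20) = 40 bytes; IPv6 header alone is 40.
    With the default tunnel-mtu of 1400 that leaves an IPv4 MSS of 1360.
    """
    return tunnel_mtu - (60 if ipv6 else 40)


def triage(log_text, app_ip, gp_zone, onprem_zone, tunnel_mtu=1400):
    """Classify why GP users may not reach app_ip, using on-prem flows as the baseline."""
    rows = [r for r in parse_log(log_text) if r["dst"] == app_ip]
    gp_rows = [r for r in rows if r["src_zone"] == gp_zone]
    onprem_rows = [r for r in rows if r["src_zone"] == onprem_zone]

    denied_rules = {r["rule"] for r in gp_rows if r["action"] != "allow"}
    gp_nat_ips = {r["nat_src"] for r in gp_rows}
    onprem_nat_ips = {r["nat_src"] for r in onprem_rows}
    # Only meaningful when both populations are present in the export.
    nat_mismatch = bool(gp_nat_ips and onprem_nat_ips) and not gp_nat_ips <= onprem_nat_ips

    hints = []
    if not gp_rows:
        # Routing: nothing from the GP zone ever hit the firewall for this app,
        # or denied traffic is simply not being logged yet.
        hints.append(
            f"No flows from zone {gp_zone} to {app_ip}: the client may be sending "
            "this traffic out locally. Check the split-tunnel / access routes, and "
            "enable interzone-default logging so denies become visible."
        )
    else:
        if denied_rules:
            hints.append(
                f"GP flows to {app_ip} hit deny rules {sorted(denied_rules)}: "
                f"add a security policy from {gp_zone} to Untrust for the app."
            )
        if nat_mismatch:
            hints.append(
                f"GP egresses as {sorted(gp_nat_ips)} but on-prem as "
                f"{sorted(onprem_nat_ips)}: check the NAT policy and any "
                "source-IP restriction on the hosted application."
            )
        if not denied_rules and not nat_mismatch:
            hints.append(
                f"Policy and NAT match on-prem; test MTU next. tunnel-mtu "
                f"{tunnel_mtu} leaves an IPv4 TCP MSS of {tunnel_mss(tunnel_mtu)}."
            )
    return {
        "seen_from_gp": bool(gp_rows),
        "denied_rules": denied_rules,
        "gp_nat_ips": gp_nat_ips,
        "onprem_nat_ips": onprem_nat_ips,
        "nat_mismatch": nat_mismatch,
        "hints": hints,
    }


if __name__ == "__main__":
    for hint in triage(SAMPLE_LOG, "203.0.113.40", "GP-Users", "Trust")["hints"]:
        print("-", hint)
```

Run it against the sample and it flags both the interzone-default deny and the differing egress IP for the OCI app, while the AWS app (allowed, no on-prem baseline rows) falls through to the MTU hint. On the firewall itself the same questions can be put to the CLI with `test security-policy-match` and `test nat-policy-match` for a specific GP source and the app's destination before changing any policy.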

I use Global Protect for home workers to connect to the corp network.

 

Now, I have a tunnel setup for AWS, which all works fine, from within the office and when using global protect from home.

 

However, the OCI connection only works from within the office; as soon as I try from Global Protect it does not respond.

 

So there is something different in the way the AWS IPsec tunnel works compared to the OCI tunnel. I can't see any difference, but clearly I am missing something. Could it be routing or policy? I am completely stumped.
