Globalprotect client VPN for remote users and Office LAN users?

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Globalprotect client VPN for remote users and Office LAN users?

L3 Networker
My company has a number of offices which do not have an on-site fw but instead have a router to connect to corporate MPLS through which they also receive internet.

I’ve been asked to look at implementing a globalprotect vpn for all users whether they are on office lan or remote. Is this a standard use case, tunnelling all traffic through vpn to take advantage of the palo ngfw features?

The palo resides in a DC which is connected to the MPLS, so traffic path won’t be much longer. I was thinking of treating the vpn ip pool as an extra satellite site and routing it accordingly through the MPLS. I’m guessing I would need a NAT rule on the palo which would NAT vpn users to a public IP when accessing external resources through the vpn but leaving it unNATTED when accessing internal.

Any downsides I should be aware of?

Cyber Elite
Cyber Elite

hi @welly_59


is the intent to have your remote users also use an encrypted tunnel when they are in an MPLS connected office (is the MPLS considered 'untrusted'?) or simply have the GP client up so they remain connected when outside of the network


How does the topology look now, is the firewall in the core, at the perimeter, or somewhere to the side? If your mpls users currently already go through the PA when reaching out to the internet or other internal resources, you are already taking advantage of all the ngfw features, except a secured channel to the DC


regardless of the above, you will indeed need a NAT policy that hides all outbound connections behind a public IP (this can be added to your existing hide-NAT rules), and no nat rule to reach internal resources (if there are additional routers in your network, they may need to be set up with appropriate routing for the IP pool to be routed back)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Yes the intent is for all users to go via encrypted tunnel. Mpls could be considered untrusted, global vrf routing table is imported into our mpls vrf with no firewalls at some sites.

Mpls core is controlled by us, think of it as a 4 router square with remote sites coming in at different ingress points, with each mpls core router also having an internet breakout directly attached. As each remote site can come in on any core router and access the internet from any internet breakout we want it all to go via Palo Alto for security.

The palo is in a leg off one of the core mpls routers in a DC so remote sites at present do no pass through it.

I am thinking it would need an interface in the global vrf and another, possibly a sub interface, in the Corp vrf. Gateway/portal would be in global vrf, remote workers would come to that and have access to Corp via connected subinterface. Office users would come in on Corp vrf, be routed to global


Sounds like you are on a correct path. The only downside is that the users at the remote sites will not be able to use resources there directly. What I mean is lets say there is a local printer they all print to. No instead of printing directly to it, the traffic will flow down the MPLS and then U-turn back to that printer. Just might take a bit longer for print jobs to spool. If you are using a print server, then this should not change from a users standpoint.


You are correct a Nat is requried for them to browse the web.


Hope that helps.

Could always split tunnel for local resources? I’m going to implement next week for myself and see if anything crops up, using local accounts. Then look at integrating AD and pushing out GP Client via GPO


Yes you can split tunnel if your organization allows it. Most acronym compliances no longs allow it, i.e. PCI, FIMSA, etc.



  • 5 replies
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!