GlobalProtect issue with Enforcer Network Access

Showing results for 
Show  only  | Search instead for 
Did you mean: 

GlobalProtect issue with Enforcer Network Access

L1 Bithead



We enabled a week ago the feature enforce network access on our environment.

We are using internal host resolution to detect if user is inside or outside corporate network.

In a random way, we're experiencing issue with users worldwide. We have a dns server at each location


This issue seems to be present only when the user is connected from inside (wifi and wired)


Let me give you a quick overview :


User is connected to wifi or wired. 

The client is not detecting as "internal" the network and then it enforces network policy to prevent access if your vpn is not mounted.

We cannot establish vpn from inside network to external gateway (by design and it would not acceptable)

At this time, even if the client is connected to inside, all flow are blocked (due to enforcement, I see it in pangps log) because the tunnel is not established and client not detecting network as internal.


The client has an ip, can successfuly resolve the ptr record that we use in internal check detection but for unknown reason, the issue is still there.


Any clue would be appreciated.






Cyber Elite
Cyber Elite


Assuming that you aren't using On-Demand as your connection method correct?


The first few things that I would look at is if the reverse DNS lookup is succeeding in the PanGPS logs, whether the internal host detection hostname matches exactly what has been configured, and if ICMP is allowed to that host. 



Thank for your reply.

The fqdn/ip configured is exactly the same as what we've configured centrally.

This is not a global issue as not all users are impacted. It's happening at any time, I haven't find the trigger yet but keep analyzing at this time. 

May I ask you why the icmp fact is important ? I thought the process was only relying on dns resolution.


Note : We're running GP


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!