Having GlobalProtect Users Access Webserver NAT Address Instead of Internal Address



L1 Bithead


I'm very, very new to Palo Alto. For the few weeks that I've been using it, I've been very impressed with its ease of use and functionality. I have a question when it comes to GlobalProtect. We have a webserver that we want to exclude from the GlobalProtect VPN tunnel. Let's say the site is test.testcompany.com. In the Client settings in GlobalProtect, I see that you can exclude addresses from going through the tunnel. Since this website is part of a round robin, is there a way to exclude by FQDN instead of by IP? From the looks of it, you can't. The second question I have is, let's say that the internal IP address for test.testcompany.com is  If I want GlobalProtect users to route to this server's public address, let's say, instead of, is there a way to do this through the Palo Alto? I've tried researching, but haven't come up with anything concrete. Appreciate your help!

L7 Applicator

Split tunneling manipulates the routing table, so there's no possibility to do this based on FQDN.


If you have an internal DNS server you can have it serve up different DNS entries based on the source of the query. Alternatively, you can set up a DNS proxy and have your GP clients use this as their DNS server. You can set the external IP as the DNS record for your site.

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
Cyber Elite


So, first things first, let's look at the webserver exclusion.

1) If you followed best practices and the GlobalProtect terminates on its own security zone, then you would simply create a security policy that says that anything from the zone 'GP' (or whatever you named it) cannot access the webserver. Alternatively, if you have a rule allowing all traffic, simply add the IP that you don't want them visiting to the 'destination' field and then utilize the 'Negate' option. This will continue to allow all traffic unless the IP is listed in the destination field.

2) If you didn't terminate GlobalProtect in its own zone, you'll need to add the IP into the 'Excludes' Split Tunnel configuration on the GP Gateway Client Settings. Since you can't take advantage of FQDN, you'll need to include all of the IPs of the servers participating in the round-robin configuration.


Your second question gets a little more complicated. What you'd need to do is actually set up a destination NAT. Essentially stating that if something comes from the GlobalProtect zone with the GP IP range to, the translated packet is going to be set up as a destination address translation to to a translated port of 443.



@reaper's suggestion is by far easier to configure :) 
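Point 2 above hinges on capturing every address behind the round-robin name, and a single lookup typically returns only a rotated subset. The following is an added helper (not from the thread, not a Palo Alto tool) that repeats the lookup and unions the answers into /32 entries for a split-tunnel exclude list; `make_round_robin_resolver` is a constructed stand-in for the DNS name so the example runs offline, and `live_resolver` is the drop-in for a real name.

```python
import ipaddress
import socket
from collections import deque
from typing import Callable, Iterable, List, Set

# A resolver maps an FQDN to the IPv4 addresses returned by ONE query.
Resolver = Callable[[str], Iterable[str]]


def live_resolver(fqdn: str) -> List[str]:
    """Real lookup through the OS resolver; all A records of a single query."""
    infos = socket.getaddrinfo(fqdn, None, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def make_round_robin_resolver(pool: List[str], per_answer: int) -> Resolver:
    """Constructed stand-in for a round-robin DNS name: each query answers
    `per_answer` addresses and then rotates the pool, as a rotating A-record
    set does, so no single answer shows every participating server."""
    ring = deque(pool)

    def resolve(_fqdn: str) -> List[str]:
        answer = list(ring)[:per_answer]
        ring.rotate(-1)
        return answer

    return resolve


def collect_round_robin(fqdn: str, resolver: Resolver, lookups: int = 20) -> List[str]:
    """Query repeatedly and union the answers. Returns sorted /32 entries
    suitable for a split-tunnel 'Excludes' list. Caveat: the membership of a
    round-robin name can change after this runs, so re-check it periodically;
    a static exclude list silently goes stale."""
    seen: Set[ipaddress.IPv4Address] = set()
    for _ in range(lookups):
        for addr in resolver(fqdn):
            seen.add(ipaddress.IPv4Address(addr))
    return [f"{a}/32" for a in sorted(seen)]


if __name__ == "__main__":
    # Constructed pool using documentation addresses (TEST-NET-3), two per answer.
    demo = make_round_robin_resolver(
        ["203.0.113.10", "203.0.113.11", "203.0.113.12"], per_answer=2)
    print(collect_round_robin("test.testcompany.com", demo))
```

Swap `demo` for `live_resolver` to run it against a real name; with one lookup the constructed pool yields only two of the three servers, which is exactly the gap the repeated queries close.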
