GlobalProtect blocking access internet using browser


L1 Bithead

My company uses GlobalProtect VPN, and I need help with a problem connecting GlobalProtect on macOS.

On the company device, a GlobalProtect VPN connection is required to access company systems and allowed applications. But on macOS, every time an employee takes the device out of the office and uses a wifi network other than the internal wifi, no website can be accessed in the browser; it reports the error: This site can't be reached. However, all applications installed on the device still connect normally, such as Teams, Outlook, Lark, etc. When I ping and nslookup the website, the IP has a signal, but the site cannot be accessed. I have tried many things, such as setting the router's fixed DNS, Google DNS, AWS DNS, using the command sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder to clear the DNS cache on macOS, disabling the connection and reconnecting, refreshing the VPN connection, and uninstalling GlobalProtect and then reinstalling it, but all failed.

The only way is to wait about 1-2 hours, and then the device will automatically access the websites again.

The same thing happens when an employee successfully accesses the website using an external wifi and the next day reconnects to the internal wifi but still cannot access the website using the browser.


Cyber Elite

You manage Palo firewall in the company?

Do devices inside the network establish IPSec tunnel or have Internal Host Detection enabled?

Does GlobalProtect connect while using external wifi?

Do website names resolve to IP while using external wifi?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

You manage Palo firewall in the company?
- Yes, I can access and check the basic configuration on the firewall, but I don't fully understand how it works.
Do devices inside the network establish IPSec tunnel or have Internal Host Detection enabled?
- Sorry, I don't know where to check it. Can you give me more information so I can check it?
Does GlobalProtect connect while using external wifi?
- GlobalProtect must always be connected to be able to access the internet from the company device. If the connection fails or is connected, the internet cannot be accessed.
Do website names resolve to IP while using external wifi?
- Yes. I use nslookup from the website to resolve to IP with external websites as well as internal websites.

Cyber Elite

Try to access Internet from outside the company.

Then check Palo logs (Monitor > Traffic).

Do you see sessions from Mac GlobalProtect IP towards Internet?

Is action allow?

Is source NAT applied? (You can check session details if you click on the magnifying glass on the left side of the traffic log.)

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

 

When using the internet outside the company with GlobalProtect VPN connected, I saw traffic from the device going to the internet, such as ms-team, ms-outlook-web, and many other applications installed on the device. I was sure that this traffic was allowed. I also created a separate allow any any any rule to test, but I still had to wait 1-2 hours for the device to be able to access the internet using the browser.
One thing I saw was that at that time, the traffic log showed a lot of calls back to my company's DNS server, more than the traffic going out to the internet. All of them were allowed.

This only happens on macOS devices. My company has over 400 Windows devices and GlobalProtect works fine on them. About 20 macOS devices for the dev team have the same problem.
