🔧 GlobalProtect VPN: Troubleshooting Access to Internal Resources

1. Verify Routing Configuration

Ensure that the virtual router associated with the GlobalProtect tunnel interface has appropriate routes to internal networks. For example:

Destination: 10.0.0.0/8
Next Hop: Appropriate interface or IP address

If using multiple virtual routers, configure 'next-vr' routes to facilitate inter-VR communication.

2. Check Security Policies

Confirm that security policies permit traffic from the GlobalProtect zone to internal zones. The policy should include:

• Source Zone: GlobalProtect VPN zone
• Destination Zone: Internal network zone
• Application: Any or specific applications
• Action: Allow

3. Examine NAT Rules

Review NAT policies to ensure that traffic from VPN clients to internal resources is not being unintentionally translated. Typically, NAT is not required for internal traffic.

4. Verify DNS Settings

Ensure that VPN clients receive correct DNS server information to resolve internal hostnames. This can be configured in the GlobalProtect gateway settings under 'Client Settings' > 'Network Settings'.

5. Inspect Client Configuration

On the client machine:

• Use ipconfig /all (Windows) or ifconfig (macOS/Linux) to verify IP address assignment and DNS settings.
• Check routing table entries to ensure routes to internal networks are present.
• Review GlobalProtect client logs for any errors or warnings.

6. Monitor Logs and Sessions

On the Palo Alto firewall:

• Navigate to Monitor > Logs > Traffic to observe traffic from VPN clients to internal resources.
• Use CLI commands such as show session all filter source <VPN client IP> to inspect active sessions.

7. Additional Resources

• GlobalProtect Users Unable to Access Internal Resources – Palo Alto Networks LIVEcommunity
• GlobalProtect Troubleshooting Guide