
GlobalProtect and Pulse Secure Interop Guide

Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2022-2023 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Revision Date: Aug 24, 2022
Table of Contents

GlobalProtect and Pulse Secure Interop Guide 3
Scenario Statement 1 3
Safe Operating Conditions 4
Setup 5
DNS Resolution 7
Scenario Statement 2 8
Caveats 9

GlobalProtect and Pulse Secure Interop Guide © 2023 Palo Alto Networks, Inc.
GlobalProtect and Pulse Secure Interop Guide

Disclaimer:
The statements in this document are intended to outline general product behavior and general direction. They should not be relied on in making a purchasing decision and do not represent a commitment, promise or legal obligation to deliver any material, code or functionality. They are intended for information purposes only and may not be incorporated into any contract.

TAC/Support:
● Palo Alto Networks will make a “Best Effort” to troubleshoot potential issues that may arise when coexisting with third-party agents.
● Specific guidance and direction for third-party product configurations is the responsibility of the customer and the third-party product vendor.
● Palo Alto Networks TAC support is limited to the GlobalProtect agent configuration and operation with supported versions, for customers with valid support entitlements.

Objective:
This interop guide conveys general principles to configure GlobalProtect and Pulse Secure on the same Windows endpoint.

Scenario Statement 1:
IT/ITES companies want to secure internet and intranet traffic using GlobalProtect and enforce security and authentication policies from Prisma Access. Within these companies, groups of employees working on customer data use a third-party VPN to reach the customer network. The IT/ITES company has no control over the third-party VPN configuration, since it is managed by their customer.
Use-Case:
GlobalProtect secures all traffic to the internet and to private apps in the corporate DC (the consulting firm). Pulse Secure secures traffic to private apps in the customer’s DC (the consulting firm’s customers).

Safe Operating Conditions:

We recommend the below safe operating conditions for GlobalProtect to co-exist with Pulse Secure.

Connect Method
● GlobalProtect is set up in always-on mode and employees connect to Pulse Secure in on-demand mode. In always-on mode GlobalProtect is brought up first, after Windows logon, and employees can then connect to Pulse Secure as needed.

Setup
● The customer administrator needs to ensure that the:
  ○ Pulse Secure configuration only adds routes to the specific subnets of the IT/ITES company’s customer network(s) and does not add a default route on the endpoint.
  ○ Pulse Secure gateway IP is added to the Exclude Access Route List in the GlobalProtect Gateway Configuration.
    ■ On Panorama Managed Prisma Access: the Pulse Secure gateway IP is added to the Exclude Access Route List on the GlobalProtect Gateway Configuration under Network -> Gateway -> Agent -> Client Settings -> Client Configuration -> Split Tunnel -> Access Route -> Exclude Access Route.
    ■ On Cloud Managed Prisma Access: the Pulse Secure gateway IP is added to the Exclude Access Route List on the GlobalProtect Gateway Configuration under Manage -> GlobalProtect -> GlobalProtect App -> Tunnel Settings -> Split Tunneling Exclude Traffic -> Route.
  ○ GlobalProtect “Split-Tunnel Option” is set to “Network Traffic” only.
    ■ On Panorama Managed Prisma Access: the Portal Agent App Configuration “Split-Tunnel option” should be set to “Network-Traffic” only. The option is under Network -> Portal -> Agent -> Agent Configuration -> App Tab.
    ■ On Cloud Managed Prisma Access: the “Split-Tunnel option” under Manage -> GlobalProtect -> GlobalProtect App -> App Settings -> VPN should be set to “Network-Traffic” only.
  ○ “Resolve all FQDN using Tunnel DNS servers (Windows only)” is set to “No”.
    ■ On Panorama Managed Prisma Access: the Portal Agent App Configuration “Resolve all FQDN using Tunnel DNS servers (Windows only)” should be set to “No”. A mirror option resides in the Pulse Secure VPN configuration and should also be disabled.
    ■ On Cloud Managed Prisma Access: the DNS setting “Resolve all FQDN using Tunnel DNS servers (Windows only)” should be set to “No”. The option is under Manage -> GlobalProtect -> GlobalProtect App -> App Settings -> DNS. A mirror option resides in the third-party VPN configuration and should also be disabled.

● “No Direct Access to Local Subnet” should be disabled.
  ○ On Panorama Managed Prisma Access: Network -> Gateway -> Agent -> Client Settings -> Client Configuration
  ○ On Cloud Managed Prisma Access: Manage -> GlobalProtect -> GlobalProtect App -> Tunnel Settings

● The Third Party VPN Configuration needs to be configured with the Pulse Secure adapter name. This option accepts the existing drop-down values as well as free text input.
  ○ Panorama: Network -> Portal -> Client Configuration -> External
  ○ Cloud Managed: Manage -> GlobalProtect App setup -> GlobalProtect App Configuration -> Third Party VPN

● In the Pulse Secure configuration, enable the Split-DNS setting to prevent DNS hijacking on all interfaces.
  ○ Under Configuration -> Advanced Client Configuration, enter the following:
    <enable-SplitDNS-driver>true</enable-SplitDNS-driver>

DNS Resolution

● Setting “Resolve all FQDN using tunnel DNS servers (Windows only)” to “No” ensures that DNS queries are sent to all adapters (Physical, GlobalProtect, and Pulse Secure). The corresponding Pulse Secure setting needs to be configured for the same behavior.

● Internet websites’ DNS resolution could be performed by either the physical adapter’s DNS resolver or the GlobalProtect tunnel DNS server (assuming the Pulse DNS server does not resolve public websites’ DNS queries).

● Intranet website DNS resolution will be performed by the GlobalProtect tunnel DNS server (although the DNS queries may be sent to all adapters).

● DNS queries for the IT/ITES company’s customer network will be resolved by the Pulse Secure agent on the endpoint (although the DNS queries will be sent to all adapters).

Example:
Physical Adapter DNS: 1.1.1.1
GlobalProtect DNS: 169.254.169.254
Pulse Secure DNS: 10.55.66.11
Pulse Secure Virtual Adapter: 172.168.1.34

Let’s assume that “jira.company.local” is in the IT/ITES company’s customer network and only Pulse Secure can resolve the domain into an IP.

The DNS query for “jira.company.local” is sent to all adapters: Physical, GlobalProtect, and Pulse Secure.

Only the DNS server tied to Pulse Secure can resolve the DNS query. In this example the domain resolves to 10.0.2.31.

Traffic to the destination “jira.company.local” (10.0.2.31) will be sent via the Pulse Secure adapter (172.168.1.34).
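The following PowerShell function is an added example, not part of this guide, that checks the Setup conditions (no Pulse default route, Pulse gateway IP excluded from the GlobalProtect tunnel, per-adapter DNS servers) and replays the DNS resolution example above on a Windows endpoint. The adapter description patterns and the Pulse gateway IP are assumptions; the DNS server and FQDN values are taken from the example.

```powershell
# Added example, not part of the Palo Alto Networks guide: read-only checks of the guide's
# safe operating conditions on a Windows 10 endpoint. Adapter patterns and the gateway IP are assumptions.
function Test-GpPulseCoexistence {
    param(
        [string]$PulseGatewayIp = '203.0.113.10',        # constructed placeholder; use the real Pulse gateway IP
        [string]$PulseDnsServer = '10.55.66.11',         # value from the guide's example
        [string]$CustomerFqdn   = 'jira.company.local',  # value from the guide's example
        [string]$GpAdapterPattern    = 'PANGP',          # assumed description of the GlobalProtect virtual adapter
        [string]$PulseAdapterPattern = 'Pulse|Juniper'   # assumed description of the Pulse Secure virtual adapter
    )
    $findings = @()
    $gp    = Get-NetAdapter | Where-Object { $_.InterfaceDescription -match $GpAdapterPattern }    | Select-Object -First 1
    $pulse = Get-NetAdapter | Where-Object { $_.InterfaceDescription -match $PulseAdapterPattern } | Select-Object -First 1
    if (-not ($gp -and $pulse)) { return @('FAIL: both GlobalProtect and Pulse Secure must be connected before checking') }
    # Condition 1: Pulse Secure may add routes to specific subnets only, never a default route.
    $pulseDefault = Get-NetRoute -AddressFamily IPv4 -InterfaceIndex $pulse.ifIndex -ErrorAction SilentlyContinue |
        Where-Object { $_.DestinationPrefix -eq '0.0.0.0/0' }
    if ($pulseDefault) { $findings += 'FAIL: Pulse Secure adapter carries a default route (0.0.0.0/0)' }
    else               { $findings += 'PASS: Pulse Secure adapter adds no default route' }
    # Condition 2: the Pulse gateway IP is on the GlobalProtect exclude list, so the route the
    # stack selects for it must not point at the GlobalProtect adapter.
    # Find-NetRoute returns an address object and a route object; keep the one with a prefix.
    $gwRoute = Find-NetRoute -RemoteIPAddress $PulseGatewayIp | Where-Object { $_.DestinationPrefix }
    if ($gwRoute.InterfaceIndex -eq $gp.ifIndex) {
        $findings += "FAIL: Pulse gateway $PulseGatewayIp would be sent into the GlobalProtect tunnel"
    } else {
        $findings += "PASS: Pulse gateway $PulseGatewayIp is reached via '$($gwRoute.InterfaceAlias)'"
    }
    # DNS: with "Resolve all FQDN using Tunnel DNS servers" off, queries go to every adapter,
    # so each tunnel adapter should carry its own resolver.
    foreach ($a in @($gp, $pulse)) {
        $dns = (Get-DnsClientServerAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv4).ServerAddresses
        if ($dns) { $findings += "INFO: '$($a.Name)' DNS servers: $($dns -join ', ')" }
        else      { $findings += "WARN: '$($a.Name)' has no IPv4 DNS server; its zone cannot be resolved" }
    }
    # Worked example from the guide: only the Pulse DNS server resolves the customer FQDN,
    # and traffic to the answer must leave through the Pulse Secure adapter.
    try {
        $answer = Resolve-DnsName -Name $CustomerFqdn -Server $PulseDnsServer -Type A -DnsOnly -ErrorAction Stop
        $ip     = ($answer | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
        $route  = Find-NetRoute -RemoteIPAddress $ip | Where-Object { $_.DestinationPrefix }
        $verdict = if ($route.InterfaceIndex -eq $pulse.ifIndex) { 'PASS' } else { 'FAIL' }
        $findings += "${verdict}: $CustomerFqdn -> $ip routed via '$($route.InterfaceAlias)'"
    } catch {
        $findings += "FAIL: $PulseDnsServer did not resolve $CustomerFqdn ($($_.Exception.Message))"
    }
    return $findings
}
```

Run `Test-GpPulseCoexistence` while both agents are connected; each returned line is prefixed PASS, FAIL, WARN or INFO so the output can be pasted into a helpdesk ticket as-is.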

Scenario Statement 2:
Customers that have a prior valid Pulse Secure license would like to evaluate GlobalProtect in a PoC. GlobalProtect will be used to secure access to the internet and Pulse Secure will be used to secure access to the DC. Since both are active at the same time, this leads to interop issues, a poor user experience, and an IT helpdesk that is overwhelmed with tickets.
Use-Case:
GlobalProtect secures all traffic to the internet and Pulse Secure secures access to private apps in the customer DC. Both may or may not be active at the same time.

Safe Operating Conditions
● Same as Scenario Statement 1 above.

Caveats
● Co-existence of GlobalProtect with Pulse Secure has only been tested on Windows 10 (64-bit) machines. Production environments can differ from the environment in which co-existence was tested. Customers should reach out to Pulse Secure for best-practice recommendations when operating in a multiple-agent environment.
● Pulse Secure updates or future releases may change their architecture, routing or DNS resolution in ways that make co-existence with GlobalProtect under these safe operating conditions impossible.
● For DNS resolution, the administrator needs to ensure that neither GlobalProtect nor Pulse Secure captures all DNS queries. Ensure the “Resolve all FQDN via Tunnel DNS Servers” setting is turned off in GlobalProtect and that the similar setting in Pulse Secure is disabled.