End-of-Life (EoL)

Tunnel Connections Over Proxies

You can now configure the GlobalProtect app to use proxies or bypass proxies.
Software Support: Starting with GlobalProtect™ App 4.1.7 and with PAN-OS® 8.1 and later releases
OS Support: Windows 7 and later releases and macOS 10.10 and later releases
You can now configure GlobalProtect to bypass proxies so that all HTTP/HTTPS traffic that matches the proxy/PAC file rules is required to traverse the GlobalProtect VPN tunnel before reaching the intended destination. When you configure the option to bypass proxies, you can prevent users from setting up a personal proxy to access web resources without going through the VPN tunnel for inspection and policy enforcement.
If you enable GlobalProtect to use proxies on Windows endpoints, only the HTTP/HTTPS traffic that matches the proxy/PAC file rules goes through the proxy directly after users establish the GlobalProtect connection. All other traffic that matches the access routes configured on the GlobalProtect gateway goes through the tunnel established over the proxy. On macOS endpoints, proxies are disabled after users establish the GlobalProtect connection. This occurs because proxy settings are not copied from the physical network adapter of the endpoint to the virtual network adapter of the endpoint, and the virtual network adapter becomes the primary adapter from which the macOS endpoint receives proxy settings.
The following tables describe network traffic behavior based on the endpoint OS, tunnel type, and GlobalProtect proxy use.
Network Traffic Behavior on Windows Endpoints
  Tunnel Type: SSL
    GlobalProtect Uses Proxies
      1. All login requests go through the proxy.
      2. SSL tunnel setup goes through the proxy.
      3. HTTP/HTTPS traffic that matches the proxy/PAC file rules goes through the proxy and bypasses the SSL tunnel.
      4. Other traffic that matches the access routes configured on the gateway goes through the SSL tunnel built over the proxy.
    GlobalProtect Bypasses Proxies
      1. All login requests bypass the proxy and go directly to the gateway.
      2. SSL tunnel setup bypasses the proxy and goes directly to the gateway.
      3. HTTP/HTTPS traffic that matches the proxy/PAC file rules goes through the SSL tunnel and then through the proxy. If the proxy is unreachable from the gateway, HTTP/HTTPS traffic is dropped, and users cannot access the intended destination.
      4. Other traffic that matches the access routes configured on the gateway bypasses the proxy and goes through the SSL tunnel.
  Tunnel Type: IPSec
    GlobalProtect Uses Proxies
      You cannot set up an IPSec tunnel through a proxy because proxies do not support UDP traffic.
      1. All login requests go through the proxy.
      2. IPSec tunnel setup bypasses the proxy and goes directly to the gateway.
      3. HTTP/HTTPS traffic that matches the proxy/PAC file rules goes through the proxy and bypasses the IPSec tunnel.
      4. Other traffic that matches the access routes configured on the gateway bypasses the proxy and goes through the IPSec tunnel.
    GlobalProtect Bypasses Proxies
      1. All login requests bypass the proxy and go directly to the gateway.
      2. IPSec tunnel setup bypasses the proxy and goes directly to the gateway.
      3. HTTP/HTTPS traffic that matches the proxy/PAC file rules goes through the IPSec tunnel and then through the proxy. If the proxy is unreachable from the gateway, HTTP/HTTPS traffic is dropped, and users cannot access the intended destination.
      4. Other traffic that matches the access routes configured on the gateway bypasses the proxy and goes through the IPSec tunnel.
Network Traffic Behavior on Mac Endpoints
  Tunnel Type: SSL
    GlobalProtect Uses Proxies
      1. All login requests go through the proxy.
      2. SSL tunnel setup goes through the proxy.
      3. HTTP/HTTPS traffic that matches the proxy/PAC file rules goes through the SSL tunnel built over the proxy.
      4. Other traffic that matches the access routes configured on the gateway goes through the SSL tunnel built over the proxy.
    GlobalProtect Bypasses Proxies
      1. All login requests go through the proxy.
      2. SSL tunnel setup bypasses the proxy and goes directly to the gateway.
      3. HTTP/HTTPS traffic that matches the proxy/PAC file rules bypasses the proxy and goes through the SSL tunnel.
      4. Other traffic that matches the access routes configured on the gateway bypasses the proxy and goes through the SSL tunnel.
  Tunnel Type: IPSec
    You cannot set up an IPSec tunnel through a proxy because proxies do not support UDP traffic.
      1. All login requests go through the proxy.
      3. IPSec tunnel setup bypasses the proxy and goes directly to the gateway.
      3. HTTP/HTTPS traffic that matches the proxy/PAC file rules bypasses the proxy and goes through the IPSec tunnel.
      4. Other traffic that matches the access routes configured on the gateway bypasses the proxy and goes through the IPSec tunnel.
Use the following steps to configure GlobalProtect to use proxies or bypass proxies:
  1. Enable tunneling.
    1. From your gateway configuration (Network > GlobalProtect > Gateways > <gateway-config>), select Agent > Tunnel Settings to enable Tunnel Mode.
      • To specify whether GlobalProtect must use an IPSec tunnel or SSL tunnel for the gateway connection, configure one of the following options:
        • To enable GlobalProtect to use IPSec tunnels for the gateway connection, select the check box to Enable IPSec. If a user fails to establish a connection using an IPSec tunnel, GlobalProtect then uses an SSL tunnel.
        • To enable GlobalProtect to use SSL tunnels for the gateway connection, clear the Enable IPSec check box.
    • To specify whether you want to deploy your agent configuration to Windows or Mac endpoints, select User/User Group and then configure one of the following OS options:
      • To deploy your agent configuration to Windows endpoints, Add and select Windows.
      • To deploy your agent configuration to Mac endpoints, Add and select Mac.
    • Configure one of the following options to require GlobalProtect to use proxies or bypass proxies:
      • To require GlobalProtect to use proxies, set the Set Up Tunnel Over Proxy (Windows & Mac only) option to Yes.
      • To require GlobalProtect to bypass proxies, set the Set Up Tunnel Over Proxy (Windows & Mac only) option to No.
  2. Commit your changes.
