Remote Network Locations with Overlapping Subnets

Learn how to onboard two remote network locations that have overlapping subnets to the GlobalProtect cloud service.
As a general rule, you cannot have any overlapping subnets within a GlobalProtect cloud service deployment. That is, the subnets for all remote network locations, your service connections, and the IP address pool for GlobalProtect cloud service for mobile users cannot overlap. In some circumstances, however, you cannot avoid overlapping subnets; for example, you might acquire a company whose subnets overlap with subnets you already have in use. In other cases, you might configure two regions with overlapping subnets by design; for example, to create a separate guest network at a retail store location with different policies.
GlobalProtect cloud service does allow you to onboard remote network locations with overlapping subnets, as long as you either select the Overlapped Subnets check box when configuring the remote network settings, or create the remote networks in different regions. Sites without overlapping subnets function normally and are not affected by the presence of sites with overlapping subnets in the same deployment. Keep in mind, however, that this configuration has the following limitations:
  • There is no inbound remote network-to-remote network traffic. Other remote network locations would not know where to route the traffic, because multiple remote network locations route to the same subnets. However, users and services at any remote network location can access resources at other remote network locations provided the destination site has no overlapping subnets, and any site can access the internet through the GlobalProtect cloud service.
  • Traffic from your service connections cannot access resources at any remote network location with overlapping subnets, because the service connection would not know which remote network location to route the traffic to. The remote network locations with overlapping subnets can, however, access resources from service connections.
  • Mobile users cannot access resources at the remote network locations with overlapping subnets, again because of the inbound routing limitations.
  • When you select the Overlapped Subnets check box, the source zone in the traffic logs changes to the remote network name that is configured in Panorama > Cloud Services > Configuration > Remote Networks > Onboarding > Name.
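A pre-onboarding check for the rule described above, written here as an added example (it is not Palo Alto Networks code): it finds every overlapping subnet pair in an addressing plan, separates the overlaps between two remote network locations (onboardable with the Overlapped Subnets check box, subject to the inbound limitations listed) from overlaps involving a service connection or the mobile user IP pool (not allowed), and lists which sites will lose inbound reachability. The addressing plan, site labels and the `remote:`/`service:` prefixes are constructed for illustration.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed sample addressing plan (hypothetical, not from the documentation).
# Keys are labelled by object type so the check can tell remote network
# locations apart from service connections and the mobile user IP pool.
PLAN = {
    "remote:hq-branch":    ["10.10.0.0/16"],
    "remote:acquired-co":  ["10.10.5.0/24", "172.16.0.0/20"],  # overlaps hq-branch
    "remote:retail-guest": ["192.168.50.0/24", "10.50.8.0/22"],  # overlaps datacenter
    "service:datacenter":  ["10.50.0.0/16"],
    "mobile-pool":         ["100.64.0.0/18"],
}


def find_overlaps(plan):
    """Return (site_a, subnet_a, site_b, subnet_b) for every pair of subnets
    that belong to different sites and overlap."""
    entries = [(site, ip_network(n)) for site, nets in plan.items() for n in nets]
    return [(a, str(na), b, str(nb))
            for (a, na), (b, nb) in combinations(entries, 2)
            if a != b and na.overlaps(nb)]


def assess(plan):
    """Split overlaps into those that can be onboarded (both sides are remote
    network locations, so the Overlapped Subnets check box applies and the
    sites lose inbound traffic from other sites, service connections and
    mobile users) and those that cannot exist at all (a service connection
    or the mobile user pool is involved)."""
    onboardable, unsupported = [], []
    for overlap in find_overlaps(plan):
        a, _, b, _ = overlap
        if a.startswith("remote:") and b.startswith("remote:"):
            onboardable.append(overlap)
        else:
            unsupported.append(overlap)
    affected = sorted({s for a, _, b, _ in onboardable for s in (a, b)})
    return {"onboardable": onboardable, "unsupported": unsupported,
            "sites_losing_inbound": affected}


if __name__ == "__main__":
    report = assess(PLAN)
    for key, value in report.items():
        print(f"{key}: {value}")
```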
