How do you treat users from Egypt using GlobalProtect?
Interestingly, colleagues from Egypt can establish a connection via GlobalProtect, but no data is transferred over this connection.
An automatic fallback to IPsec does not happen.
Manual connection with “SSL Only” option works fine.
So it looks like Egypt is “filtering” IPsec traffic in some way.
We can assign an SSL-Only profile to the users from Egypt using an Active Directory group, but this would cause problems for business travelers to Egypt.
Is there an option that an automatic fallback to SSL VPN happens if no data can be transferred over IPsec?
Of course, it would be even better if Palo Alto Networks offered more modern alternatives to TCP-based SSL VPN (for example, WireGuard or DTLS).
I don’t want to be a buzzkill. I think Egypt is blocking IPsec traffic as a hint because VPNs are legal in Egypt. It doesn’t matter that we have clever ways around it. You don’t want your end users doing something illegal in foreign countries.
There might be exceptions for businesses. Most likely they involve approval from the government.
Have your legal department look into this and have them make the decision on what to do next.