Cloudflare Gateway DNS Filtering + GlobalProtect VPN Compatibility
We want to implement DNS-based web filtering using Cloudflare Gateway (malware, phishing, adult content, social media) to support ISO 27001 compliance, while remaining compatible with our existing Palo Alto GlobalProtect VPN setup. When the WARP client is turned on, the GlobalProtect VPN disconnects.
Solutions tried: Added the domains and IPs that are accessed via GlobalProtect to the split-tunnel exclude section of the Cloudflare device profile and also to the local domain fallback section. This configuration resulted in DNS conflicts, TLS certificate issues, and unstable connectivity. Ultimately abandoned due to persistent interference between the two clients.
Need guidance to set up these two so that they run at the same time, where GlobalProtect resolves the internal domains and IPs while Cloudflare still blocks the content via DNS as a web filter. Also, we don’t have control over the GlobalProtect configuration. It is the customer's VPN and we need to use it. We can’t do that configuration completely in WARP because of this. So we can’t change the behaviour of GlobalProtect.
The community post is already closed with this as the solution. So I tried this, and the WARP tunnel connected and showed that it is running in "SWG without DNS" mode, and the connected status was "DNS policies are not enforced". Then I tried to connect the GlobalProtect VPN, and it just keeps disconnecting, even though the WARP tunnel is running in traffic-only mode. I don't understand why this happens.