WireGuard + Headscale → Palo Alto GlobalProtect

WireGuard + Headscale ↔ Palo Alto GlobalProtect: integration to migration path.

Remote access is load-bearing — break the tunnel and your whole workforce is locked out of corp at once. So WireGuard + Headscale goes live behind Palo Alto GlobalProtect first, both clients running side by side while GP keeps owning HIP-gated routes, and only takes over one cohort's CIDR at a time. No flag day, no forced re-credentialing, and every phase rolls back in minutes.

The honest end state is often permanent coexistence: the cutover unit is user × route × posture-class, and GP's HIP catalogue, inline URL filtering and Threat Prevention, and Prisma Access's global edge have no OSS equal. We name those gaps up front, because the rest of this only matters if you can trust it.

The idea

Run behind GlobalProtect first. Retire it route by route last.

The topology that makes this zero-downtime is parallel tunnels split by route and posture-class. Both clients run on the endpoint; the GP App's split-include shrinks to the HIP-gated CIDRs while a Headscale namespace advertises the cohort's CIDRs through WireGuard's AllowedIPs, with the cohort's WireGuard adapter pinned above GP so it carries the route. Both halves federate to the same IdP, so one group claim — and, later, a signed posture claim — moves a user across both sides at once. WireGuard owns the modern L4 surface; GP keeps the regulated, HIP-gated surface — each route migrated independently, each reversible, never a single big cutover.

The phases

Seven steps. Each one reversible.

Phase 0: Baseline & inventory

We read Panorama: per-route CIDR ownership, per-HIP-profile membership and which AV / disk-enc / patch / EDR rules each route depends on, every user's Gateway and Prisma Access edge, DNS push policy, App-ID rules and the URL-filtering categories enforced inline. Read-only — nothing moves.

Users see: No user impact.

Rollback: N/A

Phase 1: Headscale goes live behind GlobalProtect

Headscale stands up in HA — three-plus nodes, Postgres, a DERP relay reachable on TCP/443 — and federates via OIDC PKCE to the same IdP that backs GP's SAML. A canary of 20 endpoints enrolls alongside the GP App, advertising only a synthetic test CIDR with no overlap with GP-pushed routes. No production route moves.

Users see: None for production users; the canary sees a second tray icon and reaches the test subnet.

Rollback: Uninstall the WireGuard client and delete the Headscale instance — no production route depends on it. Under 15 minutes.

Phase 2: Cohort A: one low-risk CIDR, both paths live

One non-HIP-gated CIDR — a dev sandbox with no compliance exposure — is made reachable via WireGuard while it stays reachable via GP. The cohort's WireGuard adapter is pinned above GP so it carries the route, and a SIEM rule alerts if GP carries any flow to that CIDR from the cohort after a day.

Users see: None — both paths work; users don't know which adapter carried the packet.

Rollback: Per endpoint: set the WireGuard adapter's interface metric back above GP's so GP regains priority and the route returns to GP. Under 15 minutes.

Phase 3: Per-route cohort migration in waves

Every non-HIP-gated CIDR migrates cohort by cohort: add it to the Headscale ACL, bake seven days with the parallel GP route live, then remove it from the GP App split-include and verify zero GP carries for 14 days. GP retains only HIP-gated CIDRs and the URL-filtering / TP egress path. The IdP still owns credentials throughout.

Users see: None — auth still resolves at the IdP for both halves; only route ownership changes.

Rollback: Re-add the CIDR to the GP split-include via Panorama push; the WireGuard ACL stays in place so an adapter-metric flip is the only mechanism. Under 15 minutes.
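The Phase 2 SIEM rule and the Phase 3 "zero GP carries" soak as one check, added here as an example (not code from the page or from Headscale); the flow-log schema, the cohort membership, the soak start and the sample records are constructed assumptions:

```python
"""Soak check for a migrated CIDR: flag GlobalProtect carries, measure WireGuard carry.

Added example, not code from the page or from Headscale. Assumed constructed
flow-log schema: (timestamp, user, adapter, destination IP), with the adapter
recorded as "wg0" (WireGuard) or "gp" (GlobalProtect).
"""
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed: cohort A owns the dev-sandbox CIDR via WireGuard from SOAK_START.
MIGRATED = {"10.50.0.0/24": {"alice", "bob"}}          # CIDR -> cohort members
SOAK_START = datetime(2024, 6, 1, tzinfo=timezone.utc)
GRACE = timedelta(days=1)                               # page: alert only "after a day"

FLOWS = [  # constructed sample flow records
    ("2024-06-01T08:00:00Z", "alice", "gp",  "10.50.0.12"),  # inside grace period
    ("2024-06-03T09:15:00Z", "alice", "wg0", "10.50.0.12"),
    ("2024-06-03T09:16:00Z", "bob",   "wg0", "10.50.0.40"),
    ("2024-06-04T10:00:00Z", "bob",   "gp",  "10.50.0.40"),  # regression: should alert
    ("2024-06-04T10:05:00Z", "carol", "gp",  "10.50.0.40"),  # carol is not in the cohort
    ("2024-06-04T11:00:00Z", "alice", "gp",  "10.60.0.5"),   # CIDR still owned by GP
]

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def gp_carries(flows, migrated=MIGRATED, soak_start=SOAK_START, grace=GRACE):
    """(user, dst) pairs where GP carried a cohort member's flow to a migrated CIDR after grace."""
    nets = {ipaddress.ip_network(c): m for c, m in migrated.items()}
    hits = []
    for ts, user, adapter, dst in flows:
        if adapter != "gp" or _ts(ts) < soak_start + grace:
            continue
        addr = ipaddress.ip_address(dst)
        if any(addr in net and user in members for net, members in nets.items()):
            hits.append((user, dst))
    return hits

def wg_carry_ratio(flows, cidr, migrated=MIGRATED):
    """Share of the cohort's flows to `cidr` carried by WireGuard; 1.0 means a clean soak."""
    net, members = ipaddress.ip_network(cidr), migrated[cidr]
    total = wg = 0
    for _, user, adapter, dst in flows:
        if user in members and ipaddress.ip_address(dst) in net:
            total += 1
            wg += adapter == "wg0"
    return wg / total if total else 1.0
```

Run `gp_carries` daily over the cohort's flow export; the Phase 3 gate is 14 consecutive days of an empty result and a carry ratio of 1.0.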

Phase 4: Lift soft-gated routes with IdP-claim posture

Each Panorama HIP profile is classified hard-gated or soft-gated. Soft-gated routes — those needing only "EDR present, disk encrypted, OS patched" — move to WireGuard, with the posture asserted as a signed Intune / Jamf / CrowdStrike claim emitted into the OIDC token and gating Headscale ACL membership. Hard-gated routes that need PAN's curated catalogue stay on GP.

Users see: None for users whose posture claim is healthy; users without it are blocked at the ACL or routed back to GP. The new block reason is communicated at least 30 days ahead.

Rollback: Restore the CIDR to the GP split-include and downgrade the ACL to non-posture-gated. Under 15 minutes.
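The Phase 4 gate in code, added here as an example (not Headscale's or any IdP's code): the posture claim is assumed to arrive as a JSON body with an HMAC-SHA256 tag under a key shared with the IdP, standing in for the IdP's real token signature; the route classification, freshness window and sample claims are constructed:

```python
"""Posture-claim gate for soft-gated routes (Phase 4).

Added example, not Headscale's or any IdP's code. Assumptions: the MDM/EDR
posture claim arrives as a JSON body plus an HMAC-SHA256 tag under a key shared
with the IdP (a stand-in for the IdP's real token signature), and a claim older
than MAX_AGE is stale because the page says it refreshes every few minutes.
"""
import hashlib, hmac, json
from datetime import datetime, timedelta

SHARED_KEY = b"constructed-demo-key"           # assumption: stand-in for the IdP signing key
MAX_AGE = timedelta(minutes=10)                # assumption: freshness window
REQUIRED = ("edr_present", "disk_encrypted", "os_patched")   # soft-gated criteria from the page

# Constructed classification: soft-gated CIDRs may move to WireGuard when the
# claim is healthy; hard-gated CIDRs stay on GlobalProtect whatever the claim says.
ROUTES = {"10.70.0.0/24": "soft", "10.80.0.0/24": "hard"}

def sign_claim(claim, key=SHARED_KEY):
    """Serialise and tag a claim the way our assumed IdP would."""
    body = json.dumps(claim, sort_keys=True, separators=(",", ":"))
    return body, hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def posture_healthy(body, tag, now_iso, key=SHARED_KEY):
    """True only if the claim is authentic, fresh, and every required posture bit is set."""
    expect = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, tag):
        return False                            # forged or tampered claim
    claim = json.loads(body)
    issued, now = datetime.fromisoformat(claim["iat"]), datetime.fromisoformat(now_iso)
    if now < issued or now - issued > MAX_AGE:
        return False                            # stale or future-dated
    return all(claim.get(k) is True for k in REQUIRED)

def route_owner(cidr, healthy):
    """Which tunnel carries `cidr` for this user: 'wireguard' or 'globalprotect'."""
    if ROUTES[cidr] == "hard":
        return "globalprotect"                  # HIP catalogue stays authoritative
    return "wireguard" if healthy else "globalprotect"

def headscale_policy(users_healthy):
    """Headscale/Tailscale-style ACL fragment: only posture-ok users reach soft-gated CIDRs."""
    ok = sorted(u for u, healthy in users_healthy.items() if healthy)
    soft = [c for c, cls in ROUTES.items() if cls == "soft"]
    return {"groups": {"group:posture-ok": ok},
            "acls": [{"action": "accept", "src": ["group:posture-ok"],
                      "dst": [f"{c}:*" for c in soft]}]}
```

An unhealthy or stale claim drops the user from `group:posture-ok`, which is the "blocked at the ACL or routed back to GP" outcome the phase describes.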

Phase 5: Replace URL filtering, TP and the Prisma edge

Inline URL filtering moves to a per-endpoint DNS filter, inline Threat Prevention to endpoint EDR plus an egress NGFW IDS, and Prisma Access's global edge to a self-hosted DERP fleet — which is not a like-for-like for global anycast. PAN URL categories are mapped to the filter vendor's, and the EDR's coverage of the TP threat classes is confirmed before anything is cut.

Users see: Possible web-browsing UX changes — different block-page styling and category granularity — and roaming users may see latency regressions on long-haul paths until the DERP fleet is sized. Communicated at least 30 days ahead.

Rollback: Re-enable the GP gateway URL/TP/Prisma path and revert the DNS filter and DERP routing — minutes for the URL filter, up to a few hours for the Prisma fallback.

Phase 6: Retire GP, or accept permanent coexistence

Option A migrates the hard-gated CIDRs via auditor-accepted IdP-claim equivalence, a replacement posture vendor, or a signed compensating control, then decommissions GP. Option B keeps GP for the hard-gated CIDRs forever, scopes its licensing to that user base only, and cancels licences for fully-migrated cohorts.

Users see: Option A: same as Phase 4. Option B: none — you are already operating in this state.

Rollback: During the 30-day evidence window, reinstate the GP gateway entry for any CIDR. After the window, rollback is out of scope.

Feature parity

Where WireGuard + Headscale matches GlobalProtect, and where it does not.

| Capability | WireGuard + Headscale | Palo Alto GlobalProtect | Parity |
|---|---|---|---|
| Tunnel / transport | WireGuard Noise IK, fixed ChaCha20-Poly1305 + Curve25519 + BLAKE2s | GP negotiated TLS/IPsec (SSL or IKEv2 modes) | At parity |
| Identity federation | OIDC PKCE to group claim to HuJSON ACL | Portal/Gateway SAML, group from SAML attribute | At parity |
| ACL policy model | HuJSON tagOwners, autoApprovers, acls (src/dst/proto) in git | Gateway zone + security policy in Panorama | At parity |
| Cohort / split routing | Per-node AllowedIPs + ACL dst | GP App split-include/exclude | At parity |
| Device posture | osquery / Intune / Jamf / Falcon claim to IdP to ACL posture tag (minutes) | HIP check at Gateway connect, vendor-curated catalogue, continuous | Partial |
| NAT traversal / relay | UDP/51820 + self-hosted DERP TCP/443 fallback | TLS/443 native | At parity |
| Global edge / PoP | Self-hosted DERP fleet, placement-dependent | Prisma Access global anycast (300+ PoPs, SLA) | SaaS only |
| L7 / App-ID firewalling | None — port-level ACL only | Panorama App-ID security rules | SaaS only |
| Inline URL filtering | None — replace with an endpoint DNS filter | Gateway URL filtering + categories | SaaS only |
| Inline threat prevention / IPS | None — endpoint EDR sees post-exploitation only | Gateway Threat Prevention / WildFire | SaaS only |
| Multi-cloud mesh | Router nodes advertise routes across AWS/GCP/Azure/on-prem, one control plane | GP gateway per region or a Prisma subscription | OSS only |
| DNS | Headscale MapResponse DNSConfig split DNS / MagicDNS | GP App corp resolver push | At parity |
| RBAC / admin | Headscale CLI/API, HuJSON in git | Panorama commit-and-push GUI | Partial |
| Deployment & HA | Self-hosted 3+ nodes + Postgres + DERP, your on-call | Vendor + 24x7 NOC | SaaS only |
| Cost model | Self-hosted compute + DERP egress | Per-seat GP + Prisma + Panorama + TP/URL subscriptions | Partial |
| Compliance | Boundary inside your SSP; WG FIPS 140-3 status to confirm | Inherited SOC 2 / FedRAMP; GP FIPS-mode to confirm | SaaS only |

What we're honest about

The caveats most vendors leave out.

The HIP catalogue is a signal-quality regression

GlobalProtect's HIP check runs a vendor-curated catalogue at every Gateway connect — specific AV products at specific versions with specific signature dates. WireGuard has no built-in evaluation engine. The honest substitute is a signed Intune / Jamf / CrowdStrike claim emitted into the IdP and gating a Headscale ACL — coarser than HIP, and refreshed roughly every few minutes rather than continuously. We classify each HIP profile hard- or soft-gated, move only the soft-gated, and keep GP for hard-gated rather than pretend a coarse claim equals a curated catalogue.

No inline URL filtering, App-ID or Threat Prevention

GP's Gateway is an inspection point — App-ID security rules, URL filtering by category, inline Threat Prevention and WildFire. WireGuard is port-level only; endpoint EDR sees post-exploitation, not the pre-exploitation network detection PAN was doing. We replace URL filtering with an endpoint DNS filter and TP with EDR plus an egress NGFW IDS, map PAN categories across, and document every gap for GRC sign-off — a real workstream, not a checkbox.

Prisma Access global edge has no OSS equal

Prisma's 300-plus anycast PoPs give roaming users a sub-50ms first hop under an SLA. A self-hosted DERP fleet is placement-dependent, not global anycast, and long-haul roaming typically regresses by tens of milliseconds. We size DERP in your target regions and accept the regression honestly — or, where global latency is the binding constraint, keep GP for the road-warrior population permanently rather than ship a worse experience.

Self-hosting moves uptime and compliance onto you

GP's outage is Palo Alto's; once GP is gone, a Headscale outage is yours — existing sessions keep working, but no new ones establish. The SOC 2 / FedRAMP boundary GP inherited falls back inside your SSP, and the Cortex Data Lake firewall-to-endpoint XDR pivot disappears. We run it as a managed service: three-plus nodes, multi-AZ Postgres, a distributed DERP fleet, a break-glass admin key, a tested DR realm-restore with a measured RTO, and at least one audit cycle of overlap before GP is retired.

Why this beats a flag day

Reversible at every step, with a real soak before anything is cut.

Every phase rolls back in under 15 minutes while both clients remain installed — an adapter-metric flip or a Panorama split-include re-add, never a rebuild. And before any GP licence is cancelled, each migrated route soaks at least 30 consecutive days at 100% WireGuard carry with zero GP carries, the DNS filter and EDR replacements are proven against baseline over a 30-day window, and the DR realm-restore is exercised end to end. A flag day gives you neither; this gives you both.

See whether your remote access migrates cleanly.

A 30-minute call with a senior network engineer. We classify every HIP profile hard- or soft-gated, map your App-ID and URL-filtering dependencies, size the latency cost of replacing Prisma's global edge, and tell you honestly whether your end state is full retirement or permanent coexistence — before you commit to anything.
