My colleagues recently discovered that users can not connect to Palo Alto Global Protect when using their Mac via Personal Hotspot. After some tests, we could nail it down that this only affects users that are using a Personal Hotspot via an iPhone on mobile carrier T-Mobile Germany. Other SIMs by other carriers in the same iPhone worked just fine.
We had some challenges before with T-Mobile Germany using IPv6-only as default in their cellular network with other software vendors.
Today I found in the MacAdmin Slack a thread by others reporting the same issue. I was reminded by colorenz in this thread that you still can use the old APN internet.telekom as a temporary workaround. Matthew G also provided some insides which point to DS-Lite/IPv4-over-IPv6 as root cause and that a fix is on its way. Thanks again macadmins Slack community!
I will try getting a confirmation and ETA from Palo Alto for that.
If you wanna change APN settings this manually go to Settings - Cellular - Select the SIM you wanna modify - Cellular Data Network and change the second APN under Personal Hotspot to internet.telekom.