topic Re: Global Protect users not able to use internet when they move to office from Home in GlobalProtect Discussions

Global Protect users not able to use internet when they move to office from Home

tamilvanan — Wed, 29 Sep 2021 12:50:29 GMT

Hi All,

We had configured an GP Portal/Gateway on the firewall. The login method configured on GP is Pre-Logon method and we also had enabled "No Direct Access to local network". The Authentication method used is LDAP. Gateway is configured in Full tunnel mode

As the user were working from home previously they will be able to access internet only when GP VPN is enabled. Now the users started moving to office and also in office environment they need to connect through GP to access internal network and internet.

Is there any way to configure GP in such an manner that when the user is using his laptop in home he need to connect to GP-VPN to use their system and when they come to office no need to connect to GP-VPN to use their system to access internet and organization internal network.

Thanks in advance!!

Re: Global Protect users not able to use internet when they move to office from Home

WeidmannIT — Tue, 26 Oct 2021 12:20:53 GMT

Hello

You can use Internal Gateway as possible solution.

Re: Global Protect users not able to use internet when they move to office from Home

TomYoung — Wed, 27 Oct 2021 03:25:03 GMT

Hi @tamilvanan ,

Yes, this can be done. In addition to your external gateway, you would configure an internal gateway in non-tunnel mode with Internal Host Detection enabled. https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000ClH1

Note in the doc that (1) the trust interface is used, (2) the Agent tab on the gateway is not configured (Tunnel Mode is not checked). As the name implies, no encrypted tunnel is formed between the client and the gateway.

This configuration has the added benefit of providing accurate User-ID inside the network and enforcing HIP checks if configured.

Here is more info on Internal Host Detection -> https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/globalprotect/network-globalprotect-portals/globalprotect-portals-agent-configuration-tab/globalprotect-portals-agent-internal-tab.html.

Here is more info on types of gateways -> https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/globalprotect-gateway-concepts/types-of-gateways.html.

Thanks,

Tom

Re: Global Protect users not able to use internet when they move to office from Home

emarschang — Mon, 11 Jul 2022 21:51:08 GMT

When configuring this, when it comes to portal configuration, do I edit our existing external portal? In the portal configuration assuming im using our existing external portal, do I change the interface to the internal interface/IP?