<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Global Protect Internal Host detection in GlobalProtect Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-internal-host-detection/m-p/522506#M3459</link>
    <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/37267"&gt;@mmantilla&lt;/a&gt; ,&lt;/P&gt;
&lt;P&gt;Unfortunately, I am afraid there is no other way. This is how GlobalProtect works - you need to connect to the GP portal first, before connecting to the GP gateway. In addition, the GP client will periodically connect to the portal to refresh its config (portal config refresh interval).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;In the real world, the GP client caches the gateway configuration and, in an attempt to optimise the process, it will try to use the cached config and connect directly to the GP gateway first. So it is possible that internal users don't authenticate to the portal and connect straight to the internal gateway, but this doesn't solve your problem.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;One possible workaround would be to use a "split DNS zone", or in simple terms create DNS entries for your portal and external gateway that point to an internal IP address. This address should be a loopback on the firewall where you have configured a different GP gateway/portal using a different authentication method that does not require MFA (probably only a machine cert).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Sun, 27 Nov 2022 20:54:53 GMT</pubDate>
    <dc:creator>aleksandar.astardzhiev</dc:creator>
    <dc:date>2022-11-27T20:54:53Z</dc:date>
    <item>
      <title>Global Protect Internal Host detection</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-internal-host-detection/m-p/520832#M3415</link>
      <description>&lt;P&gt;Hello,&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have configured GlobalProtect with Portal + External gateway and pre-logon always-on with Enforced GlobalProtect Connection for Network Access. I have enabled Internal Host Detection IPv4. So far this is working great: GlobalProtect detects if it is in an internal network and, if it is not, it automatically prompts you for authentication to connect to the external gateway. We are using Azure SAML authentication with Microsoft 2FA. If we don't have a DNS entry for the GP portal internally, then the internal network detection randomly fails, so we need to have a DNS entry pointing at the portal; at that point, only after you log into the portal will the agent detect the internal network. The problem with this is that users are required to authenticate to the GlobalProtect Portal even when they are in the internal network, and this constitutes an extra step that management doesn't want the users to take when they are in the internal network. So, is there a way that I can have internal network detection working properly without authentication when I am in the internal network?&amp;nbsp;&lt;/P&gt;
      <pubDate>Wed, 09 Nov 2022 18:03:45 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-internal-host-detection/m-p/520832#M3415</guid>
      <dc:creator>mmantilla</dc:creator>
      <dc:date>2022-11-09T18:03:45Z</dc:date>
    </item>
    <item>
      <title>Re: Global Protect Internal Host detection</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-internal-host-detection/m-p/522506#M3459</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/37267"&gt;@mmantilla&lt;/a&gt; ,&lt;/P&gt;
&lt;P&gt;Unfortunately, I am afraid there is no other way. This is how GlobalProtect works - you need to connect to the GP portal first, before connecting to the GP gateway. In addition, the GP client will periodically connect to the portal to refresh its config (portal config refresh interval).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;In the real world, the GP client caches the gateway configuration and, in an attempt to optimise the process, it will try to use the cached config and connect directly to the GP gateway first. So it is possible that internal users don't authenticate to the portal and connect straight to the internal gateway, but this doesn't solve your problem.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;One possible workaround would be to use a "split DNS zone", or in simple terms create DNS entries for your portal and external gateway that point to an internal IP address. This address should be a loopback on the firewall where you have configured a different GP gateway/portal using a different authentication method that does not require MFA (probably only a machine cert).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 27 Nov 2022 20:54:53 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-internal-host-detection/m-p/522506#M3459</guid>
      <dc:creator>aleksandar.astardzhiev</dc:creator>
      <dc:date>2022-11-27T20:54:53Z</dc:date>
    </item>
    <item>
      <title>Re: Global Protect Internal Host detection</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-internal-host-detection/m-p/522588#M3468</link>
      <description>&lt;P&gt;Hi, this is a good solution that I attempted to take before since we already have split-DNS setup for the company. I attempted to create a portal/gw in the trust interface but where I am failing is in configuring machine certificate authentication only. I have tried following the two articles below but I am prompted for a username/password still. So either you always get prompted and that is how GP works or there is something I am doing wrong. I would really appreciate if you have some sort of guide or idea in what I can be doing wrong when attempting this. Please let me know and thanks a lot for taking the time to reply.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPQCCA4" target="_blank"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPQCCA4&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/authentication/set-up-client-certificate-authentication/deploy-machine-certificates-for-authentication" target="_blank"&gt;https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/authentication/set-up-client-certificate-authentication/deploy-machine-certificates-for-authentication&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 28 Nov 2022 14:53:33 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-internal-host-detection/m-p/522588#M3468</guid>
      <dc:creator>mmantilla</dc:creator>
      <dc:date>2022-11-28T14:53:33Z</dc:date>
    </item>
    <item>
      <title>Re: Global Protect Internal Host detection</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-internal-host-detection/m-p/595109#M5677</link>
      <description>&lt;P&gt;Hi, I came across this thread searching for a solution to a similar problem on getting MFA challange while on the internal network even when interna&amp;nbsp; host detection&amp;nbsp; is configured and based on logs working. Could you please share the solution approach details if you were able to address your concerns. Thanks in advance.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 16 Aug 2024 15:00:37 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-internal-host-detection/m-p/595109#M5677</guid>
      <dc:creator>bauernet32</dc:creator>
      <dc:date>2024-08-16T15:00:37Z</dc:date>
    </item>
  </channel>
</rss>

