https://live.paloaltonetworks.com/t5/globalprotect-discussions/how-to-enforce-user-to-connect-to-gp-internal-gw/m-p/1205133#M6383 <P>Hi Expert,</P> <P>&nbsp;</P> <P>I have setup an internal GP GW to get user-id, which works fine. But now the question is how to enforce users to connect to it once in office. On GP portal, I set <SPAN data-olk-copy-source="MessageBody">&lt;Enforce GlobalProtect for user access&gt;&nbsp;</SPAN> to Yes , but it is not working. Tried both&nbsp;</P> <DIV data-olk-copy-source="MessageBody"><SPAN>&nbsp;</SPAN>&lt;pre-logon always on&gt; and&nbsp;&lt;user-logon always on&gt;.</DIV> <DIV data-olk-copy-source="MessageBody">Please let me know any way can get it resolved.</DIV> Thu, 23 Jan 2025 05:48:03 GMT C.Gao140612 2025-01-23T05:48:03Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/how-to-enforce-user-to-connect-to-gp-internal-gw/m-p/1205133#M6383 <P>Hi Expert,</P> <P>&nbsp;</P> <P>I have setup an internal GP GW to get user-id, which works fine. But now the question is how to enforce users to connect to it once in office. On GP portal, I set <SPAN data-olk-copy-source="MessageBody">&lt;Enforce GlobalProtect for user access&gt;&nbsp;</SPAN> to Yes , but it is not working. Tried both&nbsp;</P> <DIV data-olk-copy-source="MessageBody"><SPAN>&nbsp;</SPAN>&lt;pre-logon always on&gt; and&nbsp;&lt;user-logon always on&gt;.</DIV> <DIV data-olk-copy-source="MessageBody">Please let me know any way can get it resolved.</DIV> Thu, 23 Jan 2025 05:48:03 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/how-to-enforce-user-to-connect-to-gp-internal-gw/m-p/1205133#M6383 C.Gao140612 2025-01-23T05:48:03Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/how-to-enforce-user-to-connect-to-gp-internal-gw/m-p/1205227#M6388 <P>make sure the internal gateway has tunnel mode enabled, else the agent won't connect to it:&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="reaper_0-1737664451172.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/65426i7D29FC4E6A99763F/image-size/large?v=v2&amp;px=999" role="button" title="reaper_0-1737664451172.png" alt="reaper_0-1737664451172.png" /></span></P> <P>&nbsp;</P> Thu, 23 Jan 2025 20:34:30 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/how-to-enforce-user-to-connect-to-gp-internal-gw/m-p/1205227#M6388 reaper 2025-01-23T20:34:30Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/how-to-enforce-user-to-connect-to-gp-internal-gw/m-p/1205251#M6389 <P>Thanks a lot for the reply. So this is internal GW with tunnel mode. And I just need to setup a tunnel interface and if need to configure the ip pool ? Or the client just use the DHCP assigned internal ip address.</P> Fri, 24 Jan 2025 01:06:38 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/how-to-enforce-user-to-connect-to-gp-internal-gw/m-p/1205251#M6389 C.Gao140612 2025-01-24T01:06:38Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/how-to-enforce-user-to-connect-to-gp-internal-gw/m-p/1205328#M6395 <P>Create an IP pool and also do the split tunneling including all internal network subnets and fqdn's. This will make GP to only forward office network traffic through it's virtual Network adapter and the rest outside internet traffic will be passed through physical Network adapter.</P> Fri, 24 Jan 2025 13:12:16 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/how-to-enforce-user-to-connect-to-gp-internal-gw/m-p/1205328#M6395 trewale 2025-01-24T13:12:16Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/how-to-enforce-user-to-connect-to-gp-internal-gw/m-p/1205432#M6401 <P>I think you referring to Internal host detection where users always connect to the internal gateway when in the office. To achieve this you need a PTR record configured on the firewall that must be resolved for internal users.</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/globalprotect/network-globalprotect-portals/globalprotect-portals-agent-configuration-tab/globalprotect-portals-agent-internal-tab" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/globalprotect/network-globalprotect-portals/globalprotect-portals-agent-configuration-tab/globalprotect-portals-agent-internal-tab</A></P> <P>&nbsp;</P> <P>Let me know if this is the requirement or if I have misunderstood your query.&nbsp;</P> Mon, 27 Jan 2025 02:55:18 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/how-to-enforce-user-to-connect-to-gp-internal-gw/m-p/1205432#M6401 arusharma 2025-01-27T02:55:18Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/how-to-enforce-user-to-connect-to-gp-internal-gw/m-p/1205509#M6405 <P>Hi Arusharma, the internal gw is working fine , but question is how to enforce users to connect to GP internal GW by default when they are in office.&nbsp;</P> <P>Already opened a TAC case, but suggested to use HIP, I do not think that is related.</P> Mon, 27 Jan 2025 18:56:47 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/how-to-enforce-user-to-connect-to-gp-internal-gw/m-p/1205509#M6405 C.Gao140612 2025-01-27T18:56:47Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/how-to-enforce-user-to-connect-to-gp-internal-gw/m-p/1205519#M6406 <P>Hello,</P> <P>Restrict the default LAN IP that is received by the client to only be able to connect to a few things:</P> <P><A href="https://skrzsecurity.net/zero-trust#:~:text=get%20to%20it.-,Architecture,-%3A" target="_blank">https://skrzsecurity.net/zero-trust#:~:text=get%20to%20it.-,Architecture,-%3A</A></P> <P>&nbsp;</P> <P>Regards,</P> <P>&nbsp;</P> Mon, 27 Jan 2025 20:47:41 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/how-to-enforce-user-to-connect-to-gp-internal-gw/m-p/1205519#M6406 OtakarKlier 2025-01-27T20:47:41Z