https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-internal-gateway-non-tunnel-mode-does-it-provide/m-p/367365#M655 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/151796">@SergGur</a>,</P> <P>If you choose not to tunnel the traffic back to the gateway the only thing you are doing is HIP and User-ID through GlobalProtect. It doesn't add any form of encryption and the traffic outside of agent checks never hits the internal gateway.&nbsp;</P> Fri, 04 Dec 2020 18:31:26 GMT BPry 2020-12-04T18:31:26Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-internal-gateway-non-tunnel-mode-does-it-provide/m-p/367319#M654 <DIV>Hello Experts,</DIV><DIV>&nbsp;</DIV><DIV>Can you please clarify if Non-tunnel mode provide packet encryption, or just HIP/User-ID for the gateway?</DIV><DIV>&nbsp;</DIV><DIV>Does the traffic goes in from GlobalProtect&nbsp; (laptop) to GlobalProtect gateway (firewall) in non-tunnel mode setup?</DIV><DIV>&nbsp;If it is encrypted, how much of IP header retained, is it just IP or ports are in clear as well?</DIV><DIV>&nbsp;</DIV><DIV>It is not clear from the documentation:</DIV><DIV>&nbsp;</DIV><DIV><STRONG>Internal</STRONG> —An internal gateway is an interface on the internal network that is configured as a GlobalProtect gateway and applies security policies for internal resource access. When used in conjunction with User-ID and/or HIP checks, an internal gateway can be used to provide a secure, accurate method of identifying and controlling traffic based on user and/or device state. Internal gateways are useful in sensitive environments where authenticated access to critical resources is required. <EM><STRONG>You can configure an internal gateway in either tunnel mode or non-tunnel mode</STRONG></EM>. The GlobalProtect app connects to the internal gateway after performing internal host detection to determine the location of the endpoint.</DIV><P>&nbsp;</P><P>References:</P><P><A href="https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-gateways/globalprotect-gateway-concepts/types-of-gateways.html" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-gateways/globalprotect-gateway-concepts/types-of-gateways.html</A></P><P><A href="https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/globalprotect-quick-configs/mixed-internal-and-external-gateway-configuration.html" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/globalprotect-quick-configs/mixed-internal-and-external-gateway-configuration.html</A></P> Fri, 04 Dec 2020 14:38:40 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-internal-gateway-non-tunnel-mode-does-it-provide/m-p/367319#M654 SergGur 2020-12-04T14:38:40Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-internal-gateway-non-tunnel-mode-does-it-provide/m-p/367365#M655 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/151796">@SergGur</a>,</P> <P>If you choose not to tunnel the traffic back to the gateway the only thing you are doing is HIP and User-ID through GlobalProtect. It doesn't add any form of encryption and the traffic outside of agent checks never hits the internal gateway.&nbsp;</P> Fri, 04 Dec 2020 18:31:26 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-internal-gateway-non-tunnel-mode-does-it-provide/m-p/367365#M655 BPry 2020-12-04T18:31:26Z