topic Re: GlobalProtect Internal Host Detection with Always-On and Enforcement in GlobalProtect Discussions

GlobalProtect Internal Host Detection with Always-On and Enforcement

gkevlin — Thu, 13 Mar 2025 02:44:32 GMT

Hello,

I am trying to deploy GlobalProtect on some of our endpoints, but I'm running into a set of issues due to our business requirements.

The requirements are:
VPN is in Always-On with full enforcement
All traffic from those devices must stay internal, or be tunneled over the VPN (excepting what's needed for tunnel establishment)
MFA is required to establish a VPN tunnel outside

Our MFA utilizes RADIUS with OTP

The devices that GlobalProtect is installed on can move between our internal LAN and external locations

My solution was to create internal and external portals with the same FQDN that resolve differently depending if the device is internal or external. For the internal portal, I am using the machine certificate to auth which triggers internal host detection successfully. Externally everything works as desired with the MFA authentication prompt triggering on user login and the connection method is set to User-Logon(Always-On) both internally and externally.

The issue I am running into is internal host detection before a user logs in. If they reboot and let the device sit, it is completely inaccessible which I am pretty sure is going to brick patching. I have the internal network CIDRs in the Enforce GlobalProtect agent config, but that hasnt helped.

I think the normal recommendation would be to enable pre-login on the internal portal, but I was also hoping to have Connect Before Logon configured to address some weird remote-only user corner cases. As far as I can tell, when I register CBL, it does not allow for any pre-login configurations to apply.

Does anyone have a good recommendation to address idle-machines while they are internally connected? I can't disable Enforcement when it's internally connected because the worry would be that a user takes the device home without first logging in, and now it's on their home wifi with unrestricted internet access.

Re: GlobalProtect Internal Host Detection with Always-On and Enforcement

BPry — Thu, 13 Mar 2025 22:00:40 GMT

@gkevlin,

Pretty much all of your issues are solved with pre-login. What exactly is the issue that is preventing you from enabling it and wanting CBL for the remote-only users; that's the whole point of pre-login and that capability solves the rest of your issues.

Re: GlobalProtect Internal Host Detection with Always-On and Enforcement

gkevlin — Fri, 14 Mar 2025 17:05:10 GMT

@BPry,

That's my plan unless I can think of something else. I'm just a little frustrated that with the way an initial portal authentication is required before internal network detection will trigger. It makes automated provisioning a little awkward as after it gets provisioned it requires a portal authentication before it will allow communications after GP client is installed. It also necessitates a second, internal-only portal since I could not find a way to enable machine certificate only authentication for internal hosts while enforcing MFA auth for external hosts.

Re: GlobalProtect Internal Host Detection with Always-On and Enforcement

cjthorse82 — Fri, 04 Apr 2025 13:08:06 GMT

From a TAC Case I recently had:

according to our internal documentation, Internal Host Detection and Internal Gateways are not supported in On-Demand mode.
Upon analyzing the logs from yesterday, I noticed that when connecting to '<ourportal>, the connection method is set to 'pre-logon-then-on-demand', whereas connecting to '<another portal>' uses the 'Pre-logon' connection method. Additionally, the workaround portal '<internal>' also uses the 'Pre-logon' method.

This behavior is by design: In a 'pre-logon-then-on-demand' connection method configuration, Internal Host Detection does not function during the On-Demand phase. Here's a brief explanation of the flow:
- When the user powers on the PC, a tunnel is established using the Pre-logon method and the user is identified as an internal user.
- Once the user switches to a different portal, the Pre-logon tunnel is terminated.
- When the user clicks “Connect” manually, an On-Demand connection is initiated.
- During this On-Demand connection, Internal Host Detection is not supported even if it is configured.
So if you need Internal Host Detection to work, you must configure the connection method as either Pre-logon or User-logon on the portal configuration.
Path: Network > Portals > Agent > App > Connect Method