https://live.paloaltonetworks.com/t5/globalprotect-discussions/prisma-access-internal-gateway/m-p/1225809#M6647 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/300092">@AhmedAlRashed</a>&nbsp;</P> <P>Are you Panorama or SCM Managed ?&nbsp;</P> <P class="" data-start="68" data-end="192">You said it didn't work or it's just the mapping. Were you able to connect and did IHD (Internal Host Detection) succeed?</P> <P class="" data-start="194" data-end="287">On your GlobalProtect, do you see the message: <EM data-start="241" data-end="286">"You are on the Internal Corporate Network"&nbsp;</EM>?</P> <P class="" data-start="194" data-end="287">What's your GP client version et Prisma Access version (Plugin/dataplane) ?&nbsp;</P> Mon, 07 Apr 2025 08:18:58 GMT ClementADNOV 2025-04-07T08:18:58Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/prisma-access-internal-gateway/m-p/1225664#M6637 <P>Hi All,</P> <P>&nbsp;</P> <P>Has anyone had used Prisma Access Internal Gateway for user-to-IP mapping from Remote Networks to Prisma Access?</P> <P>It doesn't work for me!</P> <P>I can view the source user under GlobalProtect Logs/Strata Logging Service but not under traffic logs</P> <P>The connection method is always on.</P> <P>&nbsp;</P> <P>Hopefully someone out there has configured it and it is working for them.</P> <P>&nbsp;</P> Fri, 04 Apr 2025 03:20:57 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/prisma-access-internal-gateway/m-p/1225664#M6637 AhmedAlRashed 2025-04-04T03:20:57Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/prisma-access-internal-gateway/m-p/1225809#M6647 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/300092">@AhmedAlRashed</a>&nbsp;</P> <P>Are you Panorama or SCM Managed ?&nbsp;</P> <P class="" data-start="68" data-end="192">You said it didn't work or it's just the mapping. Were you able to connect and did IHD (Internal Host Detection) succeed?</P> <P class="" data-start="194" data-end="287">On your GlobalProtect, do you see the message: <EM data-start="241" data-end="286">"You are on the Internal Corporate Network"&nbsp;</EM>?</P> <P class="" data-start="194" data-end="287">What's your GP client version et Prisma Access version (Plugin/dataplane) ?&nbsp;</P> Mon, 07 Apr 2025 08:18:58 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/prisma-access-internal-gateway/m-p/1225809#M6647 ClementADNOV 2025-04-07T08:18:58Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/prisma-access-internal-gateway/m-p/1225871#M6651 <P>Hey&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/324729">@ClementADNOV</a></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>It’s SCM-managed.</P> <P>Initially I tried using our own internal DNS server to set up IHD. The GlobalProtect client didn’t establish the tunnel - it just showed “You are on the Internal Corporate Network”.</P> <P>I checked the PanGPS logs and it looks like the client isn’t able to reach any-igw.gpojgsy2ony.gw.gpcloudservice.com:443.</P> <P>I then enabled Remote Network IHD and set up the laptop to use the Prisma Access DNS proxy - and that worked. I could see the source users in the traffic logs.</P> <P>TAC have advised that we need to use the Prisma Access DNS proxy for IHD to work, and it doesn’t support using our internal DNS for the client to perform the IHD check.</P> <P>Bit odd really, as the documentation doesn’t mention that the Prisma Access DNS proxy is a requirement</P> <P><BR /><A href="https://docs.paloaltonetworks.com/prisma-access/administration/prisma-access-advanced-deployments/prisma-access-remote-network-advanced-deployments/prisma-access-internal-gateway" target="_blank">https://docs.paloaltonetworks.com/prisma-access/administration/prisma-access-advanced-deployments/prisma-access-remote-network-advanced-deployments/prisma-access-internal-gateway</A></P> <P>&nbsp;</P> <P><BR />(P5036-T8420)Debug( 930): 04/04/25 18:31:03:733 SSL connecting to any-igw.gpojgsy2ony.gw.gpcloudservice.com<BR />(P5036-T8420)Debug( 316): 04/04/25 18:31:03:733 host is FQDN: any-igw.gpojgsy2ony.gw.gpcloudservice.com<BR />(P5036-T8420)Error( 856): 04/04/25 18:31:03:733 getaddrinfo for fqdn any-igw.gpojgsy2ony.gw.gpcloudservice.com failed, 0.<BR />(P5036-T8420)Debug( 567): 04/04/25 18:31:03:733 getaddrinfo of any-igw.gpojgsy2ony.gw.gpcloudservice.com failed with error 11001, No such host is known. <BR />(P5036-T8420)Debug( 935): 04/04/25 18:31:03:733 do_tcp_connect() failed<BR />(P5036-T8420)Error(6795): 04/04/25 18:31:03:733 Failed to ssl connect to 'any-igw.gpojgsy2ony.gw.gpcloudservice.com:443', Disconect ssl and returns FALSE.<BR />(P5036-T8420)Debug(6823): 04/04/25 18:31:03:733 Already tried both ipv4 and ipv6 for gateway any-igw.gpojgsy2ony.gw.gpcloudservice.com<BR />(P5036-T8420)Debug(6030): 04/04/25 18:31:03:733 Show Gateway Prisma Access Internal Gateway: The network connection is unreachable or the gateway is unresponsive. Check the network connection and reconnect.</P> Mon, 07 Apr 2025 22:58:43 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/prisma-access-internal-gateway/m-p/1225871#M6651 AhmedAlRashed 2025-04-07T22:58:43Z