https://live.paloaltonetworks.com/t5/globalprotect-discussions/looking-for-documentation-on-how-to-set-up-an-internal-gp/m-p/1256741#M7417 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/108539">@inSync-MarkValpreda</a>&nbsp;,</P> <P>&nbsp;</P> <P class="isSelectedEnd"><SPAN>You typically do not need a separate portal. The existing portal can provide the GP client config, including internal host detection and the internal gateway. The internal gateway can be on an internal interface or loopback, as long as the FQDN resolves internally to that firewall IP and the gateway certificate matches the name users connect to.</SPAN></P> <P class="isSelectedEnd">&nbsp;</P> <P class="isSelectedEnd"><SPAN>To make this seamless, configure the GP app for </SPAN><STRONG>User-Logon / Always On</STRONG><SPAN> so the client can automatically detect whether it is internal or external and connect accordingly. For User-ID only, the internal gateway can be configured without tunneling user traffic.</SPAN></P> <P class="isSelectedEnd">&nbsp;</P> <P><SPAN>I would recommend reviewing these docs first:</SPAN></P> <P><A href="https://docs.paloaltonetworks.com/globalprotect/administration/globalprotect-quick-configs/globalprotect-for-internal-hip-checking-and-user-based-access" target="_self"><SPAN>GlobalProtect for Internal HIP Checking and User-Based Access</SPAN></A></P> <P><A href="https://www.packetswitch.co.uk/global-protect-internal-host-detection-internal-gateways-lessons-learnt/" target="_self"><SPAN>Global Protect Internal Host Detection &amp; Internal Gateways - Packetswitch</SPAN></A></P> <P>&nbsp;</P> <P><SPAN>Hope this helps! and please let us know how it goes or if anything comes up.&nbsp;</SPAN></P> Thu, 18 Jun 2026 18:30:59 GMT JayGolf 2026-06-18T18:30:59Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/looking-for-documentation-on-how-to-set-up-an-internal-gp/m-p/1256616#M7416 <P>This is a PA environment I have inherited and I don't have a PA background, most everything was already set up....I just maintain security rules, NAT, etc....basic stuff.&nbsp;</P> <P>&nbsp;</P> <P>Been having quite a time with our Macs and User-ID through Active Directory and using the App-ID Agent on a server. After a few cases and frustrated users, think we need to pivot to an internal GP gateway for user ID.&nbsp;</P> <P>&nbsp;</P> <P>I don't know if I should take my existing GP portal that is set on a loopback address to include internal detection, or set up a new one with my LAN interface? Do I need to set my GP DNS name internally to point to an IP on my PA-1410? How do I make this seamless to the users so they don't have to log into GP client on their machine?&nbsp;</P> <P>&nbsp;</P> <P>In looking at some links on here as well as through other searches, I didn't find anything that really jumped out at me that matches what we are trying to accomplish. I'm hoping that someone can nudge me in the right direction.</P> <P>&nbsp;</P> Thu, 18 Jun 2026 01:58:56 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/looking-for-documentation-on-how-to-set-up-an-internal-gp/m-p/1256616#M7416 inSync-MarkValpreda 2026-06-18T01:58:56Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/looking-for-documentation-on-how-to-set-up-an-internal-gp/m-p/1256741#M7417 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/108539">@inSync-MarkValpreda</a>&nbsp;,</P> <P>&nbsp;</P> <P class="isSelectedEnd"><SPAN>You typically do not need a separate portal. The existing portal can provide the GP client config, including internal host detection and the internal gateway. The internal gateway can be on an internal interface or loopback, as long as the FQDN resolves internally to that firewall IP and the gateway certificate matches the name users connect to.</SPAN></P> <P class="isSelectedEnd">&nbsp;</P> <P class="isSelectedEnd"><SPAN>To make this seamless, configure the GP app for </SPAN><STRONG>User-Logon / Always On</STRONG><SPAN> so the client can automatically detect whether it is internal or external and connect accordingly. For User-ID only, the internal gateway can be configured without tunneling user traffic.</SPAN></P> <P class="isSelectedEnd">&nbsp;</P> <P><SPAN>I would recommend reviewing these docs first:</SPAN></P> <P><A href="https://docs.paloaltonetworks.com/globalprotect/administration/globalprotect-quick-configs/globalprotect-for-internal-hip-checking-and-user-based-access" target="_self"><SPAN>GlobalProtect for Internal HIP Checking and User-Based Access</SPAN></A></P> <P><A href="https://www.packetswitch.co.uk/global-protect-internal-host-detection-internal-gateways-lessons-learnt/" target="_self"><SPAN>Global Protect Internal Host Detection &amp; Internal Gateways - Packetswitch</SPAN></A></P> <P>&nbsp;</P> <P><SPAN>Hope this helps! and please let us know how it goes or if anything comes up.&nbsp;</SPAN></P> Thu, 18 Jun 2026 18:30:59 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/looking-for-documentation-on-how-to-set-up-an-internal-gp/m-p/1256741#M7417 JayGolf 2026-06-18T18:30:59Z