topic Re: Internal Host Detection in Prisma Access Discussions

Internal Host Detection

cylusaragao — Wed, 19 Jun 2024 12:15:45 GMT

How do I ensure that when global protect identifies that it is on the internal network, it does not connect?

Re: Internal Host Detection

KhaleelE — Thu, 20 Jun 2024 05:47:45 GMT

From PanGPS log if you see "NetworkDiscoverThread: network type is internal." That means it connected to internal network.

Re: Internal Host Detection

domari — Thu, 20 Jun 2024 14:50:03 GMT

Hello @cylusaragao

If you take a look at the GlobalProtect Panel, you will see the following if you are internal to the corporate network.

Re: Internal Host Detection

cylusaragao — Thu, 20 Jun 2024 18:33:59 GMT

I want it to not connect to the internal network

Re: Internal Host Detection

domari — Thu, 20 Jun 2024 18:52:56 GMT

What is the behavior you intend GP to do when the user is internal to the network? Connect to globalprotect on an external gateway (prisma access or on-prem gateway) or to the internal corporate network?

Re: Internal Host Detection

cylusaragao — Thu, 20 Jun 2024 20:02:00 GMT

I hope it identifies it is on the internal network and does not connect

Re: Internal Host Detection

domari — Mon, 24 Jun 2024 17:23:59 GMT

In order to achieve this. You have to configure internal host detection as specified in the link below. You only need to configure the IP address and the hostname under internal host detection in order to serve the purpose of not connecting to globalprotect when internal to the network.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/globalprotect/network-globalprotect-portals/globalprotect-portals-agent-configuration-tab/globalprotect-portals-agent-internal-tab

When the user attempts to log in, the app does a reverse DNS lookup of an internal host using the specified IP Address to the specified Hostname. The host serves as a reference point that does not have to be reachable but reverse DNS lookup should be successful only when the endpoint is inside the enterprise network. If the app finds the host, the endpoint is inside the network and the app connects to an internal gateway, if configured, or the GlobalProtect app shows the connection status as internal. If the app fails to find the internal host, the endpoint is outside the network and the app establishes a tunnel to one of the external gateways.