<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: GP Internal Host Detection not Working in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/gp-internal-host-detection-not-working/m-p/74877#M41809</link>
    <description>&lt;P&gt;Make sure that the connection method configured in the portal is "user-logon" and not on-demand.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;regards,&lt;/P&gt;
&lt;P&gt;Gerardo.&lt;/P&gt;</description>
    <pubDate>Thu, 17 Mar 2016 13:12:10 GMT</pubDate>
    <dc:creator>glastra1</dc:creator>
    <dc:date>2016-03-17T13:12:10Z</dc:date>
    <item>
      <title>GP Internal Host Detection not Working</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/gp-internal-host-detection-not-working/m-p/74314#M41658</link>
      <description>&lt;P&gt;To start off...&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have already read this.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/t5/Management-Articles/GlobalProtect-not-Detecting-Internal-Network-with-Internal-Host/ta-p/53681" target="_blank"&gt;https://live.paloaltonetworks.com/t5/Management-Articles/GlobalProtect-not-Detecting-Internal-Network-with-Internal-Host/ta-p/53681&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I'll start off with the whole story. We have 2 ISPs, set up to our PA-500s using 2 VRs. One was set up for the DMZ Zone, with its default out ISP 1. The second VR was users' internet, with the default route out ISP 2.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Initially GP was set up on ISP 1. Thus when users attempted to connect their session would be NATed out ISP 2 back into ISP 1, with internal host detection working a treat and showed the little house on the GP sys tray icon.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;My goal was to move all my services over to ISP 2. Turns out I couldn't just copy the existing NAT rules since the DMZ default route was out ISP 1, and any connection attempts would fail due to an incomplete handshake. Welcome &lt;A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Symmetric-Return/ta-p/59374" target="_self"&gt;Symmetric Return&lt;/A&gt;&lt;SPAN&gt;!&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;So I got all my services to work with either external IP association. I then go to move our VPN to the shaw side using both proper DNS lookup for the portal/gateway and our own internal PKI. I fought tooth 'n' nail and got the internal PKI setup working just the way I want it to. Externally working a treat, so I attempt to connect internally; to my dismay I couldn't reach the external portal from inside the network. Checking my Monitor tab on the PAs I see no blocked traffic. I knew it was getting dropped somewhere in the PA, so I do a packet capture. Lo and behold, my packets are getting dropped.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;After talking to my uber smart network engineer, we had two options (NoNAT to my ISP 2 pub IP, or do a &lt;A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-U-Turn-NAT/ta-p/61889" target="_self"&gt;U-Turn NAT&lt;/A&gt; to my ISP pub IP).&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;After making this config, I could ping and access the web portal no prob! YAY!&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;And finally to the point of this post: everything works now except internal host detection, and it's driving me up the wall. From everything I read on it and how I know my configs are, it should just work at this point. But it keeps connecting my client to the VPN DHCP pool and saying it's connected and I can see the traffic on the client system. Even though it's internally connected (I can ping and resolve the internal host detection stuff from the client system perfectly fine).&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;To make it even weirder, when I change my portal IP to the ISP 1, internal host detection works a treat.&lt;BR /&gt;Change it back to ISP 2, and internal host detection fails.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Same internal host detection settings on both portal/user configs, same internal network.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Thoughts? I'm bashing my head on this one...&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 07 Mar 2016 20:04:30 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/gp-internal-host-detection-not-working/m-p/74314#M41658</guid>
      <dc:creator>Zewwy</dc:creator>
      <dc:date>2016-03-07T20:04:30Z</dc:date>
    </item>
    <item>
      <title>Re: GP Internal Host Detection not Working</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/gp-internal-host-detection-not-working/m-p/74381#M41673</link>
      <description>&lt;P&gt;Hi Zewwy,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;What does the PanGP Services log say? Look for a line that contains "DnsQuery returns " and the lines right before and after it.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Benjamin&lt;/P&gt;</description>
      <pubDate>Tue, 08 Mar 2016 16:06:13 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/gp-internal-host-detection-not-working/m-p/74381#M41673</guid>
      <dc:creator>BenjAudy.MTL</dc:creator>
      <dc:date>2016-03-08T16:06:13Z</dc:date>
    </item>
    <item>
      <title>Re: GP Internal Host Detection not Working</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/gp-internal-host-detection-not-working/m-p/74598#M41734</link>
      <description>&lt;P&gt;Hey,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks for the reply. I did the following.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I cleared the PanGPS.log file. I connected via the ISP 1 portal, and sure enough I get DNSQuery response 0.&lt;/P&gt;
&lt;P&gt;As it should be. I clear the log by renaming it.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I change my portal address on my GlobalProtect, and it connects saying externally. I then check the PanGPS.log and I don't find a single DnsQuery line in the log at all, as if it's not even trying to do internal host detection.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thoughts?&lt;/P&gt;</description>
      <pubDate>Fri, 11 Mar 2016 18:39:39 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/gp-internal-host-detection-not-working/m-p/74598#M41734</guid>
      <dc:creator>Zewwy</dc:creator>
      <dc:date>2016-03-11T18:39:39Z</dc:date>
    </item>
    <item>
      <title>Re: GP Internal Host Detection not Working</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/gp-internal-host-detection-not-working/m-p/74877#M41809</link>
      <description>&lt;P&gt;Make sure that the connection method configured in the portal is "user-logon" and not on-demand.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;regards,&lt;/P&gt;
&lt;P&gt;Gerardo.&lt;/P&gt;</description>
      <pubDate>Thu, 17 Mar 2016 13:12:10 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/gp-internal-host-detection-not-working/m-p/74877#M41809</guid>
      <dc:creator>glastra1</dc:creator>
      <dc:date>2016-03-17T13:12:10Z</dc:date>
    </item>
    <item>
      <title>Re: GP Internal Host Detection not Working</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/gp-internal-host-detection-not-working/m-p/77417#M42593</link>
      <description>&lt;P&gt;Hey Gerardo,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks so much for the suggestion. I was working with a PAN tech on the case (tier one) so had to argue about a couple things he wasn't understanding about the device, haha.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;We tried your answer on my own account by me changing my AD user membership, and then renewing the PAN's user mappings, and then I found I had to create a new profile (I'm sure possibly an uninstall, or even a registry edit could have resolved it but I didn't know exactly what to look for so I simply re-created my profile) before it would change from on-demand mode to user-logon. I asked the tech for any documentation that would state why this is.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I can understand that since it's on-demand the user wouldn't normally connect internally, but then what's the point of the internal host detection being available for edit when the type is set to on-demand? Seems like a UI bug or something that was merely overlooked and was just never thought of and considered as-is.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks for your answer.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;One last thing I noticed when I was testing: the user cert I install on users' systems goes into the personal certificate store of the user, but when I created a new user in AD and logged into that user on a system where I had installed the cert for another user, that cert is already in the new user's certificate store... I found this baffling. The other weird part is when I removed my profile to fix the on-demand problem I noticed it removed my certificate from the store, more along the lines to be expected with a profile wipe.&lt;/P&gt;</description>
      <pubDate>Tue, 03 May 2016 14:14:48 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/gp-internal-host-detection-not-working/m-p/77417#M42593</guid>
      <dc:creator>Zewwy</dc:creator>
      <dc:date>2016-05-03T14:14:48Z</dc:date>
    </item>
    <item>
      <title>Re: GP Internal Host Detection not Working</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/gp-internal-host-detection-not-working/m-p/104729#M44722</link>
      <description>&lt;P&gt;I'm having a similar issue. I am trying to enable internal host detection, but the GP client keeps trying to contact our external gateway and failing with "invalid gateway", so it never gets to the internal detection.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm not sure how to U-turn NAT it, because the GP gateway doesn't have an internal IP address.&lt;/P&gt;</description>
      <pubDate>Fri, 19 Aug 2016 19:01:08 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/gp-internal-host-detection-not-working/m-p/104729#M44722</guid>
      <dc:creator>Maxstr</dc:creator>
      <dc:date>2016-08-19T19:01:08Z</dc:date>
    </item>
    <item>
      <title>Re: GP Internal Host Detection not Working</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/gp-internal-host-detection-not-working/m-p/106128#M44789</link>
      <description>&lt;P&gt;Make sure for the host name that you are using the FQDN (i.e. test.mydomain.com and not just test).&lt;/P&gt;</description>
      <pubDate>Tue, 23 Aug 2016 15:53:34 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/gp-internal-host-detection-not-working/m-p/106128#M44789</guid>
      <dc:creator>nwetech</dc:creator>
      <dc:date>2016-08-23T15:53:34Z</dc:date>
    </item>
    <item>
      <title>Re: GP Internal Host Detection not Working</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/gp-internal-host-detection-not-working/m-p/184302#M56536</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Can someone confirm if&amp;nbsp;&lt;SPAN&gt;on-demand and "Internal Host Detection" will work? I have my configuration set to on-demand and have "enforce GlobalProtect for Network Access". I need a way to disable this when the user is on the internal network. I cannot go down the path of user-logon as the client is using OTP for VPN so SSO won't work.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Sat, 28 Oct 2017 21:37:38 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/gp-internal-host-detection-not-working/m-p/184302#M56536</guid>
      <dc:creator>junior_r</dc:creator>
      <dc:date>2017-10-28T21:37:38Z</dc:date>
    </item>
  </channel>
</rss>

