https://live.paloaltonetworks.com/t5/general-topics/always-on-vpn-in-the-internal-network/m-p/221601#M63795 <P>Hello,</P><P>&nbsp;</P><P>I&nbsp;am looking to configure an always-on VPN with full tunnel access and enable"Enforce Global protect for Network access".</P><P>This basically means that users have to connect GP portal to access network when logging in to their machine when off-prem. Giving us the ability to filter the traffic 24x7 even when off-prem. But, I am now facing a challenge where I need to have them connected to wired network when internal and donot want them to intiate vpn tunnel.&nbsp;</P><P>I'd gone through numerous internal host detection docs but all say that if reverse dns is successful,it will try to connect to Internal gateway and then external. But I need a scenario where it has to&nbsp;stop trying&nbsp; VPN process when connected to LAN.</P><P>&nbsp;</P><P>Please provide me your inputs on thisissue.</P><P>&nbsp;</P><P>TIA</P> Tue, 10 Jul 2018 17:40:48 GMT SThatipelly 2018-07-10T17:40:48Z https://live.paloaltonetworks.com/t5/general-topics/always-on-vpn-in-the-internal-network/m-p/221601#M63795 <P>Hello,</P><P>&nbsp;</P><P>I&nbsp;am looking to configure an always-on VPN with full tunnel access and enable"Enforce Global protect for Network access".</P><P>This basically means that users have to connect GP portal to access network when logging in to their machine when off-prem. Giving us the ability to filter the traffic 24x7 even when off-prem. But, I am now facing a challenge where I need to have them connected to wired network when internal and donot want them to intiate vpn tunnel.&nbsp;</P><P>I'd gone through numerous internal host detection docs but all say that if reverse dns is successful,it will try to connect to Internal gateway and then external. But I need a scenario where it has to&nbsp;stop trying&nbsp; VPN process when connected to LAN.</P><P>&nbsp;</P><P>Please provide me your inputs on thisissue.</P><P>&nbsp;</P><P>TIA</P> Tue, 10 Jul 2018 17:40:48 GMT https://live.paloaltonetworks.com/t5/general-topics/always-on-vpn-in-the-internal-network/m-p/221601#M63795 SThatipelly 2018-07-10T17:40:48Z https://live.paloaltonetworks.com/t5/general-topics/always-on-vpn-in-the-internal-network/m-p/221611#M63796 If you do not configure an internal gateway, but enable internal host detection, then it will not connect to the external gateway and it will achieve what you are trying to accomplish Tue, 10 Jul 2018 18:08:24 GMT https://live.paloaltonetworks.com/t5/general-topics/always-on-vpn-in-the-internal-network/m-p/221611#M63796 welly_59 2018-07-10T18:08:24Z https://live.paloaltonetworks.com/t5/general-topics/always-on-vpn-in-the-internal-network/m-p/221622#M63799 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/91200">@welly_59</a>&nbsp;Thank you so much for the quick response. How does an agent lookup the hostname&amp; IP? From all the docs, it seems like the IP is reverse-DNS queried for the hostname. Is there any way I can make the agent to do the other way around meaning Hostname should be resolved to specific IP? That way I can forge the response with firewall sinkhole capability and make only specific zone/traffic to be considered as internal.</P><P>Apologies If my question seem unclear.&nbsp;</P> Tue, 10 Jul 2018 20:09:20 GMT https://live.paloaltonetworks.com/t5/general-topics/always-on-vpn-in-the-internal-network/m-p/221622#M63799 SThatipelly 2018-07-10T20:09:20Z https://live.paloaltonetworks.com/t5/general-topics/always-on-vpn-in-the-internal-network/m-p/221627#M63801 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70284">@SThatipelly</a>,</P><P>Internal Host Detection relies soly on a reverse DNS lookup for the internal host. If the agent is unable to find the internal host the agent assumes that it's outside the network and establishes a tunnel to the external gateway. There isn't a way to modify this behavior.&nbsp;</P> Tue, 10 Jul 2018 20:54:06 GMT https://live.paloaltonetworks.com/t5/general-topics/always-on-vpn-in-the-internal-network/m-p/221627#M63801 BPry 2018-07-10T20:54:06Z