https://live.paloaltonetworks.com/t5/general-topics/globalprotect-initial-configuration/m-p/247211#M70353 <P>How are people configuring their PAN for clients to grab the inital GP configuration?</P><P>&nbsp;</P><P>Currently, the laptops are being imaged with Windows 10 and automatically connect to our internal network via certificate based authentication. GP is set to automatically attempt to connect to our outside interface. Once that is done, it grabs the configuration. Next time the users are on site, it detects that the laptop is internal and does not create the tunnel.&nbsp;</P><P>&nbsp;</P><P>Is there a way to configure the PAN so that the laptops can grab the inital configuration?</P> Wed, 23 Jan 2019 19:28:52 GMT meischc 2019-01-23T19:28:52Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-initial-configuration/m-p/247211#M70353 <P>How are people configuring their PAN for clients to grab the inital GP configuration?</P><P>&nbsp;</P><P>Currently, the laptops are being imaged with Windows 10 and automatically connect to our internal network via certificate based authentication. GP is set to automatically attempt to connect to our outside interface. Once that is done, it grabs the configuration. Next time the users are on site, it detects that the laptop is internal and does not create the tunnel.&nbsp;</P><P>&nbsp;</P><P>Is there a way to configure the PAN so that the laptops can grab the inital configuration?</P> Wed, 23 Jan 2019 19:28:52 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-initial-configuration/m-p/247211#M70353 meischc 2019-01-23T19:28:52Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-initial-configuration/m-p/247255#M70362 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/102468">@meischc</a>,</P><P>Are you running your own internal DNS servers? Split DNS would really be your solution for something like this.&nbsp;</P> Thu, 24 Jan 2019 01:15:00 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-initial-configuration/m-p/247255#M70362 BPry 2019-01-24T01:15:00Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-initial-configuration/m-p/247306#M70374 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/102468">@meischc</a>, Hi.</P><P>I'm not sure what you mean, seems a bit confusing...</P><P>&nbsp;</P><P>if your users (after they have connected outside) are able to detect internal host then your external&nbsp;portal address&nbsp;must be visible from your LAN otherwise you would get a portal address error.</P><P>&nbsp;</P><P>I say this because I have always assumed that GP needs to connect to the portal prior to internal detection, regardless of how many times they have connected externally, otherwise if you made any changes to the app settings then users would not get this until they connected from outside.</P><P>&nbsp;</P><P>anyhows... not sure what is different from your setup to mine, it may be that you need to add the reg setting "always on" in your build, or perhaps use group policy to force this reg setting when they first logon.</P> Thu, 24 Jan 2019 08:55:27 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-initial-configuration/m-p/247306#M70374 Mick_Ball 2019-01-24T08:55:27Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-initial-configuration/m-p/247391#M70383 <P>Sorry, let me elaborate. After they grab the correct GP Portal configuration hitting the outside interface, everthing is working as designed.</P><P>&nbsp;</P><P>The problem that I am trying to solve, is getting that GP portal configuration on the laptops, prior to hitting the outside interface. Right now, we have a WiFi hotspot that the desktop folks are using to simulate being on the outside connection.</P><P>&nbsp;</P><P>Is there a way to configure an internal gateway or NoNAT so that users can hit the outside interface to grab the portal configuration without having to leave the internal network?</P><P>&nbsp;</P><P>How are you accomplishing this? Or do you just wait for your users to connect from home/outside?</P> Thu, 24 Jan 2019 16:39:40 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-initial-configuration/m-p/247391#M70383 meischc 2019-01-24T16:39:40Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-initial-configuration/m-p/247393#M70384 <P>thanks for the clarification....</P><P>&nbsp;</P><P>OK I understand now what you are describing but I cannot understand why it is not working already...</P><P>&nbsp;</P><P>on any laptop on your network, what happens when you browse to https://your-portal-address</P><P>&nbsp;</P><P>can you get to the page and with certificates it should login and display GP downloads.</P><P>&nbsp;</P><P>lets start there and progress...&nbsp;&nbsp; else i get confused</P> Thu, 24 Jan 2019 17:06:06 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-initial-configuration/m-p/247393#M70384 Mick_Ball 2019-01-24T17:06:06Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-initial-configuration/m-p/247397#M70389 <P>Sorry i have just realised that it may be working for me because our GP portal is on a different firewall. so we go out of our main firewall to connect to our VPN firewall...</P><P>&nbsp;</P><P>not sure if NAT will suffice... you may be better off adding a second portal to your config and make it available to your internal interface.</P><P>&nbsp;</P><P>then as <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;stated, use your internal dns to resolve to the internal portal.</P><P>&nbsp;</P><P>&nbsp;</P><P>sorry for the confusion</P><P>&nbsp;</P> Thu, 24 Jan 2019 17:40:51 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-initial-configuration/m-p/247397#M70389 Mick_Ball 2019-01-24T17:40:51Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-initial-configuration/m-p/247399#M70390 <P>or simply add a NAT rule at the top of the NAT policies</P><P>&nbsp;</P><P>source= trust&nbsp;, Destination Address="Your-portal-ip-address"&nbsp; Source Translation= None</P><P>&nbsp;</P><P>I think what is happening is that your current traffic is being NAT'd to your external address so the Palo will see your external address trying to talk to your external address, this will cause it's nose to start bleeding...&nbsp; and see this as a LAN attack, so add the NAT rule...</P> Thu, 24 Jan 2019 18:36:52 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-initial-configuration/m-p/247399#M70390 Mick_Ball 2019-01-24T18:36:52Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-initial-configuration/m-p/247403#M70391 <P>Also.... could you confirm that currently when users connect to the lan after connecting externally that they do get the little house icon.</P> Thu, 24 Jan 2019 18:44:15 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-initial-configuration/m-p/247403#M70391 Mick_Ball 2019-01-24T18:44:15Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-initial-configuration/m-p/247405#M70393 <P>Yep! They do.</P> Thu, 24 Jan 2019 19:02:08 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-initial-configuration/m-p/247405#M70393 meischc 2019-01-24T19:02:08Z