https://live.paloaltonetworks.com/t5/general-topics/internal-host-detection-in-globalprotect/m-p/285199#M76393 <P>If internal host detection is configured, and not internal portals/gateways are defined, will the GP client simply stop trying to establish vpn?&nbsp; Thats what i'd like to see.</P> Tue, 27 Aug 2019 05:41:41 GMT JimMcGrady 2019-08-27T05:41:41Z https://live.paloaltonetworks.com/t5/general-topics/internal-host-detection-in-globalprotect/m-p/16935#M12344 <HTML><HEAD></HEAD><BODY><P>I am confused with GlobalProtect offical documents.</P><P></P><P>From GlobalProtect troubleshooting guide:</P><P></P><P><STRONG>Internal Host Detection</STRONG><BR />Internal Host Detection provides hints to GP client to determine quickly if the PC is inside or outside office. <SPAN style="color: #ff0000;"><STRONG>If it is not configured, GP client will always try to connect to each internal gateway first</STRONG></SPAN>. If it fails to connect to any internal gateway or if there is no internal gateway defined, it will then attempt to connect to the best external gateway. Admin should try to set internal host detection as it speeds up the tunnel establishment.</P><P></P><P>From Configuring GlobalProtect Tech Note:</P><P></P><P><STRONG>Internal Host Detection</STRONG>: This helps Client determine whether the host is inside or outside the corporate network and then connect to the corresponding Gateway. The DNS name specifies a hostname that only can be reached from internal network and its IP address. The Client performs a reverse lookup on the IP address and if it receives the expected hostname as a response, it will attempt connecting to the Gateways in the internal list. If no response is received that Client will attempt to connect to the external Gateways in the external list<BR /><SPAN style="color: #ff0000;"><STRONG>If no “internal-host-detection” configuration is provided, Client always connectes to the external Gateways. </STRONG></SPAN></P><P></P><P>Anyone know which one is correct?</P></BODY></HTML> Mon, 14 May 2012 09:37:57 GMT https://live.paloaltonetworks.com/t5/general-topics/internal-host-detection-in-globalprotect/m-p/16935#M12344 linusso 2012-05-14T09:37:57Z https://live.paloaltonetworks.com/t5/general-topics/internal-host-detection-in-globalprotect/m-p/16936#M12345 <HTML><HEAD></HEAD><BODY><P>So looking at the purpose of Internal Host Detection, the Client will try to resolve the host name to the IP provided. If DNS does not resolve, it will quickly assume you are not on an internal network, and try to create a tunnel with the external IP's provided in your configuration.&nbsp; Looking at the Admin guide, we can see the following:</P><P></P><P><A name="1261037">External Gateways</A>—Specify the list of firewalls the client will try to establish a tunnel with <STRONG>when not on the corporate network.</STRONG> The client will contact all of the gateways and establish a tunnel with the firewall that provides the fastest response and the lowest priority value.</P><P></P><P>This implies that the sequence will be internal, then external. The internal IP's will time out rather quickly and a tunnel will then be established with the fasted external IP.</P><P></P><P>Does this help?</P><P></P><P>Dez</P></BODY></HTML> Wed, 23 May 2012 03:08:44 GMT https://live.paloaltonetworks.com/t5/general-topics/internal-host-detection-in-globalprotect/m-p/16936#M12345 dlorenzen 2012-05-23T03:08:44Z https://live.paloaltonetworks.com/t5/general-topics/internal-host-detection-in-globalprotect/m-p/16937#M12346 <HTML><HEAD></HEAD><BODY><P>Hi Dez,</P><P></P><P>Thanks for your answer. I understand the function of Internal Host Detection from admin guide. My problem is there is contradiction on GP configuration guide and troubleshooting guide.</P><P></P><P>Anyway, I have opened a support case and now I can confirmed:</P><P></P><P>1. If SSO is selected, Internal Host Detection with be used (by reserve DNS lookup, resolve IP to hostname)</P><P>2. If On Demand mode is selected. GP client <SPAN style="font-size: 11pt; font-family: &amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;;">(start from 1.1.4) will always set its network type to 'External' and connect to external gateway. </SPAN></P><P>3. From support team: "<SPAN style="font-size: 11pt; font-family: &amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;;">The statement in GP troubleshooting guide looks incorrect. I have escalated to verify this"<BR /></SPAN></P></BODY></HTML> Wed, 23 May 2012 03:37:26 GMT https://live.paloaltonetworks.com/t5/general-topics/internal-host-detection-in-globalprotect/m-p/16937#M12346 linusso 2012-05-23T03:37:26Z https://live.paloaltonetworks.com/t5/general-topics/internal-host-detection-in-globalprotect/m-p/285199#M76393 <P>If internal host detection is configured, and not internal portals/gateways are defined, will the GP client simply stop trying to establish vpn?&nbsp; Thats what i'd like to see.</P> Tue, 27 Aug 2019 05:41:41 GMT https://live.paloaltonetworks.com/t5/general-topics/internal-host-detection-in-globalprotect/m-p/285199#M76393 JimMcGrady 2019-08-27T05:41:41Z https://live.paloaltonetworks.com/t5/general-topics/internal-host-detection-in-globalprotect/m-p/436227#M96244 <P>This is incorrect, if you define internal host detection and you have no internal gateway define it will just look for that address to be available and if it is then it will not attempt to connect to external gateway.</P> Thu, 23 Sep 2021 18:46:16 GMT https://live.paloaltonetworks.com/t5/general-topics/internal-host-detection-in-globalprotect/m-p/436227#M96244 jmora 2021-09-23T18:46:16Z