https://live.paloaltonetworks.com/t5/general-topics/prevent-globalprotect-from-connecting-when-user-on-internal/m-p/318502#M81768 <P>From what I understand, the only thing needed is that internal detection IP and name. I would check and make sure your reverse lookup is working to whatever you have set for DNS for your clients. Make sure it's responding with the hostname you specified in the internal host detection section in your portal configuration. I think I read something about it having to be all lowecase (can't seem to find that info again so it may be irrelevant). The biggest thing I think is that it's a reverse lookup IP&gt;name, so if you don't have a PTR record it's not going to work properly.</P><P>&nbsp;</P> Wed, 25 Mar 2020 14:24:29 GMT ZachBiles 2020-03-25T14:24:29Z https://live.paloaltonetworks.com/t5/general-topics/prevent-globalprotect-from-connecting-when-user-on-internal/m-p/318469#M81758 <P>We want to prevent Globalprotect from connecting when user is on the internal network. We have the client set to manual connect/disconnect but users can be stupid and connect anyway.</P><P>We don't have an internal gateway, and dont want any ssl tunnel when user is on internal network.</P><P>We tried putting in an ip address&nbsp; of a reachable lan server in the "internal host detection" box and left the "internal gateways" list blank but didnt seem to work.</P><P>We also tried removing the DNS entry of the gateway from internal DNS zone (we have split-horizon DNS) but that was more trouble than it was worth due to caching of NX records leaving users unable to connect to VPN until zone TTL expiry when they jumped off the LAN network and tried to connect shortly after.</P><P>What is the correct way (by correct I mean best practice) to prevent clients from connecting to GP from internal network (keeping in mind we do not have internal GP gateway and do not want any VPN running when users are on LAN)</P> Wed, 25 Mar 2020 11:56:49 GMT https://live.paloaltonetworks.com/t5/general-topics/prevent-globalprotect-from-connecting-when-user-on-internal/m-p/318469#M81758 SteveVernau 2020-03-25T11:56:49Z https://live.paloaltonetworks.com/t5/general-topics/prevent-globalprotect-from-connecting-when-user-on-internal/m-p/318502#M81768 <P>From what I understand, the only thing needed is that internal detection IP and name. I would check and make sure your reverse lookup is working to whatever you have set for DNS for your clients. Make sure it's responding with the hostname you specified in the internal host detection section in your portal configuration. I think I read something about it having to be all lowecase (can't seem to find that info again so it may be irrelevant). The biggest thing I think is that it's a reverse lookup IP&gt;name, so if you don't have a PTR record it's not going to work properly.</P><P>&nbsp;</P> Wed, 25 Mar 2020 14:24:29 GMT https://live.paloaltonetworks.com/t5/general-topics/prevent-globalprotect-from-connecting-when-user-on-internal/m-p/318502#M81768 ZachBiles 2020-03-25T14:24:29Z https://live.paloaltonetworks.com/t5/general-topics/prevent-globalprotect-from-connecting-when-user-on-internal/m-p/318538#M81774 <P>yes as per&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/127359">@ZachBiles</a>&nbsp;.</P><P>&nbsp;</P><P>check the GlobalProtect logs.</P><P>&nbsp;</P><P>this is how it looks when working correctly.&nbsp; (Albeit "Always On") in this case...&nbsp; &nbsp; but the process will be similar.</P><P>&nbsp;</P><P>(T19360) 03/25/20 16:43:23:581 Debug(11593): GetNetworkTypeDS</P><P>(T19360) 03/25/20 16:43:23:581 Debug(11596): No ipv6 internal host detection.</P><P>(T19360) 03/25/20 16:43:23:581 Debug(1816): IP 10.250.1.56</P><P>(T19360) 03/25/20 16:43:23:581 Debug(1835): host prxweb.yourdomain.co.uk</P><P>(T19360) 03/25/20 16:43:23:581 Debug(1852): DnsQuery returns 0</P><P>(T19360) 03/25/20 16:43:23:581 Debug(1867): Resolved 56.1.250.10.in-addr.arpa for internal host detection with return value 0</P><P>(T19360) 03/25/20 16:43:23:581 Debug(1891): The host name is prxweb.yourdomain.co.uk</P><P>(T19360) 03/25/20 16:43:23:581 Debug(5932): --Set state to Discovery complete</P><P>(T19360) 03/25/20 16:43:23:581 Debug(9839): SetVpnStatus called with new status=1, Previous Status=1</P><P>(T19360) 03/25/20 16:43:23:581 Debug(4112): UpdatePrelogonStateForSSO() - User-logon tunnel state = Connected</P><P>(T19360) 03/25/20 16:43:23:581 Debug(4797): NetworkDiscoverThread: network type is internal.</P><P>(T19360) 03/25/20 16:43:23:581 Debug(4803): NetworkDiscoverThread: Discover internal network.</P><P>(T19360) 03/25/20 16:43:23:581 Info ( 360): Gateway count is 0 for internal network.</P> Wed, 25 Mar 2020 17:09:21 GMT https://live.paloaltonetworks.com/t5/general-topics/prevent-globalprotect-from-connecting-when-user-on-internal/m-p/318538#M81774 Mick_Ball 2020-03-25T17:09:21Z https://live.paloaltonetworks.com/t5/general-topics/prevent-globalprotect-from-connecting-when-user-on-internal/m-p/344818#M86243 <P>Has anyone been able to figure this out? We have internal detection working with the PTR record but users can still manually connect to the gateways. Is there a way to prevent the users from connecting to the gateways manually when they are internal?</P><P>&nbsp;</P><P>Thanks&nbsp;</P> Thu, 20 Aug 2020 15:57:26 GMT https://live.paloaltonetworks.com/t5/general-topics/prevent-globalprotect-from-connecting-when-user-on-internal/m-p/344818#M86243 hdauncey 2020-08-20T15:57:26Z https://live.paloaltonetworks.com/t5/general-topics/prevent-globalprotect-from-connecting-when-user-on-internal/m-p/425107#M94323 <P>Is this an Always-ON conn? or On-Demand?</P><P>&nbsp;</P><P>Internal detection doesn't not work with OD</P> Fri, 06 Aug 2021 12:40:33 GMT https://live.paloaltonetworks.com/t5/general-topics/prevent-globalprotect-from-connecting-when-user-on-internal/m-p/425107#M94323 gurjarn 2021-08-06T12:40:33Z https://live.paloaltonetworks.com/t5/general-topics/prevent-globalprotect-from-connecting-when-user-on-internal/m-p/431381#M95078 <P>Maybe a simple security rule not allowing this traffic to get out to the gateway from your internal network?&nbsp;</P> Fri, 03 Sep 2021 13:54:24 GMT https://live.paloaltonetworks.com/t5/general-topics/prevent-globalprotect-from-connecting-when-user-on-internal/m-p/431381#M95078 ZachBiles 2021-09-03T13:54:24Z https://live.paloaltonetworks.com/t5/general-topics/prevent-globalprotect-from-connecting-when-user-on-internal/m-p/431541#M95098 <P>Hello,</P><P>Another thought would be, why disable it? Let the internal clients connect to an internat GP Portal/Gateway so that way you have zero trust between hosts on the LAN.</P><P>&nbsp;</P><P>Just a thought, I know there are other factors.</P><P>&nbsp;</P><P>Cheers!</P> Fri, 03 Sep 2021 21:10:38 GMT https://live.paloaltonetworks.com/t5/general-topics/prevent-globalprotect-from-connecting-when-user-on-internal/m-p/431541#M95098 OtakarKlier 2021-09-03T21:10:38Z https://live.paloaltonetworks.com/t5/general-topics/prevent-globalprotect-from-connecting-when-user-on-internal/m-p/451315#M101142 <P>Because when on site it says in the lower right Gateway External-Gateways<BR />The network connection is unreliable and GlobalProtect reconnected using an... (then it's cut off and not fit on the screen).</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 03 Dec 2021 21:17:26 GMT https://live.paloaltonetworks.com/t5/general-topics/prevent-globalprotect-from-connecting-when-user-on-internal/m-p/451315#M101142 ksauer507 2021-12-03T21:17:26Z