topic Re: Global Protect Always On When Coming Into the Office in General Topics

Global Protect Always On When Coming Into the Office

MichaelMedwid — Fri, 14 May 2021 22:10:03 GMT

I finally got certificate based always on GP VPN working when my laptop is at home.
It occurred to me that when people go into the office, they'd be on the internal LAN.
How is that normally handled? Since I currently have an egress separate from the

GP PAN the traffic would hit the same portal as when they're home and noone

would be the wiser. But it would be wasting some firewall circuits and adding

some extra hops. Not a huge deal.

How is this typically handled? We have a separate DNS zone internal from external

as most places do.

Thank you.

Re: Global Protect Always On When Coming Into the Office

Mick_Ball — Sat, 15 May 2021 06:55:48 GMT

In your GP portal configuration you need to use internal host detection. Just add the ip address and host name. But do not add internal gateways. This will check every time the portal connection is made.

Re: Global Protect Always On When Coming Into the Office

MichaelMedwid — Sat, 15 May 2021 07:35:19 GMT

Great - thank you Mick.

Re: Global Protect Always On When Coming Into the Office

aleksandar.astardzhiev — Tue, 18 May 2021 09:02:00 GMT

Hi @MichaelMedwid ,

You will benefit if you configure internal gateway. The difference between internal and external gateway is that client is not building tunnel to FW and at same time you client still needs to go over the process of authenticating and submitting HIP report (if configured to collect data). The benefit of that is you will still have user-to-ip mapping and HIP checks and you can make your rules for internal users more granular