How to Configure Internal GlobalProtect Only


Overview

  • This document describes the steps to configure an internal-only GlobalProtect Gateway.
  • This document was created on a Palo Alto Networks device running PAN-OS 8.0.

 

Steps

  1. Identify the interface where the customers are going to connect.
    [Figure: Interfaces]
  2. Configure GlobalProtect Gateway:
    1. Use the dropdown lists to select the internal interface, IP address, SSL/TLS Service Profile, and Authentication Profile.
    2. Client configuration for the internal gateway is not needed if tunneling is not performed.
       [Figure: Internal Gateway]
       [Figure: Internal Gateway Authentication]
  3. Configure GlobalProtect Portal:
    1. Use the dropdown lists to select the internal interface, IP address, SSL/TLS Service Profile, and Authentication Profile.
    2. Add the trusted Root CA
    3. Add Agent Configuration
      1. Make sure the Connect Method is not On-Demand
      2. Add the gateway to the list of internal gateways

[Figure: GP Portal configuration]
[Figure: GP Portal Authentication]
[Figure: GP Portal Agent configuration]
[Figure: Agent Internal Gateway configuration]
[Figure: Agent App behavior - always-on]

 

 

 

Now connect through the internal gateway:

[Screenshot]

 

See Also

Reference the GlobalProtect Administrator Guide for any additional help with configuring GlobalProtect:

GlobalProtect Administrator's Guide 8.0 (English)

 

owner: aabdelhalim

Comments

Since newer PAN versions don't have the "On Demand" checkbox, what should we be putting for the Connect Method? User-logon, pre-logon?

The more recent PAN-OS versions, 7.0 and 7.1, introduced significant changes to the GlobalProtect agent setup.

The Connect Method is now in Network > GlobalProtect > Portals > portal config > Agent > Configs > agent config > App

 

The methods available for selection are now

  • User-logon (Always On)
  • Pre-logon (Always On)
  • On-demand (Manual user initiated)
  • Pre-logon then On-demand

If you are supporting Windows clients, you can also benefit by selecting YES for Use Single Sign-on.

 

Please see 

Do we need to configure External Gateway?

If yes, is it possible to configure without an External Gateway?

If no, can we use a different authentication profile for the Internal and External Gateway?

 

Hi @riteshg

 

As the title of the article indicates, you can set up an internal-only gateway; an external gateway is not mandatory (the external gateway box can be left empty).