Global Protect Always On When Coming Into the Office


L3 Networker

I finally got certificate based always on GP VPN working when my laptop is at home. It occurred to me that when people go into the office, they'd be on the internal LAN. How is that normally handled? Since I currently have an egress separate from the GP PAN, the traffic would hit the same portal as when they're home and no one would be the wiser. But it would be wasting some firewall circuits and adding some extra hops. Not a huge deal.

How is this typically handled? We have a separate DNS zone internal from external, as most places do.

Thank you.

3 Replies

L7 Applicator

In your GP portal configuration you need to use internal host detection. Just add the IP address and hostname, but do not add internal gateways. This check will run every time the portal connection is made.
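The internal host detection the reply describes works by having the app do a reverse DNS (PTR) lookup of the configured IP address and comparing the answer with the configured hostname: the internal DNS zone returns the expected name, the public zone does not, so the app decides whether it is on the corporate LAN. The script below is an added illustration of that decision logic, not code from the thread or from Palo Alto Networks. The IP, hostname and PTR tables are constructed sample values, and the resolver is injectable so the logic runs offline; `system_ptr_lookup` shows what a live check would use.

```python
import socket
from typing import Callable, Dict, Optional

# Hypothetical portal settings mirroring the two fields the reply says to
# configure: the internal host's IP address and its hostname (constructed values).
INTERNAL_HOST_IP = "10.0.0.53"
INTERNAL_HOST_NAME = "ns1.corp.example.com"

# A resolver maps an IP address to the name in its PTR record, or None if absent.
Resolver = Callable[[str], Optional[str]]


def system_ptr_lookup(ip: str) -> Optional[str]:
    """Reverse-DNS lookup through the OS resolver (what a live check would do)."""
    try:
        name, _aliases, _addrs = socket.gethostbyaddr(ip)
        return name
    except (socket.herror, socket.gaierror, OSError):
        return None


def normalise(name: str) -> str:
    # DNS names are case-insensitive and PTR answers often carry a trailing dot,
    # so compare canonical forms rather than raw strings.
    return name.rstrip(".").lower()


def is_on_internal_network(ip: str, expected_hostname: str,
                           resolver: Resolver = system_ptr_lookup) -> bool:
    """True when the PTR record for `ip` resolves to `expected_hostname`.

    This is the split-horizon heuristic: only the internal zone knows the PTR,
    so a matching answer means the client is (probably) on the corporate LAN.
    A missing answer or a different name is treated as external, which is the
    safe failure mode (the client falls back to building the tunnel).
    """
    answer = resolver(ip)
    if answer is None:
        return False
    return normalise(answer) == normalise(expected_hostname)


def make_fake_resolver(ptr_table: Dict[str, str]) -> Resolver:
    """Build an offline resolver from a constructed PTR table."""
    def lookup(ip: str) -> Optional[str]:
        return ptr_table.get(ip)
    return lookup


# Constructed views of the split DNS the question describes.
INTERNAL_ZONE = {INTERNAL_HOST_IP: "NS1.corp.example.com."}   # internal zone has the PTR
EXTERNAL_ZONE: Dict[str, str] = {}                             # public zone has no record


def decide(resolver: Resolver) -> str:
    """Mimic the app's choice: skip the tunnel (or use an internal gateway) when
    inside, otherwise connect to the external gateway."""
    if is_on_internal_network(INTERNAL_HOST_IP, INTERNAL_HOST_NAME, resolver):
        return "internal: no tunnel (internal gateway if configured)"
    return "external: connect to external gateway"


if __name__ == "__main__":
    print("at the office:", decide(make_fake_resolver(INTERNAL_ZONE)))
    print("at home      :", decide(make_fake_resolver(EXTERNAL_ZONE)))
```

The check only proves that the network the laptop is on answers a PTR query the way the corporate DNS does; it is a location heuristic, not authentication. That is why the second reply's suggestion of an internal gateway still matters: the internal gateway is what keeps user-to-IP mapping and HIP enforcement for clients that detection has decided are inside.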

L3 Networker

Great - thank you Mick.

Hi @MichaelMedwid,

You will benefit if you configure an internal gateway. The difference between an internal and an external gateway is that the client does not build a tunnel to the firewall, but at the same time the client still needs to go through the process of authenticating and submitting a HIP report (if configured to collect data). The benefit of that is you will still have user-to-IP mapping and HIP checks, and you can make your rules for internal users more granular.

  • 2 accepted solutions
  • 3638 Views
  • 3 replies
  • 0 Likes